RE: SteemLogin - a new and easy way to sign in to Steem!

in #utopian-io, 2 years ago (edited)

Very insecure, not worth it. At least use a system like steemconnect where the user gives the other user authority. Don't give up the private keys.

Steemconnect is already insecure, this is 10x worse. Just look at what happened to utopian when they got hacked.

SteemConnect, you are giving active key = your money is not safe
This Connect, you are giving posting key = your (in most cases) worthless upvote is not safe

Eh, posting keys only, who cares. Steemconnect hardly works. It's buggy on every site that uses it. (See continuous login errors on drugwars due to expired credentials).

Maybe the devs could make that one better :)

The utopian hack caused everyone who used utopian to downvote some posts, making their rewards almost go to zero. Posting keys of tons of people at once has a large power.

If you use the account authority system, like utopian did, everyone could just remove authorization from the @utopian.app account and go back to their daily activities. If you give your key, you must now change it.

I think for the masses, ease of use is more important than security. Yeah, if there are issues you gotta change your key. A small price to pay for ease of access for most people.

Can't lose money from a posting key really (other than wasted potential from misused votes). Meh.

Well, then at least use the system steemconnect uses, delegated authority. Don't directly store keys...

Steemconnect sucks

Agreed, but less than this service. Why, in your opinion, is storing actual keys on a server better than delegating authority to their account (@steemlogin)?

Easier for normal users. Plus I believe irelandscape can make something that actually works. I've had enough experience using steemconnect to interface with various apps to conclude that it makes the user experience bad.

Not everyone cares as much about security as you (gosh, most non-crypto applications are as secure as steemlogin or much worse). So it's in keeping with the standard.

I am not saying to use steem connect. I am saying to use post authority instead of saving the private key. It is not any harder for the user except having to use an active key to give up the authority at first.

Almost every website nowadays does NOT save passwords in their DB, they save at least hashed passwords. This is not possible in this case obviously, so the closest thing possible should be used instead.

You can lose a lot.
What if someone starts downvoting Bernie with your account?

You apologize to him, change your posting key, and move on. He's not going to punish someone who isn't actually at fault. There's no way, he goes after self-righteous assholes and scammers, not people who made an accident and are sorry.