Ok, we are going fast with our Steem Security series, but it is fun, so let's continue and learn today something very useful :)
Let's start with a quick recap of what we already learned from previous articles:
In the first article, I mentioned, that to use your Steem account, you do not need to use your password at all.
So why I need a Master Password at all?
Technically speaking, you don't need it. If you have your all private keys (posting, active, owner, memo) then you can do everything without a password, even create a new password and a new set of all keys.
Why is that? Because in the whole Steem ecosystem, a password is used only to generate public and private keys from it. But exactly this is done under the hood
From the 2nd article you should remember, that transaction pushed to Steem blockchain are authorized by signing each transaction with a proper individual private key. This works only because Steem Blockchain stores a corresponding public key of every user.
And the most important: Steem Blockchain do not store your password. It only stores your public keys generated from your password.
Conclusion: If you want to change a password, a new set of keys has to be generated from it. The password changes when new public keys are upload to Steem Blockchain.
Scenario: Changing a password with Steemit.com website
- User @noisy3 want to change an old, long, and hard to remember password from P5KB2ir4BaDTeeBe5SUW16F6NYGeYSVaUBn261kDPLGGCSiNahtm to a new password
- From user's menu, user choose option "change password" and he is redirected to @noisy3/password
- User has to provide an old password, but he cannot provide a new password, because it is generated by steemit website.
- If user want to change password, he ends up with long, hard to remember but very secure new password, like this: P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx
Question
Why user cannot set an own password?
Steemit changed a password policy in last year. Before that, users were able to set any password. The only requirement was, that it had to be at least 16-characters long.
But the truth was, that if a user set as a password a string of characters like:1234567890123456
, then this password wasn't secure at all, because it was very easy to guess or brute forced using the most common password patterns.Why I need so hard to remember password?
What you actually need is a very secure password, and secure passwords are often very hard to remember. Probably you treat Steemit as another social media website, so you might be surprised, why your Facebook password is not strong and good enough. (BTW, I hope, that you do not use exactly the same password on all type of services - that is very dangerous!)
The reason why your password has to be so secure is simply because with this password you also manage all your funds. So your Steem password should be as hard to guess as your password to your bank account!
Concerns
Generated passwords are very secure, but there are at least 3 big problems with them:
They are hard to remember, and the truth is, that they do not have to be:
You need to trust a Steemit website, that this password is generated randomly, and it is not saved anywhere
Generated in such way passwords follow very well described and known specification. Every Steem user can easily recognize that those random string of letters is probably Steem passwords:
-P5JcPfXayxiaFYPPKrt2BJGajtpACHoh35WZcgP6YKWuvovAYfb1
-P5K6j5G7tp6B9JsR6HVJf7NE828Ms3oMvYhReDrXMZe1dohiPdg4
-P5JigoK5v3E7E2ChbVhjb3Ji9USKz5vJBu9m2Yubf3aeJE1mxAmt
So guess what will happen if you by accident publish your password somewhere, because you copied it from password manager or a file, and you forgot, that your password is still in your clipboard. This might happen:
or this:
Setting own password with Python Script
With script below, you can set any password, and you can do that without Steemit website.
# requirements: python3.5, steem==0.18.8
import json
from steem import Steem
from steembase.account import PasswordKey
from steembase import operations
old_password = 'P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx'
new_password = 'smooth lesson hawk initial promote critic'
account = 'noisy3'
old_owner_key = str(
PasswordKey(account, old_password, "owner").get_private_key()
)
s = Steem(keys=[old_owner_key])
new_public_keys = {}
for role in ["owner", "active", "posting", "memo"]:
private_key = PasswordKey(account, new_password, role).get_private_key()
new_public_keys[role] = str(private_key.pubkey)
new_data = {
"account": account,
"json_metadata": {},
"owner": {
"key_auths": [
[new_public_keys["owner"], 1]
],
"account_auths": [],
"weight_threshold": 1
},
"active": {
"key_auths": [
[new_public_keys["active"], 1]
],
"account_auths": [],
"weight_threshold": 1
},
"posting": {
"key_auths": [
[new_public_keys["posting"], 1]
],
"account_auths": [],
"weight_threshold": 1
},
"memo_key": new_public_keys["memo"]
}
print("New data:")
print(json.dumps(new_data, sort_keys=True, indent=4))
op = operations.AccountUpdate(**new_data)
result = s.commit.finalizeOp(op, account, "owner")
print("Result:")
print(json.dumps(result, sort_keys=True, indent=4))
This script could be much shorter, but I think for educational purposes, script above is better
Script in action
This article belongs to series of articles which describes security on Steemit:
- What is the difference between a password and a private key(s) on Steemit? How to make your account more secure, by using them correctly.
- Public and Private Keys - how they are used by Steem, making all of these possible?
- How to generate all Steem user's keys from master password, without a Steemit website, being OFFLINE
- How to set own password, which is not generated by Steemit (this article)
- How passwords are stored by Steemit in your browser, and why it is secure.
- How to setup multisig/multiple authorities for your account
- ...
Make sure to follow my account, if you don't want to miss any of these :)