Moments ago I changed the owner/active/posting/memo keys of ~500 Steem accounts.
I changed their keys to Steemit's key so Steemit can allow these users to regain access via the recovery mechanism they established.
I was able to do this because I was able to guess these account's passwords.
I was able to guess their passwords because of what I would argue is a flaw in Steem's UI. Specifically, it currently allows users-chosen passwords by default. In most applications user-chosen password are not problematic. However, they are problematic in this use-case because a scrambled form of each user's password must be stored on Steem's public blockchain meaning anyone with a copy of the blockchain can mount a large-scale offline dictionary attack to recover them. Research as well as real-world precedent has repeatedly shown that a non-trivial fraction of users are incapable of choosing passwords resistent to offline-attack even when password complexity requirements are enforced.
Forcing machine-generated passwords in the UI for owner/active keys would be one possible step towards mitigation. I'm aware of the usability counter-argument to this suggestion. However, consider that my effort expended ~1 USD of computing resources and ended up recovering the credentials of accounts with liquid assets valued in the thousands and semi-liquid assets (SP) in the tens of thousands. Given this fact, it would be hopelessly naive to assume offline attacks will not be attempted in the future at much greater scale and by totally bad actors.
I invite others with constructive mitigation ideas to share them.
One futher point, unless explicitly invited by Steemit, I will not attempt any future white hat shenanigans. My motivation was to alert this community to a genuine danger and do so in manner that hopefully leaves a more lasting impression than yet another "how to pick a strong password" snorefest post.
