Passwords are a Problem!

People want to join SteemIt but there's a problem

I've been having great success getting people to sign up for SteemIt! I count 15 people who I directly got on board, and even more indirectly if I'm allowed to count those who they later got on board. My sister, on the other hand, has had mixed results. Her social circle is pretty different from mine, but I think a bigger issue is that she started raving about SteemIt later than I did, and by then the new password system was in place.

Everyone she talked to was intrigued about SteemIt. A new social network that pays you?! Pretty awesome! Of course some thought it was too good to be true, it must be a scam, but many got past that. But few got past the user experience problem.

Passwords are an Anachronism

We treat passwords like they are a fundamental part of using the internet, but that's wrong: the fundamental job is authentication, and passwords are just one tool. And they're a poor tool. When a user authenticates, they care about two things: convenience and security. A password can be very convenient; it's really easy to type p-a-s-s-w-o-r-d into Facebook and have access to your profile instantly. And millions do! The most popular password is "123456", followed by "password". Due to a lack of awareness, people take huge risks with their information security, with identity theft growing at an exponential rate.

Identity theft is still a relatively small problem in scale, but account security is even more important in SteemIt than on Facebook and most other websites people use, because access to a SteemIt account increasingly means direct access to funds which can be sent irreversibly in an instant. It's money dangling out there on the internet, just begging for a hacker to come and pilfer it.

But what about making my password more secure?

Security-minded people have many ways they adapt to the insecurity of the password system. Stronger passwords. More passwords. Password managers. Password managers hidden in a virtual machine disconnected from the internet which you can only access with a USB key. Even the best attempts to improve password security make your passwords less convenient. XKCD passwords are great until you have to remember one for every website you use because you're a sucker for phishing emails! Even one-time-only passwords with Google Authenticator can be intercepted on the fly and used in a way which you didn't intend.

Back to my sister's experiences: SteemIt passwords in particular are difficult. The site now forces you to choose a long random string, which is fantastic for security, and necessary because the data goes straight to a public blockchain. But securing and using such a long string is a large cognitive hurdle, one which we have seen stop many new users who would otherwise appreciate this site.

Stop Thinking about Passwords, Start Thinking about Keys

If you live in a house, it's a good bet that you don't secure it with a password. You probably have a house key. If you have a car, you likely have a car key. So why do we apply such different thinking to the internet? We can have keys to the internet, and today they have gotten quite advanced.

Keys aren't perfect, but all the problems associated with passwords above do not apply to keys. And most of the problems with keys can be solved by using just one relatively simple password in conjunction with them. The hurdle for having a key to the internet is that so far, nobody has been willing to buy one for you. When you started renting your house, your landlord likely gave you a set of keys; you didn't have to go out and get one yourself. The same is true when you bought a car. But Google and Facebook were not willing to give you a key when you signed up, so you don't have a key to the internet. Let's start changing that!

My suggestion may need some ironing out, but these are what I think are the first steps:
(1) SteemIt.com needs to support the U2F protocol so that this can be done at all.
(2) When you're getting your friend onto SteemIt, which you certainly are trying to do, get them to get a key! Maybe even buy one for them; they are not expensive at all. They may be apprehensive about buying something when they are just starting, but you are likely invested in the site and know the value of getting them onto it. Not only will it help them change their thinking about how they use the internet, but it also proves that you think SteemIt is so valuable that you're willing to go to the effort of getting them a physical item to have them as part of the network.
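
To make the difference between a one-time code and a U2F key concrete, here is an added example (not SteemIt's code and not a real U2F library): a one-time code carries no information about the page it was typed into, while a key signs the origin the browser is actually on, so the server can reject a login that came through the wrong site. The JSON message layout, the function names and the look-alike origin are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not the real U2F binary message format.
const crypto = require('crypto');

const SITE = 'https://steemit.com';           // origin the server expects
const LOOKALIKE = 'https://steemit.example';  // constructed look-alike origin

// One-time code: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).
function totp(secret, unixTime) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixTime / 30)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[19] & 0x0f;                       // dynamic truncation
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 1000000).padStart(6, '0');
}

// The server can only compare digits; nothing says where the user typed them.
function serverAcceptsTotp(secret, code, unixTime) {
  return code === totp(secret, unixTime);
}

// Security key: the browser supplies the origin it is really on, and the key
// signs challenge + origin with a private key that never leaves the device.
function keySign(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// The server holds only the public key and checks challenge, origin and signature.
function serverAcceptsKey(publicKey, expectedChallenge, assertion) {
  const { challenge, origin } = JSON.parse(assertion.clientData);
  return challenge === expectedChallenge && origin === SITE &&
    crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const secret = Buffer.from('12345678901234567890');  // RFC 6238 test secret
  const code = totp(secret, 59);                       // same digits on any page
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
  const challenge = crypto.randomBytes(16).toString('hex');
  return {
    totpEnteredOnLookalike: serverAcceptsTotp(secret, code, 59),
    keyUsedOnRealSite: serverAcceptsKey(publicKey, challenge, keySign(privateKey, challenge, SITE)),
    keyUsedOnLookalike: serverAcceptsKey(publicKey, challenge, keySign(privateKey, challenge, LOOKALIKE)),
  };
}
console.log(demo());
```

The one-time code is accepted no matter which page collected it; the key's response is accepted only when the signed origin matches the site.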

I would appreciate some feedback on this idea. It's often the case that someone recognizes the problem, but the solution they propose isn't ideal either. So let's discuss and refine to the point that we have something we can really do.
