You are viewing a single comment's thread from:

RE: Offline Attack on Steem User Credentials

in #steem 8 years ago

That's pretty terrifying, and it's a good job that you posted this... It hadn't occurred to me that of course hashed passwords are going to be freely available offline, because in using a web UI you're used to the assumptions of a traditional web model.

Good on you (assuming you did what you said) for just reassigning back to Steemit. Sounds like we do really need 2FA or generated-only passwords... It's a shame that browser tooling around SSL client certs is so user-unfriendly; having a client cert as a per-browser alternative to the generated password would be a good way of removing the usability barrier. Users would obviously still have to store their password, but they could use the installed client cert for day-to-day auth and just use the password for requesting new certs for new devices.
