The forgotten password problem

in #steem5 years ago (edited)

One of the main obstacles to the adoption of cryptocurrencies is the forgotten password problem. In a typical centralized platform you simply fill out a form online to request a new password. Usually it involves providing your username and/or an email. The website will send you a link to your registered email which is used to authenticate that you are the owner of the account. You then proceed to change your password and you are all set.

Source: Pixabay

People are used to this and it makes thing easy. The problem with this approach is that your information is vulnerable to hacks of the central server. On the other hand blockchain is much more secure since only the user can know his/her private keys. However, if you forget or lose it you have no recourse...your funds are lost for all eternity.

So on the one hand with the centralized approach you risk loosing your funds via a hack of the central server and on a blockchain you could lose access to your account forever.

What if there was a way for people to recover the keys to their account on a blockchain with minimal risk? Before I outline my proposal let me use a real world example to ilustrate where I am going with this.

It is not uncommon for someone to give a copy of the keys to their house to a relative or friend. You trust that they will not betray that trust by stealing your possessions. But what if you could give a copy of your key without actually doing it?

I am no expert in cryptography but it occurred to me that this problem can be bypassed by using double encryption. Let's say that you use the public key of a trusted acquaintance to encrypt your private key and you then follow up by encrypting the already encrypted password with the public key of another third party (lets say the operator of a website). You then send an memo to the last security partner.

So your private key would be hidden in plain sight. To recover your private key or password you would need to request the decryption of both messages in the correct order. Of course there are still points of failure (the main one would be if both third parties collude to steal your information or if one of them loses access to his/her account) but if we combine this with the account recovery feature that steem has we can have a very robust system that caters to mainstreem users.

The beauty of this is that your trusted friend doesn't even need to see your encrypted password...it would be like giving out a copy of your key without actually doing it. In addition the site operator does not have to carry the risk of storing passwords.

EDIT: One way to reduce the risk even further is to not let the site operator know who your recovery partner is. You would need to include a secret word (something that you would never forget) as part of the memo that you send out. Your security partner will not know your secret word until you ask him or her to request the password. Even if the site operator is hacked knowing the secret is useless since only your security partner can decrypt your password.

Am I too off base here? Is this doable?

Sort:  

Hi, because this is a bit complicated for me, I better keep it in various ways like I did, have a nice day...

Congratulations @porquesi! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You distributed more than 100 upvotes. Your next target is to reach 200 upvotes.

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Coin Marketplace

STEEM 0.22
TRX 0.20
JST 0.034
BTC 98504.77
ETH 3362.26
USDT 1.00
SBD 3.06