You are viewing a single comment's thread from:

RE: SteemConnect V3 Beginner's Guide

in SteemHelp8 months ago

Can anyone explain why Busy.org and Steempeak.com do not have one simple option of login with a posting password?

Sort:  

Let me try.

Every time you do something on the blockchain with your account, your (appropriate) private key is verified to see if you have the right to do so with your account. The blockchain doesn't know it's your account unless it verifies this way.

On general Steem interfaces (like Busy or Steempeak you mentioned), you need to do many operations: log in, post, vote, comment, maybe vote for witnesses and so on. Each of these operations needs to be verified.

Without a mechanism to make things easier, this would make the entire user experience a living hell, with you needing to confirm every single minor transaction (operation).

Now, there are two ways of making things easier.

  • the SteemConnect way
  • the Steem Keychain way

In the SteemConnect way, you AUTHORIZE an application of your liking (Busy, Steempeak or another) to post on your behalf.

While this may seem more than needed, it is one way to effectively just log in to your application and start doing things like posting and voting and commenting, without dealing with confirming transactions every time. But you have to authorize the application first to post on your behalf, and for that you need your private active key, and that is a one-time operation.

In the Steem Keychain way, you don't give any authorization to any application, and for every operation the Steem Keychain browser extension will act as a middle man between you and the application. And every time when the interface asks for the needed private key verification, Steem Keychain verifies it and returns a result to the application.

On Steem Keychain you can decide whether you are asked every time to confirm all operations for a given application (website), or allow an operation and let Steem Keychain know to do the same with all future operations from the same application (logins, posts, comments, votes).

In the future there may be a way for these applications to have simpler user interfaces for a category of users which don't have a full blockchain account (yet), but use the application.

I hope I haven't lost you with an explanation that was more detailed that what you might be looking for.

Thanks for the effort, @gadrian, but I did not ask how the apps are working. My question was: “why Busy.org and Steempeak.com do not have one simple option of login with a posting password?” You know, just for posting and voting, like you can do it at the official Steemit.com page.

You mean without SteemConnect, to enter the private key directly?

Yes.

Because that's not safe/recommended.

I would understand if you said “more convenient”, @gadrian, but… Why it would one password on SteemConnect be more secure than four different level passwords at Steemit security management? What if user exposes this one password to the smartphone data thieves?

Why not leave the option just for posting password for those who want to live dangerously? Like we did do it on Steemit.com? Why not let people decide on their own what is more secure for them?

Why it would one password on SteemConnect be more secure than four different level passwords at Steemit security management?

The private keys are encrypted on your own device. Someone needs access to your device, and nobody is crazy enough to even bother trying to break the encryption. That's why the most common attack vector is phishing or hunting user errors.

Plus, if you would have read my guide you would know on SteemConnect only private posting key are stored, not any of the others.

Why not let people decide on their own what is more secure for them?

Most people don't give importance to security until they lose their accounts and it may be too late for them.

The most dangerous thing to a user's account is the user himself.

If you want to live dangerously, be my guest, but overall an application has to take a responsible approach.

The private keys are encrypted on your own device. Someone needs access to your device, and nobody is crazy enough to even bother trying to break the encryption.

He doesn’t need to bother with encryption if he gets the SteemConnect password. Are we talking about the same things?