SIP - Lost Password Recovery

[bytemaster]

Losing your password has been an unrecoverable sin for cryptocurrency users. The root of the problem is that anyone with the power to reset your password also has the power to steal your account.

Steem's account recovery process can help you recover your account only if you know a password from the last 30 days. This can help you recover if you forget it shortly after changing your password, but doesn't help in cases where your password is gone for ever.

Proving a Negative

It is impossible to prove a negative. Namely, it is impossible to prove that you lost your password. All you can do is prove that you "didn't lose" your password.

One thing we do know is that the probability of a lost password increases with time. This means that in theory abandoned or inactive accounts are likely to be "lost" and the funds unrecoverable.

Identity Verification

Account recovery depends upon a 2nd factor of identity verification. Typically this second factor is trusted by the account holder to not collude with the hacker, but is not trusted enough to have control over the funds. Furthermore, few organizations would want the liability of having authority to reset your password.

Compromise

Allow your account recovery agent to request a change in account ownership after 60 days of inactivity with the active key. Once the request is made, the owner of the account has another 30 days to use their active key and "cancel" the request.

Any account can "opt-out" of password recovery which would disable this feature and make the account holder fully liable.

Security Analysis

Changing a lost owner key is the equivalent of the Recovery Agent hacking your owner key and then colluding with the hacker to change your account while denying you the ability to recover your account.

The recovery agent would have no opportunity to hack your account if you remain active once every 60 days, and then you have 30 days to react to a corrupt recovery agent before any funds are at risk.

All told, if you lose your password and go through this process it will take 3 months to get your account back. For accounts with significant value / reputation it will clearly be worth the wait.

[theoreticalbts]

If we do this, there needs to be monitoring and alerting tools for password recovery requests. E.g. if the recovery agent has the capability to contact the user via email or PM on external social media site, they should start sending the user notifications when their active key has been inactive for 60 days, trying to prompt the user to either use their active key or start the forgot-password process.

[TonySon]

Thank you for @ned @dan @arhag and The Steemit team.

[iamsmooth]

60 days seems horribly short to me, especially since the description requires activity with the active key specifically. Many users, perhaps a majority, may simply use the social media features (posting key) and rarely employ the active key (because payouts are small). This may change if monetary usage becomes more important, as with the marketplace, but even then, not all users will do that.

In other cases users may simply take time away from the platform (months certainly) and just come back later without that being evidence of a lost/forgotten password.

For accounts with significant value/reputation, a longer wait is still worth the wait without intersecting so easily with normal usage patterns. I think perhaps 12 months inactivity is about right and coincides with the short end of typical inactivity periods in other systems (for example laws and rules on dormant accounts, unclaimed payments, abandoned property, etc.) Perhaps inactivity of any kind (including posting key) could trigger recovery more quickly, but 60 days still feels too short to me.

[arhag]

Here is my alternative proposal: https://steemit.com/steem/@arhag/proposal-for-new-steem-feature-deadman-switch-will-recovering-accounts-from-lost-passwords

[bytemaster]

@arhag thanks for your alternative proposal, I am of the opinion that your proposal is overly complex and presumes that people cannot trust someone to execute their will. This is a good case for sub/side chains with smart contracts. A niche compared to the general case of password recovery.

[TheDarkLightX]

Okay, please add to this the ability of the recovery agent to email a public key encrypted copy of the private key of the new owner account private or transmit it as a temporary recovery password.

Those of us who have a public key and secure email system should be allowed to have this in my opinion and I don't see how it would be so risky. Any thoughts?

[TonySon]

Dear Mr.Ned, "steem" CEO of Steemit, Mr.Dan and STEEMIT community.

30 days ago, seems horribly big to me. I cann't login to my steemit account. When my password updated.. I do not understand what is happening with my account.

my profile: https://steemit.com/@tonyson

@TonySon
Respectfully yours.

[theoreticalbts]

HF constant needs updated from HF13 to HF14.

[theoreticalbts]

More issues from code review:

• Need to check reset_request_time is in the past to avoid overflow in subtraction here
• Magic values fc::days(60) and fc::days(30) should be named constants in config.hpp
• reset_account_evaluator should check enable_account_reset
• Document the exact semantics; this ticket is outdated (e.g. ticket says only active key is required)

[theoreticalbts]

There's also an issue where complete_account_reset resets bandwidth to zero. We need to discuss whether it should assert the bandwidth hasn't been updated.

[mvandeberg]

I want to outline all different scenarios under which account recover/reset is necessary and determine how a user should act the gain access to their account.

• Has Owner Key
  No problem. User can change all authorities.
• Lost Owner Key
  If they lost the owner key because the attack was compromised and they have access to a recent owner key they can work with their recovery account and recover the account through the account recovery process.

All other scenarios assume the user does not have an owner key that was last used in the previous 30 days. For password reset, we have to assume an attacker does not have access to a recent owner key otherwise there is no way to prove the account does not belong to the attacker.

If an account has not been compromised a user can abstain from all activity for 90 days to regain full access to their account. This is significantly shorter than the 2 years required to transfer Steem Power to another account to have access to an owner key again.

• Neither user nor attacker have active key
  The account's active authority can be challenged, freezing the posting key. The user can then wait 90 days to reset the account.
• User does not have active key but attacker does
  Challenging the active authority will not lock the attacker out and the attacker can periodically act on the account preventing recovery. This is fixed if we allow challenging an owner authority. There are known problems with allowing challenging of the owner authority as it forces the user to bring the owner key out of cold storage.
• User and Attacker have Active Key
  The user will probably not be able to change the active authority before the attacker does and will lose access to the active key.

Posting key scenarios are a subset of no one having access to the active key and can be fixed by waiting 90 days or challenging the active authority.

Conclusion

The account reset proposal solves many other scenarios that are not addressed by account recovery but there is still one scenario that exists that leaves an account in an unrecoverable state.

[mvandeberg]

When we were previously discussing challenging of authorities, we were going to allow any account to challenge any other. The problem being that for even a high fee and high risk to an attacker, forcing a whale to bring their owner key out of cold storage is enticing. We decided against allowing that behavior because it would be too risky to whales and go against our design philosophy for owner keys.

What if an owner authority can only be challenged by the recovery account? All of the security measures in place regarding recovery/reset assume the recovery account is trusted. This still does not allow the recovery account to change the owner authority, only question the current ownership of the account. In fact, I would change the 60/30 days to measure from the moment an owner authority was challenged rather than inactivity. This allows an account that has a compromised active key to be reset as well. The only scenario in which an account can not be restored to the rightful owner is when the user loses the owner key entirely and an attacker has it. In which case the scenario is indistinguishable from a sold account and so the recovery account should not be able to act on the original owner's behalf anyway.

[arhag]

@mvandeberg: I like that latest suggestion that only the recovery account of an account can challenge the owner authority of that account. I would also like to see the recovery account be unable to challenge the owner authority of an account if that account has a pending request to change their recovery account.

[joinynguyen]

Here is my alternative proposal: https://steemit.com/steem/@joinynguyen/lost-password-recovery-on-steemit

[mvandeberg]

The current implementation assumes that all authorities are derived from a common brain key as is implemented on steemit.com. Should this feature keep this assumption and limit its usefulness to account being used on a site that manages keys in the same way that Steemit.com or should it drop the assumption, handle more use cases, and become useful for sites that may come up with an alternate key management solution?

[mvandeberg]

Currently the reset account and the recovery account are two different entities. Philosophically, should these be different or the same account?

[arhag]

@mvandeberg: Definitely separate. Someone can disable account reset by setting their reset account to "null". But they shouldn't be forced into disabling the very useful owner recovery feature as well. Reset privileges are a more serious risk to their account than recovery privileges, because the latter requires cooperation with someone who has a recent owner key, while the former does not. And the privilege disparity is even greater if only the reset account is allowed to do an owner challenge of the account.

[gfrivolt]

Is there any way or plan to make it possible to recover an account or at least the funds from an account with lost p/w? I know and admit that security is a top value for any blockchain, but still a well designed tested solution for account recovery will be eventually necessary..

@TonySon, did you have luck getting to your account? I've got the same issue as you.

[bionik75]

I have the same issue as @gfrivolt and @TonySon ... registered in steemit in december 2016; ı didnt login about 8 months ... ı forgot my password

my account on steemit :
https://steemit.com/@bionik

best regards

[grctest]

Can we have the ability to add additional password recovery options to our account when we've got full access? I registered using my reddit account last year and deleted the reddit account (irrecoverable) thus I have no possible account recovery options right now :(

[sawadeekrap]

hi there... i am having the same issue....my steemit account @sawadeekrap
and i have my password but it keeps telling me its incorect.... i have not logged in my account in over 1 year....i can easily prove that i am the owner of the account...
regards,
Jean

[grctest]

@mvandeberg How come this was closed? Should I create a separate issue for adding additional account recovery options? Because I have no valid account recovery options.