Are account keys be the same?
Today on the Bitshares Hangout, Alex brought to the community's attention that many Bitshares accounts are vulnerable. If your owner key, active key, and memo keys are the same, then your account could be vulnerable.
Some 3rd party applications, ask for your active and memo private keys as a part of authentication. If you ever shared this, then you account is vulnerable, if all the keys match.
To check if the keys are different, go to https://cryptofresh.com and lookup your account.
How to change your keys
A fellow steemian, @sschiessl ,wrote an excellent article on how to change your keys.
Check your accounts immediately and make the necessary changes.
Thanks,
Please Remember to UpVote - ReSteem - Comment
My active and memo keys are the same but my owner key is different. Does that mean I’m okay?
Are accounts impacted differently if they have a local wallet rather than a web-based account?
I was under the impression that having a local wallet meant I was pretty safe: that someone would need my password and be using my computer to access my wallet. True or false?
Thanks
Same here too.
From OpenLedger’s knowledge base, defining the difference between wallet and account (cloud-based) models at https://openledger.freshdesk.com/support/solutions/articles/33000202644-what-are-the-differences-between-account-and-wallet-model-
“Being more secure than the account model, the wallet model is restricted to your current browser and device. To use the wallet in another browser or device, you need to import the wallet backup file or brainkey.”
This seems to confirm my earlier statement on security of the local wallet. I have not found anything else out yet.
Same here, should we do something?
same here, too. I have the same question as @cannonball6
10 steem tip for the one who can answer ;)
If your active key and your memo keys are the same and you have shared your private memo key, then your account is still vulnerable.
Say for instance, I created a website and asked you to enter your private memo key, I could then transfer your funds. That’s because your memo private key is the same as your private active key. Active keys give you the right to buy/sell/deposit/withdraw funds.
The owner keys provides this same access in addition to changing your password.
My owner, active, and memo keys were the same, so I changed my owner and active keys. Afterwards I can continue to read my memos on previous transactions.
As an alternative changing your keys, you could just create a new account and then transfer your assets from the old account to the new account.
Thanks for your follow up, it is appreciated. I am fairly confident I am okay since I have n ver knowingly given anyone access to any of my private keys, but I wonder if there is a way one could do so unknowingly.
You have highlighted the memo function as a potential vulnerability. The only times I have never included any memo is when making a deposit to Openledger and entering my account name in the memo field. I don’t expect this would create a vulnerability but I would love to be corrected if I’m wrong! Thanks again!
The memo key is a vulnerability if it matches one of your other two keys. If all 3 keys are different, then your account is secure.
Take a look at my answer below.
Thanks Mike...great information...cheers
Thanks
Great PSA! Thanks @pairmike.
Thanks
Thanks for the mentioning of my article!
You are very welcome!
Dear All, I sympathize with those users who were affected by the recent hosting provider’s account breach. Though it wasn’t our fault that credentials of some OpenLedger DEX wallets were stolen, resulting in lost crypto assets, I couldn’t stay still. Starting from July 2, our trading platform will launch the Reimbursement Program for such users. Read more in the official announcement at https://dex.openledger.io/access-issue-ol-reimbursement-program. Yours sincerely Ronny Boesing, CEO, OpenLedger ApS.