Your Steem account is worth money! How to secure it with a new owner key to keep it yours forever

in #steemit-guides, 8 years ago (edited)

After the big July 4th payout many people's accounts suddenly have tens, hundreds, sometimes thousands of Steem Dollars in them, and thousands of Steem Power too. In this post we're going to learn how to make a new, very secure owner password for our accounts. I'll explain why this is a good security measure, take you step-by-step through the process of creating a very secure password and updating your owner password to it. I'll then touch on what to do with the password or key once you've created and updated it.

See this post for more info about the different Steem account keys.

[Image: Zelda boss key, from Zelda Boss Keys (buy)]

The owner key

Your owner key gives full control over your Steem account. Its user is able to post, vote, transfer funds, and change all keys, including the owner key itself. Notice I said "its user" and not "you"? If someone gets your account password or owner password, they can change all the keys and take your account, and whatever it is worth, for themselves. The owner key is meant to be used only when necessary, and otherwise written down or etched in stone and put into "cold storage," a crypto term for keeping your keys off of running or internet-connected computers.

If you have an account registered through Steemit (you signed up through Facebook or Reddit) and you haven't switched to logging in with a posting key yet, you are probably logging in using the long password that Steemit required you to make. If you haven't made any changes to your keys yet, this password controls all aspects of your account, including the owner key.

[Sidenote: the concept of account ownership needs to be worked out for a Steem constitution].

Let's change it

I hope that is enough to convince you that logging in with your original password is not a good idea, at least not until you've changed your owner key.

WARNING: Take this seriously. Do NOT lose your new owner password.

Before we go further, I need to say that because the owner password is the master key for your account, if you lose it you will not be able to change the other keys if they get compromised and changed on you. Once you make the key, and especially after you've updated your account to use it, you need to make sure it's safe, secure, and won't get thrown out with yesterday's grocery list.

Step 1: Make your new owner key or password

Diceware

To create a super-secure owner password, we are going to use Diceware (Wikipedia).

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select a word from the list.

Each Diceware word gives 12.9 bits of entropy, and because we only have to do this once, we're going to crank those dice all the way up to 20 words for 258 bits of entropy. Diceware is fairly simple and straightforward: get a single die, roll it 100 times (5 rolls for every word), record each result (1-6) on a notepad, then look up the word that corresponds to each group of 5 rolls in the wordlist. Follow the instructions on Diceware's page (scroll down to "Using Diceware") for more detail. You will end up with 20 Diceware "words." If you wrote the words down on your computer, print a couple of copies, and perhaps save them to a USB backup drive (not a local, always-on disk).

See also: XKCD, Password Strength
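As an added illustration (not code from this post or from the Diceware project), here is the Step 1 procedure in Python: parsing a wordlist in Diceware's "<index> <word>" line format, turning groups of five rolls into words, computing the entropy figures quoted above, and the leading/trailing-space check that the update step later in the post warns about. The wordlist entries and roll sequence are constructed samples, and `roll_dice` is a CSPRNG stand-in for physical dice.

```python
import math
import secrets

FACES = 6
ROLLS_PER_WORD = 5
BITS_PER_WORD = math.log2(FACES ** ROLLS_PER_WORD)  # ~12.9 bits per word

# Constructed stand-in for the Diceware list, in its "<index> <word>" line
# format: only the four entries the sample rolls hit, not real list rows.
SAMPLE_WORDLIST_TEXT = """
11111 a
25232 faint
34616 jetty
46354 pudding
"""

def load_wordlist(text):
    """Parse '<five digits 1-6> <word>' lines into a lookup table."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware index {key!r}")
        table[key] = word.strip()
    return table

def rolls_to_words(rolls, wordlist):
    """Group die outcomes in fives (Step 1) and look each group up."""
    if len(rolls) % ROLLS_PER_WORD or any(r not in range(1, FACES + 1) for r in rolls):
        raise ValueError("need a multiple of five rolls, each in 1-6")
    keys = ("".join(map(str, rolls[i:i + ROLLS_PER_WORD]))
            for i in range(0, len(rolls), ROLLS_PER_WORD))
    return [wordlist[k] for k in keys]

def entropy_bits(n_words):
    """Strength of a passphrase of n uniformly chosen Diceware words."""
    return n_words * BITS_PER_WORD

def roll_dice(n):
    """Software substitute for physical dice, drawn from the OS CSPRNG."""
    return [secrets.randbelow(FACES) + 1 for _ in range(n)]

def transcription_ok(passphrase):
    """Catch the paste mistake Step 3 warns about: stray leading, trailing
    or doubled spaces change the key while looking identical on paper."""
    return passphrase == passphrase.strip() and "  " not in passphrase

SAMPLE_ROLLS = [1,1,1,1,1, 2,5,2,3,2, 3,4,6,1,6, 4,6,3,5,4]  # constructed: 4 words
WORDLIST = load_wordlist(SAMPLE_WORDLIST_TEXT)
```

With the post's 100 rolls the same functions yield 20 words and `entropy_bits(20)` gives the 258-bit figure.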

Step 2: Secure backups!

Now it's time to back up that new owner password offline: on paper, USB, DVD-R, Incan knots, etc. I'm going to pass this one over to @steempower, who recently wrote a good guide to diligent backup:

Backup strategy to secure seeds, databases and digital files

Don't take it lightly. Should you ever need it, you'll want to make sure you'll have your owner pass or key well into the future.

Once you've updated your owner password or key, you cannot change it again without the new one! So imagine a worst-case scenario where, as soon as you hit the Save button, your house burns down. Before changing the owner key, make all of your backups, including offsite ones. Procrastination might be your downfall, so it's prudent to do this before going further.

Step 3: Update your owner password

Ok, you have your new password and it's backed up in multiple safe locations, not on a piece of paper hanging precariously over the paper shredder? Great, we're set to update your owner password.

Go to https://steemit.com/@youraccount, putting your account name in the URL where appropriate. Then click the Permissions tab.

[Screenshot: the Permissions tab]

Then carefully click the third pencil icon down, next to the owner key line, as shown below.

[Screenshot: the pencil icon next to the owner key line]

Type your 20-word Diceware password into the boxes carefully, or copy and paste it (paste it into a plain text editor first to make sure there are no leading or trailing spaces; this is important!). Be aware that spacing and capitalization matter too: every character has to be entered verbatim when setting the password and identically when using it, so make sure your hard copy of the password is explicit about spacing and capitalization. Once done, hit Save. The spinning icon will spin just long enough to put a small sense of dread in your mind, but then you'll get the green text and you'll breathe again.

[Screenshot: the green confirmation text box]

You'll still be logged in with your original password, and you'll see that you cannot show your owner key anymore. Success.

[Screenshot: logged in with the original password, owner key no longer shown]

Then if you were to log in with the new owner password, which you don't need to do at all, you'd see you could edit all the keys, including the owner.

[Screenshot: logged in with the owner password, all keys editable]

Backup, backup, backup!

[Image: Billy Mays]

Billy Mays here, reminding you to make sure you've got your password backed up!
BUT WAIT, THERE'S MORE!

Step 4: Make and log in with a posting key or password

Now that you've got your owner password securely backed up, you can move on to posting securely by only logging in with a posting key. I'm going to pass the buck again, this time to myself:

How to login with your posting key (and why this is important)

Your original 16+ character "master" password will still work as a memo key and active key. Remember the active key that your master password controls can still do a lot, including instantly transferring your Steem Dollars and STEEM tokens and less-instantly powering down your Steem Power, so keep it guarded as well.

To reiterate, many of the Steem accounts that most people got for free are now worth much more, so be diligent in protecting the value your account holds. Create an owner key to be kept in cold storage, make sure it's properly backed up so that you'll have it forever, and always log in with your posting key unless you are doing something with your funds.


If you found this or my other posts helpful, click here for my blog page and hit the follow button in the upper right!


Newbie here. I don't have a pencil showing on either posting, active, owner or memo. Anything I've missed?

Hey and welcome. It seems these have been deactivated for now, probably to prevent people from logging in with their active or owner keys. Thanks for pointing this out!

I just signed up and noticed this problem as well. I've set up my miner via Ubuntu 14.04 and need the active private key. I wonder if this is due to the recent hack? Anybody have any thoughts?

I don't have a "login to show" or a "show private key" button for Owner. The other 3 (Posting, Active, and Memo) I do. Is that normal?

Thank you

Great guide! I prefer KeePass or Enpass as password managers / creators.

I agree password managers are easier. The guide above is good for the paranoid. One thing I found that wasn't clear was how to select your password. It seems like there must be a faster / easier method.

Perhaps some ideas on how to generate a good brainkey.

Diceware actually doesn't take that long, if you just keep rolling the dice and marking the result down until you reach 100. Then convert the rolls into words all in a batch.

The point is it's really good randomness. Furthermore, since this owner key is meant to be a one and done, and Steemit could potentially be around for decades, a password with 258 bits of entropy should be good for a while, right?

With KeePass, you can use the password generator. Specify a minimum of n characters, indicate upper/lower/numeric/special etc etc. Then press generate. The password will meet your specified criteria and be non word based.

Thank you!

Is this guide still accurate? I just signed up but I do not see these pencil icons on my permissions page, even though I am logged in.

I've encountered this same thing. Only allows me to change the password to a different random on-site generated password.

I'm in the same boat. No pencils.

Thank you for the guide. But if we want mass adoption, this process must be easier.

Would it be possible to create some kind of archive/folder/place for articles like this?

If someone has access to all but the owner key, what can they do? What are the permissions for each key?

The other keys can do everything but change keys (transferring funds, voting, etc.). The main thing that protects the value of an account as long as you have the owner key is the powering down process taking two years, and one week for even the first payment. If someone were to take over your account (via the other keys) and for example start powering it down or using it to vote on their own posts, you could recover it with the owner key (by changing the compromised keys) and limit the damage.

However, if you have liquid steem or steem dollars in your account those could be stolen immediately with the active key. The memo key could be used to see your private messages.

Cannot change [Deposit using Bitcoin] from the wallet menu!
Ether and BitShares are displayed, but cannot be selected.

Very well timed post my friend. Much Appreciated.

Great job, dear friend. It will secure everyone on Steemit. Thanks once again for briefing such an important point about securing a Steemit account.

Can someone check to see if his passwords were changed a second time?

Very informative post:) Needed this information thank you!

Great guide, thanks!

For some weird reason, the password that I used to create the account (and which was written down) doesn't work.

I am only logged in because Chrome remembered the password. Attempts to login through a separate browser are unsuccessful. Not sure what to do. I confirmed the password at the time...

Good news is you're still logged in! Go to https://steemit.com/@blocks2517/permissions and click "show" on all the keys, and copy them down, then print them or do something to save them. As long as you have the owner key, you can change the other keys. If your master password is stored in Chrome you should be able to extract it too.

Never mind my earlier post that I now deleted. This is the easier option.

Ugh. Password was never saved in Chrome (checked). I'm logged in because of cache.

This kind of sucks. I was going to use this account...

No...Active and Owner keys need a login while the others are clickable.

Not sure how to extract a password from Chrome. This might just be a bummer story. No variations work.

If it's saved in Chrome you can do this: http://www.thewindowsclub.com/manage-view-saved-passwords-chrome

If you can't show the keys for active and owner it sounds like you're logged in with just a posting key though. Hopefully you can recover your original password if it was saved in Chrome but without at least the active key you won't be able to spend any reward.

You should still keep the password you wrote down safe. Someone may in the future come up with a brute forcing tool that can speed up the cracking by using the incorrect password as a hint. There is still a slight possibility that you can recover your funds in the future.

Probably the most valuable post in the long run for people ;)

thanks for the info

Sounds too complicated for the average cats. Don't believe in the mass appeal anymore.

It's your account, you're responsible for it. Do whatever you wish but this guide is for people willing to take a little time and maybe learn something in order to keep their accounts secure for now and the future.

I would personally recommend getting a password manager tied to your browser which you can access by logging into synced account. That way you can update passwords as frequent as you want plus you can print out a list of passwords for all the other services as well all at once.

Looking into the future, I can sense that internet users will need to install password manager at some point with emerging secure applications :)

Hey Pfunk, I saw this and think it would be great to add it into the resource repository I wanna put together for newbies. I saw you read through my article already, just wanted to let you know. Good stuff man. https://steemit.com/wikiversity/@boardwalk-steem/lets-start-a-steemit-resource-repository

Nice guide, thanks!

Thanks! Very useful

Quality information. Thank you very much!

username: tonyson

https://steemit.com/steemit-guides/@pfunk/your-steem-account-is-worth-money-how-to-secure-it-with-a-new-owner-key-to-keep-it-yours-forever

Updated password. I could log in to my Steemit account yesterday (POSTING, OWNER, ACTIVE key). But today I cannot log in (I am not copying them with an extra space at the beginning or end).

I've entered the correct password, but I still cannot connect. I could log in to my Steemit account yesterday.

What is this OWNER password?

This is your main password (owner account). You may change the other keys with it. Don't show your primary and owner passwords to anybody!

Thank you for the guide. I will keep my Steemit secure.

Thanks, just what I was looking for.

Thank you for your guide!

We must secure our account and password like Wall Street keeps its gold... thank you for sharing the information.

Nice post, but it all sounds like gibberish to me... I'm confused, please.

Thanks for the info.

Useful for me

I tried this and the icons next to each password are completely different than in the screencap above. All I have is a button that shows or hides private keys for posting, active and memo. No editing is allowed.

I can't do anything with the owner key; there is no button, no icon. I logged out and tried logging in again with the owner key and got a warning message that that was not allowed. It said I must use a private key, not a public key. What's that all about? Is this tutorial out-of-date?

I don't get it either!! Where do I find my owner private key??

If I have lost my Owner key, is there any way to get that information, seeing how I can only access the public one and not the private one? All info I can find basically says I'm kinda S.O.L.

If you still have your active key, you can still transfer funds, power down, and maybe even make a new account for yourself with a new owner key/master password.

Lol. I looked at the clock and so much time has passed. Your post was so helpful. Do you know an exchange that will accept prepaid debit cards? I need to resteem this for reference... upvote for appreciation. Thank you!!

If you post your owner password are they able to see it on the receiving end?

Thank you! I've been using Lastpass as an online password manager. I think I need an offline password manager too, probably a notepad and a safe deposit box.

I realize that this post was made a long time ago... I'm just wondering if it is still relevant. I can't seem to find the permissions screen. Any help appreciated, thanks!