Preface
With a massive number of people joining Steemit every day, I have observed that a large majority are rather casual about their Steemit account security. Your Steemit account is not just a blogging site account. It is also your Steem and SBD cryptocurrency wallet. I have also seen a lot of people securing their other crypto wallets with utmost care, yet somehow their Steemit account keys are not as secure as they should be.
This guide is compiled for fellow Steemians and covers the following agenda points:-
- To educate Steemit community about different kinds of passwords / keys and how to secure them.
- To inform the community about which key to use for what purposes.
- To guide the community on how to save their accounts from possible hack attacks by using the best anti-virus.
Why Does Your Account Need Security
Your account needs security because it contains money. That is as simple as it gets. This is not your Facebook or Youtube user account. This is far more important.. So it needs the same level of security as your bank accounts.
At this point, you must be thinking that when you signed up for steemit, you were assigned with a rather excruciatingly long master password that is very safe to say the least so you don't need to worry about anything..
I am here to tell you, "that's where you are wrong..."
But before jumping into how to secure your account, you must first learn about all the types of keys assigned to you by Steemit, which you might have already casually looked at in your wallet under the section "Permissions". If you haven't, it is time to do it.. You can reach your permissions section like this:-
Types of Passwords and Keys on Steemit
There are a total of 4 types of keys along with 1 Master Password for your Steemit account. Each has its own functionality and must be used only for its intended purpose.
1. Posting Key:-
This is the key that every Steemian must use to log in to their Steemit account every day. This key will keep your account secure. If you log in with this key, the only actions you can perform on Steemit are:-
(a) to make a post
(b) to comment on posts
(c) to upvote posts
(d) to follow / unfollow / mute / unmute profiles.
This is pretty much what each of us does when we log in to Steemit. This key does not let you perform any other action aside from those that are stated above. You cannot change your passwords, transfer funds, visit the internal market etc. when logged in with this key.
2. Memo Key
When logged in with this key, you cannot perform any other function on steemit other than following two:-
(a) to decrypt and read private messages
(b) to create and send encrypted private messages
This function is still not available on steemit but I believe there will be one once steemit goes out of beta. This is just for info. Otherwise, this key is pretty much useless in current circumstances.
3. Active Key:-
When logged in with the Active Key, you can perform the following functions:-
(a) all the functions of posting key
(b) to make funds transfers
(c) to make trades in internal market (for both Steem and SBD)
(d) to perform power up / power down to and from Steem Power respectively
(e) to vote for witnesses
Active Key takes you one step further than what Posting Key is capable of doing. This is my second recommended key after Posting Key that most Steemians can use as part of their daily Steemit activities, since it covers pretty much everything that we normally do on Steemit plus some advanced features as well.
Be warned: If someone else gets hold of this key, they may log in to your account and clear out your Steem and SBD holdings in a heartbeat, and that will be unrecoverable.
4. Owner Key:-
As per the latest update of Steemit, the Owner Key is the same as the Master Password. The Owner Key that you see in your "Permissions" section is just the public key (which cannot be used to log in to Steemit). The private key of the same Owner Key is the Master Password itself.
That is why you cannot see either "Show Private Key" or "Login to see" options in front of Owner Key. As of now, the Owner Key is dormant. In previous versions, it used to have its own significance and specific usage. Maybe in future updates, Owner Key will be revived with revised functionalities associated with it.
I still chose to include Owner Key separately here to avoid confusion amongst people who would probably go to their Permissions section and wonder what the Owner Key is..
5. Master Password:-
Here is that password with the long string of characters that was assigned to you when you signed up for Steemit, and this is probably the key you have been using to sign in to your Steemit account since then. The Master Password is the private key of the Owner Key that you see in your "Permissions" section. The Master Password can do all possible functions that your Steemit account has to offer, including regenerating the Master Password itself..
The Master Password is not to be used for your daily activities on Steemit. Please be warned: if the password is stolen, your entire account can be drained of funds, defaced, brought down to its knees, and you can be prevented from ever using your account again. Hence, in the beginning of this post, I recommended using the Posting Key or, in case of accessing the wallet, the Active Key to perform your day to day tasks on Steemit.
As a quick reference, please see the Password / Keys functions and their importance in the chart below:-
What to Do if You Lose Your Master Password and Keys
Nothing. There is nothing you can do. If you lose the master password, you are done. Even if you know your posting key, but you lost the active key and master password, then all you can do is log in, post, upvote, comment, follow / unfollow, mute / unmute.. and that's it...
What to Do if Someone Takes Over Your Account and Changes the Password
If someone has gotten hold of your master password and has changed the password and all the keys in order to lock you out, then there is hope for you. Follow these steps to recover your account:-
- Go to Stolen Account Recovery Page. The link is also available in main site menu.
- Provide your account name.
- Provide the master password that was used in last 30 days (The one that you know and was active before someone else changed it).
- Provide the email address that you used to register your account with.
The 30 days limit is the key here. I cannot emphasize this enough. Because once that 30 day line is crossed, say goodbye to your account forever.
How Can Someone Hack Your Account
Well.. there is no such thing as a hack. The long string of gibberish characters as your Master Password ensures that classic Dictionary attack, Brute Force attack and Xieve attack methods remain unsuccessful. Today's techniques are more simple and sophisticated. I am willing to bet 100 Steems that those amongst you who use iPhones and MacBooks have stored their Steemit password / keys in the Notes application. I am willing to bet 100 more Steems on the fact that almost 95% of those users have Notes Sync enabled through iCloud. So all I need is to retrieve your iCloud password, which is a walk in the park for anyone who has some knowledge on how to do it.
The most efficient way by which someone can retrieve your password is via a Phishing Attack. A person can send you a link to their post / comment that looks exactly like a Steemit link. The fake link will open a page (which will look exactly like the Steemit interface) that will ask you to first put in your login and password, and you will end up giving it to that page. And your account will be gone, since the person who sent you the link has now got your username and password.
You can also provide your own password to someone on a silver platter. How?
- By storing your master password in browsers as autofill and then losing your device
- By losing your phone / laptop where your password might be sitting very nicely in Notes or Word / Excel file
- By handing over your device to someone for longer periods
- By keeping your password copied in the clipboard, then unsuccessfully copying a link to share with someone, and then accidentally pasting your password instead on that particular thread. (Believe it or not, this happens a lot.)
How to Best Secure Your Steemit Account
There are a lot of means to do that. But I will emphasize the most effective and the most practical ones.
- By putting your Master Password in Cold Storage (on paper or on offline storage) and never using it unless you absolutely want to.
- By using only Posting Key for your daily Steemit usage / activities.
- By looking out for phishing pages and links. (if you are already logged in, steemit will not ask you to login again to see a comment or a post).
- By not giving someone your private posting key to do upvotes and comments on your behalf (yes.. people do that).
- By first rechecking, whenever you copy a link on your device, that the intended link has in fact been copied, so that you do not accidentally paste your password in a chat.
- By never using public computers to log in to your Steemit account (as they may contain Key Loggers).
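The accidental-paste mistake described above can be caught by checking outgoing text before it is sent. The following is an added example, not part of the original post or of Steemit's code: it assumes Steem private keys are in the 51-character WIF form (Base58Check, version byte 0x80) and that generated master passwords are a "P" followed by a WIF-shaped string; all function names and the sample key are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_LEN = 51  # length of an uncompressed WIF private key (assumed key format)
B58_RUN = re.compile(r"[1-9A-HJ-NP-Za-km-z]{%d,}" % WIF_LEN)


def b58decode(s):
    """Decode a Base58 string to bytes; raises ValueError on a bad character."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58encode(data):
    """Encode bytes as Base58 (used only to build the constructed sample)."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def checksum(payload):
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_wif(token):
    """True only if token decodes to 0x80 + 32 key bytes + a valid checksum."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]


def find_private_keys(text):
    """Return (start, end) spans of every checksum-valid WIF key in text."""
    hits = []
    for m in B58_RUN.finditer(text):
        run, i = m.group(), 0
        # Slide a 51-char window so a key glued to other characters
        # (for example the leading "P" of a master password) is still found.
        while i + WIF_LEN <= len(run):
            if is_wif(run[i:i + WIF_LEN]):
                hits.append((m.start() + i, m.start() + i + WIF_LEN))
                i += WIF_LEN
            else:
                i += 1
    return hits


def guard_outgoing(text):
    """Return (safe_to_send, text_with_any_keys_redacted)."""
    hits = find_private_keys(text)
    for start, end in reversed(hits):
        text = text[:start] + "[REDACTED PRIVATE KEY]" + text[end:]
    return (not hits), text


def make_sample_wif():
    """Constructed sample key derived from a fixed label; controls no account."""
    payload = b"\x80" + hashlib.sha256(b"constructed sample, not a real key").digest()
    return b58encode(payload + checksum(payload))


if __name__ == "__main__":
    print(guard_outgoing("nice post, see " + make_sample_wif()))
```

Because the check verifies the Base58Check checksum rather than just the length, ordinary long words and links do not trigger it, while a pasted key is blocked and redacted.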
Hey @jbn, You said something about using the best anti-virus in the start of the post. What is it?
Aaah yes.. I use an anti-virus that almost makes it impossible for anyone to take over my account. The best part is that it is free. That Anti-Virus is COMMON SENSE. If you use your common sense while being online, I can guarantee you that all of your assets / passwords / keys / drives etc. will remain secure forever.
How to Reset Your Password
As of now, Steemit does not allow for generation of separate keys. So if you would like to change a specific key, you will have to reset your master password, which will automatically change all the keys in your Permissions section.
Master Password Reset is recommended when you are in doubt that someone else might also be controlling your account or even at the slightest of hints that your account may have been compromised.
To Reset Master Passwords and all keys, please follow these steps:-
- Go to Wallet --> Password (which is right next to Permissions).
- Once inside, please write your username and your current master password.
- Click on "Generate New Password" button. Your new generated password will appear.
- Please make a copy of it and place it in cold storage.
- Rewrite your new password in the field, "Re-enter generated password"
- Check both boxes that say "I understand steemit cannot recover lost passwords" and "I have securely saved my generated password".
- Click "Update Password"
- You will receive a success notification on left bottom of the page and you will be automatically logged out of steemit.
- Login again with your new password.
- Go back to Permissions after logging in again
- Please make a note of all of your keys as they have all been changed as well.
- Now you can choose the key from which you would like to log in to steemit.
please see the picture below to reset your Master Password:
Conclusion
The criticality of this topic demands that education related to Steemit account security must be imparted to all Steemians from time to time (especially to newcomers). This way, we can all contribute towards making this platform better, stronger and more secure.
Kindly consider to upvote and resteem this post
Best Regards
JBN
UPDATE 1.0 TO THE POST
Please note that few changes have been made to the post.
Following Additions have been made:
- How to reset your password / keys
Following Headers have been edited:
- Owner Key
- Master Key
- Flow Chart describing all keys and their functions
All images are mine except the second one that was taken from pixabay
Genuinely good work this is! Incredible guidelines and not just nice-to-apply measures. Securing our accounts, and thus our Steemit wealth, is of utmost importance.
Phishing can be disastrous for people who may innocently give their keys away. If anyone sees a phishing link, it should be reported to the community immediately. Here's how to report a phishing scam and what it looks like.
Resteeming this for wider benefit to the community and more awareness about security. Excellent job again!
Really good article, thanks!
I made note of my keys and am now logged in with the posting key.
Just one thing is unclear. The owner key that I found in permissions doesn’t work. When I try to log in with it, I get the error message that it’s a public key!
I have resteemed this
Yes you are very much right.. Steemit received an update in which they removed the role of owner key. I can't believe that I missed that but I guess that's because I never use owner key.
Kindly re-read the post. It has been edited. You made a wonderful contribution and gave me the opportunity to make my post error free..
I will also give you the short answer here.. the owner key that you see now in permissions is just the public key to your master password. Means you can't use it to log in. So as of now, there are only 3 keys that matter :-
Please re-read the edited header of "owner key" and "master password" for detailed answer . Also re-read the diagram that explains the keys and their functions..
Once again, thank you for the contribution..
Great, thanks! It’s clear now!
Do you have any tips for me to store my master password? I’ve written it down but would also like to save it somewhere. The problem is that I’m on an Ipad and have no access to my laptop at the moment.
Hmmm.. my first suggestion would be to store it on a USB drive that does not remain connected to the internet.. but since you are on iPad, I would suggest that you should download a secure notes application.. do not sync it to your iCloud. Create a note on it. Write your password on it without writing anything else like "steemit master password" etc.. Apply a password on the note that should not be your App Store/iCloud/email password.
You can also remove iCloud sync from your default Notes application and lock the note that has password on it..
I almost put my password in the memo field. Luckily Steemit won't let you do that.
There was a time when it was possible and a lot of people accidentally posted their passwords in memo. ;)
I was thinking about finding some time to read about how keys work on steemit in detail, as I want to make some software which can do automated stuff, and for that purpose, I want to keep my key in a very safe manner on my computer. Now this post of yours was really helpful in that regard.
Well now you know. Steemit is evolving with time and there have been a lot of changes as far as keys and passwords are concerned..
This is the most recent one.. I have updated the post. There were a few errors in it. I would urge you to kindly re-read the role and task of owner key and master password. Also I added a paragraph on how to change your password and keys..
Best regards..
Thanks for this information, but seriously, I am a new member and most of these keys you mentioned I don't know. I remember someone telling me to send my posting key so that anytime I want to post they will all help me with upvotes. Is it advisable to give someone my posting key?
Nooooo wayyyyy... even though posting key doesn't allow anyone to mess with your wallet, I would strongly suggest to never give your posting key to anyone (no matter how much reward they are offering). They can ruin your profile by spam commenting, following people you don't want to follow and posting stuff you don't want to post..
This information is so precious to apply important security rules and preserves your Steemit wealth. The master key is not visible under permissions?
Yes. That is because Master Key is the private key of Owner Key. Owner key is the public key to Master Password. The Master Password will only be visible at the time of generation and that's it..
However you can see your memo, active and posting keys (both public and private) when you are logged in with master password..
Hope that it helped??
You should only put the Owner key and include the Master password under this box; that confuses me with the terminology. This post will change the way I interact with the platform, thank you so much for this Steemit security masterpiece. I am pretty sure most of the users log in every day with the master password.
Good suggestion.. but looking at your reputation, I am guessing you are an experienced Steemian who understands how the platform works.
But most people don't..
The only reason I included owner key in this diagram is because the "Permissions" section still shows Owner key as one of the keys. However Steemit also uses the term Master Password as well.
Hence I decided to include all to avoid confusion amongst newbies who would go to their Permissions settings and then start wondering what Owner key is, since it is listed separately over there..
A long time ago, Owner key was not the public key of Master Password.. it was altogether a different key that could perform all functions except "memo key" functions.
However, in the latest updates, the function of owner key has been revoked, yet it still shows up in the Permissions section. I am guessing that future upgrades will have something to do with this. Otherwise, they would have totally omitted the term Owner Key..
@jbn, thanks for this very informative post! Personally, I use password managers like LastPass to save all these keys and passwords.
Upvoted, resteemed and started to follow you. Looking forward to more good posts to come!
Using password managers is also one of the ways to save keys and passwords in a secure manner..
However most people are not even familiar with how password managers work.. that's why I decided not to include it in the post..
Thank you mate.. hopefully you will like me ;)
Great article keep it up @jbn
It's good to include keywords here that describe what Steemit Account Security is about.
The full content of your description is a unique guideline..
Thank you brother..
thank you so much for this post sir :-) full of important information, useful to all steemians specially the newbies like me :-) God bless po :-)
Thank you po.. what type of password do you use to login to steemit.. did this post make you change your ways about how to login on steemit in a more secure fashion?
I still think that we should work toward a hardware wallet. The situation will get out of hand with the new users not understanding the usual security model on blockchains.
That's pretty much right. Nothing beats the security provided by a hardware wallet.. but do you think that everyone will be interested in buying 100$ + worth of Ledger Nano...
Most people's accounts are not even worth that much here .. just saying though. But you are absolutely right.. I read your article and I felt absolutely gutted to see that Ledger Nano even supports some xyz coins but not Steem.. should have been there..
Assuming a lot of people will eventually hodl more cryptocurrencies, I still think it would be worth it for enough people. Also note that you can pay Ledger to work on your coin (I think it was like 50000€). Since most code is an adaptation of Bitcoin, it is not that hard. But even I was shocked by how many new coins were added.
I am sorry I couldn't upvote your article as it was already paid out..
no worry. The fact that you read it is more than enough. It gives me motivation to work on that.
Keep steeming my friend.. I have started following you so that I don't miss out on some of your great ideas (and duly upvote those in time :) )
What I didn't find out yet is how to change the keys. You wrote "(f) to change active key, posting key and memo key." How do you do that from time to time to keep the account safer?
Thank you for pointing that out.. I had this in mind but I forgot to write about it.. the post has been updated. Kindly read the header just above the conclusion for a detailed answer to your question.
Ok thx - I know how to reset my master pw and that all other keys are changed then too. I just thought that there would be some possibility to just change your active key after some time, when you have used it several times with Steemconnect - just to be sure. Also what I'm still missing is some kind of overview of which other websites/services I granted access to, and an easy possibility to revoke this access (like you can do with Twitter, Google etc.)
There used to be.. in previous versions, active key was used to change all the keys while keeping master password same.. now this facility is gone. So if you want to reset just one key, you will have to reset them all..
Your post is very effective and useful for the Steemit Community. You have educated us effectively and efficiently. Thanks brother @jbn once again.
Thank you brother. I would request you to kindly resteem this for benefit of others..
This is an awesome guide about security on Steemit!
If I'm honest, I think I underestimated this point, which I shouldn't do.
Since more and more money is coming into my account through earnings and the rising price of Steem, I think I have to put a bigger focus on it.
The whole crypto scene is about self-responsibility.
One should not underestimate this important topic since it is your money which can be in danger.
Exactly my friend.. one moment of weakness and your entire account can be emptied within seconds.. stay safe and use posting key to log in.
Also I would advise you to not hold Steem or SBD for too long.. either power up your Steem or sell your Steem/SBD on exchanges to invest in other coins.. because that is liquid crypto in your wallet and can be transferred within 3 seconds..
Yeah usually I try not to have more than 30 Steem or SBD in my wallet.
Thank you for the reminder buddy
Very informative post. But I am still confused about the keys, because I only have 1 password, and that is the master key which was generated by Steemit when I joined. I never received or created or generated any posting key or active key.
I don't know how to generate a posting key or an active key. Can you please make a detailed post about how to create a posting key and active key, and how to use these keys to log in and out on Steemit.
Many thanks
The keys must be in the permissions tab in the wallet. Go to "Wallet" and then click "Permissions". You will get all the keys there.
Thanks for the information about Steemit. Good work, and done, I resteemed your post :) Keep it up bro.
Thank you very much.. which part helped you the most??
@jbn this is very very helpful to me thanks
@jbn Upvoting as this is a very important post all must read