Since putting together the FAQ a while back, we've seen significant changes to the Steem ecosystem and have had many new users join us, so I think an update is overdue. Given that the full document is 56 pages long, I'm breaking it up into smaller sections so it's not overwhelming for readers. I'll be updating and sharing it one part at a time. Included in this post is "Security."
Some of this section starts to get technical, so if you don't understand something, don't worry and just move on to the next section. However, you should take time to familiarize yourself with keys; they are what keeps your account secure.
I'm close to finishing the updates. My final FAQ posts will include the categories:
- Technical Questions
- Other
If you have any questions about Steem, let me know and I'll try to get them answered or add them to the updated FAQ.
Security
How can I keep my Steemit account secure?
Save your master key and keep it somewhere safe
Log into your account using:
- Posting Key (Recommended, can be used to upvote/comment/post)
- Active Key (All permissions of posting key + Ability to transfer funds)
Change your key frequently
Be mindful of third parties claiming to keep your keys safe. They may not be safe and could even have malicious intentions.
How do I make my active key and owner key different from my posting key? Does the GUI allow this?
It is a very good practice to use a separate key for the active authority and another separate key for the owner authority. It is also a smart idea to keep the owner key offline. Unfortunately, the steemit.com GUI does not currently support independently changing the keys of the various authorities. Any password change on steemit.com changes the owner key, active key, posting key, and memo key in such a way that all four can be derived using the password. Other Steem community members have created third-party tools that can change a user's authorities independently. Options include @xeroc's Piston, @modprobe's Steem Pressure, and more (warning: these are third-party tools developed by people with no official association to Steemit Inc., and some of these tools might be in beta, so use at your own risk). You can also change your keys using the command line cli_wallet tool that can be compiled from the official Steem codebase.
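As an added example (not code from the original post, Steemit Inc. or any of the tools named above), the Python below shows the derivation the common Steem client libraries use for the four role keys: each role's private key is sha256(account name + role + master password), encoded in WIF. It makes concrete why one password change rotates all four keys, and why a leaked master password exposes every authority at once; the account name and password are constructed sample values.

```python
import hashlib

# Base58 alphabet shared by Bitcoin-style WIF encodings and Steem keys.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def b58encode(data: bytes) -> str:
    """Base58 without checksum; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body

def private_key_bytes(account: str, role: str, password: str) -> bytes:
    """Steem libraries derive each role's key as sha256(account + role + password),
    so anyone holding the master password can recompute all four role keys."""
    return hashlib.sha256((account + role + password).encode("utf8")).digest()

def to_wif(secret: bytes) -> str:
    """Wallet Import Format: 0x80 || secret || first 4 bytes of sha256(sha256(...))."""
    payload = b"\x80" + secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)

def from_wif(wif: str) -> bytes:
    """Inverse of to_wif; the checksum rejects mistyped or truncated keys."""
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if len(payload) != 33 or payload[0] != 0x80 or checksum != expected:
        raise ValueError("not a valid Steem/WIF private key")
    return payload[1:]

def derive_role_keys(account: str, password: str) -> dict:
    """Map each role to its WIF private key; all four change when the password does."""
    return {role: to_wif(private_key_bytes(account, role, password)) for role in ROLES}

if __name__ == "__main__":
    # Constructed sample account and master password, not real credentials.
    for role, wif in derive_role_keys("alice", "P5sampleMasterPassword").items():
        print(f"{role:8s} {wif}")
```

Every Steem private key produced this way is a 51-character string beginning with "5", which is the format you see under "Show Private Key" on steemit.com.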
Is it safe to use my account while on public wifi?
No, not without first taking additional steps. To prevent someone from hacking into your account while on a public wifi network, you should use a service like Private Tunnel VPN. Also, if you are only posting, commenting and voting, log in using your Posting Key.
See: In my account, I see “Keys.” What are these? How are they used?
@ash/how-to-steem-it-secure-in-the-wild
In my account, I see “Keys.” What are these? How are they used?
Steem has five different keys (passwords) associated with each account. Four of these are used with typical accounts and the fifth by witnesses. They are Owner, Active, Posting, Memo, and Signing keys. Each has its particular set of functions and limits.
The Posting, Active, and Memo keys all have what is called a private key that can be viewed on Steemit. Your private Owner key is the password you used to sign up for Steemit. Do not share your private keys. When logging into your account, you will be doing so with the “private” option of that particular key, because it will give you the ability to perform specific functions.
To see your private keys:
- Click: “Wallet”
- Click: “Permissions”
- Click: “Show Private Key” next to the key you wish to view
A key is like a password, except that each key allows the user to perform only a specific set of functions. Notice I said “the user” not “you.” If someone else gets ahold of your keys, they will have full control of your account.
Owner Key - The owner key allows its user to post, vote, transfer funds, vote for witnesses, and change all keys, including the owner key itself. The owner key is only meant for use when necessary. The only thing the owner key cannot do is decrypt private messages/memos sent to you; only the memo key can.
Posting Key - The posting key allows accounts to post, comment, vote, and follow other accounts. Most users should be logging into Steemit every day with the posting key, only using the active key when something to do with transferring funds or changing keys is necessary. You are more likely to have your password or key compromised the more you use it, so a limited posting key exists to restrict the damage that a compromised account key would cause.
Active Key - The active key can perform almost all functions for an account except change the owner key. It can change all other keys on an account, including the active key. The active key can do everything the posting key can do, plus it allows transferring, trading, powering up/powering down Steem Power, and voting for witnesses. It cannot decrypt private messages encrypted to your memo key.
Memo Key - The memo key is the only key that can decrypt private messages sent to your account. The Steemit team will implement this private message feature in the future.
Before you start logging in with any other keys, ensure your keys are backed up, and your backups are backed up!
@pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords
Is Steem, Steem Dollars, or Steem Power insured in the event of a hack or if someone takes over my account?
No, it is not. If your money is in Steem Power, however, it is impossible for a hacker to take out more than 1/13 per week. If you have your STEEM or Steem Dollars in savings, the hacker will have to wait three days to withdraw any money. These three days should be enough time to recover your account.
In my wallet, what is “SAVINGS?”
Savings is a way to keep your Steem and Steem Dollars more secure. If you transfer your tokens into savings, you’ll have to wait three days to transfer them out. This gives you time to change your keys in case of an account hack.
How do I set up my recovery account?
Everyone is already enrolled in the recovery feature by default. The only question is who your current recovery account is set to. You can find out the recovery account for anyone's account by, for example, looking for the corresponding field on their steemd.com page. On the page for my account, you can see that the recovery account is currently set to "steem". This is the account that Steemit Inc. uses to help users recover access to their account. You might notice that some accounts, such as @gxt-1080-sc-0001, have a blank recovery account. A blank recovery account simply means that their recovery account is the current rank 1 witness. The default for newly mined accounts is a blank recovery account. On the other hand, the default recovery account for a newly created account is the creator of that account. So accounts registered from steemit.com use "steem" as their default recovery account. As another example, we can look at @someguy123's awesome AnonSteem service, which allows users to create a new Steem account over a Tor connection by sending the service an appropriate amount of bitcoin. This is an alternative to Steemit Inc.'s free registration faucet for creating a new Steem account. New accounts created using this service have @anonsteem (the creator of accounts registered through that service) as their default recovery account. For example, one can look at the steemd.com page for @steemmarket to find that it currently still has its default recovery account of @anonsteem.
So what if you want to change your recovery account? Or what if you want to disable the recovery feature for an account entirely? While it isn't possible to disable the recovery feature, you could simply change the recovery account to "null" (@null is a special account on Steem that no one has any control over), which effectively does the same thing. It can still be changed back to some other account in the future, but like all changes to the recovery account, for security reasons it requires owner authority and has a 30-day delay before the change actually gets activated (and the change request can be cancelled using owner authority at any time in those 30 days). It is possible to change your recovery account using a cli_wallet command, but I'm not aware of any user-friendly GUI tool or interface to do so currently. Again, I will let someone else write the step-by-step guide for how to change your recovery account using cli_wallet.
How does the recovery process work? What should I do first if I discover that someone hacked my account?
You must have already assigned a trusted individual who can identify you independently of your key. Steemit can identify users by their email, Facebook, and Reddit logins (if you signed up through us). You could also use your mother, wife, employer, or friend, or another 3rd party provider.
When you notice your compromised account, you should contact your account recovery partner (the trusted individual) and ask them to submit a request to change the locks on your account. They verify you by whatever means they find satisfactory and then submit a proposal to the blockchain to change the locks on your account.
Once you submit the proposal to the blockchain, you will have 24 hours to log in with both your old and new keys (aka passwords). Any key you used within the past 30 days is sufficient. If you log in in time, then the keys will be changed, and the hacker will be locked out.
If you don't have a key used in the past 30 days, then your account will be unrecoverable.
@someguy123/how-the-steem-account-recovery-works-and-why-your-trustee-can-t-steal-your-account
What if your Recovery Partner is Hacked too?
In this case, they would appeal to their own account recovery partner. Once they recover their account, they can work with you to recover yours. It is exponentially unlikely that the hacker can compromise every account in a long chain of recovery partners. Therefore, you and your recovery partner should not use each other as your backup.
@dan/steemit-releases-groundbreaking-account-recovery-solution
Again, if you have any questions about Steem, let me know and I'll try to get them answered or add them to the updated FAQ.