The Steemit Account Security Tutorial June 2017

steemit account security.png

Will you see the best ways to keep our Steemit accounts safe because until today I was not practicing these myself? After researching the best practices for keeping my account secure, I started logging in a new way to Steemit today because I realize how easy it would be to lose access to my account and found an easy way to avoid this. That said, the most likely way for each of us to lose access to our account is to LOSE OUR OWN PASSWORD which I provide help with below the initial tutorial.

Just having a copy and paste text document or a piece of paper in our wallets or remembering passwords places us at risk of losing our own passwords and makes it easy for someone else to steal them. While any of these ways of keeping passwords are probably okay for logging into Steemit with posting and active private keys, we need something better for the account password. Having a secure and reliable password system in place is HIGHLY RECOMMENDED when using any cryptocurrency wallet online especially on Steemit for keeping the main password safe! LastPass is what I use because it allows me to have my passwords available on any device and generate new secure passwords automatically while remembering one ultra secure master password for the account and 2 factor authentication options making it challenging for anyone but me to sign in.

A simple trick for greater account security.

The easiest method to maintain greater Steemit account security is to log in with our POSTING PRIVATE KEY instead of using the account password. If anyone gets access to our password, they can immediately withdraw any Steem or Steem Dollars and begin powering down all Steem Power, and block us from signing back by setting a new password. Fortunately the recovery process gives a possibility to get the account back but why bother with the risk when there is a simple way to avoid it? Meanwhile, if the posting key is stolen the worst someone is going to do is blow all our voting power or follow a bunch of people we don't want to follow or make crazy posts with our account.

To make transfers, then we also use the ACTIVE PRIVATE KEY to sign the transaction instead of the password for our account because we cannot get locked out of our account just by losing the active key and we can immediately stop any active key theft transactions by changing the password which resets all the private and public keys. Today I tested using the active key for both and IT DID NOT WORK TO POST OR UPVOTE which was surprising because previous guides suggested it would.

Where are the private keys?

To find your private keys, you will need to be logged in with your password and then visit @jerrybanfield/permissions except switch your username in place of mine. It should look like this.

steemit logged in with password.png

See that the posting key, the active key, and the memo key each have private keys along with public keys. To see all of these, log in with the master password and click Show private key or Log in to show. All public keys can be viewed on https://steemd.com/@jerrybanfield on any profile. The private keys are effectively lesser access passwords we can use to give limited access to our Steemit account which is extremely helpful to keep the account secure.

What does each key do?

  1. The Private Posting Key allows permission to create posts, vote, and follow other accounts meaning it handles most everyday activities. Ideally we stay logged in with the posting key and then need to use the active key for transfers ...
  2. The Active Private Key allows transferring, trading, powering up, powering down Steem Power, and voting for witnesses. Unlike what I read in previous guides, my active key today DOES NOT allow me to post which might have changed from how it was months ago. I tried and while logged in with the active key it would not even allow me to vote for a post. Thus, I log in by default with the posting key and then put the active key in when I need to take any of these actions.
  3. The Memo Private Key allows for private messaging. I am not sure if this feature is active now or not. I believe when it is working that anyone with my private memo key would be able to send me a message privately on Steemit. For today, I do not use this key.
  4. The Owner Private Key allows full access to everything EXCEPT changing the password. You will not see the option to view the owner private key in Steemit today because they removed it at some point. Now I believe you can only get it in the CLI wallet or with a script using the password. Ideally it would be good to grab a copy of the owner private key to help with recovery if needed. For simplicity, I suggest just focusing on the password because that has greater access than the owner key and as long as you have the last password, account recovery is possible. If you want to get your owner private key, try this guide @dantheman/get-your-private-key-from-your-steemit.
  5. The Signing Key is used by witnesses and unless you are going to be a witness as I am hoping to be soon, this key is not relevant for day to day activities and is not seen in the Steemit wallet.

For greater account security, log in with the private posting key by default and then sign in with the active key to make transfers.

This is what I am doing now because it is STUPID EASY when we are using the password every day to sign in to have a security breach. We could accidentally copy and paste the password when logging in with it on a daily basis. Several users recently posted their passwords into memo fields on transactions and one white hat hacker thankfully told them about it before a black hat hacker came along and locked them out of their accounts. It also seems not too difficult to hack wifi networks, let someone see your password when you sign in with it, or any of the other thousands of ways to end up letting the password slip out when using it every day. For example, I just finished a trip where I signed into Steemit on a hotel wifi using my password. Someone easily could have been monitoring it and got into my account that way. Now as I use the posting keys, the risk for all these drops a lot and the master password can be kept only for special occasions!

Without the need to use the Steemit account password for signing in each day, our Steemit wallet password can now be easily kept ultra safe using any method from a fire box at home to hiding it in a secret place to getting a safety deposit box to placing it in a password manager under a different name or one of any millions of other tricks you can think of it keep it safe. The one big problem with this is that the harder it is to find, the easier it might be to lose.

The #1 real security risk with our Steemit account is losing our own access to it.

Nearly any statistics of crime and any qualitative research into what makes our lives difficult consistently reveals one uncomfortable fact. We are the most likely ones to cause ourselves a problem. All crime combined is nothing compared to the amount of us that take our own lives directly and especially indirectly through overdoses and related accidents such as drunk driving. Nearly every bad thing in my life that has happened was a result of my own choices.

Therefore the surprising fact is that the main risk to losing access to our accounts is losing access to our own password. If you are using the keys to sign in as I suggest here, at least if the master password is lost you can still post and make transactions as long as you keep those keys. You might even be able to use them to recover your account depending on the evolution of Steemit account recovery. If you sign in with your password and NEVER PULL THE KEYS and LOSE YOUR PASSWORD, that is it! No more account access. If I had to guess, I would say at least 1,000 out of 200,000+ users already have lost their password and are locked out of their accounts.

Being locked out of our own accounts is almost completely preventable with using a password manager combined with some kind of offline backup. Lastpass is what I use because it makes it easy to generate, store, and use passwords on any device while giving me the chance to make one strong master password I remember to get to all of my other passwords.

Combining LastPass with an offline backup gives me an ideal solution for my passwords with ease of use daily and a fail safe in case something happens with LastPass. With using my posting and active keys to sign in now to Steemit, I now have the option to keep my Steemit password out of LastPass to help minimize the consequences of a LastPass security breach whereas before I had to have it in there to sign in each day.

What is challenging for many of us to understand is how easy it is to lose a password when we have so many accounts online that we often do not use for long periods of time. I have lost access to many passwords in the past but was always able to get back in using email. With Steemit, this option is not available if you signed up lately because account recovery via email is not an option as far as I see today. Other cryptocurrency wallets offer absolutely no hope of help making a password manager critical for security online today.

How and when to change the password?

Making a new password is a bit uncomfortable because if we mess it up, we are now locked out. A significant percentage of all my account troubles online have been right after changing the password. Ideally when we make new accounts we would store our generated password safely and use the posting and active keys daily to sign in which would minimize the need to change the password. However, if like me and you have been using it to sign in everywhere such as on different networks and devices every day, changing the password is probably a good idea before switching to using active and posting keys to login because if anyone got access to the password before without using it right away, it will be completely useless to them after 30 days from the change.

Here is what the change password looks like for me at @jerrybanfield/password. Change the username to see yours or just go into the wallet and select password from your profile picture at the top right.

change password field.png

Fortunately Steemit generates a password for us which should be copied and pasted into whatever password backup system we are using and then either copied and pasted back from it or manually typed in to the retype password field to change. When I tried to do mine, I got an error about the owner key permissions first and then it seemed to work the next time upon resubmitting again without refreshing or anything.

Thank you for reading this post because I hope it is helpful for you in keeping your Steemit account secure today! Thank you to @pfunk for his guide A User's Guide to the Different Steem Keys or Passwords at @pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords because this was a starting point for my research today.

If you think this is a helpful post for Steemit users, would you please upvote this because it will help more of us see the simple tips for keeping our accounts secure that might help a lot of us avoid getting hacked?

Love,
Jerry Banfield

H2
H3
H4
3 columns
2 columns
1 column
238 Comments