Last night I dealt with two cases of Steemit account thefts. Apparently two users were unable to log in, and one of their accounts seemed to have some SBDs transferred out. The transfer memos were different (old vs new) and things seemed fishy.
They reached out for help on Steemit.Chat and I advised them on how to proceed further. Most users are unaware of, or careless about, the basics of account security. In light of these new developments I felt it would be good to write a quick guide on doing things the right way on Steemit.
Generating Posting & Active Private Keys
This is what 100% of the new members should be doing to protect their account. If you've been around longer and are yet to secure your account then you can simply follow this guide.
At account creation you are given a password. This is the master key or owner key to your account, and if you lose it then everything is lost. Use it only to generate your posting private key and active private key, and use those for everyday activity instead. If you lose the master key, or a hacker gets hold of it, they can simply change the password and it would be difficult to retrieve your account.
Steps for generating Steemit Private Keys:
- Visit Wallet page and click on the Permissions Tab.
- Click on Show Posting Private Key and save the Private key
- To retrieve your Active key, you must log in with your master key under 'Active' in the same tab and it will show you your Active Private key.
- Back up all keys in multiple places (cloud storage, print it, store it on a pen-drive in your locker).
Posting private key allows you to vote, comment and participate on Steemit.
Active key allows you to trade on the internal market, change settings, and most importantly use your wallet page to make transfers, power up, power down etc.
As you can see there is absolutely no need to use your main password to login and use Steemit everyday.
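The reason the posting and active keys can be handed out separately is that Steem derives each role key from the master password by hashing the account name, the role name and the password together, then encoding the result in Wallet Import Format (the keys starting with "5" that the Permissions tab shows you). The example below is added here and is not Steemit's code; it re-implements that derivation in Python so you can see that the posting key, active key, owner key and memo key are independent of each other, while the master password regenerates all of them, which is why it must never be used day to day. The account name, password and function names are constructed for the example.

```python
import hashlib

# Base58 alphabet used by Bitcoin-style WIF keys (Steem uses the same one).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Order of the secp256k1 curve: a raw key must be below this to be usable.
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

STEEM_ROLES = ("owner", "active", "posting", "memo")


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def private_key_to_wif(raw32: bytes) -> str:
    """WIF = Base58(0x80 || 32-byte key || first 4 bytes of double-SHA256)."""
    if len(raw32) != 32 or not (0 < int.from_bytes(raw32, "big") < SECP256K1_ORDER):
        raise ValueError("raw key is not a valid secp256k1 scalar")
    payload = b"\x80" + raw32
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def wif_to_private_key(wif: str) -> bytes:
    """Decode a WIF string back to the raw key, verifying prefix and checksum."""
    data = b58decode(wif)
    payload, checksum = data[:-4], data[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if len(payload) != 33 or payload[0] != 0x80 or checksum != expected:
        raise ValueError("invalid WIF key")
    return payload[1:]


def role_seed_digest(account: str, role: str, master_password: str) -> bytes:
    """Steem's scheme: the role key is sha256(account + role + password)."""
    seed = (account + role + master_password).encode("utf-8")
    return hashlib.sha256(seed).digest()


def derive_role_keys(account: str, master_password: str, roles=STEEM_ROLES) -> dict:
    """Regenerate every role's private key (in WIF) from the master password."""
    return {role: private_key_to_wif(role_seed_digest(account, role, master_password))
            for role in roles}


if __name__ == "__main__":
    # Constructed sample values; a real master password is a long random string.
    keys = derive_role_keys("alice", "P5constructed-master-password")
    for role, wif in keys.items():
        print(f"{role:8s} {wif}")
```

The hash step is one-way, so someone holding only your posting key cannot work backwards to the active or owner key, but anyone holding the master password can run exactly this derivation and obtain all four. That asymmetry is the whole point of logging in with the posting key and keeping the master password offline.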
You must read these two articles by @noisy that describe these keys and their use in depth: Article 1 and Article 2.
Witness and top user @pfunk has made an excellent guide on different Steem keys and Passwords as well as securing your account with a new Owner key. Please read these articles to ensure security of your account and assets.
Steemit Account Recovery Guide
Steemit is unlike any other social media platform on the web. Due to the inherent nature of its monetary system, the blockchain by design makes it difficult to recover your password in the event of a loss or theft, as it is difficult to ascertain ownership in some cases. If for some reason you never used the aforementioned keys to secure your account you may still have a chance at recovery, but you have to follow these exact steps to ensure quick account recovery.
Conditions That Need To Be Met For Recovery
- Your password/keys were changed/lost.
- You have the original master password or owner key from account creation.
- You complete account recovery within 30 days of when your password/keys were changed.
- You have access to the email address originally used when creating your account.
Steps For Account Recovery:
- Enter your username and old master password or owner key by going to Wallet -> Password Tab -> Recover Account Option.
- Use the exact Email that was used to create your account. If you use a wrong email this can delay the process or it might not be possible for Steemit to take action.
- You have to submit the request within 30 days of loss of access to your account for Steemit to consider your request.
- Send an email to Steemit at support at Steemit.com mentioning all the facts related to your situation.
Currently the system is set up to prevent someone from stealing your account, and in such a case you can recover it within 30 days of losing access to it. It is entirely up to the user to come forward, attempt account recovery and report the loss of account access to Steemit.
Stupid Mistakes Noobs Do
- Never researching further into the workings of Steemit's blockchain system and certain intricacies of its operation.
- Treat this platform as you would treat Facebook/Twitter in terms of account security.
- Logging in with Master key on your laptop browsers.
- Using master key on mobile browsers instead of using apps like eSteem built by @good-karma.
- Sharing keys with each other via unsecure channels when requesting assistance.
- Sharing keys in the memo as described by @noisy in his Steemit account hacking article.
- There's no dearth of stupid things that we do with our password but you get my point!
Secure Your Systems
- Use incognito mode if possible or simply use the private posting key to surf Steemit.com
- Use eSteem or a similar client on mobile. Don't use the browser when you can avoid it. Generate a QR code and use eSteem to load your password with a simple scan.
- Use Zenmate or better proxy for your chrome browser.
- Use good anti-virus, firewall and anti-malware software on your Windows-based systems.
- Use Little Snitch for securing your Macs.
- Don't trade keys over email or messenger apps. Use Google Docs and delete the file, also from the trash, after sharing.
- Use Google Authenticator/Authy to log-on to your email/gmail accounts instead of or in addition to phone SMS/OTP and save your backup passwords carefully.
- Don't use browser anti-virus extension as it can be a deterrent to your privacy and security.
I hope this article prevents further issues for new and established users who are unaware of these security features of Steemit.com. Maybe in the future, Steemit will make an easier account recovery system but for now it's easier for the end users to protect our accounts by simply being smart about it.
If we are ignorant we will risk losing our work and our Steem/SBD worth a lot of money! There is no point in holding Steemit responsible for being unable to recover your account thereafter.
Kindly re-steem and share this with your Steemit friends and help them secure their accounts.
Disclaimer: I'm not a data security expert and this is purely based on my personal understanding of Steemit. Security experts are welcome to advise on better ways to secure Steemit accounts which any layman or newbie can easily follow without confusing themselves.
You may also continue reading my recent posts which might interest you:
- Crypto Current Affairs—South Korea Drafting Bills to Legalise Bitcoin & Ethereum!
- Crypto Current Affairs—Is Bitcoin Legal Tender in India?