A quick reminder about your Steem security
When I first came here I did not know all the underlying cryptography and security assumptions. I simply generated a master password in the browser, wrote it down to store it securely, and then used it in the steemit application. Nothing complained and everything was working fine. I think that this is what most people, especially non-tech users, will do.
But it is not very secure. If your computer is compromised, a master password that you type into the browser every day can be stolen, and with it everything on the account, including your funds. Steem actually has a very smart system of separate keys per permission level: the posting key is enough for posting, commenting and voting; the active key is needed for transfers and powering up or down; and the owner key (or the master password, from which all of these keys are derived) is only needed to change keys or recover the account, so it should be kept offline. But all of this is for nothing if you sign in with your master password every day!
A user can essentially create a Steem paper wallet and only ever use their posting and active keys online, giving the account maximum security. This may be too complex for many users, but what everyone can do to immediately improve their security is the following easy steps.
In steemit go to Wallet -> Password
Generate a new password and securely write it down / back it up! This replaces all of your account's keys, so the old master password stops working.
Go to Wallet -> Permissions and write down the new private active and posting keys.
[These are obviously my public keys; you need to click on the buttons on the right to reveal your private keys.]
Log into steemit with your private posting key (not your master password!) and let your browser store that.
Store your active key somewhere accessible; you will need it to make transfers.
Store your master password offline and securely.
Following these simple steps should enhance your account security significantly, and it does not complicate your everyday life much. There really is no downside to doing it, so best do it NOW!
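To make the key hierarchy concrete, here is an added example that is not code from the post or from Steemit. It reproduces the convention the Steemit web client uses to turn an account name and master password into the per-role keys shown on the Permissions page (private key for a role = sha256(account_name + role + master_password), encoded as WIF; public key = compressed secp256k1 point with an "STM" prefix and a ripemd160 checksum). The account name and password in it are constructed placeholders, and the tiny elliptic-curve code is for illustration only, not for real signing.

```python
"""Derive Steem role keys from an account name and master password.

Added example (not code from the post or from Steemit/steem-js).
private key for a role = sha256(account + role + master_password) as WIF;
public key = "STM" + base58(compressed_pubkey + ripemd160(compressed_pubkey)[:4]).
Standard library only; the EC arithmetic is not constant-time.
"""
import hashlib

ROLES = ("owner", "active", "posting", "memo")

# secp256k1 domain parameters
_P = 2**256 - 2**32 - 977
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % _P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, _P) % _P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, _P) % _P
    x = (lam * lam - a[0] - b[0]) % _P
    return (x, (lam * (a[0] - x) - a[1]) % _P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # leading zeros -> '1'


def _b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)  # raises ValueError on a non-base58 char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(s) - len(s.lstrip("1"))) + raw


def private_key(account, role, master_password):
    """32-byte secret for one role. The master password yields every role;
    a posting key alone gives no way back to the active or owner key."""
    return hashlib.sha256((account + role + master_password).encode()).digest()


def to_wif(secret):
    payload = b"\x80" + secret
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return _b58encode(payload + check)


def from_wif(wif):
    """Decode a WIF string; a mistyped character fails the 4-byte checksum."""
    raw = _b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not a WIF private key")
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != check:
        raise ValueError("WIF checksum mismatch")
    return payload[1:]


def wif_is_valid(wif):
    try:
        from_wif(wif)
        return True
    except ValueError:
        return False


def public_point(secret):
    """Compressed secp256k1 public key (33 bytes)."""
    k = int.from_bytes(secret, "big")
    if not 0 < k < _N:
        raise ValueError("secret out of range for secp256k1")
    x, y = ec_mul(k, _G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def public_key(secret, prefix="STM"):
    """Steem public key string. ripemd160 comes from OpenSSL and may need
    the legacy provider on OpenSSL 3 builds of Python."""
    point = public_point(secret)
    return prefix + _b58encode(point + hashlib.new("ripemd160", point).digest()[:4])


def derive_wifs(account, master_password):
    """All role private keys as WIF, as the Steemit Permissions page shows them."""
    return {r: to_wif(private_key(account, r, master_password)) for r in ROLES}


if __name__ == "__main__":
    # Constructed example input, not a real account or password.
    for role, wif in derive_wifs("alice", "P5JExamplePasswordDoNotUse").items():
        print(f"{role:8} {wif}")
```

The point to take from this is that a site that holds your master password can compute every key, while a site that only holds the posting key cannot get at the active or owner key, which is exactly why the steps above matter.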
Frankly, I don't think the solution with a small set of different private/public keypairs is such a very good idea; I do feel uncomfortable giving away my private keys.
There are two other solutions that seem better to me. I wish I could generate a new private key (or "token") for every service/app(lication)/website I'd like to use, tokens with a given expiry date, and tokens that can be explicitly revoked. I suppose this idea would require a hard fork.
The other option is to not give away any private keys or passwords to any service/app(lication)/website, but rather have them send signature requests. Such a signature request could go to a web site that already has either the password or the private keys (i.e. steemit.com), to some specialized website (steemconnect already exists for this purpose?), to some desktop application or cellphone app. This can be done fairly transparently to the end-user (i.e. when I post something from busy.org, it could automatically find out that my account was created at steemit.com and send a signature request there; steemit.com could send me a dialogue box where I'm allowed to do a one-time signature for the specific post or (default) allow future signature requests from busy.org to be approved until I revoke such permissions through the settings).
The latter is possible without a hard fork, but would require quite some cooperation and a bit of development effort by all the major players in the ecosystem.
There are already some options for your first idea. Any account can set up other accounts to use their posting or active roles, and also revoke them at any time. This means that you can keep your keys safe but you give others access to your account. Steemauto for example does that.
The second option can be done by directly interacting with the chain. In an application this will probably not increase the security of less technical users, since they will be using their private keys to sign on an online machine anyway. It might be possible to build special Steem hardware wallets for that though.
It should be noted that the passwords you enter in steemit always stay local on your computer. steemit does not know your passwords! But when your computer is infected that does not really help :)
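The account-authority mechanism mentioned in the reply above works through an `account_update` operation that rewrites the account's `posting` authority. The following is an added example, not code from the post, from Steemauto or from any Steem library; the account names and the key string in it are constructed placeholders. The caveat it encodes is the one that bites people in practice: `account_update` replaces the whole authority object, so the existing `key_auths` have to be carried over or the account loses its own posting key. The resulting operation has to be signed with the active (or owner) key, never the posting key; broadcasting it is left to whatever client you use.

```python
"""Grant and revoke posting authority for another Steem account.

Added example (not from the post, Steemauto or a Steem library).
Builds the `posting` authority object carried by an `account_update`
operation, preserving the existing key_auths so you do not lock yourself out.
"""
import copy


def grant_account_authority(authority, delegate, weight=1):
    """Return a copy of `authority` in which `delegate` may act with this role."""
    new = copy.deepcopy(authority)
    new.setdefault("weight_threshold", 1)
    if not new.get("key_auths"):
        # Broadcasting an authority without your own key would leave only the
        # delegate able to use the role; refuse rather than lock the owner out.
        raise ValueError("authority has no key_auths; granting would lock you out")
    entries = [a for a in new.get("account_auths", []) if a[0] != delegate]
    entries.append([delegate, weight])
    new["account_auths"] = sorted(entries)  # stored on chain as a sorted map
    return new


def revoke_account_authority(authority, delegate):
    """Return a copy of `authority` with `delegate` removed from account_auths."""
    new = copy.deepcopy(authority)
    new["account_auths"] = [a for a in new.get("account_auths", []) if a[0] != delegate]
    return new


def account_update_op(account, posting, memo_key, json_metadata=""):
    """Operation that changes only the posting authority; owner and active
    are omitted on purpose so they stay exactly as they are."""
    return ["account_update", {
        "account": account,
        "posting": posting,
        "memo_key": memo_key,
        "json_metadata": json_metadata,
    }]


# Constructed sample, shaped like the `posting` field of a get_accounts result.
SAMPLE_POSTING = {
    "weight_threshold": 1,
    "account_auths": [],
    "key_auths": [["STM5PlaceholderPostingPublicKey0000000000000000000000", 1]],
}

if __name__ == "__main__":
    granted = grant_account_authority(SAMPLE_POSTING, "steemauto")
    print(account_update_op("alice", granted, "STM5PlaceholderMemoPublicKey"))
    print(revoke_account_authority(granted, "steemauto"))
```

Revocation is the same operation with the delegate removed from `account_auths`, which is what makes this safer than handing a service your posting key: the grant can be withdrawn without changing any of your own keys.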
Hi frdem3dot0! (Sorry for contacting you through this). I read your previous article about why you steem. Thanks a lot for your sincere sharing! That was so much helpful!
If you have time, can you please spend some time for completing a survey? We’re currently doing a survey research on why we keep steeming. It’s a 5-minute survey: https://goo.gl/H1XeJi
BTW, every participant will receive 1 SBD. In addition, you will join a raffle of 10 SBD (selecting 10 people). You can read more details about our survey here: https://goo.gl/kDu364
If you can help us with our research, we would very much appreciate that.
Congratulations! This post has been upvoted from the communal account, @minnowsupport, by frdem3dot0 from the Minnow Support Project. It's a witness project run by aggroed, ausbitbank, teamsteem, someguy123, neoxian, followbtcnews, and netuoso. The goal is to help Steemit grow by supporting Minnows. Please find us at the Peace, Abundance, and Liberty Network (PALnet) Discord Channel. It's a completely public and open space to all members of the Steemit community who voluntarily choose to be there.
If you would like to delegate to the Minnow Support Project you can do so by clicking on the following links: 50SP, 100SP, 250SP, 500SP, 1000SP, 5000SP.
Be sure to leave at least 50SP undelegated on your account.
@frdem3dot0 Thank you for not using bidbots on this post and also using the #nobidbot tag!
Hi @frdem3dot0!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 2.672 which ranks you at #13616 across all Steem accounts.
Your rank has improved 370 places in the last three days (old rank 13986).
In our last Algorithmic Curation Round, consisting of 361 contributions, your post is ranked at #232.
Evaluation of your UA score:
Feel free to join our @steem-ua Discord server