How the Steem account recovery works (and why your trustee can't steal your account)
Note: This article is aimed at both normal users and developers. The technical part of this post contains both a plain english explanation, as well as the Steem APIs to help developers
As some people may know, I run a service which lets people create anonymous Steemit accounts with BTC/LTC called AnonSteem. As part of the creation process, the account @anonsteem becomes a "trustee" of the created account.
I recently had an AnonSteem user lose their password within a few minutes of changing it. Luckily they never removed the original keys from the site, and I was able to get them some new keys through the recovery system.
There isn't much written about the recovery system, so I had to do a bit of my own digging in the Steem source code to figure out how this works.
Some people may have noticed the "Stolen Account Recovery" on the sidebar of Steemit. This is a built-in network function that allows hacked accounts to be recovered.
But what does that mean? Doesn't this mean you can recover a persons account from thin air?
Short answer: No. In most cases I cannot do ANYTHING at all. Neither can @steem (in the case of accounts created via steemit.com).
The reality is, unless the trustee has a copy of at least one of your owner private keys, they cannot recover your account without your help.
So how does it ACTUALLY work?
It looks really simple, right? Pop in your name, a recent password, and press recover.
They send you an email, you click a few more buttons, and suddenly you have your account back.
The important thing is the recent password.
The STEEM blockchain knows the history of your account, and every owner key that has ever been used for it. When you enter your recent password, it uses that to generate an owner key that can match up to a previous owner public key on the account.
Without that password, the trustee cannot do a thing.
Let's get a bit more technical
The first step in the procedure is to verify that the account holder is the REAL account holder. That's up to the trustee on how to verify.
In my case, I was already helping the user with payment problems on their transaction, so I knew they were the rightful creator.
Once you know it's the real person, they'll need to send you a new public owner key to be put onto the account. They need to make sure they have that private key nice and safe, because they'll need it to actually use the account after.
For this example, we're going to be using cli_wallet
on both the user, and the trustee. This could also be done in python, or on the client in Javascript.
In each example we will call the trustee @anonsteem and the user who needs recovered @someguy123
Step 1) The user will generate a new owner key. This key will be used to log into the account later on
This step could be done using something like @xeroc's Paper Wallet Generator, but for sake of consistency with the rest of the article, here's how to do it via the cli_wallet
.
On the user's CLI wallet:
unlocked>>> suggest_brain_key
{
"brain_priv_key": "TROUSE HARPER COATED CURBER CORREAL FIASCO PRIOR EXPECT STOLEN COLOSS PADGE MELOID SUBITEM TENDENT ASHAMNU REBOLD",
"wif_priv_key": "5JJkdbGadV1RfekzUaqkp9TKQ9MjpBHfQ4TwsHtRrRwC7FyyRyB",
"pub_key": "STM5foN8y9VMznea9pKaRAVQxbbxWz3uYa7AYHkj42kE4bdT2Xvho"
}
Step 2) The user now sends proof of identity, and the new owner public key to the trustee:
STM5foN8y9VMznea9pKaRAVQxbbxWz3uYa7AYHkj42kE4bdT2Xvho
Now, the trustee has verified the account holder is the real person, and has their new public key ready to go. Let's begin the recovery process
Step 3) The trustee load their active key, and uses it to tell the network "hey, allow this person to change their key to THIS, as long as they have at least one of the previous owner keys"
On the trustee's (@anonsteem) CLI wallet (spaced out for readability):
unlocked>>> import_key TRUSTEE_ACTIVE_PRIVKEY
unlocked>>> request_account_recovery "anonsteem" "someguy123"
{
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
["STM5foN8y9VMznea9pKaRAVQxbbxWz3uYa7AYHkj42kE4bdT2Xvho",1]
]
} true
This tells the network that the trustee has proved the owners identity, and that the owner is now permitted to update their key to that public key, as long as they have access to at least one previous owner key.
Now, the users job is to load both their last accessible owner private key, and the NEW owner private key.
Once they're loaded, they will be able to broadcast a recover_account
transaction, that will change the owner key of the account.
Step 4) The user loads both the old and new private keys. They tell the network they want to complete the recovery request by signing both public keys in a transaction with their private keys.
Small note: The "old owner key" has to be recent, which as far as I'm aware means active within the past 30 days (someone please correct me if I'm wrong)
On the user's (@someguy123) CLI wallet (spaced for readability):
(new owner private key, of which they sent the public key to the trustee)
unlocked>>> import_key 5JJkdbGadV1RfekzUaqkp9TKQ9MjpBHfQ4TwsHtRrRwC7FyyRyB
(old owner key that was hacked)
unlocked>>> import_key 5......
unlocked>>> recover_account "someguy123"
{
"weight_threshold": 1,
"account_auths": [],
"key_auths": [["STM.......",1]]
}
{
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
["STM5foN8y9VMznea9pKaRAVQxbbxWz3uYa7AYHkj42kE4bdT2Xvho",1]
]
} true
Step 5) Good to go! The user has a new owner key on their account, and can log into Steemit and change their password.
After this, assuming everything is correct, the user will now have a brand new owner key! If you try to log into Steemit by using the owner key as your password, it will require you to set a normal password so that it can generate your other keys.
You would be able to see this recovery on the blockchain by looking at their account on https://steemd.com
The image above is an example from a real user I helped recover. To give the user a small amount of privacy, I've redacted the username and public keys. (yes I know if you really care enough, you can find this on the blockchain)
Conclusion
I originally thought that the account recovery system was basically a backdoor into any account. After experimenting with the recovery system, I learned that's not the case at all.
Without co-operation from you, the user, in most cases the trustee is NOT capable of "hacking your account" via the recovery system as you might think.
I hope my post has helped people to trust the account recovery system, and also helped developers understand this crucial part of the account authentication system within STEEM.
could you explain how to set trusted account?
That can only be done once every 31 days or so. I'll look into it and maybe post another article about that if I'm successful.
its been 9 months but i reallly love this artcle and it makees me reliegved that if my account ever gets hacked, i can get it back! because if a majorty of steemit witnesses notcied a whale account was hacked, they COULD override the blockchai if t was like everyone against 1 hacker right? Like all the steemit witnesses can help get an account back to someone who gets hacked, as long as they havetheir recet password right? so as long as u find out ur account is hacked BEFORE 30 days passes by, you will be able to get it back if u have ur passwor right?
VERY cool news!
how cani make sure my trustee is steemit.com
if i signedup with steemit.com the normal way like i did, i should be fine right?
basicaly i LOVE knowing i can ttrust the whales and @dan and the steemit "miners" or witnesses to have my back!
Great information, I wondered how all that black magic worked.
Do you know if there is a way to remove or change the "Recovery Account"?
Is it possible for the "Recovery Account" to take control of my account and change the keys?
You can also change your password online then use the account recovery in 30 days to restore it back using your first password. That will demonstrate the feature without the command line. Great job to include the CLI, this is very interesting to show this too. I always use a test account though if I'm playing with this.
The user was on the verge of just creating a second account anyway, and said they were happy to let me experiment with their account.
Might have been better to use an actual testing account, but oh well, the process went smoothly, and I successfully recovered their account, so there's no losses there :)
I didn't bother explaining the online recovery in detail, because that's just not very interesting. This is for anyone who operates any sort-of service that creates accounts, or as of HF14, simply acting as an independent trustee.
Thanks for checking out my posts James!
@someguy123 I posted this question on an post that @noisy posted a while ago, but I just realized that perhaps this is a better place to ask this question. When you said that "The reality is, unless the trustee has a copy of at least one of your owner private keys, they cannot recover your account without your help".
Does this mean that if ANONSTEEM site did not actually delete the first owner private key from the anonsteem server, it could re-store and thus take over the account of a user? I know that the site states that the user can delete the original keys from the server after the account password has been change in steemit.com. But what happens if the user does not delete those keys? Could someone use those keys that were not deleted but should have been to hack the new user account?
If it is possible to hack a user account by using the original/first keys that should have been deleted from the anonsteem server, how do people know for sure that those keys have been deleted from the server?
Hey someguy I hope you see this can I ask how many times can the password be recovered within 31 days from the original one
@someguy123 Question (I know this is 2 years later) If I started an account through steemconnect, are they a trustee on the account as well? My computer had a meltdown and I lost the masterkey to an account I never logged into. But it's clearly a sub-account created through Steemconnect. Do you think it's irrecoverable?
hey @omitaylor. Did you ever find an answer to you your question? I jsut had a similar experience and I would like to get access to the second account created :/