The Beginner Guide To Not Getting Hacked On Steemit
The influx of new users, combined with the recent phishing attempts and DDoS attacks, can mean only one thing: Steemit is going mainstream.
But with this exposure, a lot of potential problems are now a reality. One of these problems is security. Although the phishing scams were shut down quickly, a few users got caught and lost their accounts.
Because of that, and because this kind of how-to was missing from my introductory articles, I decided to write a very quick and easy guide, aimed specifically at newcomers. But I hope it will be useful to any Steemit user who takes security seriously.
Without further ado, let's start.
Question: Where is my account stored?
Answer: Your steemit.com account lives on the Steem blockchain. The account itself is the result of a transaction recorded there, just like your posts, comments, votes and token transfers. It is not kept in a separate database that Steemit Inc. or any other entity controls; every node on the network holds a copy of it.
Question: If it's public, it means everybody can access it?
Answer: Everybody can see that it exists and what it does (all its posts, comments and transfers), but nobody can act as the account except the person holding its keys. Those keys are your account: whoever has them controls it, regardless of who signed up.
Question: I'm confused, what keys are you talking about?
Answer: On the Steem blockchain every account has a few capabilities, and each one is unlocked by its own key. Your posting capability (posts, comments, votes) is unlocked by the posting key. The capability to move tokens (for instance, to transfer them to an exchange) is unlocked by the active key. The owner key unlocks everything, including replacing the other keys; it's the "mother of all keys". (There is also a memo key, used only to encrypt the private memo on a transfer.) The keys form a hierarchy: the active key can replace the posting and memo keys, and only the owner key can replace the owner key, so the more powerful a key is, the less often you should type it anywhere.
Question: What is a public key?
Answer: It's the key that starts with "STM". As the name says, it is public: it is recorded in your account's permissions on the blockchain, and the blockchain uses it to check that an action really came from you. Each role has its own public key: the posting public key is what the signature on every post and vote is checked against, and the active public key is what the signature on every token transfer is checked against. Sharing a public key is harmless; it identifies you but cannot act for you.
Question: What is a private key?
Answer: It's the secret half of the key pair, and it starts with "5" (usually 5J or 5K). When you post something, the content is not "tagged" with the key itself: your client signs the transaction with your private posting key, and anyone can verify that signature against your public posting key. Only the holder of the private key can produce a valid signature, which is why only you can edit your content. THIS IS THE KEY YOU SHOULD NEVER GIVE AWAY. NEVER. EVER.
Question: What is the Steemit password, then?
Answer: That password, also called the "master password", starts with "P5". It is not derived from your keys; it is the other way round: every private key (owner, active, posting and memo) is computed from your account name, the role name and the master password. That is why steemit.com can log you in and show all of your keys from that one string, and why the master password is worth at least as much as the owner key. If you lose the master password but still have the individual private keys, you can keep using the account directly on the blockchain (or through any Steem app); with the owner key you can even set a new password. Nothing lets you compute the master password back from the keys.
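As an added illustration of the master password and key roles described above (example code written for this edit, not Steemit's or steem-js's own code): it reproduces the derivation steem-js performs in the browser, private key = sha256(account name + role + master password), encoded in Wallet Import Format, and adds a small classifier that tells a public key, a private key and a Steemit-generated master password apart by shape before you paste one anywhere. The account name "alice", the seed used to build EXAMPLE_MASTER_PASSWORD and the classify_secret helper are assumptions made here; public keys are only checked by shape, since computing one would need secp256k1.

```python
import hashlib

# Base58 alphabet shared by Bitcoin-style WIF private keys and Steem's STM public keys.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The key roles of a Steem account, from most to least powerful.
ROLES = ("owner", "active", "posting", "memo")


def b58encode(data: bytes) -> str:
    """Plain base58 (no checksum): big-endian integer to digits; leading 0x00 bytes become '1's."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text.encode():
        if ch not in B58_ALPHABET:
            raise ValueError("not a base58 string")
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def to_wif(secret: bytes) -> str:
    """Wallet Import Format: 0x80 || 32-byte secret || 4-byte double-SHA256 checksum.

    The 0x80 prefix is what makes every such key 51 characters long and start with '5'.
    """
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes")
    payload = b"\x80" + secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def from_wif(wif: str) -> bytes:
    """Decode a WIF private key and verify its checksum; returns the raw 32-byte secret."""
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("WIF checksum mismatch")
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not an uncompressed mainnet WIF key")
    return payload[1:]


def derive_private_keys(account: str, master_password: str) -> dict:
    """The derivation steem-js uses: secret = sha256(account_name + role + master_password).

    This is why the master password is worth every key: anyone who knows it and your
    account name recomputes all four private keys offline, without touching steemit.com.
    """
    return {
        role: to_wif(hashlib.sha256((account + role + master_password).encode()).digest())
        for role in ROLES
    }


def classify_secret(text: str) -> str:
    """Say what kind of Steem credential a string is before it gets pasted anywhere."""
    text = text.strip()
    alphabet = B58_ALPHABET.decode()
    if text.startswith("STM") and len(text) == 53 and all(c in alphabet for c in text[3:]):
        return "public key"  # shape check only; safe to share
    try:
        from_wif(text)
        return "private key"  # never share
    except ValueError:
        pass
    if text.startswith("P5"):
        try:
            from_wif(text[1:])  # Steemit-generated passwords are 'P' + a WIF-encoded random key
            return "master password"  # never share: every private key derives from it
        except ValueError:
            pass
    return "unknown"


# Constructed example seed only; not any real account's password.
EXAMPLE_MASTER_PASSWORD = "P" + to_wif(hashlib.sha256(b"example seed, not a real account").digest())

if __name__ == "__main__":
    keys = derive_private_keys("alice", EXAMPLE_MASTER_PASSWORD)  # "alice" is a placeholder name
    for role in ROLES:
        print(f"{role:8s} private key: {keys[role]}")
    for s in (EXAMPLE_MASTER_PASSWORD, keys["posting"], "STM" + "5" * 50, "not-a-key"):
        print(f"{classify_secret(s):16s} <- {s[:10]}...")
```

Run it and compare the four printed keys with what steemit.com shows on its Permissions page for a throwaway account created with the same name and password: they match, which is the whole point. Anything that classifies as "private key" or "master password" belongs in a password manager or on paper, never in a chat message or a login form on a site you have not triple-checked.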
Question: What happens if I give my owner key to a bad guy?
Answer: You're screwed. That person has immediate and complete control of your account directly on the blockchain: they can post on your behalf, take your funds and change every key, including the owner key, locking you out.
Question: What happens if I give my master password to a bad guy?
Answer: You're screwed. Read above. With the master password the bad guy can log into steemit.com and, from the account's Permissions page, read every one of your private keys, including the owner key. Treat the master password exactly like the owner key.
Question: I remember I gave Steemit an email address when I registered? Can't this be used somehow?
Answer: If you remember that email address, or, even better, still have access to it, you can start a recovery process with Steemit Inc., which acts as the recovery account for the accounts it created. Recovery on the Steem blockchain has to be requested within 30 days of the owner key being changed, and you must still be able to sign with an owner key that was valid during that period, so it is a narrow window, not a safety net. Still, all is not lost.
Question: So there is a way to get back my account?
Answer: You're not following me. Your account is just a record on the blockchain, unlocked by your owner, active and posting keys. If you lose those keys, your only chance to get the account back is to remember the email address you signed up with and start the recovery process with Steemit Inc. But while you are doing that, the account may already be drained, so don't rely on this "feature": be proactive and protect your keys.
I guess this is it. If you really understand what's going on and take good care of your keys, you should be OK. Other than that, use sunscreen, don't text and drive, don't drink and drive, you know the drill.
I'm a serial entrepreneur, blogger and ultrarunner. You can find me mainly on my blog at Dragos Roua where I write about productivity, business, relationships and running. Here on Steemit you may stay updated by following me @dragosroua.
https://steemit.com/~witnesses
If you're new to Steemit, you may find these articles relevant (that's also part of my witness activity to support new members of the platform):
You really can't pay enough attention to online security these days. Even Pornhub is getting attacked by hackers and malware spreaders these days.
I would also recommend Steemians install an ad blocker on the browser they use to access Steemit. A lot of viruses and keyloggers are spread through Google/Bing ads.
This post has to be one of the must-read posts for new users on Steemit... thanks for keeping it simple.
It should be added to the info page.
Thanks for this post. It's a MUST READ for everyone who's not sure about those keys.
Thanks for posting this detailed info!
Nice! I've been around a minute or two and enjoyed this still! Thanks!
Thank you for writing and sharing this-- this makes it very CLEAR what's what. I think a lot of people-- and this will get "worse" as Steemit becomes more and more mainstream-- are confused about a site that seems to have (in street terms) "so many passwords."
Public keys, private keys, and different keys to do different things. Most web sites-- as you know-- have ONE password. End of story.
It's important for people to know exactly what each of these ARE and what they DO.
Resteeming.
Thanks and glad you find this useful :)
This is a great write up. I go through intro posts and give promising new people beginner information. A "Security" section is part of it. I want to make sure people understand the basics of account security right away.
In addition to the key issue, people should also understand why using "Savings" to store Steem Dollars and Steem Power to store STEEM is so important. The three-day withdrawal time for Savings and the many-week-long withdrawal time from Steem Power protect your investment here in case you are hacked or have your account compromised.
I'm beginning to think I completely understand the key issue too, but there's still one missing link people fail to mention. Your master key when you get the account starting with P5 is a hint. I was initially getting confused when I looked in my account permissions area and did not see that key. Well, it makes sense, for the key you see listed in the Owner section (same as master) is the public key. The one you get when the account is first made is the private master key. Is that correct? Per traditional PKI knowledge though, that can be confusing. Both should not be shared with anyone. "Public" does not mean it should be given out.
Here's the security blurb I share with new promising accounts when I see them:
Security
Do not use your owner key to log into Steemit.com to post. Use your private posting key instead. Keep your owner key offline as much as possible, and only use it when you must.
Per the advice given by Arcanage, you should only use your owner key to:
A lot of scams have been happening on Steemit recently. If you click a link to a site that prompts you to log into it, be extra careful. Double and triple check the address to make sure it is really steemit.com. A recent scam was using "lsteemit" as the domain name, and people were entering their owner keys to log into it. That allowed the scammers to take those users' accounts, empty the money from them, and then ruin their reputation by using the newly hacked accounts to further the scam.
If you find or suspect a scam, please report it in the #steemitabuse channel on steemit.chat.
Edits and suggestions are welcome. Thanks everyone for being diligent, patient, and helpful regarding the security of Steemit.com!
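An added check for the lookalike-domain scam described in this comment (example code written for this edit, not from the commenter or from Steemit): it parses a link the way a browser will and reports every reason the page should not get a key typed into it. The sample links are constructed for illustration, with the reserved .example domain standing in for whatever host a scammer would actually use.

```python
from urllib.parse import urlsplit

# The only host a Steemit key should ever be typed into.
REAL_HOST = "steemit.com"


def suspicion_reasons(url: str) -> list:
    """Return the reasons a login link should not be trusted.

    An empty list means the link really points at steemit.com (or a subdomain
    of it) over https. The checks cover the tricks that fool a quick glance:
    an extra character in the name, the real name used as a subdomain of
    something else, a "user@" part that pushes the real host out of view,
    and a plain http link that a network attacker can rewrite.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("user@ before the host hides where the page really comes from")
    if host != REAL_HOST and not host.endswith("." + REAL_HOST):
        if "steem" in host:
            reasons.append(f"lookalike host {host!r} is not {REAL_HOST}")
        else:
            reasons.append(f"host {host!r} is not {REAL_HOST}")
    return reasons


def is_real_steemit(url: str) -> bool:
    return not suspicion_reasons(url)


# Constructed sample links, modelled on the "lsteemit" scam described in the comment above.
SAMPLE_LINKS = [
    "https://steemit.com/@alice",
    "https://lsteemit.com/login.html",
    "http://steemit.com/login.html",
    "https://steemit.com.login-check.example/",
    "https://steemit.com@login-check.example/",
    "https://steemit.co/login.html",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "OK" if is_real_steemit(link) else "DO NOT LOG IN"
        print(f"{verdict:14s} {link}  {'; '.join(suspicion_reasons(link))}")
```

The check is deliberately strict about the scheme and the exact host; a real login page for steemit.com will never need an exception to it, and the habit it encodes (read the host that is actually in the address bar, not the text of the link) is what stopped the people who did not lose their accounts.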
Great. That has cleared up a lot of confusion. Thanks
Good info... I was never able to use the other keys. For instance, whenever I post or transfer, it doesn't accept the other keys (posting/active/owner) but will only accept the master key??
It's a simple hierarchy: memo, posting, active, owner,
with the master being able to change the others before it and the owner password to change everything, in the case of someone having access to the keys in any case.
Posting is for general activity, active is for most transactions as well, but you can use any of the higher-level permissions as well.
I'm still not clear on the difference between private and public keys.
For example... Busy asks for the posting key. What exactly are they asking for?
They want you to sign in using your private posting key, so that they can verify it against your already public posting key. You can think of the public key as the "keyhole/card reader" and the private key as your "physical key/key card".
You can use it to log in on other Steem sites and apps, just remember that the responsibility is with you as a user.
In this case, if someone was to have a look at your private posting key, they would be able to blog and comment using your account. To stop them you would have to change your master key(password), which in turn would change all of the keys including the posting key.
It'd be nice if they were to say "log in with your private posting key"... is that too much to ask?
Public key is like your house address, everybody knows it, and knows it belongs to you. Private key is the actual key to your house, so you should never give it away.
Busy asks for posting keys because they will have to sign the posting transaction on the blockchain, to pair your article with your identity.
AFAIK, the posting key never really goes to Busy over the internet, it stays on your own computer. It is used by the JS library of Busy to sign the transaction locally and then the transaction is broadcasted to the blockchain.
Private and public keys are the p2p answer to security, so messages don't get intercepted, pretty much how people sent letters with stamps and seals. Now think that only the corresponding recipient can remove the seal with his private key, because you sealed it with his public key; then you know only he read the message, or whoever is the holder of the other key.
It's cryptography and how blockchains work, that's how you get a trustless system, because users are not trusting the system to do anything else than what it is intended, ie. relay messages.
Cheers :)