How I nearly lost my Steemit account (and all my STEEM) - A WARNING
TL;DR: I saved my Steemit password in Safari and when I dropped my MacBook I was unable to recover my passwords to a new machine (even though I had two complete, redundant backups) because of a recent and subtle change to how Apple encrypts saved passwords.
MY WARNING: "Ramblin' Bob's eighth rule"
WRITE DOWN a backup copy of your Steemit password on PAPER, no matter how good or reliable you think your current backup might be.
When I signed up here in July 2016, after the big blitz of publicity, my brain must have been thinking "this is like reddit" instead of "this is like bitcoin". I was fortunate enough to have a completely separate (and paper-based) backup of all my bitcoin-related passwords. But for some reason it was unclear that I would ever really use (or store money) here on this site when I first signed up and that was the error that nearly cost me dearly. I was only an occasional and reluctant "oh I'll just save my password in the browser" person at that stage. And my brain's first impression of this site must have been "this is a social media site" instead of "this is CASH" because I let Safari save my Steemit password and assumed my double redundant backups of that MacBook would be reliable enough. It was not.
Last month, in the midst of my crisis I posted this writeup and warning to the macOS sub on reddit (because I couldn't post here!):
On Dec. 1st I dropped my 2012 MacBook Pro Retina. The display/hinge area broke and I was never able to boot up the machine again.
I was originally unimpressed with the new Touch Bar MacBook Pro and wasn't intending to replace my trusty old machine just yet, but this accident became the excuse to run out and buy the new replacement. Since I had a recent Time Capsule backup of my old machine, I figured I would be in good shape ... until...
I used Migration Assistant to restore everything from the Time Capsule to my new Touch Bar Mac, and after many, many hours everything popped up on my new MacBook Pro ... except my passwords saved in Safari!
Originally I was very conservative in using a browser to save my online passwords. For years I had the feature turned off, but eventually I acquiesced and started using it, but with iCloud Keychain syncing turned off, so the passwords were just stored locally, encrypted in my Keychain, and not on Apple's servers. I figured this, with multiple local backups, was the safest and most secure route to use this feature.
I've recently learned that this was probably wrong.
Apparently something changed around Safari 9 or 10 in how Safari stores your passwords. Originally they were stored in your login.keychain (located in ~/Library/Keychains) which you could inspect with Keychain Access. Now is seems that if you use a password Safari had previously saved in your login keychain, Safari now removes it from the login keychain and (if you have iCloud Keychain syncing off) saves it in the "Local Items" keychain, which is saved in a UUID named directory inside ~/Library/Keychains in an encrypted database.
The trouble arises if your machine ever breaks and you need to restore to new hardware. It seems this new iPhone-style encryption of the Local Items keychain is machine specific. If you restore this database to a new machine, Sierra creates a brand new directory/database with its own UUID and apparently cannot read the old one.
I've been going back and forth with Apple Support for three weeks now trying to get a resolution to this situation. For weeks they'd come back and try to walk me through how to restore the login.keychain file and I'd try to explain to them that Safari's passwords aren't saved there anymore.
It got escalated to second and third level support, then to engineering, and then beyond engineering, until they finally got back to me today, after nearly a month of trying to resolve this issue, to say: "yes, we're sorry, it seems you are right. Even with ample backups it seems like those saved passwords are probably gone. There's nothing we can do now but stay tuned for a future update that may or may not help resolve your problem."
So for now, IF YOU ARE USING SAFARI 10 TO SAVE YOUR PASSWORDS: either turn on iCloud Keychain syncing to save a copy on Apple's servers, or get a secondary/paper backup copy (that does not depend on backup copies of your files) of all those outrageous random digit passwords Safari is generating for you. Because if you break your specific machine, they may be gone.
Well (obviously, I was able to post this) I can report that this story does have a happy ending. After months of going back and forth with Apple, they essentially gave up and said "those passwords are gone". Fortunately through months of frustration trying to deal with this issue I developed a deeper understanding of how and why this could have happened (despite two good backups) and I came up with the solution that got me out of this jam: repair the original broken MacBook.
Fortunately it was the hinge and display that broke when I dropped this MacBook. The internal SSD drive and (more importantly) the original CPU (and original UUID that did the encrypting) were (in theory) still in good shape. If Apple could repair the display enough to get the machine booting again, I could be in good shape. Of course if that MacBook was burned, stolen, or dropped from slightly higher, this story might have a very different ending.
So I'm happy to say, me (and my STEEM!) are back. And WRITE DOWN A COPY OF YOUR PASSWORD!
Found this through SteemBoost, following.
This is very good info !! Back that password up
Me too.
As a bitcoin pro the first thing I did when creating my account two days ago was writing my PW down on paper.
THIS IS A MUST-DO for anyone. Nice story you got there to back up this point. : )
I have my passwords in my apps so if I did drop it I can get access to all my stuff through internet so I still have access to it
Always a great idea to have a backup for a backup especially on Steem with $100's to $100k at stake. Excellent post @ramblin-rob
A good reminder to back everything !
Thanks for sharing that very valuable lesson with us @ramblin-bob
Came across this via @steemboost and upvoted.
New Steemian
@incomepal
Janitor unit says much pine sol to Unit's suggestions. Unit found your post through Steemboost as well.
This is good advice. Already wrote it down and secured my passwords.
Follow me i'll follow you back
This is the best advice that most people probably will not listen to and follow. Thanks for sharing this story and hopefully reaching a few folks before it is too late.
thanks for the warning....ought to be careful