Difference between revisions of "Steem Key Management"

From Steem Center
(Links, related articles, references, etc)
m
 
(42 intermediate revisions by 7 users not shown)
Line 1: Line 1:
=Managing Keys=
+
To keep your [[Steem]] account secure you must save your master password and keep it somewhere safe. The master password is used to derive all keys for your account, including the owner key. If logging in with your post key, make sure you don't overwrite or misplace your original master password.
 +
 
 +
The [https://steemit.com/faq.html#How_can_I_keep_my_Steem_account_secure Steemit FAQ] explains why the password is long and random for maximum account security. There is no way to recover your account if you lose your password or owner key! Because your account has real value, it is very important that you save your master password somewhere safe where you will not lose it.<ref>[https://steemit.com/faq.html#How_can_I_keep_my_Steem_account_secure How can I keep my account secure], '''Steemit FAQ''', retrieved in 17/7/2017</ref>
 +
 
 +
It is also a strongly recommended that you store an offline copy of your password somewhere safe in case of a hard drive failure or other calamity. Consider digital offline storage, such as an external disk or flash drive, as well as printed paper. Use a safe deposit box for best redundancy. Fabian Schuh (@xeroc)'s post on a [https://steemit.com/steem/@xeroc/paperwallet-easily-secure-your-account-with-steem-paperwallet-generator Steem Paperwallet Generator] is an excellent resource.<ref>[https://steemit.com/steem/@xeroc/paperwallet-easily-secure-your-account-with-steem-paperwallet-generators (Paperwallet) Easily secure your account with Steem Paperwallet Generator], Written by '''Fabian Schuh''' (@xeroc) in August 2016.</ref>
 +
 
 +
In June 7th 2017 Krzysztof Szumny ([https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so @noisy]) found a flaw in design that made his cousin accidentally pasted his own password into wrong field (a memo field), when he made a transfer. He wrote a script and warned all [[Steemian|steemians]] caught in the same mistake.<ref>[https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so We just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys So...], Written by '''Krzysztof Szumny''' (@noisy) in June 7th, 2017</ref>
 +
 
 +
==Managing Keys==
  
 
If you don't manage your keys correctly, you are putting your account at risk.
 
If you don't manage your keys correctly, you are putting your account at risk.
  
If you get hacked you are giving them access to every key you own on steemit. Loss of your keys will result in loss of access to your account.  Keys should be stored privately and safely.
+
If you get hacked you are giving them access to every key you own on Steemit. Loss of your keys will result in loss of access to your account.  Keys should be stored privately and safely.
  
==Types of Keys==
+
===Types of Keys===
  
 
* Posting Key
 
* Posting Key
 
* Active  Key
 
* Active  Key
 
* Memo Key
 
* Memo Key
* Master Key
+
* Owner Key
 +
* Master password
  
==Posting Key==
+
===Posting Key===
 
 
The '''posting key''' is used exclusively for submitting posts, applying upvotes and downvotes, selecting and deselecting followers and muting accounts.
 
  
 +
The '''posting key''' is used exclusively for submitting posts, applying upvotes and downvotes, selecting and deselecting followers, muting accounts and claiming reward balances.
  
 
The posting key is the safest way to log into an account.  It limits the privilege of the person using it to functions that do not have access to the wallet, thereby maintaining the safety and security of the tokens.
 
The posting key is the safest way to log into an account.  It limits the privilege of the person using it to functions that do not have access to the wallet, thereby maintaining the safety and security of the tokens.
 
  
 
The posting key offers the safest way to access your account on a regular basis and it is recommended that you develop the habit of using it as your primary way of logging into your account.
 
The posting key offers the safest way to access your account on a regular basis and it is recommended that you develop the habit of using it as your primary way of logging into your account.
  
==Active Key==
+
===Active Key===
  
This key should '''only''' be used to place orders and to deal with transfers in the wallet.
+
The '''active key''' should ONLY need to be used to '''confirm transaction or trades''' or change user settings.
  
You only need to use your active key to '''confirm transaction or trades'''.
+
Do not use your active key to log in for posting and upvoting on a daily basis. Use your posting key instead.
  
 +
=== Memo Key ===
  
 +
The Memo Key is used for handling private messages and encrypted transaction memos.
  
If you follow this guide you will be less likely to have your account stolen.
+
The memo key is the only key that can encrypt and decrypt private messages sent and received via your account.
  
The site currently doesn't inform new users about this information.
+
=== Owner Key ===
  
== Memo Key ==
+
The '''owner key''' is the key with the highest privilege level.  It is the key required to change all the other keys.  This is the key that should be most carefully safeguarded against loss or theft.  With this key your account can be completely taken over by a malicious party.  Loss of this key severely limits the operation of the account. The owner key is not directly visible on the steemit.com website but can be derived from the master password using the [[CLI Wallet]] or an [[API Libraries|API Library]] like steem-python.
  
Please expand upon this subsection.
+
=== Master Password ===
  
== Master Key ==
+
The '''master password''' is used to derive all keys above. A hashing function calculates the corresponding private and public keys from the master password, the account name and the key type ("posting", "active", "owner" or "memo"). Having the master password enables to retrieve all private keys of an account. See [[CLI Wallet]]'s <code>get_private_key_from_password</code> or steem-python's <code>steembase.account.PasswordKey()</code> on how to derive the keys.
 +
Don't use the master password to log into steemit.com or any other steem application. Never copy the master password into posts or transaction memos. Use the lower privilege keys to maintain the security of your account.
  
The '''master key''' is the key with the highest privilege level.  It is the key required to change all the other keys.  This is the key that should be most carefully safeguarded against loss or theft.  With this key your account can be completely taken over by a malicious party.  Loss of this key severely limits the operation of the account.
+
''Please expand upon this subsection.''
  
Don't use the master key for posting, or funds transfers.  Use the lower privilege keys to maintain the security of your account.
+
== Locating Steem Keys ==
  
Please expand upon this subsection.
+
Your Steem keys are found in your wallet under the permissions tab. At https://steemit.com/@yourusername/permissions. Substitute your actual username for yourusername in the example shown.
  
= Locating Steem Keys  =
+
The page will look something like this image:
  
Your steem keys are found in your wallet under the permissions tab. At https://steemit.com/@yourusername/permissions. Substitute your actual username for yourusername in the example shown.
+
[[File:98b083a38fd88840533aa0a6ba0b6898.png|thumb|500px|center|Where are your Keys? '''Click to expand''']]
  
The page will look something like the image on the right.
+
==Securing Your Account ==
  
[[File:0f079289dc752c0f34a970d128a89c23.png|thumb|500px|center|Where are your Keys? '''Click to expand''']]
+
*Secure your master password generated on your first signing up somewhere no one will find it. You should not need you master password afterwards unless you want to change it.
 +
*Show your private posting key by clicking the button and copy to a safe place.
 +
*Show your private active key by clicking the button then copy to a safe place.
 +
*You can copy the memo private if you need to but you likely won't need it.
 +
*Now copy your private posting key and use that as your password to login.
  
= Securing Your Account =
+
Once logging in with the posting key and going back to the permission page it should look like this:
  
*Secure your main password you made when first signing up somewhere no one will find it.
+
[[File:0f079289dc752c0f34a970d128a89c23.png|thumb|500px|center|What will it look like when using a Posting Key?  '''Click to Expand''']]
*Show Your post private key by clicking the button and copy to a place no one else can find it.
 
*Show Your active private key by clicking the button then copy to a safe place.
 
*You can copy the memo private if you need to but you likely won't need it.
 
*Now copy your private posting key and use that as your password to login.
 
  
Once logging in and going back to the permission page it should look like this.
 
  
[[File:98b083a38fd88840533aa0a6ba0b6898.png|thumb|500px|center|What willl it look like when using a Posting Key?  '''Click to Expand''']]
+
==References==
  
 +
<references />
  
==Links:==
+
==Links==
  
 
* '''Steem.io''' : https://steem.io
 
* '''Steem.io''' : https://steem.io
* '''Steem White Paper''' : https://steem.io/SteemWhitePaper.pdf
+
* '''Steem Dynamic Accounts Permissions''' : https://steem.io/documentation/dynamic-account-permissions/
* '''Steem Dynamic Accounts Permisions''' : https://steem.io/documentation/dynamic-account-permissions/
+
* '''@pfunk''' : [https://steemit.com/steemit-guides/@pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords A User's Guide to the Different Steem Keys or Passwords] ''June 2016''
* '''@pfunk''' : [https://steemit.com/steemit-guides/@pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords A User's Guide to the Different Steem Keys or Passwords], ''June 2016''
+
* '''@steemitguide''' : [https://steemit.com/steemit/@steemitguide/a-complete-guide-on-steemit-permission-keys-posting-owner-active-memo-digital-passwords-with-unique-functionality-that-allows Everything you need to know about Steemit's Permission Keys; Posting, Owner, Active, Memo! Digital Passwords with Unique Functionality, that allows you to Securely connect your Steemit Account with Third-party Services] ''January 2017''
* '''@steemitguide''' : [https://steemit.com/steemit/@steemitguide/a-complete-guide-on-steemit-permission-keys-posting-owner-active-memo-digital-passwords-with-unique-functionality-that-allows Everything you need to know about Steemit's Permission Keys; Posting,Owner,Active,Memo! Digital Passwords with Unique Functionality, that allows you to Securely connect your Steemit Account with Third-party Services] ''January 2017''
+
* '''@ramblin-bob''' : [https://steemit.com/steemit/@ramblin-bob/how-i-nearly-lost-my-steemit-account-and-all-my-steem-a-warning How I nearly lost my Steemit account (and all my STEEM) - A WARNING] ''February 2017''
* '''@ramblin-bob''' : [https://steemit.com/steemit/@ramblin-bob/how-i-nearly-lost-my-steemit-account-and-all-my-steem-a-warning How I nearly lost my Steemit account (and all my STEEM) - A WARNING], ''February 2017''
+
* '''@smi''' : [https://steemit.com/vulnerability/@smi/important-vulnerability-in-password-protection-for-accounts IMPORTANT !!! Vulnerability in password protection for accounts] ''February 2017''
* '''@smi''' : [https://steemit.com/vulnerability/@smi/important-vulnerability-in-password-protection-for-accounts IMPORTANT !!! Vulnerability in password protection for accounts], ''February 2017''
+
* '''@sassal''' : [https://steemit.com/ethereum/@sassal/2eh9w7-how-to-keeping-your-cryptocurrency-safe How To: Keeping Your Cryptocurrency Safe] ''April 2017''
* '''@sassal''' : [https://steemit.com/ethereum/@sassal/2eh9w7-how-to-keeping-your-cryptocurrency-safe How To: Keeping Your Cryptocurrency Safe], ''April 2017''
+
* '''@good-karma''' : [https://steemit.com/steem/@good-karma/steem-private-keys-analogy-2017525t935606z Steem private keys analogy] ''May 25th, 2017''
* '''@good-karma''' : [https://steemit.com/steem/@good-karma/steem-private-keys-analogy-2017525t935606z Steem private keys analogy], ''May, 25th, 2017''
+
* '''@good-karma''' : [https://steemit.com/esteem/@good-karma/steem-multi-authority-permissions-and-how-posting-authority-works-2017529t84022790z Steem multi-authority permissions and how Posting authority works] ''May 29th, 2017''
 +
* '''@anarchyhasnogods''' : [https://steemit.com/steem/@anarchyhasnogods/keeping-your-steemit-account-secure Keeping Your Steemit Account Password Secure] ''June 13th, 2017''
 +
* '''@noisy''' : [https://steemit.com/security/@noisy/public-and-private-keys-how-they-are-used-by-steem-making-all-of-these-possible-you-can-find-answer-here Public and Private Keys.  How they are used by Steem.], ''June 15th, 2017''
 +
* '''@paolobeneforti''' : [https://steemit.com/steemit/@paolobeneforti/phising-alert-don-t-give-your-private-key-to-anyone Phishing alert! Don't give your private key to anyone] ''June 15th, 2017''
 +
* '''@thecryptofiend''' : [https://steemit.com/steemit/@thecryptofiend/a-quick-guide-to-how-keys-passwords-work-on-steem-and-steemit A Quick Guide To How Keys and Passwords Work on Steem and Steemit] ''June 16th, 2017''
 +
* '''@evimeria''' : [https://steemit.com/steemit/@evimeria/i-have-back-my-stolen-account-on-steemit-happy-august-to-all I have back my stolen account on Steemit!!! Happy August to all!!!] ''August 1st, 2017''
 +
* '''@neoxian''' : [https://steemit.com/steemit/@neoxian/warning-do-not-log-on-anywhere-using-your-owner-key Warning! Do not log on (anywhere) using your owner key] ''September 21st, 2017''
 +
* '''@kingswisdom''' : [https://steemit.com/steemit/@kingswisdom/how-i-easily-discovered-more-than-usd160-000-worth-of-private-keys-in-one-day-on-steemit How I easily discovered more than $160,000 worth of private keys in one day on Steemit] ''October 11th, 2017''
 +
* '''@firepower''' : [https://steemit.com/steemit/@firepower/4-tips-for-steemit-account-recovery-and-wallet-security 4 Tips For Steemit Account Recovery & Wallet Security!] ''December 7th, 2017''
 +
* '''@alignment''' : [https://steemit.com/steemit/@alignment/i-recovered-my-account-after-it-had-been-stolen-but-i-can-t-edit-the-phisher-s-comments I recovered my account after it had been stolen but I can’t edit the phisher’s comments. advice is needed.] ''March 9th, 2018''
  
==Related articles:==
+
==Related articles==
  
 
* [[Steem]]
 
* [[Steem]]
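Review bot: In the added paragraph on offline copies, the inline link to the Paperwallet Generator post ends in "steem-paperwallet-generator" while the URL inside its <ref> ends in "steem-paperwallet-generators"; both should point at the same address, so check which one resolves and use it in both places. The new Master Password section also keeps the ''Please expand upon this subsection.'' placeholder after two full paragraphs were added to it; drop the placeholder or state what is still missing. Wording in the added intro needs a pass as well ("It is also a strongly recommended", "In June 7th 2017 ... made his cousin accidentally pasted").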
Line 87: Line 106:
 
* [[Steem Wallets]]
 
* [[Steem Wallets]]
  
==References:==
+
==External links==
 +
 
 +
* '''Quartz''' : [https://qz.com/1028936/watch-these-bitcoin-ransom-payments-get-lost-in-the-expanse-of-the-blockchain/ Watch this extorted money get lost in the expanse of the blockchain] ''Written by Keith Collins, published in 7/17/2017''
 +
* '''WeTrust Blog''' : [https://blog.wetrust.io/why-do-i-need-a-public-and-private-key-on-the-blockchain-c2ea74a69e76 Why Do I Need a Public and Private Key on the Blockchain?] ''Written by Leon Di, published in 1/29/2017''
 +
* '''BTC News''' : [http://btcnews.com/steemit-investigates-security-breach-theft-85000-steem/ Steemit Investigates Security Breach and Theft of $85000 in Steem] ''Written by Gautham N, published in 7/15/2016''
 +
* '''Softpedia''' : [http://news.softpedia.com/news/steem-social-network-hacked-user-funds-stolen-ddos-attack-followed-after-506417.shtml Steemit Social Network Hacked, User Funds Stolen, DDoS Attack Ensued] ''Written by Catalin Cimpanu, published in 7/18/2016''
 +
 
 +
==In other languages==
 +
 
 +
* [[Bahasa Indonesia]] (Indonesian) : [[Manajemen Kunci Steem]]
 +
* [[日本語]] (Japanese) : [[Steemキーの管理]]
 +
* [[繁體中文]] (Traditional Chinese) : [[管理Steem鑰匙]]
  
* '''BTC News''' : [http://btcnews.com/steemit-investigates-security-breach-theft-85000-steem/ Steemit Investigates Security Breach and Theft of $85000 in Steem] ''Written by Gautham N, published in 7/15/2016 ''
 
* '''Softpedia''' : [http://news.softpedia.com/news/steem-social-network-hacked-user-funds-stolen-ddos-attack-followed-after-506417.shtml Steemit Social Network Hacked, User Funds Stolen, DDoS Attack Ensued] ''Written by Catalin Cimpanu, published in 7/18/2016 ''
 
 
<br>
 
<br>
  

Latest revision as of 03:23, 9 July 2018

To keep your Steem account secure you must save your master password and keep it somewhere safe. The master password is used to derive all keys for your account, including the owner key. If you log in with your posting key, make sure you don't overwrite or misplace your original master password.

The Steemit FAQ explains why the password is long and random for maximum account security. There is no way to recover your account if you lose your password or owner key! Because your account has real value, it is very important that you save your master password somewhere safe where you will not lose it.[1]

It is also strongly recommended that you store an offline copy of your password somewhere safe in case of a hard drive failure or other calamity. Consider digital offline storage, such as an external disk or flash drive, as well as printed paper. Use a safe deposit box for best redundancy. Fabian Schuh (@xeroc)'s post on a Steem Paperwallet Generator is an excellent resource.[2]

On June 7th, 2017, Krzysztof Szumny (@noisy) found a design flaw that had led his cousin to accidentally paste his own password into the wrong field (a memo field) when making a transfer. He wrote a script and warned all steemians caught in the same mistake.[3]

Managing Keys

If you don't manage your keys correctly, you are putting your account at risk.

If you get hacked, the attacker gains access to every key you own on Steemit. Loss of your keys will result in loss of access to your account. Keys should be stored privately and safely.

Types of Keys

  • Posting Key
  • Active Key
  • Memo Key
  • Owner Key
  • Master password

Posting Key

The posting key is used exclusively for submitting posts, applying upvotes and downvotes, selecting and deselecting followers, muting accounts and claiming reward balances.

The posting key is the safest way to log into an account. It limits the privilege of the person using it to functions that do not have access to the wallet, thereby maintaining the safety and security of the tokens.

The posting key offers the safest way to access your account on a regular basis and it is recommended that you develop the habit of using it as your primary way of logging into your account.

Active Key

The active key should ONLY need to be used to confirm transactions or trades, or to change user settings.

Do not use your active key to log in for posting and upvoting on a daily basis. Use your posting key instead.

Memo Key

The Memo Key is used for handling private messages and encrypted transaction memos.

The memo key is the only key that can encrypt and decrypt private messages sent and received via your account.

Owner Key

The owner key is the key with the highest privilege level. It is the key required to change all the other keys. This is the key that should be most carefully safeguarded against loss or theft. With this key your account can be completely taken over by a malicious party. Loss of this key severely limits the operation of the account. The owner key is not directly visible on the steemit.com website but can be derived from the master password using the CLI Wallet or an API Library like steem-python.

Master Password

The master password is used to derive all keys above. A hashing function calculates the corresponding private and public keys from the master password, the account name and the key type ("posting", "active", "owner" or "memo"). Anyone who has the master password can therefore retrieve all private keys of the account. See CLI Wallet's get_private_key_from_password or steem-python's steembase.account.PasswordKey() on how to derive the keys.

Don't use the master password to log into steemit.com or any other Steem application. Never copy the master password into posts or transaction memos. Use the lower privilege keys to maintain the security of your account.
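The derivation described above, together with a check for the memo-field mistake mentioned in the introduction, as an added example that is not code from this wiki or from steem-python. It assumes the key is the SHA-256 of account name + key type + master password encoded as a Bitcoin-style WIF string, and that site-generated master passwords are a WIF string prefixed with "P"; `derive_wif`, `is_wif` and `memo_leaks_key` are hypothetical helper names, and the account and password are constructed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("posting", "active", "owner", "memo")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes map to '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def derive_wif(account: str, role: str, password: str) -> str:
    """Private key for one key type, as WIF (assumed order: account+role+password)."""
    if role not in ROLES:
        raise ValueError("unknown key type: " + role)
    secret = hashlib.sha256((account + role + password).encode("utf8")).digest()
    payload = b"\x80" + secret  # 0x80 is the WIF version byte
    return b58encode(payload + checksum(payload))


def is_wif(text: str) -> bool:
    """True only for a checksum-valid WIF private key."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    return checksum(raw[:-4]) == raw[-4:]


def memo_leaks_key(memo: str) -> bool:
    """Client-side guard: run on a memo before the transfer is broadcast."""
    for token in memo.split():
        # A bare private key, or an assumed "P" + WIF master password.
        if is_wif(token) or (token.startswith("P") and is_wif(token[1:])):
            return True
    return False


if __name__ == "__main__":
    # Constructed account name and password, for illustration only.
    for role in ROLES:
        print(role, derive_wif("alice", role, "constructed-master-password"))
```

Because every key type is derived from the same password, a leaked master password exposes the owner key too, which is why the guard treats a pasted password the same as a pasted private key.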


Locating Steem Keys

Your Steem keys are found in your wallet under the permissions tab, at https://steemit.com/@yourusername/permissions. Substitute your actual username for yourusername in the example shown.

The page will look something like this image:

[Image: Where are your Keys?]

Securing Your Account

  • Store the master password generated when you first signed up somewhere no one will find it. You should not need your master password afterwards unless you want to change it.
  • Show your private posting key by clicking the button and copy it to a safe place.
  • Show your private active key by clicking the button, then copy it to a safe place.
  • You can copy the private memo key if you need to, but you likely won't need it.
  • Now copy your private posting key and use that as your password to log in.

After logging in with the posting key and going back to the permissions page, it should look like this:

[Image: What will it look like when using a Posting Key?]


References

  1. How can I keep my account secure, Steemit FAQ, retrieved on 17/7/2017.
  2. (Paperwallet) Easily secure your account with Steem Paperwallet Generator, written by Fabian Schuh (@xeroc) in August 2016.
  3. We just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys So..., written by Krzysztof Szumny (@noisy) on June 7th, 2017.
