How to secure your private keys (with explanation)

Some time ago, I wrote a post about how to secure EOS private keys and avoid getting hacked. I didn't quite explain the reasons why I made those suggestions properly in that article. So, I have re wrote it with proper explanations and posting it here for my readers.

• If you are using scatter chrome extension, keep only your active private key saved in it. Keep the owner private key somewhere else secure such as printing it down in a piece of paper. This is very very important. Let me repeat, keep only your active private key saved in scatter. If scatter gets hacked, you will be rekt if you keep the owner private key in it.

Scatter chrome extension or the desktop wallet are installed in the computer and are generally connected to the internet. If your computer is hacked and a hacker gains access to its administrative permissions, he can take control of it by remote desktop without you even noticing that.

This kind of situation is rare but they do happen. If you keep your owner key secure and offline and only keep your active key in the scatter wallet, your staked funds will be secure in a situation like that. And you will have three days to change the permission of your active key.

• Never paste your private keys online in a website. If a website is asking for your private keys, than it is most likely a scam. If you encounter such sites, report it to experts or write a post on r/eos subreddit for help.

EOS based services don’t need your private key to provide you with services. They can use blockchain interface such as scatter to sign transfers or contract actions. Any service that requires you to input your private key on their website will have full control over your EOS account and your funds.

• If you need to copy your private key then, don’t copy your whole private key to clipboard. Instead copy the last 46-47 characters and memorize the remaining first 4-5 characters. If you have printed your private key or saved it somewhere, then check if it is 51 characters long. All EOS private keys start with a 5 and are exactly 51 characters long.

Spyware programs are generally known for snooping on clipboard copied contents. If you have a stealth spyware installed in your system without your knowledge, it can steal your keys if you copy the whole key to the clipboard.

If you don’t copy the first 4-5 characters of the private key, the spyware program will most likely fail to determine what key it is. This doesn’t apply to you if you have confidence that your system is secure and free of any malicious software.

• Download wallet software from trusted sources. If you are downloading from github, always check the green mark in the top left of the browser in the address bar. It should say “Github Inc [US]” if you are using chrome.

Downloading wallet software from unofficial sources is not secure. Unofficial sources sometimes contain malicious versions of wallet software that are programmed to steal private keys. Recently, a EOS holder lost 200 EOS tokens after he downloaded and installed a malicious version of Greymass EOS Voter wallet.