What is the difference between a password and a private key(s) on Steemit and how to make your account more secure, by using them correctly.

in security •  last year

As we just recently learned, keeping your password private is extremely important. This same goes in regards of all private keys. But many people wonder: what is an actual difference between a password and a private key?

This post is written mostly for an average Joe, who do not know anything about cryptography or even computer science.

The password is a Master Key to your account

... which you should never use!


Master-Key-Lock-Experts-In-Houston.jpg
image source

With a password to your account, you can do everything. You can upvote, post, comment, make transfers, change a description of your profile or change a password for a new one. EVERYTHING. So... it is very handy as long as you do not make your password public by accident.

But you are a PRO, so this will never happen to you, right? Take a look at this conversation of Mike and Amanda:

<Mike> That was really great video, really! You have to watch it!
<Amanda> could send me a link to it? I cannot find it
<Mike> no problem, here you have:
<Mike> p@ssw0rd!19870202
<Mike> fuck!
<Amanda> did you just accidentally paste here your password? :D

Looks familiar? And what would happen to Mike's account if he would paste it on public chat? We are only humans, we all make mistakes!

But I need my password to use Steemit, right?

Actually, you don't.

Steem blockchain has a built-in permission system, which gives you a possibility to use a proper private key as a password, which will give you limited access to certain areas of your account. So, for example, you can log in with private posting key, you still will be able to vote, post and comment but you (or anyone who own your private posting key) will not be able to transfer any funds from your account or change your password.

How to login with Private Posting Key only, without a password:

  1. Obtain a private key from your wallet, from permission section
  2. Log out
  3. Log in with obtained private key as it would be a password

YouTube version of this gif: https://www.youtube.com/watch?v=jBzqZFuenGs

2017-06-11-17-59-28.gif

The rule is: you can log in on Steemit with any of your private keys, but then you will be able to do only things which can be authorized with this type of key.

But what If I will need to make a transfer?

You have 3 possibilities:

  1. Use your obtained private active key only to authorize a transaction when you will be prompted to do so.

  2. Do not use Steemit at all to make transfers. Use Steem Wallet called Vessel, created by @jesta. You can download it and install it on your computer. At the time of writing this post, it is still experimental version, so it is recommended only for beta-testers, but I have to admit it looks very promising.

  3. Use your Master Password, but be very, very careful.

So why I need a Master Password at all?

Technically speaking, you don't need it. If you have your all private keys (posting, active, owner, memo) then you can do everything without a password, even create a new password and a new set of all keys.

Why is that? Because in the whole Steem ecosystem, a password is used only to generate public and private keys from it. But exactly this is done under the hood, I will explain in my next article.


This article belongs to series of articles which describes security on Steemit:

  1. What is the difference between a password and a private key(s) on Steemit? How to make your account more secure, by using them correctly. (this article)
  2. Public and Private Keys - how they are used by Steem, making all of these possible?
  3. Public and Private Keys - how they are working under the hood
  4. How passwords are stored by Steemit in your browser, and why it is secure.
  5. How to set own password, which is not generated by Steemit
  6. How to setup multisig/multiple authorities for your account
  7. ...
    Make sure to follow my account, if you don't want to miss any of these :)
Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Thanks, very usable piece of info!

Thank you for your post

Always best to get familiar with security features first than implement them further down the line where there's more risk. Nice post!

Greetings from Jordanów @noisy! Hope all is well in Silesia :) A excellent post after your recent white hatting adventures! I told them to have #steemfest2 in Krakow but no one would listen! The Poles are great crypto fiends! I'll just RS this post instead! Steem on!! ... and look out for my Polish post later on ... 'Culture Shock in Poland -- What WAS shocking to me!'

And most important: Never, NEVER paste/write any PRIVATE information in transfer memo from Poloniex (or other markets)!


There is one key to rule them all. But do we always need the master?

·

If the slave is ready, the ruler comes.

Thank you ! I am new to all of this and truly never take passwords very seriously, but after reading your last post.... well yikes! You make it a bit easier to understand! @noisy I appreciate your post!

I wish i could see the key im logged in with any time!

·

actually, that is not a good idea for smal improvement! :)

·
·

I didn't mean the actual key, just a note like: "you're loged in with the Post / Active / Memo / Master Key"

·
·
·

I get you. Cuts out a lot of clicking and searching to find out the status.

I write about silver. Here is my latest post: https://steemit.com/silver/@hgmsilvergold/if-you-are-a-silver-and-gold-stacker-this-is-for-you

Excellent post! Following and resteeming. This stuff needs to be said over and over again so people can understand how this all works.

I would also encourage everyone to use a password manager like 1Password. If you know any of your passwords, they are probably already insecure and/or you are vulnerable to phishing attacks.

Cybersecurity starts with you.

  1. Keep your OS up to date with security patches.
  2. Always run an updated antivirus system.
  3. Use a password manager like 1Password (you shouldn't know any passwords, they should be generated for you automatically).
  4. Don't download or click on stuff you don't trust.
  5. Don't ignore warning messages! (Also, don't click on pop ups which pretend to be legit warning messages).

While we're on the topic of good computer behavior, I'll also throw in: have multiple backups. Without them, if you lose your private keys or encrypted password database, you'll have a very sad day.

·

Very true!

Very good and important post. I haven't known about this keys so far. This tutorial helps me a lot. Thank you :).

Nice post! :D

Important info re-steemed!

cool

Dzięki, od dzisiaj zacznę z tego korzystać ;)

Thank you for this post. With the password being so long it scares me how easily I could paste it somewhere by accident. Very new and reading everything I can to make the best of my time here and progress :)

Great article, I've aways wondered what all of the long codes in the permissions section were used for.

very, Very, VERY GOOD TUTORIAL @noisy

Thank you

Keep STEEM N ON,
Frank

You have been PROMOTED FREE for using the "security" and "tutorial" TAG (hashtag)

https://steemit.com/promoted/security

https://steemit.com/promoted/tutorial

nice post @noisy

it's very benefits and scince.
your writing is our representative. That's what we want to say all along, thank you. I also see steemit is a real revolution about social media.

There's an important tip a friend told me about keeping passwords. He said; break the passwords in pieces and store each piece independently of another. I've found this tip very useful in the prevention of cyber crime.

Do not use Steemit at all to make transfers.

why?
Also, are our private keys kept on Steemit's servers? How is this secure? If it's not secure, what is going to be fixed about this situation?

·

It is secure, but when you interacting with a browser, you can paste you password in the wrong field, because you can forget that you have it in the clipboard. So this is about minimizing a possibility of making human error factor.

·
·

every time I use any kind of password, I go back after and copy random little text, just to make sure.... (it's my little don't go insane habit) :)

·
·
·

very good habit :)

·
·

does steemit save our keys on a server?

·
·
·

nope. All keys are saved in a browser in your localstorage. As you can see in the end of you my article, I am going to write a detail post about exactly this topic :) Stay tuned :)

·
·
·
·

ok i will wait patiently for it. This is the exact thing i want to understand. thank you

·
·
·
·
·

This is the beauty of public and private key encryption. Any system can validate your signed messages using your public key (i.e. ensuring you used the correct private key), but they don't ever have to have access to your private key to do so. That's why if you lose your private keys, they are lost forever. No one has a backup but you. :)

·
·
·
·
·
·

yes, but how does the private key get sent to steemit, after you input it into the box? This is the part i still don't understand....where does that private key go? To what area inside of the steemit website?

·
·
·
·
·
·
·

As far as I understand (I may be wrong), it doesn't get sent to Steemit. JavaScript in the browser uses what you input there, runs the appropriate signing algorithm to create signed content and then sends that signed content to Steemit. Steemit then uses the public key to validate the signature. If you're familiar with public and private key encryption and signing / validating signatures, this makes a lot more sense. PGP is a great example and I've used that for a long time so it's familiar to me. I hope that helps. Thanks for asking these questions!

Thank you for the post. "niech leci w gorące " ;) Do have you already written a script for finding private keys in comments and posts? (ps. please donate when you use this idea :D )

Great post about account security. Have you seen the post in which they ran through all the memos and found wif keys etc?

·

that was mine post ;)

·
·

Ahh I see, I am terrible with names when I am sleepy. Well, you should read your own post ;)

THANK YOU! Its all what I needed to know. Now it makes soooo much more sense and a light at the end of the tunnel (or the beginning? lol)
Cheers!

Very helpfull post. | Bardzo pomocny post.

Good stuff. Resteemed.

nice information.....deserve my upvote and resteem...

Very interesting ! Now I know how to use the key :) ty :D

·

@ranchorelaxo. Please upvote my post i am very poor .i belong to pakistan if you help my life will be changed thanks.

·

hi )
ThankS for BeinG HERE !! - ))

YOU are certainly .. ta'KING this "IN" .. like no OtheR !! !! !! - ))
IT'd be nice to "hear your thoughts on STEEM" ?? - ))
.. being so "bullish" - ))
ha ha - ))

lovelovelove )))
greb'Z )

·

there is a huge amount of difference when it comes to password or a key. passwords are generally user created while keys are machine language created.

Step 0 when joining steemit: secure your future holdings!

Excellent effort guys, remind me to include you in my will.thumbs up bigtime

use my link to Join Genesis mining :
https://www.genesis-mining.com/a/865841

Genesis mining 3% discount code : VJFYH5

Thank you

Very good information. This is the first time ive heard about private keys which will be very helpful to me. Its a good way to add a little more security, especially since I use multiple devices and travel a lot so easier to lose or have a device stolen or get hacked. Thanks.

Nice post. Very helpful.

a nice article explaining the use of the various keys.

good^^

Thank you!

I'd love to be able to use a Hardware Wallet (i.e., trezor, ledger, etc) to sign in and out and sign anything critical like power down requests, etc.

Unless someone here has thoughts on it, I will Add it to the list of things to research.

(The crypto space being what it is, I have more to research than I could possibly ever actually research, though, so please don't wait on me for any answers!)

Thanks so much for this. I did a transfer today and that's the first time I came upon the different passwords on my account. Obviously I knew security was important but your post came at with perfect timing for me to understand them. Upvoted and resteemed.

thanks for clearing some questions up. Will be prudently waiting for part 2 of this article. I'm I have a question or 2 for it.

Very informative I did not know this. Thank you so much!

Very helpful, Thanks

Come check out my page and follow great post

A truly useful post. thanks @noisy :)

Thanks for the info. :)

Thanks very helpful

I never thought that I can do everything without a master password for as long as i have all my private keys.. Nice!
Thanks @noisy ! This is such a very relevant information.

We have to be deligent and more careful how we can save our password. Thanks for the information @noisy

Very useful information!

Re-steemed og upvoted!

Nice post @noisy

Recommended post, a must read.

very good information . ! cool !

Thank you for this. Very cool, man. Needed so I could configure the WP Steem Wordpress plugin.

This article still does not have an example how we can utilise public keys. Would you be able to provide an example how it is done in the future, @noisy ?

·

Public keys are just that: public. PKs are used by others to communicate with us or confirm our identities.

Someone can send you a message and encrypt it with your public memo key: this makes it unreadable by anyone except you (you need to use your private memo key to get at the plaintext of the message).

If there is a demand, I'll write an explanation with more details.

·
·

But how on earth do you send a message with the encrypted public memo key?? That's intriguing! I would want to know how it works!

·
·
·

Steemit is still a young platform. The memo feature hasn't been activated yet.

·
·
·
·

This will be very interesting when this actually starts running.

Dzieki! Na Polski da rade wrzucic czy link ? Pewnie duzo osob by poczytalo

Does that means that steem uses a brain wallet? isn't?

Thanks,

Is it dangerous to give you "Private Posting Key" to websites like steemian or even d.tube?

Thanks @noisy for this explanation. I was afraid to ask lol

·

Never, never, never be afraid or ashamed to ask. If you will not ask today, Tomorrow you will be even more afraid or ashamed, not even mentioning how embarrassing it would be to ask in next year - after such time, we already should know that, right? :)

If you cannot find an answer in google within 15 minutes, start asking people.

·
·