Warning to users using third party applications - Be extremely careful providing your keys to anyone or any site!
I recently posted two articles on how to use the SteemConnect tool to create new accounts on the Steem blockchain as well as how to delegate SP to another user. SteemConnect is an amazing tool, and I am extremely thankful to the Busy.org team for providing the community with these awesome features =)
@sneak (Employee of Steemit, Inc.) commented on one of the posts with a warning. I am very thankful that he did, because I did not include sufficient warning in my posts for users to be extremely cautious when providing their active key to another site. I took for granted that the Busy.org team is a highly trusted group of people, and it did not even occur to me to warn people.
Let me make this clear, I am not saying that users shouldn't trust their keys with Busy.org and the SteemConnect tool. Personally, I have used their tool and will continue to do so. It is not without risk though - I am opening up my account to the possibility of being hacked. Users need to be aware of the risks and decide for themselves what is appropriate to do with their keys, and who (if anyone) to trust them with.
Here is some advise on managing the security of your keys:
- First of all, if you have not already saved and backed up your account password (owner key) somewhere safe, where it would not be destroyed in the event of a hard drive crash or fire - DO IT NOW. There truly is no way to get into your account and access your funds if your key is lost. Any money that you have in your account would be gone forever. You need to save this key.
- If you still have not saved and backed up your password, please stop reading this post and do not continue reading it until your password is safely backed up. (Seriously)
- Never, under any circumstances, give your owner key to any other person or third party website unless you trust them with your life. Anyone who has access to your owner key would be able to steal your entire account and everything in it. There really should never be a reason to do this unless you want someone you fully trust to have access to your account in case something happened to you or your keys. Even then, it is questionable.
- Be extremely careful with providing your active key to any other person or third party website. Anyone with access to this key can basically do whatever they want with your account, including stealing all of your money. You could still recover the account with your owner key, but any money they were able to transfer out would be gone. You should really trust anyone or any website that you are providing this key to. You are essentially giving them full access to your account. If you wouldn't trust them will full access to your account, then don't give them your active key.
- You should also be very careful when providing your posting key to any other person or third party website. Even though they would not be able to take any of your money, they can still use your voting power, post things on your behalf, and act as you on the blockchain.
- Even if you trust a person or website with your key(s), you also must trust the security measures they have in place to protect your key(s). If they get hacked and your key(s) gets stolen, then the hacker will be able to do whatever they want with your key(s).
- Do not use a key with higher authority than what you need. Example, if you are just logging in to post, vote, and comment - do not use your active or owner key. Use your posting key. If you are transferring funds, do not use your owner key. Use your active key.
- If you have provided any of your keys to a person or third party website that you do not fully trust, it is recommended that you change your password here: https://steemit.com/change_password. This process will generate new keys for your account. Before you click the button to change your password, be sure to save and backup your new key. Please re-read points #1 and 2.
The bottom line is this - if you provide any of your keys to another person or third party website, you are giving them full access to do whatever those keys are allowed to do. If you do not trust them with the authority that the keys grant them, and their ability to protect them from getting hacked/stolen then do not provide them with the keys.