RE: A new approach to Content Reward Allocation

in #steem, 8 years ago

The private key IS client-side, but in this system it's derived from a combination of your password (only you know) and some other info (known by the service), aka a "brain key". You can also export the WIF to another computer and use it directly (forget the password).

That makes it sound like the other info is only known by the service and the user the service shares it with, which isn't true. The other info is public knowledge, which means someone who has (or guesses) your password can derive all your private keys (unless you changed them from their default after registering with Facebook or Reddit).

So to everyone reading this: you better be using a strong[1] and unique[2] password. The best approach is to use a password manager and have the password manager generate the password with 256 bits of entropy for you. Also, it is better to have a separate password for your owner key that you normally keep securely stored offline (some redundancy is a good idea too).

[1] By strong, I don't only mean long. Steemit requires that you use at least 16 characters. But if your password is, for example, just some combination of your full name plus birth date, then it isn't strong because it can easily be brute-forced by a hacker targeting you specifically who knows your identity (by following the linked Facebook account perhaps).

[2] Unique is important because if you reuse the same password you use on some other service, and that service gets hacked (and they had bad security practices so that they were holding your plain-text password in their database), then a hacker who gets that hacked information from the black market can try those passwords out on your account.
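Added example (not part of either comment above, and not Steem's own code) showing the point the reply makes: when a key is a brain key, the account name and role are public, so the password is the only secret, and a name-plus-birthdate password falls to a targeted dictionary run. The derivation modelled here, SHA-256 over account name + role + password used as the raw private key and exported as uncompressed WIF, is an assumption of this example based on how the Steem JavaScript libraries build keys; the account "alice", the profile data and the weak password are constructed inputs.

```python
"""Brain-key derivation: public info + guessed password = your private key (added example)."""
import hashlib
import secrets
from typing import Iterable, Optional

# Assumption of this example: brain key = SHA-256(account + role + password), taken as a
# raw 32-byte secp256k1 private key (a real library also checks it lies below the curve order).

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58: big-endian integer, leading zero bytes become '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def derive_private_key(account: str, role: str, password: str) -> bytes:
    """Brain-key derivation: only `password` is secret, `account` and `role` are public."""
    seed = (account + role + password).encode("utf-8")
    return hashlib.sha256(seed).digest()


def to_wif(private_key: bytes) -> str:
    """Uncompressed WIF: 0x80 || key || first 4 bytes of double-SHA-256, base58-encoded."""
    payload = b"\x80" + private_key
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def candidates_from_profile(full_name: str, birth_date: str) -> Iterable[str]:
    """Targeted guesses built from a linked social profile (name + birth date, ISO date)."""
    first, last = full_name.split()
    names = [first + last, first.lower() + last.lower(), first + "_" + last, last + first]
    dates = [birth_date, birth_date.replace("-", ""), birth_date[:4], birth_date[5:].replace("-", "")]
    for name in names:
        for date in dates:
            yield name + date
            yield date + name


def guess_password(account: str, role: str, target_wif: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the password, and hence the key, by re-deriving from public account info."""
    for candidate in candidates:
        if to_wif(derive_private_key(account, role, candidate)) == target_wif:
            return candidate
    return None


def generate_strong_password() -> str:
    """What a password manager should hand you: 32 random bytes, i.e. 256 bits of entropy."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed victim: public account name, public profile, weak 20-character password.
    account, profile_name, profile_dob = "alice", "Alice Example", "1990-01-01"
    weak_owner_wif = to_wif(derive_private_key(account, "owner", "AliceExample19900101"))
    print("owner WIF (public knowledge once guessed):", weak_owner_wif)
    print("recovered password:", guess_password(account, "owner", weak_owner_wif,
                                                candidates_from_profile(profile_name, profile_dob)))

    # Strong, unique password: the same public info gives the attacker nothing to work with.
    strong = generate_strong_password()
    strong_wif = to_wif(derive_private_key(account, "owner", strong))
    print("recovered with strong password:", guess_password(account, "owner", strong_wif,
                                                            candidates_from_profile(profile_name, profile_dob)))
```

The same derivation with a different role string yields a different key, which is why the reply recommends a separate password for the owner key: guessing the password behind a posting key must not also hand over the owner key.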
