How to protect your Steem account like you're paranoid

I don't know if you guys know this, but the Crypto in my name, @CryptoSharon, comes from cryptography, not cryptocurrencies. I love cryptocurrencies too because of cryptography and financial independence, but that's a secondary effect.
Something that keeps me thinking all the time is finding ways to ensure the confidentiality of my communications, as well as the ways in which my Internet services could screw me over.
How can you further secure your stay and access on this lovely blockchain, till you're left without holes to cover? There's always something else, I tell myself, and in this case, it's true, but let's dig as deep as we can and see how strong we can build our virtual bunker.
Let's start with Account Creation
Steem accounts can be created in many, many ways. The one thing most ways have in common (all but one) is that your account does not actually technically belong to you. You "own" (have access to) all your keys and you have the (conditional) freedom to change your keys or recover some of them if you lose them.
Which are these ways to create your account?
1. Steemit
The makers of the Steem blockchain also made Steemit and made a way to create accounts for "free" directly on https://steemit.com. It's completely secure, they assure us, but when we create the account, they are the ones who do the account creation transaction, pay for our initial fees and give us our password.
That's right, they have our password and they give it to us. That's a hole. We don't want anyone to access our password.
Even more, they require a cell phone number and an e-mail address. The e-mail address is no problem (download Tor and use https://cock.li to set up a free anonymous e-mail address), but the cell phone number can be an issue if you don't have access to an anonymous cell phone number. A few possibilities are asking for one from an online friend who doesn't know you, buying a burner phone service somehow, etc.
Steemit's insecurity boils down to
- They have your password
- Changing and recovering your password depends on them
- You have to do all the sign up from your browser with Javascript activated, which means they can get a lot of information from you (more info on this)
2. Steeminvite
@pharesim made a wonderful tool to make Steemit-independent accounts with https://steeminvite.com.
# | Pros | Cons |
---|---|---|
1 | You don't need a cell phone number (you do need an e-mail address) | You need someone with another account (or having another account yourself) to create your account |
2 | You don't need to wait to see if/when the Steemit team approves your account | Your account will forever be associated with its metadata with the parent account |
3 | You can start with a bigger delegation for bandwidth issues | Steeminvite gives you your password, meaning they, at a certain point in time, may have your password (although I'm told that both Steeminvite and Steemconnect possibly create your password client-side, which would add safety but not ownership) |
We can see that Steeminvite is pretty cool and, for people with some SP to spare, a quicker and better choice for account creation. However, it's not at all at the peak of safety. Being paranoid, we'll pass.
3. Steemconnect
Steemconnect is basically like Steeminvite, only that Steemconnect is the one that will give you your password and will be the ultimate owner of your account. Here's a tutorial on how to create an account through Steemconnect.
4. AnonSteem
Same as Steeminvite and Steemconnect except you don't need another account. You just need to be able to transfer money for the account creation. It's more anonymous, you don't need a friend or an e-mail address, but who ensures that you'll be the actual owner of your account? They, like Steemconnect and Steeminvite, give you your password.
These are the main online services that allow you to create an account through them. I'm not sure if there are others, but these are the most known and the most "trustable".
5. Cli wallet (deprecated)
This method is no longer possible, I'm told. Before, you were able to download, compile and run the Steem code and, from there, create an account through a money transfer.
It was by far the second most secure mode to create an account, and it was pretty quick and easy too if you knew what you were doing. But some hardforks ago, it was disabled.
6. Mining (deprecated)
(Not possible anymore, check the comment section for an explanation)
This one was the hardest way, but it was also the safest way around. Before, you were able to mine Steem independently of who you were. But now you need to be a witness to mine, I'm told, and even witnesses cannot create accounts anymore. If you find a way around cli_wallet or witness account creation, please tell me in the comment section.
Basically, when you were going to start PoW mining, you used an account name to do it. If the account didn't exist, it got created automatically as soon as you got a block.
You didn't need to pay a fee for it (although you would have to pay for a server to mine, equipment, read a lot and do a lot of work to get there).
Near the end of this article, you'll find some guides about mining (now only useful for commemoration).
In this way, you yourself would create your account, nobody would have your password but you, you could change it, you could play with it, and it would be yours only. Rejoice.
It seems, though, that the only available account creation methods right now are through third parties. I'll never be comfortable with that, but we can choose the safest ones, which are Steemit, Steemconnect and Steeminvite, as far as I know, and I don't know how the backend of Anonsteem works.
How to ensure Secure Access to your Steem Account (SA to your SA)
There's plenty of ways that you can securely access your Steem Account, and most of them claim to be secure, but as we are paranoid, we'll only trust what we know. And what we know is that once you put your password somewhere and hit send, you don't know where it's sent (you don't even have to hit send if they can see your keystrokes or your clipboard).
The only noteworthy ways to access your account from online services are Steemconnect and Steemit. Anything else and you can almost safely assume that it's a scam and they'll steal your password.
Tip:
Whenever you are going to type your password, DO look at your Address Bar. It has to either say https://steemit.com (note the s after http)
If there is any difference in the URLs, an extra l (like Sleemit, which is one known phishing site) or .org instead of .com or, really, anything, DO NOT type your password in.
Make sure to always look at the address bar when you're asked for your password. I've seen dozens fall and lose their money and their accounts for this.
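The address-bar check from the tip above, written as a strict allowlist test. This is an added example, not part of the original post; the allowlist holding only steemit.com, the example.net hosts and the edit-distance threshold of 2 are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption: the one origin this example trusts for password entry.
TRUSTED_HOSTS = {"steemit.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url: str) -> str:
    """Return 'ok' only for https plus an exact trusted host; else the reason."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return "reject: not https"
    if parts.username or parts.password:
        return "reject: userinfo before the real host"
    if host in TRUSTED_HOSTS:
        return "ok"
    if not host.isascii():
        return "reject: non-ASCII characters in host"
    for good in TRUSTED_HOSTS:
        name = good.split(".")[0]
        if host.startswith(good + "."):
            return f"reject: {good} used as a subdomain of another site"
        if host.split(".")[0] == name:
            return f"reject: {name} under a different domain suffix"
        if edit_distance(host, good) <= 2:
            return f"reject: lookalike of {good}"
    return "reject: not on allowlist"

# Constructed sample URLs; the 2nd to 4th mirror the cases named in the tip.
SAMPLES = [
    "https://steemit.com/login.html",
    "http://steemit.com/login.html",
    "https://sleemit.com/login.html",
    "https://steemit.org/login.html",
    "https://steemit.com.example.net/login.html",
    "https://steemit.com@example.net/login.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{check_login_url(u):55} {u}")
```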
The only way to securely access your account
is directly through your own code. There are a couple possibilities:
- cli_wallet, which I mentioned earlier (compiled Steem code running directly on your hardware)
- RPC node wrappers. Basically creating a bot or your own front-end through things like dsteem, steem-js, steempy or your preferred library for your preferred language.
Note, though, that even if you use Tor to access a Steem node, the Steem node has a certain power over your connection. I don't know to which extent they can read your information (if you know, please tell me in the comments), but they can at least block your access if they want (not that I've ever heard of such a thing happening, but it's possible). Read a bit about it here
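What "your own code" can look like for the password itself: generating a master password and turning it into per-role private keys on your own machine, so the password is never typed into a web page. This is an added example, not code from the original post or from any Steem library; it assumes the password-to-key scheme used by the common Steem client libraries (SHA-256 over account name + role + password, encoded as WIF), and the "P" + WIF password shape is likewise an assumption.

```python
import hashlib
import secrets

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet); leading zero bytes become '1'."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body

def to_wif(secret32: bytes) -> str:
    """0x80 + 32-byte secret + first 4 bytes of double SHA-256, Base58-encoded."""
    payload = b"\x80" + secret32
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)

def wif_is_valid(wif: str) -> bool:
    """Catch copy/paste damage before a key is stored or used."""
    try:
        raw = b58decode(wif)
    except ValueError:
        return False
    payload, check = raw[:-4], raw[-4:]
    good = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return len(raw) == 37 and payload[:1] == b"\x80" and check == good

def new_master_password() -> str:
    """Random password made on this machine; the 'P' + WIF shape is an assumption."""
    return "P" + to_wif(secrets.token_bytes(32))

def derive_role_keys(account: str, password: str) -> dict:
    """Assumed scheme: sha256(account + role + password), whitespace-normalised."""
    keys = {}
    for role in ROLES:
        seed = " ".join((account + role + password).split())
        keys[role] = to_wif(hashlib.sha256(seed.encode("utf-8")).digest())
    return keys
```

Only private keys are derived here; computing the matching public keys needs a secp256k1 library. Handing a service the posting key alone keeps the owner and active keys, and the password they come from, on your side.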
Conclusion: Maximise your own security by being your own manager
The less other people know you, the more secure your information will be. If you're paranoid and don't want anyone hiding behind your back and reading your data when you create and access your Steem account, then simply don't give anyone the chance to have that information.
You can, however, make some compromises. I, for example, took a leap of faith and decided to trust Steemit with my funds. It's much easier and I didn't know anyone who would be willing to create me an account through Steeminvite when I started (basically from scratch, 15 Steemit-delegated SP and the only person I knew on the entire blockchain was @lunaticpandora).
Celebrate your freedom, you can be anonymous on this little place of the internet, for now at least, and let's hope that it keeps going in that direction.
@cryptosharon mining is coming back in the next hardfork https://steemit.com/steemit/@dragosroua/mining-is-coming-back-to-steem-only-for-account-creation-though-hardfork-0-20-0-hidden-gems
Yay! :333 I hope I get the chance to set it up. I'd love to be able to use that account creation method.
You need a scrypt asic to do it.
Cli wallet and mining were possible before, but now it is not something you can install on the fly. This is reserved only for the witnesses, and that is it.
The SteemConnect and using your posting key is the safest method so far to use when you log into any application.
I used the AnonSteem for creation of a group account and it is very easy, fast and secure.
It is anonymous, but in my case it is completely irrelevant, I create accounts either for something of a purpose or for my friends because it is easier.
I never used the SteemInvite, but I think I will take a look the next time somebody asks me.
Yeah, logging in from SteemConnect is by far the safest way for third-party online services.
I haven't used AnonSteem but I can see its value. You can access it from Tor, and you can probably transfer from blocktrades using any other more anonymous cryptocurrency, and there you'll have a chance to create an independent account. It's not the most trusted way, but it's trusted overall and it's by far the most anonymous way I've found.
Sounds like if you want to be totally secure you should find a way to change the master password in a way you can audit that it went to you and only you. Should be command line client can do so hmm?
I don't think you can change your master password through CLI if you created it through Steemit. Not sure, though, but it would make sense for Steemit to keep a monopoly on that due to technical reasons.
Thank you, this really has some great advice, for normal people and for those paranoid lol. But, since there are so many scammers around I am not sure we can call ourselves paranoid anymore, objectively, it is a normal precaution.
Exactly. I've seen so much fishy stuff on the site that I'm always on the lookout. It's a part of my subconscious now and I keep observing for ways to protect myself. I might make another post on how to protect your passwords.
Sounds like you've been hacked before. I have. It's no fun.
Oh, so sad. I have fortunately not been hacked during my stay. I've been para-paranoid. I feel sometimes like I'm overcareful, but it's kept me safe till now.
I have been hacked in online games before, though. I suppose I've learned my lesson quite early on in life. But those times did hurt a lot. It's like those memes about "losing faith in humanity".
Wow, very educative and well explained. I am here almost 2 years and didn't know some of these things. Thank you for that :)
:) Thank you for your nice comment. I just thought it might be useful to share some of this knowledge that was pestering me about finally getting out. I'm glad you liked it, and I hope you and others find it useful.
Mining is not possible any more
Unless you're a witness, right?
But not for account creation.
Mining does not exist anymore in the PoW sense of a blockchain
Dayum, so the only kinda safe way left to create an account would be from cli_wallet then? Is it possible?
Never tried the cli way. All accounts that I am creating are connected to mine
What means do you use for creation? Steeminvite?
Steem-python/steempy:
Thank you
Woohoooo!! That's a nice thing to have. <3
Good work! This will be helpful for many Newbies. Keep it up :)
Thanks for the info. As a newbie you've given me some valuable info, esp. about being careful of the URL you are about to log onto!
This is a very good article regarding protecting your account. Thanks!