[Steem] How to change your Masterkey and why.
Hi, @jayplayco here.
The password system from Steem is not really easy, as it is divided into a master key, owner key, active key, posting key, and memo. As a new user, it is difficult to understand this kind of variety of different keys and functions. But after a while, you get used to it.
1. Understanding the creation of an account on Steem
As mentioned there are different kinds of keys (passwords) with different kinds of functions available. When you create a new account, you will normally get only a master key and need to check your other keys on a different interface. As blockchain technology does not allow you to find a lost master key, you will have to store in from the moment you got it very safe.
But, there is a difference if you have made your Steem account not on Steemit.com but on a third party service (paid or free doesn't matter). If you have enough Steem powered up, you are able to create accounts on your own with your Resource credits (A different story and should be mentioned another time) So, some witnesses and also Dapps are offering to create free accounts.
Such a free account creation service is an example offered by a trusted witness @justyy under the following link.
But even if you created the account from this trusted witness, you will have to change your master key directly after creating an account. The big hack of the community321 account should have been organized in a similar matter. The reasons are as below.
- The creator of your account can have a copy of your first master key.
- If the creator of your account is willing to use this information, he can take control of your account and transfer everything.
- If the creator (service) of the account went rogue you will not even be able to recover it, as the creator is normally registered as recovery account.
So, if you have created an account, not on Steemit.com, always remember to change the recovery account AND your master key directly after the creation. The free account service from @justyy will send you the keys per email, so there is always a copy of your master key in your email inbox and also the outbox. SO CHANGE YOUR MASTERKEY!
2. Understanding the different keys
In your normal Steem life, you will mainly use the posting key and active key. So let's explain those first.
1) Posting Key.
It is used for commenting or writing a post and also upvoting and downvoting posts. You will mainly use this key for your Steemian life. If you use 3rd party services, you can also give your authority rights to these Dapps. In normal cases, you will only give your posting keys authorities. But even only with posting key authorities, a Dapp could theoretically upvote and downvote instead of you at their will.
So it is very important to check your key authorities and remove especially services that are not anymore active.
I would like to recommend the service from @steemchiller, who is also a trusted witness on Steem.
In combination with a clean Steemkeychain you can easily remove account authorities here.
2) Active Key
Everything that is related to transfer Steem or SBD or stake Steem, etc. would need your active key. At the same time you will need to check if you have given your active key authorities to any 3rd party app, as it would mean that these Dapps could transfer your stake out of your account.
3) Memo Key.
It is only used for transferring with an encrypted Memo. A problem with this memo key is, that if you change your master key, which would also change all other keys, your old encrypted memos would not be readable anymore.
If you have a hidden message you need to send to somebody, the memo key would be the right one to use.
4) Owner Key
The owner key can do everything the posting and active key can do. It has also the power to reset the posting and active key. It means if you lose your owner key a hacker could change your keys so you would not be able to use your account anymore.
So an owner key should normally not be used in your daily activity, nor should any 3rd party Dapp get authority over your owner key.
5) Master Key
This is the key that you will get when you create your account. This is also the key that needs to be changed after the creation of your account if it is not coming from Steemit Inc.
As your master key will only be displayed once on creation (if you create it on Steemit Inc.) you will have to save it when displayed. After that, it is normally not possible to retrieve it. Your master key is also needed to recover your account after an hack.
3. Change your Master key
The easiest way to change your master key is Steemit.com itself. Login to your account and click (based on the desktop version) on the right upper three bar button.
You will find the menu 'Change Account Password'. The direct link for this menu is as followed.
The process is easy and will take only a few seconds. Please remember to keep your old Master Key (and don't delete it) as there had been already another chain hardfork been announced and snapshot on the 20th of May. This new chain would need the old Master Key to get access to your account. Additionally, this process would also separate your current Steem account password from any other split Chain from Steem and increase your security.
After saving your new Master Key, you will have to check your other keys which can be done with the following tools.
- https://steemyy.com/keys (A tool from @justyy and you can view your other keys when inputting your master key. Everything is only stored locally on your browser)
- https://steemworld.org/key-generator (A tool from @steemchiller and you can input your master key and user account to see your private and public keys)
- Steemkeychain - You can add your account with your master key, but will only see your posting, active, and memo key. (Owner key would be not visible with this method)
4. Thoughts
I have changed my Master Key after the hardfork because I did not want to have my keys shared with a forked and split chain. After seeing what a 3rd party Dapp provider would be able to do and is willing to do, I would personally urge anybody in concern with their security to change your master key at least for now.
Thanks for creating this great guide!
I've thought about this recently and I came to the conclusion that it would be best to have a possibility to change the memo key (maybe also in the Account Auths tool). In this way one could change the master key of his account and after that change the memo key back to the old one, so that old encrypted messages can still be read.
Small typo in your text:
Thanks! Changed the typo. A change only of the memo key would be something that could help. But as far as I know the memo key is also used to transfer Steem, which would mean that it would be not secure if you keep your old memo key. :)
I'm not sure how exactly the different frontends handle the encryption process. It could be that they use the active key also for encrypting the memo, which may not be the best solution.
On SteemWorld I always use the memo key to encrypt the memo field prior to signing the transaction with the active key... :)
Using the memo key is definitely not really easy for outsiders. Will check the memo function on Steemworld. Maybe I will finally be successful sending encrypted memos :)
Just did. it works perfectly. Thanks for your great tool~!
Yes, I agree that it is more comfortable for outsiders to make it all with only one key and this will be the reason why some frontends solved it in this way.
Your transfer came in and I can read the encrypted message using my memo key :)