When you first register your Steem account, you're given your master password, a single complicated string of characters you need to remember to log in to your Steem account. However, in reality, your Steem account is protected by multiple keys/passwords which each have a specific purpose/usage.
For example, if you've been logging on to Steemit.com with that master password, you're doing it wrong! There are certain places these special keys/passwords need to be used for security reasons. This article will show you the purpose and usage of each of these keys and passwords. Let's dive in!
Overview of Keys
This first section will include an overview of each key type. There are three types of keys on Steem:
- Posting Key - The first and most used key type, used for posting, voting, and commenting
- Active Key - The second key type, used for money/currency transfers
- Owner Key - The third and most powerful key type, with the ability to change literally anything on your account
- Memo Key - Used to read/create memos, this key is, for now, pretty useless and can be ignored
For each of these keys, there are two "classes": the public key, and the private key. The public key is, well, public, in that everyone knows your public keys, and they can't really do anything at all. Your private keys, however, are the secure/important ones that you need to keep private and safe.
This order (posting, active, then owner) is also ordered from "least secure/important" to "most secure/important."
Ideally, you should keep all of these safe and sound, but some services may require your posting key (such as auto-voting bots) so the posting key is the least secure, in that sense.
The active key is in the middle in terms of importance/security as it is necessary to move funds out of your account or deal with any of the Steem/SBD in your account. However, the owner key is by far the most important, because it has the power to reset every other key. The owner private key is the master password you got when you first signed up for Steem, starting with a
How do I find these keys, if I only know my Master Password or Owner Key?
First, go to https://steemit.com. If you're already signed in, log out. Now, press "Sign in" once again, and log in with your master password.
After logging in, press your profile picture at the top-right corner of the screen. Then, press the "Wallet" tab.
Within the Wallet section, there are three different sub-sections. Click on the one marked "Permissions."
Now, you should be able to see four sections with QR codes and public keys. These are only the public keys for each section. To see the Posting Private Key, press the "Show Private Key" button next to the public key. To see the Active Private Key, press the "Login to Show" button next to the Active Public Key, then log in to see it.
You will not be able to see the Owner Private Key, because it's the most secure/important one and should be kept offline as much as possible.
In the next three sections, we'll go over each key and when you should use the key to log in.
The Posting Key is used for the least secure facets of the blockchain:
- posting posts/articles to Steem
- commenting/replying to another post
- upvoting/downvoting another post
Not a lot of financial or irreversible damage can be done with this key, though you still need to keep it secure unless you want hackers or others voting/posting with your account. Some services, such as guilds, curation trails, and auto-voting robots may ask you for your posting keys.
If you're able to say with a reasonable degree of certainty that the website/service looks qualified, and that other users have used it without worries, it's generally fine to give them your posting key.
Lastly, I highly recommend you always sign into Steemit.com with your posting private key. Signing in with your master password or owner key works, but is not recommended because you can get everything done with just your posting key. Using a more powerful key puts that key at a higher level of risk should your computer get stolen or hacked.
See the last section ("Keeping Your Keys Safe and Secure") for more details on this.
The Active Key is mostly used for financial aspects of Steem, relating to your Steem balances and SBD reserves:
- transferring Steem or SBD out of your account
- transferring Steem or SBD into your savings
- placing orders on the Steem Exchange
- changing account settings (such as your profile picture)
- powering up, or powering down Steem
Not so coincidentally, these are the only times you should ever use your Active Key. No service should ever want your Active Key, because your Active Key controls all of the funds inside your account.
Furthermore, if you give your Active Key to a hacker or scam, they can easily and irreversibly transfer all of your hard-earned Steem and SBD out of your account. Don't let this happen.
Remember: if you're not doing something related to money (Steem/SBD) or related to changing an account setting, you don't have to use your active key.
The Owner Key is the most powerful and important key. It includes the "master power" and can do literally anything to your account:
- everything the posting key can do (post, comment, vote)
- everything the active key can do (transfer funds, change settings)
- Master Power: reset every other key, including the owner key itself
- vote for Steem witnesses
Every change or transaction that can be done on your account is available to the Owner Key, including everything the posting/active keys can do. Furthermore, the owner key is used to vote for Steem witnesses, who are the accounts who produce the Steem blockchain.
The "Master Power" of the Owner Key allows it to reset every key on your account, including itself. If someone gets your owner key, they can easily reset every single key including the owner key itself, locking you out of your account.
This is why it is incredibly important to keep this key safe. Every key should be kept safe and secure, but this one should be treated with an even higher standard of safety. You will never need to use your Owner Key on any third-party service, and it's highly recommended not to use it for Steemit.com either.
Keeping Your Keys Safe and Secure
Keeping your Steem keys safe and secure is highly important.
Sign in with Posting Key
When you sign into Steemit.com for the purpose of posting, commenting, or voting, sign in with your posting key. This is because in basically any worst-case scenario, attackers can't do much to your account.
Say you logged into a fake website pretending to be Steemit.com— even so, the hackers only got your posting key, so the worst thing they could do would be to post a spammy article to Steem under your name, or vote on a bunch of posts you don't like.
Say you had a keylogger or virus on your computer recording your password— still, the attackers can't do much (except post or vote without your permission).
Additionally, you can easily change your posting key if you know this happened, using the Key Change Process shown below.
Key Recovery/Change Process
It's okay to let a trusted friend or service handle your posting key, because it can't harm your account too much. However, if you lose your active key or owner key in the future, or believe someone else might have it, use this process to reset all of your keys:
- Sign into Steemit.com with your Owner Key. This is the only time you should do so.
- Click this link. Your address bar should read
- Follow the directions in the link to change your master password, thereby changing all other keys.
Cold Storage for Owner Key
Your Master Password (the original password you got when you signed up) is also your Owner Key. It should be kept in what's known as "cold storage", which simply means that it's isolated from the rest of the world and Internet.
The easiest way to do this is to remove it from all computers and electronic devices, and write it down on a piece of paper. Store that piece of paper somewhere safe and secure, such as a safe/vault inside your house.
Check Your Links
When you click on a link and see a website that looks like Steemit, check the address bar above. Do you see a green lock indicating a secure connection? If no, close the tab immediately. If you do, check to make sure the website reads
steemit.com and not anything different. If it's similar but not exactly the same, it's still a phony.
If you ever enter your password on a phony website, make sure to reset your keys ASAP using the Key Change process above.
That's all you need to know about Steem's passwords, keys, and how to keep them safe. You now know exactly when to use each key, and what each key should be used for.
You can now consider yourself a Steem Key Ninja :)
Thanks for reading,
announcement: @mooncryption is now on other social media! Use the buttons at the right to find our various social media pages from Steemit to Facebook to Twitter!