Steem Basics: Understanding Private Keys - Part 1

in steem •  28 days ago


In a previous post we discussed how we are in the process of splitting Condenser (the open source software that powers steemit.com) into two separate applications that will work together seamlessly. One application will handle all the financial functions (wallet) that require a higher level of security, and the other application will handle all the social functions that require a relatively lower level of security. The end result will be two applications that are more secure and optimized for their specific functions.

Private Key Management

This “separation of concerns” is similar in concept to the different types of keys every Steem account holder is given when they create an account. These keys “unlock” different levels of control over an account. One of the advantages of the split will be that it will enable us to create a more intuitive user experience with respect to the use of your keys. For that reason we thought we would take this opportunity to educate any users who are still confused by the private key system on what these keys do and how they can be used safely.

Posting Key

In today’s post we want to focus primarily on the Posting Key and Master Password, as these help explain the overall design of Steem’s private key system. Steem’s private keys are “hierarchical”: each level up the hierarchy lets the key holder perform a wider set of operations with the associated account, and a higher key can authorize everything a lower one can. The “Posting Key” is at the bottom of the hierarchy because it can do the least. It can only be used to perform social activities like posting, commenting, upvoting and downvoting. These activities are common, but they tolerate a lower level of security because none of them authorizes an operation that can move or reduce token balances.

If you prefer watching to reading, check out this video in which Steemit’s Content Director (@andrarchy) explains Steem’s Private Key system:


To retrieve your Posting Key, go to the permissions tab inside your Steemit wallet. Your public Posting Key will be at the top of the page and alongside it you will see a button that says “SHOW PRIVATE KEY.” When you click on that button you will be prompted to input your Active Key or Master Password. Once you do so, your private Posting Key will be displayed. At this point you might want to consider saving this key to a password manager like LastPass or Dashlane for safe storage.

Permissions v2.png

A user’s keys are exposed any time they are entered into an application. A malicious actor could set up a fake interface at a domain that is a common misspelling of steemit.com and ask you to input your private keys (phishing). A malicious browser plugin can also read keys that a web application keeps in the browser, whether in page memory, local storage or cookies. Having a Posting Key ensures that the key used most often, and therefore the one most likely to be acquired by a malicious actor, conveys the least authority. Even if an attacker does get this key, the only things they can do with the account are the social activities (as opposed to financial ones).

Key Hierarchy v2.jpg

Because the Posting Key has the fewest authorities, there is no harm in always attempting to use the Posting Key if you are not confident about which key should be used. In other words, if all of this sounds confusing, all you need to remember is that the safest option is to only use your Posting Key. If a key with higher authority is required to perform the action, you will be informed by the interface that the Posting Key is insufficient and that another key is required.

In the vast majority of such cases, you will then use your Active Key. But remember to be more cautious in those circumstances. That being said, the Posting Key can certainly be abused too, so users should always be vigilant. We will continue to release posts like this to educate users about how they can protect themselves within the Steem ecosystem.

Master Password

While a hacker acquiring a Posting Key might be unpleasant for the account holder, as long as the rightful account owner still has their Master Password (or their Owner Key), they can always change all the other keys and regain total control over their account.

Password v. Key

One might wonder why the Master Password isn’t also called a “key.” That’s because all of the keys are actually derived from this single password: each key is computed deterministically from the password together with the account name and the key’s role (owner, active, posting or memo), so anyone holding the password can regenerate every key. That’s why it’s called the “Master” password. It is also called the “seed” because it is the first secret that is created, and it is from it that the rest of the keys spring forth. That’s why it can be used to perform any function on Steem, from social activities to financial activities. Its convenience has led many to use this password for everything, but this is the precise opposite of its intended use.

Since the Master Password can be used to perform any activity in Steem apps like steemit.com, it should be securely stored in a password manager (like LastPass or Dashlane), or offline entirely, and only used with highly trusted applications, minimizing the risk that it could be acquired by a malicious actor. Remember, if you use your private keys correctly you will be unlikely to ever need the Master Password, so sacrificing some convenience for the benefit of security is a worthwhile tradeoff.
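As an added worked example, not code from the original post or from Steemit, Inc., here is the derivation described above written out in Python: each role key is the SHA-256 of the account name, the role name and the Master Password concatenated, encoded in Wallet Import Format (WIF). This is the same computation that the cli_wallet command `get_private_key_from_password` and the steem-js library perform. The account name and password in the block are constructed for illustration and do not belong to any real account. The `wif_decode` helper shows the check a practitioner wants when pasting a key from a password manager: a wrong version byte or a corrupted checksum is rejected instead of being silently used.

```python
import hashlib

# Bitcoin-style Base58 alphabet; Steem uses the same encoding for WIF private keys.
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")


def b58encode(data: bytes) -> str:
    """Base58-encode raw bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[0:1] * pad + bytes(reversed(out))).decode("ascii")


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in s.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid Base58 character %r" % chr(ch))
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def _checksum(payload: bytes) -> bytes:
    """WIF checksum: first 4 bytes of sha256(sha256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(priv: bytes) -> str:
    """Wallet Import Format: 0x80 || 32-byte key || 4-byte checksum, Base58-encoded."""
    if len(priv) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = b"\x80" + priv
    return b58encode(payload + _checksum(payload))


def wif_decode(wif: str) -> bytes:
    """Return the 32 raw key bytes, refusing a bad version byte or checksum."""
    raw = b58decode(wif)
    if len(raw) != 37 or raw[0] != 0x80:
        raise ValueError("not an uncompressed WIF private key")
    payload, checksum = raw[:-4], raw[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("WIF checksum mismatch (typo or corrupted key)")
    return payload[1:]


def derive_private_key(account: str, role: str, master_password: str) -> str:
    """Steem role-key derivation: sha256(account || role || password), as WIF."""
    if role not in ROLES:
        raise ValueError("unknown role %r" % role)
    seed = (account + role + master_password).encode("utf-8")
    return wif_encode(hashlib.sha256(seed).digest())


def derive_all_keys(account: str, master_password: str) -> dict:
    """All four role keys for one account, each derived independently from the seed."""
    return {role: derive_private_key(account, role, master_password) for role in ROLES}


if __name__ == "__main__":
    # Constructed input: an arbitrary account name and a made-up Master Password.
    keys = derive_all_keys("bob", "P5EXAMPLEPASSWORD-NOT-A-REAL-ACCOUNT")
    for role, wif in keys.items():
        print(role, wif)
    # Round-trip check: the pasted key decodes to the same 32 bytes we encoded.
    assert wif_encode(wif_decode(keys["posting"])) == keys["posting"]
```

Because the derivation includes the account name and the role, the same Master Password yields four unrelated-looking keys and different keys for different accounts; and because it is a one-way hash, holding a Posting Key gives no way back to the password or to the other keys, which is what makes the hierarchy safe to use in the way the post recommends.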

Steem Connect and Keychain

Users should always be careful when signing into any site that requests any of their private keys. We at Steemit, Inc. can only speak to the security of steemit.com. Otherwise, we recommend only signing into websites through SteemConnect which is an open-source, universal, login layer for Steem Apps, built by a community developer (@fabien) in collaboration with Steemit, Inc. Think of it as “Facebook Connect” for Steem apps.

Users who do not want to input their private keys into Steem-powered websites can use the Keychain extension created by the @steemmonsters team. Keychain stores Steem keys inside a browser extension and signs requests from a Steem app with the appropriate key when prompted, so the key itself stays in the extension and users no longer need to expose it by copying and pasting it into a website.

steemconnect keychain.jpg

Summary

The goal of this post was to focus primarily on the Posting Key and Master Password because understanding these two items delivers the most insight into the overall design of the system. The Posting Key is at the very bottom of the hierarchy because it grants the least authority, but it is also the key Steemians should be using the most since it governs social functions. The Master Password, on the other hand, is at the very top of the hierarchy because it grants the most authority and is almost never necessary.

We will cover the rest of the keys in future posts, so if you found this informative, be sure to follow @steemitblog and please share this post with anyone who is trying to gain a better understanding of the private key system.

The Steemit Team


Great post. What is the memo key for and where does it fit in the security hierarchy?

Posted using Partiko iOS

·

Very good question. I am also interested in that key, which I never understood how to use.

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need. I agree with Crim, we need this in one easy to find location with some other FAQ. Nice progress!

This is really well put together! Well done~ I'm going to carry it through into some of the new user communities. I hope to see this rolled into the FAQ here or into however you refresh the introductory new user experience for front ends with the upcoming split~

·

Thanks Crim! That's the idea!

Superb video. Having things like this to send new users to when they ask about the keys, or even linking to from the FAQ in different dApps will be really helpful!

Shame I can't flag people who comment on YouTube though.

·

lol, why'd you make me look?!

Great video! This really breaks it down so it's useful to newbies but many users that have been here for a long time might have an 'aha' moment too :-)

Thanks for commenting, things are getting better in #Steemit and at #Steem network especially in the area of communication, information, advertising, and projecting Steem to the far ends of the planet earth!

Thanks @steemitblog for the reminder cum information.

I'd hope everyone uses a password manager of some sort, as you need unique passwords for each site anyway. Something like LastPass also reduces risk, as it will only supply the password for the real site and not for a fake one.

Thank you

I never got this one:
Master Password (or their Owner Key).
Are these two different names for the same thing or I'm missing something?

·

Yes I was confused by this as well for a long time but I'm pretty sure that yes Master/Owner key is the same, then you have the active and the posting key.

·
·

@oldtimer, @direwolf: No, they are not the same.
Owner Key is derived from the Master Password in the same way as the Posting Key.

Let's say user bob is setting his new Master Password.
It will look like this: P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R.
Steem blockchain however, doesn't know anything about Master Password as such.
It uses keys, such as Posting Key, Active Key, Owner Key that are derived from the Master Password.
In such case bob will have:
Private Owner Key:
5JiD4BEytbFWMGeN3Zk9JfFFgFCTvfcDhDGReG7jt2DREY8JzMa
Private Active Key:
5K6p5g2ob577bA53qgLMGDGY3L3D7M4ccaY2qFSJppgEvJkeLFn
Private Posting Key:
5KW5yYgmPf7bRn6BFEWboLr9bj4QtmVJMNAm2SiErDN5BCGtWH5
How do I know? There's a cli_wallet function that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one secret instead of all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R
Same for every role.

In fact you don't need to have Master Password at all. Your private keys can be generated and changed independently.

·
·
·

What is a cli-wallet and where can I find it?

There's a cli_wallet functionality that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one, instead all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R

·
·
·
·

cli_wallet is a command line tool, a part of https://github.com/steemit/steem
You can either build it yourself or extract it from a docker image.

·
·
·

Thanks for the info. And where is the master password? Never seen it. I only got the four keys.

·
·
·
·

You get the Master Password at the time of account creation through the Steemit site (which I believe is how you got yours). You don't need it as long as you have all your private keys, or at least your private owner key, so you can set all the others.

·
·
·
·
·

Is there a scenario, where the private owner key is not enough and where you need the master password? e.g. account recovery?

·
·
·
·
·
·

No. Steem blockchain doesn't know about your Master Password.
Master Password is like a Master Key, that allows you to open doors on all levels of the building. You can use that one or separate keys. Separate key for the highest level in the building is enough to open it.
Also, if you change the lock in that door, Master Key will no longer be able to open it.

·
·
·
·
·
·
·

Ok. Now I know what my error is. I thought that I have the 4 private keys: active, memo, posting and owner. I thought my password was missing. But: I do have the password and only the three private keys active, memo and posting. I don't know my owner private key, because it is not shown in the Steemit wallet. I think it is generated automatically if I enter my password in Steemit.

Is there a way to get the private owner key?

Definitely one of the most useful posts on sorting steemit out I have seen in a long time excellent post.

This video was very good ... and it helps lot :)

·

This spam is courtesy of @fulltimegeek! A real piece of shit who flags manual curation projects like @themadcurator because he's a spiteful cunt!!!

·
·

What is this ?????


Excellent work with this! :)

Thank you @steemitblog
This information is very useful especially for new users on our pride platform...

·

Definitely very helpful and concise!

esteem app asks for master password. What can you say about that?

·

Esteem has SteemConnect support. It's a great app that has been around for a long time and has a great developer behind it, @good-karma.

·
·

Glad to know, im a huge fan


Thank you,
This was a good review of an important topic.
I will resteem this post.

Very good introduction to managing Steemit's security keys. Thank you.

Good post. I will translate this and share it with our local communication members.

And when i have to use master key?

Interesting. Shared with my followers :-)

You separated the Owner Password from the Master Password in your diagram, but aren't they the same thing?

·

They are not! The Master Password is used to generate all the other keys, including the Owner Key. The confusion is usually around the fact that we don't even allow you to view your Master Password through steemit.com. That's because the only reason you should ever really be using your Master Password is when you are going through the account recovery, in which case you should be retrieving the Master Password from your safe storage. The Master Password is the password you get upon signing up. You should then take that password, go to your Steemit.com wallet, retrieve all the other keys, and only use those keys going forward. Hope that helps!

·
·

Is there a way to change the Master Password?

·
·
·

Yes, by clicking your avatar and selecting "Change Password." The password being referred to there and in the following page is the Master Password, because remember, there is only ONE password on Steem, the rest are KEYS.


·
·
·
·

Thank you @steemblog that will help me so much!

It's high time that an official statement was made about the use of keys. Steemit has to be the only site I know of that has left its use and functions to be explained by 3rd parties. These important details need to be front and center for all users, all the time!

I'm glad to see progress finally being made in this regard.

Since steem.centerwiki has already done an excellent job of making sense of Steem, it would be prudent and most efficient to simply link to it as a great reference manual.

·

Good idea! Thanks!

nice tutorial :-)

Bookmark

Posted using Partiko iOS

Allow me to translate this post into Indonesian :)

I resteemed this article. Thank you for the information.

Posted using Partiko iOS

Great! Steemit needs more official tutorials. This may also be of interest: Steemconnect login with posting key instead of active key

Great tutorial. Quite informative even though short. Would like to know, which category does the password generated using the link sent to our emails during sign-up, fall in?

Hi. I visited for the first time.

I'm confused. I have 1 password and after some days I got one transaction id... what is that then?

Nowadays you people are very active. it is very good ♥

·

We've always been active, we're just communicating a lot more ;) Thanks!

·
·

glad to hear this... boss