Steem Basics: Understanding Private Keys

in #steem2 years ago (edited)

Steem Basics Private Keys v4.jpg

In a previous post we discussed how we are in the process of splitting Condenser (the open source software that powers into two separate applications that will work together seamlessly. One application will handle all the financial functions (wallet) that require a higher level of security, and the other application will handle all the social functions that require a relatively lower level of security. The end result will be two applications that are more secure and optimized for their specific functions.

Private Key Management

This “separation of concerns” is similar in concept to the different types of keys every Steem account holder is given when they create an account. These keys “unlock” different levels of control over an account. One of the advantages of the split will be that it will enable us to create a more intuitive user experience with respect to the use of your keys. For that reason we thought we would take this opportunity to educate any users who are still confused by the private key system on what these keys do and how they can be used safely.

Posting Key

In today’s post we want to focus primarily on the Posting Key and Master Password as these help explain the overall design of Steem’s private key system. Steem’s private keys are “hierarchical” which means that each one enables the key holder to perform a wider variety of activities with the associated account. The “Posting Key” is at the bottom of the hierarchy because it can do the least. It can only be used to perform social activities like posting, commenting, upvoting and downvoting. While these activities are common, they do not require a high level of security, because they do not authorize any operations which can negatively impact token balances.

If you prefer watching to reading, check out this video in which Steemit’s Content Director (@andrarchy) explains Steem’s Private Key system:

Screen Shot 2019-02-20 at 1.55.11 PM.png

To retrieve your Posting Key, go to the permissions tab inside your Steemit wallet. Your public Posting Key will be at the top of the page and alongside it you will see a button that says “SHOW PRIVATE KEY.” When you click on that button you will be prompted to input your Active Key or Master Password. Once you do so, your private Posting Key will be displayed. At this point you might want to consider saving this key to a password manager like LastPass or Dashlane for safe storage.

Permissions v2.png

A user’s keys are vulnerable any time they are entered into an application. A malicious actor could create a fake interface at a domain that is a common misspelling of and that requests you input your private keys (phishing). A malicious browser plugin can also gain access to keys stored in your computer’s memory or your web browser’s cookies. Having a Posting Key ensures that the key that is used the most–and is therefore most likely to be acquired by a malicious actor–conveys the least authority. Even if a hacker does get this key, the only things they can do with the account are the social activities (as opposed to financial).

Key Hierarchy v2.jpg

Because the Posting Key has the fewest authorities, there is no harm in always attempting to use the Posting Key if you are not confident about which key should be used. In other words, if all of this sounds confusing, all you need to remember is that the safest option is to only use your Posting Key. If a key with higher authority is required to perform the action, you will be informed by the interface that the Posting Key is insufficient and that another key is required.

In the vast majority of such cases, you will then use your Active Key. But remember to be more cautious in those circumstances. That being said, the Posting Key can certainly be abused too, so users should always be vigilant. We will continue to release posts like this to educate users about how they can protect themselves within the Steem ecosystem.

Master Password

While a hacker acquiring a Posting Key might be unpleasant for the account holder, as long as the rightful account owner still has their Master Password (or their Owner Key), they can always change all the other keys and regain total control over their account.

Password v. Key

One might wonder why the Master Password isn’t also called a “key.” That’s because all of the keys are actually derived from this single password. That’s why it’s called the “Master” password. It is also called the “seed” because it is the first password that is created, and it is from that the rest of the keys spring forth. That’s why it can be used to perform any function on Steem, from social activities to financial activities. Its convenience has led many to use this password for everything, but this is the precise opposite of its intended use.

Since keys can be used to do any activity in Steem apps like, the Master Password should be securely stored in a password manager (like LastPass or Dashlane), or offline entirely, and only used for highly-trusted applications, minimizing the risk it could be acquired by a malicious actor. Remember, if you use your private keys right, you be unlikely to use the Master Password ever, therefore sacrificing some convenience for the benefit of security is a worthwhile tradeoff.

Steem Connect and Keychain

Users should always be careful when signing into any site that requests any of their private keys. We at Steemit, Inc. can only speak to the security of Otherwise, we recommend only signing into websites through SteemConnect which is an open-source, universal, login layer for Steem Apps, built by a community developer (@fabien) in collaboration with Steemit, Inc. Think of it as “Facebook Connect” for Steem apps.

Users who do not want to input their private keys into Steem-powered websites can use the the Keychain extension created by the @steemmonsters team. Keychain stores Steem keys in a browser extension which can automatically provide the appropriate keys when prompted by a Steem app, thereby foregoing the need for users to expose their keys by copy-and-pasting them into a website.

steemconnect keychain.jpg


The goal of this post was to focus primarily on the Posting Key and Master Password because understanding these two items delivers the most insight into the overall design of the system. The Posting Key is at the very bottom of the hierarchy because it grants the least authority, but it is also the key Steemians should be using the most since it governs social functions. The Master Password, on the other hand, is at the very top of the hierarchy because it grants the most authority and is almost never necessary.

We will cover the rest of the keys in future posts, so if you found this informative, be sure to follow @steemitblog and please share this post with anyone who is trying to gain a better understanding of the private key system.

The Steemit Team


Great post. What is the memo key for and where does it fit in the security hierarchy?

Posted using Partiko iOS


This is crazy I upvoted you hours ago. maybe I didn't press post button hard enough the comment for you end up below danielndt or maybe it is because I was messing around with my setting, but my post of 11 hours ago was meant for you apshamilton.

I see you post under mine. The changes are confusing but for the better eventually I think. I use SteemPeak and Partiko rather than Steemit in any case.

Confusing plus I am going to just take it slow let all the info soak in thanks for your reply and advise. I will be following you.



I agree about the Memo key and where it fits or is it a security risk. I feel vulnerable with all the changes going on with the wallet security. If you read my blog the other day I was frustrated and angery enough to get what I could and get lost. I need some one line solutions and I could settle down and hash my way through it, until then the old hawgwild is on a short leave, (Doctors orders; don't get to stressed out).

hola soy nuevo alguien me puede explicar como comenzar en la actividad, y que paginas serian mas productivas para unirme a la comunidad steem

Nice information thanks You So much

Muy buena pregunta, estoy interesado también en esa clave que no entendí como usarla.

It seems that I did not understand the lesson well

when i try to view my private posting key it wont let me, i click reveal, log in, and then im logged in but it is still hidden, how do i fix this?

Magic Dice has rewarded your post with a 3% upvote. Thanks for playing Magic Dice.

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need. I agree with Crim, we need this in one easy to find location with some other FAQ. Nice progress!

Easy for you to say, I still feel vulnerable with things being changed fast.

This is really well put together! Well done~ I'm going to carry it through into some of the new user communities. I hope to see this rolled into the FAQ here or into however you refresh the introductory new user experience for front ends with the upcoming split~

Thanks Crim! That's the idea!

Couple of years ago, on recommendation of PBG, I opened an account and invested couple hundred bucks into SP (and even made a post); sorry to say - very very confusing site(s). For I have user name and all my keys; for Steem Chat I have another user name AND password. To get to my wallet I have to print one of the keys! But the worst thing it is impossible to find Support or Help on your site, to ask questions (not addressed to in FAQ), e.g. how do I assign a password (rather than key), to acess my wallet? what is the address to use, to access Hive blockchain, to see the results of the recent fork? Can anybody contact me via [email protected] ? Thanks.

Superb video. Having things like this to send new users to when they ask about the keys, or even linking to from the FAQ in different dApps will be really helpful!

Shame I can't flag people who comment on YouTube though.

lol, why'd you make me look?!

Great video! This really breaks it down so it's useful to newbies but many users that have been here for a long time might have an 'aha' moment too :-)

Thanks for commenting, things are getting better in #Steemit and at #Steem network especially in the area of communication, information, advertising, and projecting Steem to the far ends of the planet earth!

Thanks @steemitblog for the reminder cum information.

I never got this one:
Master Password (or their Owner Key).
Are these two different names for the same thing or I'm missing something?

Yes I was confused by this as well for a long time but I'm pretty sure that yes Master/Owner key is the same, then you have the active and the posting key.

To oldtimer(74) Another old timer with some steem power and experience and you don't know either that's puzzling a minnow like me does not have a chance it seems. I wish I could give you the answer. Another fear of mine is bungling around and making the same mistake 3 or so times and lock myself out of my own blog and wallet sites. I thought I was locked out an hour ago, luckily I recorded all these keys and codes on paper 3 months ago. I had to try 3 of them and finally the type fest ended. whoever is implementing these changes would slow down so us Minnows can have some fun Please

Definitely one of the most useful posts on sorting steemit out I have seen in a long time excellent post.

This video was very good ... and it helps lot :)

Excellent work with this! :)

Thank you @steemitblog
This information is very useful especially for new users on our pride platform...

I think this blockchain-based social media would push speaking freedom. but I wish it could be like Bitcoin, people can sign up freely instead of requiring email and phone number, people can use many opensource client instead of single website.

After changing the keys some time ago, I can only log in to my account with the Posting Key, I try to reveal the other keys by entering the password Posting Key and nothing has the same asterisks, I have the old Active Key but it doesn't work well.
Thank you

Muy buena la inducciòn acerca del manejo de las claves de seguridad de steemit. Gracias.

Good post. I will translate this and share it with our local communication members.

Interesting. Shared with my followers :-)

You separated the Owner Password from the Master Password in your diagram, but aren't they the same thing?

They are not! The Master Password is used to generate all the other keys, including the Owner Key. The confusion is usually around the fact that we don't even allow you to view your Master Password through That's because the only reason you should ever really be using your Master Password is when you are going through the account recovery, in which case you should be retrieving the Master Password from your safe storage. The Master Password is the password you get upon signing up. You should then take that password, go to your wallet, retrieve all the other keys, and only use those keys going forward. Hope that helps!

Is there a way to change the Master Password?

Yes, by clicking your avatar and selecting "Change Password." The password being referred to there and in the following page is the Master Password, because remember, there is only ONE password on Steem, the rest are KEYS.

Screen Shot 2019-02-22 at 9.15.57 AM.png

Thank you @steemblog that will help me so much!

It's high time that an official statement was made about the use of keys. Steemit has to be the only site I know of that has left its use and functions to be explained by 3rd parties. These important details need to be front and center for all users, all the time!

I'm glad to see progress finally being made in this regard.

Since steem.centerwiki has already done an excellent job of making sense of Steem, it would be prudent and most efficient to simply link to it as a great reference manual.

Good idea! Thanks!


Posted using Partiko iOS

Allow me to translate this post into Indonesian :)

nice tutorial :-)

Great! Steemit needs more official tutorials. This may also be of interest: Steemconnect login with posting key instead of active key

Great tutorial. Quite informative even though short. Would like to know, which category does the password generated using the link sent to our emails during sign-up, fall in?

Hi. I visited for the first time.

Im confised. I have 1 password and after some days i got one transaction id ..what is that then?

And when i have to use master key?

Thanks.. This post is very good

STEEM, is a token that can be transferred and traded like Bitcoin. STEEM can be converted to STEEM POWER.... Steem is the best. I think, Steem is A Proof of Concept (POC) and are a small exercise to test the design idea or assumption.

For me absolute stupid way here. Plaese dont name it private key if it is server key. Real private keys should be generate offline and never put into any open file on internet.

I'm having immense trouble with this - I can't get into my wallet to obtain the private key because it requires a private key to get in.

Is there a way to reset this with Steem or is there another way to get this securely?

Mi pregunta con cual clave ingreso a mi monedero para gestionar?

Thank you,
This was a good review of an important topic.
I will resteem this post.

Very nice tutorial & very helpful and concise.

I resteemed this article. Thank you for the information.

Posted using Partiko iOS

I don't get it yet :(
I click on the reveal button but the passwords stay the same (***************) like that.
I click reveal, I log in, but any of the keys reveal
help me out please?

Much more informative writings.

I think the picture of wallet should be changed as below.

I cant sell my steem... everytime i try to transfer to blocktrades it says "transaction broadcast error missing active authority..." it's driving me crazy! Help me i want the money back

I understand the key process and its' need but what I don't understand is when I log into my account and navigate to "key/permissions" and try to copy any key so I can save it outside my account , I cannot. I click "reveal" and it takes me to the log in page. I log in and that sends me back to permissions where I hit reveal again and I am sent back to login. How do i reveal my keys??????? Help!

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need.

Thanks, I could enter again

Definitely very helpful and concise!

Thank you for sharing. I havent been on this for awhile and gotta catch up. There are so many apps to choose from for Steem Connect how does one determine which one is the best to join? Do the posts from one app connect to the other apps? Or do you need an account for all of them? Thank you.

Hi and thank you for the instruction. I am new to the platform and I need help to withdraw steems i bought from Bittrex to my steem wallet. Can you help me please or which is the correct key to withdrawal ?
withdrawal tab on Bittrex has Memo and recipient wallet address. I have tried so many tutorials about transferring the coin but each time was invalid.
Thank you

esteem app asks for master password. What can you say about that?

Esteem has SteemConnect support. It's a great app that has been around for a long time and has a great developer behind it, @good-karma.

Glad to know, im a huge fan

Крутой пост , мне нравится всё стало ясно

well explained
i find it very interesting all this
just learned about it like a week ago

can I get some piont?

techbegins is the best company for social media and digital marketing.
We are a digital marketing expert. More information Please Visit my Site

I appreciate all of the information. I’m new to this site and must admit, there is a significant amount of excitement from what I’ve witnessed thus far. Trying not to become overwhelmed in the beginning is always a challenge. I’m sincerely in awe of the capabilities here. Thanks

Thanks. Being a new steemit user, I am delight to see such a great and helpful post to prevent our account from being abused by hackers. I highly recommend all new steemit should have a read on this post.

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

I tried to login with my masterkey which I kept saved over the years, but how can I receive a posting key to get logged in again?

I am new and this was very easy to follow!

Es mi primera publicación, un poco complicado al tratar de conseguir la clave para el login pero se pudo.

Couldn’t see where to save my pdf password keys page so I screen shot it, wrote it out and try using it but it keeps failing. How can I get my master key like the pdf doc page sent me so I can try saving it directly. .? Pls o need some advise

Nowadays you people are very active. it is very good ♥

We've always been active, we're just communicating a lot more ;) Thanks!

glad to hear this... boss

Again and again I try to withdraw SBD to Bittrex from my wallet and get -
"Transaction broadcast error"
I did it before hundreds of times.
I have read all instructions and manuals here,
I enter my Active Key
I enter memo and...
Again the same...
"Transaction broadcast error"
What is going on? Could anyone help me?

PS. OK, guys I have helped myself.
I have read the instructions one more time and it helped)))))
So, for transactions Withdrawal SBD for example - you need NOT all those keys, that are mentioned in your account. But that one, that is saved (if you had done transactions before, at Google Password manager.
IMPORTANT. This password start not from "S", or "5" but from "P" only.

dams ahole are gonna try stealing our Steem - having the same issue. This platform is getting to be a joke.

So, I should avoid logging on a Steem app I don't trust, even using my posting key?

I notice that when I login Dtube or Steem Monsters, I'm inside their domain, so I'm actually sending my password to their web server.

Some Steem App then can verify my password on blockchain, and save it? And use it on other Steem Apps? Or be hacked and have my password stolen and used?

Sorry, if my password is sent directly to a Steem App's web server and it's the one validating it on Steem blockchain, I don't feel secure about it. Shouldn't it be using some kind of token or single sign on? In example, many sites allow us to use a standard SSO to log on them, but in this case they redirect us to a SSO authoritative's website (Google in example) and it's in that one we login, then we're redirected back to original site who just recognize the authentication without ever seeing our password.

Yes, or you could use Steem Connect.


How I may find my posting key . . . I am trying very hard but could not find any right to post a topic: