Your Steem account is worth money! How to secure it with a new owner key to keep it yours forever

11 months ago
72 in steemit-guides

After the big July 4th payout many people's accounts suddenly have tens, hundreds, sometimes thousands of Steem Dollars in them, and thousands of Steem Power too. In this post we're going to learn how to make a new, very secure owner password for our accounts. I'll explain why this is a good security measure, take you step-by-step through the process of creating a very secure password and updating your owner password to it. I'll then touch on what to do with the password or key once you've created and updated it.

See this post for more info about the different Steem account keys.


The owner key

Your owner key gives full control over your Steem account. Its user is able to post, vote, transfer funds, and change all keys including being able to change the owner key. Notice I said "its user" and not "you"? Because if someone were to get your account or owner password, they can change all the keys and take your account and whatever it is worth for themselves. The owner key is meant to be used basically only if necessary, and otherwise written down/etched in stone and put into "cold storage," a crypto term for keeping your keys off of running or internet-connected computers.

If you have an account registered from Steemit (you registered through Facebook or Reddit), and you haven't switched to logging in with a posting key yet, you are probably logging in using a long password that Steemit required you to make. If you haven't made any changes to your keys yet, this password controls all aspects of your account and includes the owner key.

[Sidenote: the concept of account ownership needs to be worked out for a Steem constitution].

Let's change it

I hope that is enough to convince you that logging in with your original password is not a good idea, at least not until you've changed your owner key.

WARNING: Take this seriously, do NOT lose your new owner password

Before we go further, I need to say that because the owner password is the master key for your account, if you lose it you will not be able to change the other keys if they get compromised and changed on you. Once you make the key, and especially after you've updated your account to use it, you need to make sure it's safe, secure, and won't get thrown out with yesterday's grocery list.

Step 1: Make your new owner key or password

Diceware

To create a super-secure owner password, we are going to use Diceware (Wikipedia).

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select a word from the list.

Each Diceware word gives 12.9 bits of entropy, and because we only have to do this once, we're going to crank those dice all the way up to 20 words for 258 bits of entropy. Diceware is fairly simple and straightforward: get a single dice (die, whatever), roll it 100 times (5 for every word), record the result (1-6) of each roll on a notepad, then look up the word that corresponds to each group of 5 rolls in the word list. Follow the instructions from Diceware's page (scroll down to "Using Diceware") for more detail. You will end up with 20 Diceware "words." If you wrote the words down on your computer, print a couple of copies, and perhaps save them to a USB backup drive (not a local, always-on disk).
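The batch conversion described above, as an added example that is not part of the original post: it validates the recorded rolls, groups them in fives, looks each group up, and computes the entropy figure. The function names, the four-entry word list and the sample rolls are constructed for illustration; a real run uses the full Diceware list and 100 physical dice rolls.

```python
import math

FACES, ROLLS_PER_WORD = 6, 5
BITS_PER_WORD = ROLLS_PER_WORD * math.log2(FACES)  # log2(6**5) = log2(7776), about 12.9

def parse_wordlist(text):
    """Parse 'NNNNN<whitespace>word' lines into {index: word}."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank lines and anything that is not a list entry
        index, word = parts
        if len(index) == ROLLS_PER_WORD and set(index) <= set("123456"):
            words[index] = word
    return words

def rolls_to_passphrase(rolls, wordlist, n_words=20):
    """Turn recorded dice rolls (spaces, commas, dashes allowed) into n_words words."""
    digits = [c for c in rolls if not c.isspace() and c not in ",-"]
    bad = [c for c in digits if c not in "123456"]
    if bad:
        raise ValueError(f"not a die face: {bad[0]!r}")
    need = n_words * ROLLS_PER_WORD
    if len(digits) != need:
        raise ValueError(f"expected {need} rolls, got {len(digits)}")
    groups = ["".join(digits[i:i + ROLLS_PER_WORD])
              for i in range(0, need, ROLLS_PER_WORD)]
    missing = [g for g in groups if g not in wordlist]
    if missing:
        raise KeyError(f"index {missing[0]} not in word list")
    return " ".join(wordlist[g] for g in groups)

def entropy_bits(n_words):
    """Entropy of n_words words chosen uniformly from a 7776-entry list."""
    return n_words * BITS_PER_WORD

# Constructed stand-in entries; the real Diceware list has 6**5 = 7776 lines.
SAMPLE_LIST = "11111\talpha\n16423\tbravo\n36561\tcharlie\n66666\tdelta\n"
# Constructed rolls for a 3-word demo; the guide's owner password uses 100 rolls.
SAMPLE_ROLLS = "1 6 4 2 3  3 6 5 6 1  6 6 6 6 6"

if __name__ == "__main__":
    wl = parse_wordlist(SAMPLE_LIST)
    print(rolls_to_passphrase(SAMPLE_ROLLS, wl, n_words=3))
    print(f"20 words = {entropy_bits(20):.1f} bits")
```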

See also: XKCD, Password Strength

Step 2: Secure backups!

Now it's time to back up that new owner password offline, on paper, USB, DVD-R, Incan knots, etc. I'm going to pass this one over to @steempower who recently wrote a good guide to diligent backup:

Backup strategy to secure seeds, databases and digital files

Don't take it lightly. Should you ever need it, you'll want to make sure you'll have your owner pass or key well into the future.

Once you've updated your owner password or key, you cannot change it if you don't have the new one! So imagine a worst-case scenario where as soon as you hit the Save button your house burns down. Before changing the owner key, make all of your backups, including offsite ones. Procrastination might be your downfall, so it's prudent to do this before going further.

Step 3: Update your owner password

Ok, you have your new password and it's backed up in multiple safe locations, not on a piece of paper hanging precariously over the paper shredder? Great, we're set to update your owner password.

Go to https://steemit.com/@youraccount, putting your account name in the URL where appropriate. Then click the Permissions tab.

permissions

Then carefully click the third pencil icon down, next to the owner key line, as shown below.

before-pencil

Type (carefully!) or copy and paste your 20-word Diceware password into the boxes. If you paste, paste into a viewable text editor first to make sure you have no preceding or trailing spaces; this is important! Also be aware that spacing and capitalization matter! Every character has to be entered verbatim when setting it and identically when using it, so make sure your hard copy of the password is explicit about spacing and capitalization. Once done, hit Save. The spinning icon will spin just long enough to put a small sense of dread in your mind, but then you'll get the green text and you'll breathe again.
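One way to automate the "check it in a text editor first" step, as an added example that is not part of the original post or of Steemit's code: it flags the invisible differences (stray spaces, tabs, non-breaking or zero-width characters, wrong word count) that would make the saved password differ from the hard copy. The function names and sample strings are constructed for illustration.

```python
import unicodedata

def passphrase_problems(candidate, expected_words=20):
    """Return reasons the typed or pasted passphrase may not match the hard copy."""
    problems = []
    if candidate != candidate.strip():
        problems.append("leading or trailing whitespace")
    for pos, ch in enumerate(candidate):
        if ch == " ":
            continue  # a plain ASCII space is the only separator we accept
        cat = unicodedata.category(ch)
        # Z* = separators (e.g. non-breaking space), Cc = control (tab, newline),
        # Cf = format characters (e.g. zero-width space)
        if cat.startswith("Z") or cat in ("Cc", "Cf"):
            problems.append(
                f"invisible or non-standard character U+{ord(ch):04X} at offset {pos}")
    if "  " in candidate.strip():
        problems.append("two or more consecutive spaces between words")
    n = len(candidate.split())
    if n != expected_words:
        problems.append(f"{n} words, expected {expected_words}")
    return problems

def same_as_hard_copy(entered, hard_copy):
    """Exact comparison: capitalization and spacing both count."""
    return not passphrase_problems(hard_copy, len(hard_copy.split())) \
        and entered == hard_copy

# Constructed 3-word samples; a real owner password from this guide has 20 words.
SAMPLES = [
    "alpha bravo charlie",        # clean
    " alpha bravo charlie",       # leading space from a sloppy copy
    "alpha\u00a0bravo charlie",   # non-breaking space pasted from a web page
    "alpha  bravo charlie",       # double space
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", passphrase_problems(s, expected_words=3) or "ok")
```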

green text box

You'll still be logged in with your original password, and you'll see that you cannot show your owner key anymore. Success.

login with original pw

Then if you were to log in with the new owner password, which you don't need to do at all, you'd see you could edit all the keys, including the owner.

login with owner pw

Backup, backup, backup!

mays

Billy Mays here, reminding you to make sure you've got your password backed up!
BUT WAIT, THERE'S MORE!

Step 4: Make and log in with a posting key or password

Now that you've got your owner password securely backed up, you can move on to posting securely by only logging in with a posting key. I'm going to pass the buck again, this time to myself:

How to login with your posting key (and why this is important)

Your original 16+ character "master" password will still work as a memo key and active key. Remember the active key that your master password controls can still do a lot, including instantly transferring your Steem Dollars and STEEM tokens and less-instantly powering down your Steem Power, so keep it guarded as well.

To reiterate, many of the Steem accounts that most people got for free are now worth much more, so be diligent in protecting the value your account holds. Create an owner key to be used for cold storage, make sure it's properly backed up so that you'll have it forever, and always log in with your posting key unless doing something with your funds.


If you found this or my other posts helpful, click here for my blog page and hit the follow button in the upper right!

43
  ·  10 months ago

Newbie here. I don't have a pencil showing on either posting, active, owner or memo. Anything I've missed?

·
72
  ·  10 months ago

Hey and welcome. It seems these have been deactivated for now, probably to prevent people from logging in with their active or owner keys. Thanks for pointing this out!

70
  ·  11 months ago

great guide! I prefer keepass or enpass as password managers / creators.

·
67
  ·  11 months ago

I agree password managers are easier. The guide above is good for the paranoid. One thing I found that wasn't clear was how to select your password. It seems like there must be a faster / easier method.

Perhaps some ideas on how to generate a good brainkey.

·
·
72
  ·  11 months ago

Diceware actually doesn't take that long, if you just keep rolling the dice and marking the result down until you reach 100. Then convert the rolls into words all in a batch.

The point is it's really good randomness. Furthermore, since this owner key is meant to be a one and done, and Steemit could potentially be around for decades, a password with 258 bits of entropy should be good for a while, right?

·
·
55
  ·  11 months ago

With KeePass, you can use the password generator. Specify a minimum of n characters, indicate upper/lower/numeric/special etc etc. Then press generate. The password will meet your specified criteria and be non word based.

·
67
  ·  11 months ago

keepass is AWESOME !

62
  ·  10 months ago

Thank you!

64
  ·  11 months ago

Very well timed post my friend. Much Appreciated.

55
  ·  11 months ago

For some weird reason, the password that I used to create the account (and which was written down) doesn't work.

I am only logged in because Chrome remembered the password. Attempts to login through a separate browser are unsuccessful. Not sure what to do. I confirmed the password at the time...

·
72
  ·  11 months ago

Good news is you're still logged in! Go to https://steemit.com/@blocks2517/permissions and click "show" on all the keys, and copy them down, then print them or do something to save them. As long as you have the owner key, you can change the other keys. If your master password is stored in Chrome you should be able to extract it too.

·
·
67
  ·  11 months ago

Never mind my earlier post that I now deleted. This is the easier option.

·
·
·
55
  ·  11 months ago

Ugh. Password was never saved in Chrome (checked). I'm logged in because of cache.

This kind of sucks. I was going to use this account. ..

·
·
55
  ·  11 months ago

No...Active and Owner keys need a login while the others are clickable.

Not sure how to extract a password from Chrome. This might just be a bummer story. No variations work.

·
·
·
72
  ·  11 months ago

If it's saved in Chrome you can do this: http://www.thewindowsclub.com/manage-view-saved-passwords-chrome

If you can't show the keys for active and owner it sounds like you're logged in with just a posting key though. Hopefully you can recover your original password if it was saved in Chrome but without at least the active key you won't be able to spend any reward.

·
·
·
67
  ·  11 months ago

You should still keep the password you wrote down safe. Someone may in the future come up with a brute forcing tool that can speed up the cracking by using the incorrect password as a hint. There is still a slight possibility that you can recover your funds in the future.

62
  ·  11 months ago

Very informative post:) Needed this information thank you!

56
  ·  11 months ago

would it be possible to create some kind of archive/folder/place for articles like this?

59
  ·  11 months ago

Cannot change [Deposit using Bitcoin ] from wallet menu !
Ether and Bitshare are displayed, but cannot select.

57
  ·  11 months ago

Great guide, thanks!

54
  ·  11 months ago

good

51
  ·  11 months ago

Probably the most valuable post in the long run for people ;)

thanks for the info

46
  ·  11 months ago

Sounds too complicated for the average cats. Don't believe in the mass appeal anymore.

·
72
  ·  11 months ago

It's your account, you're responsible for it. Do whatever you wish but this guide is for people willing to take a little time and maybe learn something in order to keep their accounts secure for now and the future.

40
  ·  10 months ago

I would personally recommend getting a password manager tied to your browser which you can access by logging into a synced account. That way you can update passwords as frequently as you want, plus you can print out a list of passwords for all the other services as well, all at once.

Looking into the future, I can sense that internet users will need to install a password manager at some point with emerging secure applications :)

51
  ·  10 months ago

Hey Pfunk, I saw this and think it would be great to add it into the resource repository I wanna put together for newbies. I saw you read through my article already, just wanted to let you know. Good stuff man. https://steemit.com/wikiversity/@boardwalk-steem/lets-start-a-steemit-resource-repository

44
  ·  10 months ago

Nice guide, thanks!

27
  ·  10 months ago

Thanks! Very useful

43
  ·  10 months ago

Quality information. Thank you very much!

58
  ·  10 months ago

Can someone check to see if his passwords were changed a second time?

68
  ·  11 months ago

If someone has access to all but the owner key, what can they do? What are the permissions for each key?

·
68
  ·  11 months ago

The other keys can do everything but change keys (transferring funds, voting, etc.). The main thing that protects the value of an account as long as you have the owner key is the powering down process taking two years, and one week for even the first payment. If someone were to take over your account (via the other keys) and for example start powering it down or using it to vote on their own posts, you could recover it with the owner key (by changing the compromised keys) and limit the damage.

However, if you have liquid steem or steem dollars in your account those could be stolen immediately with the active key. The memo key could be used to see your private messages.

59
  ·  10 months ago

username: tonyson

https://steemit.com/steemit-guides/@pfunk/your-steem-account-is-worth-money-how-to-secure-it-with-a-new-owner-key-to-keep-it-yours-forever

Updated password. I could log in to my steemit account yesterday (POSTING, OWNER, ACTIVE key). But today I cannot log in (I am not copying them with an extra space at the beginning or end).

I've entered the correct password, but I still cannot connect. I could log in to my steemit account yesterday.

·
59
  ·  10 months ago

Image of Yaktocat

63
  ·  9 months ago

I tried this and the icons next to each password are completely different than in the screencap above. All I have is a button that shows or hides private keys for posting, active and memo. No editing is allowed.

I can't do anything with the owner key; there is no button, no icon. I logged out and tried logging in again with the owner key and got a warning message that that was not allowed. It said I must use a private key, not a public key. What's that all about? Is this tutorial out-of-date?

53
  ·  10 months ago

What is this OWNER password?

·
41
  ·  10 months ago

This is your main password (owner account). You may change other keys with it. Don't show primary and owner passwords to anybody!

54
  ·  10 months ago

Thank you for the guide. But if we want mass adoption this process must be easier

42
  ·  10 months ago

Thank you for the guide. I will keep my steemit secure.

44
  ·  10 months ago

Thank you, just what I was looking for.

55
  ·  10 months ago

Thank you for your guide!

33
  ·  10 months ago

We must secure our account and password like Wall Street keeps its gold...thank you for sharing information

44
  ·  10 months ago

Nice post, but it all sounds like gibberish to me ... I'm confused please

69
  ·  10 months ago

thanks

55
  ·  10 months ago

great job dear friend it will secure every one in steemit. thanks once again for briefing such an important point about securing steemit account.

25
  ·  10 months ago

Is this guide still accurate? I just signed up but I do not see these pencil icons on my permissions page, even though I am logged in.

·
53
  ·  10 months ago

I've encountered this same thing. Only allows me to change the password to a different random on-site generated password.

·
37
  ·  10 months ago

I'm in the same boat. No pencils.

35
  ·  10 months ago

Thanks for the info

25
  ·  10 months ago

Useful for me

58
  ·  10 months ago

I like this one, they run a podcast about security: https://www.grc.com/passwords.htm

Who is this? http://world.std.com/~reinhold/diceware.html