The Beginner Guide To Not Getting Hacked On Steemit

in steemit •  last year

The influx of new users, combined with the recent phishing attempts and DDoS attacks, can mean only one thing: Steemit is going mainstream.

But with this exposure, a lot of potential problems are now a reality. One of these problems is security. Although the phishing scams were stopped really fast, a few users got caught and lost their accounts.

Because of that, and because this kind of howto was missing from my introductory articles, I decided to do a very quick and easy writeup, targeted specifically at newcomers. But I hope it will be useful to any Steemit user who takes security seriously.

Without further ado, let's start.

Question: Where is my account stored?
Answer: Your account is stored in the blockchain. So your account is actually a transaction stored in the blockchain, along with posts, comments, votes or token transfers. It's not stored in a separate database that Steemit INC or any other entity can access.

Question: If it's public, it means everybody can access it?
Answer: Everybody can see it exists, can see what it does, like all its posts, comments and transactions, but it cannot be used by somebody else, only by the person who has the keys to it. These keys are your account.

Question: I'm confused, what keys are you talking about?
Answer: In the Steem blockchain, every account has a few capabilities, and each capability is unlocked by a certain key. For instance, your posting capability is unlocked by your posting key. The capability to make token transactions (and transfer tokens to exchanges, for instance) is unlocked by the active key. And the owner key unlocks everything, it's like the "mother of all keys".

Question: What is a public key?
Answer: It's the key that starts with "STM". This is, as the name says, public, and it's used by the blockchain to identify your actions publicly. You have a posting public key that is stored along with all your posts and you have an active key that is stored along with all your transactions.

Question: What is a private key?
Answer: It's the "unlocking" pair of a public key and it starts with "5K" (or "5J"). For instance, when you post something, your content is "tagged" with your public key, but in order to make sure it's actually you who posts that content, you need to "sign" the posting with your private key. This "pairing" makes you the owner of the content, that's why you can modify it. THIS IS THE KEY YOU SHOULD NEVER GIVE AWAY. NEVER. EVER.

Question: What is the Steemit password, then?
Answer: That password - also called "master password" - is an encrypted string derived from your keys and it gives you access to the frontend. If you lose that, you can still access your data via direct interaction with the blockchain, by using your keys. The master password starts with "P5".
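The prefixes above are enough to catch a secret before it is pasted somewhere public. The following is an added example, not code from this post or from Steemit: it scans a piece of text for anything that looks like a private key or master password. It assumes Steem private keys use Bitcoin-style WIF encoding (version byte 0x80, 32-byte key, 4-byte double-SHA256 checksum), which is what the "5K"/"5J" prefix indicates; the function names and the sample key are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)        # ValueError on a non-base58 character
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):                       # no zero-padding needed: first byte is 0x80
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_wif(token):
    """True if token decodes to 0x80 | 32-byte key | valid 4-byte checksum."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

def classify(token):
    if token.startswith("STM"):
        return "public"             # identifies you; not a secret
    if token.startswith("P5"):
        return "master-password"    # prefix check only, as described in this post
    if token.startswith("5") and is_wif(token):
        return "private-key"        # checksum-verified, so typos are not flagged
    return "other"

def find_secrets(text):
    hits = []
    for tok in re.findall(r"[1-9A-HJ-NP-Za-km-z]{40,}", text):
        kind = classify(tok)
        if kind in ("private-key", "master-password"):
            hits.append((kind, tok[:4] + "..."))   # report redacted, never in full
    return hits

# Constructed sample key (not a real account key), encoded the same way.
_body = b"\x80" + bytes(range(0x40, 0x60))
SAMPLE_WIF = b58encode(_body + checksum(_body))
```

Run `find_secrets()` over a draft post or a log file before publishing it; any hit means a key has to be removed and, if it was already exposed, changed.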

Question: What happens if I give my owner key to a bad guy?
Answer: You're screwed. That person will have instant access to your account directly from the blockchain, will be able to post on your behalf and take away your funds.

Question: What happens if I give my master password to a bad guy?
Answer: You're screwed. Read above. The bad guy can log in and, from the Settings section, see your private keys.

Question: I remember I gave Steemit an email address when I registered? Can't this be used somehow?
Answer: If you remember that email address, or, even better, if you still have access to that email address, then you can initiate a recovery process with Steemit INC. So all is not lost.

Question: So there is a way to get back my account?
Answer: You're not following me. Your account is just a transaction in the blockchain that can be unlocked by your owner / active / posting key. If you lose those keys, your only chance to recover your account is to remember the email address with which you signed up and then initiate a recovery process with Steemit INC. But while you're doing all this, your account may be drained, so don't rely on this "feature"; be proactive and protect your keys.

I guess this is it. If you really understand what's going on and take good care of your keys, you should be ok. Other than that, use sunscreen, don't drive and text, don't drink and drive, you know the drill.

I'm a serial entrepreneur, blogger and ultrarunner. You can find me mainly on my blog at Dragos Roua where I write about productivity, business, relationships and running. Here on Steemit you may stay updated by following me @dragosroua.


You really can't pay enough attention to online security these days. Even Pornhub is getting attacked by hackers and malware-spreaders these days.

I would also recommend Steemians install an ad blocker on the browser they use to access Steemit. A lot of viruses and keyloggers are spread through Google/Bing ads.

This post has to be one of the must-read posts for new users on Steemit... thanks for keeping it simple.


It should be added to the info page.

Thanks for this post. It's a MUST READ for everyone who's not sure about those keys.

Thanks for posting this detailed info!

Nice! I've been around a minute or two and enjoyed this still! Thanks!

Thank you for writing and sharing this-- this makes it very CLEAR what's what. I think a lot of people-- and this will get "worse" as Steemit becomes more and more mainstream-- are confused about a site that seems to have (in street terms) "so many passwords."

Public keys, private keys, and different keys to do different things. Most web sites-- as you know-- have ONE password. End of story.

It's important for people to know exactly what each of these ARE and what they DO.



Thanks and glad you find this useful :)

This is a great write up. I go through intro posts and give promising new people beginner information. A "Security" section is part of it. I want to make sure people understand the basics of account security right away.

In addition to the key issue, people should also understand why using "Savings" to store Steem Dollars and Steem Power to store STEEM is so important. The three day withdraw time for Savings and the many week long withdraw time from Steem Power protects your investment here in case you are hacked or have your account compromised.

I'm beginning to think I completely understand the key issue too, but there's still one missing link people fail to mention. Your master key when you get the account starting with P5 is a hint. I was initially getting confused when I looked in my account permissions area and did not see that key. Well, it makes sense, for the key you see listed in the Owner section (same as master) is the public key. The one you get when the account is first made is the private master key. Is that correct? Per traditional PKI knowledge though, that can be confusing. Both should not be shared with anyone. "Public" does not mean it should be given out.

Here's the security blurb I share with new promising accounts when I see them:


Do not use your owner key to log in to post. Use your private posting key instead. Keep your owner key offline as much as possible, and only use it when you must.

Per the advice given by Arcanage, you should only use your owner key to:

  1. Recover your account.
  2. Change the other keys.
  3. Give a present to your children a few minutes before dying.

A lot of scams have been happening on Steemit recently. If you click a link to a site that prompts you to log into it, be extra careful. Double and triple check the address to make sure it is really A recent scam was using "lsteemit" as the domain name, and people were entering their owner keys to log into it. That allowed the scammers to take those users' accounts, empty the money from them, and then ruin their reputation by using the newly hacked accounts to further the scam.

If you find or suspect a scam, please report it in the #steemitabuse channel on

Edits and suggestions are welcome. Thanks everyone for being diligent, patient, and helpful regarding the security of!
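The address check described in the comment above, as an added example that is not part of the original comment or of any Steem tool: it parses the real hostname out of a login URL and rejects anything that is not on the reader's allowlist, naming near-misses such as "lsteemit". The allowlist, the function names and the `.example` URLs in the test cases are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = frozenset({"steemit.com"})   # assumption: the sites you actually log in to

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, trusted=TRUSTED, max_dist=2):
    parts = urlsplit(url)
    # .hostname drops any "user@" part, so "trusted.name@other.host" tricks fail
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return "reject: not https"
    if host in trusted:
        return "ok"
    # Not an exact match: explain why, so the near-miss is visible to the user.
    brands = {name.split(".")[0] for name in trusted}
    for label in host.split("."):
        for brand in brands:
            if edit_distance(label, brand) <= max_dist:
                return "reject: imitates " + brand
    return "reject: not on allowlist"
```

Only an exact hostname match returns "ok"; the distance check exists to label the rejection, not to decide it.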

Great. That has cleared up a lot of confusion. Thanks

Good info... I was never able to use the other keys, for instance whenever I post or transfer it doesn't accept other keys (posting/active/owner) but will only accept the masterkey??


it's a simple hierarchy: memo, posting, active, owner
with the master being able to change the others before and the owner password to change everything, in the case of someone having access to the keys in any case.

post is for general activity, active is for most transactions as well, but you can use any of the higher level permissions as well

Good proactive info! Keep fighting the good fight, fellow witness brother!

This post is very useful for Steemit users.
Thank you so much

I'm still not clear on the difference between private and public keys.
for example...Busy asks for the posting key...what exactly are they asking for?


They want you to sign in using your private posting key, so that they can verify it against your already public posting key. You can think of the public key as the "keyhole/card reader" and the private key as your "physical key/key card".

You can use it to log in on other Steem sites and apps, just remember that the responsibility is with you as a user.

In this case, if someone was to have a look at your private posting key, they would be able to blog and comment using your account. To stop them you would have to change your master key(password), which in turn would change all of the keys including the posting key.


It'd be nice if they were to say "log in with your private posting key". Is that too much to ask?


Public key is like your house address, everybody knows it, and knows it belongs to you. Private key is the actual key to your house, so you should never give it away.

Busy asks for posting keys because they will have to sign the posting transaction on the blockchain, to pair your article with your identity.

AFAIK, the posting key never really goes to Busy over the internet, it stays on your own computer. It is used by the JS library of Busy to sign the transaction locally and then the transaction is broadcasted to the blockchain.


private and public are p2p answer to security, so messages don't get intercepted pretty much how people sent letter with stamps and seals, now think that only the corresponding recipient can remove the seal with his private key, because you sealed with his public key, then you know only he read the message or whoever is the holder of the other key.

It's cryptography and how blockchains work, that's how you get a trustless system, because users are not trusting the system to do anything else than what it is intended, ie. relay messages.

Cheers :)

I think this is useful for most users not just new ones. Good job at making these things clear.


Thanks, really glad it's useful, it has been a bit of a struggle for me too until I got familiar with all this, so I know how it is.

Don't sign in anywhere else.


There are still plenty other sites that use Steem, that's one of the beauties with this network.

Just make sure you check addresses, try to only use the posting key, never sign in on sites that you know little about and never give it to anyone that messages you asking for it.

(some sample sites:,,, eSteem app for Android/Iphone,


Agreed, you can sign into other sites. I was hesitant in the beginning to do it though. Once a user understands which keys are which and when to use them, they will feel better about using their posting key to log into other sites.


viewly is also one to note, although well so far the apps apart from dsound are quite crappy, the media apps I mean..

busy, esteem and chainbb are great in their respective spheres :)

I wish more of the steem tools got developed :|

· is still fairly young and experimental.

Just be aware of the "Viuly" copycat that seemingly used fake information on their site

There are also the upcoming StreamSpace and Flixxo ICOs outside of the Steemisphere, which might provide some competition.


the environment is competitive, very much so, shamefully most are looking to capitalise on a new market and providing nothing but good marketing and flashy java sites... I'm still hoping good projects come out on top but with how people seem to reach only the surface I kind of doubt anyone will look deep enough into the potential ones.

In any case with so much projects around I'm wondering how anyone is keeping up :)

I can't imagine what it will be like in a year with eos and steem's flying around ..

I did see that post, even laughed a bit, I doubt I will be a good supporter of any project, I scrutinise most so much they won't like me, for instance I like viewly, but hate branding .. and the corporate mentality of closing it off, dtube is here and there, good, but functionally speaking it's very lacking, they will need a lot of features to make a working competitor to YT, I might need to find a gnu media encoder or something :D


good one :)))

I like the interactive way you laid it out with question and answer format.

This part below is really hilarious

Question: So there is a way to get back my account?
Answer: You're not following me. Your account is just a transaction in the blockchain, that can be unlocked by your owner / active / posting key. If you lose those keys, your only chance to recover your account is to remember the email address with which you signed up and then initiate a recovery process with Steemit INC.

This post well explains everything a newbie and any old user needs to know about Steemit security.

I have shared(resteemed) to my friends.


Glad you find it useful :)

Very useful post for everyone in steemit. Thanks @dragosroua.

Thanks. This was some helpful information. Appreciate it. :)

Thank you for the clearest explanation I've come across. I wish you posted this a little sooner as my account was stolen about 2 weeks ago.

Best key/ password explanation yet, thank you for your efforts.

GREAT Post my friend! Helped me understand much more about the keys.

This was much needed thanks for the detailed post :)

Well written and easy to understand for all steemit users 💪

It seems we can't say these things enough, but people don't even read the FAQ. There will be more accounts getting hacked.

hey @dragosroua,
This is good information, you always update the data to facilitate and analyze. This is a good job


Thank you for all the clarifications. It is a must-read for newcomers.

Interesting post witness with need this infos thanks

Thanks for sharing.

I like the way you explained in a simple and easy to understand manner. By following this no one should ever lose their account :)

A very good explanation! Thanks for sharing...

Super bro.....your post is always the best.....

What if the bad guy changes the email address which I used to register here? One thing I want to know that I submitted my master key in esteem app so is that a matter of concern and I should change it immediately.

Thank you this is useful and interesting. Although I don't understand how and where you get those other keys. I mean.. I only have my main password to login. I don't see any other password or key to actually be manually entered or used?

If we do get hacked, what is the best thing to do ? Can we still reach people on discord, or should we have emails of other people on Steemit to reach out to ??

P. S. Don't use sunscreen, the chemicals steep into your skin, and that is the start of dis-ease, illness and ailments harming your skin organ...

The rest is all GOOD!

thanks for this helpful post brother :)