Dummies Guide to Basic Steemit Account Security + Account Recovery Guide! Must Read For Steemit Users!

in steemit •  last year

Last night I dealt with two cases of Steemit account thefts. Apparently two users were unable to log-in, and one of their accounts seemed to have some SBDs transferred out. The transfer memos were different; old vs new and things seemed fishy.



They reached out for help on Steemit.Chat and I advised them on how to proceed further. Most users are unaware/careless on the basics of account security. In light of these new developments I felt it would be good to write a quick guide on doing things the right way on Steemit.

Generating Posting & Active Private Keys

This is what 100% of the new members should be doing to protect their account. If you've been around longer and are yet to secure your account then you can simply follow this guide.

At account creation you are given a password. This is the master key or owner key to your account. If you lose this then everything is lost. Ergo, use it to generate your posting private and active private keys. If you lose it, or a hacker gets hold of the master key, they can simply change the password and it would be difficult to retrieve your account.

Steps for generating Steemit Private Keys:

  1. Visit the Wallet page and click on the Permissions tab.
  2. Click on Show Posting Private Key and save the private key.
  3. To retrieve your Active key, you must log in with your master key under 'Active' in the same tab and it will show you the Active Private key.
  4. Back up all keys in multiple places (cloud storage, print it, store it on a pen drive in your locker).

Posting private key allows you to vote, comment and participate on Steemit.

Active key allows you to trade on the internal market, change settings, and most importantly use your wallet page to make transfers, power up, power down etc.

As you can see there is absolutely no need to use your main password to login and use Steemit everyday.

You must read these two articles by @noisy that describe these keys and their use in depth: Article 1 and Article 2.

Witness and top user @pfunk has made an excellent guide on different Steem keys and Passwords as well as securing your account with a new Owner key. Please read these articles to ensure security of your account and assets.

Steemit Account Recovery Guide

Steemit is unlike any other social media platform on the web. Due to the inherent nature of its monetary system, the blockchain by design makes it difficult to recover your password in the event of a loss or theft, as it's difficult to ascertain ownership in some cases. If for some reason you never used the aforementioned keys to secure your account you may still have a chance at recovery, but you have to follow these exact steps to ensure quick account recovery.

Conditions That Need To Be Met For Recovery

  1. Your password/keys were changed/lost.
  2. You have the original master password or owner key from account creation.
  3. You complete account recovery within 30 days of when your password/keys were changed.
  4. Access to Email used originally when creating your account.

Steps For Account Recovery:

  1. Enter your username and old master password or owner key by going to Wallet —> Password Tab —> Recover Account Option.
  2. Use the exact Email that was used to create your account. If you use a wrong email this can delay the process or it might not be possible for Steemit to take action.
  3. You have to submit the request within 30 days of loss of access to your account for Steemit to consider your request.
  4. Send an email to Steemit at support at Steemit.com mentioning all the facts related to your situation.

Currently the system is set up to prevent someone from stealing your account, and in such a case you can recover it within 30 days of losing access to it. It is entirely up to the user to come forth and attempt account recovery + report to Steemit about loss of account access.


Stupid Mistakes Noobs Do

  1. Never research more into the working of Steemit's blockchain system and certain intricacies of its working.
  2. Treat this platform as you would treat Facebook/Twitter in terms of account security.
  3. Logging in with Master key on your laptop browsers.
  4. Using master key on mobile browsers instead of using apps like eSteem built by @good-karma.
  5. Sharing keys with each other via insecure channels when requesting assistance.
  6. Sharing keys in the memo as described by @noisy in his Steemit account hacking article.
  7. There's no dearth of stupid things that we do with our password but you get my point!
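The key hierarchy from the key-generation section and mistake 6 (keys pasted into transfer memos) can both be shown in one small program. This Python is an added example, not code from the original post or from Steemit: it assumes the derivation used by Steem client libraries (SHA-256 of account name + role + master password, encoded as WIF), and the account name, password and function names are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_RUN = re.compile(r"[1-9A-HJ-NP-Za-km-z]+")  # maximal runs of base58 characters


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def derive_wif(account: str, role: str, master_password: str) -> str:
    """Role key = SHA-256(account + role + password), encoded as WIF.

    Assumed scheme (see lead-in). One-way: a leaked posting key does not
    reveal the master password, but the master password yields every role key.
    """
    payload = b"\x80" + _sha256((account + role + master_password).encode())
    return b58encode(payload + _sha256(_sha256(payload))[:4])


def is_wif(token: str) -> bool:
    """True for a 37-byte base58check blob: 0x80 + 32-byte key + 4-byte checksum."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    return (len(raw) == 37 and raw[0] == 0x80
            and _sha256(_sha256(raw[:33]))[:4] == raw[33:])


def memo_leaks_key(memo: str) -> bool:
    """Pre-send check: does the memo contain a checksum-valid private key?

    Slides a 51-character window over each base58 run, so a key glued to
    other text (or prefixed by one extra character) is still caught.
    """
    for run in B58_RUN.findall(memo):
        for i in range(len(run) - 50):
            if is_wif(run[i:i + 51]):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    posting = derive_wif("alice", "posting", "constructed-master-password")
    print(memo_leaks_key("payment for coffee"))    # ordinary memo
    print(memo_leaks_key("my key is " + posting))  # key pasted into memo
```

Memos on the blockchain are public and permanent, so a check like this belongs before the transfer is signed; it only recognises key-formatted strings, not a password the user chose themselves.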

Secure Your Systems

  1. Use incognito mode if possible or simply use the private posting key to surf Steemit.com.
  2. Use eSteem or a similar client on mobile. Don't use the browser when you can avoid it. Generate a QR code and use eSteem to load your password with a simple scan.
  3. Use Zenmate or a better proxy for your Chrome browser.
  4. Use good anti-virus, firewall and anti-malware software on your Windows-based systems.
  5. Use Little Snitch for securing your Macs.
  6. Don't trade keys over email or messenger apps. Use Google Docs and delete the file, including from the trash, after sharing.
  7. Use Google Authenticator/Authy to log on to your email/Gmail accounts instead of or in addition to phone SMS/OTP, and save your backup passwords carefully.
  8. Don't use browser anti-virus extensions, as they can be a detriment to your privacy and security.

I hope this article prevents further issues for new and established users who are unaware of these security features of Steemit.com. Maybe in the future, Steemit will make an easier account recovery system but for now it's easier for the end users to protect our accounts by simply being smart about it.

If we are ignorant we will risk losing our work and our Steem/SBD worth a lot of money! There is no point in holding Steemit responsible for being unable to recover your account thereafter.

Kindly re-steem and share this with your Steemit friends and help them secure their accounts.

Disclaimer: I'm not a data security expert and this is purely based on my personal understanding of Steemit. Security experts are welcome to advise on better ways to secure Steemit accounts which any layman or newbie can easily follow without confusing themselves.


You may also continue reading my recent posts which might interest you:

  1. Crypto Current Affairs—South Korea Drafting Bills to Legalise Bitcoin & Ethereum!
  2. Crypto Current Affairs—Is Bitcoin Legal Tender in India?

Follow Me: @firepower


@firepower, thanks for your blog. Since last few days I was running around to find the private key to active key. Once I pressed the login to find button, I got lost as I did not have any key. I had sent this query to many here in my comments to their blogs. None replied. Sometimes I guess not many read their blog comments and even if they did, they don't have time to respond. I perfectly understand their situation. But I remained perplexed not knowing what to do and how to proceed.
Now I know how to obtain the private key for active key. Thank you.

Now another query. How do I get my owner private key? There is only a public key there and no button. Please let me know how to get the private key for the owner key.

I think this post is a very very important one which comprehensively explains the permissions tab in detail and addresses all the security concerns for us, newbies.

Thanks again for your excellent post. Amazing as always. 😊👌

·

Your password that you have when you created your account is the master/owner key. You change that from the password tab and use permissions tab to generate posting/active private keys.

Please keep your current master/owner key safely and only use your posting key.

Thank you for all of this information. I am new here and looking for all the help I can get. I am not a gamer and have no knowledge of or experience with crypto. You might just want to call me a tech-idiot. My 25 year old son used to help me with various tech issues but he is not here with me now, so I have to count on you :)

I had heard of this private key thing before and was going to look into it. It's on my long list for this place. The problem I find is that when I look things up I still don't understand! I did not know what the "private key" meant at all. I really appreciate this detailed and helpful post and I will definitely go through it step by step.

I looked at the "Stupid Mistakes" section above and I am guilty of some (most?) of it. This place has a big learning curve and I am very grateful for the help. I've been ReSteeming the posts that are helping me figure this place out, so I ReSteemed you today. Thank you so much!

·

Many people have written articles that attempt to help new users to navigate this platform, including myself. Not sure if you already know this, but you can look at someone's blog /wall by clicking their name, and when a little box opens up, click their username again and it takes you to their page. You can then scroll through their posts in their blog.

·
·

Yes, I did know that, but maybe someone else does not. So nice of you to offer tips :)

·
·
·

Thank-you. I have no idea why, but I really enjoy helping others. Perhaps something from a past life???

·
·
·
·

@happyme continue helping others! good job! :)

·
·
·
·
·

Thanks! I most certainly will. I'm chomping at the bit to hurry and build my SP so that my votes will actually mean something and I'm able to add some real value to people's posts. In the meantime, I can still try and clarify things and offer any information I have. I plan to continue my games and contests for user engagement as long as people are receptive to them.

·

You're not alone.

·
·

lol - we unite in our ignorance! One day soon we can help others :)

·
·
·

Nice one.

·
·
·

Yeah! Lol!

·
·
·
·

I'm so happy to see all these replies!

·

@fitinfun thank you for the excellent comment! Well I'm glad that your son helped you in many aspects and I'm happy that this post was of some use to you and that you stopped by to leave a comment! :) Very kind!

I hope you will follow the steps outlined to secure your accounts. With newer technologies, there are greater risks of theft as many bad elements will try to steal what is yours. Good luck with Steemit and welcome aboard :)

·
·

Thank you! I do not want to be a victim needing help later :) This was a wonderful post to help me not feel alone. It's so amazing to get all this interaction. I try hard on fb and twitter and pinterest and linkedin but I scream into dead worlds over there. What a breath of fresh air with Steemit entering my life.

·
·
·

You are welcome! Glad you found it useful! :)

Great info, but still confused about the 30 day rule. Let's say your account is 40 days old. Can you still do the account recovery?...If so, would you still need the original pw...or just the pw from 10 days of age?

·

It's not the age of your account, it's the time since your account was compromised. If someone gets your password, logs in, and then changes the password - thereby locking you out, you have 30 days from that point to discover and address the problem.

·
·

Let me ask another way. Can my original pw be used to recover my account once my account is more than 30 days old?

·
·
·
·
·
·
·

Even if I have changed my original password?

I created my account using anon.steem so just trying to figure how secure it is since their system gave me my original password, which I have changed since then. But if my original password can be used to recover my account, then what's the point of changing my pw at all.

·
·
·
·
·

Your question makes a lot more sense with the anonsteem info. I don't have a for sure answer for you. Accounts are created by other accounts, and the creating account becomes the "recovery partner." Accounts registered through Steemit have the @steem account as their partner, so they would verify your identity if an account recovery was needed.
Your account created with @anonsteem will have them as your recovery partner, and I am honestly not sure if they provide continued support after account creation, so recovery may not even be an option. Definitely a good question to ask of them!
I've also created an account now using SteemConnect, so one of my accounts is the recovery partner for my other account! I have no idea how I would go about serving as a recovery partner, I have a feeling it involves a lot of backend stuff and there are no good user interfaces designed for it yet. I also don't know if it's possible to delegate a new recovery partner by choice.
But... to somewhat answer your question... let's assume someone has your old password and there is a recovery partner ready and waiting. If they try to take over your account by fraudulently "recovering" it, they should only have a 30 day window from when you changed the password. So if you've had your new password for more than 30 days you should theoretically be safe.

·
·
·
·
·
·

Thank-you for helping out. Your explanation sounds very logical. I would expect the same thing as what you said. The account should be safe after 30 days have passed from the date of making a new password.

·
·
·
·
·
·

Got it, that makes sense. Thanks for the help!

·
·
·
·
·

You are now adding more details to your original question.
First of all, to recover using the Steemit recovery states that you must have set steemit as your trusted partner. By using anon.steem to set up the account, I bet that was not done. So recovery would likely not succeed in that case. I'm definitely no expert on the subject, but I have read about it and try to help others understand to the best of my ability. Now we are getting out of that range. Sorry.

·
·
·
·
·
·

Yeah, sorry just trying to figure out how to be safe. I was on a waitlist for over a week so went the anon route after seeing it as a possible solution on the help section. I know it complicates things.

·
·

@bryan-imhoff thanks for responding. :)

·
·
·

No prob, I just hope I'm not giving any misinformation! I know enough to get into trouble I guess... Account recovery seems to be an undeveloped tool with a lot of questions surrounding direct registrations, as I mention in my above comment. I'm curious if anyone has any answers for this that I could learn!

·

@financialcritic Yes. Account age is irrelevant. One can only attempt account recovery within 30 days of hostile takeover. Which if you use your account daily is easily known. For someone whose account has been hacked comes back after 30 days of theft or loss of master password then it would not be possible to recover.

·
·

Thanks. I'm just trying to figure why I should bother to change my pw at all, if my original one can be used to access my account via recovery.

·
·
·

Because if you mess up in the process, lose your original key for whatever reasons or you don't get a response from Steemit when you shoot an email after attempting recovery then you are screwed! :)

great info thank you so much!!!

·

You are welcome!

Really nice overview! Also a reminder to myself to pay more attention to some of these security issues.

·

It's great to see you stop by dude! I'm glad you found it useful! :)

·
·

It's great to see you very active lately! :)

·
·
·

I'm just getting back on my feet and quite happy that I can work again. :)

Excellent advice. I'm bookmarking this one. As someone who was hacked last summer, I take nothing for granted.

·

Thank you so much for taking a look at this! :) I'm glad it was useful!

Great post brother @firepower, you've touched on some very good points. The steemit awareness programs seem fun; I hope to reach your level in a few months. I would like to say thank you for the inspiration. Good job.

This is useful. What I like about Steemit is its security features. What is important is that steemit users should take care of their password because once it is lost or forgotten, it cannot be recovered. I am glad I found your profile @firepower. I hope I will benefit from your blogs.

·

You are welcome!

Wow! I'm so glad I clicked here. There is so much important information I had not known or thought about. Bookmarking this page for reference. Thanks @firepower.

·

You are welcome!

Great tips man :)

·

You are welcome!

Very important information that I think many Steemians are not aware of, thank you!

·

Thank you!

Last night I dealt with two cases of Steemit account thefts.

How did that happen? I use my posting key most of the time. I only use the master key to make transfers or power up.

·

Use posting + active instead of master key as needed. Mostly user negligence causes these issues.

·
·

Yes negligence, I read it some time back of people posting their master key in the memo section. And lots of people are still making that mistake. Thanks for the warning @firepower

·
·
·

Whoa! I really will try hard to get up to speed on all this. The only thing that bothers me here is not understanding the money flow and the risks involved. More studying!

·
·
·
·

There's a lot to learn but you can do it! Just stick around and it'll all seem normal and easy in a few weeks.

·
·
·

@lucashunter You are welcome! :) Thanks for stopping by.

Thank you for the heads up! I had already followed it when you told me to do it the other day.

Now it seems safe and secure.

·

I'm glad you got it done! :)

·
·

@firepower Very Good Post , Highly Needed and Important. Thanks for Helping out newbies and dummies This Post will help us lot . Thanks for Sharing. Upvoted and Following You. Nice Work Bro :)

·

Great! Glad you liked! :)

Thank you a lot for letting us know ! Very helpful post.

Resteemed & upvoted. I didn't get the chance to vote for this post twice, else I would do it :)

·

Thanks dude! :)

@firepower, thanks so much for this article. What happens if someone no longer has the original generated password?

·

As long as you have the most recent used master key you should be fine afaik. But as a safety precaution, generate a new master password which afaik also resets posting + active private keys. Save everything again. :)

Great post firepower. Steps that are simple and easy to understand :)

·

Thanks! :)

I am from Tokyo, Japan. Thank you for your kind explanation about security. Especially, so impressed by 7 rules for security. Have a great day to you. @steemitjp

·

I'm glad you found it very useful! :)

great tips very nice info.

·

You are welcome!

Thanks for the valuable information. Cheers!!!!!!

·

You are welcome!

Thank you very much! Voteup and resteem.

·

Thank you!

Great info Maghan ! I needed this reminder very urgently.
Thanks much!

·

You are welcome! :D

Useful information. I usually use steemit via my mobile browser I guess I have to stop doing that now.

·

Yes you must stop using the browser on mobile!

All too important information that I was clueless to. Thanks a million :)

·

Thank you!

Good Job. Thanks a lot . But I would add some tags like #howto or #security so that to make it more easy to find it later.

·

Sure. Thanks. :)

Great information I love the tiered approach to security viz. unix :) Avoid being the "superuser" if possible dependent upon what you need to do :) Thanks for the post

·

Glad you liked it! :)

Here's a small tip for a great post @firepower. I will be following you.
please visit my blog @steemisupport

·

Thanks for sharing this post, it will be very helpful for us. Waiting for your next post and going to resteem this post.

·

Thank you!

Very nice tips for account security.

·

Thanks!

This was the post I am looking for as one of my friends lost his password. Will link him this post now.

·

Great! :)

Really good article, thanks a lot for the information you provided us with.

·

Thank you!

This surely is helpful after a few reports of accounts getting hacked.
Thanks for the post. 🙂

·

Thank you!

Woah! Didn't know about a lot of these things. Thanks for sharing @firepower.
Guess I gotta do a lot of homework! :P

·

Indeed! Keep learning and posting bro

Hahaha.. pretty detailed. Much needed... especially for noobs. I will make sure to follow these steps. Thanks a lot :)

·

You are welcome!

useful! thanks

·

You are welcome!

This is a really, really useful post, thanks so much for posting this, heading away to take steps to secure my account.

·

Glad it was useful!

Thanks for sharing these tips. I have backed up my keys.

·

Thank you!

Excellent post

·

thanks

Thank you very much @firepower for sharing this guide

·

You are welcome!

Resteemit to get the words of wisdom out to others! Thank You for posting and sharing other articles!

·

You are welcome!

Thank you for this article.

·

You are welcome!

It is really a helpful post. Thank you very much for sharing.

·

You are welcome!

All good stuff and great ideas for the new user. Thanks for sharing your knowledge on this.

·

You are welcome!

This is great info. Going to read this later on again and check boxes if I am taking all the precautions necessary. Nice job @firepower

·

Glad you found it useful!

Cool

·

Well, I am not a noob and this post still had a few good tips I can use to beef up how secure my experience is. Well done! :-)

·

Cheers!

I Will try this post. Because i believed

·

Thank you!

That's interesting, my own passwords seemed to have stopped working today, randomly. Then I realized that I had changed my password and forgotten about it. facepalm

·

I hope you were able to get it sorted! :)

This information is much appreciated thanks.

·

Thank you!

Very informative... Always looking forward for valuable guidance from you... With your support steemit journey seems smooth and progressive :) steeming on n on :)

·

You are welcome!

Thanks

·

You are welcome!

Tons of useful information here. Thank you.

·

You are welcome!

Very helpful tips

·

thanks!

This is great info. Wish I had read this before I screwed up and locked myself out of my new account. Really appreciate the contribution to the site.

·

You are welcome!

oooOOOooo boy...everything's broken...good thing I'm broke ;)

Thanks for letting me know how much I have to learn here...thanks a lot!

resteemed for any of my followers that WILL be able to put this all to good use

·

You are welcome!

It is a great post about steemit i ever seen. Thank you so much sir for sharing. Keep it up sir.

·

You are welcome!

Thank you! very detailed!

·

You are welcome!

Great advice. What if you have changed your master key. Do you use the last known master key to recover your account if needed? I would suspect most wouldn't keep the original master key if they have changed it at some stage. Cheers

·

Yeah that'll work too afaik! :)

Thanks! Excellent Post! Up-voted!

·

You are welcome!

Thank you very much for all your hard work; very dedicated to your principles. I am amazed by all these Crypto talks. Very complicated for beginners! Glad to know that there are real life angels looking after us! Upvoted and follow your ardent outputs. Cheers

·

You are welcome!

Thanks, good article. :)
Also watch out for tabnabbing and clickjacking (phishing)!
https://steemit.com/security/@gaottantacinque/steemit-chat-is-unsafe


I wish I could resteem this article, but it is too late. Great article, @firepower!

Hello! I have a friend who was hacked three days ago (10-12-17). Someone changed his password, transferred his money to Blocktrades and activated the button "Power Down". Is there any possibility to recover the account? The user who was hacked is: dmalaver

·

It might be possible, please ask for help in #help on Steemit.Chat and ask your friend to attempt recovery from the same email used for steemit a/c signup and shoot an email to support at steemit.com from the registered email mentioning all details of this hack.

Hi @firepower, my account is hacked. I have sent the authentication request as per instructions, but it has been up to a week and I have not received email verification from Steemit. Can you help me?

@firepower, Thanks for the critical information. This is very useful for new users like me. You have answered all the queries the typical new users will have and given enough alerts and check points. Great!!!

Hi @firepower thanks for providing this useful Information. I've actually been searching for this.