With a massive number of people joining steemit every day, I have observed that a large majority is rather casual towards their Steemit account security. Your Steemit account is not just a blogging site account. It is also your Steem and SBD cryptocurrency wallet. I have also seen a lot of people securing their other crypto wallets with utmost care, yet somehow their steemit account keys are not as secure as they should be.
This guide is being compiled for fellow steemians and covers the following agenda points:-
- To educate Steemit community about different kinds of passwords / keys and how to secure them.
- To inform the community about which key to use for what purpose.
- To guide the community on how to save their accounts from possible hack attacks by using the best anti-virus.
Why Does Your Account Need Security
Your account needs security because it contains money. That is as simple as it gets. This is not your Facebook or YouTube user account. This is far more important, so it needs the same level of security as your bank accounts.
At this point, you must be thinking that when you signed up for steemit, you were assigned a rather excruciatingly long master password that is very safe, to say the least, so you don't need to worry about anything.
I am here to tell you, "that's where you are wrong..."
But before jumping into how to secure your account, you must learn about all the types of keys assigned to you by steemit, which you might have already casually looked at in your wallet under the section "Permissions". If you haven't, it is time to do it. You can reach your permissions section like this:-
Types of Passwords and Keys on Steemit
There are a total of 4 types of keys along with 1 Master Password for your steemit account. Each has its own functionality and must be used only for its intended purpose.
1. Posting Key:-
This is the key that every steemian must use to log in to their steemit account every day. This key will keep your account secure. If you log in with this key, the only actions you can perform on steemit are:-
(a) to make a post (b) to comment on posts (c) to upvote posts (d) to follow / unfollow / mute / unmute profiles.
This is pretty much what each of us does when we log in to steemit. This key does not let you perform any action other than those stated above. You cannot change your passwords, transfer funds, visit the internal market etc. when logged in with this key.
2. Memo Key:-
When logged in with this key, you cannot perform any function on steemit other than the following two:-
(a) to decrypt and read private messages (b) to create and send encrypted private messages
This function is still not available on steemit but I believe there will be one once steemit goes out of beta. This is just for info. Otherwise, this key is pretty much useless in current circumstances.
3. Active Key:-
When logged in with the Active Key, you can perform the following functions:-
(a) all the functions of posting key (b) to make funds transfers (c) to make trades in internal market (for both Steem and SBD) (d) to perform power up / power down to and from Steem Power respectively (e) to vote for witnesses
The Active Key takes you one step further than what the Posting Key is capable of doing. This is my second recommended key after the Posting Key that most steemians can use as part of their daily steemit activities, since it covers pretty much everything that we normally do on steemit plus some advanced features as well.
Be warned: If someone else gets hold of this key, they may log in to your account and clear out your Steem and SBD holdings in a heartbeat, and that will be unrecoverable.
4. Owner Key:-
As per the latest update of Steemit, the Owner Key is the same as the Master Password. The Owner Key that you see in your "Permissions" section is just the public key (which cannot be used to log in to steemit). The private key of the same Owner Key is the Master Password itself.
That is why you cannot see either the "Show Private Key" or "Login to see" option in front of the Owner Key. As of now, the Owner Key is dormant. In previous versions, it used to have its own significance and specific usage. Maybe in future updates, the Owner Key will be revived with revised functionalities associated with it.
I still chose to include the Owner Key separately here to avoid confusion amongst people who would probably go to their Permissions section and wonder what the Owner Key is.
5. Master Password:-
Here is that password with a long string of characters that was assigned to you when you signed up for steemit, and this is probably the key you have been using to sign in to your steemit account since then. The Master Password is the private key of the Owner Key that you see in your "Permissions" section. The Master Password can perform every function that your steemit account has to offer, including regenerating the Master Password itself.
The Master Password is not to be used for your daily activities on steemit. Please be warned: if the password is stolen, your entire account can be drained of funds, defaced and brought down to its knees, and you can be prevented from ever using your account again. Hence, at the beginning of this post, I recommended using the Posting Key or, in case of accessing the wallet, the Active Key to perform your day-to-day tasks on steemit.
As a quick reference, please see the Password / Keys functions and their importance in the chart below:-
What to Do if You Lose Your Master Password and Keys
Nothing. There is nothing you can do. If you lose the master password, you are done. Even if you know your posting key, if you have lost the active key and master password then all you can do is log in, post, upvote, comment, follow / unfollow, mute / unmute, and that's it.
What to Do if Someone Takes Over Your Account and Changes the Password
If someone has gotten hold of your master password and has changed the password and all the keys in order to lock you out, then there is hope for you. Follow these steps to recover your account:-
- Go to the Stolen Account Recovery page. The link is also available in the main site menu.
- Provide your account name.
- Provide the master password that was used in the last 30 days (the one that you know and that was active before someone else changed it).
- Provide the email address that you used to register your account.
The 30-day limit is the key here. I cannot emphasize this enough. Because once that 30-day line is crossed, say goodbye to your account forever.
How Can Someone Hack Your Account
Today's techniques are more simple and sophisticated. I am willing to bet 100 Steems that those amongst you who use iPhones and MacBooks have stored their steemit password / keys in the Notes application. I am willing to bet 100 more Steems on the fact that almost 95% of those users have Notes Sync enabled through iCloud. So all I need is to retrieve your iCloud password, which is a walk in the park for anyone who has some knowledge on how to do it.
The most efficient way by which someone can retrieve your password is via a phishing attack. A person can send you a link to their post / comment that looks exactly like a steemit link. The fake link will open a page (which will look exactly like the steemit interface) that will first ask you to put in your login and password, and you will end up giving them to that page. Your account will then be gone, since the person who sent you the link has now got your username and password.
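The phishing link described above can be caught by checking the host of the link instead of how the link reads. The following is an added example, not part of the original post; the trusted host list, the `.example` sample links and the edit-distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts where the reader ever types a Steemit key.
TRUSTED_HOSTS = {"steemit.com", "www.steemit.com"}
BRAND = "steemit"

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return (verdict, reason); enter a key only when verdict is 'trusted'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("invalid", "URL does not parse")
    if parts.scheme != "https" or not host:
        return ("invalid", "not an https link with a host")
    if parts.username is not None:
        return ("lookalike", "text before '@' is not the host")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("lookalike", "non-ASCII or punycode host")
    if host in TRUSTED_HOSTS:
        return ("trusted", "exact host match")
    for label in labels:
        if BRAND in label or edit_distance(label, BRAND) <= 2:
            return ("lookalike", "label %r imitates %s" % (label, BRAND))
    return ("unrelated", "not Steemit; never enter a key here")

# Constructed sample links; imitation hosts use the reserved .example TLD.
SAMPLES = [
    "https://steemit.com/@jbn/some-post",
    "https://steemit.com@login.example/",
    "https://steemit.com.login.example/login",
    "https://steeemit.example/login",
    "https://st\u0435emit.com/login",  # Cyrillic U+0435 in place of Latin e
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), ascii(link))
```

The threshold is deliberately conservative, so a legitimate site with a similar name is also reported as a lookalike; the verdict only answers whether a key may be typed on that page.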
You can also provide your own password to someone on a silver platter. How?
- By storing your master password in browsers as autofill and then losing your device
- By losing your phone / laptop where your password might be sitting very nicely in Notes or Word / Excel file
- By handing over your device to someone for longer periods
- By keeping your password copied in the clipboard, then unsuccessfully copying a link to share with someone, and then accidentally pasting your password instead on that particular thread. (Believe it or not, this happens a lot.)
How to Best Secure Your Steemit Account
There are a lot of means to do that. But I will emphasize the most effective and the most practical ones.
- By putting your Master Password in Cold Storage (on paper or on offline storage) and never using it unless you absolutely want to.
- By using only Posting Key for your daily Steemit usage / activities.
- By looking out for phishing pages and links. (if you are already logged in, steemit will not ask you to login again to see a comment or a post).
- By not giving someone your private posting key to do upvotes and comments on your behalf (yes.. people do that).
- By rechecking anything you copy on your device first, so that you know the intended link has in fact been copied and you will not accidentally paste your password in a chat.
- By never using public computers to log in to your steemit account (as they may contain key loggers).
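The accidental-paste risk described above can be reduced by scanning a draft for keys before it is shared. This is an added example, not part of the original post or of Steemit's code; it assumes that Steem private keys use WIF encoding (base58check, version byte 0x80) and that generated master passwords are such a key prefixed with `P`, and the sample key is constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload):
    """First 4 bytes of double SHA-256, as used by base58check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58decode(text):
    """Decode base58 text to bytes, keeping leading zero bytes."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def b58encode(raw):
    """Encode bytes as base58; used here only to build the sample key."""
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def is_wif_key(token):
    """True if token is a checksum-valid WIF private key (version 0x80)."""
    if not token or any(ch not in B58 for ch in token):
        return False
    raw = b58decode(token)
    return len(raw) == 37 and raw[0] == 0x80 and raw[33:] == checksum(raw[:33])

# Optional 'P' (assumed master-password prefix) followed by a 51-character key.
CANDIDATE = re.compile(r"P?(5[%s]{50})" % B58)

def find_keys(text):
    """Return every checksum-valid key found in text, 'P' prefix included."""
    return [m.group(0) for m in CANDIDATE.finditer(text) if is_wif_key(m.group(1))]

def sample_wif():
    """Constructed throwaway key, so the demo never handles a real one."""
    payload = b"\x80" + bytes(range(1, 33))
    return b58encode(payload + checksum(payload))

if __name__ == "__main__":
    draft = "have a look at this post " + sample_wif() + " and tell me"
    hits = find_keys(draft)
    print("blocked: %d key(s) in draft" % len(hits) if hits else "safe to paste")
```

Because the checksum is verified, an ordinary 51-character string does not trigger the check, while a real key does even when it sits in the middle of a sentence.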
Hey @jbn, you said something about using the best anti-virus at the start of the post. What is it?
Aaah yes. I use an anti-virus that makes it almost impossible for anyone to take over my account. The best part is that it is free. That anti-virus is COMMON SENSE. If you use your common sense while being online, I can guarantee you that all of your assets / passwords / keys / drives etc. will remain secure forever.
How to Reset Your Password
As of now, Steemit does not allow for generation of separate keys. So if you would like to change a specific key, you will have to reset your master password, which will automatically change all the keys in your Permissions section.
A Master Password reset is recommended when you suspect that someone else might also be controlling your account, or even at the slightest hint that your account may have been compromised.
To Reset Master Passwords and all keys, please follow these steps:-
- Go to Wallet --> Password (which is right next to Permissions).
- Once inside, please write your username and your current master password.
- Click on "Generate New Password" button. Your new generated password will appear.
- Please make a copy of it and place it in cold storage.
- Rewrite your new password in the field, "Re-enter generated password"
- Check both boxes that say "I understand steemit cannot recover lost passwords" and "I have securely saved my generated password".
- Click "Update Password"
- You will receive a success notification on left bottom of the page and you will be automatically logged out of steemit.
- Login again with your new password.
- Go back to Permissions after logging in again
- Please make a note of all of your keys as they have all been changed as well.
- Now you can choose the key from which you would like to log in to steemit.
Please see the picture below to reset your Master Password:
The criticality of this topic demands that education related to steemit account security be imparted to all steemians from time to time (especially to newcomers). This way, we can all contribute towards making this platform better, stronger and more secure.
Kindly consider upvoting and resteeming this post.
UPDATE 1.0 TO THE POST
Please note that a few changes have been made to the post.
Following Additions have been made:
- How to reset your password / keys
Following Headers have been edited:
- Owner Key
- Master Key
- Flow Chart describing all keys and their functions
All images are mine except the second one that was taken from pixabay