HAVE I BEEN HACKED OR BLOCKED?
Yesterday I was logged out of my Steemit account. My first thought was "Oh Crap, I've been hacked"
A quick look around Steemit revealed no end of hacked accounts.
To try to find out more @kiwideb did a post saying my account had been hacked.
@kiwideb/no-not-me-phew-but-sift666-has-been-hacked
A whole bunch of awesome people commented with ideas and suggestions. But I hadn't actually done any of the things they suggested that would lead to being hacked.
The typical hacking stories were like these: that-glitch-scam-post-do-not-click-or-enter-your-details and birjudanak-is-pulling-a-phishing-scam
But it turned out I hadn't really been hacked - I'd been blocked
Since first joining Steemit in August 2016 we have always done the same thing - we just open up our browsers and are automatically logged in. The idea of having to log in or out of Steemit manually doesn't even enter our minds.
Logins are just another one of the complexities of modern life - something to be set up, done, and ignored as fast as possible.
Like many people I have a list of all my website log ins. There are 145 different sites on my list, all with different logins and passwords. I realise Steemit is like other cryto currrencies and needs a higher level of security, but the truth is I tend to just think of it as another website, like Pinterest or the online shop where I buy printer cartridges and A4 paper
We have five different computers permanently connected to the internet, as well as two Android tablets that connect through WIFI.
All of them have multiple browsers installed, and we generally use three - Chrome, Firefox, and Opera. Different browsers work better with different sites, but that will have to be another post!
Steemit works fine on all three so we literally have more than a dozen browsers all permanently logged into our Steemit accounts. They do this automatically without any thought or input from us.
Using different browsers for Steemit means that we can just decide which Steemit account we will be logged into by choosing which browser to open. No logging in or out required.
But the problem in this case was not that I was hacked - it was that I was locked out of my account "to save me from myself"
What actually happened was that I was randomly logged out in one of my browsers (no idea why) and I tried to log in with the key stored in that browser (Opera) - but that had been there since last year, it was my Master Key, and it's not safe to use that one, (it worked OK the first time, so I never thought about it again) and my account - @sift666 - was then locked up to save it from being hacked.
I never knew about needing different log in keys because it's been over a year since I last logged in, and I didn't have copies of the other log ins - only the original one.
While looking into this I read a post by @gtg - Memos, keys and passwords, Balrogs and Fields of Despair. Be safe
What I didn't realise when I first read that post is that my account wasn't hacked because I didn't do that security stuff properly - it's true, I didn't, but my account had actually been blocked by a bot created by @gtg in order to prevent my account being hacked in the future
On the one hand it's great that security experts like GTG are looking out for us, and I certainly needed a wake up call.
But on the other hand, if I had been told what had been done and given some more information, it would have been a lot less stressful.
This is all very new - in fact, only last week @kiwideb decided to try out a new browser - Brave (it's pretty good, well worth a try) so she logged into her Steemit account on it. As usual she copied and pasted her original password. All worked fine, no problem - and this was only LAST WEEK.
So when I did the same thing this week, it never occurred to me that things were different now. I guess that's what comes of doing something without thinking for 13 months.
A car analogy
Many people drive a car every day, even though they barely understand any of the mechanics of cars. Until one day they can't even open the door to get in it. "Oh Crap" they say, "my car is buggered"
In actual fact it's just a flat battery, but they had no idea that batteries need to be replaced about every five years. Maybe they are not actually very interested in cars, they just drive one, or maybe this is the first car they have ever had for more than five years, so they have never replaced a battery before
Logins now need to be held to a higher level of security, with bots to "save us from ourselves", but I suspect that 90% of Steemians are just as in the dark about all this as I was.
So I think it needs to be explained in much more simple terms. With pictures, and using more words like "Oh Crap" "Buggered" and "WTF" so that people like me don't just go "WTF is this boring crap? - buggered if I can be arsed reading all this"
So basically this is what you need to do:
Keep several very safe copies of your Master Password offline (When you setup your Steemit account, you get a Master Password)
But don't use this to log in after the first time (that is what I did by default because I've never logged in or out of Steemit for 13 months).
Instead go to your wallet and click on PERMISSIONS to see your public keys
Then click on "show your private keys" and save copies of them in a safe offline place.
From now on log in to Steemit using your PRIVATE POSTING KEY and not your MASTER KEY key.
This is what the keys look like (note - these are not actual keys):
Public Key of any type (Owner, Active, Posting, etc) - starts with STM and looks like this:
STM6n8WV3imRd454CMY8akRFY4CLbyJVvWS3UdVDWw1dayf4xU47Z
Private Key of any type (Owner, Active, Posting, etc) - starts with 5 looks like this:
5JNyFp1pWNYaHCDEiR7mop5cRzpHcA2psLNRdykhzgbjPzxsqcg
Master Password (KEEP REALLY SAFE!) - starts with P5 and looks like this:
P5KjZuqMC9q7MR1iKeXA2KzpRhnMHyhLQNyBHSDnSSiTiKnjyUCN
With the Master Password you can do everything with your account, because it is used to derive all the keys for your account. And if you lose it or someone else gets it, all your crap will be buggered...
To learn about all this properly from someone who really understands all this go HERE
MY MINIMALIST STEEMIT SIGNATURE
For more info, see MY WHOPPING BIG STEEMIT SIGNATURE
Hi @sift666! @rebeccabe is sending you 0.2 SBD tip and @tipU upvote
:)
@tipU - send tips by writing tip! in the comment, get share of the profit :)That must have been a very bad experience. I'm glad to see it ended well.
Yes - it did freak me out a bit, but the good side is that we have now got all this security much better sorted - I really was a password muppet!
@sift666 this is important information about security. We need to treat this very wisely. Thanks for sharing how the differnt keys work. It is important to keep them safe. Just upvoted. @gold84
Thanks, yes I feel like I sort of get the basics now and am not just a hack victim waiting to happen
@sift666 I agree with you. Will do the same. @gold84
Eh? So all this kerfuffle telling me not to lose my password and then a bot is going to change it without telling me! We can log in with our posting key? Nobody told me this, this is important! I'm resteeming because my followers must know!
I was pleased it was that rather than a hack - but it certainly wasn't obvious what had happened and it seems to be a very new bot (last few days?) so unless it's gives some better notifications, I think a lot of people will be freaking out...
Thanks for the resteem!
Great post. This is something that a lot of new users really don't understand and there's is not a lot of definitive information about what to do with all the keys. If you have not worked with blockchains before you would probably just use your main password and cached it.
Thanks so much for posting a step by step there. I found this after reading @kiwideb's post, and I couldn't quite get my head around what was wrong!
Now I've read your step by step I get it. And also, I'm in the same boat - logged in all the time after that first master keyword log in. AND I haven't even copied out my permissions keys yet, so thanks - I'm off to get all this sorted now!
Great!
I realised after I wrote this that most of the people who understand this stuff think it's obvious so they don't explain it in ways I can understand, and in order to understand it I had to try to explain it in my simple ways.
Ha! Yup, now this is the perfect picture for me too with all this stuff. Very enjoyable to learn and get my head round it all though. :)
same here great job! upvoted, resteemed, and thanking you with a additional tip! 0.20
Many thanks for that - I've never had a tip on Steemit before - Cheers :)
Tks sift666 for taking the time to explain your situation.. So much technical stuff to know you can start to gag. Will check out using private key. One question when you say save password off line, do you mean write it on a piece of paper?
I'm using a USB stick so I can copy and paste them - actually two USB sticks - one in the house and one not - and not plugged in when the computer is linked to the internet
Thanks sift666 that's easy enough . Plus written can't hurt.
Thanks for information but I found out the hard way. What you described happened to me a couple of days ago. Did you use account recovery to get the new password?
Yes I did and it all worked fine - just a bit of stress until I worked out what had happened.
Were you hacked or blocked?
Like you, I don't really know. When I'm doing a post, I have 2 windows with steemit on so I can see the category list. When I switched back to the posting window, it asked me to login. I did and it said the password is wrong. I knew that it was the correct password because I copy and paste. I also (like you) thought I was hacked but after reading your post, I think I was stupid and used the master password instead of the posting password. I did get a message from the keyhunter so I think I did exactly what you did.
Nice car (in front of the sushi place) is that a challenger, super bee?
It's really confusing and stressful isn't it? - I hope they come with better notifications and instructions.
I don't know what the car is - I heard it coming and took a photo - cars like that are really rare in New Zealand - I also like the ride to work sign behind it
Here is another big American beast I saw:
Honestly, I take the blame for my screw up. I didn't really spend a lot of time reading the directions / instructions (as the wife says 'a typical guy thing'). I'm just glad I got it resolved.
I'm pretty sure that orange car was some kind of plymouth. I really liked those cars, I was a mopar guy. I had a plymouth fury III, actually it was dad's / family car. But I use to drive it to school. Only bad thing is it had a 318 (I think) the monster was a 383 hp (the one I wish he got). The blue car is a chevrolet, not sure of the year. I'd guess a 1963 and it might be a belair. Old chevys were good cars too.
This should definitly be made more clearly from the moment you create an account. I didn't know this either, but from now on I will be using the active key instead of the owner.
Glad to hear you got your account back :)
Not the active key - that's for transfers - for logging in use the posting key
Yeah ty, I just figured it out and changed both keys. Posting for logging in, active for transfers ;)