Steemit Account Security

Before proceeding, if you haven't read the Steem Private and Public Keys Demystified guide, do it. If you don't understand it fully, read it again and again until you do. For the rest of this guide, I will be talking about the PRIVATE keys; for the sake of clarity, I won't be typing "private" every time. To know the difference between private and public keys, refer to the guide I just mentioned. My emphasis will be on the Password.

Steem is not the average easy platform. It's a complicated environment with a learning curve. During your first login, the system asked you to generate a new password. That generated password is the password I mean throughout this guide. It was repeated many times: do not lose your password. Guess what, despite the warnings, people still manage to lose it! Every week we get cases of lost passwords in the help channel on Steemit.Chat, whether it's a new user logging in for the first time or someone without a backup of their password. And when the poop hits the fan, they rush in freaking out about it. 99% of the time, it's the user's fault. Here's a good example: NEARLY Losing Access To $7,000 On Steemit. Despite his precautions and good practice, that user managed to mess things up by accident, but luckily he was able to recover his account. It's a rare case where the guy got lucky!


What's in a Wallet?

Your Steem account is a wallet. It earns you money, it holds your money. Treat it with respect. The password is the key to your safe, which contains your money; if you lose it, you lose your money. Notice how many times I said money? People pay attention when they hear money (no pun intended). So pay attention to your password. Don't come crying if you got hacked, lost your password, and can't access your hard earned money while someone is draining it. Don't be reckless.


Securing the Password


Back up the password offline (cold storage), meaning some place that is not connected to the Internet. It could be in a text file saved on multiple USB keys; the more the merrier. If you can encrypt the file (PGP/GPG for example) or compress it with a password, that's even better. Of course, don't forget the zip password or lose your PGP keys, right? It could also be written or printed on paper and then secured in a safe, away from fire and other earthly hazards, such as your faithful dog who loves to chew on your things, or your cute baby drooling over your desk. However, keep in mind the password is case-sensitive; if you mistype it when you need it, you will be denied access to your account. The password starts with P5 while the private keys start with 5. Whatever you do, never ever send yourself an email with your password. That's the riskiest backup method. Email accounts are a prime target for hackers; if they stumble on your password, they can wreak havoc on your account!

And most importantly, double check that the password you backed up in a file, printed, or wrote on that paper actually works, before you can breathe easy. Open a new browser instance and try it. It goes without saying: never share your password or private keys with anyone, unless you completely trust them, like a family member or a loved one.


📌 Copy/Paste Tip

Sometimes the commonly used copy/paste method (CTRL-C, CTRL-V) can change the character encoding of the string, depending on the apps being used. If your password isn't working all of a sudden, it may be related to that issue. Make sure the password is in a plain text file, not a Word or other word-processing document. Try to copy with CTRL-INSERT and paste with SHIFT-INSERT; this can solve this rare problem. These instructions are for a PC (Windows/Linux).
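As an added example (not from the original post), here is an offline check for a backed-up password or private key that catches the problems just described: stray whitespace or odd characters picked up from Word or a copy/paste, wrong letter case, and typos. It assumes the Steem key format: a private key is a Bitcoin-style WIF string (version byte 0x80 plus a 4-byte double-SHA256 checksum, hence the leading 5) and the master password is the letter P followed by such a key (hence P5); the sample secret below is constructed, not a real key.

```python
import hashlib

# Base58 alphabet used by Steem/Bitcoin WIF keys: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def wif_encode(secret32: bytes) -> str:
    """Uncompressed WIF: version byte 0x80, 32-byte secret, 4-byte checksum."""
    payload = b"\x80" + secret32
    return b58encode(payload + checksum(payload))

def check_secret(s: str) -> str:
    """Offline sanity check of a backed-up password (P5...) or private key (5...)."""
    if s != s.strip() or any(not 32 < ord(c) < 127 for c in s):
        return "bad: stray whitespace or non-ASCII characters (copy/paste or Word artifact?)"
    if s.startswith("P5"):
        kind, wif = "master password", s[1:]
    elif s.startswith("5"):
        kind, wif = "private key", s
    else:
        return "bad: expected a password starting with P5 or a private key starting with 5"
    try:
        raw = b58decode(wif)
    except ValueError:
        return "bad: character outside the base58 alphabet (0, O, I and l never appear)"
    if len(raw) != 37 or raw[0] != 0x80:
        return "bad: wrong length or version byte"
    if checksum(raw[:-4]) != raw[-4:]:
        return "bad: checksum mismatch (a typo or wrong letter case somewhere)"
    return "ok: well-formed " + kind

# Constructed sample: a fixed 32-byte secret, NOT a real key, turned into a
# P5... password so the check can be exercised without touching a real secret.
SAMPLE_PASSWORD = "P" + wif_encode(bytes(range(1, 33)))
```

A passing checksum only rules out transcription errors; it does not prove the backup belongs to your account, so still do the test login the guide asks for.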


How Bad Can It Get?

There are two outcomes for a troublesome account.

  1. You completely lose the password, in which case there's no way to recover your account. You'll be locked out forever and need to create a new account. However, if you still have your posting and active keys, you can at least move your funds to a new account you create. But without the password, you won't have total control over your account.
  2. Someone gets hold of your password, logs into your account, changes the password and key set, steals your funds (SBD, STEEM), then initiates a power down. Steem has a mechanism which allows account recovery by the trustee that created your account. For example, steem is the main account creator, controlled by Steemit.com. You can initiate a Stolen Account Recovery at https://steemit.com/recover_account_step_1, on the condition that you have the old password. If someone else created your account, they can follow the instructions in this article: How the Steem account recovery works (and why your trustee can't steal your account)

Steem Little Secret: Granting Permissions


It's not a secret really; developers know this, but are you aware you can allow another account or key to interact with your own account? Yes you can, by granting posting, active or owner permissions! Granting posting permissions is usually done when people subscribe to trails, on streemian.com for example. If you give posting permissions to someone else, they can log into your account using their posting key, and post/upvote/downvote for you. Cool, isn't it? Granting access can be done with cli_wallet, or more easily with steem-python; the cli_wallet command line is different.

Here is the command for steempy: steempy allow --permission active --account your_account foreign_account

If you don't want people to see which account was granted permission, you can use its public key (posting, active or owner) like this: steempy allow --permission active --account your_account foreign_public_key

The permission parameter can be posting, active or owner.

To revoke a permission, you use disallow instead of allow.

This is practical. You can create a backup account, grant it access to your main account, and in case of a problem you have an ace up your sleeve and can at least rescue your funds. This method is not user friendly; I can write a more detailed post about it if you guys are interested.
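As an added illustration (not the steem-python project's own code), here is a small Python model of what allow and disallow actually change: the account's authority object, i.e. a weight threshold plus lists of [account, weight] and [public key, weight] pairs, which is the JSON shape a Steem node returns for the posting, active and owner authorities. The public keys are labelled placeholders, and the revoke check at the end is the sanity check worth doing before a disallow.

```python
import copy

# Constructed sample of an "active" authority as returned by a Steem node.
# The key is a labelled placeholder, not a real STM public key.
SAMPLE_ACTIVE = {
    "weight_threshold": 1,
    "account_auths": [],
    "key_auths": [["STM_OWN_ACTIVE_PUBKEY_PLACEHOLDER", 1]],
}

def grant(authority: dict, foreign: str, weight: int = 1) -> dict:
    """Model of `steempy allow`: add FOREIGN to the authority with WEIGHT.
    An STM... public key goes into key_auths (the grantee is then not named
    on-chain); anything else is treated as an account name."""
    auth = copy.deepcopy(authority)
    bucket = "key_auths" if foreign.startswith("STM") else "account_auths"
    kept = [e for e in auth[bucket] if e[0] != foreign]
    auth[bucket] = sorted(kept + [[foreign, weight]])  # Steem wants auths sorted
    return auth

def revoke(authority: dict, foreign: str) -> dict:
    """Model of `steempy disallow`: remove FOREIGN wherever it appears."""
    auth = copy.deepcopy(authority)
    for bucket in ("account_auths", "key_auths"):
        auth[bucket] = [e for e in auth[bucket] if e[0] != foreign]
    return auth

def can_sign(authority: dict, signers: set) -> bool:
    """True if the given accounts/keys alone reach the threshold, i.e. a
    transaction they sign is valid without the owner's own key."""
    entries = authority["account_auths"] + authority["key_auths"]
    total = sum(w for name, w in entries if name in signers)
    return total >= authority["weight_threshold"]

def is_safe_to_revoke(authority: dict, foreign: str) -> bool:
    """Before revoking, make sure the remaining entries can still reach the
    threshold; otherwise the account locks itself out of that permission."""
    remaining = revoke(authority, foreign)
    everyone = {n for n, _ in remaining["account_auths"] + remaining["key_auths"]}
    return can_sign(remaining, everyone)
```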


About Bittrex.com

An important note about Bittrex.com transactions. Their transaction page can be misleading because it's not very clear to new users. The Memo field is optional, but they don't mention it! You can leave it empty or write whatever you like. Dozens of people have made the mistake of writing their password or private keys in there! Never do that, because it will show up on the blockchain and in your wallet, and a malicious person can take advantage of that. So, again, never share your private keys with anyone or use them on third-party websites, especially the Owner or Active keys. Also, always do a small test transaction and check your wallet before doing a bigger one.

Here's a recommended article about leaked keys: You shall not (leak your) pass!


Conclusion

  • Use the posting key to login for your daily blogging activity.
  • Have the active key handy when you want to make funds transactions.
  • Safeguard your password as if your life depended on it, and don't use it unless you really need to.
  • Be smart, be careful, be secure.