Dummies Guide to Basic Steemit Account Security + Account Recovery Guide! Must Read For Steemit Users!

in #steemit · 7 years ago (edited)

Last night I dealt with two cases of Steemit account theft. Apparently two users were unable to log in, and one of their accounts seemed to have some SBDs transferred out. The transfer memos were different, old vs new, and things seemed fishy.

They reached out for help on Steemit.Chat and I advised them on how to proceed further. Most users are unaware of, or careless about, the basics of account security. In light of these new developments I felt it would be good to write a quick guide on doing things the right way on Steemit.

Generating Posting & Active Private Keys

This is what 100% of new members should be doing to protect their account. If you've been around longer and have yet to secure your account, you can simply follow this guide.

At account creation you are given a password. This is the master key or owner key to your account; if you lose it, everything is lost. Use it to generate your posting private key and active private key. If you lose it, or a hacker gets hold of the master key, they can simply change the password and it will be difficult to retrieve your account.

Steps for generating Steemit Private Keys:

  1. Visit the Wallet page and click on the Permissions tab.
  2. Click on Show Posting Private Key and save the private key.
  3. To retrieve your active key, log in with your master key under 'Active' in the same tab and it will show you your active private key.
  4. Back up all keys in multiple places (cloud storage, a printout, a pen drive in your locker).

The posting private key allows you to vote, comment and participate on Steemit.

The active key allows you to trade on the internal market, change settings and, most importantly, use your wallet page to make transfers, power up, power down, etc.

As you can see, there is absolutely no need to use your main password to log in and use Steemit every day.

You must read these two articles by @noisy that describe these keys and their use in depth: Article 1 and Article 2.

Witness and top user @pfunk has made an excellent guide on different Steem keys and Passwords as well as securing your account with a new Owner key. Please read these articles to ensure security of your account and assets.
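To make the key hierarchy above concrete, here is an added Python example (not code from this post, from @noisy or @pfunk, or from Steemit itself). It follows the derivation scheme the Steem client libraries use: each role's private key is the SHA-256 of the account name, the role name and the master password concatenated, encoded in Wallet Import Format (the "5..." strings you see in the Permissions tab). The account name and password are constructed sample values, and the memo role is included alongside owner, active and posting because the libraries derive it the same way. The public keys (secp256k1) are deliberately not derived here; the point is that the posting and active keys are independent secrets, so exposing the posting key you use every day reveals nothing about the active or owner key.

```python
import hashlib

# Base58 alphabet used by Bitcoin-style WIF encoding (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Key roles a Steem account has, from most to least powerful.
ROLES = ("owner", "active", "posting", "memo")


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as used by WIF."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def to_wif(priv32: bytes) -> str:
    """Wallet Import Format: 0x80 || 32-byte key || 4-byte checksum, Base58."""
    payload = b"\x80" + priv32
    return b58encode(payload + _checksum(payload))


def from_wif(wif: str) -> bytes:
    """Decode a WIF string, verify its checksum, return the 32 raw key bytes."""
    data = b58decode(wif)
    payload, check = data[:-4], data[-4:]
    if check != _checksum(payload):
        raise ValueError("WIF checksum mismatch (typo or corrupted key)")
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not an uncompressed mainnet WIF key")
    return payload[1:]


def wif_is_valid(wif: str) -> bool:
    """True if the string is a well-formed WIF key with a correct checksum."""
    try:
        from_wif(wif)
        return True
    except ValueError:
        return False


def raw_role_key(account: str, role: str, password: str) -> bytes:
    """Raw 32-byte role key: sha256(account + role + password)."""
    seed = (account + role + password).encode("utf-8")
    return hashlib.sha256(seed).digest()


def derive_role_key(account: str, role: str, password: str) -> str:
    """WIF-encoded private key for one role. Changing any input gives an
    unrelated key, so the roles do not leak information about each other."""
    return to_wif(raw_role_key(account, role, password))


def derive_all(account: str, password: str) -> dict:
    """Derive the full set of role keys from the master password."""
    return {role: derive_role_key(account, role, password) for role in ROLES}


if __name__ == "__main__":
    # Constructed sample values, not a real account.
    sample_account = "alice"
    sample_password = "constructed-sample-master-password"
    for role, wif in derive_all(sample_account, sample_password).items():
        print(f"{role:8s} {wif}  valid={wif_is_valid(wif)}")
```

Running the block prints four distinct 51-character keys, each beginning with "5". `from_wif` doubles as the check you would want before pasting a key anywhere: a single mistyped character fails the checksum instead of silently producing a wrong key.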

Steemit Account Recovery Guide

Steemit is unlike any other social media platform on the web. Because of its monetary system, the blockchain by design makes it difficult to recover your password in the event of loss or theft, since ownership is hard to ascertain in some cases. If for some reason you never used the aforementioned keys to secure your account, you may still have a chance at recovery, but you must follow these exact steps to ensure a quick account recovery.

Conditions That Need To Be Met For Recovery

  1. Your password/keys were changed or lost.
  2. You have the original master password or owner key from account creation.
  3. You complete account recovery within 30 days of when your password/keys were changed.
  4. You have access to the email address used when creating your account.

Steps For Account Recovery:

  1. Enter your username and old master password or owner key by going to Wallet —> Password Tab —> Recover Account option.
  2. Use the exact email that was used to create your account. If you use the wrong email this can delay the process, or it may not be possible for Steemit to take action at all.
  3. You have to submit the request within 30 days of losing access to your account for Steemit to consider it.
  4. Send an email to Steemit at support at Steemit.com mentioning all the facts related to your situation.

Currently the system is set up to prevent someone from stealing your account: in such a case you can recover it within 30 days of losing access to it. It is entirely up to the user to come forward, attempt account recovery and report the loss of account access to Steemit.


Stupid Mistakes Noobs Do

  1. Never researching how Steem's blockchain works and the intricacies behind it.
  2. Treating this platform as you would treat Facebook/Twitter in terms of account security.
  3. Logging in with the master key in your laptop browser.
  4. Using the master key in mobile browsers instead of using apps like eSteem built by @good-karma.
  5. Sharing keys with each other via unsecured channels when requesting assistance.
  6. Sharing keys in the memo field, as described by @noisy in his Steemit account hacking article.
  7. There's no dearth of stupid things that we do with our passwords, but you get my point!

Secure Your Systems

  1. Use incognito mode if possible, or simply use the private posting key to browse Steemit.com.
  2. Use eSteem or a similar client on mobile. Don't use the browser when you can avoid it. Generate a QR code and use eSteem to load your password with a simple scan.
  3. Use Zenmate or a better proxy for your Chrome browser.
  4. Use good anti-virus, firewall and anti-malware software on your Windows-based systems.
  5. Use Little Snitch for securing your Macs.
  6. Don't exchange keys over email or messenger apps. Use a Google Doc and delete the file, also from the trash, after sharing.
  7. Use Google Authenticator/Authy to log on to your email/Gmail accounts instead of, or in addition to, phone SMS/OTP, and save your backup codes carefully.
  8. Don't use browser anti-virus extensions, as they can be detrimental to your privacy and security.

I hope this article prevents further issues for new and established users who are unaware of these security features of Steemit.com. Maybe in the future Steemit will make an easier account recovery system, but for now it's easier for us end users to protect our accounts by simply being smart about it.

If we are ignorant we risk losing our work and our Steem/SBD, worth a lot of money! There is no point in holding Steemit responsible for being unable to recover your account afterwards.

Kindly re-steem and share this with your Steemit friends and help them secure their accounts.

Disclaimer: I'm not a data security expert and this is purely based on my personal understanding of Steemit. Security experts are welcome to advise on better ways to secure Steemit accounts which any layman or newbie can easily follow without getting confused.


You may also continue reading my recent posts which might interest you:

  1. Crypto Current Affairs—South Korea Drafting Bills to Legalise Bitcoin & Ethereum!
  2. Crypto Current Affairs—Is Bitcoin Legal Tender in India?

Follow Me: @firepower


@firepower, thanks for your blog. For the last few days I was running around to find the private key to the active key. Once I pressed the login to find button, I got lost as I did not have any key. I had sent this query to many here in my comments to their blogs. None replied. Sometimes I guess not many read their blog comments and even if they did, they don't have time to respond. I perfectly understand their situation. But I remained perplexed not knowing what to do and how to proceed.
Now I know how to obtain the private key for active key. Thank you.

Now another query. How do I get my owner private key. There is only a public key there and no button. Please let me know how to get the private key for owners key.

I think this post is a very very important one which comprehensively explains the permissions tab in detail and addresses all the security concerns for us, newbies.

Thanks again for your excellent post. Amazing as always. 😊👌

Your password that you have when you created your account is the master/owner key. You change that from the password tab and use permissions tab to generate posting/active private keys.

Please keep your current master/owner key safely and only use your posting key.

Thank you for all of this information. I am new here and looking for all the help I can get. I am not a gamer and have no knowledge of or experience with crypto. You might just want to call me a tech-idiot. My 25 year old son used to help me with various tech issues but he is not here with me now, so I have to count on you :)

I had heard of this private key thing before and was going to look into it. It's on my long list for this place. The problem I find is that when I look things up I still don't understand! I did not know what the "private key" meant at all. I really appreciate this detailed and helpful post and I will definitely go through it step by step.

I looked at the "Stupid Mistakes" section above and I am guilty of some (most?) of it. This place has a big learning curve and I am very grateful for the help. I've been ReSteeming the posts that are helping me figure this place out, so I ReSteemed you today. Thank you so much!

Many people have written articles that attempt to help new users to navigate this platform, including myself. Not sure if you already know this, but you can look at someone's blog /wall by clicking their name, and when a little box opens up, click their username again and it takes you to their page. You can then scroll through their posts in their blog.

Yes, I did know that, but maybe someone else does not. So nice of you to offer tips :)

Thank-you. I have no idea why, but I really enjoy helping others. Perhaps something from a past life???

@happyme continue helping others! good job! :)

Thanks! I most certainly will. I'm chomping at the bit to hurry and build my SP so that my votes will actually mean something and I'm able to add some real value to people's posts. In the meantime, I can still try and clarify things and offer any information I have. I plan to continue my games and contests for user engagement as long as people are receptive to them.

You're not alone.

lol - we unite in our ignorance! One day soon we can help others :)

Nice one.

I'm so happy to see all these replies!

@fitinfun thank you for the excellent comment! Well I'm glad that your son helped you in many aspects and I'm happy that this post was of some use to you and that you stopped by to leave a comment! :) Very kind!

I hope you will follow the steps outlined to secure your accounts. With newer technologies, there are greater risks of theft as many bad elements will try to steal what is yours. Good luck with Steemit and welcome aboard :)

Thank you! I do not want to be a victim needing help later :) This was a wonderful post to help me not feel alone. It's so amazing to get all this interaction. I try hard on fb and twitter and pinterest and linkedin but I scream into dead worlds over there. What a breath of fresh air with Steemit entering my life.

You are welcome! Glad you found it useful! :)

Great info, but still confused about the 30 day rule. Let's say your account is 40 days old. Can you still do the account recovery?...If so, would you still need the original pw...or just the pw from 10 days of age?

It's not the age of your account, it's the time since your account was compromised. If someone gets your password, logs in, and then changes the password - thereby locking you out, you have 30 days from that point to discover and address the problem.

Let me ask another way. Can my original pw be used to recover my account once my account is more than 30 days old?

Even if I have changed my original password?

I created my account using anon.steem so just trying to figure how secure it is since their system gave me my original password, which I have changed since then. But if my original password can be used to recover my account, then what's the point of changing my pw at all.

Your question makes a lot more sense with the anonsteem info. I don't have a for sure answer for you. Accounts are created by other accounts, and the creating account becomes the "recovery partner." Accounts registered through Steemit have the @steem account as their partner, so they would verify your identity if an account recovery was needed.
Your account created with @anonsteem will have them as your recovery partner, and I am honestly not sure if they provide continued support after account creation, so recovery may not even be an option. Definitely a good question to ask of them!
I've also created an account now using SteemConnect, so one of my accounts is the recovery partner for my other account! I have no idea how I would go about serving as a recovery partner, I have a feeling it involves a lot of backend stuff and there are no good user interfaces designed for it yet. I also don't know if it's possible to delegate a new recovery partner by choice.
But... to somewhat answer your question... let's assume someone has your old password and there is a recovery partner ready and waiting. If they try to take over your account by fraudulently "recovering" it, they should only have a 30 day window from when you changed the password. So if you've had your new password for more than 30 days you should theoretically be safe.

Thank-you for helping out. Your explanation sounds very logical. I would expect the same thing as what you said. The account should be safe after 30 days have passed from the date of making a new password.

Got it, that makes sense. Thanks for the help!

You are now adding more details to your original question.
First of all, to recover using the Steemit recovery states that you must have set steemit as your trusted partner. By using anon.steem to set up the account, I bet that was not done. So recovery would likely not succeed in that case. I'm definitely no expert on the subject, but I have read about it and try to help others understand to the best of my ability. Now we are getting out of that range. Sorry.

Yeah, sorry just trying to figure out how to be safe. I was on a waitlist for over a week so went the anon route after seeing it as a possible solution on the help section. I know it complicates things.

@bryan-imhoff thanks for responding. :)

No prob, I just hope I'm not giving any misinformation! I know enough to get into trouble I guess... Account recovery seems to be an undeveloped tool with a lot of questions surrounding direct registrations, as I mention in my above comment. I'm curious if anyone has any answers for this that I could learn!

@financialcritic Yes. Account age is irrelevant. One can only attempt account recovery within 30 days of a hostile takeover, which, if you use your account daily, is easily known. If someone whose account has been hacked comes back after 30 days of theft or loss of the master password, then it would not be possible to recover.

Thanks. I'm just trying to figure why I should bother to change my pw at all, if my original one can be used to access my account via recovery.

Because if you mess up in the process, lose your original key for whatever reasons or you don't get a response from Steemit when you shoot an email after attempting recovery then you are screwed! :)

great info thank you so much!!!

You are welcome!

Really nice overview! Also a reminder to myself to pay more attention to some of these security issues.

It's great to see you stop by dude! I'm glad you found it useful! :)

It's great to see you very active lately! :)

I'm just getting back on my feet and quite happy that I can work again. :)

Excellent advice. I'm bookmarking this one. As someone who was hacked last summer, I take nothing for granted.

Thank you so much for taking a look at this! :) I'm glad it was useful!

Great post brother @firepower, you've touched on some very good points. The Steemit awareness programs seem fun; I hope to reach your level in a few months. I would like to say thank you for the inspiration. Good job.

This is useful. What I like about Steemit is its security features. What is important is that steemit users should take care of their password because once it is lost or forgotten, it cannot be recovered. I am glad I found your profile @firepower. I hope I will benefit from your blogs.

You are welcome!

Wow! I'm so glad I clicked here. There is so much important information I had not known or thought about. Bookmarking this page for reference. Thanks @firepower.

You are welcome!

Great tips man :)

You are welcome!