Memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't.

in #steem, 7 years ago

Two months ago I wrote that You shall not (leak your) pass.

My security research is an ongoing process: I'm trying to protect Steem users from hurting themselves by leaking their keys and passwords
(also with the help of @almost-digital's dsteem-powered tools).

Apparently, it's not as easy as stopping Balrog.

Lately I've successfully secured hundreds of liquid SBD and STEEM and almost $100,000 worth of Steem Power. But there's not always a happy ending. Sometimes malicious users are faster. Sometimes you can't even tell if the current owner is the original one. Sometimes account recovery is needed. Sometimes it's just too late to do anything.

Gandalf's stories
- "Steem Wizardry" by Inber

Fields of Despair: Memo

The most common user error was to put private material into the memo field while doing transfers.
Keys, both public and private, should NOT be placed in memo fields.
Memo fields are used to distinguish one transfer from another.
Whatever you enter in a memo field will be available to the public. Forever.

Valid use cases include:

  • When Alice transfers 10 SBD to Bob she could enter Wednesday's Pizza in the memo field to let Bob know what it is for.
  • When Dylan appreciates Bob's new lyrics, he sends him 100 STEEM with the memo Dude, "Masters of War" is a cool song, but Tatiana's version is so much better
  • When Frank wants to get a flag from Charlie, he sends his post's URL as a memo.

Memo fields used while making deposits (sending money) to exchanges

Sometimes however, you have to set your memo exactly as directed.
Exchanges, such as bittrex, blocktrades, changelly, poloniex and others require you to set the memo to an exact value when you are sending money to them. They are using that specific memo value to distinguish transfers. Each user has their own distinct memo value but it has nothing to do with your keys or passwords! To get your proper memo value, you need to follow the exchange's deposit instructions. If you don't, you will lose your funds.
Please note that usually there's a different memo for sending SBD and a different one for sending STEEM.

This is what a bittrex memo might look like:
0ab23c4de5fa67bc8de
This is what a blocktrades memo might look like:
a1b234c5-de67-8f90-1a2b-c345d6e78fa9
This is what a changelly memo might look like:
1a79a4d60de6718e8e5b326e338ae533
This is what a poloniex memo might look like:
1abcd23456789012

A memo is never your key or password.

Memo fields used while making withdrawals (sending money) from exchanges

For many digital currencies, your address is the key. Steem is different. Your address on Steem is your account name.
When alice wants to send STEEM to bob, she just needs to put bob in the address field. The memo field is optional in this case. Regardless of the memo value (which can be empty), bob will receive those funds.

How can I lose my key?

Unfortunately, there are many, many ways users can leak their keys and passwords.
Do you think that this post is not about you?
Are you sure? I've already seen hundreds of leaked keys.
For over a year, it was never a software error. It was always a BKAC (Between Keyboard And Chair) one.

There are people that are well aware of the importance of keeping private stuff private.
Errors, however, can happen.
Even to smart people.
Even to you.

Sometimes one misclick is enough.

You have copied your key and pasted it in the login window?
Have you checked that the link you used really pointed to https://steemit.com?
Or was it just a site that looked the same?
Are you logging in using your private computer?
Or maybe you had a strong urge to upvote something while using a public PC in a library?
You keep your Master Password in your mailbox, so what could possibly go wrong?
Maybe you wanted to paste a link to cute kittens that you found just after logging in to Steemit and Ctrl+C didn't work for the link, but Ctrl+V did for the password?
You've used a cool tool that upvotes and stuff, but are you sure that it doesn't send your password through the net?
If you have any doubts, change your password/keys immediately.

Keys? Passwords? Whaaa?

The first rule of Steemit is: Do not lose your password.
The second rule of Steemit is: Do not lose your password.
The third rule of Steemit is: We cannot recover your password.
The fourth rule: If you can remember the password, it's not secure.
The fifth rule: Use only randomly-generated passwords.
The sixth rule: Do not tell anyone your password.
The seventh rule: Always back up your password.

Master Password: one password to rule them all.

When you setup your account through Steemit, you get a Master Password.
With the Master Password you can do everything with your account, because it "contains" all the keys to control it. In fact, the Master Password is used to derive all keys for your account.

What if you leak it?

All the bad things will happen, exactly as if you had leaked your Private Owner Key (see below for the consequences and instructions).

What if you lose it?

If you have your Private Owner Key saved somewhere, then you can use it instead.
If you don't have it, then GAME is OVER
Nobody will help you, because nobody can.

A more secure way is to use individual keys when appropriate.

Keys

Private Owner Key

It can do everything with your account, including changing other keys and the owner key itself, or doing account recovery. Keep it secret, keep it safe. You don't need it for daily use. Don't lose it. It is best to write it down and lock it in your safe or secret basement. It's your last resort in case your other keys are compromised.

What if you leak it?

You will lose control over your account, your keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of the funds every week for 13 weeks.
Try to change your keys immediately.
If it is too late, you have 30 days starting from the day it was changed to proceed with Stolen Accounts Recovery. It might or might not work and you might or might not be eligible to use it. If for some reason it doesn't succeed, you will never regain access to that (soon to be empty) account.

What if you lose it?

GAME OVER
Nobody will help you, because nobody can.

Private Active Key

You can use it to do almost everything except for changing Private Owner Key. You can vote for witnesses, change your account properties such as your profile picture or cover image, change your Private Posting Key, and most importantly: transfer your funds. Use it only when you need to perform such actions.

What if you leak it?

You will lose control over your account, your active and posting keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of your funds every week for 13 weeks.
However, you can use your Private Owner Key or Master Password to change the leaked Private Active Key.

What if you lose it?

Use your Private Owner Key or Master Password to set a new one.

Private Posting Key

You can use it to post, upvote, follow, resteem, but not to transfer your funds. The best option for day-to-day use. Still, use it with care. Despite being only a "Posting" it is still "Private" and it is still a "Key".

What if you leak it?

Your posts and comments might get vandalized, and malicious users might post, upvote, downvote, resteem etc. on your behalf. You can use your Private Active Key, Private Owner Key or Master Password to change the leaked Private Posting Key.

What if you lose it?

Use your Private Active Key, Private Owner Key or Master Password to set a new one.

Other keys

Signing Private Key and Memo Private Key are not in the scope of this post. If you need to use them, you already know what they are used for and why.

How do those keys look?

This is what a Public Key of any type (Owner, Active, Posting, etc.) might look like:
STM6n8WV3imRd454CMY8akRFY4CLbyJVvWS3UdVDWw1dayf4xU47Z
(please note that it starts with STM)

This is what a Private Key of any type (Owner, Active, Posting, etc.) might look like:
5JNyFp1pWNYaHCDEiR7mop5cRzpHcA2psLNRdykhzgbjPzxsqcg
(please note that it starts with 5)

This is what a Master Password might look like:
P5KjZuqMC9q7MR1iKeXA2KzpRhnMHyhLQNyBHSDnSSiTiKnjyUCN
(please note that it starts with P5)
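To make the relationship between the Master Password, the derived keys and the memo field concrete, here is an added Python example (mine, not code from this post or from Steem's own libraries). It reproduces Steem's key derivation (private key = sha256(account + role + Master Password), encoded in Wallet Import Format) and uses the WIF checksum to recognise private keys and P5... Master Passwords before they end up in a memo. The account name, seed and memo strings are constructed for the example; public keys are matched by shape only, since their checksum is ripemd160-based and not verified here.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin, Steem and other Graphene-based chains.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CHARS = "[1-9A-HJ-NP-Za-km-z]"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Base58-decode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def to_wif(raw_key: bytes) -> str:
    """WIF as Steem uses it: 0x80 || 32-byte key || 4-byte sha256d checksum, base58 (51 chars, starts with 5)."""
    payload = b"\x80" + raw_key
    return b58encode(payload + _checksum(payload))


def is_valid_wif(text: str) -> bool:
    """True only for a 37-byte decoding with the 0x80 prefix and a matching checksum."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and _checksum(raw[:33]) == raw[33:]


ROLES = ("owner", "active", "posting", "memo")


def derive_private_wif(account: str, role: str, master_password: str) -> str:
    """Steem's derivation: private key = sha256(account + role + master password), then WIF."""
    seed = (account + role + master_password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_all_roles(account: str, master_password: str) -> dict:
    """The 'one password to rule them all': every role key comes from the same Master Password."""
    return {role: derive_private_wif(account, role, master_password) for role in ROLES}


# Shapes from the post: private keys are 51 chars starting with 5, a Master Password is
# 'P' followed by a WIF (so it starts with P5), public keys are STM + 50 base58 chars.
KEY_SHAPES = (
    ("master password", re.compile(r"\bP(5" + B58_CHARS + r"{50})\b")),
    ("private key", re.compile(r"\b(5" + B58_CHARS + r"{50})\b")),
    ("public key", re.compile(r"\b(STM" + B58_CHARS + r"{50})\b")),
)


def memo_problems(memo: str) -> list:
    """Return (kind, token) for every piece of key material found in a memo.
    Private keys and Master Passwords are confirmed by their WIF checksum; public keys
    are matched on shape only (their checksum is ripemd160-based, not checked here)."""
    found = []
    for kind, pattern in KEY_SHAPES:
        for m in pattern.finditer(memo):
            if kind == "public key" or is_valid_wif(m.group(1)):
                found.append((kind, m.group(0)))
    return found


def check_transfer_memo(memo: str) -> str:
    """Gate a transfer: refuse a memo that carries keys, return it unchanged otherwise."""
    problems = memo_problems(memo)
    if problems:
        kinds = ", ".join(kind for kind, _ in problems)
        raise ValueError("memo contains key material (" + kinds + "); memos are public forever")
    return memo


# Constructed example Master Password: same P + WIF shape as a real one, but nobody's account.
EXAMPLE_MASTER = "P" + to_wif(hashlib.sha256(b"constructed example seed").digest())

if __name__ == "__main__":
    keys = derive_all_roles("alice", EXAMPLE_MASTER)
    for role, wif in keys.items():
        print(role, wif)
    print(check_transfer_memo("Wednesday's Pizza"))
    print(memo_problems("oops " + keys["posting"]))
```

Changing the Master Password simply re-runs `derive_all_roles` with a new password, which is why every key is replaced at once; and because the derivation is deterministic, anyone who sees the Master Password can compute all four private keys offline.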

Never send your keys online

A Private Key is called PRIVATE for a reason.
You cannot post it online.
Never.

"- OK, but when I log in on steemit.com I post my key so the site knows it's me, right?"

No. The Steemit site is written so that your key stays in your browser at all times. When you post, comment or upvote, the transaction is signed locally with your key.
The signature is sent with the transaction, but your private key isn't.

Every time you enter your key or password in an app or site, you have to trust it.
There are many scenarios in which you might lose your key:

  • the author of an app might be malicious: instead of keeping your keys locally to sign transactions, the app sends them to his server, where he misuses them
  • the author of an app might not be skilled enough and handle your key insecurely, putting your account at risk
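The "signature is sent, key stays local" point above, and the question of what an app actually needs to hand over, as an added example (mine, not code from this post or from steemit.com): a vote operation is signed on the client with a private key, and the bundle that leaves the device contains only the operation, the signature and the public key, which is all a node needs to verify it. It uses textbook ECDSA over secp256k1 (the curve Steem uses) rather than Steem's compact recoverable signature format and binary serialization; the JSON serialization, the deterministic nonce scheme and the key are constructed for the example.

```python
import hashlib
import json

# secp256k1 domain parameters (the curve used by Steem, Bitcoin and others).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _point_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(d: int, message: bytes):
    """ECDSA signature (r, s). The nonce is derived from (d, message): a simplified stand-in for RFC 6979."""
    z = _hash_int(message)
    k = _hash_int(d.to_bytes(32, "big") + z.to_bytes(32, "big")) % N or 1
    while True:
        r = _point_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s
        k = k % (N - 1) + 1  # next nonce in 1..N-1 (practically never reached)


def verify(pub, message: bytes, sig) -> bool:
    """ECDSA verification: needs only the public key, never the private one."""
    r, s = sig
    x, y = pub
    if not (0 < r < N and 0 < s < N) or (y * y - x * x * x - 7) % P:
        return False
    z = _hash_int(message)
    w = pow(s, -1, N)
    point = _point_add(_point_mul(z * w % N, G), _point_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def _serialize(operation: dict) -> bytes:
    """Canonical bytes hashed by both sides (constructed stand-in for Steem's binary serialization)."""
    return json.dumps(operation, sort_keys=True, separators=(",", ":")).encode()


def build_signed_transaction(private_key: bytes, operation: dict) -> dict:
    """Sign on the client. The returned dict is everything that leaves the device."""
    d = int.from_bytes(private_key, "big")
    if not 0 < d < N:
        raise ValueError("private key out of range")
    r, s = sign(d, _serialize(operation))
    x, y = _point_mul(d, G)
    return {
        "operation": operation,
        "signature": r.to_bytes(32, "big").hex() + s.to_bytes(32, "big").hex(),
        "signer_pubkey": "04" + x.to_bytes(32, "big").hex() + y.to_bytes(32, "big").hex(),
    }


def verify_transaction(tx: dict) -> bool:
    """What a node does with the bundle: check the signature against the public key."""
    sig, pub_hex = tx["signature"], tx["signer_pubkey"]
    if len(sig) != 128 or not pub_hex.startswith("04") or len(pub_hex) != 130:
        return False
    pub = (int(pub_hex[2:66], 16), int(pub_hex[66:], 16))
    return verify(pub, _serialize(tx["operation"]), (int(sig[:64], 16), int(sig[64:], 16)))


def leaks_private_key(tx: dict, private_key: bytes) -> bool:
    """Defensive check on the outbound bundle: does it carry the private key in hex or decimal form?"""
    wire = json.dumps(tx)
    return private_key.hex() in wire or str(int.from_bytes(private_key, "big")) in wire


# Constructed 32-byte private key for the example; not anyone's real key.
EXAMPLE_PRIVATE_KEY = hashlib.sha256(b"constructed example seed, not a real key").digest()

if __name__ == "__main__":
    vote = {"voter": "alice", "author": "bob", "permlink": "new-lyrics", "weight": 10000}
    tx = build_signed_transaction(EXAMPLE_PRIVATE_KEY, vote)
    print("valid:", verify_transaction(tx), "leaks key:", leaks_private_key(tx, EXAMPLE_PRIVATE_KEY))
```

An app that really does sign locally only ever emits something like `tx` above; if a tool needs your private key on its server to work, it is asking for far more than the signature a node would accept.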

TL;DR:

You will lose your funds if you disclose your private key.

Do not learn from your own mistakes, learn from the mistakes of other users.



If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf



Steem On
Be Safe


Just for the sake of it and to be double sure about the privacy of my keys, I'm going to reassign them to new codes a.s.a.p. I can't thank you enough for this information you are sharing with us today, it goes deeper into the functions of what keys are and their potential ramifications. They are so powerful, yet so vulnerable...

Namaste :)

will have to read this - and many other posts on the subject - over and over again... with time I am sure and full of hope... I will understand more and more... Greetings from a newbee and tech autist... but willing and eager to learn and find out! Thank you for your post, Gandalf! had a smile on my face when I looked on the drawing with the pipe... here you can see why - hubby and best friend on our porch :-)

Awesome :-)) say hello to those guys :-)
Steem platform is like nothing else, so it is really not that easy to get familiar with all technical details, however, in time, it would make more and more sense to you.
Good luck.

Too late to ask a question 4 months later? :-)

I thought that Master and Owner key are one and the same, so I checked and yes I only have Owners key, well I have all keys but Master.

Question, is there a way to retrieve a Master key with Owners private key?

If you are dealing with your keys through the steemit.com site it is most likely that you have a Master Password that you got while creating your account. It's the one that starts with P. The Owner key and others are derived from that password. So no, you can't get the Master Password while having the Owner private key, but you can get the Owner private key from your Master Password (assuming that the individual keys weren't changed from the derived ones).

Thank you very much!
I thought I had lost it since I didn't know the Master existed also, didn't pay attention at registration, but I just found it saved on my CD. Phew!

Good to know, that Master is ultimate key, above all other. I just mislead someone who I brought to Steemit. I need to fix this, thanks again for clarification.

Thank you for this post, you've really made me realise I need to be much more careful!

Sorry to ask but I'm still confused still about a few of things.

  1. I use Chrome and my google smart lock settings remember my password when I log into Steemit. Is this a problem?

  2. In my wallet I have four categories of Keys - Posting Key, Active Key, Owner Key & Memo Key. My Owner Key is the only one that doesn't have a "show private key" tab next to it. It says: "The private key or password for the owner key should be kept offline as much as possible." I got really confused by this ie. what is the password for the owner key and where would I find it? Is it the original password that was emailed (starts with PK)

  3. Private active key. It says "the active key is used to make transfers and place orders in the internal market". A few services like Streemian have asked for the private active key. Is that normal? Why can't they just use the STM version of the active key instead? Also when I first logged onto Streemian I entered my private key into the first app they had on the page but then when I hit enter it came up with an error and I then noticed it didn't have a secure lock on the URL, so I tried the second app (the .js one) and it did have a secure lock and worked okay. Is Streemian safe or should I consider changing my keys?

  4. If I want to change my keys I can only find one option which is to reset Password. Does that reset all the keys as well? If I'm still using the first password I was given on acceptance/login to Steemit is that a mistake and should I have changed it?

Thanks for your article, sorry to ask what are probably obvious/annoying questions! Have just voted for you as Witness.

Ad. 1. Saving password in your browser is as safe as the weakest link in the chain: browser - operating system - computer. Up to date Chrome browser is a safe choice. Make sure you don't use any shady extensions. Also, make sure that this is not the only place where your password is stored (what if you lose access to it?).
Also:
Using appropriate keys > Using Master Password

Ad.2. That P5.... thing is the Master Password. Under the hood it does nothing except being a source for your keys that are derived from it and used when appropriate. So you can use the Master Password for posting and the same Master Password for transferring funds. That's for convenience. For better security it's better to use posting / active when needed.
There's no way currently to display owner key in the browser, but you don't really need it when you have Master Password that can serve same role (also for account recovery).
If you really want to you can use cli_wallet for that:
get_private_key_from_password angusg owner P5HerePutYourMasterPassword

Ad.3. When any service asks you for your password / key you should be very careful and general rule is to refuse if you are not absolutely sure that it's ok.
streemian is a well known service made by a reputable steemian - @xeroc
If you trust that site and its owner then you might want to take that risk.
I did with my gandalf account. :-)
Streemian is using your Private Active Key to sign a transaction that adds appropriate posting authority to your account, so later on Streemian can do voting on your behalf (without knowing your Private Active Key or even your Private Posting Key). That's the proper way of doing things. Currently however, there's an even better way to do that without worrying about entering your key to an unknown site. It's called SteemConnect v2.
If you have any doubts - change your keys to be sure.

Ad. 4. Yes. Changing password changes your Master Password, from new one new keys are derived and replace old ones. Changing initial password is not required.

Thank you Gandalf! That really puts my mind to rest, also thx for the cli_wallet tip. I signed up for SteemConnect V2 yesterday after reading your article and I'm just figuring that out. I'm also going to check my Google extensions and disable any I'm unsure about. I don't have many. I've backed up my keys and password and I think I'm going to take the risk on Streemian because I already connected for my Discord verification.

I can see that the possibilities for services and apps that extend Steemit is almost limitless, so security is always going to be one of the biggest nightmares.

Thank you for caring about our security and wellbeing and for taking the time to spell it out so clearly!

Just curious (not sure if I understand correctly)

I'm going to take the risk on Streemian because I already connected for my Discord verification.

How are those two things related?

I thought I remembered having to connect Streemian in order to register for the PALnet/MinnowsSupportProject on Discord but it was actually just through my main Steemit wallet. Was hunting just now for the first post I followed that had the instructions and it was this one.
https://steemit.com/minnowsupportproject/@discordiant/registration-tutorial-msp-palnet

So I couldn't remember what it was I'd been asked to do in Streemian then I remembered it was this post which was to do with joining TeamAustralia instead, I was following the instructions about halfway down.
https://steemit.com/teamaustralia/@scooter77/supporting-centerlink-and-teamaustralia-all-sbd-from-this-post-donated-to-centerlink-program-how-can-you-ensure-your-upvoting

On Discord one of the instructions in the pinned messages on the teamaustralia page registration was to follow the banjo bot and minnowssupport bots and send them $0.01 each to authenticate, then to go to steemvoter and set up a rule to follow minnowsupport, then to go to Streemian, authenticate the Streemian account also with $0.01 then follow the @centerlink curation trail, then to let an admin know.

Can't remember the exact order I did it in. I just remember that the first time I logged onto streemian they had two authentication apps and the first one crashed and went to an unlocked (not https) page and the second one was a .js app and worked okay. I'm on windows 7 so it may be different for a mac user.

OK, thank you for clarification.

Gandalf is steeming some really good stuff.

Thanks for sharing that information! There were some times when I nearly pasted my key into the memo field.

Too many 3rd party websites ask me for my Steem keys. This is a ubiquitous bad practice encouraged by the community. steemit.com needs something like an oauth - a single secure protocol to manage access without the need to disclose the keys.

The answer is: SteemConnect v2

This is great! I never realized there's actually a working solution. Thanks for pointing it out!

I agree. I want to test out the many interesting services built on top of Steem without trusting them with my Steem keys yet.

So basically use common sense?

That should work :-)

Private key starts with "5j" , but also memo key starts the same, right?

All keys, whether it is Owner, Active, Posting or Memo, come in pairs: Private and Public.

Private keys start with 5
Public keys start with STM

Well I am stupid like a broken brick. I proclaimed myself as 'IT security enthusiast' and what did I do in my first transfer from bittrex? Put my public memo key in the memo field. And it was after I'd read posts of @lukmarcus and @noisy about not doing it. What a moron. I have planned a self-sterilization for this evening so no more chances for my genes to survive. And all of this greatly explains my avatar image selection (this sentence is kind of offending for apes, sorry guys, didn't mean to).

It is not helping my despair that it was only public key. No keys means no keys.

Sending a public key doesn't do any harm, it's just an indicator that you are doing something wrong which might lead to some bigger mistakes in the future. Fortunately you've realized that in time and now it's good.
So... every cloud has a silver lining ;-)

Thank you so much for your help, and for keeping us safe. I got my account back and I really appreciate everything you do.

Thank you for your kind words.

You don't have to thank me, you did all the work 😆 really am thankful

gtg is awesome hum. Glad you recovered Dear. He protect steemians!! cya sweetie

He really does 😆

Thank you, this is a great reminder to take care of our passwords and that these things happen to even the best of us.

Isn't this fixed? Didnt they block posting keys in the memo field?
Thanks for all the good info, very useful

This is a much broader case than just a key in the memo field.
Of course app providers can restrict memo field in a way to not allow posting key material. Some of exchanges do that already.
Also, even if app provider doesn't check memo field, recent nodes would block most of such transactions (but at this point key is in fact already leaked at least to such node).
Unfortunately there are a lot more possibilities here, like posting such key on social media, chats or other public places.

Great write up. Passwords is something anyone can slip up on. Everyone needs a reminder from time to time.

Thanks for the share! Resteeming for that gentle reminder :)

Thank you :-)

good info I am new to steemit and just learning I still have never sent any SBD to anyone or anywhere and want to learn as much as I can so I do it safely for someone new like me can you recommend a link or post that has some step by step instructions for how to power up or what the best practices are to maximize how much steem I can earn? I am not the best with computers or tech language and a lot of these post seem to overwhelm me so some simple info to help would be best thanks so much will upvote for you as a witness as well.

Thank you :-)
I would recommend to start with Quickstart Guide and Frequently Asked Questions.

I never knew just how secure these keys are until I read your post. I didn't really have much value in my account but that could change and losing the little I have there is still a thought I don't want to entertain. Thank you for the education.

Thanks for sharing this, always good to inform newbies and refresh it for experienced crypto users about the risks which come with controlling your own money (and "bank accounts" in that sense).

Might be worth mentioning that those tips apply more or less to all cryptos, not just Steem!

It was somewhat surprising how often this seems to happen. But then it ALMOST happened to me... A simple copy paste that did not turn out as expected! Luckily a habit of double and triple checking caught the mistake!

This is a very handy article and I will be sure to remember what you said.

Safety first, I can't stop thanking you for this lecture . Your are a cheerful giver, thanks @gtg

Great post. I can't wait until SteemConnect2 is released since I like to delegate SP to my wife or Minnowboosters but always worry to use the existing tools (except Vessel) because of the reasons you mentioned.

Thanks again for saving my account!!!! I will never do the same mistake) anyway i will try lol 😁😁😁

Your post is very useful for people like me)) Thanks for writing it for us and for warning about this danger!
Thanks for your time to this post, cos i know how busy you are) 😉😉

I'm glad it ended well. :-)

Me too 😂😁😁

Good thing to know. You're making me worried now, but a little concern is a good thing.

I still dont understand what keys are used for though. Is that like some kind of backup password or something?

You might think about Master Password as a container with all the keys inside to make life simpler for users that are not used to managing key material. In fact, under the hood, Steem doesn't know anything about Master Password. Steem uses keys. Steemit site, on browser side (i.e. locally, on your device) gets proper key from Master Password and uses it to perform actions on Steem. Changing Master Password generates all new key pairs and replaces them.

Thanks for the reminders about the password... lots of hard work could be wasted if you aren't careful!

Account safety is really important. I mean you work for a year on steemit, gather 10k steem and for a hacker it takes just few minutes to take it all if we are not careful. really liked your examples when we can reveal our keys by mistake. And I guess that can happen to anyone.

Man, you're a mystery comparing to other witnesses I've checked.
I've checked your posts all the way to the first one and all I found about you is you are into witness node security, user key security and you have a cat.
Well, somebody needs to be concerned about security stuff so, you have my vote ^_^
PS: I didn't TL;DR this post, I'll be careful.

Thank you :-)

I literally just logged in here via mobile for the first time. The password wasn't valid. I nearly panicked. I checked my notes again and cross checked with a handwritten one. Somehow, my notes on my phone had the password doubled and copied in length with one letter missing. Thank goodness for my handwritten one I keep on my person at all times. I don't even know how this screwed up!

Another excellent post by a key member of the community. Thank you. As you may recall I'm new, lost, and confused on all fronts here......but less so these days thanks you and others like @lukestokes, @karenmckersie. But a special thank you to you and this post here. As I plan on transferring out a little steam to my bitpay card through bittrex. Will be my first time doing this. So perfect timing to read this post, before I go ahead and put my password in the memo field or some other total rookie mistake. Great post and keep up the great work! -Dan

Thank you for your important work and also to emphasize on the difference between public and private keys! Because the keys are so abstract, just a string we/somebody don't relate to their value or the funds we invested sometimes. We are used to have physical objects like cards, keys and are often very careful with these touchable things but with such virtual string chains it is sometimes not so obvious or we are simply not aware.

We have hundreds of passwords for the internet and sometimes no secure password paper wallet or tool. Sometimes also STRG+C, STRG+V can be dangerous.. just one moment of lacking in concentration and a private key is posted somewhere.. better to be calm with such things is my recommendation, because it's easier to paste a string than use a key made of steel!

It seems that you are an expert when it comes to security. The Empire has a very significant security issue but my moronic, puke-inducing, decrepit, old boss The Emperor refuses to address it. What would you suggest for this?

My boss says not to worry because it is only only about 2 meters across, but he's a freaking idiot so I try not to listen to his gravely voice.

If you think of something, The Empire would appreciate it if you left your suggestion here or in the comments of my latest transmission.

Oh my, that looks like a serious security vulnerability. Some serious bugs could slip through such hole causing Kernel Panic or Blue Star Screen of Death.
Patch it, you should.

Sadly this is who my boss has put in charge of IT.

I keep telling my idiot boss this needs to be patched ASAP, but you know how old people are with technology .

I'm just the most powerful being who ever lived, what would I know?

Some day I swear I'm going to throw my boss down a bottomless shaft.

You deserve my witness vote. Good luck gtg!

Thank you :-)

Thanks for the info, I'll make sure I take proper care. But I still hope that some day steem gets easier to use for everyone, especially since millons will be adding up before the next year ends.

Safe and easy authorization? Sounds like a Nobel Prize challenge. ;-)

True, lol.

Thank you. I have to read this again at home when I can chew on it. Don't you have to give your posting key to steemian to use their services? Isn't that a problem too?

For a regular user it is very hard to tell if an app is using your key only locally to sign transactions or is sending that key somewhere and storing it online for malicious or ignorant reasons.
SteemConnect v2 is going to solve most of such concerns, it is an awesome service that would help both developers and users.
I'm looking forward for wider adoption.

Really alarming and such a scary picture I have seen due to a little ignorance, thank you dear @gtg for this information.

Interesting your posts. I love to read each and every post of yours. Sometimes I don't get time to read the full content but I make sure that whenever I am free I read the whole thing. Thanks for sharing... :)

I love to read each and every post of yours.

Yeah, for sure. You've posted that very same comment under multiple posts, but none of those posts was loved enough to get your precious upvote. Unlike every one of your own comments.

Seriously?

Sometimes, you just have to wonder????

Great info - much appreciated :D

Very useful for SteeMians!
thanks for sharing.

Thanks for this

a debt of gratitude is in order for sharing.

Hi.. I'm new Here, I need a push , thank you for up vote this post

Hi.. I'm new Here, I need a push , thank you for up vote this post

Spamming with such comments doesn't make you succeed on this platform. Create original, good quality content, work hard, then you have a chance to be noticed. Taking shortcuts doesn't pay well here.

Very informative! Thanks for sharing this with us. You saved me...I will be careful now.

great tips...upvote and resteem

The @OriginalWorks bot has determined this post by @gtg to be original material and upvoted it!


To call @OriginalWorks, simply reply to any post with @originalworks or !originalworks in your message!

To nominate this post for the daily RESTEEM contest, upvote this comment! The user with the most upvotes on their @OriginalWorks comment will win!

For more information, Click Here!

waw ... nice post @gtg

very useful for me. so that our future should be more careful again

thanks :-)

As someone who already knows the difference between the keys.

I found the practical tips you gave still very useful :)

Good post @gtg :)

Good words.

great info! nice picture steemit
