Review your recovery account, if you don't want to lose your assets!

in #witness-update, 7 months ago (edited)

If you don't own your keys, you don't own your assets. Remember that sentence and review your recovery account. Seriously, do it right after reading this article. It's crucial for your digital safety.


TL;DR: if you have steem set as your recovery account, your assets are not secure, because you won't be able to recover your account if someone changes your keys. Change it to your alternate account or to someone you can trust.


If you're using the Hive blockchain, I hope you know how it works. I hope you know that, due to blockchain principles, you cannot recover a forgotten password or private key. It is just technically not possible. Nobody stores your private keys or master password, but it is possible to change them through a blockchain-level mechanism. Anyone with the master password or owner key can do it. You can do it, and so can anyone who knows your password.

Now, try to imagine how someone could obtain your keys or master password:

  • it could be guessed if it's short and easy (master password)
  • you could publish it within your post by mistake (I bet you do copy your keys from time to time)
  • you could send it as a transfer memo by mistake
  • you could post it on your discord or another communicator by mistake
  • you could publish a screenshot of your desktop screen with keys revealed
  • someone could take a photo of your screen with your keys revealed
  • you could commit it to your public git repository by mistake (if you're a developer)

Do you think you won't make a mistake? Never? Seriously? I will tell you one thing: we all make mistakes.

But there is a mechanism built into the Hive blockchain to recover an account even if you don't know the new keys. It's especially useful if someone changes your keys without your permission, aka "your account has been stolen".

Account recovery

The idea behind the mechanism is quite simple. If you have your previous keys, you can change the current keys. This is possible during the first 30 days after the change. Why did I say that it's not possible to recover a forgotten password? Because you have to know your previous keys. It's that simple. If you do, it's possible to recover the account. If you don't, you're done.

By the way, that's the reason you have to be careful if you plan to buy an account from someone. Even if you change the keys, the previous owner could recover it, and you could lose any assets you have already deposited. Please keep this in mind, and if you really need to buy an existing account, do not deposit any tokens on it during the first 30 days after changing the keys.

Recovery account

It's also crucial to understand how the recovery mechanism works, and basically, it's all about trust. Every Hive account has something like a "recovery account", which is a trusted entity that could make a recovery request for you. Yes, another account needs to make a request to recover your account. You cannot do it by yourself.

This is why you need to take care of your recovery account. By default, it's set to your account creator, which is often steem (if your account was created by Steemit Inc). If that's your case, you are in danger now. Steemit Inc was bought by Justin Sun, and he doesn't care about the blockchain and its users. You can be sure that he will not be willing to help you with the recovery process.

So what happens if someone changes your keys? Your account is lost with all of its assets because you can do nothing with it. Good luck with contacting Justin Sun to start your recovery process.

Change your recovery account

This process takes 30 days, so do it now if you want your account to be secure. You cannot change your recovery account if someone already changed your keys!

How to check which account is set for you? Just visit https://hiveblocks.com/@youraccount (replace @youraccount with your real Hive account, of course) and check the left sidebar. There will be a piece of information you're looking for:

Which account should you use? If you have multiple accounts, you can use your second account. If you don't, set your friend, family member, or someone who knows you and whom you trust. In case of emergency, you will need to prove that "you are you", and this account should be able to immediately start the recovering process.

Do not set yourself as a recovery account (don't do self-recovery). You can't start the recovery process if someone changes your keys, so it's just like having steem. Always use another account.

How to change the recovery account?

1. The easiest way is to use peakd.com:

You will need your Private Owner key to publish the transaction. Afterwards, you should see something like this:

2. Use hivesigner.com

Prepare the link for yourself:
https://hivesigner.com/sign/change_recovery_account?new_recovery_account=YOUR_SECOND_ACCOUNT

Replace YOUR_SECOND_ACCOUNT with your second account or any other trusted party whom you want to have as a recovery account. Visit the link and sign the transaction with the Owner Key.

Do not set yourself as a recovery account (don't do self-recovery). You can't start the recovery process if someone changes your keys, so it's just like having steem. Always use another account.


I started notifying 243 015 users who should care about it

I've used HiveSQL to get a list of accounts that:

  • have steem set as a recovery account
  • have a reputation of 25 or more
  • have at least 0.001 HBD or HIVE

I'm going to send a transfer to each account with a proper warning and instructions in a memo.
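An added example (not the author's notification script or HiveSQL query) of the recovery-account check behind such a list, which also accounts for a change that has been requested but is still inside its 30-day delay. The record shapes are assumptions modeled on the condenser_api.get_accounts and database_api.find_change_recovery_account_requests responses; all sample data is constructed, and the reputation filter is not reproduced.

```python
from datetime import datetime
from decimal import Decimal

UNTRUSTED = {"steem"}            # recovery accounts the post says cannot be relied on
MIN_BALANCE = Decimal("0.001")   # the post's threshold: at least 0.001 HBD or HIVE

# Constructed sample accounts (assumed shape: condenser_api.get_accounts).
ACCOUNTS = [
    {"name": "alice", "recovery_account": "steem",
     "balance": "12.500 HIVE", "hbd_balance": "0.000 HBD"},
    {"name": "bob", "recovery_account": "steem",
     "balance": "3.000 HIVE", "hbd_balance": "1.250 HBD"},
    {"name": "carol", "recovery_account": "carol",
     "balance": "0.000 HIVE", "hbd_balance": "5.000 HBD"},
    {"name": "dave", "recovery_account": "dave-alt",
     "balance": "40.000 HIVE", "hbd_balance": "0.000 HBD"},
    {"name": "erin", "recovery_account": "steem",
     "balance": "0.000 HIVE", "hbd_balance": "0.000 HBD"},
]

# Constructed pending changes (assumed shape:
# database_api.find_change_recovery_account_requests).
REQUESTS = [
    {"account_to_recover": "bob", "recovery_account": "bob-alt",
     "effective_on": "2020-04-20T09:00:00"},
]

NOW = datetime(2020, 4, 9, 9, 0, 0)  # constructed "current time" for the sample


def amount(asset):
    """Parse an asset string such as '12.500 HIVE' into a Decimal amount."""
    return Decimal(asset.split()[0])


def classify(account, pending, now):
    """Return (status, detail) for one account record."""
    name = account["name"]
    funds = max(amount(account["balance"]), amount(account["hbd_balance"]))
    if funds < MIN_BALANCE:
        return ("skipped", "below the balance threshold")

    # A pending request decides what the recovery account will become,
    # so judge the requested target rather than the current value.
    request = pending.get(name)
    target = request["recovery_account"] if request else account["recovery_account"]

    if target == name:
        return ("self-recovery", "account cannot start its own recovery")
    if target in UNTRUSTED:
        return ("at-risk", f"recovery account is @{target}")
    if request:
        effective = datetime.strptime(request["effective_on"], "%Y-%m-%dT%H:%M:%S")
        days_left = max((effective - now).days, 0)  # whole days, rounded down
        return ("pending", f"changes to @{target} in {days_left} day(s)")
    return ("ok", f"recovery account is @{target}")


def audit(accounts, requests, now):
    """Classify every account, indexing pending requests by account name."""
    pending = {r["account_to_recover"]: r for r in requests}
    return {a["name"]: classify(a, pending, now) for a in accounts}


def needs_action(report):
    """Names that still have to change their recovery account."""
    return sorted(n for n, (status, _) in report.items()
                  if status in ("at-risk", "self-recovery"))


if __name__ == "__main__":
    for name, (status, detail) in audit(ACCOUNTS, REQUESTS, NOW).items():
        print(f"@{name:<6} {status:<14} {detail}")
```
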

If you want to know how to start and finish the account recovery process, let me know in the comment section and I will prepare appropriate instructions.

Vote for @engrave witness if you find this notification useful



Thanks for the heads up. I started another account for a project I will soon be doing, but it just links to my original profile.. Is there a way to separate the two, in case of this issue?? Then I can use that as a recovery and vice versa. I will be starting a show in the relatively near future, so I would have needed to do this at some point anyway.. Thanks again for the heads up :)

but it just links to my original profile.

If those accounts have different keys, you will be fine.

Then I can use that as a recovery and vice versa

Yes, you can do this, no problem :)

Ok Thanks a lot :)

Ok, Thanks
I upvoted you as witness

Thank you, appreciate :)

Many thanks for advice :)

Thanks a lot. You totally earned my witness vote for spreading the message 😇

You should check in your transfer script if the recovery account is already changed. It takes 30 days to be effective.

Fair point, I'm going to take that into account. Thanks!

Yeah guys, I just realised 30 days also, that's quite a long time.

30 days? Really?

Thanks for letting me know .... I shall sort and you get my vote for witness!!

I had no clue. Thank you very much. voted @engrave as a witness

When I got that right and I own @welovesteemit too. I should choose @welovesteemit recovery account instead of @steem.
Is that right?
Rehived.

That's correct. Don't lose your keys :)

That is the point. Is there another way to do that with a 3rd party like steemconnect on hive?
I do not like to give my owner key direct away and with steemconnect I had the best peace of mind feeling when doing that.
Thank you.

That's my question exactly. I would like to do it in a safe way with steemconnect or hive keychain, but I am not entering it on any website.

I'm currently working on a beempy update that allows it to change the recoveryaccount without python knowledge :).

I don't know that but I deem it rather likely that it works with vessel as well. Also, if you know a bit of python you could use @holger80's beem to achieve what you want. Using beem probably is the "safest" way if you know what you are doing but also requires the most knowledge and can go horribly wrong if you don't know what you're doing.

hi there, you sent me a message and i am trying to figure this out. Thank you

Thanks for the heads up, I've changed it! Much appreciated, I would have never thought of that one. Can't trust that justin guy.

Thanks for reminding me about this. Done it now on Steem and Hive

Voted for your witness, you've been doing some useful things for the community and I appreciate it :-) Cheers!

Thank you, I appreciate that :)

Great, I'm worried about this since first day of HIVE because my account trustee is Steem. So now what can I do the main problem is that how can I prove my ownership on account this is the Matter of concern if I set you to my account trustee. The second is that how can I contact you in case of an emergency.

Suppose I set another account of mine as my account trustee, then how can I recover the account in case of emergency, because I'm not a developer. Is there any tool on Hive to do that, like steemworld?

Yeah, seconded

It would be better to set your second account or a friend/family member rather than me. I will write a tutorial about how to do it on Hive so stay tuned and follow my account ;) There are some tools that allow you to do it.

Can you please write a tutorial about the recovery process on Hive for simple users who don't know about developing.

I would love to read that too.

Do you manage any community, which I could subscribe to?

Unfortunately not, but you can follow my account.

definitely include the process if you are the person they want to recover your account, on how to do it..

I right now would have no idea..

also thanks for the reminder!

I guess you should do it as described for Hive AND in addition on Steem too if you still have STEEM in your account. For Steem you can use steempeak.com and login via PeakLock.

Hey @engrave,

A great article, thanks for sharing!

Thanks for the follow, I followed you back and voted for you as a witness too! ;)

Great, thank you, I really appreciate it!

We got @blocktrades set as recovery account, is that safe @engrave?

Should be fine but if you have someone you can trust and within direct contact, set him. Or your alter account if you have more than one.

Thanks a lot for your memo and this tutorial!

I'm glad you've read that and responded. Keep your recovery account updated and you will be fine :)

@engrave Thank you for this vital information...
I would really appreciate it if you dropped a detailed process on how it is done

Ok, I will write a tutorial soon, follow @engrave and stay tuned :)

Thanks for the information. Much appreciated

No problem :)

Can I use @engrave? I mean everything is better now than @steem, right?

Do you own more than one account? Or maybe your friend or someone you know personally is also on Hive? If so, use them. As I wrote in a post, it's all about trust.

Hi friend, thanks for the helpful info. I will wait for your textbook :)

You can change your recovery account with peakd.com. I hope you will never need to start the recovery process but I suggest doing it as soon as possible.

We say that God protects the one who is protected :)

Exactly :) So we need to take care of ourself :)

Thanks for the memo 😉 I had already changed my recovery and it will be effective in 11 days 😊
Your post is so very useful and will help many, you may want to add that it takes 30 days for the change to be effective, so that people don't freak out if they do not see any change in the meantime..?

It's already mentioned in a post but I will rewrite it to make it clear :)

Private Owner key, is that one different than active & posting? Thanks so much for putting this reminder out there! Your instructions are really easy to understand. Hopefully, we never need to use this. It would be crazy to have account stolen!! Yeesh. Changing mine, it's set to steem now. Thanks again! ❤☀️

Yes, exactly, you don't use Owner Key on a daily basis. I'm glad it's helpful :)

Another question, from what I understand the recovery account needs to know how to work with the blockchain back end. So, it's better to have maybe a witness be back-up. Would @blocktrades be a good choice instead?

Not really, starting the recovery process is as easy as changing the recovery account. You just need to type the keys and broadcast a transaction.

Thanks a lot for your kind reminder! I was going to change that but after your message I am doing this now.

Thanks a lot! Important hint.

!invest_vote

@freiheit50 thinks you have earned a vote of @investinthefutur !----> Who is investinthefutur ?

I completely forgot. Thx for reminding me

You're welcome :)

I just received your memo:

I've noticed you have a recovery account set to @steem, which is not secure anymore. Review your recovery account if you don't want to lose your tokens! Read more: https://peakd.com/witness-update/@engrave/review-your-recovery-account-if-you-dont-want-to-lose-your-assets

Thank you for letting me know. Absolutely appreciate it.

ps. is there any way to DM you? Discord/telegram/linkedin?

Regards :)
Piotrek

done it, why it need 30 days?

Security reason. If your master password is compromised, for example, someone could change your keys and your recovery account so you wouldn't be able to recover your account.

Thanks for the tip! I change my recovery account!!!

Haven't been active here in the last few months, this change is new to me.
But either way, thanks for the headsup! Much appreciated.

Thank you very much - I didn't think that it would still be steem on the Hive ;)
!invest_vote

Only you can change that so it's just like before the Hive hard fork.

That's true and I have changed it a minute ago. Thank you very much again, have a great Sunday @engrave :)

And that happens when you have multiple accounts to edit and forget to switch back to your main account before you reply 😂

@johannpiber thinks you have earned a vote of @investinthefutur !----> Who is investinthefutur ?

Thank you very much for the memo, and I have already been on that path after talking to a friend that I trust and will have as my recovery person.. now I know what key to use, as I was told it was my active key or posting and it didn't work.. Now I know.. Thank you 🙏

This is important, thank you for the reminder!

You're welcome :)

I'm trying to change it in peakd but getting this:

Error during 'change recovery account' broadcast:
Missing Owner Authority brianoflondon

Not sure what's wrong, I'm giving it the correct owner password. I'm signed in to PeakD via Keychain. And thanks for the reminder to do this!

Try changing node to anyx.io or api.hive.blog and try again. You can find it under settings tab on peakd.com

I had the wrong key noted in my password manager. Recovered the correct one from peakd and all is good.

Good to hear, cheers!

It takes a full month for it to change?
Thanks for the heads up tho. I just changed mine.

Thank you for the reminder
I have already changed it but it takes a month to take effect
So there's four days before the switch.. :D

Ok, sorry for unnecessary notification.

Oh not at all
No need to apologise
I'm good with it :D

You contacted me. Can you tell me how I get a second account myself to use as my recovery acct. without getting it from someone else?

You can use peakd.com to create a new account if you have 3 HIVE or enough Resource Credits.


I tried to Claim Account Creation Token, (the only option other than powerdown that shows up), but when I click for it to do it I get this message:

I have 2200 HP

I also have a little over 9 hive so how do I do it with 3 hive? I didn't see that option.

Update: I had a friend who knows more about doing this stuff than me, and he can't see how to create a second account in peakd with the 3 hive you mentioned either.

Is there another way to make a second acct. for 3 hive without using peakd, since apparently peakd isn't working?

Update 2: I got help with creating a new acct. (used blocktrades) and used your instructions then to complete changing my recovery account. Thank you for posting this because I doubt I would have known otherwise that I even had to do this!

I'm glad I could help :) Consider voting on my witness!

I'd like to give you a witness vote, but it looks like most, if not all of your projects are for steem. I think that, for me, would present a conflict of interest for also being a hive witness. I don't think it's right to vote for a witness who has interests in steem. I do appreciate the info though.

Well, I do not support Steem at all, as you can read here: Moving all ENGRAVE projects to Hive. Steem Pruner was aimed to delete Steem posts, not to support it ;)

Thanks, I have now voted for your witness, and will do so with my recovery acct. too.

Thank you, keep your keys safe :)

Thanks for the note and a good idea. I have my recovery count already in progress should move in the next 4 days. Started it right after the shenanigans started to happen. It's going to an account that I created... Good Idea to let everyone else know.

Thanks for your warning..! Greetings from Venezuela..!

An error pops up.

You're trying to use a wrong key for sure.

I'm using the owner key too and I'm getting that same error.

So you are using wrong key or master password. You can try with hivesigner.

I thought the Owners Key was the Master Password....

RIGHT, so this is all very confusing, and was never well presented in steemit user interface:

Master Key: IS MASTER and opens up all keys to be viewed in the wallet
OWNER KEY: is really not used that much usually... and I had to use my master key on steemit.com to find my owner key revealed FIRST, THEN i went to peakd.com and got the rest of my account changes done. I was really hung up on how peakd.com and hivesigner want things, owner key vs master password, but this route really helped me get all my keys changed on both sites!

Ya i figured it all out eventually lol. Initiate 1 account so far, gona attempt to change the password and then initiate an account recovery and see how that goes. I've never done it before so this will be my test ;)

Same here. I have several accounts I used for communities, and they were all "@blocktrades" which I was able to change ALL the keys, password and recovery account.
BUT: The two original accounts I used on steem, have recovery accounts of "@steem" and my Owner Keys do not work for them on peakd.com, as user above NOTES!
Active key works, Posting key works, Owner key does not work. I believe I created these accounts before I knew what a Master Key was, or before that even existed, not sure. Assumed I was fine if I had my Owner key, now they don't seem to work on Hive?

I went to steem, entered my master pass and it revealed my owner key.
I guess I could have done same on peakd.com but it was not clear to me at first, how to do it..

Thank you very much for your reminder, I just changed it. So, its safe now until next 30 days? Waiting for your tutorial to recover account for non dev user.

You will be able to start the recovery process after the change takes place (after 30 days). But even if someone changes your keys now, you will have at least a few hours at the end of this period to recover it ;) Make sure you follow me, as I won't send more memos, so as not to spam people.

Thank you, this is indeed very important and useful! You have my vote and witness approval now, cheers!

Thank you, I really appreciate :)

Hi @engrave

Thanks for the memo. and also thanks for this post.

I followed the steps indicated but at the end of the process of placing my key to authorize it did not do any other function.

I look forward to your next tutorial and memo to indicate that you did it.

Regards.

Follow @engrave account if you don't want to miss the post as I won't send another memo. I don't want to be a spammer :)

Hi @engrave

I'm already following him.

When I finished doing the process, I got a popup with this message.

Error during 'change recovery account' broadcast:
Missing Owner Authority lanzjoseg

It means you entered an invalid key.

I wasn't aware of this. Thank you so much for the notification!

I wish I understood this plus I do not understand the difference between a Steem or Hive account. Peakd.com does not show me what you see underneath "settings".

I tried to explain as well as possible. If you still don't get it, just ask a specific question and I will try answering it.

I think I found it. I could not see the options on my phone. Sorry for the confusion. A lot of words make it all chaotic and hard for me to understand. Btw I had @partiko instead of @steem. Thank you. 💕

Thank you very much for this information!

Thank you so much for the heads up. I changed my recovery account just now.

I got your notice. And I changed my recovery account as you suggested. Thank you for advice.

No problem, keep your keys safe!

Thanks a lot! Your transfer made me aware of this! :)
Problem is I know nobody for real on hive :( I don't know who to set as my recovery acc

If you have another account, you can use it.

Yeah I know I have carefully read your post :D Unfortunately I don't have one :/ Should I create one?

EDIT: I created one ;) I don't want steem to be my recovery buddy

I appreciate the reminder... I totally spaced it. Recovery account changed. Thank you!!

You're welcome :)

Thank you for posting this.

I have a main account and a few alt accounts, so I'll be setting one of these as my recovery account, and set the others to have one of mine as a recovery account too.

Question: Is it necessary to reset all of my private keys and master passwords? Is there any possible way for Justin Sun, or whoever owns Steem, to alter its blockchain to view everyone's old passwords and private keys?

I don't want to change them unless there is any reason my keys are at risk.

It's not necessary to change your keys, it is not possible to view your private keys.

Thank you @engrave for letting me know. Much appreciated. I shall wait for your detailed tutorial.

You can change the recovery account with peakd.com and it's described in a post. I hope you won't have a need to recover your account actually ;)

A question; does the recovery account get access to your keys? I ask this as a lot of people have said "change your keys from steem keys" but is that really necessary if you have changed your recovery account?

Nobody has access to your private keys and there is no need to change them. Your recovery account is just a trusted entity that will start the process if someone hacks your account. You will need to prove that you have your keys (by broadcasting a transaction) and you should never show your private keys even to your recovery account.

Thanks. I thought as much but just wanted some confirmation. There is always risk when changing your master keys.

Thanks for the message @engrave ;)
2 questions:
Why is what was set on "steem" not automatically set on "hive"?
If i check "Stolen Account Recovery" Hive even mentions that
Hive gotta be put as trustee...
This person of trust you talk about, gotta have a hive account right?
And if i don't have this person of trust in Hive?
Thanks for your time

No one but you can change the recovery account. It was set to steem because Steemit created your account and now you should change it. I bet you know someone from a community in which you contribute? Or maybe you have a second account?

Is it too late to set up a second account?

Thanks for the reminder @engrave, although my recovery account wasn't Steem, I used the opportunity to set it to one of my alts... a bit of "housecleaning" I should have taken care of a long time ago!

Great to hear that, keep your keys safe!

Thanks for the heads up. I voted for you

Thank you :)

Thanks for the memo. I did mine and waiting for the longest 30 days ever.
Thanks again for the reminder

Thank you for that information.
Extremely useful.

I have steemmonsters and blocktrades as recovery accounts, but I really admire the way you are going the extra mile to warn everyone. Thank you for being an essential part of our blockchain world. Voting for you as witness!

I think that's fine but I bet it's better to have someone to whom you have direct contact :) Thank you for your vote!

Can't we do something at blockchain level to change it to something in hive for all these users ? Do we think, Justin will evade hive ? I understand he has control over steem, but can he manipulate things on hive ?

Changing this without user permission would be inappropriate. Justin cannot do much here on Hive (at least if he doesn't use another exchange to vote for witnesses). Having an invalid account as your recovery account is just a threat to your assets because only that account can start the recovery process. So if someone changes your keys, you won't be able to get your account back.

What happens if I create a claimed account and put that as my recovery account and my account will be recovery account for that anyways. Does that cause a circular dependency and not allowed ?

It is allowed and it won't cause any problems.

Thanks for the reminder! I will get on it.

Thank you for the memo! I have just changed my recovery account. It's an easy and useful tutorial!

Thanks for the reminder. Completely forgot about this.

Thanks, this was overlooked by me

How do I create another account? I don`t have any friends or family on Hive, so I am just going to have to create another account.

You can use peakd.com if you have enough Resource Credits or hiveinvite.com to "self-invite" (you need to spend 3 HIVE to create an account).

Okay. I will try that later since I need to work now. Thanks. :)

Appreciate the reminder @engrave. Thanks.

Thanks, for the heads up!

Thanks for the warning @engrave!

Lucky my lovely dog will be my recovery account in 16 days :)


...set your friend, family member, or someone who knows you and whom you trust.

If that friend dies or leaves the blockchain, then you're stuck.
Perhaps it would be better to set a group account as the Recovery Account, so that if one member disappears, another member of the group can assist?

If that friend dies or leaves the blockchain, then you're stuck.

Then you change the account again. You can do it many times, the crucial part is to keep it up to date.

Thanks for the reminder memo and tutorial. I just read your witness post and I didn't know you were Mr DBlog. I also didn't know about Engrave so sorry!
Best wishes fella. Witness vote is on its way :-)

Thank you :)

Thanks for the notification

If you believe there’s no chance however for anyone to get your owner keys to be able to change your password, would it matter who or what your account recovery password is?

Do you really think that you will never make any mistake and won't compromise your password or key? Recovery account is just a safety valve, it should be kept up to date.

Alright, thank you

@engrave, Thanks for giving us a warning about it.

My recovery Account = SteemHunt.
Is it Ok or I need to change it?

I would suggest changing it to another account of yours or someone you trust.

Thanks Again for quick reply
Ok, Can I set anyone I trust?
Or first talk to my trustee to approve me for it?

You can set anyone, but keep in mind that this account needs to start the recovery process manually. It means you will need to reach this account and ask for it to be done, so it's better to set someone you have direct contact with.

So is there anyone, to whom we Trust.
The person who invited me to Steemhunt also set "STEEM" as his recovery account

Do you know if we ever received the owner key by email from steemit? If yes, do you know from which e-mail address? I have Active Active but no owner key :-( I think i have a password too. Thanks!

I'm pretty sure Steemit never sent private keys by email. If you have a master password, you can always generate your private keys, for example using this tool.

Thank you, have changed it on Hive, but how can i do it on Steem, i want it there too. But peakd is now only for hive!?

steempeak.com is working for Steem

thanks, just did it.

Good to hear that but you shouldn't use the same account as recovery account! If someone changes your keys, you won't be able to start the recovery process.

Thanks so much for this, all updated now! 👍

Got your message. Thanks for the warning. I started the recovery account change process last month, though, so it should be done soon.

Thanks for the invitation.
I've already considered a change, but I don't have an account to request a renewal yet

Came by to say thank you for the hint!! I did set my recovery account now :) - have a great time - stay safe!

Some for you and Hive on!

Thanks for making the effort to warn so many community members about the possible dangers for this :-)

I see Holger80 already mentioned this, but in my case I had already set a new recovery account, but still have to wait 13 days for it to get into effect :D So I'm 'on my way' to safety at least!

Thanks again :-)
Cheers :-)

Yes, I've prepared the list without taking that into account and the tool to notify users was already fired up. It's my mistake but after all, I think it's better to send few unnecessary memos than not sending it :)

"I've noticed you have a recovery account set to @steem, which is not secure anymore. Review your recovery account if you don't want to lose your tokens! Read more: https://peakd.com/witness-update/@engrave/review-your-recovery-account-if-you-dont-want-to-lose-your-assets"

Hello you left this message in my purse thank you very much I will be attentive @engrave.

Yes, I did, please read the post to know more :)

kay thanks, doing it right now

Thank you. That's a really important thing! 😯