Taking Preventive Actions

The day before yesterday I wrote a post that prompted a comment and discussion regarding account security.

While I am quite aware of potential security issues we have by continuously using our private keys (even the private active key), I chose to ignore it for a long time.

There is the issue of continuing to trust a party to do what it says it will with our private key, and to trust that their servers won't get hacked. It has happened: for example, we were urged in the past to immediately revoke posting permissions from the Utopian app because of such an unfortunate incident, which, if I remember correctly, was an inside job, not a hack per se.

But I also believe the more you use your private keys yourself (as in copy-pasting them, for example), the likelier you are to make really bad mistakes. These range from using the wrong private key where it's not needed (meaning one with higher permissions) to much worse, like putting your private keys in the open, for example in the memo field; many have done that and got their accounts compromised. Or submitting them to phishing sites.
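One safeguard against the memo-field mistake described above, as an added example that is not from the original post or from any Steem project: scan a memo for anything that decodes as a private key before it is broadcast. It assumes Steem private keys are in WIF form (51 base58 characters starting with "5", version byte 0x80, double SHA-256 checksum); the function names are hypothetical and the sample key is constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Lookahead makes matches overlap, so a key glued to other text is still found.
CANDIDATE = re.compile(r"(?=(5[%s]{50}))" % B58)

def _checksum(payload: bytes) -> bytes:
    # First four bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def wif_encode(secret: bytes) -> str:
    # Used here only to build a constructed sample key.
    payload = b"\x80" + secret
    return b58encode(payload + _checksum(payload))

def is_wif_private_key(text: str) -> bool:
    if len(text) != 51 or any(c not in B58 for c in text):
        return False
    raw = b58decode(text)
    return len(raw) == 37 and raw[0] == 0x80 and raw[33:] == _checksum(raw[:33])

def leaked_keys(memo: str) -> list:
    """Return every substring of the memo that is a valid WIF private key."""
    return [m for m in CANDIDATE.findall(memo) if is_wif_private_key(m)]

if __name__ == "__main__":
    sample = wif_encode(bytes(range(1, 33)))  # constructed, not a real account's key
    print(leaked_keys("thanks for the vote " + sample))
```

The checksum test is what keeps ordinary memos that merely contain a long base58-looking string from being flagged.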

So, while I'm not a security freak or something like that, and while the stake of all my accounts combined doesn't even add up to a dolphin level, I began to take some stricter security measures.

One of them is an ongoing process that I began a few weeks ago: it will move my SP from my main account to an SP holding account, and from there I'll delegate back to the main account. I started explaining it here, and a series of posts followed.

It's not for everyone, I'd say, because it makes the SP much harder to move, once in the SP holding account and delegated to your main account. But I won't insist on this point.

The other aspect that I considered more seriously at the end of this week is using Steem Keychain.

There are certain advantages to using Keychain:

  • it's installed locally in your browser, as an extension (with the disadvantage that if you use multiple browsers you have to install it and set it up in all of them, but it's an easy process)
  • you only enter private keys ONCE, and they are stored securely in the Keychain extension
  • supports multiple accounts
  • I'll quote from @yabapmatt below:

When using a Steem-based site that has integrated with the Keychain extension, you no longer have to copy and paste your private keys into the website, which can be a serious security concern. Instead, the site will request that the Keychain extension use the appropriate key to sign and broadcast transactions on its behalf.

Keychain has multiple wallet functionalities, including delegation management (for which the private active key is needed).

You can look at the broader presentation Matt gave of Steem Keychain in his last post on this subject, about two months ago.
https://steemit.com/utopian-io/@yabapmatt/steem-keychain-update-firefox-version-now-available

Keychain still needs more adoption, especially on the steemit.com interface, but more and more dApps are offering it as an alternative to SteemConnect.

I haven't used it up until now for two reasons:

  • I was waiting to see if it will be adopted at first, but now I don't think that will be an issue
  • I use the Brave and Opera browsers, and was under the impression the extension was only for Chrome and Firefox so far, even though both Brave and Opera use the Chromium open-source browser engine from Google which powers Chrome too (but Chrome is much slower than Opera, from my experience).

On the second point, it appears Brave natively supports Chrome extensions, so it can be installed on Brave just as if it were on Chrome. On Opera, thanks to Matt who pointed it out, I first installed the 'Download Chrome Extension' extension, then Keychain. If you need directions for Opera, you can find them here, for example.

Here's how it looks, by the way:
image.png

Pretty cool, huh?
