Memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't.

Two months ago I wrote that You shall not (leak your) pass.

My security research is an ongoing process; I'm trying to protect Steem users from hurting themselves by leaking their keys and passwords.
(Also with the help of @almost-digital's dsteem powered tools)

Apparently, it's not as easy as stopping Balrog.

Lately I've successfully secured hundreds of liquid SBD and STEEM and almost $100,000 worth of Steem Power. But there's not always a happy ending. Sometimes malicious users are faster. Sometimes you can't even tell if the current owner is the original one. Sometimes account recovery is needed. Sometimes it's just too late to do anything.

Gandalf's stories
- "Steem Wizardry" by Inber

Fields of Despair: Memo

The most common user error was to put private material into the memo field while doing transfers.
Keys, both public and private, should NOT be placed in memo fields.
Memo fields are used to distinguish one transfer from another.
Whatever you enter in a memo field will be available to the public. Forever.

Valid use cases include:

  • When Alice transfers 10 SBD to Bob she could enter Wednesday's Pizza in the memo field to let Bob know what it is for.
  • When Dylan appreciates Bob's new lyrics, he sends him 100 STEEM with the memo Dude, "Masters of War" is a cool song, but Tatiana's version is so much better
  • When Frank wants to get a flag from Charlie, he sends his post's url as a memo.

Memo fields used while making deposits (sending money) to exchanges

Sometimes, however, you have to set your memo exactly as directed.
Exchanges such as bittrex, blocktrades, changelly, poloniex and others require you to set the memo to an exact value when you are sending money to them. They use that specific memo value to tell which user a deposit belongs to. Each user has their own distinct memo value, but it has nothing to do with your keys or passwords! To get your proper memo value, you need to follow the exchange's deposit instructions. If you don't, you will lose your funds.
Please note that usually there's a different memo for sending SBD and a different one for sending STEEM.

This is what a bittrex memo might look like:
0ab23c4de5fa67bc8de
This is what a blocktrades memo might look like:
a1b234c5-de67-8f90-1a2b-c345d6e78fa9
This is what a changelly memo might look like:
1a79a4d60de6718e8e5b326e338ae533
This is what a poloniex memo might look like:
1abcd23456789012

A memo is never your key or password.

Memo fields used while making withdrawals (sending money) from exchanges

For many digital currencies, your address is the key. Steem is different. Your address on Steem is your account name.
When alice wants to send STEEM to bob, she just needs to put bob in the address field. The memo field is optional in this case. Regardless of the memo value (which can be empty), bob will receive those funds.

How can I lose my key?

Unfortunately, there are many, many ways users can leak their keys and passwords.
Do you think that this post is not about you?
Are you sure? I've already seen hundreds of leaked keys.
For over a year, it was never a software error. It was always a BKAC one.

There are people that are well aware of the importance of keeping private stuff private.
Errors, however, can happen.
Even to smart people.
Even to you.

Sometimes one misclick is enough.

You have copied your key and pasted it in the login window?
Have you checked that the link you used was to https://steemit.com?
Or was it just a site that looked the same?
Are you logging in using your private computer?
Or maybe you had a strong urge to upvote something while using a public PC in a library?
You keep your Master Password in your mailbox, so what could possibly go wrong?
Maybe you wanted to paste a link to cute kittens that you found just after logging in to Steemit and Ctrl+C didn't work for the link, but Ctrl+V did for the password?
You've used a cool tool that upvotes and stuff, but are you sure that it doesn't send your password through the net?
If you have any doubts, change your password/keys immediately.

Keys? Passwords? Whaaa?

The first rule of Steemit is: Do not lose your password.
The second rule of Steemit is: Do not lose your password.
The third rule of Steemit is: We cannot recover your password.
The fourth rule: If you can remember the password, it's not secure.
The fifth rule: Use only randomly-generated passwords.
The sixth rule: Do not tell anyone your password.
The seventh rule: Always back up your password.

Master Password: one password to rule them all.

When you set up your account through Steemit, you get a Master Password.
With the Master Password you can do everything with your account, because it "contains" all the keys to control it. In fact, the Master Password is used to derive all keys for your account.

What if you leak it?

All the bad things will happen, as if you leaked your Private Owner Key (see below for the consequences and instructions).

What if you lose it?

If you have your Private Owner Key saved somewhere, then you can use it instead.
If you don't have it, then it's GAME OVER.
Nobody will help you, because nobody can.

A more secure way is to use individual keys when appropriate.

Keys

Private Owner Key

It can do everything with your account, including changing other keys and the owner key itself, or doing account recovery. Keep it secret, keep it safe. You don't need it for daily use. Don't lose it. It is best to write it down and lock it in your safe or secret basement. It's your last resort in case your other keys are compromised.

What if you leak it?

You will lose control over your account, your keys will be changed, your liquid funds will be stolen instantly, your savings funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of the funds every week for 13 weeks.
Try to change your keys immediately.
If it is too late, you have 30 days starting from the day it was changed to proceed with Stolen Accounts Recovery. It might or might not work and you might or might not be eligible to use it. If for some reason it doesn't succeed, you will never regain access to that (soon to be empty) account.

What if you lose it?

GAME OVER
Nobody will help you, because nobody can.

Private Active Key

You can use it to do almost everything except for changing Private Owner Key. You can vote for witnesses, change your account properties such as your profile picture or cover image, change your Private Posting Key, and most importantly: transfer your funds. Use it only when you need to perform such actions.

What if you leak it?

You will lose control over your account, your active and posting keys will be changed, your liquid funds will be stolen instantly, your savings funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of your funds every week for 13 weeks.
However, you can use your Private Owner Key or Master Password to change leaked Private Active Key.

What if you lose it?

Use your Private Owner Key or Master Password to set a new one.

Private Posting Key

You can use it to post, upvote, follow, resteem, but not to transfer your funds. The best option for day-to-day use. Still, use it with care. Despite being only a "Posting" it is still "Private" and it is still a "Key".

What if you leak it?

Your posts and comments might get vandalized, malicious users might post, upvote, downvote, resteem etc. on your behalf. You can use your Private Active Key, Private Owner Key or Master Password to change leaked Private Posting Key.

What if you lose it?

Use your Private Active Key, Private Owner Key or Master Password to set a new one.

Other keys

Signing Private Key and Memo Private Key are not in the scope of this post. If you need to use them, you already know what they are used for and why.

How do those keys look?

This is what a Public Key of any type (Owner, Active, Posting, etc.) can look like:
STM6n8WV3imRd454CMY8akRFY4CLbyJVvWS3UdVDWw1dayf4xU47Z
(please note that it starts with STM)

This is what a Private Key of any type (Owner, Active, Posting, etc.) can look like:
5JNyFp1pWNYaHCDEiR7mop5cRzpHcA2psLNRdykhzgbjPzxsqcg
(please note that it starts with 5)

This is what a Master Password can look like:
P5KjZuqMC9q7MR1iKeXA2KzpRhnMHyhLQNyBHSDnSSiTiKnjyUCN
(please note that it starts with P5)
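The key shapes listed above are exactly what a memo scanner has to recognise to catch the "private material in the memo field" mistake from the first section. The following Python checker is an added example, not the author's code or his dsteem-powered tools; the function names are mine, the WIF checksum rule is the standard Bitcoin/Steem format, and the sample key is built from a constructed dummy secret.

```python
import hashlib
import re
# Steem keys use the Bitcoin base58 alphabet (no 0, O, I, l); private keys are WIF:
# 0x80 || 32-byte secret || 4-byte sha256d checksum, 51 chars, always starting with '5'.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CHAR = r"[1-9A-HJ-NP-Za-km-z]"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def wif_encode(secret: bytes) -> str:
    """Encode a 32-byte secret as a WIF private key (used here only to build the constructed sample)."""
    payload = b"\x80" + secret
    return b58encode(payload + sha256d(payload)[:4])

def is_wif(token: str) -> bool:
    """True only if the token has the WIF shape and its embedded checksum verifies (cuts false positives)."""
    if not re.fullmatch("5" + B58_CHAR + "{50}", token):
        return False
    raw = b58decode(token)
    return len(raw) == 37 and raw[0] == 0x80 and sha256d(raw[:33])[:4] == raw[33:]

def classify_memo(memo: str) -> str:
    """Most severe finding in a memo: master_password > private_key > public_key > ok.
    A Steemit master password is 'P' + WIF; a public key is 'STM' + 50 base58 chars (shape only)."""
    finding = "ok"
    for token in re.findall(B58_CHAR + "{50,53}", memo):
        if len(token) == 52 and token[0] == "P" and is_wif(token[1:]):
            return "master_password"
        if is_wif(token):
            finding = "private_key"
        elif finding == "ok" and re.fullmatch("STM" + B58_CHAR + "{50}", token):
            finding = "public_key"
    return finding

# Constructed sample (not a real key): a WIF derived from a fixed dummy secret, for demonstration only.
DUMMY_WIF = wif_encode(bytes(range(1, 33)))
```

Exchange deposit memos (hex strings, UUIDs, digit runs) are far shorter than 50 base58 characters and therefore never trigger a finding, while a pasted key or master password does.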

Never send your keys online

A Private Key is called PRIVATE for a reason.
You cannot post it online.
Never.

"- OK, but when I log in on steemit.com I post my key so the site knows it's me, right?"

No. The Steemit site is written in a way that your key is kept locally in your browser at all times. When you post or comment or upvote, such transactions are signed with your key.
The signature is sent with the transaction but your private key isn't.

Every time you enter your key or password in some app or site, you need to trust it.
There are many scenarios in which you might lose your key:

  • the author of an app might be malicious and instead of keeping your keys locally to sign transactions, he will send them to his server and misuse them
  • the author of an app might not be skilled enough and manage your key in an insecure way, thus putting your account at risk

TL;DR:

You will lose your funds if you disclose your private key.

Do not learn from your own mistakes, learn from the mistakes of other users.



If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf.



Steem On
Be Safe
