There seems to be some confusion as to how the Steem blockchain is secured, so I thought I would give a simple introduction into how it works. If you are not familiar with encryption technology, then Steem may seem rather confusing for you.
Traditional computer infrastructure used passwords which are like keys that would open a door, with the data sitting inside the room. The programs and operating systems would then dictate how that data is used based on the settings of that account. The system administrator determines those rules based on the corporate policies and procedures he / she is using to control access to that data. The security of the data rests with the guard at the gate to ensure nobody gets past the perimeter to access the data. Any hole in the perimeter puts the data at risk. Trust me, there are lots of holes in the perimeter and that is why you hear of so many security issues with computer systems.
However, the Steem blockchain is very different. The data is all out in the open, accessible by anybody. There is no guard at the gate waiting to see if you have the right key to open the door. You could download the whole entire database if you want. So how is the data secured? Encryption.
Your wallet and capacity to post on the blockchain is controlled by using public and private encryption keys, not passwords. Public and private encryption technology has been around for years, so how does it work?
Let's assume you wanted to send me a private message. You would need to send it over a public network that anybody could see. So how do we keep it private? Well, if I have a public and private encryption key, I would release the public key to the world and I keep my private key safe and secure. My eyes only. You encrypt the message using my public key and the only key that can then decrypt that message is my private key. Now it is safe for you to send it across any public network as it no longer matters who has a copy of the message. The chances of them breaking the code is very, very small. Only a quantum computer would be able to break that code. (a topic for another post later on)
Well, the Steem blockchain works in a very similar way. Except it is a bit more complex. When you first got your account, you were given a master encryption key. That key allows you to do anything on your account. You really need to write that code down and store it in a very safe place. You lose that code, you lose access to your account, including your wallet that stores all your steem and SBD as you have no way of decrypting the data. If somebody else managed to get access to that code, then they could take over your account, which has happened!
To be safe, we should be using the other encryption keys that have limited access. That way if we lose one of those keys, we can easily reset the encryption keys and lock anybody out who managed to get their hands on our private keys. That is what the master and owner encryption keys are used for. So we should not be using it for our daily tasks. There are people out there working hard to get your encryption keys. Even with due diligence, the best of us slip up. So it is best that we limit the access we have to our own accounts in the event that somebody tricks us to giving them our private keys. If somebody got my private posting key, they cannot do any financial transactions or take my account away from me. That gives me peace of mind and protects myself from errors in judgement and mistakes.
What is neat about this platform is that the system has other keys that allow users to have limit access to the account. Many groups now share a single account. By keeping the master key safe, I could give out my private posting key to others to help me post comments or posts. They don't have access to my wallet, but they can help me with content creation. I could give another user my active key which allows them to deal with financial transactions, steem delegation and do postings as well. So now the flexibility becomes interesting as it allows an account to be shared by larger groups of people holding specific responsibilities.
If you go into your wallet and click on the 'Permissions' option, you will see your public keys. Everyone has access to these public keys. They won't be able to see your public keys through the steemit.com web interface, but they can use www.steemd.com to view your the public keys.
My own public keys.
To find out what your private keys are, go into your wallet and click on 'Permissions' (left side of the screen). You will see all your public keys. To view your private keys, find the small little green buttons to the right of the screen. Some you can click on to toggle between the public and private key, others require that you log in with your master or owner key to view the private key.
When you view your private keys, you will notice that a 'print' option shows up in the top right corner of the screen. Click that button to print off a page with all your private keys. Make sure you store that document in a safe place. If you lose your keys, you lose your account and all the hard work you put into your blog and the rewards you received as a result.
For most of us, we won't have multiple people working on the same account. As such, I recommend that when you post comments or posts, use your private posting key to log onto your account. For example, this post was written while I was logged in with my private posting key. When you want to do any financial transactions, then you will be prompted for your active, owner or master key. Using the Active key is sufficient to perform those tasks. It should be a rare case where you would need an owner or master key. Only use them in the event that you need to reset your encryption keys in the event that the security of your account has been compromised.
If you think somebody has compromised your account, then break out your master or owner key, log in and change your keys and print out the new keys and keep them in a safe place. It has been over 10 years since I retired from a 20+ year career in computers as a network administrator and manager. Please know that the user has always been the weakest link when it comes to security of our data. We all make mistakes and these steps can help protect you from making a mistake that could end up being very costly to you and your family. I hope this helps.
@pfunk wrote a post about 2 years ago about this topic and he has a nice graph to explain what each key can or cannot do.
https://steemit.com/steemit-guides/@pfunk/a-user-s-guide-to-the-different-steem-keys-or-passwords