As the technology of cryptocurrency and blockchain goes mainstream, us normies (non-computer science trained people) are finding ourselves like tourists in the jungle. Even though we may be fairly intelligent, with a voracious appetite to dig in, we are still ill-prepared for the sheer number of new species of dangers we will face. Couple that with the fact that the vast majority of us are experimenting with our limited resources (money is a store of our physical labor and mental man-hours), and we are walking a fairly thin tightrope. We find ourselves in over our heads and often being educated by people who will benefit from our ignorance.
One of the concepts that is the most exciting and beneficial to the masses is that of decentralizing. It has been a long time in history since individuals had the possibility to really own their own labor, and be able to trade amongst each other without a highly controlled and manipulated currency dictating and hindering us. This is exciting, and we NEED to be in this space as much as possible while it is in its infancy so we can grasp the possibilities before the Ripples of the world trick us back in our place. Humans are very well trained, and it has been shown that one of the most important keys to our success as a species is our ability to memorize and perform rote actions on a large scale. We stand on each other's shoulders, and are able to be lifted so high because we are not weighed down by having to fully understand everything we utilize. We delegate responsibility and specialization in a truly awe-inspiring fashion: from mechanics to medicine we have more by entrusting others. The downside is we find ourselves victims of ignorance and our dependency leaves us vulnerable. To take our power back we have to relearn how to care for ourselves, and mistakes are inevitable.
It is ingrained in us that somewhere, somebody at the bank/internet company etc. has the ability to get our passwords back if we lock ourselves out of our account, that our money is 'insured' against stolen credit card purchases, and other such safety nets. Our autopilot has to be completely reprogrammed if we are going to survive and thrive in the blockchain. I think of people getting used to paper currency when it first found its way to the lower class, where months' worth of work could be misplaced or dropped, whole seasons of crops up in smoke when a breeze swept your notes to the fireplace, and all of the myriad other issues from lacking the proper behavior patterns conducive to a new technology. We need to understand the whys so we can trigger our warning alarms while we retrain ourselves on the whats.
Now for some simplified "Whats" about Steemit passwords and security ;) :
For all crypto-currencies and truly decentralized blockchain accounts YOU will be the only one who can access these. Just like hiding cash around your house, if you misplace your passwords you have misplaced your money/data. This is more to reiterate how your crypto currency wallets will function. It is like a real wallet vs money in a bank, you have sole possession of it, and if you lose it or get it stolen, it is gone.
For Steemit specifically there are levels of passwords. Understanding these will save you a lot of stress and loss.
Your Master Password is used ONLY for when you first log in, to change your settings or reset your password. I will explain how I and many others were hacked and how I could have easily prevented the loss below. But repeat this to yourself: I do NOT need to use the master password, I do NOT need to use the master password. You should print this password, or use some other method (now is your chance to get body tattoo clues Memento style), and keep it offline. This is like your lock box, safe or storage unit key.
Posting Key is what you use to log in to another device and post, comment, or upvote. This is the only password you should keep handy and really the only key you would use on a regular basis. If you insist on 'saving' your password on your computer or phone for easy logging in, this would be the ONLY one to save. If someone steals it, they can do some damage, but it will be mostly superficial and easily remedied.
Active Key is what you use when you are doing any transactions in your wallet, transferring money in or out. If somebody gets this, they will be able to immediately transfer your Steem tokens and your SBD to another account. It is then gone, just as if you had been pick-pocketed. Even though we can see where it goes, unless you have the expertise or connections to somehow track this to an end user and exact revenge, there is no other entity to cover the losses. A bank insures your money, but in exchange they are able to have access to it, and they use it to make themselves more money (find ways to charge you fees, or lend it to others and keep the profit). The insurance you get from them is not 'free'. IF you have your active key stolen or hacked, the hackers WILL get your liquid money, but you will be able to immediately use your master password to lock them out and regain control, meaning all of your Steem Power (SP, which is the bulk of your account) will be untouched, and you will be able to mitigate the damage they can do from posting or using your votes.
Phishing: This is not a new scam. Hackers have been phishing since online accounts began, but now we have to be extra vigilant, as we do not have a parent company to depend on to save us from mistakes. It's very simple: some link or email brings you to a screen that asks you to log in to your account, and once you log in they have your password and access to your account. They will immediately change the passwords and lock you out. You may ask yourself, "Who would be dumb enough to click a link or email and then give their password?" and the answer is A LOT of people, because you don't have to be dumb to get tricked. The phishing scams are getting more elegant, and are created in such a way that if you, like most people, have a lot on your mind and maybe function on autopilot while you respond to messages or emails, you will not realize anything is amiss.
The scam that got me was a comment that I was clicking through to see a curation trail that had supposedly picked up my post (this is not weird, there are lots of groups that look for specific types of posts and then curate them to their followers). I was chatting with my boyfriend about dinner ideas, while having my dog jump on and off my lap for pets, so I didn't notice that that link brought me to this specific page. The page that came up was to log in to my Steemit account, and it looked identical in every way except a single letter change in the web address at the top. I don't keep my password saved and my internet is spotty sometimes, so it is not uncommon for me to accidentally log out of accounts while I'm using them. Of course NOW I will always look thrice at the address at the top, but even if you did look at it, this had said Steemil.com so most brains would see those letters and give the green light. I also had the misfortune of not really understanding what the different passwords and keys were used for, because I am not on many accounts that have even more than a single master password.
If I had made this mistake and only put my posting key, it would have been a much more benign event. But, like a donk, I gave my master and BOOM, SBD gone, and comment spam pouring forth from my account at a dizzying rate.
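The single-letter address change described above (Steemil.com in place of Steemit.com) is something a script can catch even when a distracted reader does not. The following is an added example, not part of the original post: it classifies a link's host against an assumed allowlist (`TRUSTED`) using edit distance, and the sample links are constructed for illustration.

```javascript
// Added example, not from the original post. TRUSTED is an assumed allowlist.
const TRUSTED = ["steemit.com"];

// Levenshtein edit distance, computed row by row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "trusted", "lookalike", "unknown" or "invalid" for a link.
function classifyLink(link, trusted = TRUSTED, maxDistance = 2) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return "invalid"; // not an absolute URL
  }
  if (!["http:", "https:"].includes(url.protocol)) return "invalid";
  const host = url.hostname.replace(/\.$/, ""); // URL already lowercases the host
  for (const domain of trusted) {
    // The real site, or a genuine subdomain of it.
    if (host === domain || host.endsWith("." + domain)) return "trusted";
  }
  for (const domain of trusted) {
    // Compare the same number of trailing labels as the trusted domain has.
    const tail = host.split(".").slice(-domain.split(".").length).join(".");
    if (editDistance(tail, domain) <= maxDistance) return "lookalike";
    // Trusted name embedded in a longer, unrelated host.
    if (host.includes(domain)) return "lookalike";
  }
  return "unknown";
}

// Constructed sample links, checked before any key is typed.
const samples = [
  "https://steemit.com/@someone/a-post",
  "https://steemil.com/login",
  "https://steemit.com.signin.example/login",
  "https://example.org/",
];
for (const s of samples) console.log(classifyLink(s).padEnd(10), s);
```

A "lookalike" result is the case to stop on: the host is close enough to the real one that the eye accepts it. Internationalized hosts arrive from `URL` as `xn--` labels and are not covered by this distance check.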
If this has happened to you, and you signed up using Steemit.com (the other option is to have a friend sponsor and make your account), you can click stolen accounts recovery on the side bar, and they may be able to help you. If you did it the alternative way, and you gave your master password to the phishing site, the account is gone. I'm very sorry, it is devastating, and to add insult to injury, lots of the "cool computer kids" will say stuff about learning your lesson. Screw them, they are heartless jerks. It sucks and you will be very upset, and anyone pretending they have never made costly mistakes in their life is lying. Also, while you are waiting for recovery, or even if the account is gone, you can reach out to @patrice and the @steemcleaners crew on Discord, and they will be able to flag the comments coming from your account to help stop others from having the same fate. I have had a couple of people reach out to me because they got tricked by a comment coming from my account, and it feels really bad to know that my mistake affected other people as well.
If you have any questions, even dumb ones that only a donk would ask, please feel free to ask. And remember to take the time to educate any friends you bring to Steemit on these different passwords. I had read about them before the hack, but the way it was explained obviously didn't really click for me. Feel free to link this post or reuse any parts you felt were useful. **just make sure to credit the parts you use as always ;)
**Second photo is property of Blizzard Entertainment. I chose this card because murlocs are annoying, and just like a phishing scam they spread quickly and overwhelm their opponent ;) teehee