If you don't own your keys, you don't own your assets. Remember that sentence and review your recovery account. Seriously, do it right after reading this article. It's crucial for your digital safety.
TL;DR: if you have steem set as a recovery account, your assets are not secure because you won't be able to recover your account in case someone changes your keys. Change this to your alter account or someone you can trust.
If you're using Hive blockchain, I hope you know how it works. I hope you know that due to blockchain principles, you cannot recover the forgotten password or private key. It is just technically not possible. Nobody stores your private keys or master password, but it's possible to change it by a blockchain-level mechanism. Anyone with a master password or owner key will be able to do it. You will be able to do it, and anyone who knows your password will be able to do it.
Now, try to imaging how someone could obtain your keys or master password:
- it could be guessed if it's short and easy (master password)
- you could publish it within your post by mistake (I bet you do copy your keys from time to time)
- you could send it as a transfer memo by mistake
- you could post it on your discord or another communicator by mistake
- you could publish a screenshot of your desktop screen with keys revealed
- someone could take a photo of your screen with your keys revealed
- you could commit it to your public git repository by mistake (if you're a developer)
Do you think you won't make a mistake? Never? Seriously? I will tell you one thing: we all make mistakes.
But there is a mechanism built-in in a Hive blockchain to recover an account even if you don't know new keys. It's especially useful if someone changes your keys without your permission, aka "your account has been stolen".
Account recovery
The mechanism is quite simple by its idea. If you have your previous keys, you can change the current keys. It's possible during the first 30 days after the change. Why did I say that it's not possible to recover the forgotten password? Because you have to know your previous keys. It's that simple. If you do - it's possible to recover an account. If you don't, you're done.
By the way, that's the reason you have to be careful if you plan to buy an account from someone. Even if you change the keys, the previous owner could recover it, and you could lose your assets already deposited. Please have it in mind, and if you really need to buy an existing account, do not deposit any tokens on it during the first 30 days from changing keys.
Recovery account
It's also crucial to understand how the recovery mechanism works, and basically, it's all about trust. Every Hive account has something like a "recovery account", which is a trusted entity that could make a recovery request for you. Yes, another account needs to make a request to recover your account. You cannot do it by yourself.
This is why you need to take care of your recovery account. By default, it's set to your account creator, which is often steem (if you have an account created by Steemit Inc). If it's your case, you are in danger now. Steemit Inc was bought by a Justin Sun, and he doesn't care about blockchain and its users. You can be sure that he will not be willing to help you with the recovery process.
So what happens if someone changes your keys? Your account is lost with all of its assets because you can do nothing with it. Good luck with contacting Justin Sun to start your recovery process.
Change your recovery account
This process takes 30 days, so do it now if you want your account to be secure. You cannot change your recovery account if someone already changed your keys!
How to check which account is set for you? Just visit https://hiveblocks.com/@youraccount (replace @youraccoynt with your real Hive account of course) and check the left sidebar. There will be a piece of information you're looking for:
Which account should you use? If you have multiple accounts, you can use your second account. If you don't, set your friend, family member, or someone who knows you and whom you trust. In case of emergency, you will need to prove that "you are you", and this account should be able to immediately start the recovering process.
Do not set yourself as a recovery account (don't do self-recovery). You can't start the recovery process if someone changes your keys so it's just like having steam. Always use another account.
How to change the recovery account?
1. Easiest way is to use peakd.com:
You will need your Private Owner key to publish a transaction. After all, you should see something like this:
2. Use hivesigner.com
Prepare the link for yourself:
https://hivesigner.com/sign/change_recovery_account?new_recovery_account=YOUR_SECOND_ACCOUNT
Replace YOUR_SECOND_ACCOUNT with your second account or any other trusted party who you wan't to have as a recovery account. Visit the link and sign the transaction with the Owner Key.
Do not set yourself as a recovery account (don't do self-recovery). You can't start the recovery process if someone changes your keys so it's just like having steam. Always use another account.
I started notifying 243 015 users who should care about it
I've used HiveSQL to get a list of accounts that:
- have
steemset as a recovery account - have a reputation of 25 or more
- have at least 0.001 HBD or HIVE
I'm going send a transfer to each account with proper warning and instruction in a memo.
If you want to know how to start and finish the account recovery process, let me know in a comment section and I will prepare appropriate instruction.
Vote for @engrave witness if you find this notification useful
