What is the difference between a password and a private key(s) on Steemit and how to make your account more secure, by using them correctly.

in #security · 7 years ago (edited)

As we recently learned, keeping your password private is extremely important. The same goes for all of your private keys. But many people wonder: what is the actual difference between a password and a private key?

This post is written mostly for the average Joe, who does not know anything about cryptography or even computer science.

The password is a Master Key to your account

... which you should never use!

[image: master key lock (image source)]

With the password to your account, you can do everything. You can upvote, post, comment, make transfers, change the description of your profile or change the password to a new one. EVERYTHING. So it is very handy, as long as you do not make your password public by accident.

But you are a PRO, so this will never happen to you, right? Take a look at this conversation between Mike and Amanda:

<Mike> That was a really great video, really! You have to watch it!
<Amanda> could you send me a link to it? I cannot find it
<Mike> no problem, here you have:
<Mike> p@ssw0rd!19870202
<Mike> fuck!
<Amanda> did you just accidentally paste here your password? :D

Looks familiar? And what would happen to Mike's account if he pasted that into a public chat? We are only human, and we all make mistakes!

But I need my password to use Steemit, right?

Actually, you don't.

The Steem blockchain has a built-in permission system which lets you use the appropriate private key as your password; that key gives you limited access to certain areas of your account. For example, if you log in with your private posting key you can still vote, post and comment, but you (or anyone who gets hold of your private posting key) will not be able to transfer any funds from your account or change your password.

How to login with Private Posting Key only, without a password:

  1. Obtain the private key from your wallet, in the Permissions section
  2. Log out
  3. Log in with the obtained private key as if it were your password

YouTube version of this gif: https://www.youtube.com/watch?v=jBzqZFuenGs

[gif: logging in with the private posting key]

The rule is: you can log in on Steemit with any of your private keys, but then you can do only the things which that type of key is authorized to do.

But what if I need to make a transfer?

You have 3 possibilities:

  1. Stay logged in with your posting key and use your private active key only to authorize the transaction when Steemit prompts you for it.

  2. Do not use Steemit at all to make transfers. Use the Steem wallet called Vessel, created by @jesta. You can download it and install it on your computer. At the time of writing this post it is still an experimental version, so it is recommended only for beta testers, but I have to admit it looks very promising.

  3. Use your Master Password, but be very, very careful.

So why do I need a Master Password at all?

Technically speaking, you don't need it. If you have all of your private keys (posting, active, owner, memo), then you can do everything without a password, even create a new password and a new set of all keys.

Why is that? Because in the whole Steem ecosystem, a password is used only to generate the public and private keys from it. How exactly this is done under the hood, I will explain in my next article.
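To make the two points above concrete (the password only seeds the keys, and each key authorizes a limited set of operations), here is an added example that is not part of the original post. The key derivation follows the scheme Steem uses: the private key for each role is sha256(account name + role + password), encoded in Wallet Import Format (WIF). The operation-to-authority table, the `can_authorize` check and the `find_pasted_secrets` filter are my own illustration of the permission model and of Mike's accidental paste; public-key derivation on secp256k1 is left out. The account name "mike" and the master password are constructed for the example, not real credentials.

```python
import hashlib

# Base58 alphabet shared by Bitcoin-style WIF and Steem keys.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # leading zero bytes are encoded as leading '1' characters
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def to_wif(priv32: bytes) -> str:
    """Wallet Import Format: 0x80 || 32-byte key || first 4 bytes of sha256d."""
    payload = b"\x80" + priv32
    return b58encode(payload + sha256d(payload)[:4])

def from_wif(wif: str) -> bytes:
    """Inverse of to_wif; raises ValueError if the string is not a valid WIF key."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80 or sha256d(payload)[:4] != check:
        raise ValueError("not a valid WIF private key")
    return payload[1:]

def derive_private_key(account: str, role: str, password: str) -> str:
    """Steem's scheme: the role key is sha256(account + role + password), as WIF.
    The hash is one-way, so a leaked posting key does not reveal the password."""
    seed = (account + role + password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())

def derive_all(account: str, password: str) -> dict:
    return {role: derive_private_key(account, role, password) for role in ROLES}

# Authority hierarchy: a key can sign anything a lower level can. The memo
# key is outside the hierarchy; it only encrypts and decrypts memos.
LEVEL = {"posting": 1, "active": 2, "owner": 3}
REQUIRED = {   # illustrative subset of operations and the authority they need
    "vote": "posting", "comment": "posting",
    "transfer": "active", "change_owner_keys": "owner",
}

def can_authorize(key_role: str, operation: str) -> bool:
    if key_role not in LEVEL:
        return False
    return LEVEL[key_role] >= LEVEL[REQUIRED[operation]]

def _is_wif(s: str) -> bool:
    try:
        from_wif(s)
        return True
    except ValueError:
        return False

def find_pasted_secrets(text: str) -> list:
    """Flag tokens that are Steem private keys (WIF) or Steemit-generated master
    passwords ('P' followed by a WIF) before a message like Mike's goes out."""
    found = []
    for tok in text.split():
        tok = tok.strip(".,;:!?\"'()[]")
        if tok.startswith("P") and _is_wif(tok[1:]):
            found.append(("master password", tok))
        elif _is_wif(tok):
            found.append(("private key", tok))
    return found

def constructed_master_password() -> str:
    # Constructed for this example from a fixed seed; a real Steemit password
    # wraps a random key. Never derive a real password this way.
    return "P" + to_wif(hashlib.sha256(b"constructed example seed").digest())

if __name__ == "__main__":
    master = constructed_master_password()
    keys = derive_all("mike", master)
    for role, wif in keys.items():
        print(f"{role:8s} {wif}")
    print(can_authorize("posting", "transfer"))   # posting key cannot move funds
    print(find_pasted_secrets("no problem, here you have: " + master))
```

Running it prints four different WIF keys for the same password, shows that the posting key is refused for a transfer, and flags the pasted master password. Note that `find_pasted_secrets` would not catch Mike's `p@ssw0rd!19870202`, because that is a human-chosen password rather than a Steemit-generated one; the checksum-based check only recognizes keys and passwords in Steem's own format.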


This article belongs to a series of articles describing security on Steemit:

  1. What is the difference between a password and private key(s) on Steemit? How to make your account more secure by using them correctly. (this article)
  2. Public and private keys - how Steem uses them to make all of this possible
  3. Public and private keys - how they work under the hood
  4. How passwords are stored by Steemit in your browser, and why it is secure
  5. How to set your own password, not generated by Steemit
  6. How to set up multisig/multiple authorities for your account
  7. ...
    Make sure to follow my account, if you don't want to miss any of these :)

Thanks, very usable piece of info!

Thank you for your post

Always best to get familiar with security features first, then implement them, rather than further down the line when there's more risk. Nice post!

Greetings from Jordanów @noisy! Hope all is well in Silesia :) An excellent post after your recent white hatting adventures! I told them to have #steemfest2 in Krakow but no one would listen! The Poles are great crypto fiends! I'll just RS this post instead! Steem on!! ... and look out for my Polish post later on ... 'Culture Shock in Poland -- What WAS shocking to me!'

And most important: Never, NEVER paste/write any PRIVATE information in transfer memo from Poloniex (or other markets)!


There is one key to rule them all. But do we always need the master?

If the slave is ready, the ruler comes.

Thank you ! I am new to all of this and truly never take passwords very seriously, but after reading your last post.... well yikes! You make it a bit easier to understand! @noisy I appreciate your post!

I wish I could see the key I'm logged in with at any time!

Actually, that is not a good idea for a small improvement! :)

I didn't mean the actual key, just a note like: "you're logged in with the Posting / Active / Memo / Master Key"

I get you. Cuts out a lot of clicking and searching to find out the status.

I write about silver. Here is my latest post: https://steemit.com/silver/@hgmsilvergold/if-you-are-a-silver-and-gold-stacker-this-is-for-you

Excellent post! Following and resteeming. This stuff needs to be said over and over again so people can understand how this all works.

I would also encourage everyone to use a password manager like 1Password. If you know any of your passwords, they are probably already insecure and/or you are vulnerable to phishing attacks.

Cybersecurity starts with you.

  1. Keep your OS up to date with security patches.
  2. Always run an updated antivirus system.
  3. Use a password manager like 1Password (you shouldn't know any passwords, they should be generated for you automatically).
  4. Don't download or click on stuff you don't trust.
  5. Don't ignore warning messages! (Also, don't click on pop ups which pretend to be legit warning messages).

While we're on the topic of good computer behavior, I'll also throw in: have multiple backups. Without them, if you lose your private keys or encrypted password database, you'll have a very sad day.

Very true!

Very good and important post. I didn't know about these keys until now. This tutorial helps me a lot. Thank you :).