Memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't.

in #steem, 7 years ago

Two months ago I wrote that You shall not (leak your) pass.

My security research is an ongoing process, I'm trying to protect Steem users from hurting themselves by leaking their keys and passwords.
(Also with the help of @almost-digital's dsteem powered tools)

Apparently, it's not as easy as stopping Balrog.

Lately I've successfully secured hundreds of liquid SBD and STEEM and almost $100,000 worth of Steem Power. But there's not always a happy ending. Sometimes malicious users are faster. Sometimes you can't even tell if the current owner is the original one. Sometimes account recovery is needed. Sometimes it's just too late to do anything.

(Image: Gandalf's stories, "Steem Wizardry" by Inber)

Fields of Despair: Memo

The most common user error was to put private material into the memo field while doing transfers.
Keys, both public and private, should NOT be placed in memo fields.
Memo fields are used to distinguish one transfer from another.
Whatever you enter in a memo field will be available to the public. Forever.

Valid use cases include:

  • When Alice transfers 10 SBD to Bob she could enter Wednesday's Pizza in the memo field to let Bob know what it is for.
  • When Dylan appreciates Bob's new lyrics, he sends him 100 STEEM with the memo Dude, "Masters of War" is a cool song, but Tatiana's version is so much better
  • When Frank wants to get a flag from Charlie, he sends his post's URL as a memo.

Memo fields used while making deposits (sending money) to exchanges

Sometimes however, you have to set your memo exactly as directed.
Exchanges, such as bittrex, blocktrades, changelly, poloniex and others require you to set the memo to an exact value when you are sending money to them. They are using that specific memo value to distinguish transfers. Each user has their own distinct memo value but it has nothing to do with your keys or passwords! To get your proper memo value, you need to follow the exchange's deposit instructions. If you don't, you will lose your funds.
Please note that usually there's a different memo for sending SBD and a different one for sending STEEM.

This is how a bittrex memo might look:
0ab23c4de5fa67bc8de
This is how a blocktrades memo might look:
a1b234c5-de67-8f90-1a2b-c345d6e78fa9
This is how a changelly memo might look:
1a79a4d60de6718e8e5b326e338ae533
This is how a poloniex memo might look:
1abcd23456789012

A memo is never your key or password.

Memo fields used while making withdrawals (sending money) from exchanges

For many digital currencies, your address is the key. Steem is different. Your address on Steem is your account name.
When alice wants to send STEEM to bob, she just needs to put bob in the address field. The memo field is optional in this case. Regardless of the memo value (which can be empty), bob will receive those funds.

How can I lose my key?

Unfortunately, there are many, many ways users can leak their keys and passwords.
Do you think that this post is not about you?
Are you sure? I've already seen hundreds of leaked keys.
For over a year, it was never a software error. It was always a BKAC (between keyboard and chair) one.

There are people that are well aware of the importance of keeping private stuff private.
Errors, however, can happen.
Even to smart people.
Even to you.

Sometimes one misclick is enough.

You have copied your key and pasted it in the login window?
Have you checked that the link you used led to https://steemit.com?
Or just to a site that looked the same?
Are you logging in using your private computer?
Or maybe you had a strong urge to upvote something while using a public PC in a library?
You keep your Master Password in your mailbox, so what could possibly go wrong?
Maybe you wanted to paste a link to cute kittens that you found just after logging in to Steemit and Ctrl+C didn't work for the link, but Ctrl+V did for the password?
You've used a cool tool that upvotes and stuff, but are you sure that it doesn't send your password through the net?
If you have any doubts, change your password/keys immediately.

Keys? Passwords? Whaaa?

The first rule of Steemit is: Do not lose your password.
The second rule of Steemit is: Do not lose your password.
The third rule of Steemit is: We cannot recover your password.
The fourth rule: If you can remember the password, it's not secure.
The fifth rule: Use only randomly-generated passwords.
The sixth rule: Do not tell anyone your password.
The seventh rule: Always back up your password.

Master Password: one password to rule them all.

When you setup your account through Steemit, you get a Master Password.
With the Master Password you can do everything with your account, because it "contains" all the keys to control it. In fact, the Master Password is used to derive all keys for your account.

What if you leak it?

All the bad things will happen, as if you leaked your Private Owner Key (see below for the consequences and instructions)

What if you lose it?

If you have your Private Owner Key saved somewhere, then you can use it instead.
If you don't have it, then it's GAME OVER.
Nobody will help you, because nobody can.

A more secure way is to use individual keys when appropriate.

Keys

Private Owner Key

It can do everything with your account, including changing other keys and the owner key itself, or doing account recovery. Keep it secret, keep it safe. You don't need it for daily use. Don't lose it. It is best to write it down and lock it in your safe or secret basement. It's your last resort in case your other keys are compromised.

What if you leak it?

You will lose control over your account, your keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of the funds every week for 13 weeks.
Try to change your keys immediately.
If it is too late, you have 30 days starting from the day it was changed to proceed with Stolen Accounts Recovery. It might or might not work and you might or might not be eligible to use it. If for some reason it doesn't succeed, you will never regain access to that (soon to be empty) account.

What if you lose it?

GAME OVER
Nobody will help you, because nobody can.

Private Active Key

You can use it to do almost everything except for changing Private Owner Key. You can vote for witnesses, change your account properties such as your profile picture or cover image, change your Private Posting Key, and most importantly: transfer your funds. Use it only when you need to perform such actions.

What if you leak it?

You will lose control over your account, your active and posting keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of your funds every week for 13 weeks.
However, you can use your Private Owner Key or Master Password to change the leaked Private Active Key.

What if you lose it?

Use your Private Owner Key or Master Password to set a new one.

Private Posting Key

You can use it to post, upvote, follow, resteem, but not to transfer your funds. The best option for day-to-day use. Still, use it with care. Despite being only a "Posting" it is still "Private" and it is still a "Key".

What if you leak it?

Your posts and comments might get vandalized, malicious users might post, upvote, downvote, resteem etc. on your behalf. You can use your Private Active Key, Private Owner Key or Master Password to change the leaked Private Posting Key.

What if you lose it?

Use your Private Active Key, Private Owner Key or Master Password to set a new one.

Other keys

Signing Private Key and Memo Private Key are not in the scope of this post. If you need to use them, you already know what they are used for and why.

How do those keys look?

This is how a Public Key of any type (Owner, Active, Posting, etc.) can look:
STM6n8WV3imRd454CMY8akRFY4CLbyJVvWS3UdVDWw1dayf4xU47Z
(please note that it starts with STM)

This is how a Private Key of any type (Owner, Active, Posting, etc.) can look:
5JNyFp1pWNYaHCDEiR7mop5cRzpHcA2psLNRdykhzgbjPzxsqcg
(please note that it starts with 5)

This is how a Master Password can look:
P5KjZuqMC9q7MR1iKeXA2KzpRhnMHyhLQNyBHSDnSSiTiKnjyUCN
(please note that it starts with P5)
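As an added example (my own code, not from this post or from any Steemit tool), here is a pre-send memo guard built on the three shapes shown above: it blocks a transfer whose memo contains anything shaped like a private key or Master Password, only warns on a public key, and can redact such tokens before a memo is logged. The length rules and the sample memos are constructed from this post's examples.

```python
import re

# Base58 alphabet used by Steem keys: digits and letters without 0, O, I and l.
B58_RUN = re.compile(r"[1-9A-HJ-NP-Za-km-z]+")

# Shapes taken from the samples above: public key = "STM" + 50 base58 chars,
# private key = "5" + 50 chars, Master Password = "P5" + 50 chars.
KEY_SHAPES = {
    "public key": re.compile(r"STM[1-9A-HJ-NP-Za-km-z]{50}"),
    "private key": re.compile(r"5[1-9A-HJ-NP-Za-km-z]{50}"),
    "master password": re.compile(r"P5[1-9A-HJ-NP-Za-km-z]{50}"),
}

# A pasted public key is harmless but shows a bad habit; anything secret-shaped blocks the transfer.
SEVERITY = {"public key": "warn", "private key": "block",
            "master password": "block", "key-like string": "block"}


def classify(token: str):
    """Name the kind of key a single base58 token looks like, or None if it is harmless."""
    for kind, shape in KEY_SHAPES.items():
        if shape.fullmatch(token):
            return kind
    # A long base58 run matching no exact shape is most likely a mistyped or truncated key.
    if len(token) >= 50:
        return "key-like string"
    return None


def scan_memo(memo: str):
    """Return (severity, kind, token) for every suspicious token found in the memo."""
    findings = []
    for token in B58_RUN.findall(memo):
        kind = classify(token)
        if kind is not None:
            findings.append((SEVERITY[kind], kind, token))
    return findings


def safe_to_send(memo: str) -> bool:
    """True when nothing in the memo would disclose a secret (public keys only warn)."""
    return not any(severity == "block" for severity, _, _ in scan_memo(memo))


def redact(memo: str) -> str:
    """Replace key-shaped tokens before the memo is logged or shown in an error message."""
    def mask(match):
        kind = classify(match.group(0))
        return "<%s removed>" % kind if kind else match.group(0)
    return B58_RUN.sub(mask, memo)


if __name__ == "__main__":
    # Constructed memos: two legitimate ones from the post, then the post's sample private key pasted by mistake.
    for memo in ["Wednesday's Pizza",
                 "a1b234c5-de67-8f90-1a2b-c345d6e78fa9",
                 "deposit 5JNyFp1pWNYaHCDEiR7mop5cRzpHcA2psLNRdykhzgbjPzxsqcg"]:
        print(safe_to_send(memo), redact(memo), scan_memo(memo))
```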

Never send your keys online

A Private Key is called PRIVATE for a reason.
You cannot post it online.
Never.

"- OK, but when I log in on steemit.com I post my key so the site knows it's me, right?"

No. The Steemit site is written in a way that your key is kept locally in your browser at all times. When you post or comment or upvote, such transactions are signed with your key.
The signature is sent with the transaction but your private key isn't.

Every time you enter your key or password in some app or site, you need to trust it.
There are many scenarios in which you might lose your key:

  • the author of an app might be malicious and, instead of keeping your keys locally to sign transactions, send them to his server and misuse them
  • the author of an app might not be skilled enough and might manage your key in an insecure way, thus putting your account at risk

TL;DR:

You will lose your funds if you disclose your private key.

Do not learn from your own mistakes, learn from the mistakes of other users.



If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf



Steem On
Be Safe


Just for the sake of it and to be double sure about the privacy of my keys, I'm going to reassign them to new codes a.s.a.p. I can't thank you enough for this information you are sharing with us today, it goes deeper into the functions of what keys are and their potential ramifications. They are so powerful, yet so vulnerable...

Namaste :)

will have to read this - and many other posts on the subject - over and over again... with time I am sure and full of hope... I will understand more and more... Greetings from a newbie and tech autist... but willing and eager to learn and find out! Thank you for your post, Gandalf! had a smile on my face when I looked on the drawing with the pipe... here you can see why - hubby and best friend on our porch :-)

Awesome :-)) say hello to those guys :-)
The Steem platform is like nothing else, so it is really not that easy to get familiar with all the technical details; however, in time, it will make more and more sense to you.
Good luck.

Too late to ask a question 4 months later? :-)

I thought that Master and Owner key are one and the same, so I checked and yes I only have Owners key, well I have all keys but Master.

Question, is there a way to retrieve a Master key with Owners private key?

If you are dealing with your keys through the steemit.com site, it is most likely that you have a Master Password that you got while creating your account. It's the one that starts with P. The Owner key and others are derived from that password. So no, you can't get the Master Password while having the Owner private key, but you can get the Owner private key from your Master Password (assuming that the individual keys weren't changed from the derived ones).

Thank you very much!
I thought I had lost it since I didn't know the Master existed, didn't pay attention at registration, but I just found it saved on my CD. Phew!

Good to know that the Master is the ultimate key, above all others. I just misled someone who I brought to Steemit. I need to fix this, thanks again for the clarification.

Thank you for this post, you've really made me realise I need to be much more careful!

Sorry to ask but I'm still confused about a few things.

  1. I use Chrome and my google smart lock settings remember my password when I log into Steemit. Is this a problem?

  2. In my wallet I have four categories of Keys - Posting Key, Active Key, Owner Key & Memo Key. My Owner Key is the only one that doesn't have a "show private key" tab next to it. It says: "The private key or password for the owner key should be kept offline as much as possible." I got really confused by this, i.e. what is the password for the owner key and where would I find it? Is it the original password that was emailed (starts with PK)?

  3. Private active key. It says "the active key is used to make transfers and place orders in the internal market". A few services like Streemian have asked for the private active key. Is that normal? Why can't they just use the STM version of the active key instead? Also when I first logged onto Streemian I entered my private key into the first app they had on the page but then when I hit enter it came up with an error and I then noticed it didn't have a secure lock on the URL, so I tried the second app (the .js one) and it did have a secure lock and worked okay. Is Streemian safe or should I consider changing my keys?

  4. If I want to change my keys I can only find one option which is to reset Password. Does that reset all the keys as well? If I'm still using the first password I was given on acceptance/login to Steemit is that a mistake and should I have changed it?

Thanks for your article, sorry to ask what are probably obvious/annoying questions! Have just voted for you as Witness.

Ad. 1. Saving a password in your browser is as safe as the weakest link in the chain: browser - operating system - computer. An up-to-date Chrome browser is a safe choice. Make sure you don't use any shady extensions. Also, make sure that this is not the only place where your password is stored (what if you lose access to it?).
Also:
Using appropriate keys > Using Master Password

Ad.2. That P5.... thing is the Master Password. Under the hood it does nothing except being a source for your keys, which are derived from it and used when appropriate. So you can use the Master Password for posting and the same Master Password for transferring funds. That's for convenience. For better security it's better to use the posting / active key when needed.
There's currently no way to display the owner key in the browser, but you don't really need it when you have the Master Password, which can serve the same role (also for account recovery).
If you really want to you can use cli_wallet for that:
get_private_key_from_password angusg owner P5HerePutYourMasterPassword

Ad.3. When any service asks you for your password / key you should be very careful, and the general rule is to refuse if you are not absolutely sure that it's ok.
streemian is a well known service made by a reputable steemian - @xeroc
If you trust that site and its owner then you might want to take that risk.
I did with my gandalf account. :-)
Streemian is using your Private Active Key to sign a transaction that adds the appropriate posting authority to your account, so later on Streemian can do voting on your behalf (without knowing your Private Active Key or even your Private Posting Key). That's the proper way of doing things. Currently, however, there's an even better way to do that without worrying about entering your key on an unknown site. It's called SteemConnect v2.
If you have any doubts - change your keys to be sure.

Ad. 4. Yes. Changing the password changes your Master Password; from the new one, new keys are derived and replace the old ones. Changing the initial password is not required.
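An added example (my own code, not the post's, Steemit's or cli_wallet's) of what "keys are derived from the Master Password" means here and in the post above: it builds a Master Password of the P5 form from constructed entropy, derives each role's private key as sha256(account name + role + password) in WIF form, and checks a WIF checksum, which is why a key can be recovered from the password but never the other way round. The account name and the entropy bytes are assumed values.

```python
import hashlib

# Base58 alphabet (no 0, O, I or l), as used by Bitcoin-style WIF private keys.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + raw

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def to_wif(secret: bytes) -> str:
    """32-byte secret -> WIF: version byte 0x80 + secret + 4-byte checksum, base58 (starts with 5)."""
    payload = b"\x80" + secret
    return b58encode(payload + checksum(payload))

def from_wif(wif: str) -> bytes:
    """Inverse of to_wif; raises ValueError if the string is not a well-formed WIF key."""
    raw = b58decode(wif)
    if len(raw) != 37 or raw[0] != 0x80 or checksum(raw[:33]) != raw[33:]:
        raise ValueError("not a valid WIF private key")
    return raw[1:33]

def is_valid_wif(wif: str) -> bool:
    try:
        from_wif(wif)
        return True
    except ValueError:
        return False

def make_master_password(entropy: bytes) -> str:
    """A Master Password is 'P' followed by the WIF form of 32 random bytes, hence the P5 prefix."""
    return "P" + to_wif(entropy)

def role_secret(account: str, role: str, password: str) -> bytes:
    """Steem derives each role's private key as sha256(account name + role + Master Password)."""
    return hashlib.sha256((account + role + password).encode()).digest()

def derive_keys(account: str, password: str) -> dict:
    """Private keys for every role in WIF form; nothing here can be reversed to the password."""
    return {role: to_wif(role_secret(account, role, password))
            for role in ("owner", "active", "posting", "memo")}

if __name__ == "__main__":
    # Constructed entropy and account name; a real Master Password comes from a CSPRNG.
    master = make_master_password(bytes(range(1, 33)))
    print(master)
    for role, wif in derive_keys("alice", master).items():
        print(role, wif)
```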

Thank you Gandalf! That really puts my mind to rest, also thx for the cli_wallet tip. I signed up for SteemConnect V2 yesterday after reading your article and I'm just figuring that out. I'm also going to check my Google extensions and disable any I'm unsure about. I don't have many. I've backed up my keys and password and I think I'm going to take the risk on Streemian because I already connected for my Discord verification.

I can see that the possibilities for services and apps that extend Steemit are almost limitless, so security is always going to be one of the biggest nightmares.

Thank you for caring about our security and wellbeing and for taking the time to spell it out so clearly!

Just curious (not sure if I understand correctly)

I'm going to take the risk on Streemian because I already connected for my Discord verification.

How are those two things related?

I thought I remembered having to connect Streemian in order to register for the PALnet/MinnowsSupportProject on Discord but it was actually just through my main Steemit wallet. Was hunting just now for the first post I followed that had the instructions and it was this one.
https://steemit.com/minnowsupportproject/@discordiant/registration-tutorial-msp-palnet

So I couldn't remember what it was I'd been asked to do in Streemian then I remembered it was this post which was to do with joining TeamAustralia instead, I was following the instructions about halfway down.
https://steemit.com/teamaustralia/@scooter77/supporting-centerlink-and-teamaustralia-all-sbd-from-this-post-donated-to-centerlink-program-how-can-you-ensure-your-upvoting

On Discord one of the instructions in the pinned messages on the teamaustralia page registration was to follow the banjo bot and minnowssupport bots and send them $0.01 each to authenticate, then to go to steemvoter and set up a rule to follow minnowsupport, then to go to Streemian, authenticate the Streemian account also with $0.01 then follow the @centerlink curation trail, then to let an admin know.

Can't remember the exact order I did it in. I just remember that the first time I logged onto streemian they had two authentication apps and the first one crashed and went to an unlocked (not https) page and the second one was a .js app and worked okay. I'm on windows 7 so it may be different for a mac user.

OK, thank you for the clarification.

Gandalf is steeming some really good stuff.

Thanks for sharing that information! There were some times when I nearly pasted my key into the memo field.

Too many 3rd party websites ask me for my Steem keys. This is a ubiquitous bad practice encouraged by the community. steemit.com needs something like an oauth - a single secure protocol to manage access without the need to disclose the keys.

The answer is: SteemConnect v2

This is great! I never realized there's actually a working solution. Thanks for pointing it out!

I agree. I want to test out the many interesting services built on top of Steem without trusting them with my Steem keys yet.

So basically use common sense?

That should work :-)

Private key starts with "5j" , but also memo key starts the same, right?

All keys, whether Owner, Active, Posting or Memo, come in pairs: Private and Public.

Private keys start with 5
Public keys start with STM

Well I am stupid like a broken brick. I proclaimed myself an 'IT security enthusiast' and what did I do in my first transfer from bittrex? Put my public memo key in the memo field. And it was after I'd read posts by @lukmarcus and @noisy about not doing it. What a moron. I have planned a self-sterilization for this evening so no more chances for my genes to survive. And all of this greatly explains my avatar image selection (this sentence is kind of offending for apes, sorry guys, didn't mean to).

It is not helping my despair that it was only public key. No keys means no keys.

Sending a public key doesn't do any harm; it's just an indicator that you are doing something wrong, which might lead to some bigger mistakes in the future. Fortunately you've realized that in time and now it's good.
So... every cloud has a silver lining ;-)