Steem Phishing: What You Need To Know To Stay Secure

in #technology7 years ago (edited)

steem-phishing

I wrote about a very similar topic in the post called How To Keep Your STEEM Account Hacker Free a few months back here on the Steem blockchain. Now with all the phishing activity around Steemit, it is time I revisit this topic with the aim of keeping your account secure from phishing attacks.

A lot of this text will be from that old post since the steps have not changed since it's creation. I also added the information about creating passwords from the post but if you want a more in depth look at passwords and pass phrases please check out my post titled, How To Create Easy and Secure Passwords.

What Is Phishing?

Phishing is when a malicious person sets up a site to look exactly like the one you use every day. Facebook is probably one of the most phished sites out there due to the enormous user base. These fake sites will use a name that is very close to the original to look like the correct URL at a glance.

Common ways are to use a lower case "L" in place of a capital "I" in the English language, and there are many more for all languages. You may hear that all you need to do is make sure the green lock on your browser is there and you'll be on the correct site.

This is only partly true since anyone can get an SSL certificate without much hassle but is a good first step. Never rely on the green lock as a fool proof way to know you are on the correct site but instead use it as one of many signals that you are where you wish to be.

Using Browser Extensions To Increase Security

Before we get into LastPass and how to use it, so we have another barrier protect us I want to give a few words of caution. Since apps like LastPass are online, there is always a chance that they get compromised and your information leaks into the ether.

Always practice safe password techniques when creating master passwords and never use the same password twice. If you are using LastPass, there is no reason why you will have to remember more than one password anyway.

Using LastPass To Protect Your Self From Phishing Attacks

Create Your Master Lastpass Passphrase

Calling it a passphrase is an important distinction. The term 'password' indicates a single word instead of multiple words. The longer a passphrase is, the better because with each new character you add more entropy. Entropy is what makes the passphrase hard to guess by both computers and people.

The best method to form a passphrase is to use a system that has no ties to us. A passphrase that has our school name, birth month, and the name of our first pet may be long, but these days information is bought and sold. It does not take long for someone to learn such information about us.

dont-get-phished03

Use Dice & A Diceware Word List

A dice list is a list of thousands of words next to numbers. Search online for "EFF Diceware List" and download the file. To use this list to make a strong passphrase we take five dice and roll them. Write down the numbers and roll again. Do this five or six times.

Now those numbers we wrote down correspond to words on the list. What we get is a passphrase that looks something like this:

directive-pushy-awaken-barcode-unnoticed-hurling-cavalier

A string of random words that have no relation to us at all. Since it is words, it is easy for us to memorize, but due to its length, it is tough to guess. Make sure to use real dice and not an online generator because outside of nature we can never be sure if the outcomes are truly random.

Proof These Work

If we can assume that an attacker can run one trillion guesses per second, how long will it take to guess the passphrase above?

27,255,689 years!

That's some good odds in our favor. But let's see how fast passphrases with one less word is cracked (on average) at one trillion guesses per second.

3,505 Years

See how big a difference one word makes! Now keep in mind that we cannot be expected to remember a passphrase like this for every site we use because we need to use a different passphrase on every site. A password like this on every site is overboard and is why we use password managers such as LastPass.

How To Secure Your Steem Account

Once you sign up for LastPass and install the browser extension, you can create the login passphrase. To do this, click on the extension icon and then click "Open my Vault." Once the page loads, there is a small red circle with a + in the middle. Hover the mouse pointer over that, and the + will change to a new icon; click the new icon. It should say "Add Site" off to the left, as well.

You will see a blank version of the image below.
dont-get-phished-01
image from the LastPass App

  1. Add https://steemit.com here (or https://steemconnect.com for @busy).
  2. Enter your STEEM username.
  3. Copy and paste your STEEM master password here (we want to keep it safe for when we need it).
  4. Paste your private posting key here.

Side Note: you do not have to save your master password in LastPass if you do not want to have it stored in an online encrypted vault. Keeping the key there is just an option.

Grabbing the Keys

To get the keys and add them to LastPass, we need to log in with the master password or the active key (if the master password is already safe).

dont-get-phished-02
image from steemit.com

  1. Click wallet
  2. Click Permissions
  3. Click "Show Private Key"

The private posting key then replaces the public key. Copy the private key and use it in Step 4 above. If you never plan on logging in with your master key, it is good to save your active private key as we did in Step 3 of LastPass.

Before we test everything out, double check all the keys and make sure there are no mistakes. The most reasonable way to do this is to make sure the first five characters of the pasted keys match what is on Steemit. Do the same for the last five characters in each key, as well.

It is well worth our time and effort to make sure this is all in place. Logging it with the master or active key every time is a massive security risk. The day may come when we enter our key on a fake Steemit site, and then all is lost.

There is some reprieve if we are only logging in with our posting key. Then, at least, the worst the attacker can do is make posts, comments, and upvotes as us. That still is less than ideal, and that is why we use LastPass. If the site is not really steemit.com, then LastPass will not show our login options.

It's a security must for all Steemians.

Extra Tip

If you use your active key a lot on Steemit than add it to LastPass with the same steps above, so you are less likely to use it on a fake site. I have it set up this way, and if I am ever on a fake Steemit or SteemConnect site, I will know when I go to use LastPass, and the active key is not shown.

Thanks For Reading!

If you have any topics that you would like me to cover pleas feel free to comment them below and I'll add them all to my list!

All images came from royalty and attribution free sources unless specified.

Looking to take your Steem based creations to the next level?
Join us over at the Creators' Guild Discord group! We are here to encourage, support and increase the creation of quality content.

If you have any questions about the future of Steem
or my witness please feel free to message jrswab#3134 on Discord.

vote-jrswab-for-steem-Witnesses—Steemit.gif

Click here to vote with SteemConnect!
Or go to https://steemit.com/~witnesses


Looking to support my content creation efforts outside of the Steem Blockchain?
Check out jrswab.com/support

smart-steem-gif

Sort:  

Very good tutorial and it came at the right time. My passwords are kept safe but I was thinking about how to solve this phishing problem.

I was thinking about having some kind of browser extension that notifies you when you are leaving the site. For example, if you are on steemit and you click a malicious link, it will say "you will be redirected to [URL].com Click OK or Cancel."

I'm not a programmer so I don't know how to make such an extension (I'm sure it would be pretty easy though for a programmer to do). If there already exists such an extension, let me know!

Very good tutorial :)

@jrswab thank you very much for this helpful tutorial which I will resteem to help more of us learn how to keep our accounts secure on Steem!

Thank you so much for your support! I hope your followers find it helpful in keeping their accounts safe.

Thank you for the post @jrswab and all the advice to be safe on Steemit. I also use lastpass and once it saved me from a site because it won't log in. After looking at the Url I realized it was another Url.

Hi @jrswab, I just stopped back to let you know your post was one of my favourite reads and I included it in my Steemit Ramble. You can read what I wrote about your post here.

Join us on Thursdays for Pimp Your Post Thursday at 11am EDT or 7PM EDT in the Steemit Ramble Discord or:

If you’d like to nominate someone’s post just visit the Steemit Ramble Discord

One of the unintentional benefits of using LastPass with really long passwords (I default to 100 characters) shows which of the sites you use don't allow strong passwords. I find it really dumb that a social media site will allow 100 characters but my bank won't!

Wow, thank you much. I'm probably the worst person with passwords, but I'm better informed now. Thank you.

Great post you share some great tips here

Security of password is very important for everyone. Many persons do not care about their passwords. Thank you for informing us to create and keep safe our passwords.

I have never used LastPass but it sounds like it is worth looking at. I currently use Dashlane and find it to be an effective tool for password security. Thanks for the post.