Thank you for this post, you've really made me realise I need to be much more careful!
Sorry to ask, but I'm still confused about a few things.
I use Chrome and my google smart lock settings remember my password when I log into Steemit. Is this a problem?
In my wallet I have four categories of Keys - Posting Key, Active Key, Owner Key & Memo Key. My Owner Key is the only one that doesn't have a "show private key" tab next to it. It says: "The private key or password for the owner key should be kept offline as much as possible." I got really confused by this, i.e. what is the password for the owner key and where would I find it? Is it the original password that was emailed (starts with PK)?
Private active key. It says "the active key is used to make transfers and place orders in the internal market". A few services like Streemian have asked for the private active key. Is that normal? Why can't they just use the STM version of the active key instead? Also when I first logged onto Streemian I entered my private key into the first app they had on the page but then when I hit enter it came up with an error and I then noticed it didn't have a secure lock on the URL, so I tried the second app (the .js one) and it did have a secure lock and worked okay. Is Streemian safe or should I consider changing my keys?
If I want to change my keys I can only find one option which is to reset Password. Does that reset all the keys as well? If I'm still using the first password I was given on acceptance/login to Steemit is that a mistake and should I have changed it?
Thanks for your article, sorry to ask what are probably obvious/annoying questions! Have just voted for you as Witness.
Ad. 1. Saving your password in your browser is as safe as the weakest link in the chain: browser - operating system - computer. An up-to-date Chrome browser is a safe choice. Make sure you don't use any shady extensions. Also, make sure that this is not the only place where your password is stored (what if you lose access to it?).
Also:
Using appropriate keys > Using Master Password
Ad.2. That P5.... thing is the Master Password. Under the hood it does nothing except being a source for your keys, which are derived from it and used when appropriate. So you can use the Master Password for posting and the same Master Password for transferring funds. That's for convenience. For better security it's better to use the posting / active keys when needed. There's no way currently to display the owner key in the browser, but you don't really need it when you have the Master Password, which can serve the same role (also for account recovery).
If you really want to, you can use cli_wallet for that: get_private_key_from_password angusg owner P5HerePutYourMasterPassword
Ad.3. When any service asks you for your password / key you should be very careful, and the general rule is to refuse if you are not absolutely sure that it's OK.
streemian is a well known service made by a reputable steemian - @xeroc
If you trust that site and its owner then you might want to take that risk.
I did with my gandalf account. :-) Streemian is using your Private Active Key to sign a transaction that adds the appropriate posting authority to your account, so later on Streemian can do voting on your behalf (without knowing your Private Active Key or even your Private Posting Key). That's the proper way of doing things. Currently, however, there's an even better way to do that without worrying about entering your key into an unknown site. It's called SteemConnect v2.
If you have any doubts - change your keys to be sure.
Ad. 4. Yes. Changing the password changes your Master Password; from the new one, new keys are derived and replace the old ones. Changing the initial password is not required.
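To make the "keys are derived from the Master Password" point above concrete, here is an added example (not code from the thread or from Steemit/cli_wallet) that reproduces the Steem login-key derivation as implemented in steem-js: the 32-byte secret for each role is sha256(account + role + password), and it is displayed in WIF (0x80 prefix, double-sha256 checksum, base58). The account name angusg comes from the cli_wallet command in the reply; the Master Password is a made-up placeholder, not anyone's real key. Running it shows why handing a service the Master Password is strictly worse than handing it one role key, and why a password change replaces all four keys at once.

```python
import hashlib

# Bitcoin/Steem base58 alphabet (no 0, O, I, l)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The four roles the Steemit wallet shows; the same formula yields each of them.
ROLES = ("owner", "active", "posting", "memo")


def b58encode(raw: bytes) -> str:
    """Base58 encode, keeping one '1' per leading zero byte (Bitcoin convention)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def derive_private_key(account: str, role: str, master_password: str) -> bytes:
    """Steem login derivation: secret = sha256(account || role || password).

    Anyone holding the Master Password can recompute every role key this way;
    a single role key cannot be turned back into the password or the other keys.
    (Real libraries also reject the astronomically unlikely case where the
    digest is not a valid secp256k1 scalar; omitted here.)
    """
    seed = (account + role + master_password).encode("utf-8")
    return hashlib.sha256(seed).digest()


def to_wif(secret: bytes) -> str:
    """Wallet Import Format: base58(0x80 || secret || sha256d(0x80 || secret)[:4])."""
    payload = b"\x80" + secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def from_wif(wif: str) -> bytes:
    """Decode a WIF string back to the 32-byte secret, verifying the checksum.

    A one-character typo in a pasted key fails here instead of producing a
    silently wrong key, which is the check a wallet should perform on import.
    """
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not a 32-byte WIF private key")
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("WIF checksum mismatch (typo or corrupted key)")
    return payload[1:]


def derive_all_keys(account: str, master_password: str) -> dict:
    """Return {role: WIF private key} for every role, as the wallet page would show."""
    return {role: to_wif(derive_private_key(account, role, master_password))
            for role in ROLES}


if __name__ == "__main__":
    # Constructed placeholder password; never type a real Master Password here.
    for role, wif in derive_all_keys("angusg", "P5HerePutYourMasterPassword").items():
        print(f"{role:8s} {wif}")
```

The printed values are meaningless for any real account, but the structure is the point: each line is what get_private_key_from_password would return for that role, and changing the password argument changes all four lines.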
Thank you Gandalph! That really puts my mind to rest also thx for the cli_wallet tip. I signed up for SteemConnect V2 yesterday after reading your article and I'm just figuring that out. I'm also going to check my Google extensions and disable any I'm unsure about. I don't have many. I've backed up my keys and password and I think I'm going to take the risk on Streemian because I already connected for my Discord verification.
I can see that the possibilities for services and apps that extend Steemit is almost limitless, so security is always going to be one of the biggest nightmares.
Thank you for caring about our security and wellbeing and for taking the time to spell it out so clearly!
Just curious (not sure if I understand correctly)
How are those two things related?
I thought I remembered having to connect Streemian in order to register for the PALnet/MinnowsSupportProject on Discord, but it was actually just through my main Steemit wallet. I was hunting just now for the first post I followed that had the instructions, and it was this one.
https://steemit.com/minnowsupportproject/@discordiant/registration-tutorial-msp-palnet
So I couldn't remember what it was I'd been asked to do in Streemian, then I remembered it was this post, which was to do with joining TeamAustralia instead. I was following the instructions about halfway down.
https://steemit.com/teamaustralia/@scooter77/supporting-centerlink-and-teamaustralia-all-sbd-from-this-post-donated-to-centerlink-program-how-can-you-ensure-your-upvoting
On Discord one of the instructions in the pinned messages on the teamaustralia page registration was to follow the banjo bot and minnowssupport bots and send them $0.01 each to authenticate, then to go to steemvoter and set up a rule to follow minnowsupport, then to go to Streemian, authenticate the Streemian account also with $0.01 then follow the @centerlink curation trail, then to let an admin know.
Can't remember the exact order I did it in. I just remember that the first time I logged onto streemian they had two authentication apps and the first one crashed and went to an unlocked (not https) page and the second one was a .js app and worked okay. I'm on windows 7 so it may be different for a mac user.
OK, thank you for clarification.