On Sharing Keys and Passwords with SteemConnect: How Safe Is It?

in #steemconnect · 7 years ago

While "steem surfing" (a term I just coined, for lack of an official one), I came across several sites that redirect you and require you to sign in via SteemConnect before proceeding.

For those who don't know, "SteemConnect is the ideal solution for making it easy and safe for users to sign in to 3rd party Steem applications and for developers to build and scale these applications." (Source: https://busy.org/@steemitblog/steemconnect-2-0-easy-fast-efficient-access-to-the-steem-blockchain). This indeed sounds like a great platform. Instead of having to share your Steemit keys with all sorts of different third party apps, SteemConnect acts as a common, familiar and comfortable middleman that handles all your authentication needs with these apps.

There is only one hurdle for me -- SteemConnect will sometimes ask for your active or owner key, or even your master password.

[Screenshot: the SteemConnect sign-in prompt asking for the active or owner key]

This instantly sets off a warning signal in my mind: "Can we trust SteemConnect with our keys and passwords?" I'm sure some of us have also noticed the warning the Steemit site shows whenever we check our wallets:

[Screenshot: the Steemit wallet warning about sharing keys]

So can we really trust SteemConnect with our keys and passwords?

In summarizing my research, I gathered the following three points, which I believe others with the same concern will appreciate:

  1. SteemConnect is actually an official partnership between Steemit Inc and the Busy team. We already trust Steemit with our keys and passwords, so having the Steemit team officially back and collaborate with the original developers of SteemConnect is certainly a confidence booster. Check out the post here: https://busy.org/@steemitblog/steemconnect-2-0-easy-fast-efficient-access-to-the-steem-blockchain

  2. The article goes on to say that "SteemConnect is a community project. That’s why it’s open source under MIT license, for anyone to use (and contribute to) as they see fit!" This is another plus point for me. No hidden code: the entire codebase is available for everyone to use, study and contribute to, so the claim in the next point (that keys never leave the browser) can be checked against the source rather than taken on faith, provided the site you load actually serves that code.

  3. And finally, I managed to also get a clarification from @Fabien, one of the founders of @Busy.org. Here is his clear and concise reply: "With SteemConnect2 you need to grant @busy.app permission to post on your behalf, so the app busy can post for you. This operation requires at least your active key when you authorize the app; then you can log in with your memo key or posting key. You can revoke @busy.app anytime using this link http://steemconnect.com/revoke/@busy.app
     The active key is only used to make the operation in your browser, then discarded; nothing stays or goes to the server."
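To make point 3 concrete, here is an added example (my own illustration, not SteemConnect's or busy.org's code) of what "granting @busy.app permission to post on your behalf" is at the chain level: the app account is added to your posting authority as an account_auth by an account_update operation, which is why the active key is needed once to sign it; revoking removes the entry again. It also shows which key tier each common operation needs. The account name, placeholder keys and metadata are constructed for the example.

```javascript
// Added example, not SteemConnect's or busy.org's own code. It shows what
// "granting @busy.app permission to post on your behalf" is on the Steem chain:
// the app account is added to the user's POSTING authority as an account_auth,
// via an account_update operation. Changing an authority needs the ACTIVE key
// to sign, which is why SteemConnect asks for it once; the key is used by the
// client to sign and only the signed transaction is broadcast. Revoking removes
// the entry again. Account name, keys and metadata below are constructed.

// Constructed sample account. A Steem authority is a weight_threshold plus
// weighted key_auths ([public key, weight]) and account_auths ([account, weight]).
const SAMPLE_ACCOUNT = {
  name: "alice",                                     // constructed
  memo_key: "STM-memo-key-placeholder",              // constructed placeholder
  json_metadata: "",
  posting: {
    weight_threshold: 1,
    account_auths: [],                               // no apps authorized yet
    key_auths: [["STM-posting-key-placeholder", 1]], // constructed placeholder
  },
};

// Authority entries must be unique and sorted by name; an entry whose weight
// reaches weight_threshold can satisfy the authority on its own.
function sortedAuths(auths) {
  return [...auths].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
}

// Grant: add (or re-weight) the app in the posting authority. Pure function;
// the original authority object is left untouched.
function grantPostingAuth(posting, appAccount, weight = 1) {
  const others = posting.account_auths.filter(([name]) => name !== appAccount);
  return { ...posting, account_auths: sortedAuths([...others, [appAccount, weight]]) };
}

// Revoke: drop the app from the posting authority (what /revoke/@busy.app does).
function revokePostingAuth(posting, appAccount) {
  return {
    ...posting,
    account_auths: posting.account_auths.filter(([name]) => name !== appAccount),
  };
}

// The check to run on your own account after authorizing or revoking: which
// accounts can currently post on your behalf?
function authorizedApps(posting) {
  return posting.account_auths.map(([name]) => name);
}

// The operation the client signs and broadcasts. memo_key and json_metadata are
// required fields of account_update, so the current values are repeated.
// No private key appears anywhere in the payload.
function buildAccountUpdate(account, newPosting) {
  return [
    "account_update",
    {
      account: account.name,
      posting: newPosting,
      memo_key: account.memo_key,
      json_metadata: account.json_metadata,
    },
  ];
}

// Lowest key tier that can sign a given operation: the "use the least
// powerful key that works" rule. account_update needs active, unless it
// touches the owner authority itself, which needs the owner key.
function requiredAuthority([opName, payload]) {
  if (opName === "account_update") return payload.owner ? "owner" : "active";
  if (["transfer", "transfer_to_savings", "transfer_to_vesting"].includes(opName)) return "active";
  if (["vote", "comment"].includes(opName)) return "posting";
  throw new Error(`unknown operation: ${opName}`);
}

// Walk through authorize -> check -> revoke on the constructed account.
const granted = grantPostingAuth(SAMPLE_ACCOUNT.posting, "busy.app");
const op = buildAccountUpdate(SAMPLE_ACCOUNT, granted);
console.log("authorized apps:", authorizedApps(granted));
console.log("signs with:", requiredAuthority(op));
console.log("after revoke:", authorizedApps(revokePostingAuth(granted, "busy.app")));
```

The practical check this gives you: after authorizing an app, look at your account's posting.account_auths (any Steem block explorer or the `get_accounts` API shows it) and confirm only the apps you expect are listed; the revoke link should make the entry disappear again.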

After internalizing all my research, I'm quite reassured. I hope this also provides useful input to those who are worried about this particular concern.

As always, let me know your thoughts and feedback on this matter. Have a great week ahead!


But what if http://steemconnect.com is ever hacked and manipulated to phish the master passwords in this process??

Hi @overunitydotcom, I'm not an expert in security. But I think getting hacked is certainly within the realm of possibility. There are some things we can do to reduce this possibility. First, make sure SteemConnect is accessed via a secure HTTPS connection, so you'll need to make sure you see this in your browser:

[Screenshot: the browser's HTTPS padlock indicator for steemconnect.com]

Second, always use the Posting Key if all you're going to do is upvoting, posting and commenting. If you do need to transfer Steem or SBD, or grant an app access to your account, use the Active Key. In short, never ever use your Owner Key -- reserve the owner key only for changing passwords.

Third, if you have any SBD or Steem in your wallet, move them to Savings or Power Up to Steem Power.

These should minimize your risk exposure. Hope this helps.

Hmm, but SteemConnect wants to have your master key, not just your posting key...
So who is running Steemconnect.com?
They don't even have an impressum (about us) on their website... Why should I trust them with my master keys???

Hi @overunitydotcom,

They don't store the keys that you enter in SteemConnect. Also, you'll have the option of either the active key or the owner key (master password). I always use the active key. Avoid using the owner key as much as possible.

Steemconnect was developed by the busy.org team (the team behind https://busy.org). They've been endorsed specifically by the Steemit team to develop it.

Just to let you know, I've used Steemconnect countless times and have not encountered any issue so far. So I'm reasonably confident in it now.

Can I really also use just the posting key when signing in to SteemConnect?
I tried this, but they always wanted to have the active key... I would be more comfortable using it if I could use only the posting key...
Why is that not sufficient?

Where is my master key stored then? In the Steemconnect.com database, or where?
Who can access it?

I’ve been using Steemconnect on Musing and dLike... however, today upon trying to log in, it doesn’t offer the option to click my usual account, but it starts from scratch asking for my username and key - which has never happened since I first input it months ago...

Wondering if this is anything to be concerned about, if there has been an app-wise reset, this is normal, etc...

Do you happen to know what's up?

Definitely, we can trust it. I agree with you...

Great to hear your affirmation. Cheers! :)

Thanks, I have had the same concerns, but now I am going to use SteemConnect.

Informative post and comments, but I think it's generally a mess. Steemit should have this feature built-in, we shouldn't have to use 3rd party website.

They don't store the keys that you enter in steemconnect.

Ok, that's interesting, so where is it stored? In a cookie? I hope it's at least properly encrypted...

Edit: Maybe I was too harsh calling it a mess; we have to remember it's all built on top of a blockchain.

Thanks for this post, really helpful :)

I can't log in to SteemConnect. Is the password the same as my master key then? I'm a little confused and it's really aggravating me.

Getting an error when I try to log in. It says not enough mana?