Steem Basics: Understanding Private Keys

in #steem6 years ago (edited)

Steem Basics Private Keys v4.jpg

In a previous post we discussed how we are in the process of splitting Condenser (the open source software that powers steemit.com) into two separate applications that will work together seamlessly. One application will handle all the financial functions (wallet) that require a higher level of security, and the other application will handle all the social functions that require a relatively lower level of security. The end result will be two applications that are more secure and optimized for their specific functions.

Private Key Management

This “separation of concerns” is similar in concept to the different types of keys every Steem account holder is given when they create an account. These keys “unlock” different levels of control over an account. One of the advantages of the split will be that it will enable us to create a more intuitive user experience with respect to the use of your keys. For that reason we thought we would take this opportunity to educate any users who are still confused by the private key system on what these keys do and how they can be used safely.

Posting Key

In today’s post we want to focus primarily on the Posting Key and Master Password as these help explain the overall design of Steem’s private key system. Steem’s private keys are “hierarchical” which means that each one enables the key holder to perform a wider variety of activities with the associated account. The “Posting Key” is at the bottom of the hierarchy because it can do the least. It can only be used to perform social activities like posting, commenting, upvoting and downvoting. While these activities are common, they do not require a high level of security, because they do not authorize any operations which can negatively impact token balances.

If you prefer watching to reading, check out this video in which Steemit’s Content Director (@andrarchy) explains Steem’s Private Key system:

Screen Shot 2019-02-20 at 1.55.11 PM.png

To retrieve your Posting Key, go to the permissions tab inside your Steemit wallet. Your public Posting Key will be at the top of the page and alongside it you will see a button that says “SHOW PRIVATE KEY.” When you click on that button you will be prompted to input your Active Key or Master Password. Once you do so, your private Posting Key will be displayed. At this point you might want to consider saving this key to a password manager like LastPass or Dashlane for safe storage.

Permissions v2.png

A user’s keys are vulnerable any time they are entered into an application. A malicious actor could create a fake interface at a domain that is a common misspelling of steemit.com and that requests you input your private keys (phishing). A malicious browser plugin can also gain access to keys stored in your computer’s memory or your web browser’s cookies. Having a Posting Key ensures that the key that is used the most–and is therefore most likely to be acquired by a malicious actor–conveys the least authority. Even if a hacker does get this key, the only things they can do with the account are the social activities (as opposed to financial).

Key Hierarchy v2.jpg

Because the Posting Key has the fewest authorities, there is no harm in always attempting to use the Posting Key if you are not confident about which key should be used. In other words, if all of this sounds confusing, all you need to remember is that the safest option is to only use your Posting Key. If a key with higher authority is required to perform the action, you will be informed by the interface that the Posting Key is insufficient and that another key is required.

In the vast majority of such cases, you will then use your Active Key. But remember to be more cautious in those circumstances. That being said, the Posting Key can certainly be abused too, so users should always be vigilant. We will continue to release posts like this to educate users about how they can protect themselves within the Steem ecosystem.

Master Password

While a hacker acquiring a Posting Key might be unpleasant for the account holder, as long as the rightful account owner still has their Master Password (or their Owner Key), they can always change all the other keys and regain total control over their account.

Password v. Key

One might wonder why the Master Password isn’t also called a “key.” That’s because all of the keys are actually derived from this single password. That’s why it’s called the “Master” password. It is also called the “seed” because it is the first password that is created, and it is from that the rest of the keys spring forth. That’s why it can be used to perform any function on Steem, from social activities to financial activities. Its convenience has led many to use this password for everything, but this is the precise opposite of its intended use.

Since keys can be used to do any activity in Steem apps like steemit.com, the Master Password should be securely stored in a password manager (like LastPass or Dashlane), or offline entirely, and only used for highly-trusted applications, minimizing the risk it could be acquired by a malicious actor. Remember, if you use your private keys right, you be unlikely to use the Master Password ever, therefore sacrificing some convenience for the benefit of security is a worthwhile tradeoff.

Steem Connect and Keychain

Users should always be careful when signing into any site that requests any of their private keys. We at Steemit, Inc. can only speak to the security of steemit.com. Otherwise, we recommend only signing into websites through SteemConnect which is an open-source, universal, login layer for Steem Apps, built by a community developer (@fabien) in collaboration with Steemit, Inc. Think of it as “Facebook Connect” for Steem apps.

Users who do not want to input their private keys into Steem-powered websites can use the the Keychain extension created by the @steemmonsters team. Keychain stores Steem keys in a browser extension which can automatically provide the appropriate keys when prompted by a Steem app, thereby foregoing the need for users to expose their keys by copy-and-pasting them into a website.

steemconnect keychain.jpg

Summary

The goal of this post was to focus primarily on the Posting Key and Master Password because understanding these two items delivers the most insight into the overall design of the system. The Posting Key is at the very bottom of the hierarchy because it grants the least authority, but it is also the key Steemians should be using the most since it governs social functions. The Master Password, on the other hand, is at the very top of the hierarchy because it grants the most authority and is almost never necessary.

We will cover the rest of the keys in future posts, so if you found this informative, be sure to follow @steemitblog and please share this post with anyone who is trying to gain a better understanding of the private key system.

The Steemit Team

Sort:  

Great post. What is the memo key for and where does it fit in the security hierarchy?

Posted using Partiko iOS

Muy buena pregunta, estoy interesado también en esa clave que no entendí como usarla.

I agree about the Memo key and where it fits or is it a security risk. I feel vulnerable with all the changes going on with the wallet security. If you read my blog the other day I was frustrated and angery enough to get what I could and get lost. I need some one line solutions and I could settle down and hash my way through it, until then the old hawgwild is on a short leave, (Doctors orders; don't get to stressed out).

hola soy nuevo alguien me puede explicar como comenzar en la actividad, y que paginas serian mas productivas para unirme a la comunidad steem

This is crazy I upvoted you hours ago. maybe I didn't press post button hard enough the comment for you end up below danielndt or maybe it is because I was messing around with my setting, but my post of 11 hours ago was meant for you apshamilton.

I see you post under mine. The changes are confusing but for the better eventually I think. I use SteemPeak and Partiko rather than Steemit in any case.

Confusing plus I am going to just take it slow let all the info soak in thanks for your reply and advise. I will be following you.

hellooooo

hellooooo

Holaaaaa

good

good

when i try to view my private posting key it wont let me, i click reveal, log in, and then im logged in but it is still hidden, how do i fix this?

Magic Dice has rewarded your post with a 3% upvote. Thanks for playing Magic Dice.

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need. I agree with Crim, we need this in one easy to find location with some other FAQ. Nice progress!

Easy for you to say, I still feel vulnerable with things being changed fast.

This is really well put together! Well done~ I'm going to carry it through into some of the new user communities. I hope to see this rolled into the FAQ here or into however you refresh the introductory new user experience for front ends with the upcoming split~

Thanks Crim! That's the idea!

Superb video. Having things like this to send new users to when they ask about the keys, or even linking to from the FAQ in different dApps will be really helpful!

Shame I can't flag people who comment on YouTube though.

lol, why'd you make me look?!

Great video! This really breaks it down so it's useful to newbies but many users that have been here for a long time might have an 'aha' moment too :-)

Thanks for commenting, things are getting better in #Steemit and at #Steem network especially in the area of communication, information, advertising, and projecting Steem to the far ends of the planet earth!

Thanks @steemitblog for the reminder cum information.

I'd hope everyone uses a password manager if some sort as you need unique passwords for each site anyway. Something like Lastpass also reduces risk as it will only supply the password for the real site and not for a fake one.

감사합니다

I never got this one:
Master Password (or their Owner Key).
Are these two different names for the same thing or I'm missing something?

Yes I was confused by this as well for a long time but I'm pretty sure that yes Master/Owner key is the same, then you have the active and the posting key.

@oldtimer, @direwolf: No, they are not the same.
Owner Key is derived from the Master Password in a same way as Posting Key.

Let's say user bob is setting his new Master Password.
It will look like this: P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R.
Steem blockchain however, doesn't know anything about Master Password as such.
It uses keys, such as Posting Key, Active Key, Owner Key that are derived from the Master Password.
In such case bob will have:
Private Owner Key:
5JiD4BEytbFWMGeN3Zk9JfFFgFCTvfcDhDGReG7jt2DREY8JzMa
Private Active Key:
5K6p5g2ob577bA53qgLMGDGY3L3D7M4ccaY2qFSJppgEvJkeLFn
Private Posting Key:
5KW5yYgmPf7bRn6BFEWboLr9bj4QtmVJMNAm2SiErDN5BCGtWH5
How I know it? There's a cli_wallet functionality that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one, instead all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R
Same for every role.

In fact you don't need to have Master Password at all. Your private keys can be generated and changed independently.

What is a cli-wallet and where can I find it?

There's a cli_wallet functionality that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one, instead all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R

cli_wallet is a command line tool, a part of https://github.com/steemit/steem
You can either build it yourself or extract it from a docker image.

Thanks for the info. And where is the master password? Never seen it. I only got the four keys.

You get Master Password at the time of account creation through Steemit site (which I believe is what you got yours). You don't need it as long as you have all your private keys, or at least your private owner key, so you can set all the others.

Is there a scenario, where the private owner key is not enough and where you need the master password? e.g. account recovery?

No. Steem blockchain doesn't know about your Master Password.
Master Password is like a Master Key, that allows you to open doors on all levels of the building. You can use that one or separate keys. Separate key for the highest level in the building is enough to open it.
Also, if you change the lock in that door, Master Key will no longer be able to open it.

Ok. Now I know what's my error. I thought that I have the 4 private keys active, memo, posting and owner. I thought my password is missing. But: I do have the password and only the three private keys active, memo and posting. I don't know my owner private key, because it is not shown in the Steemit wallet. I think it is genarated automatically if I enter my password in Steemit.

Ist there a way to get the private owner key?

To oldtimer(74) Another old timer with some steem power and experience and you don't know either that's puzzling a minnow like me does not have a chance it seems. I wish I could give you the answer. Another fear of mine is bungling around and making the same mistake 3 or so times and lock myself out of my own blog and wallet sites. I thought I was locked out an hour ago, luckily I recorded all these keys and codes on paper 3 months ago. I had to try 3 of them and finally the type fest ended. whoever is implementing these changes would slow down so us Minnows can have some fun Please

Definitely one of the most useful posts on sorting steemit out I have seen in a long time excellent post.

This video was very good ... and it helps lot :)

This spam is courtesy of @fulltimegeek! A real piece of shit who flags manual curation projects like @themadcurator because he's a spiteful cunt!!!

What fack is this ? @lyndsayblowes

This spam is courtesy of @fulltimegeek! A real piece of shit who flags manual curation projects like @themadcurator because he's a spiteful cunt!!!

What is this ?????

This spam is courtesy of @fulltimegeek! A real piece of shit who flags manual curation projects like @themadcurator because he's a spiteful cunt!!!

Excellent work with this! :)

Thank you @steemitblog
This information is very useful especially for new users on our pride platform...

I agree.

Thank you,
This was a good review of an important topic.
I will resteem this post.

Muy buena la inducciòn acerca del manejo de las claves de seguridad de steemit. Gracias.

yes!

I resteemed this article. Thank you for the information.

Posted using Partiko iOS

nice tutorial :-)

Definitely very helpful and concise!

esteem app asks for master password. What can you say about that?

Esteem has SteemConnect support. It's a great app that has been around for a long time and has a great developer behind it, @good-karma.

Glad to know, im a huge fan

Nowadays you people are very active. it is very good ♥

We've always been active, we're just communicating a lot more ;) Thanks!

glad to hear this... boss

Good post. I will translate this and share it with our local communication members.

Interesting. Shared with my followers :-)

You separated the Owner Password from the Master Password in your diagram, but aren't they the same thing?

They are not! The Master Password is used to generate all the other keys, including the Owner Key. The confusion is usually around the fact that we don't even allow you to view your Master Password through steemit.com. That's because the only reason you should ever really be using your Master Password is when you are going through the account recovery, in which case you should be retrieving the Master Password from your safe storage. The Master Password is the password you get upon signing up. You should then take that password, go to your Steemit.com wallet, retrieve all the other keys, and only use those keys going forward. Hope that helps!

Is there a way to change the Master Password?

Yes, by clicking your avatar and selecting "Change Password." The password being referred to there and in the following page is the Master Password, because remember, there is only ONE password on Steem, the rest are KEYS.

Screen Shot 2019-02-22 at 9.15.57 AM.png

Thank you @steemblog that will help me so much!

It's high time that an official statement was made about the use of keys. Steemit has to be the only site I know of that has left its use and functions to be explained by 3rd parties. These important details need to be front and center for all users, all the time!

I'm glad to see progress finally being made in this regard.

Since steem.centerwiki has already done an excellent job of making sense of Steem, it would be prudent and most efficient to simply link to it as a great reference manual.

Good idea! Thanks!

Bookmark

Posted using Partiko iOS

Allow me to translate this post into Indonesian :)

Great! Steemit needs more official tutorials. This may also be of interest: Steemconnect login with posting key instead of active key

Great tutorial. Quite informative even though short. Would like to know, which category does the password generated using the link sent to our emails during sign-up, fall in?

Hi. I visited for the first time.

Im confised. I have 1 password and after some days i got one transaction id ..what is that then?

And when i have to use master key?

Thanks.. This post is very good

STEEM, is a token that can be transferred and traded like Bitcoin. STEEM can be converted to STEEM POWER.... Steem is the best. I think, Steem is A Proof of Concept (POC) and are a small exercise to test the design idea or assumption.

For me absolute stupid way here. Plaese dont name it private key if it is server key. Real private keys should be generate offline and never put into any open file on internet.

I'm having immense trouble with this - I can't get into my wallet to obtain the private key because it requires a private key to get in.

Is there a way to reset this with Steem or is there another way to get this securely?

Mi pregunta con cual clave ingreso a mi monedero para gestionar?

Again and again I try to withdraw SBD to Bittrex from my wallet and get -
"Transaction broadcast error"
I did it before hundreds of times.
I have read all instructions and manuals here,
I enter my Active Key
I enter memo and...
Again the same...
"Transaction broadcast error"
What is going on? Could anyone help me?

PS. OK, guys I have helped myself.
I have read the instructions one more time and it helped)))))
So, for transactions Withdrawal SBD for example - you need NOT all those keys, that are mentioned in your account. But that one, that is saved (if you had done transactions before, at Google Password manager.
IMPORTANT. This password start not from "S", or "5" but from "P" only.

dams ahole are gonna try stealing our Steem - having the same issue. This platform is getting to be a joke.

Very nice tutorial & very helpful and concise.

I don't get it yet :(
I click on the reveal button but the passwords stay the same (***************) like that.
I click reveal, I log in, but any of the keys reveal
help me out please?

Much more informative writings.

I think the picture of wallet should be changed as below.

I cant sell my steem... everytime i try to transfer to blocktrades it says "transaction broadcast error missing active authority..." it's driving me crazy! Help me i want the money back

I understand the key process and its' need but what I don't understand is when I log into my account and navigate to "key/permissions" and try to copy any key so I can save it outside my account , I cannot. I click "reveal" and it takes me to the log in page. I log in and that sends me back to permissions where I hit reveal again and I am sent back to login. How do i reveal my keys??????? Help!

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need.

Thanks, I could enter again

So, I should avoid logging on a Steem app I don't trust, even using my posting key?

I notice that when I login Dtube or Steem Monsters, I'm inside their domain, so I'm actually sending my password to their web server.

Some Steem App then can verify my password on blockchain, and save it? And use it on other Steem Apps? Or be hacked and have my password stolen and used?

Sorry, if my password is sent directly to a Steem App's web server and it's the one validating it on Steem blockchain, I don't feel secure about it. Shouldn't it be using some kind of token or single sign on? In example, many sites allow us to use a standard SSO to log on them, but in this case they redirect us to a SSO authoritative's website (Google in example) and it's in that one we login, then we're redirected back to original site who just recognize the authentication without ever seeing our password.

Yes, or you could use Steem Connect.

 6 years ago Reveal Comment