Memos, keys and passwords, Balrogs and Fields of Despair. Be safe. Almost $100k wasn't.

in steem •  7 years ago 

Two months ago I wrote that You shall not (leak your) pass.

My security research is an ongoing process, I'm trying to protect Steem users from hurting themselves by leaking their keys and passwords.
(Also with the help of @almost-digital's dsteem powered tools)

Apparently, it's not as easy as stopping Balrog.

Lately I've successfully secured hundreds of liquid SBD and STEEM and almost $100,000 worth of Steem Power. But there's not always a happy ending. Sometimes malicious users are faster. Sometimes you can't even tell if the current owner is the original one. Sometimes account recovery is needed. Sometimes it's just too late to do anything.

Gandalf's stories
- "Steem Wizardry" by Inber

Fields of Despair: Memo

The most common user error was to put private material into the memo field while doing transfers.
Keys, both public and private, should NOT be placed in memo fields.
Memo fields are used to distinguish one transfer from another.
Whatever you enter in a memo field will be available to the public. Forever.

Valid use cases include:

  • When Alice transfers 10 SBD to Bob she could enter Wednesday's Pizza in the memo field to let Bob know what it is for.
  • When Dylan appreciates Bob's new lyrics, he sends him 100 STEEM with the memo Dude, "Masters of War" is a cool song, but Tatiana's version is so much better
  • When Frank wants to get a flag from Charlie, he sends his post's url as a memo.

Memo fields used while making deposits (sending money) to exchanges

Sometimes however, you have to set your memo exactly as directed.
Exchanges, such as bittrex, blocktrades, changelly, poloniex and others require you to set the memo to an exact value when you are sending money to them. They are using that specific memo value to distinguish transfers. Each user has their own distinct memo value but it has nothing to do with your keys or passwords! To get your proper memo value, you need to follow the exchange's deposit instructions. If you don't, you will lose your funds.
Please note that usually there's a different memo for sending SBD and a different one for sending STEEM.

This is what a bittrex memo might look like:
This is what a blocktrades memo might look like:
This is what a changelly memo might look like:
This is what a poloniex memo might look like:

A memo is never your key or password.

Memo fields used while making withdrawals (sending money) from exchanges

For many digital currencies, your address is the key. Steem is different. Your address on Steem is your account name.
When alice wants to send STEEM to bob, she just needs to put bob in the address field. The memo field is optional in this case. Regardless of the memo value (which can be empty), bob will receive those funds.

How can I lose my key?

Unfortunately, there are many, many ways users can leak their keys and passwords.
Do you think that this post is not about you?
Are you sure? I've already seen hundreds of leaked keys.
For over a year, it was never a software error. It was always a BKAC one.

There are people that are well aware of the importance of keeping private stuff private.
Errors, however, can happen.
Even to smart people.
Even to you.

Sometimes one misclick is enough.

You have copied your key and pasted it in the login window?
Have you checked that link you've used was to
Or just to a site that looked the same?
Are you logging in using your private computer?
Or maybe you had a strong urge to upvote something while using a public PC in a library?
You keep your Master Password in your mailbox, so what could possibly go wrong?
Maybe you wanted to paste a link to cute kittens that you found just after logging in to Steemit and Ctrl+C didn't work for the link, but Ctrl+V did for the password?
You've used a cool tool that upvotes and stuff, but are you sure that it doesn't send your password through the net?
If you have any doubts, change your password/keys immediately.

Keys? Passwords? Whaaa?

The first rule of Steemit is: Do not lose your password.
The second rule of Steemit is: Do not lose your password.
The third rule of Steemit is: We cannot recover your password.
The fourth rule: If you can remember the password, it's not secure.
The fifth rule: Use only randomly-generated passwords.
The sixth rule: Do not tell anyone your password.
The seventh rule: Always back up your password.

Master Password: one password to rule them all.

When you set up your account through Steemit, you get a Master Password.
With the Master Password you can do everything with your account, because it "contains" all the keys to control it. In fact, the Master Password is used to derive all keys for your account.

What if you leak it?

All the bad things will happen, as if you leaked your Private Owner Key (see below for the consequences and instructions)

What if you lose it?

If you have your Private Owner Key saved somewhere, then you can use it instead.
If you don't have it, then GAME is OVER
Nobody will help you, because nobody can.

A more secure way is to use individual keys when appropriate.


Private Owner Key

It can do everything with your account, including changing other keys and the owner key itself, or doing account recovery. Keep it secret, keep it safe. You don't need it for daily use. Don't lose it. It is best to write it down and lock it in your safe or secret basement. It's your last resort in case your other keys are compromised.

What if you leak it?

You will lose control over your account, your keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of the funds every week for 13 weeks.
Try to change your keys immediately.
If it is too late, you have 30 days starting from the day it was changed to proceed with Stolen Accounts Recovery. It might or might not work and you might or might not be eligible to use it. If for some reason it doesn't succeed, you will never regain access to that (soon to be empty) account.

What if you lose it?

Nobody will help you, because nobody can.

Private Active Key

You can use it to do almost everything except for changing Private Owner Key. You can vote for witnesses, change your account properties such as your profile picture or cover image, change your Private Posting Key, and most importantly: transfer your funds. Use it only when you need to perform such actions.

What if you leak it?

You will lose control over your account, your active and posting keys will be changed, your liquid funds will be stolen instantly, your saving funds will be stolen after 3 days, your vested funds will be stolen at the rate of 1/13 of your funds every week for 13 weeks.
However, you can use your Private Owner Key or Master Password to change the leaked Private Active Key.

What if you lose it?

Use your Private Owner Key or Master Password to set a new one.

Private Posting Key

You can use it to post, upvote, follow, resteem, but not to transfer your funds. The best option for day-to-day use. Still, use it with care. Despite being only a "Posting" it is still "Private" and it is still a "Key".

What if you leak it?

Your posts and comments might get vandalized, malicious users might post, upvote, downvote, resteem etc. on your behalf. You can use your Private Active Key, Private Owner Key or Master Password to change the leaked Private Posting Key.

What if you lose it?

Use your Private Active Key, Private Owner Key or Master Password to set a new one.

Other keys

Signing Private Key and Memo Private Key are not in the scope of this post. If you need to use them, you already know what they are used for and why.

How do those keys look?

This is what a Public Key of any type (Owner, Active, Posting, etc.) can look like:
(please note that it starts with STM)

This is what a Private Key of any type (Owner, Active, Posting, etc.) can look like:
(please note that it starts with 5)

This is what a Master Password can look like:
(please note that it starts with P5)
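
A pre-broadcast memo check built on the prefixes above, as an added example (not code from the original post, from Steemit or from any Steem tool): it flags memo text containing a Base58Check-valid private key, a generated master password, or something shaped like a public key. It assumes the uncompressed WIF layout for `5...` keys, that a Steemit-generated master password is `P` followed by such a key, and that role keys are derived as sha256(account + role + password); all function names and sample values are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256(data):
    return hashlib.sha256(data).digest()


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out


def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-base58 character
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def to_wif(secret32):
    """Encode a 32-byte secret as 0x80 || secret || 4-byte double-SHA256 checksum."""
    payload = b"\x80" + secret32
    return b58encode(payload + _sha256(_sha256(payload))[:4])


def derive_private_wif(account, role, master_password):
    """Assumed derivation: the role key is sha256(account + role + password).
    The hash is one-way, which is why an owner key cannot give back the password."""
    return to_wif(_sha256((account + role + master_password).encode("utf-8")))


def is_wif_private_key(token):
    """True only for a 51-character '5...' string whose checksum verifies."""
    if len(token) != 51 or not token.startswith("5"):
        return False
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    return _sha256(_sha256(raw[:33]))[:4] == raw[33:]


RUN = re.compile("[%s]{51,}" % B58)
# Heuristic only: 'STM' plus 50 base58 characters, checksum not verified.
PUBKEY = re.compile("STM[%s]{50}" % B58)


def scan_memo(memo):
    """Return the kinds of key material found in a memo before it is broadcast."""
    findings = []
    for run in RUN.findall(memo):
        # Slide over the run so a key glued to neighbouring text is still caught.
        for i in range(len(run) - 50):
            if is_wif_private_key(run[i:i + 51]):
                is_master = i > 0 and run[i - 1] == "P"
                findings.append("master_password" if is_master else "private_key")
    if PUBKEY.search(memo):
        findings.append("public_key")  # harmless by itself, but a sign of confusion
    return findings


def safe_to_broadcast(memo):
    return not any(k in ("private_key", "master_password") for k in scan_memo(memo))


# Constructed sample data, not real credentials.
SAMPLE_MASTER = "P" + to_wif(_sha256(b"constructed sample, not a real password"))
SAMPLE_ACTIVE = derive_private_wif("alice", "active", SAMPLE_MASTER)

if __name__ == "__main__":
    for memo in ("Wednesday's Pizza", "deposit " + SAMPLE_ACTIVE, SAMPLE_MASTER):
        print(scan_memo(memo) or "ok")
```

A check like this only recognises generated key material; a hand-chosen master password has no fixed format and will pass through unnoticed.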

Never send your keys online

A Private Key is called PRIVATE for a reason.
You cannot post it online.

"- OK, but when I log in on I post my key so the site knows it's me, right?"

No. The Steemit site is written in a way that your key is kept locally in your browser at all times. When you post or comment or upvote, such transactions are signed with your key.
The signature is sent with the transaction but your private key isn't.

Every time you enter your key or password in some app or site, you need to trust it.
There are many scenarios in which you might lose your key:

  • the author of an app might be malicious and instead of keeping your keys locally to sign transactions, he will send them to his server and misuse them
  • the author of an app might not be skilled enough and might manage your key in an insecure way, thus putting your account at risk


You will lose your funds if you disclose your private key.

Do not learn from your own mistakes, learn from the mistakes of other users.

If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on, as Gandalf

Steem On
Be Safe


Just for the sake of it and to be double sure about the privacy of my keys, I'm going to reassign them to new codes a.s.a.p. I can't thank you enough for this information you are sharing with us today, it goes deeper into the functions of what keys are and their potential ramifications. They are so powerful, yet so vulnerable...

Namaste :)

will have to read this - and many other posts on the subject - over and over again... with time I am sure and full of hope... I will understand more and more... Greetings from a newbee and tech autist... but willing and eager to learn and find out! Thank you for your post, Gandalf! had a smile on my face when I looked on the drawing with the pipe... here you can see why - hubby and best friend on our porch :-)

Awesome :-)) say hello to those guys :-)
Steem platform is like nothing else, so it is really not that easy to get familiar with all technical details, however, in time, it would make more and more sense to you.
Good luck.

Too late to ask a question 4 months later? :-)

I thought that Master and Owner key are one and the same, so I checked and yes I only have Owners key, well I have all keys but Master.

Question, is there a way to retrieve a Master key with Owners private key?

If you are dealing with your keys through site it is most likely that you have a Master Password that you got while creating your account. It's the one that starts with P. Owner key and others are derived from that password. So no, you can't get Master Password while having Owner private key, but you can get Owner private key from your Master Password (assuming that individual keys weren't changed from derived ones).

Thank you very much!
I thought I had lost it since I didn't know Master existed also, didn't pay attention at registration, but I just found it saved on my CD. Phew!

Good to know that Master is the ultimate key, above all others. I just misled someone who I brought to Steemit. I need to fix this, thanks again for clarification.

Thank you for this post, you've really made me realise I need to be much more careful!

Sorry to ask but I'm still confused about a few things.

  1. I use Chrome and my google smart lock settings remember my password when I log into Steemit. Is this a problem?

  2. In my wallet I have four categories of Keys - Posting Key, Active Key, Owner Key & Memo Key. My Owner Key is the only one that doesn't have a "show private key" tab next to it. It says: "The private key or password for the owner key should be kept offline as much as possible." I got really confused by this ie. what is the password for the owner key and where would I find it? Is it the original password that was emailed (starts with PK)

  3. Private active key. It says "the active key is used to make transfers and place orders in the internal market". A few services like Streemian have asked for the private active key. Is that normal? Why can't they just use the STM version of the active key instead? Also when I first logged onto Streemian I entered my private key into the first app they had on the page but then when I hit enter it came up with an error and I then noticed it didn't have a secure lock on the URL, so I tried the second app (the .js one) and it did have a secure lock and worked okay. Is Streemian safe or should I consider changing my keys?

  4. If I want to change my keys I can only find one option which is to reset Password. Does that reset all the keys as well? If I'm still using the first password I was given on acceptance/login to Steemit is that a mistake and should I have changed it?

Thanks for your article, sorry to ask what are probably obvious/annoying questions! Have just voted for you as Witness.

Ad. 1. Saving password in your browser is as safe as the weakest link in the chain: browser - operating system - computer. Up to date Chrome browser is a safe choice. Make sure you don't use any shady extensions. Also, make sure that this is not the only place where your password is stored (what if you lose access to it?).
Using appropriate keys > Using Master Password

Ad. 2. That P5.... thing is the Master Password. Under the hood it does nothing except being a source for your keys that are derived from it and used when appropriate. So you can use Master Password for posting and same Master Password for transferring funds. That's for convenience. For better security it's better to use posting / active when needed.
There's no way currently to display owner key in the browser, but you don't really need it when you have Master Password that can serve same role (also for account recovery).
If you really want to you can use cli_wallet for that:
get_private_key_from_password angusg owner P5HerePutYourMasterPassword

Ad.3. When any service asks you for your password / key you should be very careful and general rule is to refuse if you are not absolutely sure that it's ok.
streemian is a well known service made by a reputable steemian - @xeroc
If you trust that site and its owner then you might want to take that risk.
I did with my gandalf account. :-)
Streemian is using your Private Active Key to sign a transaction that adds appropriate posting authority to your account, so later on Streemian can do voting on your behalf (without knowing your Private Active Key or even your Private Posting Key). That's the proper way of doing things. Currently however, there's an even better way to do that without worrying about entering your key on an unknown site. It's called SteemConnect v2.
If you have any doubts - change your keys to be sure.

Ad. 4. Yes. Changing password changes your Master Password, from new one new keys are derived and replace old ones. Changing initial password is not required.

Thank you Gandalph! That really puts my mind to rest also thx for the cli_wallet tip. I signed up for SteemConnect V2 yesterday after reading your article and I'm just figuring that out. I'm also going to check my Google extensions and disable any I'm unsure about. I don't have many. I've backed up my keys and password and I think I'm going to take the risk on Streemian because I already connected for my Discord verification.

I can see that the possibilities for services and apps that extend Steemit is almost limitless, so security is always going to be one of the biggest nightmares.

Thank you for caring about our security and wellbeing and for taking the time to spell it out so clearly!

Just curious (not sure if I understand correctly)

I'm going to take the risk on Streemian because I already connected for my Discord verification.

How are those two things related?

I thought I remembered having to connect Streemian in order to register for the PALnet/MinnowsSupportProject on Discord but it was actually just through my main Steemit wallet. Was hunting just now for the first post I followed that had the instructions and it was this one.

So I couldn't remember what it was I'd been asked to do in Streemian then I remembered it was this post which was to do with joining TeamAustralia instead, I was following the instructions about halfway down.

On Discord one of the instructions in the pinned messages on the teamaustralia page registration was to follow the banjo bot and minnowssupport bots and send them $0.01 each to authenticate, then to go to steemvoter and set up a rule to follow minnowsupport, then to go to Streemian, authenticate the Streemian account also with $0.01 then follow the @centerlink curation trail, then to let an admin know.

Can't remember the exact order I did it in. I just remember that the first time I logged onto streemian they had two authentication apps and the first one crashed and went to an unlocked (not https) page and the second one was a .js app and worked okay. I'm on windows 7 so it may be different for a mac user.

OK, thank you for clarification.

Gandalf is steeming some really good stuff.

Thanks for sharing that information! There were some times when I nearly pasted my key into the memo field.

Too many 3rd party websites ask me for my Steem keys. This is a ubiquitous bad practice encouraged by the community. needs something like an oauth - a single secure protocol to manage access without the need to disclose the keys.

The answer is: SteemConnect v2

This is great! I never realized there's actually a working solution. Thanks for pointing it out!

I agree. I want to test out the many interesting services built on top of Steem without trusting them with my Steem keys yet.

So basically use common sense?

That should work :-)

Private key starts with "5j" , but also memo key starts the same, right?

All keys, whether it is Owner, Active, Posting or Memo, come in pairs: Private and Public.

Private keys start with 5
Public keys start with STM

Well I am stupid like a broken brick. I proclaimed myself as 'IT security enthusiast' and what I did in my first transfer from bittrex? Put my public memo key in memo field. And it was after I've read posts of @lukmarcus and @noisy about not doing it. What a moron. I have planned a self-sterilization for this evening so no more chances for my genes to survive. And all of these greatly explains my avatar image selection (this sentence is kind of offending for apes, sorry guys, didn't mean to).

It is not helping my despair that it was only public key. No keys means no keys.

Sending a public key doesn't do any harm, it's just an indicator that you are doing something wrong which might lead to some bigger mistakes in the future. Fortunately you've realized that in time and now it's good.
So... every cloud has a silver lining ;-)

Thank you so much for your help, and for keeping us safe. I got my account back and I really appreciate everything you do.

Thank you for your kind words.

You don't have to thank me, you did all the work 😆 really am thankful

gtg is awesome hum. Glad you recovered Dear. He protect steemians!! cya sweetie

He really does 😆

Thank you, this is a great reminder to take care of our passwords and that these things happen to even the best of us.

Isn't this fixed? Didn't they block posting keys in the memo field?
Thanks for all the good info, very useful

This is a much broader case than just a key in the memo field.
Of course app providers can restrict the memo field in a way to not allow posting key material. Some of the exchanges do that already.
Also, even if an app provider doesn't check the memo field, recent nodes would block most of such transactions (but at this point the key is in fact already leaked at least to such a node).
Unfortunately there are a lot more possibilities here, like posting such key on social media, chats or other public places.

Great write up. Passwords is something anyone can slip up on. Everyone needs a reminder from time to time.

Thanks for the share! Resteeming for that gentle reminder :)

Thank you :-)

good info I am new to steemit and just learning I still have never sent any SBD to anyone or anywhere and want to learn as much as I can so I do it safely for someone new like me can you recommend a link or post that has some step by step instructions for how to power up or what the best practices are to maximize how much steem I can earn? I am not the best with computers or tech language and a lot of these post seem to overwhelm me so some simple info to help would be best thanks so much will upvote for you as a witness as well.

Thank you :-)
I would recommend to start with Quickstart Guide and Frequently Asked Questions.

I never knew just how secure these keys are until I read your post. I didn't really have much value in my account but that could change and losing the little I have there is still a thought I don't want to entertain. Thank you for the education.

Thanks for sharing this, always good to inform newbies and refresh it for experienced crypto users about the risks which come with controlling your own money (and "bank accounts" in that sense).

Might be worth mentioning that those tips apply more or less to all cryptos, not just Steem!

It was somewhat surprising how often this seems to happen. But then it ALMOST happened to me... A simple copy paste that did not turn out as expected! Luckily a habit of double and triple checking caught the mistake!

This is a very handy article and I will be sure to remember what you said.

Safety first, I can't stop thanking you for this lecture . Your are a cheerful giver, thanks @gtg

Great post. I can't wait until SteemConnect2 is released since I like to delegate SP to my wife or Minnowboosters but always worry about using the existing tools (except for Vessel) because of the reasons you mentioned.

Thanks again for saving my account!!!! I will never do the same mistake) anyway i will try lol 😁😁😁

Your post is very useful for people like me)) Thanks for writing it for us and for warning about this danger!
Thanks for your time to this post, cos i know how busy you are) 😉😉

I'm glad it ended well. :-)

Me too 😂😁😁

Good thing to know. You're making me worried now, but a little concern is a good thing.

I still don't understand what keys are used for though. Is that like some kind of backup password or something?

You might think about Master Password as a container with all the keys inside to make life simpler for users that are not used to managing key material. In fact, under the hood, Steem doesn't know anything about Master Password. Steem uses keys. Steemit site, on browser side (i.e. locally, on your device) gets proper key from Master Password and uses it to perform actions on Steem. Changing Master Password generates all new key pairs and replaces them.

Thanks for the reminders about the password... lots of hard work could be wasted if you aren't careful!

Account safety is really important. I mean you work for a year on steemit, gather 10k steem and for a hacker it takes just few minutes to take it all if we are not careful. really liked your examples when we can reveal our keys by mistake. And I guess that can happen to anyone.

Man, you're a mystery comparing to other witnesses I've checked.
I've checked your posts all the way to the first one and all I found about you is you are into witness node security, user key security and you have a cat.
Well, somebody needs to be concerned about security stuff so, you have my vote ^_^
PS: I didn't TL;DR this post, I'll be careful.

Thank you :-)

I literally just logged in here via mobile for the first time. The password wasn't valid. I nearly panicked. I checked my notes again and cross checked with a handwritten one. Somehow, my notes on my phone had the password doubled and copied in length with one letter missing. Thank goodness for my handwritten one I keep on my person at all times. I don't even know how this screwed up!

Another excellent post by a key member of the community. Thank you. As you may recall I'm new, lost, and confused on all fronts here......but less so these days thanks you and others like @lukestokes, @karenmckersie. But a special thank you to you and this post here. As I plan on transferring out a little steam to my bitpay card through bittrex. Will be my first time doing this. So perfect timing to read this post, before I go ahead and put my password in the memo field or some other total rookie mistake. Great post and keep up the great work! -Dan

Thank you for your important work and also to emphasize on the difference between public and private keys! Because the keys are so abstract, just a string we/somebody don't relate to their value or the funds we invested sometimes. We are used to have physical objects like cards, keys and are often very careful with these touchable things but with such virtual string chains it is sometimes not so obvious or we are simply not aware.

We have hundreds of passwords for the internet and sometimes no secure password paper wallet or tool. Sometimes also STRG+C, STRG+V can be dangerous.. just one moment of lacking in concentration and a private key is posted somewhere.. better to be calm with such things is my recommendation, because it's easier to paste a string than use a key made of steel!

It seems that you are an expert when it comes to security. The Empire has a very significant security issue but my moronic, puke-inducing, decrepit, old boss The Emperor refuses to address it. What would you suggest for this?

My boss says not to worry because it is only about 2 meters across, but he's a freaking idiot so I try not to listen to his gravelly voice.

If you think of something, The Empire would appreciate it if you left your suggestion here or in the comments of my latest transmission.

Oh my, that looks like a serious security vulnerability. Some serious bugs could slip through such hole causing Kernel Panic or Blue Star Screen of Death.
Patch it, you should.

Sadly this is who my boss has put in charge of IT.

I keep telling my idiot boss this needs to be patched ASAP, but you know how old people are with technology .

I'm just the most powerful being who ever lived, what would I know?

Some day I swear I'm going to throw my boss down a bottomless shaft.

You deserve my witness vote. Good luck gtg!

Thank you :-)

Thank you. I have to read this again at home when I can chew on it. Don't you have to give your posting key to steemian to use their services? Isn't that a problem too?

For a regular user it is very hard to tell if an app is using your key only locally to sign transactions or if it is sending that key somewhere and storing it online for malicious or ignorance reasons.
SteemConnect v2 is going to solve most of such concerns, it is an awesome service that would help both developers and users.
I'm looking forward for wider adoption.

Thanks for the info, I'll make sure I take proper care. But I still hope that some day steem gets easier to use for everyone, especially since millions will be adding up before the next year ends.

Safe and easy authorization? Sounds like a nobel prize challenge. ;-)

True, lol.

Really alarming and such a scary picture I have seen due to a little ignorance, thank you dear @gtg for this information.

Interesting your posts. I love to read each and every post of yours. Sometimes I don't get time to read the full content but I make sure that whenever I am free I read the whole thing. Thanks for sharing... :)

I love to read each and every post of yours.

Yeah, for sure. You've posted that very same comment under multiple posts, but none of those posts was loved enough to get your precious upvote. Unlike every one of your own comments.


Sometimes, you just have to wonder????

Great info - much appreciated :D

Very useful for SteeMians!
thanks for sharing.

Thanks for this

a debt of gratitude is in order for sharing.

Dear friend! I really liked your post, well written. I'm asking you to go to my page and mark "like" or leave a comment in the posts. Did you like it and you subscribe to me? I will reciprocate and You will be very grateful. Thank you! :))

Lol so funny

Hi.. I'm new Here, I need a push , thank you for up vote this post

Spamming with such comments doesn't make you succeed on this platform. Create original, good quality content, work hard, then you have a chance to be noticed. Taking shortcuts doesn't pay well here.

Very informative! Thanks for sharing this with us. You saved me...I will be careful now.

great tips...upvote and resteem

The @OriginalWorks bot has determined this post by @gtg to be original material and upvoted it!

waw ... nice post @gtg

very useful for me. so that our future should be more careful again

thanks :-)

Potate potato

@gtg This information is priceless. Now I am beginning to understand a lot more. Thank You Deeply.

Thanks buddy, awesome article. Account security is of the utmost importance.
I know I would hate losing my account to some guy who has not taken the time to build this account.
You're actually making me think how safe our browsers really are!!!!

thanks for sharing things like this we need

Congratulations @gtg, this post is the most rewarded post (based on pending payouts) in the last 12 hours written by a Superhero or Legend account holder (accounts hold greater than 100 Mega Vests). The total number of posts by Superhero and Legend account holders during this period was 25 and the total pending payments to posts in these categories was $1084.47. To see the full list of highest paid posts across all accounts categories, click here.

You shall not pass! But I passed a one month period of steem life here :p it's my birthday here, yay! I know, I'm not in topic, but wanted to share my positives

Happy birthday :-)

Thank you :3

Knowledgeable sharing for fresher and experienced steemians... we have to secure ourselves from hackers...

Congratulations @gtg!
Your post was mentioned in the hit parade in the following category:

  • Pending payout - Ranked 4 with $ 341,74

Congratulations, your post received one of the top 10 most powerful upvotes in the last 12 hours. You received an upvote from @blocktrades valued at 102.53 SBD, based on the pending payout at the time the data was extracted.

Useful post. Thanks!!!

Good Info

This was very helpful. Thanks for sharing @gtg!

thanks for the information. what your news is useful for us all ..

Thanks for distinguishing the uses of the different keys and different levels of precautions that should be taken with each. Unfortunately, I think having to manage and safeguard Steem keys manually is a huge deterrent for the average consumer. I think that some sort of password managing tool will have to be adopted in the future before the mass market is onboarded onto Steem services.

This is amazing info but I need to read it again 🙀

great post

I have a bad experience on my account, I am diligent writing, suddenly 8 SBD I lost, for me 8 SBD is very useful because I just use steemit. thanks for the information @gtg.

@bukharisulaiman From Aceh-Indonesia


Very good article...

This is very informative sob

Dear friend! I really liked your post, well written.

Very useful for SteeMians!
Good to see you for long time.

Pretty nice advices. Thank you so much

help me to earn dollars

Maybe go find a job instead of wasting your time on spamming with this comment all around?

thank you for your sharing

Thanks for sharing this info

We have elected to put our money and faith in a mathematical framework that is free of politics and human error



Awesome! I just checked out your page after you left a comment on my video, and you have some great stuff on here! Def gunna follow ya! Cheers!

Very, very helpful. Many thanks! I'm bookmarking and evaluating my use of keys.

Follow=Follow + 5 upvotes
Please follow me and say hello in the comment, in response I will follow you back and give you 5 upvotes. win win.

Deal is a Deal.

Win win? Not really. How would the Steem Platform gain from that?
Upvote for upvote doesn't do any good.
Upvoting original, high quality content profits us all.

Great post my friend. Helpful information.

Amazing thank you foto please follow and vote me @bilqis07

Thanks so much @gtg. You are doing an excellent job. If you believe in God, I would say God bless you.

I have a question: Why is there a public and private memo key?

You can encrypt a memo message with the receiver's public key, so they can decrypt it with their private key.


a lesson well learnt

great info! nice picture steemit

Interesting! Thank you for the info!

Hi, I'm Venezuelan, I like your post. Can you give me your vote in my post? @gtg

Wow I never realised the situation was that bad

Good post

Hi GTG, thank you for this very important post which I almost missed. I only found it because I have just voted you as my witness. I would be so happy if you could support me a little. Please also check out my post for some good vitamins:

I never used my Private Key which is printed since I created my account!

I just used my active for transfers and every day I use Post key. I keep them in a pen drive encrypted and I use a Mac Book Pro, not windows which is hard to be hacked, but not impossible.

So I really don't know what happened to my account today earlier. After my keys were not working I tried to put my owner key in login to change and even my owner key was hijacked :=/

I'm awaiting the recover link from steemit.

Tks for all the information @gtg

PS: I hope @steemit can increase safety measures with 2FA or so with more people coming now. This is a lack of security since I'm not a dumb and I never shared my key in memos or with anyone ;-)

Very wise words indeed. I will need to reread this several more times to let it soak in since I am a newbie here. This is important information and needs to be spread. Upvoted and resteemed for all newbies...

hey, I have a friend that was hacked today just like me about some 4 hours ago +, and she didn't share any key for sure. I already recovered my account in just 3 hours, she is waiting the link yet @saffisara and there is another guy @mikepm74 that is waiting for days now the link.

Another friend account @michaeldavid and @sneaky-ninja was just hacked and more than 800 usd was sent to bittrex and he doesn't use bittrex account.

well, there is something going on here for sure today and I will try to figure out and would appreciate your help.


thanks for posting this raph. For reference, mikepm74 (My real account) has been locked since Saturday afternoon, I was able to pull an old copy of my key and submit account recovery Saturday evening. The system said it received and I should await verification of my identity. I'm just wondering how long that process takes.


this is weird!!! really weird mate!! I never shared my key, I use a Mac OS and run antivirus.

This seems a pretty well-coordinated attack here on @steemit

Steemit should increase some security issues quickly

@saffisara leaked her password to the public and was changed by bot. For some reason notification wasn't sent but I can confirm it was locked by bot just as yours.
Other accounts you mentioned weren't spotted by bot on time or at all and might be unrelated to this research.

tks @gtg for keep us safe. :-) Maybe the others are unrelated to this research yep!! tks a lot


Hi - none of this stuff is my gig - I barely understand any of it and my head is spinning just looking at this - but here is what I think has happened:

I was randomly logged out (no idea why) and went to log in with the key stored in my browser (Opera) - but that has been there since last year and it's my original key - but from reading your post I'm guessing is no longer OK to use that (it must have been OK last time I used it), so my account - @sift666 - has been locked up.

I never knew about needing different log in keys because it's probably over a year since I last logged in, and I don't have copies of the other log ins - only the original one

How do I go about sorting this account log in?

(I'm currently using a temporary account so I can see this post and comments)

Couldn't you have just sent me a message saying I needed to use a different password? I know how to see them all now, but I can't get to them in my account because I'm logged out

Everybody on Steemit was saying I had been hacked because I clicked on a dodgy link - but I hadn't. This seems a stressful way to go about all this...

Jeepers I'm confused now!

You have not been hacked, you just posted your master password to the public at some point. By the way, you should have backups of your password. Storing it in a browser as the only copy is risky.

I couldn't send you a message because I don't know "you" and since the master password of a given account was leaked, no one can tell who is using the given account because the whole world can have access to it.

Thanks - I've just posted response to all this here:

Good words.

Thank you for this article. Most of us think we are smart enough to not lose or expose our keys. But things happen. I have bookmarked it and will pass it on as the resteem option has expired.


Dude that photo of GTG with the Steem pipe smoke is SO AWESOME!

This is an article everyone should read and understand!

We live in a world where we depend more and more on passwords, Lockhart and virtual transfers of... almost everything:))

I'm sending some love today and many thanks:)

@gtg I sent steem from Poloniex to my account here with my private memo key in the memo field... Is this fine? (Now I know there is no reason just worried its out there)

It is not fine, because it shouldn't be disclosed to the public even if currently its use case is minimal.
If you ever used your Private Memo Key for encrypting your private communication or you've sent transfers with encrypted memo - all that information can be revealed by anyone who possesses your key.
Fortunately this key can't directly harm your account (can't post, can't transfer).
Change your keys instead of being worried. :-)

Whoa you really scared me at first. I will never share it again. I can change my memo key correct? Or do I change my whole master key?
Thanks for your time.

I suppose that it's easier to change Master Password.

Ok but if I do not, I should be fine, correct?

"It is not fine, because it shouldn't be disclosed to the public even if currently its use case is minimal."

Just wondering what can be done with a memo key anyways. Sorry just trying to wrap my head around it.

As I wrote - depends if for example you've been using it for either private messaging (obsolete) or encrypted memo (supported by some exchanges). There might be some social engineering attack vectors because someone could impersonate you by proving being in control of your key (as only you should be able to use it).
Up to you to try. ;-)
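The exchange above is about a private key pasted into a public memo. As an added example (not code from the post or from any Steem tool), here is a pre-send check that refuses a memo containing a private key. It assumes keys are in WIF form (Base58Check with version byte 0x80); all function names are hypothetical and the sample key is constructed, not a real one.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def is_wif_private_key(token: str) -> bool:
    """True if token decodes to 0x80 || 32-byte secret || valid 4-byte checksum."""
    raw = b58decode(token)
    return len(raw) == 37 and raw[0] == 0x80 and _checksum(raw[:33]) == raw[33:]

# An uncompressed WIF key is 51 Base58 characters and starts with '5'.
# The lookarounds stop the pattern matching inside a longer Base58 string
# such as a public key.
CANDIDATE = re.compile(r"(?<![%s])5[%s]{50}(?![%s])" % (B58, B58, B58))

def memo_leaks_private_key(memo: str) -> bool:
    """Run before broadcasting a transfer; True means do not send."""
    return any(is_wif_private_key(t) for t in CANDIDATE.findall(memo))

def make_sample_wif(secret: bytes) -> str:
    # Builds a syntactically valid WIF string for testing the check.
    payload = b"\x80" + secret
    return b58encode(payload + _checksum(payload))

# Constructed sample: the secret is just the bytes 1..32, not anyone's key.
SAMPLE_WIF = make_sample_wif(bytes(range(1, 33)))

if __name__ == "__main__":
    for memo in ("Wednesday's Pizza", "deposit " + SAMPLE_WIF):
        print(memo_leaks_private_key(memo), "<-", memo[:20])
```

The checksum test is what keeps false positives low: a random 51-character string that merely looks like a key is not flagged, so a legitimate exchange deposit memo passes.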

As someone who already knows the difference between the keys.

I found the practical tips you gave still very useful :)

Good post @gtg :)