
I wonder how many people actually use their private posting key rather than the master password. You have always been able to log in to Steemfiles without your active key. What do you think of sites that use Steem Connect and you have to give your active key to log in to them?

I think many people still use their master password instead of their posting key, which is a security issue, but this is still something non-tech people don't understand yet.

I trust SteemConnect v2 (you can tell by the URL). They use your Active Key only to set up a proxy account setting in your Steem account; this allows the site to post and upvote on your behalf without needing to know your Posting Key. Neither SteemConnect v2 nor the site will store either your Active Key or your Posting Key; they use an authorisation token instead.

There has been a case where a SteemConnect v2 powered site was compromised (utopian.io). The hacker didn't get access to any private keys but got access to the authorization token; all he/she could do was upvote some posts. Users who gave permission to utopian via SteemConnect v2 to post/upvote on their behalf only needed to connect to SteemConnect, revoke the access token, and generate a new one by authorizing Utopian again (using the Active Key one more time).

Honestly, I get confused between all of the passwords for Steemit, especially when used on sites other than Steemit such as busy.org, tasteem, or SteemConnect, or whatever else. I understand that there are legitimate reasons why there are different ones... it just doesn't feel natural. Maybe it's just me. The passwords are in weird characters so I don't remember them. So I save them on a public email so that I can access them when I am using a different device (which is probably not what the administrators of Steemit intend)... It's a mess.

Agreed, it does not feel natural, but that's part of the crypto world. Those passwords are not only used to access your account, they are also used to encrypt and sign your transactions to prove they are coming from you. With Steem you have multiple of them to make it safer, so you can give your posting key to another app to post and upvote for you without giving them the power to take your money. Then you have the Owner Key (master password) that has the power to generate all the other keys if you ever lose them.

I use a password manager such as LastPass to remember those complicated passwords for me. Then my master password to access LastPass itself is the only password I need to remember, but I still make it strong because whoever can guess my master LastPass password will have access to all my passwords.

That sounds like a really useful tool when you're getting that hardcore into things :O And nice foresight on your part to look into these things well before they were in any danger of becoming an issue.

It feels like I'm the president of the US sharing a nuclear missile launch passcode to the generals hahahaha

Exactly what I feel after reading your post, haha
