RE: If Something Smells Phishy, It Most Likely Is!

in #community • 6 years ago

Yes, however,
It is never clear what the difference is between the Active and the master key.

The posting key often does not work / is not accepted.

Then users go into 'aaaah fuck it mode' and just use the key that always works.
And there you have the plot to a disaster. :-)

I'm now on Busy and can't check the actual key names on steemit right away to make my point. As I forgot the exact reason why I get the keys messed up.

The thing is this: if people lose full access to their accounts, that is proof that they use the main / master password key phrase or something with an even more interesting name. This is probably the main reason for the confusion, since steemit uses a mix of these words to describe the same key.

This is where the mess begins

I try to point out why people lose the main key due to the way steemit causes confusion and people just use the master key to get rid of the hassle.

Ahh, okay.

> It is never clear what the difference is between the Active and the master key.

My understanding is that the MASTER key is your all-4-one key. You can post, use it for wallet transactions, and change the account password. The last part is important, master key can be used to change the account password!

As for the ACTIVE key, you can use it to post and for wallet transactions, but it can NOT be used to change the account password. So a user who is "phished" out of the active key could lose the steem/sbd in the account, but a hacker cannot change the password on the account. If lucky, the user could log back in immediately with the master key and change all the passwords and lock the hacker out of the account before funds are stolen.

> The thing is this: if people lose full access to their accounts, that is proof that they use the main / master password key phrase or something with an even more interesting name.

I think the problem starts with Steemit Inc. giving users the master key as the password to use when starting their account. New users don't know that they are supposed to go grab all their passwords (posting, active, memo), and then store away the master key. Most probably are using the master key, and as a result, are giving hackers an all-4-one key to their account.

> I'm now on Busy

I just started using Busy, and I don't really like the fact that they require the user to use the active key to log on. I use busy to write a post, but then switch back to steemit which is safer since I only have to use my posting key. Dapps like busy that require users to log on with their active key don't help with the phishing issue because users are "accustomed" to using the active key to use the platform. As a result, when there is a phishing attack, the user is then giving the hacker their active key, which would result in stolen funds.

If I have some time, I'll try to write a post to help newbies clarify the different keys and how they should be used. I'm not an expert on the matter, but perhaps one or two users would find it helpful.

> My understanding is that the MASTER key is your all-4-one key. You can post, use it for wallet transactions, and change the account password. The last part is important, master key can be used to change the account password!

And that last one should somehow NOT be included IN the combo key.

The master key should ONLY be able to change the 'key chain' (all the user keys) AND to request a fresh master key. Yet it should NOT open all the locks including the master lock.

I hope that this is still making sense as it is hard not to confuse the key names that already are a bit mixed up. :-)

> I think the problem starts with Steemit Inc. giving users the master key as the password to use when starting their account. New users don't know that they are supposed to go grab all their passwords (posting, active, memo), and then store away the master key. Most probably are using the master key, and as a result, are giving hackers an all-4-one key to their account.

Good point, yet people would then ask MANY annoying questions right from the start. :-D

> I just started using Busy, and I don't really like the fact that they require the user to use the active key to log on. I use busy to write a post, but then switch back to steemit which is safer since I only have to use my posting key. Dapps like busy that require users to log on with their active key don't help with the phishing issue because users are "accustomed" to using the active key to use the platform. As a result, when there is a phishing attack, the user is then giving the hacker their active key, which would result in stolen funds.

Ah, that explains why I could not log in with any other key LOL. I thought it was due to my keys, but now I get it!
As steemit annoys me with a policy wall and 2 checkboxes that I need to click to get to 'MY' money that kinda pisses me off.
Even my bank would not do such a stupid thing. People should always be able to access their money regardless of policy changes. That they are used from the blog stuff that's probably not such a big issue. So I moved to Busy, as that does not lock me out with a BS policy wall. A website should first respect its users, then users will eventually respect the policy BS if it is reasonable. This is why I never used Facebook, and committed 'collective MySpace Suicide'. This was a solution cooked up by people who could no longer live with the policy changes that MySpace forced on people.
It deleted the 'friends list' and all the personal data before it deleted the account.

> If I have some time, I'll try to write a post to help newbies clarify the different keys and how they should be used. I'm not an expert on the matter, but perhaps one or two users would find it helpful.

There are many guides out there already and they all add to the confusion.
As the way the keys work is a bit weird. And the naming of the keys adds to the weirdness. It would be best if steemit would do something about that. And make it more intuitive and separate the master key from the 'functionality keys'.
But I guess the developers would be a bit reluctant about making changes to the key system. :-D

> People should always be able to access their money regardless of policy changes.

Don't get me started. I went through the same thing with coinbase. Of course I relented though because they held my money hostage until I confirmed identity. At least you are able to log on to steem with other dapps! That's one good thing.

As for the keys... well, a complicated system requires complicated keys! We all know it definitely is not simple on here. Nothing is ever black or white.

@bifilarcoil

And this one :D

Perhaps I will slowly creep back up the engagement league. Being somewhere in the middle ranking is a good starting point.😀