The Importance Of Steem Keychain

in #steemkeychain · 5 years ago (edited)

I've noticed that some of the followers I've been talking to have not yet started using Steem Keychain. Instead, they've been putting their private keys into websites, which always involves some degree of risk. In this post I'll explain what Steem Keychain is, why using it significantly improves the security of using Steem apps, and why Steem Keychain is better than SteemConnect.

Before SteemConnect came along, each Steem app would ask for the user's posting key at a minimum. The posting key allows the user to post, comment, upvote and claim rewards. If using an app required any type of money transfer, including delegating Steem Power, the app required the user to enter their active key every time such an action was taken. The browser would encrypt and store the key like any other password in its internal password database, to spare the user from having to insert the keys manually each and every time. That was naturally risky, because anyone with access to the browser on that particular computer could use the keys as they pleased. The keys wouldn't necessarily have to leave the browser, of course: that would be the case if the application logic ran as JavaScript code downloaded from a server on the internet and executed in the browser. But it still meant trusting whatever code the server happened to serve on each visit.

When SteemConnect was introduced, applications were no longer required to deal with the users' private keys. Instead, the app would send the user to the SteemConnect web page, at which point JavaScript code would be downloaded to the user's browser, and that code would handle all the private keys. It would ask the user to insert a private key (usually the active key), with which it would then create a permission token for the desired type of transaction. It is my understanding (not knowledge) that SteemConnect never stores anybody's private keys anywhere, only access tokens with a limited lifespan (typically months). Sounds quite safe, doesn't it? There is one problem with this, though: the possibility of the SteemConnect website being hacked, or of the user navigating to a website pretending to be SteemConnect, in which case the user could end up having malicious code run in their browser.

Steem Keychain remedies the security risk of always loading the code that handles one's keys from a website into one's browser. That's because Steem Keychain is a browser extension/add-on that is downloaded exactly once. When an account is added to Steem Keychain, it asks for either the private posting key or the private master key for the account being added. If you give the master key, it will generate all the private keys (posting, active and memo) from the private master key. But it doesn't store the master key! You will still have to keep your private master key stored carefully, and keep it offline as much as possible. Steem Keychain stores the other, weaker private keys securely encrypted, and protects them with a password that it asks for whenever the user has been inactive for long enough.
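To illustrate the derivation step mentioned above, here is an added example (written for this post, not Steem Keychain's own code) that reproduces the standard Steem scheme: each role key is the SHA-256 of account name + role + master password, encoded as a WIF string. The account name and master password are constructed placeholders, and the derivation is one-way, which is why the extension can keep the role keys without ever needing to keep the master.

```python
import hashlib

# Bitcoin-style base58 alphabet, also used by Steem WIF keys.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(data: bytes) -> str:
    """Base58-encode raw bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def to_wif(secret: bytes) -> str:
    """Steem WIF: 0x80 || 32-byte secret || first 4 bytes of double SHA-256."""
    if len(secret) != 32:
        raise ValueError("secret must be exactly 32 bytes")
    payload = b"\x80" + secret
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58_encode(payload + checksum)


def derive_private_key(account: str, role: str, master_password: str) -> str:
    """Steem role key: sha256(account + role + master_password), as WIF.

    The hash is one-way, so a stored posting/active/memo key cannot be
    turned back into the master password it was derived from.
    """
    seed = (account + role + master_password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_account_keys(account: str, master_password: str,
                        roles=("posting", "active", "memo")) -> dict:
    """Derive the role keys an extension would keep; the master is not among them.

    The owner key uses the same scheme with role "owner" but is left out here,
    matching the post: the master/owner material stays offline.
    """
    return {role: derive_private_key(account, role, master_password)
            for role in roles}


if __name__ == "__main__":
    # Constructed sample input; not a real account or password.
    for role, wif in derive_account_keys("alice", "P5constructedExample").items():
        print(f"{role:8s} {wif}")
```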

For some use cases, Steem Keychain is not sufficient, though. For example, when a user wishes to grant their posting authority to an app so that it can act while they're offline, an access token created by SteemConnect is needed.

Steem Keychain comes in very handy with apps that are capable of using it. Such an app asks Steem Keychain to sign whatever transaction is needed with the right private key. Each request must be confirmed by the user, unless the user opts out of confirming transactions. Steem Keychain then broadcasts the signed transaction to the Steem blockchain on behalf of the application. The user is liberated from having to copy keys to the clipboard, which is a security risk in itself. Steem Keychain is also a fully functional Steem wallet that allows transfers to be made and Steem Power to be delegated or undelegated. It also works as a wallet for Steem-Engine tokens.

Steem Keychain can be downloaded from the Chrome Web Store.

P.S. A desktop version of SteemConnect has recently been published. It's safer to use than the web-based version for the same reason Steem Keychain is: the code handling your keys is installed once rather than fetched from a website on every use.