
Over the past week, my ears caught wind that two people close to me had their STEEM accounts hacked (cracked is the real term but we'll save semantics for another day). I met these two through STEEM communities on Discord.
So today, we are going to walk through how to keep our STEEM accounts safe from hackers. The more we understand what all the keys are and how to create good passphrases instead of lousy passwords, the safer we will be. It crossed my mind that we talked about passphrases in the past.
It turned out that we only touched on it lightly. The content at length was in podcast form from before I began posting to STEEM regularly. It is very important that all of us understand how to keep our accounts as secure as we can. When money is involved, the incentive for hackers rises.
Passphrases Not Passwords
This is an important distinction. The term 'password' suggests a single word; a passphrase is several. The longer a passphrase is, the better, because each additional random character or word adds entropy, the measure of how many guesses an attacker has to make. Entropy is what makes the passphrase hard to guess for both computers and people, and it only grows when the extra length is unpredictable, not when it is padded with something easy to look up.
The best method to form a passphrase is to use a system that has no ties to us. A passphrase built from our school name, birth month and the name of our first pet may be long, but these days that information is bought and sold, and a few minutes of searching is often enough for someone to learn it.
Dice Lists
This is where dice lists are the most useful. A dice list pairs thousands of words with numbers made only of the digits 1 to 6. Search online for "EFF Diceware List" and download the file; the EFF long list has 7,776 words, one for every possible roll of five dice. To make a strong passphrase, roll five dice, write the five digits down in order, and roll again. Do this five or six times, once for each word.
Now those numbers we wrote down correspond to words on the list. What we get is a passphrase that looks something like this:
ramble-chowtime-modified-twins-flyable-brutishly
A string of random words that have no relation to us at all. Because it is made of words it is easy to memorize, but because of its length it is extremely hard to guess. Its strength comes entirely from the dice, so it does not matter that the word list is public; we should assume an attacker has a copy of it.

Crack-ability
Look at it this way: assume the attacker has the word list and can run one trillion guesses per second. Six words from a list of 7,776 give 7,776^6 (about 2.2 x 10^23) possible passphrases, and on average the right one turns up after half of them have been tried. How long does it take to guess the passphrase above?
3,505 years!
That's some good odds in our favor. But let's see how fast a passphrase with one less word (five words, or 7,776^5 possibilities) can be cracked at the same rate, again on average:
165 days
See how big a difference one word makes! Now keep in mind that we cannot be expected to remember a passphrase like this for every site we use. However, we still need a different passphrase on every site, because a reused passphrase is only as safe as the weakest site that stores it. Enter password managers.
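The dice procedure and the crack-time arithmetic above, as an added worked example (this is not code from the original post). It parses the EFF file layout (five dice digits, a tab, then the word), turns rolls into words, and reproduces the 3,505-year and 165-day figures. The word list embedded here is a constructed five-line sample in the same layout, not the real list; the `roll_index` function substitutes a CSPRNG for physical dice, which is my addition, and the post's own method of typing in real rolls is supported through the `rolls` parameter.

```python
"""Diceware passphrase generation and strength estimate (added example)."""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7,776 entries in the EFF long list

# Constructed sample in the EFF file layout; the real file has one line
# for every one of the 7,776 possible five-dice rolls.
SAMPLE_LIST = """\
11111\tabacus
11112\tabdomen
23466\tchowtime
33555\tramble
52561\ttwins
"""


def parse_wordlist(text: str) -> dict:
    """Map each five-digit dice index to its word, rejecting malformed lines."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        index, word = line.split()
        if len(index) != DICE_PER_WORD or any(c not in "123456" for c in index):
            raise ValueError(f"bad dice index {index!r}")
        words[index] = word
    return words


def is_complete(words: dict) -> bool:
    """True only if every possible roll has a word (guards against a truncated download)."""
    return all("".join(roll) in words for roll in product("123456", repeat=DICE_PER_WORD))


def roll_index() -> str:
    """Five CSPRNG 'dice' (digits 1-6); type in real dice rolls via `rolls` instead if you prefer."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def make_passphrase(words: dict, n_words: int = 6, rolls=None, sep: str = "-") -> str:
    """Join the words for the given rolls; with rolls=None, roll n_words times with the CSPRNG."""
    if rolls is None:
        if not is_complete(words):
            raise ValueError("need the complete 7,776-word list to roll")
        rolls = [roll_index() for _ in range(n_words)]
    return sep.join(words[r] for r in rolls)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy assuming the attacker knows the list; keeping the list secret adds nothing."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(n_words: int, guesses_per_second: float = 1e12,
                           list_size: int = LIST_SIZE) -> float:
    """Average time to hit the phrase: half the keyspace at the given guess rate."""
    return (list_size ** n_words) / 2 / guesses_per_second


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_LIST)
    print(make_passphrase(words, rolls=["33555", "23466", "52561"]))
    for n in (5, 6):
        secs = expected_crack_seconds(n)
        print(f"{n} words: {entropy_bits(n):.1f} bits, about {secs / 86400 / 365:,.1f} years on average")
```

Six words come to about 77.5 bits of entropy. The figures in the post are average-case (half the keyspace); the worst case for the attacker is double. Run `is_complete` on the downloaded list before trusting it, since a truncated or edited file silently shrinks the keyspace.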
Password Managers
A password manager is a program that encrypts and stores your passwords for every site you visit. Most of them will even make a secure and random password for you. The one I use is called LastPass, and I hear good things about OnePass.
The dice-generated passphrase you make should only ever be used to unlock LastPass. Never use it anywhere else; it protects every other credential in the vault, and every extra place it is typed is another place it can be stolen from.
How This All Works With STEEM
We had to cover all of that so that we can make logging into STEEM as secure as possible. We also need LastPass or another manager to help us be sure that we are really on Steemit or Busy: the manager only offers a saved login on the domain it was saved for, so a lookalike site gets nothing. Setting up a fake STEEM site that steals the keys people type into it is far easier for an attacker than cracking a strong passphrase.
Once we sign up for LastPass and install the browser extension we can create the login. To do this, click on the extension icon and then click "Open my Vault." Once the page loads there is a small red circle with a + in the middle. Hover the mouse pointer over that and the + will change to a new icon; click the new icon. It should say "Add Site" off to the left, as well.
Now we see a blank version of the image below.

image from the LastPass App
1. Add https://steemit.com here (or whatever site you use).
2. Enter your STEEM username.
3. Copy and paste your STEEM master password here (we want to keep it safe for when we need it).
4. Paste your private posting key here.
Grabbing the Keys
In order to get the keys and add them to LastPass, we need to log in with the master password, or with the active key if the master password is already stored safely in the manager.

image from steemit.com
- Click wallet
- Click permissions
- Click "Show Private Key"
The private posting key then replaces the public key on the page. Copy the private key and use it in Step 4 above. If you never plan on logging in with your master password, it is good to save your active private key instead, as we did in Step 3 of LastPass.
Before we test everything out, double-check all the keys and make sure there are no mistakes. The most reasonable way to do this is to make sure the first five characters of each pasted key match what is shown on Steemit, and then do the same for the last five characters. Every STEEM private key is 51 characters long and starts with '5', so also check the length; a key that is off by even one character will not work.
It is well worth our time and effort to make sure this is all in place. Logging in with the master password or active key every time is a big security risk: the master password can change every key on the account, and the active key can move funds. The day may come when we enter our key on a fake Steemit site, and then all is lost.
There is some reprieve if we are only logging in with our posting key. Then, at least, the worst the attacker can do is make posts, comments and upvotes as us; the posting key cannot move funds or change the other keys. That is still less than ideal, and that is why we use LastPass. If the site is not really Steemit.com, LastPass will not show our login options, because the saved login is tied to the domain it was saved on. It's a security must for all Steemians.
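A stricter version of the "compare the first and last five characters" check, as an added example (not code from the original post or from Steemit). STEEM private keys use the Bitcoin WIF encoding: base58 of a 0x80 version byte, the 32-byte secret and a 4-byte checksum taken from SHA-256(SHA-256(payload)). Decoding the pasted key and recomputing the checksum catches a mistyped, truncated or partially pasted key offline, before you ever try to log in with it. The test vector used below is the well-known WIF encoding of the secret value 1 (a Bitcoin example, used here only because the format is identical); never use it as a real key.

```python
"""Offline check that a pasted STEEM private key is intact (added example)."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_VERSION = 0x80  # version byte shared by Bitcoin and STEEM private keys
SECRET_LEN = 32
CHECKSUM_LEN = 4


def b58decode(text: str) -> bytes:
    """Base58 to bytes; each leading '1' character becomes a leading zero byte."""
    value = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"invalid base58 character {ch!r}")
        value = value * 58 + ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Bytes to base58; each leading zero byte becomes a leading '1' character."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = ALPHABET[rem] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:CHECKSUM_LEN]


def wif_to_secret(wif: str) -> bytes:
    """Return the 32-byte secret, or raise ValueError saying what is wrong with the paste."""
    raw = b58decode(wif.strip())
    if len(raw) != 1 + SECRET_LEN + CHECKSUM_LEN:
        raise ValueError("wrong length: a STEEM private key decodes to 37 bytes")
    payload, check = raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]
    if payload[0] != WIF_VERSION:
        raise ValueError("wrong version byte: not a private key in WIF form")
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: the key was mistyped or truncated")
    return payload[1:]


def secret_to_wif(secret: bytes) -> str:
    payload = bytes([WIF_VERSION]) + secret
    return b58encode(payload + checksum(payload))


def check_pasted_key(shown: str, pasted: str) -> str:
    """Compare the key Steemit shows with the copy saved in the manager; whole string, not 5 chars."""
    try:
        wif_to_secret(pasted)
    except ValueError as exc:
        return f"REJECT: {exc}"
    if pasted.strip() != shown.strip():
        return "REJECT: well-formed key, but not the one shown on Steemit"
    return "OK"


if __name__ == "__main__":
    demo = secret_to_wif(bytes(31) + b"\x01")  # format test vector only, never a real key
    print(demo, check_pasted_key(demo, demo), check_pasted_key(demo, demo[:-1]))
```

The checksum check is the important part: a single wrong character anywhere in the 51 characters fails it, which the five-characters-at-each-end comparison cannot promise. Run this on the machine you trust, paste the key from the manager, and never send it anywhere.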
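Why a manager refuses to fill a lookalike site, as an added example (not LastPass's code; its exact matching rules differ, and real managers consult a public-suffix list). The saved login is offered only when the page's host is the saved site or a subdomain of it, so the usual phishing tricks, a subdomain that merely begins with steemit.com, a user-info prefix before the real host, or a near-miss spelling, get no autofill. The vault entries here are constructed sample data.

```python
"""Domain matching behind password-manager autofill (added example)."""
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> URL the login was saved on.
VAULT = {
    "Steemit posting key": "https://steemit.com",
    "Busy posting key": "https://busy.org",
}


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased by urlsplit, with any trailing dot removed."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname.rstrip(".")


def same_site(saved_url: str, page_url: str) -> bool:
    """True if the page host is the saved host or one of its subdomains."""
    saved = host_of(saved_url)
    page = host_of(page_url)
    return page == saved or page.endswith("." + saved)


def fill_decision(vault: dict, page_url: str) -> str:
    """Name of the vault entry to offer, or 'no match' when nothing should be filled."""
    for name, saved_url in vault.items():
        if same_site(saved_url, page_url):
            return name
    return "no match"


if __name__ == "__main__":
    for url in ("https://steemit.com/login.html",
                "https://steemit.com.login-verify.example/",
                "https://steemit.com@evil.example/",
                "https://steernit.com/login.html"):
        print(f"{url:50} -> {fill_decision(VAULT, url)}")
```

The suffix rule means a saved entry is only as specific as the host you saved it on: save the login on steemit.com, not on a bare top-level domain, or every site would match. When the extension stays silent on a page that looks like Steemit, treat that silence as the warning it is and do not type the key by hand.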
Bonus Tip
You can set each key as its own login in LastPass. Then when you go to log in you can choose which one to use. Just follow the steps above once for each key.
Thanks for reading!
If you have any questions please ask and I will do my best to get you the answer. If you have input that may make something in this post more clear please share!