Addressing recent concerns related to SteemAuto "asking for" our ACTIVE KEYS

2 months ago




Recently I've been helping @Xpilar to test and promote his new "clone" of the old SteemAuto. So far, it has been working much better and it's more reliable than the previous version.

However, several users asked me a few simple yet straightforward questions such as those below:

Is it a must I enter my active private key?

I'm a bit skeptical about the Active Keys

posting key would be fine for me... but active key?

I tried joining the curation trail using my private posting key, but it said the transaction requires an active key. Ideally, a private posting key should be good enough

Have you also wondered about it? I surely did. And it did concern me a little bit.



My personal choice was to put my trust in Xpilar's work, as I have known him for quite some time and I think he would have too much to lose (and too little to gain) if he would like to abuse the trust of all people supporting him as a witness.

I'm fully aware that the previous version of SteemAuto (launched by @steem-supporter) also required an active key to authorize access. I've never really understood why, but during all those months of me using it, I never had an unpleasant experience. My funds were never missing.

So I have even fewer concerns to trust Xpilar.

However, I did ask him to clarify why an active key is required, and he finally published a post about it:

There have been questions about the use of active keys when using SteemAuto, We will explain it

I deeply recommend checking it out.

RESTEEM and earn my appreciation :)


I would appreciate every single resteem. Let's help Xpilar's message to reach as many people as possible.

Yours, @crypto.piotr
Founder of Project.hope community

Greetings my dear @crypto.piotr, without a doubt it is a hard work that you are doing, which will bring benefits to all of us. It is necessary to keep the community informed which demonstrates the transparency of the process. Thank you for such valuable information.

Thank you very much for the information dear friend, I am about to read the publication and socialize it, have an excellent start of the week.

Hi @crypto.piotr, thanks for this information. Yes, it is a question I also asked myself, if to vote from my blog, comment, make resteem I only need my PostingKey, then why I must enter my active key... It is a valid question. I will check @xpilar's post, to see the justification. Although if I tell you the truth, I do not have any kind of distrust with xpilar, because, so far what he has done has been giving and supporting everyone, for a long time.

Hello @crypto.piotr
I was surprised as well when it was asking for the active private key. I checked it after the discussion with you about their curation trail. Now, from both the posts from you and xpilar, it's clear to me. Thanks.

Hello friend @crypto.piotr.

Actually these concerns are valid, and therefore, the importance of your publication and that of @Xpilar, thanks for providing this type of information to all of us because in this way we will be calmer. Greetings.

Greetings @Piotr, thank you very much for clarifying the doubts.
This sentence should clear a lot of doubts.
"the reason why Steemlogin requests your active key is to execute this contract between you and our application, also known as signing the transaction for authorization."

It is very important to know this.....

p.s. edit : as i was getting ready it struck me there, you're talking about an autovoting service so maybe ... *its probably unlikely they can get it via keychain since that grants one-time authority afaik so they would need you to re-affirm for every vote and thats why they need the keys themselves* so neither keychain or steemlogin would help much there * unless * its possible to grant authority thats permanent until revoked, like proxy for witness if i remember correctly (its been a long time since i was actually programming on it) . It could be done i guess if the core code got adapted, and maybe it has been done, i really dont know that, i dont live in the middle of the pond with the big fish but i had the impression that, since the takeover, even if it all feels a lot safer and less hostile now, the absolute focus has been developing *steemIT* not *steem* and the chain-tek behind it. SO maybe its possible to grant one account permanent authority to vote for another without them actually ever receiving the key on their side (as would happen with a one-time keychain or steemlogin authorization) ... to that i dont have the answer lol and i never used any of those things since i got right on it when i found condenser and wrote my own scripts for my own voters , and all of them still seem to work despite showing errors on screen, which , i fear is because nothing gets updated there, least of all the docs ...

pardon the lengthy ps but i had to correct it since it wasnt entirely right, but same thing applies : they cant steal your account with the active key and if someone starts a powerdown you should be able to see that unless you never pay attention to your transactions, i guess thats why they made it that way. You probably remember it was seven weeks in the beginning, not four ... (whew) okay ... have a nice day there :))
(end edit)

well my good man @crypto.piotr ... after 3 or 4 years you'd think they would explain that to newbies :

your posting key can't handle transactions from the wallet, which probably means you need the active key for voting, if you use the cli (which for some reason doesnt seem to be developed anymore) it will ask that too, @tipu has those too but actually they COULD use keychain instead of asking to keep them on their servers, thats one of the reasons why i never logged into steem monsters now

the thing is :

even if they got your active key they cant steal your account, they need the master key for that, once they have that they can change the psw and literally lock you out of posting and transacting anything from json to sending steem and sbd

so if they have the active key what they COULD do (i suppose if things havent changed) is send all your liquid steem away in less than a second and these transactions are irreversible , keeping liquid steem in an account where someone else has the wallet key seems like a bad idea anyway unless its just the minor bits from posting

so if you keep an eye open you can see if they start a power down or if they engaged a withdraw from savings , this takes 3 days or a week (times four for full) so you can monitor that, and if that happens once their business will be ousted

which essentially makes it easy to slander anyone who asks for keys at all lol

but it should be safe for anything but liquid steem present

(i dont follow up anymore though and the documentation as well as development on steem-py / cli is cobwebs at best , no idea why since thats the actual strongpoint of steem)

anyway ....

you could push for them to use the keychain plugin if you get enough ppl asking for it, tipu does that too i think

but thats "made by yabapmatt so maybe not everyone trust that lol"

and so and so ... take care
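
The question this thread keeps returning to, which key role authorises what and whether another account can hold standing authority over yours, can be checked against your own account data. The following is an added example (not from the post, from SteemAuto, or from any commenter) that audits the `posting`/`active`/`owner` authority blocks of an account object in the shape returned by the `condenser_api.get_accounts` RPC. The account `alice`, the delegate `example.voter` and the placeholder public keys are constructed, and the operation table covers only a few common operations.

```python
ROLES = ("posting", "active", "owner")  # increasing privilege

# Minimum role the chain requires for a few common operations (not exhaustive).
REQUIRED_ROLE = {
    "vote": "posting",
    "comment": "posting",
    "transfer": "active",               # move liquid STEEM/SBD
    "withdraw_vesting": "active",       # start a power down
    "transfer_from_savings": "active",  # start a savings withdrawal
    "account_update": "active",         # change posting/active authorities
}

def sole_delegates(account, role):
    """Accounts listed under `role` whose weight alone meets the threshold."""
    auth = account[role]
    return sorted(name for name, weight in auth["account_auths"]
                  if weight >= auth["weight_threshold"])

def exposure(account, delegate):
    """Operations `delegate` could authorise alone on behalf of `account`."""
    held = [ROLES.index(r) for r in ROLES
            if delegate in sole_delegates(account, r)]
    if not held:
        return []
    top = max(held)  # a higher role also satisfies lower-role operations
    return sorted(op for op, need in REQUIRED_ROLE.items()
                  if ROLES.index(need) <= top)

def key_auth(placeholder):
    """Authority block controlled by a single key and no other account."""
    return {"weight_threshold": 1, "account_auths": [],
            "key_auths": [[placeholder, 1]]}

# Constructed sample: only the posting role lists another account.
SAMPLE = {
    "name": "alice",
    "owner": key_auth("STM_OWNER_PUBKEY_PLACEHOLDER"),
    "active": key_auth("STM_ACTIVE_PUBKEY_PLACEHOLDER"),
    "posting": {"weight_threshold": 1,
                "account_auths": [["example.voter", 1]],
                "key_auths": [["STM_POSTING_PUBKEY_PLACEHOLDER", 1]]},
}

if __name__ == "__main__":
    for role in ROLES:
        print(role, sole_delegates(SAMPLE, role))
    print(exposure(SAMPLE, "example.voter"))
```

An entry under `posting.account_auths` lets that account vote and post for you without ever holding your key, but adding or removing the entry is an `account_update`, which needs an active-level signature. Any name that appears under `active` or `owner` is the finding to act on.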

If @crypto.piotr posts their passwords I have no problem doing so, they have a lot to lose in cases of attacking us and very little to gain.

It's a question that I asked myself too, but just like you, I chose to put my trust in Xpilar

This is an important issue. Active key is the key of our fund and safeguarding of it is necessary for us.

