Yesterday I went into the HiveDevs channel to ask a few questions.
Now that @steem is no longer a trustworthy source for account recovery, my account is at risk. I'm on a mission to change my recovery account using an offline device so I know the transition is 100% secure (but mostly because it's a good dev exercise). Once I figure that out it should be pretty easy to change my keys in the same way. After everything is said and done I should have an account that is 100% secure against all malicious attacks that don't involve a home invasion (and maybe even then when recovery is accounted for).
I never wrote down the Owner key for my account.
I only wrote down the master key as I never understood what the owner key was for. Apparently I've come to find out that it's actually the master key that really doesn't do anything except generate the other keys. You have to sign transactions with those other keys. Therefore, I need my owner key if I want to change my recovery account or if I want to change my keys.
var key = dsteem.PrivateKey.fromLogin('username', 'password', 'posting')
I found this little morsel in the dsteem documentation and it ended up working. By replacing 'username' with 'edicted' and 'password' with my master key and 'posting' with 'owner' I'll be able to derive my owner key from an offline device.
However...
This is the code I've been using in all my scripts to utilize dsteem. Every time I run a Hive script it imports the code from unpkg.com... obviously if I'm doing this stuff on an offline device this will not be possible. Therefore, I finally figured out how to get a physical copy of the dsteem code from GitHub and import it locally to my machine. In the end all it required was downloading a file called dsteem.js and dsteem.js.map from the source code.
By putting this source code into the same folder as my scripts I can now run it without connecting to the unpkg.com website. Sorted. Although I couldn't find version 10 and the physical copy that I'm using is version 9, I'm sure that doesn't matter considering I'm only doing the bare-bones basics.
Making accounts for your friends/family.
This is what I really wanted to talk about. I realized the other day (from the master key generator function and by using SteemWorld account creation) that the name of your account plays a part in how your keys are generated.
var key = dsteem.PrivateKey.fromLogin('username', 'password', 'posting')
This is really cool because it solves a problem that I've been having. The people who I told to make Steem accounts have all lost their passwords (except for the ones that I specifically saved for them). They all just assumed they could recover their accounts using a centralized service. Then they got mad and blamed our platform for being bad (lol go figure). This happens all the time and it will keep happening. We need to centralize the security of low-value accounts so noobs stop losing them.
How does this feature help?
Well, now every time I create an account for someone, I can use the same master password to generate the keys for dozens of accounts, and none of those accounts will have the same keys or know what master password was used to create them. If anyone I create an account for loses their keys, I can regenerate their keys knowing it's all centralized to the same master password.
Obviously this kind of centralization is a security risk. What if someone gets hold of my master password and steals dozens of accounts? However, the combined value of all these accounts will be very low, so it's not a big deal. Also, I will instruct anyone I create an account for about how insecure their account is and that they need to take security more seriously if their account ever becomes worth a significant amount.
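To make the "same master password, different keys per account" point concrete, here is an added example (not code from the original post or from dsteem) that re-derives login keys with Node built-ins only, so it runs on an offline machine. It assumes fromLogin hashes username + role + password with SHA-256 and encodes the result as WIF with the 0x80 prefix; the account names and password are constructed samples. Since username and role are public, the master password is the only secret protecting every account derived from it.

```javascript
// Added example: login-key derivation using only Node's built-in crypto module.
const { createHash } = require('crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Base58 encoding (Bitcoin alphabet) of a non-empty Buffer.
function base58(buf) {
  let n = BigInt('0x' + buf.toString('hex'));
  let out = '';
  while (n > 0n) {
    out = ALPHABET[Number(n % 58n)] + out;
    n /= 58n;
  }
  // Each leading zero byte is encoded as a leading '1'.
  for (const b of buf) {
    if (b !== 0) break;
    out = '1' + out;
  }
  return out;
}

// Assumption: secret = SHA-256(username + role + password),
// WIF = base58(0x80 || secret || first 4 bytes of double SHA-256).
function wifFromLogin(username, password, role) {
  const secret = sha256(username + role + password);
  const payload = Buffer.concat([Buffer.from([0x80]), secret]);
  const checksum = sha256(sha256(payload)).subarray(0, 4);
  return base58(Buffer.concat([payload, checksum]));
}

// Constructed sample value, not a real credential.
const MASTER = 'constructed-sample-master-password';

// Derive the four role keys for one account from the shared master password.
function deriveAll(username) {
  const keys = {};
  for (const role of ['owner', 'active', 'posting', 'memo']) {
    keys[role] = wifFromLogin(username, MASTER, role);
  }
  return keys;
}

// Two hypothetical accounts: same password, entirely different key sets.
console.log(deriveAll('alice-example'));
console.log(deriveAll('bob-example'));
```

Before relying on this for a real account, compare one derived key against the output of dsteem.PrivateKey.fromLogin for the same inputs.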
The majesty of recovery accounts.
Even in a situation where I became malicious and tried to steal the accounts I created with the master key, I would not be able to steal the accounts I created if the recovery account points to someone else. Again, this is another super valuable feature of Steem. I would have full access to ALL the private keys of dozens of accounts, yet I would not be able to steal any of those powered up funds (or even coins locked in the bank account for 3 days). How many other platforms can boast such powerful security? Only Graphene-based ones.
Example
I make an account for my friend with my master key. My friend powers up 100k Hive but never changes his keys. My friend sleeps with my wife. I try to steal his account; I change his keys and start a powerdown. My ex-friend contacts his recovery account and changes the owner key back under his control. Even when I had access to everything (except the recovery account) I could not steal his money. This is truly amazing.
Conclusion
The Graphene platform is really complicated but I'm slowly learning the ropes.
I see Hive as a network that I could learn and develop on for life as a career.
These are just the opening moves of something much greater.