Never (Ever) Copy/Paste Your Secret Key

Mister Ticot
Published in Cosmic.plus
5 min read · Dec 6, 2019

20 years ago, people took their first steps with email and online payments. Many of them learned the hard way. For scammers, it was an age of abundance. Things improved thanks to two keys: education and better software design. Today, that’s exactly what crypto needs, and users are fortunate that the rules are simple. Rule 1: Keep your secret key secret. Rule 2: Never (ever) break rule 1. Let’s talk about it.

Public-key Cryptography

When coming across a title such as “Public-key Cryptography”, some of you may feel like they clicked on the wrong link… Rest assured you did not. Cryptography is indeed a complicated matter, but what one needs to know to use it safely is definitely within reach. Here’s the Wikipedia introduction about it:

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. […] Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.

In Stellar, the private key is generally referred to as the “secret key” and starts with an S. The public key starts with a G. Sometimes we use addresses such as MisterTicot*keybase.io instead of G keys, but under the hood they are resolved to a G key again.
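The S/G prefix is not cosmetic: both are Stellar StrKeys, a version byte plus a 32-byte payload plus a CRC-16 checksum, base32-encoded, and the version byte is what produces the leading letter. The following is an added example (not code from the original post or from Cosmic.plus) that decodes a pasted key and tells a public key from a secret key, so that an application's “account” field can refuse an S key outright instead of silently accepting it; it assumes a standard Python 3 interpreter and nothing else.

```python
import base64
import binascii
import struct

# StrKey version bytes from the Stellar spec. The top 5 bits become the first
# base32 character, which is why public keys start with G and seeds with S.
VERSION_PUBLIC_KEY = 6 << 3   # 0x30 -> 'G'
VERSION_SEED = 18 << 3        # 0x90 -> 'S'

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM (poly 0x1021, init 0, no reflection), as StrKey uses."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def strkey_encode(version: int, payload: bytes) -> str:
    """version byte + payload + little-endian CRC16, base32 without padding."""
    body = bytes([version]) + payload
    raw = body + struct.pack("<H", crc16_xmodem(body))
    return base64.b32encode(raw).decode("ascii").rstrip("=")

def strkey_decode(key: str) -> tuple:
    """Reverse of strkey_encode; raises ValueError on a bad checksum."""
    raw = base64.b32decode(key + "=" * (-len(key) % 8))
    body, checksum = raw[:-2], struct.unpack("<H", raw[-2:])[0]
    if len(body) < 1 or crc16_xmodem(body) != checksum:
        raise ValueError("bad StrKey checksum")
    return body[0], body[1:]

def classify(key: str) -> str:
    """'public', 'secret' or 'invalid' for whatever the user pasted."""
    try:
        version, payload = strkey_decode(key.strip())
    except (ValueError, binascii.Error, struct.error):
        return "invalid"
    if len(payload) != 32:
        return "invalid"
    return {VERSION_PUBLIC_KEY: "public", VERSION_SEED: "secret"}.get(version, "invalid")

def accept_account_id(user_input: str) -> str:
    """An app's account field: take a G key, refuse an S key outright."""
    kind = classify(user_input)
    if kind == "secret":
        raise ValueError("That is a secret key (S...); paste your public key (G...)")
    if kind != "public":
        raise ValueError("not a valid Stellar public key")
    return user_input.strip()
```

The sample seed below is constructed from the bytes 0..31 for the test only; a real secret would of course never be typed into anything but a wallet.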

The Dos and Don’ts

To keep things simple, you can see your public key (G) as your account number: that’s what you share to receive payments. You can see your private key (S) as your account password: it grants full control over your money. This comparison is not perfectly accurate, but it is close.

Then the rules are simple: as long as your private key stays secret, and assuming your wallet is well-secured, no one other than yourself can move your funds. As soon as you share it with someone, and this includes any application out there, you are no longer the only one who can spend those coins.

That’s not something you want to happen and, if you’re not convinced about it, let’s look at a few facts together.

Fact #1: Sharing Secrets Makes Scams Easy

Unfortunately, when it comes to Stellar, many application developers feel perfectly fine asking for your secret. Worse, they don’t let you know about the consequences and often make it look like something casual.

This unsafe trend was initiated by the Stellar Development Foundation itself, as its official account viewer offers to “sign in” with secret keys.

Feeding such a habit led many users to lose money. In fact, redirecting people to an imitation of that account viewer has proven to be one of the most effective ways to harvest Lumens at people’s expense. If scammers were the only ones to ask for private keys, few people would fall into the trap.

However, scammers are not the only threat out there, and you face risks even when pasting that secret into reputable applications.

Fact #2: Your Clipboard Is Not Secure

The clipboard is the shared interface where data is stored when you copy and paste. It works by making anything that gets copied visible to each and every piece of software on your machine, so that they can implement their paste function. In other words, as soon as you copy your secret, it is not secret any more.

In terms of difficulty, peeking at the clipboard to retrieve private keys takes somewhere between 3 and 10 lines of code. It uses a system feature the intended way, so application stores and security software are unlikely to flag such code as malicious.

That is also a concern for passwords, so if you have taken up the habit of copy/pasting them, I recommend that you switch to a well-designed password manager instead.

Fact #3: The Application You Use Is Not As Secure As You Think

Let’s be honest. If a piece of software asks you for your private key, there are two options:

  1. The developers don’t understand public-key cryptography.
  2. The developers understand it but don’t care.

In both cases, you can legitimately assume they won’t do a good job of protecting your secret. But that’s the very thing with secrets: as soon as you leak them, how can you expect others not to do the same?

For the most part, people writing cryptocurrency-related applications are not security experts. In a few cases, they did not educate themselves about security at all.

While one should expect a cryptocurrency wallet to have strong security, it is unrealistic to ask the same for every crypto-related application out there.

Fact #4: You Are Responsible for the Security of Your Account

In the same way that you are responsible for locking your car or hiding your credit card PIN code, you are the one responsible for keeping that private key secret.

The very point of cryptocurrency is to get rid of untrusted third parties. It puts the power in your hands and makes you the only one in control of your account. But everything worth doing comes with a learning step: driving a vehicle, cooking a meal, and even playing a game.

Don’t listen to whoever wants you to believe that you can use that new fancy technology without any effort — or conversely, that you can’t use it at all because it would be too complicated.

Learning is power and should not be seen as an inconvenience. Cryptocurrency simply requires a little understanding to be able to make sound choices.

Fact #5: You Have Friends Out There

It is the developers’ responsibility to provide you with the well-thought-out software you need to explore that space.

A growing number of applications are using solutions such as Sep7 or your servitor’s Cosmic.link to make things safer and easier. I could also mention StellarPort’s keystore, which is a well-designed way to store and use a secret key (but not to share it between apps!).

Of course, people who hold significant amounts in crypto should use a hardware wallet (Ledger or Trezor), as these are the most secure solution. I’d say that anybody with more than $500 at stake should have one.

Ultimately, you are the one who chooses which software to trust. Ultimately, you are the one who chooses which software will be successful. Keep your focus and make a good call!
