The keys of an EOS account differ from those of other blockchains such as Bitcoin. An EOS account has two public-private key pairs, corresponding respectively to the Owner authority and the Active (day-to-day management) authority. However, for simplicity, many EOS account registration services set both to the same key pair, so that users only need to secure one private key. The disadvantage is that some of the account's security is lost: whoever obtains that single private key holds both authorities.
Active and Owner keypair/permission
What is an active and Owner keypair? Why is it a best practice to have two different private keys?
EOS accounts have an owner permission and an active permission, each backed by its own keypair (a public and a private key). With the owner permission you are allowed to change both keypairs. With the active permission you are only allowed to change the active keypair; you are not allowed to change the owner permission's keypair. Having two different private keys increases security. Therefore, the best practice is to change your active key if both keypairs are the same. Users can generate a new active keypair because they still have access to their owner key.
Your EOS Account has
Account name (This is your deposit address, where you receive EOS related tokens)
Active public key
Active private key (Use with your EOS wallet. Allows a user to change only the active keypair)
Owner public key
Owner private key (Allows a user to change both the Owner and the active keypair. Keep your owner private key in cold storage, not on your computer.)
Set up email and Telegram alerts for your EOS account: https://eosauthority.com/alerts?network=eos
To prevent hackers or scammers from transferring your tokens when your active private key is exposed, stake your EOS with a service that enforces an unstaking period. For example, the REX savings account has an unstaking period of 4 days: first you lend your tokens to REX; then, once they are in REX, you move them into the savings account, which provides the unstaking period.
Scenario: if your active private key is compromised (you got hacked or scammed), the first thing the scammer or hacker has to do is unstake your tokens. You will get an account alert from EOS Authority when a hacker unstakes your tokens. Due to the four-day delay, you have time to change your keys: use your owner private key to change your EOS account's active keypair.
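The two practical points above, detecting an account whose owner and active permissions share one key and rotating the active key under the owner authority, as an added Python example that is not part of the original article or of any EOS project. The account record and key strings are constructed placeholders shaped like the `permissions` array of the chain's get_account response, and the `eosio::updateauth` action is built as a plain dict for a signing tool rather than submitted to a chain.

```python
# Added example: shared-key check and active-key rotation for an EOS account.
# SAMPLE_ACCOUNT is constructed to mimic a get_account response in which both
# permissions resolve to the same key (the weakness the article describes).
# The EOS_PLACEHOLDER_* strings are not real public keys.
SAMPLE_ACCOUNT = {
    "account_name": "examplename1",
    "permissions": [
        {"perm_name": "owner", "parent": "",
         "required_auth": {"threshold": 1,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_A", "weight": 1}],
                           "accounts": [], "waits": []}},
        {"perm_name": "active", "parent": "owner",
         "required_auth": {"threshold": 1,
                           "keys": [{"key": "EOS_PLACEHOLDER_KEY_A", "weight": 1}],
                           "accounts": [], "waits": []}},
    ],
}


def permission_keys(account, perm_name):
    """Return the set of public keys that can satisfy a named permission."""
    for perm in account["permissions"]:
        if perm["perm_name"] == perm_name:
            return {k["key"] for k in perm["required_auth"]["keys"]}
    raise KeyError(f"permission {perm_name!r} not found")


def shares_owner_key(account):
    """True when an owner key also satisfies the active permission, i.e. a
    leaked active key would expose the owner authority as well."""
    return bool(permission_keys(account, "owner") & permission_keys(account, "active"))


def build_rotate_active_action(account_name, new_active_key):
    """Build the eosio::updateauth action that replaces the active permission
    with a single new key. The action is authorized by the account's owner
    permission, which is why the owner key must stay available offline."""
    return {
        "account": "eosio",
        "name": "updateauth",
        "authorization": [{"actor": account_name, "permission": "owner"}],
        "data": {
            "account": account_name,
            "permission": "active",
            "parent": "owner",
            "auth": {"threshold": 1,
                     "keys": [{"key": new_active_key, "weight": 1}],
                     "accounts": [], "waits": []},
        },
    }
```

Feed the returned action to your wallet or signing tool together with the owner key; after the chain applies it, `shares_owner_key` on a fresh get_account response should return False.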
Step by step tutorial "How to change your keypairs for your EOS Account?":