The keys of an EOS account differ from those of other blockchains, such as Bitcoin. An EOS account has two public-private key pairs, one for the owner permission and one for the active permission. For simplicity, however, many EOS account registration services set both pairs to the same key pair, so users only need to secure one private key. The disadvantage is that the account gives up part of its security.
Active and Owner keypair/permission
What is an active and Owner keypair? Why is it a best practice to have two different private keys?
EOS accounts have an owner permission and an active permission, each with its own keypair (a public and a private key). With the owner permission, you are allowed to change both keypairs. With the active permission, you are only allowed to change the active keypair; you cannot change the owner permission's keypair. Having two different private keys increases security. Therefore, if both keypairs are the same, the best practice is to change your active key: users can generate a new active keypair because they still have access to their owner key.
Your EOS account has:
Account name (This is your deposit address, where you receive EOS-related tokens)
Active public key
Active private key (Use with your EOS wallet. Allows a user to change only the active keypair)
Owner public key
Owner private key (This allows a user to change both the owner and active keypairs. Keep your owner private key in cold storage, not on your computer.)
Set up email and Telegram alerts for your EOS account.
To prevent hackers or scammers from transferring your tokens if your active private key is exposed, stake your EOS with a service that enforces an unstaking period. For example, the REX savings account has an unstaking period of 4 days: first, you lend your tokens to REX; then, once they are in REX, you move them into the savings account, which enforces the unstaking period.
Scenario: if your active private key is compromised (you were hacked or scammed), the first thing the scammer or hacker has to do is unstake your tokens. EOS Authority will send you an account alert when the tokens are unstaked. Because of the four-day delay, you have time to change your keys: use your owner private key to change your EOS account's active keypair.
See the step-by-step tutorial "How to change your keypairs for your EOS account?".
Read more about how you can protect your EOS account even better in the article "How to configure your EOS Account in Safemode."
Author: Dario Cesaro
Editor: Randall Roland