Topic: Bitcointalk Forum's Security - page 2. (Read 1764 times)

hero member
Activity: 544
Merit: 500
September 19, 2016, 02:13:39 PM
#8
I got no confirmation email from Bitcointalk when I joined the forum. It is very easy to change the email without confirming email ownership. We can set a security question to secure our accounts from hackers. Every time you want to change your password/email, you must answer the security question to prove the account is still under your control.

This is a great idea!
staff
Activity: 3458
Merit: 6793
Just writing some code
September 19, 2016, 02:12:26 PM
#7
You don't get it. If the hacker was able to change the email address instantly, like what happened to us here, then we "instantly" no longer have access to our accounts.

If he can't change our email address instantly, then the account won't do him any good.

In some cases, like what you were stating before, what if both the account and the email were hacked? Then that's where the 24-hour process comes in.

Let's say you can't access your account, so you use your email to retrieve it (you can still retrieve your account using your old email because it takes 24 hours to update your profile). But what if the email was hacked as well? Then you have 24 hours to retrieve your email before everything goes to shit.

It's very easy to retrieve email accounts as long as it's really yours.
If both your email and your Bitcointalk account are hacked, then the 24 hours doesn't help you at all. You won't be able to access your email either, so you can't fix anything.
member
Activity: 119
Merit: 100
September 19, 2016, 02:11:11 PM
#6
I got no confirmation email from Bitcointalk when I joined the forum. It is very easy to change the email without confirming email ownership. We can set a security question to secure our accounts from hackers. Every time you want to change your password/email, you must answer the security question to prove the account is still under your control.
hero member
Activity: 544
Merit: 500
September 19, 2016, 01:56:49 PM
#5
24-hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not in having to wait for the change to happen.

I think people aren't dumb enough to use one password for all their accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just google it; there are tons of studies on how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.

You don't get it. If the hacker was able to change the email address instantly, like what happened to us here, then we "instantly" no longer have access to our accounts.

If he can't change our email address instantly, then the account won't do him any good.

In some cases, like what you were stating before, what if both the account and the email were hacked? Then that's where the 24-hour process comes in.

Let's say you can't access your account, so you use your email to retrieve it (you can still retrieve your account using your old email because it takes 24 hours to update your profile). But what if the email was hacked as well? Then you have 24 hours to retrieve your email before everything goes to shit.

It's very easy to retrieve email accounts as long as it's really yours.
staff
Activity: 3458
Merit: 6793
Just writing some code
September 19, 2016, 01:39:13 PM
#4
24-hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not in having to wait for the change to happen.

I think people aren't dumb enough to use one password for all their accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just google it; there are tons of studies on how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.
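The word-mangling point in the post above, as an added example that is not code from the forum or its staff: a handful of hand-written mangling rules (a small, constructed subset of what real cracking rule files contain), the attacker's use of them against a password hash stolen from a second site, and the same rules turned around as a reuse check at password-change time. The passwords, site word, salt and iteration count are constructed for the demo.

```python
# Added example (not forum code): why a password leaked from one site
# breaks its "variations" elsewhere, and how a site can refuse such variations.
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed rule set: a tiny subset of what real cracking rule files contain.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2016", "2016!", "#"]
PBKDF2_ROUNDS = 10_000            # kept low so the demo runs in seconds
SALT = b"constructed-demo-salt"   # a real system uses a random per-user salt


def mangle(base: str, site_words: Iterable[str] = ()) -> set:
    """Variants people typically derive from one base password: case changes,
    leetspeak, the site's name tacked on, and the usual digit/symbol suffixes."""
    words = {base.lower(), base.capitalize(), base.upper()}
    words |= {w.translate(LEET) for w in list(words)}
    for site in site_words:
        words |= {w + site for w in list(words)} | {w + site.capitalize() for w in list(words)}
    return {w + suffix for w in words for suffix in SUFFIXES}


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """What site B stores; PBKDF2 rather than a bare hash, yet still crackable by rules."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def crack_with_known(known: str, site_words: Iterable[str], target_hash: bytes,
                     salt: bytes = SALT) -> Optional[str]:
    """Attacker's side: one password leaked from site A, tried in mangled form
    against a hash stolen from site B. Returns the recovered password or None."""
    for candidate in sorted(mangle(known, site_words)):
        if hmac.compare_digest(hash_password(candidate, salt), target_hash):
            return candidate
    return None


def is_variant_of(candidate: str, known_passwords: Iterable[str],
                  site_words: Iterable[str] = ()) -> bool:
    """Defender's side: at password-change time, reject a new password that is
    only a mangling of one the user (or a breach corpus) already used."""
    return any(candidate in mangle(k, site_words) for k in known_passwords)
```

With the constructed leak "sunshine" from one site, the rules recover "Sunshine2016!" and "Sun5h1n3btc1" on another within a few hundred guesses; a passphrase that shares nothing with the leak is not reachable by this rule set. Real rule files are far larger, so the defender-side check is a floor, not a substitute for a password manager.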
hero member
Activity: 544
Merit: 500
September 19, 2016, 01:29:01 PM
#3
A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is, I don't want this kind of thing to keep on happening!
I don't want this to happen to other users, and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us who were hacked weren't able to regain access to our accounts because our email was changed.
What if, every time a user wants to change his email, he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24-hour process. The user can still cancel it within 24 hours if he changes his mind.
24-hour process for what? You have to wait 24 hours to change the email? That's just plain stupid. What if the hacker got into your email as well?

The only good idea here is to validate that the email or password was changed. Unfortunately that isn't going to happen, since a lot of users here just registered with a fake email address.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course, all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.
No. This has been discussed before. Cloudflare does not provide any additional security whatsoever; in fact, they actually reduce your security. Cloudflare acts as a man-in-the-middle: they can see all of your communication in plaintext, not encrypted as it should be. This opens up a whole other attack vector and a bunch more problems.

Let this post serve as a petition to make our forum more secure and greater than before!
The forum is already very secure; it's part of the reason that the SMF version hasn't been updated: many, many changes have been made to significantly increase its security. The problem is when people fall for phishing scams, use weak passwords, or set a security question. There is only so much the forum can do to protect you from yourself.

24-hour process until the user's account is updated with the newly registered email address. I think people aren't dumb enough to use one password for all their accounts.
staff
Activity: 3458
Merit: 6793
Just writing some code
September 19, 2016, 01:21:29 PM
#2
A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is, I don't want this kind of thing to keep on happening!
I don't want this to happen to other users, and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us who were hacked weren't able to regain access to our accounts because our email was changed.
What if, every time a user wants to change his email, he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24-hour process. The user can still cancel it within 24 hours if he changes his mind.
24-hour process for what? You have to wait 24 hours to change the email? That's just plain stupid. What if the hacker got into your email as well?

The only good idea here is to validate that the email or password was changed. Unfortunately that isn't going to happen, since a lot of users here just registered with a fake email address.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course, all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.
No. This has been discussed before. Cloudflare does not provide any additional security whatsoever; in fact, they actually reduce your security. Cloudflare acts as a man-in-the-middle: they can see all of your communication in plaintext, not encrypted as it should be. This opens up a whole other attack vector and a bunch more problems.

Let this post serve as a petition to make our forum more secure and greater than before!
The forum is already very secure; it's part of the reason that the SMF version hasn't been updated: many, many changes have been made to significantly increase its security. The problem is when people fall for phishing scams, use weak passwords, or set a security question. There is only so much the forum can do to protect you from yourself.
hero member
Activity: 544
Merit: 500
September 19, 2016, 12:54:02 PM
#1
A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is, I don't want this kind of thing to keep on happening!
I don't want this to happen to other users, and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us who were hacked weren't able to regain access to our accounts because our email was changed.
What if, every time a user wants to change his email, he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24-hour process. The user can still cancel it within 24 hours if he changes his mind.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course, all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.

Getting hacked feels really bad. And I don't want that to happen to any of you.

So what do you guys think?

I really want this post to be noticed by our mods, staff and admins! So if you agree with me, reply to this post saying that you want to make this forum secure as well.
Or if you have other ideas, put them here as well.


Let this post serve as a petition to make our forum more secure and greater than before!
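The email-change flow proposed in the opening post (approve the change from the address currently on the account, then a 24-hour window in which it can still be cancelled), together with the staff's objection that the window is worthless once the mailbox is also compromised, as an added example that is not code from the forum or its staff. Tokens are random and stored only as hashes; the account name, addresses, clock and the outbox that stands in for real mail are constructed for the demo.

```python
# Added example (not forum code): email change approved from the current
# mailbox, applied only after a 24-hour window the old mailbox can cancel.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

WINDOW_SECONDS = 24 * 60 * 60   # the 24-hour delay proposed in the thread


def _digest(token: str) -> str:
    # Store only token hashes so a database leak yields no live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingChange:
    new_email: str
    confirm_digest: str                   # approval token, mailed to the CURRENT address
    cancel_digest: Optional[str] = None   # cancel token, mailed to the CURRENT address
    confirmed_at: Optional[float] = None  # approval time; the window starts here


class EmailChangeService:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.emails = {}    # user -> address currently on the account
        self.pending = {}   # user -> PendingChange
        self.outbox = []    # (recipient, purpose, token); stands in for real mail

    def _mail(self, to: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        self.outbox.append((to, purpose, token))
        return token

    def request_change(self, user: str, new_email: str) -> None:
        """Step 1: nothing changes; the approval token goes to the address
        already on file, so a hijacked session without the mailbox stops here."""
        token = self._mail(self.emails[user], "confirm-change")
        self.pending[user] = PendingChange(new_email, _digest(token))

    def confirm_from_current_mailbox(self, user: str, token: str) -> bool:
        """Step 2: the old mailbox approves; the change is queued, not applied,
        and a cancel token goes to that same old mailbox."""
        p = self.pending.get(user)
        if p is None or p.confirmed_at is not None:
            return False
        if not hmac.compare_digest(_digest(token), p.confirm_digest):
            return False
        p.confirmed_at = self.clock()
        p.cancel_digest = _digest(self._mail(self.emails[user], "cancel-change"))
        return True

    def cancel(self, user: str, token: str) -> bool:
        """Whoever holds the cancel token (the old mailbox) aborts the change."""
        p = self.pending.get(user)
        if p is None or p.cancel_digest is None:
            return False
        if not hmac.compare_digest(_digest(token), p.cancel_digest):
            return False
        del self.pending[user]
        return True

    def apply_due_changes(self) -> list:
        """Run from a scheduler: only approved changes older than the window land."""
        applied = []
        for user, p in list(self.pending.items()):
            if p.confirmed_at is not None and self.clock() - p.confirmed_at >= WINDOW_SECONDS:
                self.emails[user] = p.new_email
                del self.pending[user]
                applied.append(user)
        return applied

    def recovery_address(self, user: str) -> str:
        """Where password resets go; inside the window that is still the old address."""
        return self.emails[user]


def demo() -> dict:
    """The thread's scenarios, on a fake clock and a constructed account."""
    now = [0.0]
    svc = EmailChangeService(clock=lambda: now[0])
    svc.emails["alice"] = "alice@example.com"
    out = {}
    svc.request_change("alice", "attacker@example.net")   # from a hijacked session
    out["guess_rejected"] = not svc.confirm_from_current_mailbox("alice", "not-the-token")
    svc.confirm_from_current_mailbox("alice", svc.outbox[-1][2])   # owner approves by mistake
    now[0] += 3600
    out["address_during_window"] = svc.recovery_address("alice")   # resets still reach the owner
    out["cancelled"] = svc.cancel("alice", svc.outbox[-1][2])      # old mailbox pulls the plug
    now[0] += WINDOW_SECONDS
    out["applied_after_cancel"] = svc.apply_due_changes()
    svc.request_change("alice", "alice@newmail.example")          # a genuine change, uncancelled
    svc.confirm_from_current_mailbox("alice", svc.outbox[-1][2])
    now[0] += WINDOW_SECONDS
    out["applied_after_window"] = svc.apply_due_changes()
    out["final_address"] = svc.recovery_address("alice")
    return out
```

The control that does the work is the approval mailed to the address already on file: a hijacked session alone cannot complete step 2. The window only adds value while the old mailbox is still the owner's, because the cancel token lands in that same mailbox; an attacker who holds both the session and the mailbox can approve the change and discard the cancel mail, which is the staff's point about the 24 hours not helping in that case.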