
Topic: Major Flaw in Security - page 2. (Read 5424 times)

legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
December 23, 2014, 07:39:00 AM
#31
Bump
hero member
Activity: 908
Merit: 657
November 19, 2014, 01:21:27 AM
#30
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.

I think the confusion here comes from the fact that you took his quote:

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification though

and made it a reason to show how difficult it is to actually bruteforce someone's password. I read his quote as agreeing with the idea that passwords are not guessable, given that he says the chances of guessing someone's password are "very low". The thing is, you begin your reply by saying:
 
Just to put it into perspective as to how easy it is to guess someone's password:

Which sounds like you are disagreeing with him if you take that sentence out of context. He probably read this and assumed your post was contradicting his, which is why he responded to you with hostility, even though you both actually agree. You're both confused because you believe the other person has the opposite view, when you actually both agree that passwords are very secure. That's how I read your conversation at least.
copper member
Activity: 2996
Merit: 2374
November 18, 2014, 01:46:37 PM
#29
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.
hero member
Activity: 826
Merit: 504
November 18, 2014, 01:40:06 PM
#28
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger because it would take longer to guess a password

You're confusing me
copper member
Activity: 2996
Merit: 2374
November 17, 2014, 08:17:29 AM
#27
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger because it would take longer to guess a password
hero member
Activity: 826
Merit: 504
November 17, 2014, 05:53:48 AM
#26
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
copper member
Activity: 2996
Merit: 2374
November 16, 2014, 04:38:00 PM
#25
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
hero member
Activity: 826
Merit: 504
November 16, 2014, 03:31:01 PM
#24
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
copper member
Activity: 2996
Merit: 2374
November 15, 2014, 03:08:19 PM
#23
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification though
Just to put it into perspective as to how easy it is to guess someone's password:

There are 26 potential english letters and 10 potential numbers that can be used in your password (we can ignore all the special characters that someone could potentially use as well as capital letters).

If an attacker knew that a specific account's password was exactly 6 digits (I don't even think the forum allows for passwords to be this short) then the number of potential passwords would be 36^6 or written in base 10 scientific form 2176782336 ~2.17 * 10^9 or 2,176,782,336 or ~2.1 billion possibilities. Considering that an attacker can only attempt to "guess" a password once every 45 seconds, it would take 816,293,376 hours (34,012,224 days) to guess a password if the attacker has 100% luck (the attacker correctly guessed the correct password exactly halfway through all the potential passwords).

tl;dr it is not realistically possible to guess someone's password without some kind of social engineering and/or exploiting some kind of weakness of the person who owns the account (the owner somehow being at fault).
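The estimate in the post above, carried through with its own inputs (36 symbols, length 6, one attempt per 45 seconds, success on average halfway through) and extended to other alphabets and lengths. This is an added example, not part of the original thread; the function names, the 365-day year and the 62- and 94-symbol alphabets are assumptions, and the model only holds for uniformly random passwords.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year

# Alphabet sizes; the 62 and 94 rows are added for comparison (assumptions).
ALPHABETS = {
    "lowercase + digits": 36,        # the case worked through in the post
    "mixed case + digits": 62,
    "printable ASCII, no space": 94,
}

def keyspace(alphabet_size, min_len, max_len=None):
    """Count candidate passwords whose length is in [min_len, max_len]."""
    max_len = min_len if max_len is None else max_len
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def expected_seconds(alphabet_size, min_len, max_len=None, throttle_s=45):
    """Average online guessing time: half the keyspace, one try per throttle_s."""
    return Fraction(keyspace(alphabet_size, min_len, max_len), 2) * throttle_s

def expected_years(alphabet_size, min_len, max_len=None, throttle_s=45):
    """Same average, converted to years as a float."""
    seconds = expected_seconds(alphabet_size, min_len, max_len, throttle_s)
    return float(seconds / SECONDS_PER_YEAR)

def min_length_for(alphabet_size, target_years, throttle_s=45):
    """Shortest fixed length whose average guessing time reaches target_years."""
    length = 1
    while expected_years(alphabet_size, length, throttle_s=throttle_s) < target_years:
        length += 1
    return length

def report(length=6, throttle_s=45):
    """Average years to guess a random password of `length`, per alphabet."""
    return {name: expected_years(size, length, throttle_s=throttle_s)
            for name, size in ALPHABETS.items()}

if __name__ == "__main__":
    for name, years in report().items():
        print(f"{name:26} length 6: {years:14,.0f} years on average")
    print("length needed for 1,000,000 years (36 symbols):",
          min_length_for(36, 1_000_000))
```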
sr. member
Activity: 1456
Merit: 326
November 15, 2014, 03:02:39 PM
#22
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification though

Many other forums follow this procedure; I wasn't aware that this one didn't. +1; I think it could be made an option available to users...if they want to enable e-mail verification, then they can, for those more concerned with security, whereas for those who are lazier and would prefer not to go to their e-mail upon a change, they could have it disabled
hero member
Activity: 826
Merit: 504
November 15, 2014, 02:19:35 PM
#21
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification though
newbie
Activity: 50
Merit: 0
November 14, 2014, 04:18:21 PM
#20
I completely agree with this feature request 100%. My original account which got compromised, could have been prevented if something as simple as email confirmation was in place. In fact, I made this exact suggestion on my hacked account thread.

As of this time, I still haven't received any reply to my recovery PM from theymos (and yes I followed the recovery procedures outlined here). I don't understand how a cryptocurrency forum that deals with money can be so lax in its security department. All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
sr. member
Activity: 266
Merit: 250
October 25, 2014, 06:59:10 AM
#19
Hacker let we cannot update the individual forum speech record?
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
October 25, 2014, 05:08:21 AM
#18
It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.

I agree. IMO an email should be sent when registering and when changing 'Account Related Settings'.

   ~~MZ~~
global moderator
Activity: 4018
Merit: 2728
October 25, 2014, 04:42:41 AM
#17
It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.
hero member
Activity: 826
Merit: 504
October 25, 2014, 04:20:10 AM
#16
Bitcointalk's account security is a joke. I received '0' emails about my account creation details

Yup because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like [email protected]

Why not just make the email field optional then?
hero member
Activity: 499
Merit: 500
October 25, 2014, 03:36:57 AM
#15
Bitcointalk's account security is a joke. I received '0' emails about my account creation details

Yup because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like [email protected]
copper member
Activity: 2996
Merit: 2374
October 24, 2014, 11:53:14 AM
#14
Wouldn't mind your reply to the above posts, Theymos.
Did you not see the huge fiasco with bayuo/zedicus in meta a few months ago? If you are taking possession of an account you need to get a signed message from a btc address on an unedited post that is "old". This especially applies to taking accounts as collateral for a loan as the process to lend is much quicker than to buy an account.

The only exception to this is if you are lending to someone who farms accounts but the reason you would lend to an account farmer is Huh (This really only applies if you are buying accounts and have bought from them before)
member
Activity: 83
Merit: 10
October 24, 2014, 10:50:41 AM
#13
I agree with you, this should be fixed!
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 24, 2014, 10:46:34 AM
#12
Wouldn't mind your reply to the above posts, Theymos.