Topic: [Proposal: prevent account hack] A complete new login system for BitcoinTalk - page 2. (Read 364 times)

It has been about 6 months since my account was hacked and I sent proof.
Legendary account got hacked - 4 months gone - Admin is Sleeping - Wake Up Admin
Account Hacked - No Response From Theymos/Cyrus - Please tag account

Background
Sadly I see a lot of accounts get hacked. Poor account holders create alt accounts and try to recover their hacked account with the staked Bitcoin address (if they signed one before). Unfortunately, if they did not sign a Bitcoin address, they can never recover their lost account. I would like to thank Tomatocage for this great idea of recovering BitcoinTalk accounts.

The current system for recovering a hacked account is manual. I assume we do not have many mods either, so obviously it takes a lot of time to get back a hacked account even if you have a signed message in the "stake your bitcoin address" topic.

I learnt from one of my topics that theymos wanted to give us the experience of being anonymous. But with the current registration system, we are asked for a valid email address. The leak in the system is that you can create a BitcoinTalk account with an email address that is not even your own; the system does not verify the given email address. The idea of not verifying the email address is to keep the user anonymous [1].

It is obvious that theymos wanted us to use our Bitcoin address for registering and maintaining the BitcoinTalk account. Maybe when theymos (actually satoshi) started the forum, SMF did not have a "register with Bitcoin, login with Bitcoin" feature. I doubt SMF has added this feature even now.

I guess improving the registration and login system will help us avoid the unfortunate account hack issue for members. This will also automate the entire account recovery system, or maybe we won't even need an account recovery feature.

The proposal
I have two proposals. Let me be very quick on describing them.

Proposal One: inspired by the Ledger Nano affiliate signup and login page


Registration process input fields [image not available in this copy]

Instead of the email address field ask for the username.

Once the user submits the data, give the user a Secret Key (system generated) and advise the user to keep the Secret Key safe, because they will use this secret key for login. It's like losing the 12-word phrase of your bitcoin wallet. There will be no need for account recovery.
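The server side of this first proposal, as an added example (it is not the forum's or SMF's code): the site generates the Secret Key at registration, shows it to the user once, and keeps only a salted scrypt hash of it, so a leaked user table does not hand out login keys. The `Accounts` class, the key format and the scrypt parameters are assumptions made for the example.

```python
"""Added example: system-generated Secret Key, stored only as a salted scrypt hash."""
import base64
import hashlib
import hmac
import secrets


def new_secret_key() -> str:
    """160 random bits, shown as 8 groups of 4 base32 characters for easier copying."""
    raw = base64.b32encode(secrets.token_bytes(20)).decode()  # 20 bytes -> 32 chars, no '='
    return "-".join(raw[i:i + 4] for i in range(0, 32, 4))


def _derive(secret: str, salt: bytes) -> bytes:
    # Memory-hard KDF; n/r/p follow the values used in the Python hashlib docs (assumption)
    cleaned = secret.replace("-", "").upper().encode()
    return hashlib.scrypt(cleaned, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class Accounts:
    """In-memory account store constructed for this example; the secret itself is never kept."""

    def __init__(self):
        self.store = {}  # username -> (salt, scrypt hash)

    def register(self, username: str) -> str:
        """Create the account and return the one-time Secret Key to show the user."""
        if username in self.store:
            raise ValueError("username taken")
        secret = new_secret_key()
        salt = secrets.token_bytes(16)
        self.store[username] = (salt, _derive(secret, salt))
        return secret

    def login(self, username: str, secret: str) -> bool:
        """Constant-time comparison of the derived hash against the stored one."""
        entry = self.store.get(username)
        if entry is None:
            _derive(secret, b"\0" * 16)  # same cost for unknown users, no timing difference
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(secret, salt), expected)
```

A lost Secret Key is unrecoverable by design, exactly as the proposal says; the hash stored by the site cannot be turned back into the key for the user.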

Login input field [image not available in this copy]

Proposal Two: inspired by the a-ads affiliate signup and login page

Registration process input fields will be only your Bitcoin address.
Additionally, the registration page can ask for a username.

Login input field [image not available in this copy]

At the time of login, always ask for a message signed with the Bitcoin address that was used for registration, and authenticate that message for login. Again, there will be no need for account recovery.
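The login flow of this second proposal, as an added example that is not the forum's or SMF's code: the site issues a fresh one-time challenge, the member signs it the way a wallet's "Sign message" does (Bitcoin's "Bitcoin Signed Message" digest and a compact recoverable ECDSA signature), and the site recovers the signer's key from the signature and compares it with the key registered for that username. Two details a practitioner would want are included: the nonce is consumed on first use, so a captured signature cannot be replayed, and it expires. The `Site` class, the challenge text and the in-memory store are assumptions; the account is identified here by its compressed public key in hex, whereas a real deployment would hash that key into the Bitcoin address (SHA256, RIPEMD160, Base58Check) and compare addresses.

```python
"""Added example: challenge-response login with a Bitcoin-style signed message."""
import base64
import hashlib
import secrets
import time

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    acc = None  # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _compress(pt):
    return ("02" if pt[1] % 2 == 0 else "03") + pt[0].to_bytes(32, "big").hex()

def pubkey_hex(priv):
    return _compress(_mul(priv, G))  # stand-in for the member's registered address

def message_hash(msg):
    """Bitcoin 'signed message' digest: double SHA256 over the magic-prefixed message."""
    assert len(msg) < 253  # one-byte varint length suffices for a challenge string
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def sign_message(priv, msg):
    """Client side: compact recoverable ECDSA signature, Base64 like a wallet's 'Sign message'."""
    z = message_hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        rx, ry = _mul(k, G)
        r = rx % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            break
    recid = (ry & 1) | (2 if rx >= N else 0)
    if s > N // 2:  # low-s form negates k, which flips the parity of R.y
        s, recid = N - s, recid ^ 1
    sig = bytes([27 + 4 + recid]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(sig).decode()

def recover_pubkey_hex(msg, sig_b64):
    """Server side: recover the signer's compressed public key, or None if invalid."""
    try:
        raw = base64.b64decode(sig_b64)
    except ValueError:
        return None
    if len(raw) != 65 or not 27 <= raw[0] <= 34:
        return None
    recid = (raw[0] - 27) & 3
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    x = r + (N if recid & 2 else 0)
    if not (0 < r < N and 0 < s < N) or x >= P:
        return None
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    if y * y % P != (x ** 3 + 7) % P:  # no such point on the curve
        return None
    if (y & 1) != (recid & 1):
        y = P - y
    rinv = pow(r, -1, N)
    q = _add(_mul(s * rinv % N, (x, y)), _mul(-message_hash(msg) * rinv % N, G))
    return None if q is None else _compress(q)

class Site:
    TTL = 300  # seconds a challenge stays valid (assumed)

    def __init__(self):
        self.accounts = {}  # username -> compressed pubkey hex the member registered
        self.pending = {}   # nonce -> (username, issued_at); each nonce is usable once

    def register(self, username, pub_hex):
        self.accounts[username] = pub_hex

    def challenge(self, username):
        nonce = secrets.token_hex(16)  # the member signs exactly this text
        self.pending[nonce] = (username, time.time())
        return f"bitcointalk login {username} {nonce}".encode()

    def login(self, challenge, sig_b64):
        nonce = challenge.rsplit(b" ", 1)[-1].decode(errors="replace")
        entry = self.pending.pop(nonce, None)  # pop: replaying a captured signature fails
        if entry is None or time.time() - entry[1] > self.TTL:
            return False
        if challenge != f"bitcointalk login {entry[0]} {nonce}".encode():
            return False
        return recover_pubkey_hex(challenge, sig_b64) == self.accounts.get(entry[0])
```

Binding the username and a site-specific prefix into the challenge text matters: a signature the member produced for some other site, or for a different account, then verifies against nothing here, and the "stay logged in" session the post mentions can be issued only after `login` returns True.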

Limitation
Applying the first proposal will be difficult (not impossible) in my opinion because every existing user will need a secret key, which we do not have now. It is easier when a system starts from the initial stage.

Proposal two is really possible to add to our existing system. Give enough time (maybe 6 months or a year, really a long time) to the current users to add their Bitcoin address to the system. Those who are regular will do it easily, and those who are not regular and discover it after the new login and registration system is implemented can use the "stake your bitcoin address" topic and use their staked BTC address to recover their lost account manually. Keep the "stay logged in" feature so that users won't need to go through the sign-a-message process every time they log in to BitcoinTalk.


Conclusion
If we can adopt any of the above proposed registration and login processes, then account hacking will drop dramatically (maybe to zero), and the mods will not have the extra load of manually recovering hacked or lost accounts.

PS: Apologies for my messed-up formatting


[1] Does this mean when we create a blockchain.info wallet, we are not actually anonymous? They verify our email address.