Pages:
Author

Topic: PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT (Read 4556 times)

legendary
Activity: 1456
Merit: 1000
Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)
Quote
Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

If you made it now it is not that the question would make it vulnerable.  It is that there was a past security breach where the ones at that time were compromised.   So a security question in itself is not really making it vulnerable, but the problem is account's that have same security question now as time of breach.    It also becomes even harder with inactive accounts as chances of changing security question are none.

So the security question now locks to prevent compromise.   It is a pain for those who hit it but it is considered known now, and we really have a LOT less using security questions now then we did say in October of 2015.  If you look back there was quite a few more then say today it has went down drastically that more users know it locks account's.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)
Quote
Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.
It won't anymore, it will just be useless considering the account would just be locked if it were used.

What that quote is saying is about secret questions in general. Accounts only began to be locked after the forum was last compromised, as the secret questions and answers were leaked and could be decrypted to hack into accounts.
legendary
Activity: 1302
Merit: 1005
New Decentralized Nuclear Hobbit
Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)
Quote
Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.
legendary
Activity: 1246
Merit: 1024
Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You do not want to set a secret question. If you use it to recover your password your account will be immediately frozen.
hero member
Activity: 2268
Merit: 960
100% Deposit Match UP TO €5000!
Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere
legendary
Activity: 1210
Merit: 1024
I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.





I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?

Unfortunate typo as English is not my primary language.

I meant to say


It was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.



Only Theymos and BadBear have the technical abilities to unlock accounts.


I'm just a regular member.



~BCX~
hero member
Activity: 924
Merit: 526
GIF by SOCIFI
I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.





I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?
legendary
Activity: 1210
Merit: 1024
I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.





I was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~
legendary
Activity: 1246
Merit: 1024



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~

I understand that you can have it turned off, I actually had it turned off before, but thought I'd improve the security. I ment it's strange that the possibility of adding a secret question is still in there, if the feature is bugged and gets people locked out (for months).

Unfortunately it is not a bug. A while back the user database of the forum was hacked. Logins were compromised. Theymos did it so the hackers could not get the password via the reset option. And they purposely kept it secret so the hackers would not know about it. They won't be turning it off. Just need to know or once you do it and get your account reinstated you will never do it again. But someone who did have a BTC address six months prior in a post or signature has no chance of recovering the account.
hero member
Activity: 924
Merit: 526
GIF by SOCIFI



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~

I understand that you can have it turned off, I actually had it turned off before, but thought I'd improve the security. I ment it's strange that the possibility of adding a secret question is still in there, if the feature is bugged and gets people locked out (for months).
copper member
Activity: 2996
Merit: 2374



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~
I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

legendary
Activity: 1246
Merit: 1024

Yes

Blanking the fields and saving them will not lock your account.



~BCX~

Thank you.
legendary
Activity: 1210
Merit: 1024



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~

Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.


Yes

Blanking the fields and saving them will not lock your account.



~BCX~
staff
Activity: 3458
Merit: 6793
Just writing some code
Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.
Yes, that is how you disable the security question for your account.
legendary
Activity: 1246
Merit: 1024



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~

Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.
newbie
Activity: 56
Merit: 0
thank you for creating the thread to give information about it to every one..
legendary
Activity: 1210
Merit: 1024



Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley


There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~
hero member
Activity: 924
Merit: 526
GIF by SOCIFI
Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.

It does take patience in some of the cases it is kinda seen as a lessor issue with it being known I think.  It is hard to get info about it to every user I bump a thread I made in beginner about once a month - https://bitcointalksearch.org/topic/message-to-beginners-do-not-use-secret-question-to-reset-account-it-locks-it-1214627 .   The good news is overall it has slowed down a ton, it was multiple a day at first.   Now it's much much slower.

I would suggest starting your own thread in meta about issue though.   List user and problem about lock.    And then the patience part comes in, I would bump your thread and send email once a week.  I would not do it any more then that as you don't want to be a pain to admins. 

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  Smiley
legendary
Activity: 1456
Merit: 1000
Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.

It does take patience in some of the cases it is kinda seen as a lessor issue with it being known I think.  It is hard to get info about it to every user I bump a thread I made in beginner about once a month - https://bitcointalksearch.org/topic/message-to-beginners-do-not-use-secret-question-to-reset-account-it-locks-it-1214627 .   The good news is overall it has slowed down a ton, it was multiple a day at first.   Now it's much much slower.

I would suggest starting your own thread in meta about issue though.   List user and problem about lock.    And then the patience part comes in, I would bump your thread and send email once a week.  I would not do it any more then that as you don't want to be a pain to admins. 
legendary
Activity: 1246
Merit: 1024
Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.
Pages:
Jump to: