PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

notlist3d

legendary

Activity: 1456

Merit: 1000

Quote from: ndnh on June 19, 2016, 08:39:17 AM

Quote from: FFrankie on June 19, 2016, 04:50:56 AM

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Quote

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

If you made it now it is not that the question would make it vulnerable. It is that there was a past security breach where the ones at that time were compromised. So a security question in itself is not really making it vulnerable, but the problem is account's that have same security question now as time of breach. It also becomes even harder with inactive accounts as chances of changing security question are none.

So the security question now locks to prevent compromise. It is a pain for those who hit it but it is considered known now, and we really have a LOT less using security questions now then we did say in October of 2015. If you look back there was quite a few more then say today it has went down drastically that more users know it locks account's.

minifrij

legendary

Activity: 2324

Merit: 1267

In Memory of Zepher

Quote from: ndnh on June 19, 2016, 08:39:17 AM

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Quote

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

It won't anymore, it will just be useless considering the account would just be locked if it were used.

What that quote is saying is about secret questions in general. Accounts only began to be locked after the forum was last compromised, as the secret questions and answers were leaked and could be decrypted to hack into accounts.

ndnh

legendary

Activity: 1302

Merit: 1005

New Decentralized Nuclear Hobbit

Quote from: FFrankie on June 19, 2016, 04:50:56 AM

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Quote

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

jackbox

legendary

Activity: 1246

Merit: 1024

Quote from: FFrankie on June 19, 2016, 04:50:56 AM

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You do not want to set a secret question. If you use it to recover your password your account will be immediately frozen.

FFrankie

hero member

Activity: 2254

Merit: 960

100% Deposit Match UP TO €5000!

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

BitcoinEXpress

legendary

Activity: 1210

Merit: 1024

Quote from: muleroaa on June 18, 2016, 02:14:12 PM

Quote from: BitcoinEXpress on June 18, 2016, 01:51:31 PM

Quote from: Quickseller on June 18, 2016, 01:57:11 AM

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.

~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?

Unfortunate typo as English is not my primary language.

I meant to say

It was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

Only Theymos and BadBear have the technical abilities to unlock accounts.

I'm just a regular member.

~BCX~

muleroaa

hero member

Activity: 924

Merit: 526

GIF by SOCIFI

Quote from: BitcoinEXpress on June 18, 2016, 01:51:31 PM

Quote from: Quickseller on June 18, 2016, 01:57:11 AM

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.

~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?

BitcoinEXpress

legendary

Activity: 1210

Merit: 1024

Quote from: Quickseller on June 18, 2016, 01:57:11 AM

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.

~BCX~

jackbox

legendary

Activity: 1246

Merit: 1024

Quote from: muleroaa on June 18, 2016, 07:47:58 AM

Quote from: BitcoinEXpress on June 17, 2016, 10:22:11 PM

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

I understand that you can have it turned off, I actually had it turned off before, but thought I'd improve the security. I ment it's strange that the possibility of adding a secret question is still in there, if the feature is bugged and gets people locked out (for months).

Unfortunately it is not a bug. A while back the user database of the forum was hacked. Logins were compromised. Theymos did it so the hackers could not get the password via the reset option. And they purposely kept it secret so the hackers would not know about it. They won't be turning it off. Just need to know or once you do it and get your account reinstated you will never do it again. But someone who did have a BTC address six months prior in a post or signature has no chance of recovering the account.

muleroaa

hero member

Activity: 924

Merit: 526

GIF by SOCIFI

Quote from: BitcoinEXpress on June 17, 2016, 10:22:11 PM

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

I understand that you can have it turned off, I actually had it turned off before, but thought I'd improve the security. I ment it's strange that the possibility of adding a secret question is still in there, if the feature is bugged and gets people locked out (for months).

Quickseller

copper member

Activity: 2870

Merit: 2298

Quote from: BitcoinEXpress on June 17, 2016, 10:22:11 PM

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

jackbox

legendary

Activity: 1246

Merit: 1024

Quote from: BitcoinEXpress on June 18, 2016, 12:29:32 AM

Yes

Blanking the fields and saving them will not lock your account.

~BCX~

Thank you.

BitcoinEXpress

legendary

Activity: 1210

Merit: 1024

Quote from: jackbox on June 18, 2016, 12:25:23 AM

Quote from: BitcoinEXpress on June 17, 2016, 10:22:11 PM

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.

Yes

Blanking the fields and saving them will not lock your account.

~BCX~

achow101

staff

Activity: 3374

Merit: 6530

Just writing some code

Quote from: jackbox on June 18, 2016, 12:25:23 AM

Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.

Yes, that is how you disable the security question for your account.

jackbox

legendary

Activity: 1246

Merit: 1024

Quote from: BitcoinEXpress on June 17, 2016, 10:22:11 PM

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

Can this be done after the question is set by blanking them out and saving? I was already burned by this and had my account locked. It was frustrating, to say the least, to get my account restored many months later.

nitesh1995p

newbie

Activity: 56

Merit: 0

thank you for creating the thread to give information about it to every one..

BitcoinEXpress

legendary

Activity: 1210

Merit: 1024

Quote from: muleroaa on June 17, 2016, 09:02:46 PM

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

There is.

Leave both fields blank in the secret question section.

It will disable it.

~BCX~

muleroaa

hero member

Activity: 924

Merit: 526

GIF by SOCIFI

Quote from: notlist3d on June 17, 2016, 07:31:03 PM

Quote from: jackbox on June 17, 2016, 08:51:52 AM

Quote from: muleroaa on June 17, 2016, 08:44:16 AM

Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.

It does take patience in some of the cases it is kinda seen as a lessor issue with it being known I think. It is hard to get info about it to every user I bump a thread I made in beginner about once a month - https://bitcointalksearch.org/topic/message-to-beginners-do-not-use-secret-question-to-reset-account-it-locks-it-1214627 . The good news is overall it has slowed down a ton, it was multiple a day at first. Now it's much much slower.

I would suggest starting your own thread in meta about issue though. List user and problem about lock. And then the patience part comes in, I would bump your thread and send email once a week. I would not do it any more then that as you don't want to be a pain to admins.

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though

notlist3d

legendary

Activity: 1456

Merit: 1000

Quote from: jackbox on June 17, 2016, 08:51:52 AM

Quote from: muleroaa on June 17, 2016, 08:44:16 AM

Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.

It does take patience in some of the cases it is kinda seen as a lessor issue with it being known I think. It is hard to get info about it to every user I bump a thread I made in beginner about once a month - https://bitcointalksearch.org/topic/message-to-beginners-do-not-use-secret-question-to-reset-account-it-locks-it-1214627 . The good news is overall it has slowed down a ton, it was multiple a day at first. Now it's much much slower.

I would suggest starting your own thread in meta about issue though. List user and problem about lock. And then the patience part comes in, I would bump your thread and send email once a week. I would not do it any more then that as you don't want to be a pain to admins.

jackbox

legendary

Activity: 1246

Merit: 1024

Quote from: muleroaa on June 17, 2016, 08:44:16 AM

Shit.....just got locked out of my account by answering the secret question. I can't believe they haven't taken this out or disabled it yet. I'm afraid I won't get control back of my "main" account for a long time....

Be patient and persistent sending messages to Theymos. It took me about two to three months of a signed message a week before he finally responded and apologized for the late response.

Topic: PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT (Read 4459 times)