
Topic: Recovery phrase instead of security question (Read 342 times)

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
September 16, 2022, 06:53:24 AM
#18
Yeah, having the same seed length as the actual bitcoin wallet will be a lot of fun later.
Imagine in 10-15 years people finding their seed phrases on their drives in the garage and creating 1000 threads like "i used to mine bitcoin back in 2020 and I found my seed but i cannot import it in my wallet", like they do now with the wallet.dat files from some shitcoins back from 2014, asking for help to import them in the bitcoin wallet. Lol.

Let's better keep the things as they are; if you need extra security for your account you stake an address, otherwise it's just a waste of theymos' time and energy, and there are more exciting things that could be implemented...
staff
Activity: 3304
Merit: 4115
September 16, 2022, 05:13:30 AM
#17
The problem with secret questions is that the answers aren't very secret. Many passwords (like "123456") have the same problem. Using 12 words instead of a password would already be better, but I bet then some people would use their Electrum seed phrase on different websites.
This is one of the reasons why passwords haven't been standardised, which is a little bit related to your rant about having different requirements. The thing is, if you have a standardised approach to passwords, it almost encourages users to make it the same password as everything else. For example, if you were to implement a seed for account recovery, you probably don't want it to be 12 words, since as you correctly pointed out, people would just automatically use their wallet seed. So, by requiring 14 words or 18 words you'd at least add additional entropy to their seed. However, some would still probably use their seed, and just add additional words. Honestly, I'd prefer to have less than 12 for that reason, but then you're potentially making your forum recovery weaker.

So, it's a balancing act for me, and I know this shouldn't be the case as this should be taught early on in people's lives, but we've got to somewhat think about clashing with other security implementations which might actually make our entropy weaker.
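As an added illustration of the word-count and entropy trade-off discussed above (example code written for this thread, not part of the forum's SMF software or any ProtonMail implementation): it computes the entropy of an n-word phrase, generates one with the OS CSPRNG, and stores and verifies only a salted slow hash on the server side. The 16-word demo list, the scrypt parameters and all function names are constructed assumptions; a real deployment would use a full 2048-word list.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 16-word demo list; a real deployment would use a full wordlist
# (BIP39's has 2048 entries). Per-word entropy is log2(len(wordlist)).
WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "harbor",
            "ivory", "jungle", "kettle", "lemon", "mango", "noble", "ocean", "pearl"]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed; ~16 MiB per verification


def phrase_entropy_bits(word_count, list_size=2048):
    """Entropy of word_count words drawn uniformly (with replacement) from list_size words.
    A BIP39 12-word mnemonic carries 128 bits plus a 4-bit checksum, so
    12 * log2(2048) = 132 counts the checksum bits too; 14 words give 154, 18 give 198."""
    return word_count * math.log2(list_size)


def generate_recovery_phrase(word_count, wordlist=WORDLIST):
    """Draw each word independently with the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def normalize(phrase):
    """Lower-case and collapse whitespace so copy/paste formatting does not cause false rejects."""
    return " ".join(phrase.lower().split())


def make_record(phrase, required_words):
    """Server side: keep only a per-user salt and a slow hash; the phrase itself is never stored."""
    words = normalize(phrase).split()
    if len(words) != required_words:
        raise ValueError(f"expected {required_words} words, got {len(words)}")
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(" ".join(words).encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest, "words": required_words}


def verify_phrase(record, candidate):
    """Reject wrong word counts early, then compare hashes in constant time."""
    words = normalize(candidate).split()
    if len(words) != record["words"]:
        return False
    digest = hashlib.scrypt(" ".join(words).encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, record["digest"])
```

Requiring a word count that is not a valid BIP39 length (14 here) makes pasting a wallet seed unchanged fail the length check, though as the post notes it cannot stop someone appending extra words to it.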
legendary
Activity: 2212
Merit: 7064
September 16, 2022, 04:23:54 AM
#16
The problem with secret questions is that the answers aren't very secret. Many passwords (like "123456") have the same problem. Using 12 words instead of a password would already be better, but I bet then some people would use their Electrum seed phrase on different websites.
This sounds a lot like people who use one password for all websites as a solution...
I could imagine people would use the same seed words for Electrum, Proton Mail, the Bitcointalk forum and other websites that support it, while keeping them online on some cloud server.
Perhaps it would be possible to use separate passphrases for different websites in that case, but I don't see much difference compared to a randomly generated strong password instead.

If anyone has 123456 as their secret question answer or password then they deserve to be hacked. If you ask them to enter a 12 word phrase then they will go like, 1234 5678 9101 1121 3141 5161 7181 9202 1222 3242 5262 7282 LOL. Let them not own any online account 😂
I don't think they literally use 12345 password anymore (I hope so), but they probably use stuff like birthdays and other dates a lot, and none of that is randomly generated.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
September 15, 2022, 09:27:11 PM
#15
The problem with secret questions is that the answers aren't very secret. Many passwords (like "123456") have the same problem.
If anyone has 123456 as their secret question answer or password then they deserve to be hacked. If you ask them to enter a 12 word phrase then they will go like, 1234 5678 9101 1121 3141 5161 7181 9202 1222 3242 5262 7282 LOL. Let them not own any online account 😂

Quote
but I bet then some people would use their Electrum seed phrase on different websites.
As long as the address does not have any balance then it's fine. If the data is encrypted when saved in the database then it should be safer, though, even if they have a balance. But anyone who does it is simply stupid, of course.


Quote
Isn't it annoying every website has their own password requirements? Some have a minimum length, some a maximum. Some require certain characters, others refuse them because their system can't handle it. I always have to adjust the parameters of my randomly generated strong password for each site.
I don't know if our password has such requirements, but with over 10-year-old SMF software, what more could you expect? 😉
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
September 15, 2022, 02:41:02 AM
#14
We are already in a problem with the Secret Question feature; now you are giving us another problem for this security problem 🤣
The problem with secret questions is that the answers aren't very secret. Many passwords (like "123456") have the same problem. Using 12 words instead of a password would already be better, but I bet then some people would use their Electrum seed phrase on different websites.

Isn't it annoying every website has their own password requirements? Some have a minimum length, some a maximum. Some require certain characters, others refuse them because their system can't handle it. I always have to adjust the parameters of my randomly generated strong password for each site.
One common thing is that many websites try to educate users on password security. That shouldn't be necessary, it should be common sense by now. Why don't they teach this in school? Probably because the teacher uses a simple password too.
And the end result of many people being unable to keep a strong password secure, is that many sites introduce unsafe recovery options. A secret question adds an attack vector, a second email address adds one, and SMS password recovery adds another attack vector too. On top of that, the login on many websites gets more and more annoying: password, email verification, captcha, SMS verification, and more. They keep adding more hoops to jump through.
It gets even more annoying if my bank demands I change the password every 6 months. Many people use a few different passwords that they rotate, and after every change they try every password they know, thereby basically compromising all of them!
TL;DR: people should take their own responsibility and keep their passwords secure.
I'll end my rant now Smiley
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
September 14, 2022, 09:34:42 PM
#13
Since it was quickly implemented, adding it was fairly simple. I have actually seen a lot of them; many users support the majority of the good features that have been suggested for the forum. However, it's possible that they won't be considered essential moving forward or that they could damage the forum's software/user interface if they are added. The implementation of new software may necessitate numerous debates and observations, but I believe that this will allow for a larger range of suggestions of the later effect.

Literally any update to any software has a chance of wrecking the platform; it's not something unique to Bitcointalk or the SMF software. Theymos just simply seems to not want to put much effort into upgrading Bitcointalk anymore. (I don't like it, but I really can't blame him, as Bitcointalk is working fine as it is.)
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
September 14, 2022, 05:52:51 PM
#12
The forum must have undergone a significant change when the merit system was added. Additionally, this reduced spam posting and improved the forum experience for users. Not until the latest introduction of the "OP" concept. More ideas, in my opinion, should be welcomed; who knows which one he'll decide to include in the near future.

Take a deeper look at older threads concerning forum feature ideas. If I remember correctly, I've seen a good number of decent ideas, but they'd require a good amount of development time to implement, hence why they're just left to rot. I assume this (OP) thing was easy (and good) enough to implement immediately.

Yeah, it was simple to implement because Op attached the script to his request, so theymos could simply copy and paste it. If only other requests came with scripts, perhaps they would be implemented as well. Theymos has already stated that he only implemented it because the script was already there and he did not want to spend time writing those.

Perhaps the Nigerian local board requests should include a script so that theymos can implement it. Who knows  Grin
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
September 14, 2022, 12:56:39 PM
#11
We are already in a problem with the Secret Question feature; now you are giving us another problem for this security problem 🤣
The recent idea that worked was developed by the person who proposed the change. I am not sure if this can be done in your case. If you can, then Theymos will just add the code, maybe LOL

Anyway, I think staking a bitcoin address, already mentioned by user TheBeardedBaby, is working fine. It used to take a long time to recover an account, but since the recovery team was introduced in the forum it's quicker. At least I can vouch for it from my own experience.
hero member
Activity: 994
Merit: 1089
September 14, 2022, 12:05:22 PM
#10
However, it's possible that they won't be considered essential moving forward or that they could damage the forum's software/ user interface if they are added. The implementation of new software may necessitate numerous debates and observations, but I believe that this will allow for a larger range of suggestions of the later effect.
I noticed members have more optimism that their suggestions and ideas can be implemented after the OP thing was; I am not as optimistic as they are. I feel most suggestions will still meet a huge brick wall, and it is not because it could damage the forum's software or interface; Theymos doesn't see most of them as being necessary. The new forum software may necessitate many things, but first let it be released before we talk any more about it Roll Eyes.
hero member
Activity: 1008
Merit: 702
September 14, 2022, 11:51:24 AM
#9
Take a deeper look at older threads concerning forum feature ideas. If I remember correctly, I've seen a good number of decent ideas, but they'd require a good amount of development time to implement, hence why they're just left to rot. I assume this (OP) thing was easy (and good) enough to implement immediately.

Since it was quickly implemented, adding it was fairly simple. I have actually seen a lot of them; many users support the majority of the good features that have been suggested for the forum. However, it's possible that they won't be considered essential moving forward or that they could damage the forum's software/user interface if they are added. The implementation of new software may necessitate numerous debates and observations, but I believe that this will allow for a larger range of suggestions of the later effect.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
September 14, 2022, 11:31:54 AM
#8
The forum must have undergone a significant change when the merit system was added. Additionally, this reduced spam posting and improved the forum experience for users. Not until the latest introduction of the "OP" concept. More ideas, in my opinion, should be welcomed; who knows which one he'll decide to include in the near future.

Take a deeper look at older threads concerning forum feature ideas. If I remember correctly, I've seen a good number of decent ideas, but they'd require a good amount of development time to implement, hence why they're just left to rot. I assume this (OP) thing was easy (and good) enough to implement immediately.
hero member
Activity: 1008
Merit: 702
September 14, 2022, 11:16:20 AM
#7
Not exactly a true statement.
Theymos just made forum changes adding OP next to the member who started a topic Smiley

Yea, and as far as I know this (OP) thing was the biggest update we've had on Bitcointalk after the (very important) merit system (and the April fools updates). Saying "rarely" is a total understatement lol.

The forum must have undergone a significant change when the merit system was added. Additionally, this reduced spam posting and improved the forum experience for users. Not until the latest introduction of the "OP" concept. More ideas, in my opinion, should be welcomed; who knows which one he'll decide to include in the near future.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
September 14, 2022, 08:06:15 AM
#6
Not exactly a true statement.
Theymos just made forum changes adding OP next to the member who started a topic Smiley

Yea, and as far as I know this (OP) thing was the biggest update we've had on Bitcointalk after the (very important) merit system (and the April fools updates). Saying "rarely" is a total understatement lol.
copper member
Activity: 2114
Merit: 1814
฿itcoin for all, All for ฿itcoin.
September 13, 2022, 04:48:46 PM
#5
Why does BTT not use the same idea? I think that update is based on BIP39, and the forum is originally about Bitcoin. Is developing such a recovery method difficult, or did I miss something?
The same reason 2FA has not been implemented in this current forum software despite so many requests from some members. So this might just be one of those ignored suggestions

What you missed is that theymos rarely adds new features to the current forum software (SMF)
Not exactly a true statement.
Theymos just made forum changes adding OP next to the member who started a topic Smiley
The key word being rarely  Wink
legendary
Activity: 2212
Merit: 7064
September 13, 2022, 01:49:02 PM
#4
Why does BTT not use the same idea? I think that update is based on BIP39, and the forum is originally about Bitcoin. Is developing such a recovery method difficult, or did I miss something?
I don't see how that would be useful for the bitcointalk forum, since there is no automated recovery process here, and it can be used for hacking accounts, because many people don't keep seed words correctly offline.
It's much better to add optional 2FA support for better account security.

What you missed is that theymos rarely adds new features to the current forum software (SMF)
Not exactly a true statement.
Theymos just made forum changes adding OP next to the member who started a topic Smiley
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
September 13, 2022, 05:46:06 AM
#3
Protonmail's recovery phrase is meant to decrypt your existing emails, which is something you can't do when restoring your account from another email address.
For Bitcointalk, I don't think that's a good idea. All it does is create another angle of attack: someone will store their recovery words in their email and still lose access to their account.

It's much better to set up your own system that ensures you won't lose any of your passwords Smiley
legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
September 13, 2022, 03:47:59 AM
#2
A while ago, ProtonMail launched a recovery phrase. If you've enabled your recovery phrase, you'll be able to
Enter your 12-word phrase to reset your password

https://proton.me/support/set-account-recovery-methods

Why does BTT not use the same idea? I think that update is based on BIP39, and the forum is originally about Bitcoin. Is developing such a recovery method difficult, or did I miss something?

We stake an address and then sign message from that address if needed, it's basically the same but it's not automated and not mandatory.
legendary
Activity: 1596
Merit: 1288
September 13, 2022, 03:29:41 AM
#1
A while ago, ProtonMail launched a recovery phrase. If you've enabled your recovery phrase, you'll be able to
Enter your 12-word phrase to reset your password

https://proton.me/support/set-account-recovery-methods

Why does BTT not use the same idea? I think that update is based on BIP39, and the forum is originally about Bitcoin. Is developing such a recovery method difficult, or did I miss something?