Topic: Secret Question issue: theymos, consider hassle to recover locked account (Read 163 times)

copper member
Activity: 630
Merit: 420
We are Bitcoin!
Bill, the forum is not perfect. I accept it. I hope you do as well (there is nothing bad in not being perfect). What we are doing is trying to improve our experience of the forum. You, me, everyone who cares about the forum, we are all doing the same. It's theymos's and the other admins' job to choose what to do and what not to, coz they know better than you and me what exactly needs to be done for the forum. They are the ultimate deciders.

I see the fears and I share them with you guys. The security question has been proven to be a security flaw and so most people do not even have one set, from what I understand. I think it is goofy that it operates the way it does, too. I wish that it was fixed as much as the next user, because it's like a booby-trap to lock someone out of their own account. I imagine that with the new forum software being developed this will be a problem of the past.
Let's say I agree with you. Most don't even set one, but the few (including me) who do set one, I guess they are the most serious BitcoinTalk users, right? Most maybe do not care much, so they don't look for any security. Don't we need to think about those few serious BitcoinTalk users in this case?

1.
It should not require dealing with a bunch of code. On the front-panel side, a small HTML change can stop users from entering a Secret Question.

Code:
The standard one

Code:
With disabled attribute.

Look closely at the difference. Just adding a disabled attribute in the HTML will not allow users to set a secret question.

2.
On the password reminder page, just delete the HTML checkbox that stands for "ask me my question".

These should not be harder than unlocking a lot of locked accounts for the Secret Question issue. Plus the amount of hassle the members go through recovering a locked account, I guess.


legendary
Activity: 1372
Merit: 1123
This forum is full of information but not organised, for sure. There is a lot of information I have not even encountered.

How do you propose we organize this ocean of information? It is not meant to be perfectly organized, it is a forum and it operates as such. Any improvements are probably going to be seriously considered, and theymos would love to hear them. The information that you and I have not encountered can be accessed through the "Search" function. If you are asking for a re-cap of everything that's ever happened on the forum, good luck with that. There is not a single soul that is aware of everything going on here, or all of the information being presented. Indeed, I have forgotten more information that I've read here than I can remember. There is no "perfect" system to organize millions of people's thoughts and discussions.

You can not expect someone to know everything about everything. This forum is an ocean mate.

You must misunderstand me. I am not saying that someone is expected to know "everything about everything", but I am suggesting that people should spend a few minutes researching what should be high-priority issues. A very high-priority issue would include things like Account Security, Bitcoin Security, Rules, Guidelines, How Bitcoin Works, etc.

You see the fears bill?
Please bill please... Thank you for understanding.

I see the fears and I share them with you guys. The security question has been proven to be a security flaw and so most people do not even have one set, from what I understand. I think it is goofy that it operates the way it does, too. I wish that it was fixed as much as the next user, because it's like a booby-trap to lock someone out of their own account. I imagine that with the new forum software being developed this will be a problem of the past.

I simply say it will be pushed aside, because it has been discussed to death and the result is where we are now. It's not an unreasonable thing to discuss, but it has already been done and I see nothing new being presented at this point.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
-snip-
The secret question is usually the last thing that people will resort to when they have lost their password. With an email, you can retrieve the password through a simple reset. When a user doesn't have an email/loses their email wouldn't it make sense to lock an account for verification if they reset using the secret question?

Especially considering the fact that the answer is usually far less secure than passwords.

Of course not. I do not know how the SMF reset function works, but the standard reset procedure should be....
...When the secret answer matches the user's input, then send a reset link or a new pass to the registered email.

However, I understand the issue here. Since we do not need to verify an email at the time of registration, it's complicated.


~~
Bill, I said IMO. Please, please don't throw out arguments out of nowhere. Please do not blame me, saying...
If anyone has disabled this function successfully, please let me know, I'm not willing to try myself.

I was considering disabling the secret question option if and when my regular account is unlocked, but afraid to touch it as well.

Please bill please... Thank you for understanding.
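The reset procedure proposed in the post above (a matching secret answer only mails a reset link to the registered address), sketched as an added example. It is not SMF's or the forum's code; the `Account` class, the function names, the one-hour link lifetime and the manual-review fallback for unverified addresses are assumptions.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 3600  # seconds a mailed reset link stays valid (assumed value)

def hash_answer(answer, salt):
    # Normalise case and spacing so "Blue Heron" and " blue  heron" match.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

class Account:  # hypothetical record, not SMF's schema
    def __init__(self, name, email, answer, email_verified=True):
        self.name, self.email = name, email
        self.email_verified = email_verified
        self.salt = secrets.token_bytes(16)
        self.answer_hash = hash_answer(answer, self.salt)
        self.reset_hash = None   # only a hash of the mailed token is stored
        self.reset_expiry = 0.0

def request_reset(acct, answer, outbox, now=None):
    """A correct answer never changes the password; it only mails a link."""
    now = time.time() if now is None else now
    supplied = hash_answer(answer, acct.salt)
    if not hmac.compare_digest(supplied, acct.answer_hash):
        return "rejected"
    if not acct.email_verified:
        # The complication raised in the post: the address was never verified,
        # so mailing a link proves nothing. Fall back to staff review (assumed).
        return "manual-review"
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expiry = now + RESET_TTL
    outbox.append((acct.email, token))  # stand-in for sending the e-mail
    return "mailed"

def redeem(acct, token, now=None):
    """True once per valid, unexpired token; the caller may then set a password."""
    now = time.time() if now is None else now
    if acct.reset_hash is None or now > acct.reset_expiry:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.reset_hash):
        return False
    acct.reset_hash = None  # single use
    return True
```

Knowing the answer alone is not enough to take over the account here: the requester must also control the registered mailbox.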
newbie
Activity: 35
Merit: 0
That is a good question... when my normal account got locked yesterday, I was resetting my password and just did the secret question since it popped up there, I wasn't even thinking.  (I have an unlock thread also, just waiting for theymos to help).

I was considering disabling the secret question option if and when my regular account is unlocked, but afraid to touch it as well.
legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
When I registered, I knew nothing about the forum and I had this option enabled. Now I'm wondering what will happen if I try to remove it, maybe lock my account, but for now I'm not touching it.
If anyone has disabled this function successfully, please let me know, I'm not willing to try myself.
legendary
Activity: 1372
Merit: 1123
- My suggestion (no pressure) is why not then remove the secret question feature from the profile setting page? This will help to save unnecessary locks.

Your suggestion will almost certainly be pushed aside and forgotten about. Secret questions have done more good than harm when it comes to protecting and recovering accounts. You talk about how much you hate to see how long it takes for people to recover their accounts, but this length of time will only increase if there is no "Secret Question". I'm a little uninformed on this issue, in the sense that I don't know if the Secret Question works at all. I've just avoided it like the plague since a few years back when all the hubbub around it happened.

A fairly advanced user like me will do it always.
It really is frustrating to see people trying to recover their accounts for months and still being unsuccessful (some have really legit proof).
The forum is lacking an organised FAQ section IMO.

You believe that it is a fairly advanced user that doesn't read stickies or educate themselves on the security of their accounts?
The forum is not lacking in FAQ, because there are stickies in almost every single section that effectively act as such.
copper member
Activity: 2562
Merit: 2510
Spear the bees
-snip-
The secret question is usually the last thing that people will resort to when they have lost their password. With an email, you can retrieve the password through a simple reset. When a user doesn't have an email/loses their email wouldn't it make sense to lock an account for verification if they reset using the secret question?

Especially considering the fact that the answer is usually far less secure than passwords.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
This is what I learnt today (lucky that it caught my eyes)...
Just to make it clear for the OP, a normal password & email change doesn't lead to this but instead "recovering the account using the secret question, is its cause".
I was about to reply to the post, then I thought to create this new topic so that I can get the attention of theymos and also help a few readers know to be careful about using the secret question feature.

If you haven't lost your password yet or you have regained access to the account, don't set the secret question, it can be a hassle. Make sure that you have the email set to an email address that you can access. That will make everything so much easier and will not require the long recovery process.
- My suggestion (no pressure) is why not then remove the secret question feature from the profile setting page? This will help to save unnecessary locks.

i.e.: To secure my account, when I joined I did set my secret question. A fairly advanced user like me will always do it. But after seeing this post I am feeling lucky now that I will never touch the secret question section. There are/will be many members who are not/will not be aware of this and they will be locked out easily. The way I see account hacking and locking happening, I wonder what I would do if mine got hacked. It really is frustrating to see people trying to recover their accounts for months and still being unsuccessful (some have really legit proof).

The forum is lacking an organised FAQ section IMO.

EDIT:
Please advise how I remove the secret question, since I have already set one up.