
Topic: What's your take on adding a 2FA key as a Bitcointalk account security feature? (Read 633 times)

full member
Activity: 896
Merit: 193
web developer for hire
Concerning the CAPTCHA challenges normally encountered while trying to log in with the Tor browser or a VPN, the link below is a captcha bypass created by theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha. You may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.
They should've known it's designed for personal login to escape the captcha in a safe way, but not every user knows how it works. He should've taken your advice to change his bypass code, because he's made it public info by mistake. It's still operational.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.
When users don't change browsers they won't notice the captcha. Some don't know a captcha bypass address is available. It won't be easy for hackers trying to force a login, but if they've posted the bypass code it's public info, so they've got to reset it.
full member
Activity: 504
Merit: 212
The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.
That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

It's safe to use a decent password for your account, but how many users log out of their account and log in again every time they use it? Most of them just log in and forget about it. So if someone uses a unique password, what will happen after a few months when he forgets it? He needs to reset it with his email. So if someone uses a short password and there is a 2FA feature he uses, no one will be able to access his account even if they know the password.
full member
Activity: 1092
Merit: 227
... I don't think theymos has the intention of implementing 2FA authentication in this forum anytime soon.
He is, and theymos already gave a thumbs up to what PowerGlove is creating [1]; it will be up anytime soon, actually. But let's wait until theymos implements it successfully, because merging it into the current forum is a real pain.

[1] https://bitcointalksearch.org/topic/a-concise-2fatotp-implementation-smf-patch-5457330

PowerGlove seems to be making this into a reality soon. I think adding 2FA definitely has many advantages. It is one of its kind that can secure your identity for sure. I know that signing a message can be done effectively on this forum and it has already been done with staked bitcoin addresses; however, there is no harm at all in having additional security like this. If one address can be staked, then hundreds of them can be staked from different accounts too. I think there are loopholes to it for sure.

It's a frequent phenomenon that people lose their 2FA keys, and if it's a decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this happening here on Bitcointalk as well.

My idea is to leverage the combination of 2FA + staked BTC address to enhance the security of user accounts, by giving the user an option to recover 2FA keys with a staked Bitcoin address in case the user loses the 2FA key. While enabling 2FA, staking a Bitcoin address should be a must.

Also, the 2FA implementation shouldn't be based on a mobile number; mobile numbers are a weak link in many crypto attacks. Stick with an authenticator app, thank you!

This is also an excellent thought: having 2FA based on your cryptographic identification, maybe something related to your signed message only. This signed message can be synced up with the back-end algorithm that will verify it on a continuous basis and then verify the real identity of the account. This way both things can get verified, the address holder and the account holder, and it will have amazing security too.
hero member
Activity: 2520
Merit: 952
It's a frequent phenomenon that people lose their 2FA keys, and if it's a decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this happening here on Bitcointalk as well.

My idea is to leverage the combination of 2FA + staked BTC address to enhance the security of user accounts, by giving the user an option to recover 2FA keys with a staked Bitcoin address in case the user loses the 2FA key. While enabling 2FA, staking a Bitcoin address should be a must.

Also, the 2FA implementation shouldn't be based on a mobile number; mobile numbers are a weak link in many crypto attacks. Stick with an authenticator app, thank you!
hero member
Activity: 1386
Merit: 599
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google Authenticator option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back-door account password, which I believe can't be changed on here. But honestly, how effective is 2FA even? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
As much as I support you that this is of no need, since even hacked accounts can be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be less secure than using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.

You know what, you're right about the hacked accounts, but if it leads to your personal info being online and susceptible to being hacked somehow, what is the best way to remain completely anonymous with 2FA? Is there a way? Because to my understanding it has to be linked somehow to the original account owner. So as long as it's burner account info, I guess it's good. What is generally the best practice for discreet 2FA?
legendary
Activity: 1750
Merit: 1329
Top Crypto Casino
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.

There's a need for 2FA integration in the forum. just as PowerGlove has also suggested on the thread provided by un_rank, and many reputable members have also concurred with the idea because of the importance of more security features.

Imagine someone gaining access to your account and taking a non-collateral loan of $5,000, or maybe the person posts a malware link that results in your account being banned.

e.g. Someone Loan using My Account

With this issue I've been experiencing, I changed my password, set up 2FA with the security email connected, and make sure I always receive a notification via the Telegram bot and email. Also, one of LoyceV's recommendations is to check the IP address, so every time I visit the community I check the listed IP to see if it changed. Also, if possible, a restriction on deleting threads in the lending board could be included to prevent this from happening again.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.
That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.
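The exchange above argues two things: a leaked captcha-bypass code removes the per-attempt captcha cost for a brute-forcer, and a counter that re-arms the captcha after some number of bad passwords (1000 is the figure floated) would cap that. The block below is an added example, not forum code, of a login gate with exactly that behaviour, plus the keyspace arithmetic behind the "decent password at 1 guess per second" remark. The account store, the PBKDF2 iteration count and the threshold are constructed test values; a real deployment uses far more iterations.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Added example, not the forum's code: a personal captcha-bypass code skips
# the captcha only until the account has absorbed FAIL_THRESHOLD consecutive
# bad passwords; after that the captcha is demanded again.  Constructed
# test values throughout (threshold from the post, low PBKDF2 rounds for speed).

FAIL_THRESHOLD = 1000
PBKDF2_ROUNDS = 1000        # deliberately low for the simulation below


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


class LoginGate:
    def __init__(self, accounts: dict, threshold: int = FAIL_THRESHOLD):
        self.accounts = accounts
        self.threshold = threshold
        self.failures = defaultdict(int)     # consecutive bad passwords per account
        # Hashing a dummy record for unknown users keeps response time the
        # same, so the gate doesn't leak which usernames exist.
        self._dummy = make_account(secrets.token_hex(16))

    def captcha_required(self, user: str, bypass_code_ok: bool) -> bool:
        # No valid bypass code: always solve the captcha.  Valid code: skip
        # it until this account has seen `threshold` failures in a row.
        return (not bypass_code_ok) or self.failures[user] >= self.threshold

    def attempt(self, user: str, password: str,
                bypass_code_ok: bool = False, captcha_solved: bool = False) -> str:
        if self.captcha_required(user, bypass_code_ok) and not captcha_solved:
            return "captcha_required"
        acct = self.accounts.get(user, self._dummy)
        ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"])
        if ok and user in self.accounts:
            self.failures[user] = 0          # a good login clears the counter
            return "ok"
        self.failures[user] += 1
        return "bad_password"


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 24 * 3600)


def simulate_leaked_bypass_code(gate: LoginGate, user: str, guesses: int) -> dict:
    """An attacker who found the victim's bypass code in a public post and
    hammers the login with random guesses; returns a tally of outcomes."""
    outcomes = defaultdict(int)
    for _ in range(guesses):
        outcomes[gate.attempt(user, secrets.token_urlsafe(8), bypass_code_ok=True)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    gate = LoginGate({"alice": make_account("correct horse battery staple")})
    print(simulate_leaked_bypass_code(gate, "alice", 1200))
    print(f"{years_to_exhaust(62, 20, 1.0):.3g} years for 20 random [A-Za-z0-9] at 1 guess/s")
    print(f"{years_to_exhaust(62, 8, 1.0):.3g} years for 8 such characters")
```

Note what the counter does and does not buy: it turns an unlimited captcha-free guessing channel into one that stops after the threshold, but it is the password's length that makes even the uncapped channel hopeless, which is why the post treats 1 guess per second against a decent password as a non-issue.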
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Concerning the CAPTCHA challenges normally encountered while trying to log in with the Tor browser or a VPN, the link below is a captcha bypass created by theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha. You may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.

Actually, let's make it more clear:

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

hero member
Activity: 896
Merit: 654
Leading Crypto Sports Betting & Casino Platform
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google Authenticator option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back-door account password, which I believe can't be changed on here. But honestly, how effective is 2FA even? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
As much as I support you that this is of no need, since even hacked accounts can be recovered if proper channels are followed, I will not support you that 2FA is not good.

It's a higher layer of security and can't be less secure than using only passwords. The only issue is that it can lead to more privacy compromise depending on what layer of 2FA they are adding.
hero member
Activity: 1386
Merit: 599
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google Authenticator option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back-door account password, which I believe can't be changed on here. But honestly, how effective is 2FA even? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Concerning the CAPTCHA challenges normally encountered while trying to log in with the Tor browser or a VPN, the link below is a captcha bypass created by theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha. You may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.
sr. member
Activity: 1386
Merit: 406
2FA is a very important security system when it comes to account security. While 2FA is an important security system, it can sometimes become a source of annoyance. To activate 2FA, an active Gmail account or a mobile number is usually required. When we go to log in to the account, a certain code will be sent to the mobile number or Gmail account with which we can log in to our account. 2FA may keep your account secure, but many times you won't be able to log into your account yourself after turning on this technology. Due to system problems, many times the OTP does not arrive on time while logging into the account with 2FA, which makes it a lot of trouble to log in to the account on time. Considering all these hassles, most members probably don't use the 2FA system on their accounts. If we can keep our Gmail account secret, then maybe we can keep our account safe from hackers.

If the Gmail account is kept safe, and even after the Gmail account is kept safe a hacker hacks the account, then maybe it is possible to recover the account through a special application.
sr. member
Activity: 1400
Merit: 420
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google Authenticator option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Such a topic has been created and discussed many times before. This forum is structured on a decentralized system and has security measures in place. If you are the real owner of an account, you will definitely get your account back no matter how many times it is hacked, and on the other hand, you should use a strong password for your own security. This is enough to keep this forum account secure, and that's why no security system like 2FA is used here.
sr. member
Activity: 658
Merit: 441
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the Tor browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
Using a strong password combination and avoiding logging in from someone else's computer or mobile are just a few ways of keeping your account safe. Adding another layer of security is a welcome development and I think we should go for it. With the incessant cases of stolen or hacked accounts, 2FA could be what the forum needs to curb account intrusion. But these questions have been raised over and over by some members, and from the look of things I doubt it's happening anytime soon.

Concerning the CAPTCHA challenges normally encountered while trying to log in with the Tor browser or a VPN, the link below is a captcha bypass created by theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will

I'm certain the sale of accounts would have been stopped dead in the water UNTIL or IF anyone were to work out how to rort the system (if at all).

Strong passwords only work in tandem with secure email addresses (I can't recall if an email is even required when signing up for the forum). Verifying emails along with 2FA would improve the security of accounts considerably, as would logging out after a maximum of 24 hours logged in.
hero member
Activity: 1834
Merit: 879
Rollbit.com ⚔️Crypto Futures
Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.

It's a dead end security feature.

The same for PGP/GPG keys which can likewise be ported.
@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will!?? Btw, I thought 2FA keys 🔑 can equally be sold with the accounts to avoid any detection once an account changes hands... but it's definitely going to be a feature that's better than PGP/GPG and wallet private keys, as a hacker will need the 2FA key and the password to get hold of an account... unless they get hold of the email address, looking at the design of how to reset one's 2FA with the SMF software.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~
Secondly, I never knew an active account could get hacked; since they are active, I was thinking hackers wouldn't bother barging into the account to break through, since the owner could quickly raise an alarm.

The activity of a BTT account does not mean that the person who hacks such an account cannot do damage using that account, because most people also have their private lives, which probably includes sleeping. If someone hacks you and you are not aware of it for 8+ hours, the hacker can use that time to request a loan or post malicious links or send threats to other members, all of which can result in you receiving a message that your account has been permanently banned. Of course, such a user will have the opportunity to prove that he was not behind all these actions, but sometimes that takes time.

For example, I remember that @LTU_btc was hacked, and also @BitcoinGirl.Club.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
So why don't we add a Google authentication option as a security feature to the forum?
This line of interest has been cropping up steadily lately and I like it. I'm in for 2FA on accounts here. Yes, I know many will allude to signing wallet messages to regain access, but those who do that should remember that signing a wallet message to prove account ownership has to do with a stolen or hacked account, and is not an antidote that prevents the account from getting hacked. That's what 2FA does: it strengthens accounts against being hacked.

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
This will be a very cumbersome thing to do. I don't like the idea of the wallet signed message just to log in as we know it could be a regular thing, especially for those who don't have the permanently logged in box ticked.
full member
Activity: 504
Merit: 212
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.

I want it as an optional feature. Some do not want to use it, while others may find it useful. As the internet transitions from web2 to web3, it is not a bad idea to have an option to use your bitcoin address to sign in to your Bitcointalk account. Though I am against it being a mandatory feature, I support it being an optional feature.

hero member
Activity: 1428
Merit: 653
Leading Crypto Sports Betting & Casino Platform
Oh no!
You mean you are that strong to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters. Though you are right, I don't see any reason to constantly change a password if someone has already chosen a solid one that could not be easily guessed by someone.

I believe that a password of 20 random characters is more than enough, in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.

However, I don't think an active account could have that slim a chance of getting hacked just like that; so far I have never witnessed an active account being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero and Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.

Thank you all, though.
Maybe I can increase my password strength; I never thought I would be able to exceed 12 random characters, and I'm also looking for a way to employ an additionally strong password. Although my chosen password is never that easy to break into, maybe I might change my password later or anytime soon to properly secure my account. Secondly, I never knew an active account could get hacked; since they are active, I was thinking hackers wouldn't bother barging into the account to break through, since the owner could quickly raise an alarm.