
Topic: Whats your take on adding 2FA key as a Bitcointalk account security features. - page 2. (Read 577 times)

full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
It shouldn't be mandatory because they increase risk rather than making it safer. I don't like being forced to change my password on a site I'm registered with. As long as I need their services I'll do it. If it's an option we're allowed to choose what we want, but forcing compliance isn't making users confident.

I have an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it
Forced password changes increase the risk instead of making it safer. See:
legendary
Activity: 1092
Merit: 1024
Hello Leo! You can still win.
A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.

This is a bitcoin forum and not a random website or forum. We all know that bitcoin came with some kind of cryptographic uniqueness, such as digital signatures. Even if your account is hacked, all you need to do is create a new account and complain in the forum. Then sign a message from the old account's address, and the account would be returned to the rightful owner.

We also know that not everyone has staked their address and not everyone knows how to sign messages. So, the 2FA alternative is not a bad one. It shouldn't be mandatory for all users.
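The proof of ownership the posts above rely on works like this, shown as an added example written for this page (not code from the forum, from Bitcoin Core, or from any poster): the member signs a challenge with the private key behind the address they staked, and anyone can recover the signing public key from the 65-byte compact signature and compare it with what was staked. The challenge text, the throwaway key and the function names are made up for the illustration. Bitcointalk compares the base58 address, which is SHA256 then RIPEMD-160 of this same public key wrapped in base58check; that last hashing step is left out here because RIPEMD-160 is not available in every Python build, so the example compares the compressed public key instead.

```python
# Added example, not Bitcointalk's or Bitcoin Core's code: the "signed message" proof of
# address ownership, implemented from scratch in pure Python. Toy-speed, non-constant-time
# arithmetic: fine for checking a forum post, not for a wallet.
import hashlib
import hmac
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r

def message_hash(msg: str) -> int:
    """double-SHA256 of the Bitcoin Core signmessage serialisation: 0x18 is the
    varint length of the fixed prefix, then the varint length of the message, then it."""
    body = msg.encode()
    if len(body) >= 0xFD:  # longer messages need a multi-byte varint; kept out of this example
        raise ValueError("message too long for this example")
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(body)]) + body
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def pubkey_bytes(Q, compressed=True) -> bytes:
    x, y = Q
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def sign_message(priv: int, msg: str) -> bytes:
    """Compact signature: header (27 + recovery id, +4 for a compressed key) || r || s."""
    z = message_hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1  # real wallets derive k deterministically (RFC 6979)
        R = _mul(k, G)
        r = R[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r == 0 or s == 0:
            continue
        recid = (R[1] & 1) | (2 if R[0] >= N else 0)
        if s > N // 2:  # low-s normalisation negates k, which flips the parity of R.y
            s, recid = N - s, recid ^ 1
        return bytes([31 + recid]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")

def recover_pubkey(sig: bytes, msg: str):
    """Return (Q, compressed) for the key that made sig over msg; ValueError if malformed."""
    if len(sig) != 65 or not 27 <= sig[0] <= 34:
        raise ValueError("malformed compact signature")
    recid, compressed = (sig[0] - 27) & 3, sig[0] >= 31
    r, s = int.from_bytes(sig[1:33], "big"), int.from_bytes(sig[33:], "big")
    if not (1 <= r < N and 1 <= s < N):
        raise ValueError("r or s out of range")
    x = r + (N if recid & 2 else 0)
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    if x >= P or y * y % P != y2:
        raise ValueError("r does not correspond to a curve point")
    if (y & 1) != (recid & 1):
        y = P - y
    rinv = pow(r, -1, N)
    # From s = k^-1 (z + r*d) and R = k*G:  Q = d*G = r^-1 (s*R - z*G)
    Q = _add(_mul(s * rinv % N, (x, y)), _mul(-message_hash(msg) * rinv % N, G))
    if Q is None:
        raise ValueError("recovered the point at infinity")
    return Q, compressed

def verify_ownership(staked_pubkey_hex: str, msg: str, sig: bytes) -> bool:
    """Accept the claim only if the key recovered from sig equals the staked one."""
    try:
        Q, compressed = recover_pubkey(sig, msg)
    except ValueError:
        return False
    return hmac.compare_digest(pubkey_bytes(Q, compressed).hex(), staked_pubkey_hex)
```

Two things the code makes visible that the thread only alludes to: the challenge must be fresh and specific (a signature over "I own this account" can be replayed by whoever bought the key along with the account, which is exactly the complaint raised later in the thread), and the verifier never needs the private key, so an admin can check a claim without being able to forge one.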
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I have an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it
Forced password changes increase the risk instead of making it safer. See:
Changing password and email occasionally has always been a good security practice; what changed now?
People realized it was stupid in the first place

Read the NCSC:
Regular password expiry is a common requirement in many security policies. However, in the Password Guidance published in 2015, we explicitly advised against it. This article explains why we made this (for many) unexpected recommendation, and why we think it’s the right way forward.

Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password. The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.

The problem is that this doesn’t take into account the inconvenience to users - the ‘usability costs’ - of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.

To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.

Attackers can exploit this weakness.

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.

Or PCMag: Stop Changing Your (Strong, Unique) Passwords So Much.
full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign messages if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.
Feature changes must be optional or else users will be upset. There shouldn't be mandatory requirements for signing wallets as part of 2FA. It's impossible to make a Bitcoin wallet signing feature. If 2FA becomes an optional feature it's giving choices to users.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.
I have an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it using special characters I don't usually use. I'll have to paste it because I won't remember it. If it's optional it allows users to make up their own minds.
legendary
Activity: 3332
Merit: 6809
Cashback 15%
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign messages if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.
legendary
Activity: 2954
Merit: 1159
It is best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea.

Why would the private key of our wallet be compromised unless we do not follow best practices for safeguarding the private keys?

Also, as you said, the private keys can be lost; well, if anyone is unable to keep his private key safe, then he shouldn't be here.
That's the most basic thing: you should not lose the private key of your wallet under any circumstances. You should have 2 copies of the private keys stored at two different locations.

Once you have your private key with you, you can always prove the ownership of your bitcointalk account by signing a message with it.
full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
When we're regularly being told to change passwords it means we won't be able to memorise any of them. You're getting used to one password and it's time to update, so it's copy-paste. If a keylogger has infiltrated your system you'll have another problem to fix. I'd say it's counterproductive, because memorising one long safe password is safer for me than regularly changing it.

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is a modification that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication
I don't think we need to add this; it's an additional workload for the server and we have the best option to recover the account, which is staking our address. The user will be more careful with their private keys than with their 2FA application on their cellphone, backup codes or password.


I know of several cases of active members who were hacked (even Hero & Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.

It is best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea.
legendary
Activity: 3192
Merit: 1198
Bons.io Telegram Casino

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is a modification that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication
I don't think we need to add this; it's an additional workload for the server and we have the best option to recover the account, which is staking our address. The user will be more careful with their private keys than with their 2FA application on their cellphone, backup codes or password.


I know of several cases of active members who were hacked (even Hero & Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Oh no!
You mean you are that strong as to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.


I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.



However, I don't think an active account could have that slim chance of getting hacked just like that; so far I have never witnessed an active account being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero & Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
legendary
Activity: 2030
Merit: 2174
Professional Community manager
It's not working - some account sellers have pulled the rug after the sale to claim back the UID.  It's happened in the past.
Can you give an instance of when this has happened? That is the original owner trying to claim back their account which they staked an address on and the hacker still winning ownership of the said account despite not having access to the Bitcoin address used to sign a message.

I've been here a short while and cannot remember a single scenario where this happened.

2FA would have prevented a great many people from having been scammed over the years.
2FA and signing a message are not mutually exclusive. We can comfortably have both as recovery features to protect accounts.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the Tor browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
No matter what the situation is, either there's 2FA in the forum, which is good to increase your account's security, or no 2FA for the forum account. If 2FA is implemented then it is up to the forum member to enable 2FA on their account or not enable it at all. The captcha helps prevent bots from accessing the forum and I don't see any problem with it being annoying, since you only have to complete it if you have logged out of your account, and the forum has a bypass for the captcha if you ask me.
legendary
Activity: 3668
Merit: 2218
💲🏎️💨🚓
Signing a message became meaningless many years ago when it was uncovered that accounts were being sold WITH the corresponding private key to a wallet address that had been staked.
2FA isn't meant to stop account sales, it's meant to stop accounts from getting compromised.

It's not working - some account sellers have pulled the rug after the sale to claim back the UID.  It's happened in the past.

2FA would have prevented a great many people from having been scammed over the years.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, because it's way too difficult to remember; you will end up resetting your password again lmao.

Also you will always be reliant on copy-pasting the exact password since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters, which is very hard to memorize.

I'm always skipping it because I will be reliant on my phone to access my account, which will give me a problem later on once my phone gets broken.

I think most phones now have these features. Even when you are going to sign up for a website, sometimes Google suggests a random password that contains mostly symbols and numbers. Many people nowadays use KeePass to keep their passwords safe so that they do not need to remember them at their next log-in. This is the easy way, but sometimes these third-party services show vulnerabilities.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.
You can use the secret question for additional account protection, but even in the explanations in the profile it is written that the use of this feature is not recommended.

Staking a bitcoin address on the forum looks safer by comparison if all precautions are taken to protect access to this wallet address (from which, if necessary, you can confirm your ownership of the account using a signed transaction).

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Most likely, this 2FA key implementation is opposed by the administration of this forum, and perhaps that is even better, because they are aiming to ensure maximum account security.


Bonus question.
Do I understand correctly that if the forum administration can recover the password to a stolen account (after the owner confirms his ownership), then, in principle, they can gain access to any account? Or does it work differently?
hero member
Activity: 2562
Merit: 659
Dimon6969
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, because it's way too difficult to remember; you will end up resetting your password again lmao.

Also you will always be reliant on copy-pasting the exact password since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters, which is very hard to memorize.

I'm always skipping it because I will be reliant on my phone to access my account, which will give me a problem later on once my phone gets broken.
hero member
Activity: 1428
Merit: 836
Top Crypto Casino
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, because it's way too difficult to remember; you will end up resetting your password again lmao.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I'm quite sure that within a few months theymos will implement the 2FA patch that PowerGlove shared via his post. I have read almost every comment on that thread and I have seen that theymos also gave merits to that post of PowerGlove's, which shows that he's interested in implementing that feature on the forum. The only reason he might be delaying it could be the issue of slowdown, or maybe he's still busy these days with some other projects.

I don't think that Google Authenticator would be a good choice for 2FA on the forum. We can search for open-source solutions instead that would allow us to complete the 2FA. We can also go with the open-source app named "AuthPass", as that one can be more reliable for us. There are many such open-source 2FA solutions that we can choose from, and some of them are cross-platform supported as well.
hero member
Activity: 1428
Merit: 653
Always Act Smart and Play Safe With Your Funds
To protect and increase your account security, regularly changing passwords can also help to improve your account safety.
~snip~

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.

Oh no!
You mean you are that strong as to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else. However, I don't think an active account could have that slim chance of getting hacked just like that; so far I have never witnessed an active account being stolen from the original owner.
sr. member
Activity: 420
Merit: 263
Eloncoin.org - Mars, here we come!
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the Tor browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.