
Topic: Whats your take on adding 2FA key as a Bitcointalk account security features. (Read 583 times)

full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
Concerning the CAPTCHA challenges normally encountered while trying to log in with the TOR browser or a VPN, the link below is a captcha bypass created by Theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha - you may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.
They should've known it's designed for personal login to escape the captcha in a safe way, but not every user knows how it works. He should've taken your advice to change his bypass code because he's made it public info by mistake. It's still operational.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.
When users don't change browsers they won't notice the captcha. Some don't know that a captcha bypass address is available. It won't be easy for hackers trying to force a login, but if they've posted the bypass code it's public info, so they've got to reset it.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.
That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.

It's safe to use a decent password for your account, but how many users log out of their account and log in again every time they use it? Most of them just log in and forget about it. So if someone uses a unique logged password, what will happen after a few months when he forgets his password? He needs to reset it with his mail. So if someone uses a short password and there is a 2FA feature he uses, no one will be able to access his account even if they know the password.
full member
Activity: 1092
Merit: 227
... I don't think Theymos has the intention of implementing 2FA authentication in this forum anytime soon.
He is, and theymos has already given a thumbs up to what PowerGlove is creating[1]; it will be up anytime soon actually. But let's wait until theymos implements it successfully, because merging it into the current forum is a pain in the ass.

[1] https://bitcointalksearch.org/topic/a-concise-2fatotp-implementation-smf-patch-5457330

PowerGlove seems to be making this into a reality soon. I think adding 2FA definitely has many advantages. It is one of its kind that can secure your identity for sure. I know that signing a message can be done effectively on this forum and it has already been done with staked bitcoin addresses; however, there is no harm at all in having additional security like this. If one address can be staked then hundreds of them can be staked from different accounts too. I think there are loopholes to it for sure.
 
It's a frequent phenomenon that people lose their 2FA keys, and if it's a decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this happening here on bitcointalk as well.

My idea is to leverage the combination of 2FA + staked BTC address to enhance the security of user accounts, by giving the user an option to recover the 2FA keys with the staked Bitcoin address in case the user loses the 2FA key. While enabling 2FA, staking a Bitcoin address should be a must.

Also, the 2FA implementation shouldn't be based on mobile numbers; mobile numbers are a weak link in many crypto attacks. Stick with an authenticator app, thank you!

This is also an excellent thought: having 2FA based on your cryptographic identification. Maybe something related to your signed message only. This signed message can be synced up with the back-end algorithm that will verify it on a continuous basis and then verify the real identity of the account. This way both things can get verified, the address holder and the account holder, and it will have amazing security too.
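For readers who have not opened the TOTP patch linked above: the "authenticator app" style of 2FA that the posts above argue for is RFC 6238 TOTP, which is RFC 4226 HOTP with a counter derived from the clock. The following is an added, self-contained Python example written for this thread; it is not PowerGlove's SMF patch and not forum code. `TotpAuthenticator`, `new_secret` and `provisioning_uri` are hypothetical names chosen here, and the demo secret is the RFC 4226/6238 reference secret, used only so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Fresh Base32 secret in the form an authenticator app expects for manual
    entry (hypothetical helper; 20 bytes is the RFC 4226 recommended minimum)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(b32_secret: str, account: str, issuer: str) -> str:
    """otpauth:// key URI as understood by common authenticator apps (the QR payload)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32_secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpAuthenticator:
    """Server-side verifier for one enrolled account (hypothetical name, not SMF code).

    Two details matter in practice and are handled here:
    - clock drift: codes from +/- `window` steps are accepted;
    - replay: a step whose code has already been accepted is never accepted again,
      so a code seen once cannot be submitted a second time inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.strip()
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == self.digits):
            return False
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0 or counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison so timing does not leak matching prefixes
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo with the RFC 4226/6238 reference secret (ASCII "12345678901234567890").
    ref = b"12345678901234567890"
    print(hotp(ref, 0), totp(ref, 59, digits=8))  # RFC vectors: 755224 94287082
    print(provisioning_uri(base64.b32encode(ref).decode(), "alice", "Example Forum"))
```

The replay check is the part that most home-grown TOTP verifiers omit: accepting a code, then accepting the same code again a few seconds later, turns a one-time code into a reusable one for the length of the drift window. The `last_counter` value has to be stored with the account, not in memory, so it survives restarts.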
hero member
Activity: 2520
Merit: 952
It's a frequent phenomenon that people lose their 2FA keys, and if it's a decentralized app there is no recovery option available and they get locked out. If 2FA gets implemented, we all should be aware of the possibility of this happening here on bitcointalk as well.

My idea is to leverage the combination of 2FA + staked BTC address to enhance the security of user accounts, by giving the user an option to recover the 2FA keys with the staked Bitcoin address in case the user loses the 2FA key. While enabling 2FA, staking a Bitcoin address should be a must.

Also, the 2FA implementation shouldn't be based on mobile numbers; mobile numbers are a weak link in many crypto attacks. Stick with an authenticator app, thank you!
hero member
Activity: 1098
Merit: 534
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password, which I believe can't be changed on here. But honestly, how effective even is 2FA? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
As much as I support you that this is of no need (even hacked accounts can be recovered if proper channels are followed), I will not support you that 2FA is not good.

It's a higher layer of security and can't be less secure than using only passwords. The only issue is that it can lead to more privacy compromise, depending on what layer of 2FA they are adding.

You know what, you're right about the hacked accounts, but if it leads to your personal info being online and susceptible to being hacked somehow, what is the best way to remain completely anonymous with 2FA? Is there a way? Because to my understanding it has to be linked somehow to the original account owner. So as long as it's burner account info I guess it's good. What is generally the best practice for discreet 2FA?
legendary
Activity: 1498
Merit: 974
Top Crypto Casino
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.

There's a need for 2FA integration in the forum, just as PowerGlove has also suggested on the thread provided by un_rank, and many reputable members have also concurred with the idea because of the importance of more security features.

Imagine someone gaining access to your account and taking a non-collateral loan of $5,000, or maybe the person posts a malware link that results in your account being banned.

e.g. Someone Loan using My Account

With this issue I've been experiencing, I changed my password, set up 2FA with the security email connected, and make sure I always receive a notification with the Telegram bot and email. Also, one of LoyceV's recommendations is to check the IP address, so every time I visit the community I check the listed IP to see if it has changed. Also, if possible, a restriction on deleting threads in the lending board should be included to prevent this from happening again.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.
That doesn't make it "easy" to brute-force your password, if you use any decent password they'll never be able to guess it (at 1 guess per second).
Besides, I'm kinda hoping theymos added some additional rate limit to the captcha bypass link: it would be good to show a captcha again after entering, say, 1000 incorrect passwords.
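To make the rate-limit suggestion concrete (a captcha shown again after, say, 1000 incorrect passwords, as raised in this post and in the reply quoting it earlier in the thread), here is an added Python sketch of a per-account login throttle. It is example code written for this thread, not how bitcointalk's login or the bypass link actually works; `LoginThrottle` and `first_captcha_attempt` are hypothetical names, and the threshold, window and account name are constructed values.

```python
from collections import deque


class LoginThrottle:
    """Per-account failed-login counter that re-arms the captcha after a threshold.

    Hypothetical design, not the forum's real implementation. Counting is keyed on
    the account name, so a captcha-bypass link bound to one account does not grant
    an unlimited number of password guesses against it: after `captcha_after`
    failures within `window_seconds`, every further attempt must carry a solved
    captcha, and that check happens before the password is compared at all.
    """

    def __init__(self, captcha_after: int = 1000, window_seconds: int = 24 * 3600):
        self.captcha_after = captcha_after
        self.window = window_seconds
        self._failures = {}  # account -> deque of failure timestamps (oldest first)

    def _recent_failures(self, account: str, now: float) -> deque:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def captcha_required(self, account: str, now: float) -> bool:
        return len(self._recent_failures(account, now)) >= self.captcha_after

    def attempt_login(self, account: str, password_ok: bool,
                      captcha_solved: bool, now: float) -> str:
        """Returns 'ok', 'bad_password' or 'captcha_required'."""
        if self.captcha_required(account, now) and not captcha_solved:
            # Refuse without looking at the password, so a throttled account
            # cannot be used as a password oracle once the limit is reached.
            return "captcha_required"
        if password_ok:
            self._failures.pop(account, None)  # a successful login clears the counter
            return "ok"
        self._recent_failures(account, now).append(now)
        return "bad_password"


def first_captcha_attempt(captcha_after: int = 1000, max_guesses: int = 1200,
                          rate_per_sec: float = 1.0):
    """Constructed simulation: wrong passwords arriving at `rate_per_sec` against
    one account. Returns the attempt number at which the captcha is first demanded,
    or None if `max_guesses` attempts never reach the threshold."""
    throttle = LoginThrottle(captcha_after=captcha_after)
    for n in range(1, max_guesses + 1):
        now = n / rate_per_sec
        if throttle.attempt_login("alice", False, False, now) == "captcha_required":
            return n
    return None


if __name__ == "__main__":
    # With the 1000-failure threshold from the post: the 1001st wrong guess is
    # the first one that gets a captcha instead of a password check.
    print(first_captcha_attempt())  # 1001
```

Keying the counter on the account rather than the client address is the relevant design choice here: the bypass link is per account, and the point of the suggestion is that guesses against one account should become expensive regardless of where they come from. A production version would persist the counter in the database and also keep a separate per-address counter, but the ordering of the checks (captcha state first, password second) is the part that matters for not leaking anything to a throttled client.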
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Concerning the CAPTCHA challenges normally encountered while trying to log in with the TOR browser or a VPN, the link below is a captcha bypass created by Theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha - you may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.

Actually, let's make it more clear:

The Captcha bypass code lets everybody, well, bypass the Captcha test, so it will be easy for bots to come in and try to brute-force your password because they won't need to solve captcha after each attempt.

Go to https://bitcointalk.org/captcha_code.php and click the Reset button to invalidate the captcha code and get a new one.

hero member
Activity: 644
Merit: 592
Leading Crypto Sports Betting & Casino Platform
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password, which I believe can't be changed on here. But honestly, how effective even is 2FA? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
As much as I support you that this is of no need (even hacked accounts can be recovered if proper channels are followed), I will not support you that 2FA is not good.

It's a higher layer of security and can't be less secure than using only passwords. The only issue is that it can lead to more privacy compromise, depending on what layer of 2FA they are adding.
hero member
Activity: 1098
Merit: 534
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I don't think there is any need here for this due to the back door account password, which I believe can't be changed on here. But honestly, how effective even is 2FA? There are still security flaws even with that, I suspect, but hey, it's better than nothing, right?
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Concerning the CAPTCHA challenges normally encountered while trying to log in with the TOR browser or a VPN, the link below is a captcha bypass created by Theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474

I think you'll find that's your own personal code to bypass the captcha - you may have to get a new one, as someone who can guess your password would be able to get in with the code you've cited.
sr. member
Activity: 1190
Merit: 296
2FA is a very important security system when it comes to account security. While 2FA is an important security system, it can sometimes become a source of annoyance. To activate 2FA, an active Gmail account or a mobile number is usually required. When we go to log in to the account, a certain code will be sent to the mobile number or Gmail with which we can log in to our account. 2FA may keep your account secure, but many times you won't be able to log into your account yourself after turning on this technology. Due to system problems, many times the OTP does not arrive on time while logging into the account with 2FA, which makes it a lot of trouble to log in to the account on time. Considering all these hassles, most members probably don't use the 2FA system on their accounts. If we can keep our Gmail secret, then maybe we can keep our account safe from hackers.

If the Gmail account is kept safe, and even after the Gmail account is kept safe a hacker hacks the account, then maybe it is possible to recover the account through a special application.
sr. member
Activity: 1260
Merit: 390
★Bitvest.io★ Play Plinko or Invest!
Bitcointalk is a well-known forum in the crypto industry, where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken over by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Such a topic has been created and discussed many times before. This forum is structured on a decentralized system and has security measures in place. If you are the real owner of an account, you will definitely get your account back no matter how many times it is hacked, and on the other hand, you should use a strong password for your own security. This is enough to keep this forum account secure. And that's why no security system like 2FA is used here.
sr. member
Activity: 588
Merit: 440
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
Using a strong password combination and avoiding using someone else's computer or mobile to log in are just a few ways of keeping your account safe. Adding another layer of security is a welcome development and I think we should go for it. With the incessant cases of stolen or hacked accounts, 2FA could be what the forum needs to curb account intrusion. But these questions have been raised over and over by some members and from the look of things I doubt if it's happening anytime soon.

Concerning the CAPTCHA challenges normally encountered while trying to log in with the TOR browser or a VPN, the link below is a captcha bypass created by Theymos; you can bookmark it.

https://bitcointalk.org/index.php?action=login;ccode=825c85192df41b90e474
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
@Timelord2067 are you implying 2FA will sort this problem of account sales, which I don't think it will

I'm certain the sale of accounts would have been stopped dead in the water UNTIL or IF anyone were to work out how to rought the system (if at all).

Strong passwords only work in tandem with secure email addresses (I can't recall if an email is even required when signing up for the forum) - verifying emails along with 2FA would improve the security of accounts considerably, as would logging out after a maximum of 24 hours logged in.
hero member
Activity: 1834
Merit: 879
Rollbit.com ⚔️Crypto Futures
Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.

It's a dead end security feature.

The same for PGP/GPG keys which can likewise be ported.
@Timelord2067, are you implying 2FA will sort this problem of account sales, which I don't think it will? Btw, I thought 2FA keys 🔑 can equally be sold with the accounts to avoid any detection once an account changes hands... but it's definitely going to be a feature that's going to be better than PGP/GPG and wallet private keys, as a hacker will need the 2FA key and password to get hold of an account... unless they get hold of an email address, looking at the design of how to reset one's 2FA with SMF software.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~
Secondly, I never knew an active account could get hacked; since they are active, I was thinking they won't mind barging into the account to break through since the owner could quickly raise an alarm.

The activity of a BTT account does not mean that the person who hacks such an account cannot do damage using that account, because most people also have their private lives, which probably includes sleeping. If someone hacks you and you are not aware of it for 8+ hours, the hacker can use that time to request a loan or post malicious links or send threats to other members, all of which can result in you receiving a message that your account has been permanently banned. Of course, such a user will have the opportunity to prove that he was not behind all these actions, but sometimes that takes time.

For example, I remember that @LTU_btc was hacked, and also @BitcoinGirl.Club.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
So why don't we add a Google authentication option as a security feature to the forum?
This line of interest has been cropping up steadily lately and I like it. I'm in for a 2FA on accounts here. Yes, I know many will allude to the signing wallet messages to regain access but those who will do that should remember that signing a wallet to prove account ownership has to do with a stolen or hacked account and not as an antidote to preventing the account from getting hacked. That's what a 2FA does. It strengthens accounts against being hacked.

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
This will be a very cumbersome thing to do. I don't like the idea of the wallet signed message just to log in as we know it could be a regular thing, especially for those who don't have the permanently logged in box ticked.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.

I want it as an optional feature. Some do not want to use it while others may find it useful. When the internet is transitioning from web2 to web3 it is not a bad idea to have an option to use your bitcoin address to sign in to your bitcointalk account. Though I am against it being a mandatory feature, I support it being an optional feature.

hero member
Activity: 1428
Merit: 653
Next Generation Web3 Casino
Oh no!
You mean you are that strong to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessible by someone.

I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.

However, I don't think an active account could have that slim chance of getting hacked just like that; so far I have never witnessed where an active account is being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.

Thank you all, though.
Maybe I can increase my password strength; I never had that thought, thinking that I won't be able to exceed 12 random characters, and also seeing a way to employ an additional strong password. Although my chosen password is never that too strong to break in, maybe I might change my password later or anytime soon to properly secure one's account. Secondly, I never knew an active account could get hacked; since they are active, I was thinking they won't mind barging into the account to break through since the owner could quickly raise an alarm.
full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
It shouldn't be mandatory because it increases the risk instead of making it safer. I don't like being forced to change my password on a site I'm registered with. As long as I need their services I'll do it. If it's an option we're allowed to choose what we want, but forcing compliance isn't making users confident.

I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it.
Forced password changes increase the risk instead of making it safer. See:
legendary
Activity: 1092
Merit: 1024
Goodnight, o_e_l_e_o 🌹
A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this sometimes accounts got hacked and are taken by hackers.

This is a bitcoin forum and not a random website or forum. We all know that bitcoin came with some kind of cryptographic uniqueness, such as digital signature. Even if your account is hacked,  all you need do is to create a new account and complain in the forum. Then sign a signature from the old account, the account would be returned to the rightful owner.

We also know that not everyone staked their address and not everyone knows to sign messages. So, 2fa alternative is not a bad one. It shouldn't be mandatory for all users.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it.
Forced password changes increase the risk instead of making it safer. See:
Changing password and email occasionally has always been a good security practice, what changed now?
People realized it was stupid in the first place ;)

Read the NCSC:
Regular password expiry is a common requirement in many security policies. However, in the Password Guidance published in 2015, we explicitly advised against it. This article explains why we made this (for many) unexpected recommendation, and why we think it’s the right way forward.

Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password. The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.

The problem is that this doesn’t take into account the inconvenience to users - the ‘usability costs’ - of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.

To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.

Attackers can exploit this weakness.

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.

Or PCMag: Stop Changing Your (Strong, Unique) Passwords So Much.
full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.
Feature changes must be optional or else users will be upset. There shouldn't be mandatory requirements for signing wallets as part of 2FA. It's impossible to make a Bitcoin wallet signing feature. If 2FA becomes an optional feature, it gives choices to users.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.
I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it using special characters I don't usually use. I'll have to paste it because I won't remember it. If it's optional, it's allowing users to make up their own minds.
legendary
Activity: 3374
Merit: 6880
Top Crypto Casino
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.
legendary
Activity: 2954
Merit: 1159
It is the best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea as well.

Why would the private key of our wallet be compromised unless we do not follow the best practices for safeguarding the private keys?
 
Also, as you said that the private keys can be lost, well, if anyone is unable to keep his private key safe, then he shouldn't be here :(
That's the most basic thing that you should not lose your private key of your wallet under any circumstances. You should have 2 copies of the private keys stored at two different locations.

Once you have your private key with you, you can always prove the ownership of your bitcointalk account by signing a message with it.
full member
Activity: 868
Merit: 190
I'm a web developer. Hire me for your work.
When we're regularly being told to change passwords it means we won't be able to memorise any of them. You're getting used to one password and it's time to update, so it's copy-paste. If a keylogger has infiltrated your system you'll have another problem to fix. I'd say it's counterproductive, because memorising one long safe password is safer for me than regularly changing it.

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big

So why don't we add a Google authentication option as a security feature to the forum? This could prevent from account being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is modification software that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication
I don't think we need to add this; it's an additional workload for the server, and we have the best option to recover the account, which is staking our address. The user will be more careful with their private keys than with their 2FA application on their cellphone, backup code or password.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.

It is the best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea as well.
legendary
Activity: 3192
Merit: 1198
Bons.io Telegram Casino

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is a modification that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication.
I don't think we need to add this. It's an additional workload for the server, and we have the best option to recover the account, which is staking our address; the user will be more careful with their private keys than with the 2FA application on their cellphone, backup code or password.


I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Oh no!
You mean you are that strong as to have about 20 random characters as a password?
I never thought of that; maybe I was thinking passwords are limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.


I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.



However, I don't think an active account has even that slim chance of getting hacked just like that; so far I have never witnessed an active account being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
legendary
Activity: 2030
Merit: 2174
Professional Community manager
It's not working - some account sellers have pulled the rug after the sale to claim back the UID. It's happened in the past.
Can you give an instance of when this has happened? That is, the original owner trying to claim back their account on which they staked an address, and the hacker still winning ownership of the said account despite not having access to the Bitcoin address used to sign a message.

I've been here a short while and cannot remember a single scenario where this happened.

2FA would have prevented a great many people from having been scammed over the years.
2FA and signing a message are not mutually exclusive. We can comfortably have both as recovery features to protect accounts.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
No matter what the situation is, either there's 2FA in the forum, which is good for increasing your account's security, or there's no 2FA for forum accounts. If 2FA is implemented, then it is up to the forum member to enable 2FA on their account or not enable it at all. Captcha helps prevent bots from accessing the forum, and I don't see any problem with it being annoying, since you only have to complete it if you have logged out of your account, and the forum has a bypass for the captcha, if you ask me.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.
2FA isn't meant to stop account sales, it's meant to stop accounts from getting compromised.

It's not working - some account sellers have pulled the rug after the sale to claim back the UID. It's happened in the past.

2FA would have prevented a great many people from having been scammed over the years.
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
I never thought of that; maybe I was thinking passwords are limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, coz it's way too difficult to remember; you will end up resetting your password again lmao.

Also, you will always be reliant on copy-pasting the exact password, since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters that it is very hard to memorize.

I'm always skipping it because I would be reliant on my phone to access my account, which will give me a problem later on once my phone gets broken.

I think most phones now have these features. Even when you are going to sign up for a website, sometimes Google suggests a random password that contains mostly symbols and numbers. Many people nowadays use KeePass to keep their passwords safe so that they do not need to remember them at their next log-in. This is the easy way, but sometimes these 3rd-party services show vulnerabilities.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.
You can use the secret question for additional account protection, but even in the explanations in the profile it is written that the use of this feature is not recommended.

Staking a bitcoin address on the forum looks safer by comparison, if all precautions are taken to protect access to this wallet address (from which, if necessary, you can confirm your ownership of the account using a signed transaction).

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Most likely, this 2FA key implementation is opposed by the administration of this forum, and perhaps that is even for the better, because they are aimed at ensuring maximum account security.


Bonus question.
Do I understand correctly that if the forum administration can recover the password to the stolen account (after the owner confirms his ownership), then, in principle, they can gain access to any account? Or does it work in a different way?
hero member
Activity: 2562
Merit: 659
Dimon69
I never thought of that; maybe I was thinking passwords are limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, coz it's way too difficult to remember; you will end up resetting your password again lmao.

Also, you will always be reliant on copy-pasting the exact password, since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters that it is very hard to memorize.

I'm always skipping it because I would be reliant on my phone to access my account, which will give me a problem later on once my phone gets broken.
hero member
Activity: 1428
Merit: 836
Top Crypto Casino
I never thought of that; maybe I was thinking passwords are limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else.
I do have that kind of password, a combination of familiar words and numbers but not random characters, coz it's way too difficult to remember; you will end up resetting your password again lmao.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.

I'm quite sure that within a few months theymos will implement the 2FA patch that PowerGlove shared via his post. I have read almost every comment on that thread, and I have seen that theymos also gave merits to that post of PowerGlove, which shows that he's interested in implementing that feature on the forum. The only reason he might be delaying it could be the issue of slowdown, or maybe he's still busy these days with some other projects.

I don't think that Google Authenticator would be a good choice for 2FA on the forum. We can search for open-source solutions instead that would allow us to complete the 2FA. We can also go with the open-source app named "AuthPass", as that one can be more reliable for us. There are many such open-source 2FA solutions that we can choose from, and some of them are cross-platform supported as well.
hero member
Activity: 1428
Merit: 653
Next Generation Web3 Casino
To protect and increase your account security, regularly changing passwords can also help to improve your account safety.
~snip~

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.

Oh no!
You mean you are that strong as to have about 20 random characters as a password?
I never thought of that; maybe I was thinking passwords are limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone else. However, I don't think an active account has even that slim chance of getting hacked just like that; so far I have never witnessed an active account being stolen from the original owner.
sr. member
Activity: 448
Merit: 271
Eloncoin.org - Mars, here we come!
I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or the TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.
2FA isn't meant to stop account sales, it's meant to stop accounts from getting compromised.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I have nothing against additional security when it comes to our BTT accounts, but I wonder to what extent even 2FA would protect those who behave carelessly in protecting their private data. As we know, most CEX (perhaps even all of them) have some type of 2FA, but even such accounts are often hacked, because no one should be fooled that 2FA is some kind of ultimate solution for absolute security.



To protect and increase your account security, regularly changing passwords can also help to improve your account safety.
~snip~

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.

It's a dead-end security feature.

The same for PGP/GPG keys which can likewise be ported.
hero member
Activity: 1428
Merit: 653
Next Generation Web3 Casino
To protect and increase your account security, regularly changing passwords can also help to improve your account safety. As a reputable user you don't need to stress yourself much, and besides, the dream of this forum is to enable everyone to have seamless access and the power to control their account without any restrictions that limit people, especially newbies, from having the utmost accessibility to the forum. The forum is a place to teach and learn things related to bitcoin advancement and progression; adding any restrictions is like bridging the mission of the Bitcointalk forum, hence anyone and everyone is liable for their own account security.
full member
Activity: 770
Merit: 180
Eloncoin.org - Mars, here we come!
I was thinking more in the direction of why it couldn't be possible to develop this Bitcointalk forum into an app that can be downloaded, or whether it already exists, or the idea has been downplayed; please hint.
Otherwise and still, any good thought like this concerning the security and privacy of accounts is always a welcome read for me.
hero member
Activity: 798
Merit: 1045
Goodnight, ohh Leo!!! 🦅
The fuckin' SMF patch is yet to be enacted by Theymos... This also makes me feel he sees everything that's happening in here, especially here in the Meta-verse; he gave some merit to the post as well.
I keep saying this - if it ain't safe, then it ain't worth the stress this whole time.... I don't think anyone would stay happy if their accounts were compromised all of a sudden.

Sandra 🧑‍🦰
legendary
Activity: 2170
Merit: 1789
Recently, Google added the option of restoring the service by uploading data to the cloud, and certainly your data may be shared across several parties on the Internet. So Google authentication is bad for privacy and security.
If it is an option, does this mean by default they won't do it? It would be terrible if they stored your secret key somewhere and allowed someone to access it to expose everything.

As much as 2FA is important, but all the data in this forum is available to everyone, there is rarely anything of interest in PM, and the steps to recover the account are quick, hacking forum accounts is nothing more than sabotage activity or for personal reasons.
It would be different for each user of course. A legendary account that has records of trading or something similar is a good target to attack if they want to scam someone. A good example is also given above. Adding more security features is always a welcome addition as long as it doesn't compromise anything else imo.
legendary
Activity: 1582
Merit: 1284


So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Recently, Google added the option of restoring the service by uploading data to the cloud, and certainly your data may be shared across several parties on the Internet. So Google authentication is bad for privacy and security.

As much as 2FA is important, but all the data in this forum is available to everyone, there is rarely anything of interest in PM, and the steps to recover the account are quick, hacking forum accounts is nothing more than sabotage activity or for personal reasons.
sr. member
Activity: 658
Merit: 354
I stand with Ukraine!
Many times it has been asked, and Bitcointalk with its SMF software will not deploy it officially. It is also because of limited human resources, as theymos is the only one who manages the forum software, and he does not want to deploy new things which can cause potential security problems.

You must know that 2FA is not a perfect protection for your account, if you have good practice. If your practice with passwords and Internet use is good, it is enough to protect your account without 2FA.

Stake your Bitcoin address, message and PGP key too.

[Guide] How to use strong and secure password
Stake your PGP key here
Stake your Bitcoin address and message here
hero member
Activity: 532
Merit: 508
Leading Crypto Sports Betting & Casino Platform
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.

There's a need for 2FA integration in the forum, just as PowerGlove has also suggested on the thread provided by un_rank, and many reputable members have also concurred with the idea because of the importance of more security features.

Imagine someone gaining access to your account and taking a non-collateral loan of $5,000, or maybe the person posts a malware link that results in your account being banned.

e.g. Someone Loan using My Account
hero member
Activity: 1428
Merit: 836
Top Crypto Casino
... I don't think Theymos has the intention of implementing 2FA authentication in this forum anytime soon.
He is, and theymos already gave a thumbs up to what PowerGlove is creating [1]; it will be up anytime soon actually. But let's see until theymos implements it successfully, coz it's something of a pain in the ass merging it into the current forum.

[1] https://bitcointalksearch.org/topic/a-concise-2fatotp-implementation-smf-patch-5457330
hero member
Activity: 644
Merit: 661
- Jay -
2FA is a good security measure to prevent account thefts and has been suggested several times on the forum. A staked address is a measure to restore an already stolen account, which may already have had some damage dealt to the user, but 2FA prevents the damage from happening if done properly by the user.

@PowerGlove created an SMF patch [1] to make it easier for theymos, and he dropped some merits there, suggesting that theymos is open to including it, just as he did with the OP tag on the thread starter. Let us wait a bit and see if any changes occur.
A user can add secret questions
Secret questions have been disabled on the forum due to security risk.

So why don't we add a Google authentication option as a security feature to the forum?
2FA is good, but Google Authenticator is the worst privacy option. There are so many preferred ones which the forum can use, or it can opt for the one created by a forum user.

[1] https://bitcointalksearch.org/topic/a-concise-2fatotp-implementation-smf-patch-5457330

- Jay -
legendary
Activity: 3080
Merit: 1338
Slava Ukraini!
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Signing a message from a staked address is a solution for when the account has already been compromised. But until the case with your account is resolved, the hacker can do significant damage to you. Having 2FA would be a prevention so that such things wouldn't happen.
hero member
Activity: 1358
Merit: 850
When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
hero member
Activity: 700
Merit: 541
Bitcoin Casino Est. 2013
This has been discussed several times, and from what I have seen I don't think Theymos has the intention of implementing 2FA authentication in this forum anytime soon.

Do you agree to have 2fa Authentication on Bitcointalk.org?
2-Factors Authentication
Topic | Date | Written by
Can bitcointalk.org get 2 factor authentication? | 17/4/2013 | StevenPine
Why doesn't Bitcointalk support 2FA? | 14/5/2016 | cryptoheadd
2FA on bitcoin talk | 05/9/2017 | dreamer81
Isn't it time to introduce 2FA to enhance user account security ? | 24/3/2018 | DdmrDdmr
Bitcointalk.org 2FA option/feature | 13/11/2018 | tiikol
Should there be an option of adding 2fa for forum accounts? | 30/5/2019 | iamsheikhadil
full member
Activity: 476
Merit: 212
Tontogether | Save Smart & Win Big
Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions, and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.