
Topic: When will the account recovery problem be solved? - page 2. (Read 486 times)

copper member
Activity: 630
Merit: 420
We are Bitcoin!
Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making a huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

From this fear, I proposed some solutions long ago, and I have seen that a lot of others had different ideas, but it seems like we need to wait more to see any changes. I assume theymos has other priorities than looking at this issue.

[Proposal: prevent account hack] A complete new login system for BitcoinTalk <== https://bitcointalksearch.org/topic/proposal-prevent-account-hack-a-complete-new-login-system-for-bitcointalk-3371718


I just hope for the best.


update:
IMO hiring a staff member won't solve the problem, since I'm sure there are too many cases to be handled by 1 person.

There should be automatic account restore with a bitcoin address, which was already mentioned in these threads: "System to prove account ownership and recovery automatically - Demo included" & "[Proposal: prevent account hack] A complete new login system for BitcoinTalk".
One staff member only needs to prove the recovery request and/or investigate whether the private key was stolen, if needed, when the account was hacked.
Oh, thanks ETFbitcoin for bringing up the topic before me.
legendary
Activity: 1372
Merit: 1252
We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.
Does it scare you when you think about your account getting hacked or anything happening, and then waiting week after week or month after month without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.  Embarrassed

Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making a huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those posts where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opinions in this thread, although I doubt it's merely a problem of the speed or effort of the signature verification process. Personally, I think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the JSON-RPC interface of a bitcoin node, and I think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the JSON-RPC query of a locked node to verify the message and save this data into a simple relational database. An admin could have an admin interface with an outlook of this database showing the quoted post and the result of the signature, maybe combined with some account info fetched from the db (like login times, IPs, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at SMF's data model, but I can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email.

Indeed, the verification process could be sped up with some automation, but still, it will need human review. This takes time, and I doubt Cyrus and theymos will spend the required time to speed up the process. To benefit from said database we still need someone reviewing it; we would need more Staff looking at each individual case anyway. Automating the verification of the message would help a lot tho.
legendary
Activity: 3584
Merit: 5243
https://merel.mobi => buy facemasks with BTC/LTC
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those posts where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opinions in this thread, although I doubt it's merely a problem of the speed or effort of the signature verification process. Personally, I think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the JSON-RPC interface of a bitcoin node, and I think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the JSON-RPC query of a locked node to verify the message and save this data into a simple relational database.

An admin would have an admin interface with a view of this database showing the quoted post + post history (was this post edited or not) and the result of the signature, maybe combined with some account info fetched from the db (like login times, IPs, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at SMF's data model, but I can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email (together with instructions for a password reset).
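
The workflow proposed in the post above, sketched as an added example (not code from the thread or from the forum software): a single-use, expiring challenge bound to the account, a signature check delegated to a node, and a queue that an admin reviews. `verifymessage` is an existing Bitcoin Core RPC; the table layout, function names, challenge format and the 15-minute lifetime are assumptions.

```python
import base64, json, secrets, sqlite3, time, urllib.request

CHALLENGE_TTL = 900  # seconds a challenge stays valid (assumed value)

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS requests (challenge TEXT PRIMARY KEY, username TEXT,"
               " issued REAL, address TEXT, post_url TEXT, email TEXT, sig_ok INTEGER,"
               " status TEXT DEFAULT 'issued')")
    return db

def issue_challenge(db, username, now=None):
    """Random string shown on the form, bound to one account and stored for one use."""
    challenge = f"forum-recovery:{username}:{secrets.token_hex(16)}"
    db.execute("INSERT INTO requests (challenge, username, issued) VALUES (?,?,?)",
               (challenge, username, time.time() if now is None else now))
    db.commit()
    return challenge

def node_verifier(url, user, password):
    """Callable wrapping Bitcoin Core's verifymessage RPC on a node (no wallet needed)."""
    def verify(address, signature, message):
        body = json.dumps({"jsonrpc": "1.0", "id": "recovery", "method": "verifymessage",
                           "params": [address, signature, message]}).encode()
        auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, body, {"Authorization": "Basic " + auth,
                                                 "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["result"] is True
    return verify

def submit_request(db, verify, challenge, address, signature, post_url, email, now=None):
    """Check one form submission; the verdict is queued, an admin still decides."""
    now = time.time() if now is None else now
    row = db.execute("SELECT issued, status FROM requests WHERE challenge=?", (challenge,)).fetchone()
    if row is None or row[1] != "issued":
        return "rejected: unknown or already used challenge"
    if now - row[0] > CHALLENGE_TTL:
        return "rejected: challenge expired"
    ok = bool(verify(address, signature, challenge))
    db.execute("UPDATE requests SET address=?, post_url=?, email=?, sig_ok=?,"
               " status='pending_review' WHERE challenge=?",
               (address, post_url, email, int(ok), challenge))
    db.commit()
    return "queued: signature valid" if ok else "queued: signature INVALID"

def review_queue(db):
    """Rows for the admin view: account, claimed address, staked post, email, verdict."""
    return db.execute("SELECT username, address, post_url, email, sig_ok FROM requests"
                      " WHERE status='pending_review'").fetchall()
```

For a live node, pass `node_verifier(url, user, password)` as `verify`. A valid signature only proves control of the submitted address, so the reviewer still has to confirm that it is the address in the staked post and that the post was not edited afterwards.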
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those posts where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.
Does it scare you when you think about your account getting hacked or anything happening, and then waiting week after week or month after month without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.  Embarrassed
legendary
Activity: 1372
Merit: 1252
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.