Pages:
Author

Topic: Why changing the email and the password is so easy !!!! (Read 550 times)

member
Activity: 966
Merit: 31
Which is why I think that the best solution is to simply verify via SMS and link the account that way.
This totally ignores one of the most important arguments against it: privacy! At best, I could use a prepaid number, which means I have to add balance at least twice a year. If I forget it, I lose the number, and thus access to my account.

Well, then this is not for you like I don't feel like staking my Bitcoin address would be something that would be beneficial to me. Especially if I have to wait for long periods of time for my account to be reinstated. But I believe that lots of users in this forum would be relieved to have that option. You want to remain completely anonymous, okay, I get it. I'm not suggesting a mandatory security measure here. I'm suggesting an option that would benefit me as many other users who prefer to lose part of their anonymity in favor of not losing their account and frankly, I don't know why we keep circling back to the issue of anonymity here. Privacy should be people's right, and to me this means they should be able to give some of it away if they wish in exchange for something more beneficial to them.
member
Activity: 154
Merit: 29
Just remember one thing: high rank account in this site means money. We can debate this as much as you like, but this is the reality.
High rank accounts are monetizing their position and some of them gain quite a lot from this forum.
So security must be increased. Having only a user/password pair is way to less for current online security.
You don't like a phone number, that's fine. i wouldn't choose such an option either. But something must be done.
I said 2FA, there are concerns about google authenticator, but there should not be. You don't need a phone to generate google codes.
If needed I can explain how you can do it without a phone or how to recover seed codes from google authenticator app  on android.
I'm quite sure there are other possibilities too, only the will to implement them is required.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Which is why I think that the best solution is to simply verify via SMS and link the account that way.
This totally ignores one of the most important arguments against it: privacy! At best, I could use a prepaid number, which means I have to add balance at least twice a year. If I forget it, I lose the number, and thus access to my account.
member
Activity: 966
Merit: 31
Edit: LoyceV, I will give some thought to your suggestion on the matter of the paper wallet. However, I believe that a forum such as bitcointalk should offer its members some sort of extra protection.
A staked address is a very easy method to offer this protection, although I do agree account recovery often takes too long.

Also asking the user for confirmation before doing a critical change to the account should be mandatory.
That means at least sending a mail with a confirmation code. That's minimum security, any site has such an option implemented.
I've had most of my forum accounts longer than most of my phone numbers and email addresses, and this forum account has already outlived at least 2 of my phones (although not my phone number). I consider losing my phone much more likely than losing access to my account, and in that case it will only lead to more support requests.
It's the opposite for me. I still keep my first e-mail address, although now I have others, and my phone, even though it's obviously not the same device, still has the same number that I had in middle school, which was ages ago  Grin

Which is why I don't understand why it's an inconvenience to have your account linked to your phone number. I've lost phone devices and then I went with my ID to my cell provider and simply got a new SIM card with the same number and a new phone. It's certainly easier than asking some moderator to recover my account and wait for I don't know how long for this process.

Now, 2FA, that can be a tricky one if you use Google Authenticator. I haven't lost a device recently, but I know that if you lose your phone which has the 2FA app, you're screwed. But there are other 2FA apps out there.

Which is why I think that the best solution is to simply verify via SMS and link the account that way. Again, because some people don't listen, I think that this should be an option and not mandatory. When I referred to it as a solution to spamming I was talking about another thing entirely which would require a much bigger conversation and frankly, I don't care much to have it. I'm lazy  Cheesy
member
Activity: 154
Merit: 29
I've had most of my forum accounts longer than most of my phone numbers and email addresses, and this forum account has already outlived at least 2 of my phones (although not my phone number). I consider losing my phone much more likely than losing access to my account, and in that case it will only lead to more support requests.

That's now what I tried to say. I'm simply asking that before you can change a critical part of your account (like email or password), you should receive an email at the current email address and you have to confirm that you really are the person who initiated the change. That means to click on a link or get a confirmation code in the email. Without using that link or confirmation code you should not be able to make the change you want. Of course it is possible that you don't have access anymore to the current email address, so an alternative way of confirmation should be available (a second email, sms, phone call, 2FA code). Sms or voice call are not something that some people would want for lack of anonymity, but the other 2 can be safely used from this point of view.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Edit: LoyceV, I will give some thought to your suggestion on the matter of the paper wallet. However, I believe that a forum such as bitcointalk should offer its members some sort of extra protection.
A staked address is a very easy method to offer this protection, although I do agree account recovery often takes too long.

Also asking the user for confirmation before doing a critical change to the account should be mandatory.
That means at least sending a mail with a confirmation code. That's minimum security, any site has such an option implemented.
I've had most of my forum accounts longer than most of my phone numbers and email addresses, and this forum account has already outlived at least 2 of my phones (although not my phone number). I consider losing my phone much more likely than losing access to my account, and in that case it will only lead to more support requests.
member
Activity: 966
Merit: 31
Forum was created in a period when bitcoin was probably the only coin available. That times are over.
Most of the people nowadays use bitcoin (if they even use it, because there are other alternatives)
only as a meaning to an end: to convert altcoins into fiat. And for that you don't even need a personal wallet,
the one(s) from exchange(s) is(are) more than enough for the purpose. Asking for a signed message with
bitcoin address as the only way to be able to recover an account seems rather archaic and leave a lot of people without a real option.

2FA is the way to go. It doesn't need to be phone connected, there are plenty of other alternatives.
Any TOTP code can be obtained on any computer as long as seed is known; you don't need a phone for that.
Also asking the user for confirmation before doing a critical change to the account should be mandatory.
That means at least sending a mail with a confirmation code. That's minimum security, any site has such an option implemented.
Friend, if I had a merit I would have given it to your post  Grin
member
Activity: 154
Merit: 29
Forum was created in a period when bitcoin was probably the only coin available. That times are over.
Most of the people nowadays use bitcoin (if they even use it, because there are other alternatives)
only as a meaning to an end: to convert altcoins into fiat. And for that you don't even need a personal wallet,
the one(s) from exchange(s) is(are) more than enough for the purpose. Asking for a signed message with
bitcoin address as the only way to be able to recover an account seems rather archaic and leave a lot of people without a real option.

2FA is the way to go. It doesn't need to be phone connected, there are plenty of other alternatives.
Any TOTP code can be obtained on any computer as long as seed is known; you don't need a phone for that.
Also asking the user for confirmation before doing a critical change to the account should be mandatory.
That means at least sending a mail with a confirmation code. That's minimum security, any site has such an option implemented.
member
Activity: 95
Merit: 28

1- Improve the bitcointalk account security using email verification when anyone login with a new device into the account.
2- Add a phone verification in case of login with a new device.
3- Add a new procedure for recovering a hacked account that doesn't take too much time.

i can be more agree than that

you can add this option too :

 delete the personal security question , because even if we answer correctly to this one, we are locked for manual review.... and we wait we wait we....

like me here https://bitcointalksearch.org/topic/almost-1-year-hero-account-locked-please-unlock-i-have-many-proofs-2851296

member
Activity: 966
Merit: 31
I'm not sure a discussion over whether I am using Bitcoin or not is worth having with a person who doesn't have a phone.

Neither did Satoshi Nakamoto, in this context.  Not that that would matter to one of the ovine imbeciles who exclusively keeps money on exchanges.  Baa, baa.  Do you even know what a private key is?  It is self-evident that you neither know nor care why private keys are important.

Written from my phone  Grin

That’s not something to brag about.  That you think it is, says much about you.  But not as much about you as your attitude about private keys.

The Bitcoin Forum is for users of Bitcoin.  By definition, such people have private keys.  Those who don’t are serfs, living on a master’s estate and at his mercy.  As a serf, you should know your place, and never expect anybody to take your opinion seriously.  How dare you come on the Bitcoin Forum and complain that it’s such an imposition to have a private key?

Well, for starters, I don't care if it's mandatory or not. Which is why I added it as a PS, an afterthought if you will,

Logic failure.  What you said was this:

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

How could that even try to solve any spam problems, if it were not mandatory?  I do not expect that spammers would “opt-in”.  Had you been advocating optional SMS “verification”, you would not have suggested it to be an antispam measure.
Mate, are you serious? I have a lot of altcoin wallets, just no Bitcoin wallets. I didn't know it was a prerequisite to have a Bitcoin wallet to be able to regain your account in bitcointalk after someone has hacked it, maybe it should be on the registration page. In fact, even comparing the two, having a bitcoin wallet and a phone number, makes you look like a fool. What percentage of the world population has a Bitcoin wallet and is it bigger than those who have a phone number? Even assuming that because I don't have a Bitcoin wallet I actually keep Bitcoin in exchanges is idiotic since I never even suggested such a thing. Bitcoin is the way to exchange my fiat into altcoins and vice versa but of course, someone so stuck on Bitcoin would never understand that  Grin

Again, my PS was just a suggestion, to be considered. I already told you that. The logic failure is yours. I already told you that linking an account to a phone number would be beneficial to me and many users in here. Just call us dinosaurs for having a phone still, I don't care. The truth of the matter is that this is an easy way to prevent account hacking. Whether it can actually benefit the moderators from lowering the number of spam accounts, requires a bigger conversation. I believe it can. But I am talking about two separate things here and there's a reason I suggested it as an afterthought, which you just don't want to or cannot understand. That's okay. Not everyone can understand the way I'm thinking  Roll Eyes

"The Bitcoin Forum is for users of Bitcoin"

That's a load of crap and you know it. Just check the number of posts in the altcoins section. I don't come here to read news and analysis about Bitcoin, I come here for the altcoin section. And if there was a way to make a poll about the reasons people are in this forum, you'd see that despite the name, people come here for different reasons than that. Only people who have yet to scratch the surface of this forum think that all these users come here because of Bitcoin. Are you one of these people  Cheesy

Edit: LoyceV, I will give some thought to your suggestion on the matter of the paper wallet. However, I believe that a forum such as bitcointalk should offer its members some sort of extra protection. I've been in forums that have 2FA as an option and they're definitely smaller than this one, so I don't know what the big deal is about doing this or having the option (again, I'm suggesting it to be optional) to link your phone number to your account to make sure it's not easily hackable.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I wouldn't like to see 2FA added, it's another layer that can fail and take away my access to the forum. Besides, there's another reason why phone or email verification is a bad thing: privacy! Theymos respects privacy, and privacy shouldn't be compromised for security.

That means a randomly generated password of sufficient length, used only for this site and nowhere else.  May I suggest use of a good password manager (non-“cloud”-based).
I use KeePass (for Windows), KeePassX for Linux, or a different version for anything from iPad to Blackberry.
If you're not using one yet: get a decent password manager, spend a few hours setting it up for all your accounts (don't forget to backup the database!), and keep it updated for all new passwords you create in the future.
I'm pretty sure nobody will ever be able to brute-force my password, but I changed my password anyway after the forum got hacked (a few years back).

One of my first thoughts on seeing anything Bitcoin-related is, “Why isn’t public-key crypto used for all authentication?”  Of all places, the Bitcoin Forum should lead with that!  If you use Bitcoin, you should also use PGP, at the bare minimum; and the attention brought by Bitcoin makes for an opportunity to introduce more people to what old cypherpunks call “crypto”, resulting in more security all-around.
I regret not being more private when I joined here, but it's too late to change that now.

To be honest, I find the security measures in this forum ludicrous especially if you consider that many accounts here belong to members who are trying to start or promote a business, whether that is a cryptocurrency coin/token or trading or something else. There's no confirmation e-mail even. At first, when I signed up I thought I had made a mistake in typing my e-mail and it had gone to a wrong address. There's no 2FA, no SMS verification, nothing... It's basically a hacker's paradise.
I have never in my life had any forum account compromised. It's entirely up to you to keep your account secure.

Quote
Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.
You can easily print a paper wallet, stake the address, and keep it secure in case you need it.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
I'm not sure a discussion over whether I am using Bitcoin or not is worth having with a person who doesn't have a phone.

Neither did Satoshi Nakamoto, in this context.  Not that that would matter to one of the ovine imbeciles who exclusively keeps money on exchanges.  Baa, baa.  Do you even know what a private key is?  It is self-evident that you neither know nor care why private keys are important.

Written from my phone  Grin

That’s not something to brag about.  That you think it is, says much about you.  But not as much about you as your attitude about private keys.

The Bitcoin Forum is for users of Bitcoin.  By definition, such people have private keys.  Those who don’t are serfs, living on a master’s estate and at his mercy.  As a serf, you should know your place, and never expect anybody to take your opinion seriously.  How dare you come on the Bitcoin Forum and complain that it’s such an imposition to have a private key?

Well, for starters, I don't care if it's mandatory or not. Which is why I added it as a PS, an afterthought if you will,

Logic failure.  What you said was this:

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

How could that even try to solve any spam problems, if it were not mandatory?  I do not expect that spammers would “opt-in”.  Had you been advocating optional SMS “verification”, you would not have suggested it to be an antispam measure.
member
Activity: 966
Merit: 31
PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

That would do little against spammers who can easily avail themselves of bulk numbers for SMS; but it would instantly evict me from the forum.  Mandatory phone “validation”!?  It is reprehensible even to suggest that on a forum where many legitimate users, including Satoshi Nakamoto, exclusively connect(ed) through anonymity networks.

Fortunately, this has absolutely zero chance of ever happening here; and it’s a waste of everybody’s time for you to even mention it.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.

If you don’t control your own private keys, then you are not using Bitcoin.  Forgive me if I am underwhelmed by your opinions about the Bitcoin Forum.
Well, for starters, I don't care if it's mandatory or not. Which is why I added it as a PS, an afterthought if you will, that the moderators should consider it. I would like the phone number validation to be an option, though. Most people have a phone.

I'm not sure a discussion over whether I am using Bitcoin or not is worth having with a person who doesn't have a phone.

Written from my phone  Grin
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

That would do little against spammers who can easily avail themselves of bulk numbers for SMS; but it would instantly evict me from the forum.  Mandatory phone “validation”!?  It is reprehensible even to suggest that on a forum where many legitimate users, including Satoshi Nakamoto, exclusively connect(ed) through anonymity networks.

Fortunately, this has absolutely zero chance of ever happening here; and it’s a waste of everybody’s time for you to even mention it.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.

If you don’t control your own private keys, then you are not using Bitcoin.  Forgive me if I am underwhelmed by your opinions about the Bitcoin Forum.
full member
Activity: 250
Merit: 106
The security mechanisms here in the forum are smart and forward-looking.
In the event, that an account is hacked here and the password / email address is changed, a link is sent to the old email, with which the account can be blocked.
Read this thread for further info:
https://bitcointalksearch.org/topic/m.23164732
In case, that the email address is lost, the email address here can easily be changed.
And it is easy to generate a Bitcoin address that can be staked here
https://bitcointalksearch.org/topic/stake-your-bitcoin-address-here-996318 and be used to sign a message. Just study the section "Beginners & Help".
member
Activity: 966
Merit: 31
To be honest, I find the security measures in this forum ludicrous especially if you consider that many accounts here belong to members who are trying to start or promote a business, whether that is a cryptocurrency coin/token or trading or something else. There's no confirmation e-mail even. At first, when I signed up I thought I had made a mistake in typing my e-mail and it had gone to a wrong address. There's no 2FA, no SMS verification, nothing... It's basically a hacker's paradise.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point. I think that the powers that be of this forum should try to look at this from the members' point of view. There's a huge chance that at some point many of our accounts will be hacked. I've seen it happen and I've seen the huge inconvenience it has caused.

So, please, if any moderator reads this, do not act defensively to my words. I only seek to protect myself and the rest of the members. Please, give us a second security measure besides our password to ensure that we'll be safer and that our accounts will not fall into the wrong hands. Remember, accounts in the wrong hands won't be beneficial for you guys either since these guys will probably sell these accounts to third parties of scammers or spammers.

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.
hero member
Activity: 924
Merit: 512
Actually, this works like this on almost all the forums in same way. I am not sure what protection is here for brute force attacks.

As of now they will send the push  notification to previous e-mail when the password and email address has been changed. However, you will be able to report the moderator hilariouscando and Theymos about account hacking issue.
OP mentioned would be good idea to secure the forum reputation from the hackers stealing accounts. After blocking and recovering and all a burden and extra efforts for moderators crew but implementing the Authentication push up to mail would better to secure everyone account.

Or directly take out the password and reset option under every account and implement the link 'change password' this should push reset link to concern email. For email, authentication link first to the old email and verification link to new email. This is also works better.
jr. member
Activity: 46
Merit: 1
Actually, this works like this on almost all the forums in same way. I am not sure what protection is here for brute force attacks.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
I think this actually might be helpfull because, new people don't know about signed messages until its too late and they got their accounts stolne,

This is why I think user education is important.  For a forum dealing with what is now colloquially called “crypto”, only an astonishly small proportion of users are crypto-savvy.

One of my first thoughts on seeing anything Bitcoin-related is, “Why isn’t public-key crypto used for all authentication?”  Of all places, the Bitcoin Forum should lead with that!  If you use Bitcoin, you should also use PGP, at the bare minimum; and the attention brought by Bitcoin makes for an opportunity to introduce more people to what old cypherpunks call “crypto”, resulting in more security all-around.

having a good or a bad password is not the issue,

Password crackers would beg to differ.  Most passwords are laughably weak.  The way you said that, I am guessing that that includes your password, too.

anyone is vulnerable to get hacked,

In this context, that’s the wrong attitude; it encourages people to give up and keep their security weak.  Yes, everything out there is broken.  The state of the industry is horrific.  Most people have bad security because they don’t care about security, don’t put any effort into it—and won’t pay for it, which is why the state of the industry is horrific.

I think the NSA could probably hack me.  I’m sure that forum account thieves can’t.  So much for “anyone is vulnerable”.
sr. member
Activity: 1414
Merit: 283
Recently my friend's bitcointalk account got hacked and unfortunatly for him he was not able to recover it, the hacker was able to change the email and password without being stopped due to the fact that bitcointalk system only sends you a notification mail to let you know that your informations were already changed, and the only way you can recover your account is by having a signed message which people only know about when it's too late, or by pming one of the administrators who have a busy schedule and probably won't reply to you even if you have a proof of ownership of the account.

What i'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not and also know if he is being hacked.
I think this actually might be helpfull because, new people don't know about signed messages until its too late and they got their accounts stolne, having a good or a bad password is not the issue, anyone is vulnerable to get hacked, and there is nothing worst than losing your account that you spend a lot of time on it.
Pages:
Jump to: