Topic: Why changing the email and the password is so easy !!!! - page 2. (Read 542 times)

sr. member
Activity: 630
Merit: 250
Changing your password and email is easy. This is very convenient for email users. This will help us protect our privacy. If you feel your password has expired, then you change it. Or, if you sometimes forget the password, you can get the password back.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
All you need currently to keep your account secure is a very good password.

That means a randomly generated password of sufficient length, used only for this site and nowhere else.  May I suggest use of a good password manager (non-“cloud”-based).

You also need to prevent your computer from being compromised.  Accounts are not being hacked.  Users are being hacked.
hero member
Activity: 2352
Merit: 905
Metawin.com - Truly the best casino ever
There was discussion about it in the past, but it seems theymos didn't take care of it.
All you need currently to keep your account secure is a very good password. Famous members have been hacked too. I remember how condoras sent btc to one member (can't remember the username) and lost it because the account was hacked and the real owner lost control of it. Condoras trusted blindly and didn't ask for a signed message. (I'm talking about loans.)
Btw the real way here is signing a message from your bitcoin address, which must be actively used here, and then you need to wait a long time to get a response to your PM from a moderator, usually from Cyrus. There is another way to prove ownership if you can't sign a message, but that will take a lot of time and won't be worth it (messages etc., for example).
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
The problem is not with the signed message of the staked btc address, but with the security weakness.

What security weakness?  The users’ security weakness?  If you know of a security weakness in the forum, please report it and collect a bounty!

If the hacker knows the username and the password of the bitcointalk account, he can easily hack your account, and you can't do anything.

If a hacker knows the username and password, then there is nothing to hack!  That’s like saying that if a hacker knows your Bitcoin private keys, he can “hack” your wallet.

1- Improve the bitcointalk account security using email verification when anyone logs in to the account from a new device.

That would be extremely annoying, and of little or no use to users who know how to secure their own passwords.  Also, for Tor users, it would effectually mean an e-mail verification for each and every login.

2- Add phone verification in case of login from a new device.

I don’t have a phone.  (At least, not one that you or the forum will ever know about.)  What do you suggest I should do?

3- Add a new procedure for recovering a hacked account that doesn't take too much time.

I have a better idea:

4. Choose a strong password, and keep it secure.

HTH.
full member
Activity: 532
Merit: 132
I saw a lot of people here in Meta lose their accounts because of hacking. The majority are full member and senior member accounts, and sometimes Hero or legendary accounts. The problem is not with the signed message of the staked btc address, but with the security weakness. I agree with the OP on that, because I already read a case like that. If the hacker knows the username and the password of the bitcointalk account, he can easily hack your account, and you can't do anything. Even the procedure for recovering the hacked account is too hard, because Theymos and Cyrus take too much time to respond.

What I can suggest

1- Improve the bitcointalk account security using email verification when anyone logs in to the account from a new device.
2- Add phone verification in case of login from a new device.
3- Add a new procedure for recovering a hacked account that doesn't take too much time.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
Stake a Bitcoin address, and preferably, a PGP key.  (But n.b. that Segwit addresses cannot yet be used for this purpose.)

I think that current options for securing one’s account are inadequate.0  However, there do exist ad hoc ways to help protect your account.  If your account has any value to you, make the effort to do that—and also to improve your own security!  I’m sick of hearing about “accounts hacked” when, as far as I can tell, most or all (recent) such instances are matters of users being hacked.  I am not aware of any evidence that accounts are ever hacked, nowadays.

What I'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not, and also know if he is being hacked.

What about people who lose access to an e-mail address, but legitimately know their own password?



0. For account recovery purposes, users should be able to somehow bind a PGP key fingerprint to an account—either permanently, or with a long timelock.  I mean this as a forum feature with a form widget on the user profile page, not the ad hoc “post your key here” threads.  I would also add Bitcoin keys, but for the aforestated problem with Segwit addresses.

I also want some means of public-key auth login.  I began writing a long post for Meta about that more than two months ago, when I was more or less brand-new.  However, browser makers have made this infeasible by effectually deprecating functionality required for TLS client certificate usage by websites; and there are other problems with TLS client certs.  I also considered SSH tunnels, etc.; but I know realistically that has negligible probability of actually happening.
legendary
Activity: 2383
Merit: 1551
dogs are cute.
Because there is no 2FA yet and the passwords that most users keep are just as terrible as their shitposts. Guessing passwords is easier when hackers have access to usernames. Poor security measures are the reasons why.
Slightly off topic: when users sign in, why doesn't the forum ask for email IDs along with the password rather than asking for username and password, since the latter only benefits the hacker?
Users do get email notifications when someone tries to get access to their accounts, right?
No, they don't get any notification when someone tries to access their account; they only get a notification when it's already too late and their email and password have been changed, and that's where the problem lies: they won't be able to know that they are being hacked.
Someone tried to gain access to my account using the forgot password feature and I received an email, but I don't think you receive an email when someone gets access to your account and changes email/password/both. This suggestion of yours may or may not curb the number of hacks, but it should be worth a shot.
jr. member
Activity: 74
Merit: 5
IOS - The secure, scalable blockchain
Because there is no 2FA yet and the passwords that most users keep are just as terrible as their shitposts. Guessing passwords is easier when hackers have access to usernames. Poor security measures are the reasons why.
Slightly off topic: when users sign in, why doesn't the forum ask for email IDs along with the password rather than asking for username and password, since the latter only benefits the hacker?
Users do get email notifications when someone tries to get access to their accounts, right?
No, they don't get any notification when someone tries to access their account; they only get a notification when it's already too late and their email and password have been changed, and that's where the problem lies: they won't be able to know that they are being hacked.
legendary
Activity: 2383
Merit: 1551
dogs are cute.
Because there is no 2FA yet and the passwords that most users keep are just as terrible as their shitposts. Guessing passwords is easier when hackers have access to usernames. Poor security measures are the reasons why.
Slightly off topic: when users sign in, why doesn't the forum ask for email IDs along with the password rather than asking for username and password, since the latter only benefits the hacker?
Users do get email notifications when someone tries to get access to their accounts, right?
jr. member
Activity: 74
Merit: 5
IOS - The secure, scalable blockchain
Recently my friend's bitcointalk account got hacked and unfortunately for him he was not able to recover it. The hacker was able to change the email and password without being stopped, because the bitcointalk system only sends you a notification mail to let you know that your information was already changed, and the only way you can recover your account is by having a signed message, which people only know about when it's too late, or by PMing one of the administrators, who have a busy schedule and probably won't reply to you even if you have proof of ownership of the account.

What I'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not, and also know if he is being hacked.
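The confirm-before-apply flow the OP proposes, as an added example that is not forum code and not anything the forum actually runs. The change is parked as pending, and an accept token and a reject token are mailed to the address currently on file (never the proposed new one). Only the accept token applies the change; the reject token cancels it and locks the account as possibly compromised, which gives the owner the "I know I'm being hacked" signal the post asks for. The class and function names (ChangeGuard, PendingChange, TOKEN_TTL) and the one-hour lifetime are assumptions for illustration, and the in-memory dicts stand in for the forum database.

```python
"""Added example (not forum code): confirm-before-apply for e-mail and
password changes.  Instead of notifying the old address after the change,
the change is parked as pending and one-time accept/reject tokens are
mailed to the address on file.  All names and the TTL are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600  # seconds a pending change stays valid (assumed policy)


def _digest(token: str) -> str:
    # Store only a hash of each token: a leaked pending-change table must
    # not let an attacker confirm the change they themselves requested.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    locked: bool = False


@dataclass
class PendingChange:
    username: str
    field: str            # "email" or "password_hash"
    new_value: str
    accept_digest: str
    reject_digest: str
    expires_at: float


class ChangeGuard:
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # username -> Account (stand-in for the DB)
        self.clock = clock         # injectable so expiry can be exercised
        self.pending = {}          # username -> PendingChange (one at a time)

    def request_change(self, username, field, new_value):
        """Park the change; return the mail to send to the CURRENT address."""
        acct = self.accounts[username]
        if acct.locked:
            raise PermissionError("account locked pending recovery")
        if field not in ("email", "password_hash"):
            raise ValueError(field)
        accept, reject = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[username] = PendingChange(
            username, field, new_value, _digest(accept), _digest(reject),
            self.clock() + TOKEN_TTL)
        return {
            "to": acct.email,  # the old address, never the proposed one
            "subject": f"Confirm {field} change for {username}",
            "accept_token": accept,
            "reject_token": reject,
        }

    def _lookup(self, username, token, which):
        pc = self.pending.get(username)
        if pc is None:
            return None
        if self.clock() > pc.expires_at:
            del self.pending[username]   # expired: drop it, token is useless
            return None
        expected = pc.accept_digest if which == "accept" else pc.reject_digest
        if not hmac.compare_digest(expected, _digest(token)):
            return None               # constant-time compare, no oracle
        return pc

    def accept(self, username, token):
        """Apply the parked change; True on success, False otherwise."""
        pc = self._lookup(username, token, "accept")
        if pc is None:
            return False
        setattr(self.accounts[username], pc.field, pc.new_value)
        del self.pending[username]    # tokens are single-use
        return True

    def reject(self, username, token):
        """Owner says 'that wasn't me': cancel and lock so whoever holds the
        password cannot simply request the change again."""
        pc = self._lookup(username, token, "reject")
        if pc is None:
            return False
        del self.pending[username]
        self.accounts[username].locked = True
        return True
```

Two design points worth noting. Tokens are stored hashed and compared with `hmac.compare_digest`, so neither a database read nor a timing side channel lets the party who requested the change confirm it without reading the mail. And the lock on reject is deliberate: the attacker still knows the password, so cancelling alone only buys time. The flow does not by itself solve the objection raised later in the thread about owners who have lost access to their e-mail address; that still needs a separate recovery path such as a staked address or key.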