Bitcoin Forum

Other => Beginners & Help => Topic started by: notlist3d on October 20, 2015, 02:45:45 AM



Title: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on October 20, 2015, 02:45:45 AM
Just noticed a trend in Meta of people getting locked out of account for resetting and using secret question. It will actually lock your account due to security and you have to get admin and prove ownership, so a pain for you and admins. I'm hoping posting this here will slow the number of these we see in meta.

I take no credit as far as figuring it out; read more here: https://bitcointalk.org/index.php?topic=1206977.0

I just figured it would be good to have here and hopefully save a few members some time.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Harry Hood on October 20, 2015, 04:08:53 AM
Wow, great top tip for us...thanks.

Do you know if the Admins are planning to fix this flaw?


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: shorena on October 20, 2015, 06:47:05 AM
Wow, great top tip for us...thanks.

Do you know if the Admins are planning to fix this flaw?

The accounts get locked because of the database breach a while back. The security answers and questions were stored in the database as a hash that was easier to attack than the (hashed) password itself. Thus the security question offered less security and in order to avoid hijacking of old accounts the locking was implemented. It was not common knowledge at first. To me it seemed the admins tried to use it as a honeypot to find out more about the DB breach. As more and more users complained about their locked accounts it became more known, but probably only among those that read meta on a regular basis.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: alexrossi on October 20, 2015, 07:01:45 AM
Afaik secret question was always marked as a security flaw for btctalk account, so the common security measure was to leave it empty.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: RealBitcoin on October 20, 2015, 07:09:19 AM
Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to :D

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: VirosaGITS on October 20, 2015, 09:57:28 PM
Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to :D

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

Maybe set up a strong 2FA for authentication, so that people can simply use their Google Authenticator or such to recover their password. I'm not sure if the other password reset method lets you change your password without locking? By using your email account, I mean.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: bitcoin revo on October 20, 2015, 11:25:13 PM
Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to :D

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

Maybe set up a strong 2FA for authentication, so that people can simply use their Google Authenticator or such to recover their password. I'm not sure if the other password reset method lets you change your password without locking? By using your email account, I mean.

I'm pretty sure that it doesn't lock your account, although I'm not 100% positive. I will tell you that 2FA will be included in the new forum, so at least members won't have a really good excuse if their accounts are hacked. ( ;) )

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

I would say that adding a warning to the page where you reset your password via Secret Question would be smarter, if theymos isn't going to remove the auto-lock feature.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: RealBitcoin on October 20, 2015, 11:31:23 PM

I would say that adding a warning to the page where you reset your password via Secret Question would be smarter, if theymos isn't going to remove the auto-lock feature.

They already added it, but you know newbies, they will get locked out eventually.

You need to warn them 5-6 times before they get it, it's really hard to get into bitcoin, for undisciplined people, because this is the wild west.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: TheGr33k on October 20, 2015, 11:33:09 PM
I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: bitcoin revo on October 20, 2015, 11:41:31 PM
I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on October 21, 2015, 12:30:25 AM
I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.

I think you got lucky it is designed to be locked at this point. As shorena said the secret question answers were compromised in a hack a while back. So it's kinda a safety measure to make sure they can't steal your account.

But here is a big tip for accounts:

Make sure to "stake" a bitcoin address you have access to prove you are owner if ever needed: https://bitcointalk.org/index.php?topic=996318.0


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: achow101 on October 21, 2015, 01:27:34 AM
I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?
It isn't with setting or changing it, but rather when you attempt to recover your password with it. If you try to recover your password using the secret question, you will be locked out. You can change it, and I would advise you to remove it completely.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: TheGr33k on October 21, 2015, 01:36:12 AM
So at this point the "security" question is more of an account padlock and proves to be more of a detriment than anything..?
Does this mean if someone attempted to answer my secret question it would lock my account?


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: achow101 on October 21, 2015, 01:40:06 AM
So at this point the "security" question is more of an account padlock and proves to be more of a detriment than anything..?
Does this mean if someone attempted to answer my secret question it would lock my account?
Only if they get it right.
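
The behaviour shorena and achow101 describe (a correct secret answer locks the account, a wrong one changes nothing, e-mail reset stays the working path) sketched as an added example that is not part of the original thread or the forum's own code. The function names, the PBKDF2 parameters, the `ANSWERS_COMPROMISED` flag and the rule that a locked account refuses e-mail resets are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a site-wide flag admins set once stored answers may have leaked.
ANSWERS_COMPROMISED = True


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then use a slow salted KDF so a leaked
    # answer hash is not cheaper to attack than the password hash.
    normalized = " ".join(answer.lower().split()).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


@dataclass
class Account:
    name: str
    answer_salt: bytes = b""
    answer_hash: Optional[bytes] = None       # None = no secret question set
    email_token_hash: Optional[bytes] = None
    locked: bool = False
    audit: list = field(default_factory=list)

    def set_secret_answer(self, answer: Optional[str]) -> None:
        # Passing None removes the secret question, as the thread advises.
        if answer is None:
            self.answer_salt, self.answer_hash = b"", None
            return
        self.answer_salt = secrets.token_bytes(16)
        self.answer_hash = hash_answer(answer, self.answer_salt)


def recover_with_secret_answer(acct: Account, answer: str) -> str:
    if acct.locked:
        return "locked"
    if acct.answer_hash is None:
        return "rejected"                     # nothing to answer, nothing to trip
    candidate = hash_answer(answer, acct.answer_salt)
    if not hmac.compare_digest(candidate, acct.answer_hash):
        acct.audit.append("secret-answer: wrong answer")
        return "rejected"                     # wrong guesses never lock
    if ANSWERS_COMPROMISED:
        # A correct answer may come from someone holding the leaked data,
        # so it trips the lock instead of granting a reset.
        acct.locked = True
        acct.audit.append("secret-answer: correct, account locked for review")
        return "locked"
    return "reset_allowed"


def issue_email_token(acct: Account) -> str:
    token = secrets.token_urlsafe(32)         # sent to the address on file
    acct.email_token_hash = hashlib.sha256(token.encode()).digest()
    return token


def recover_with_email_token(acct: Account, token: str) -> str:
    if acct.locked:
        return "locked"
    if acct.email_token_hash is None:
        return "rejected"
    digest = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(digest, acct.email_token_hash):
        return "rejected"
    acct.email_token_hash = None              # single use
    return "reset_allowed"


def admin_unlock(acct: Account, ownership_proven: bool) -> bool:
    # Manual review, e.g. a message signed with a previously staked address.
    if not ownership_proven:
        return False
    acct.locked = False
    acct.set_secret_answer(None)              # drop the compromised answer
    acct.audit.append("admin: unlocked after ownership proof")
    return True
```
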


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: ikydesu on October 21, 2015, 04:57:25 AM
Well this is irony actually, secret question is basically used for recovery or make a reset password, but in this case otherwise it will be disaster.

This advice was already given a few months ago, but this thread is a nice reminder, especially for newbies.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Amph on October 21, 2015, 07:20:22 AM
I removed it completely a long time ago, because bitcointalk itself was pointing me about the dangerous part of having one

i just write down my pass on a A4 paper, which is not hackable, and i'm done


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: VirosaGITS on October 21, 2015, 07:22:43 AM
I removed it completely a long time ago, because bitcointalk itself was pointing me about the dangerous part of having one

i just write down my pass on a A4 paper, which is not hackable, and i'm done

I'm always wary of doing this, so I don't; instead I write down a reminder sequence that will let me rebuild the password safely, but without being me or going through massive efforts, it's not possible to just check my drawer to find my password.

I figure if i leave home for a while or lose my wallet, i don't want to have to change my passwords too.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on October 21, 2015, 01:06:20 PM
I removed it completely a long time ago, because bitcointalk itself was pointing me about the dangerous part of having one

i just write down my pass on a A4 paper, which is not hackable, and i'm done

I'm always wary of doing this, so I don't; instead I write down a reminder sequence that will let me rebuild the password safely, but without being me or going through massive efforts, it's not possible to just check my drawer to find my password.

I figure if i leave home for a while or lose my wallet, i don't want to have to change my passwords too.

A piece of paper is honestly pretty hard to beat, just a little bit of a pain if you need it as it should be stored in safe or something.   But if you combine paper and code only you know you are right that is pretty much unhackable, only if keylogger or something then it could be taken from other things.   

I really like some of the 2FA things out there.  I have been looking at a few devices thinking about trying it on a site or two.  I want to give a yubikey a try but haven't yet - https://www.yubico.com/products/yubikey-hardware/


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Mickeyb on October 21, 2015, 08:10:32 PM
I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.

Well I don't even remember have I enabled my security question or not or even was this obligatory or not. It's been a while since I have created this account.

So the safest is just not touch it and use it for password recovery. I will then just forget about it!


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on November 09, 2015, 10:45:19 PM
Bumping as it's still happening so I figure some might need to read this - https://bitcointalk.org/index.php?topic=1214476.0

Do not use secret question to reset your account password.  I would suggest removing it if you have one.  It's a pain and possible waiting time to get account back.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: btcdevil on November 10, 2015, 04:44:06 AM
One of my friend's accounts got hacked and the hacker changed the password and email id, please tell me how to recover that account, what is the procedure to get back that account, he used the wallet address, so he cannot get signature from them.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on November 10, 2015, 04:48:21 AM
One of my friend's accounts got hacked and the hacker changed the password and email id, please tell me how to recover that account, what is the procedure to get back that account, he used the wallet address, so he cannot get signature from them.

He needs to post in meta with all the details. I suggest him starting an account just to post in meta and him to explain it.

I would not try to do it as a "friend" have it come from the source.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Snorek on November 10, 2015, 06:57:17 AM
Secret Question Recovery is like the Trojan Horse of Bitcointalk. Once you use it there is usually no way back, as I heard that theymos or badbear are usually busy to the point that they don't unlock low level member accounts.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: brianlee01 on November 10, 2015, 07:40:15 AM
I'm not using Secret Question since I know if I use that the account will be locked. Also it will be hard to unlock it because theymos and Badbear are really busy. And I see many who get that problem wait for him to unlock it. My suggestion to everyone: just use your email to reset your password.
Thanks


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: hasiramasenju on November 10, 2015, 10:41:19 AM
since the first time i had register in this site i'm never use a Secret Question because I was afraid will forget the answers

and my account will be locked forever


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on February 01, 2016, 05:53:35 AM
Bumping in case anyone new now and they have not read this. Resetting your password via secret question does still indeed lock the account.

Saw one in meta so thought I would give this a bump for those new, and if some missed it.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Snorek on February 01, 2016, 06:08:01 AM
Bumping in case anyone new now and they have not read this. Resetting your password via secret question does still indeed lock the account.

Saw one in meta so thought I would give this a bump for those new, and if some missed it.
It is sad that we must resort to measures like 'bumping' thread with the info about disruptive functionality of bitcointalk. This issue is known for a long time, how much time will pass until it will be fixed?
I imagine it is not something impossibly hard to fix, right?


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on February 01, 2016, 06:31:05 AM
Bumping in case anyone new now and they have not read this. Resetting your password via secret question does still indeed lock the account.

Saw one in meta so thought I would give this a bump for those new, and if some missed it.
It is sad that we must resort to measures like 'bumping' thread with the info about disruptive functionality of bitcointalk. This issue is known for a long time, how much time will pass until it will be fixed?
I imagine it is not something impossibly hard to fix, right?

The good news is it's slowed down from what it was, so it is being passed on the knowledge it still happens.   The sad thing is it still happens then people have to prove they own account, and it can take time.

A fix such as removing it would be great long term. This just will let a few new people to see it but will in no way stop it like removal would.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: buddycool on February 01, 2016, 09:12:32 AM
I bought this account from a friend. I was about to set the security question, thank god I didn't. My goodness that I found your post, thanks a lot


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on February 27, 2016, 03:18:57 AM
Try to bump this every once in a while.  It is still happening https://bitcointalk.org/index.php?topic=1377943.0

DO NOT reset via secret question it locks your account. 


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on March 16, 2016, 04:18:36 AM
Been half a month it still is happening - https://bitcointalk.org/index.php?topic=1398722.0

The good news is there is a good reduction of amount since when I started this thread, so it is less of a problem.  Bad thing is it seems a few still don't know and it's a pain to get unlocked after.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: X-ray on March 16, 2016, 06:30:36 AM
Well it would be great if there is a warning pinned on profiles that if they reset password using the secret word then their accounts will be locked. Not everyone sees this thread actually and unfortunately it hardly gets any attention once this got covered with other threads in here in the Beginners and help section.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on March 17, 2016, 04:24:06 AM
Well it would be great if there is a warning pinned on profiles that if they reset password using the secret word then their accounts will be locked. Not everyone sees this thread actually and unfortunately it hardly gets any attention once this got covered with other threads in here in the Beginners and help section.

It would be nice but unfortunately that has not been implemented.   This thread was to show newer users, as it is good info to know and I did not think new users were reading meta.

I wish I could take credit of everyone seeing it but most have seen it in Meta. If you don't read meta I suggest you do as there truly is lots of good info in it. I read it a lot more than I post in it. But people who read Meta have known about this a long time.

And really it has slowed down quite a bit which is good.  So even though there is no message the decrease of people getting locked out due to it is a good thing.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Duomo on March 18, 2016, 01:22:37 AM
I never knew that using a secret question to reset an account would lock your account the few years I have been here. I have never set a secret question and it seems something like this should have been addressed earlier. My hope is that bitcointalk accounts get 2FA authentication because it would be impossible to log into a bitcointalk account with the generated token from the authenticator. This seems like such a hassle. :-\


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Slowturtleinc on March 18, 2016, 01:59:34 AM
Stopped using secret questions when I forgot a password for a gambling site and had to call them up, 30 minutes of me guessing on the line she says to me "What's your wife's name" and I did not have a wife. Trolled myself back when I signed up for the account and put that down for some reason or another. So yeah stupid story about secret questions sucking major ass imo. 8)



Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: PHS on March 18, 2016, 03:39:58 AM
Bumping as it's still happening so I figure some might need to read this - https://bitcointalk.org/index.php?topic=1214476.0

Do not use secret question to reset your account password.  I would suggest removing it if you have one.  It's a pain and possible waiting time to get account back.
Thanks for the info dude :)
Are the admins moving to fix this?


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: X-ray on March 18, 2016, 05:41:31 PM
Stopped using secret questions when I forgot a password for a gambling site and had to call them up, 30 minutes of me guessing on the line she says to me "What's your wife's name" and I did not have a wife. Trolled myself back when I signed up for the account and put that down for some reason or another. So yeah stupid story about secret questions sucking major ass imo. 8)


It's the secret question here in the forum not in your gambling site. You clearly didn't read the thread and you are spamming your sig here. Next time dude, again my favorite advice, learn to read. No one cares about your story here. This is a serious security matter in everyone's bitcointalk account.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: sallymeeh27 on March 18, 2016, 05:54:47 PM
This is actually good for informing us to do so, it was a big help for others not to do so. But I was thinking mostly of the security questions use are secretly questions why do not allow to use this for I believe that this is the safest one for each and everyone..


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Iseecookies on March 18, 2016, 08:07:23 PM
@OP
This is good to know, I routinely think of using this option on this site. Only reason I do not is there seem to be a lot of hacked accounts
and secret questions tend to be similar across the web or you are tempted to use the same one.

Stopped using secret questions when I forgot a password for a gambling site and had to call them up, 30 minutes of me guessing on the line she says to me "What's your wife's name" and I did not have a wife. Trolled myself back when I signed up for the account and put that down for some reason or another. So yeah stupid story about secret questions sucking major ass imo. 8)


It's the secret question here in the forum not in your gambling site. You clearly didn't read the thread and you are spamming your sig here. Next time dude, again my favorite advice, learn to read. No one cares about your story here. This is a serious security matter in everyone's bitcointalk account.

See nothing wrong with his post since he is stating why he does not use the function, you on the other hand.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on March 18, 2016, 08:32:31 PM
Bumping as it's still happening so I figure some might need to read this - https://bitcointalk.org/index.php?topic=1214476.0

Do not use secret question to reset your account password.  I would suggest removing it if you have one.  It's a pain and possible waiting time to get account back.
Thanks for the info dude :)
Are the admins moving to fix this?

Do not believe so. I would delete it personally if you have one on account. I believe there was at least 1 compromise where answers could have been compromised.... so can't really turn it on or it risks accounts with it being taken by "bad guys".

And I could be wrong on that but i had it in my head started after a compromise of DB.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: Slowturtleinc on March 18, 2016, 10:46:23 PM
Stopped using secret questions when I forgot a password for a gambling site and had to call them up, 30 minutes of me guessing on the line she says to me "What's your wife's name" and I did not have a wife. Trolled myself back when I signed up for the account and put that down for some reason or another. So yeah stupid story about secret questions sucking major ass imo. 8)


It's the secret question here in the forum not in your gambling site. You clearly didn't read the thread and you are spamming your sig here. Next time dude, again my favorite advice, learn to read. No one cares about your story here. This is a serious security matter in everyone's bitcointalk account.

Practicing one's favorite advice might help one become a better writer. Benefit of the doubt helps as well if it's hard to understand the context or rationale of someone's response. Signature spamming is a serious accusation and I hope you are able to stand firmly on the ground when you lay out the evidence. Look forward to the thread. :)
*****************************************************************************************************
*****************************************************************************************************
Security questions (back to the issue) are a way for hackers (another issue here) to get access to other sites around the web because people often answer the same question/answer on multiple sites. So being that I gave a gambling site as reference, does not reflect poorly but shows people just need to be aware everywhere they go.



Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on April 15, 2016, 06:27:21 PM
Been about a month figured I would bump due to it still happening:
https://bitcointalk.org/index.php?topic=1436300.0
https://bitcointalk.org/index.php?topic=1398722.0
https://bitcointalk.org/index.php?topic=1377943.0

Just picked a few from front page of Meta.  You will see it still happens and is a long process to wait to get it back.  I suggest deleting secret question if you have one.  Only reset via email, NEVER secret message as it still locks account.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on April 30, 2016, 03:19:44 PM
We have been lucky that this seems to be less and less. Bumping to show what happens if you do it. It can take a long period of time and waiting, https://bitcointalk.org/index.php?topic=1398722.0 . This thread shows waiting and it's not real fun.

So if you have a secret question I would delete it, and if for some reason want it left on account don't use it for any reason or it will lock your account.


Title: Re: Message To Beginners: Do not use Secret Question to reset account - It locks it
Post by: notlist3d on May 30, 2016, 03:51:51 AM
Kinda a monthly PSA of this.  Again has slowed down a lot which is good.  But sadly people are still using security questions to unlock accounts - https://bitcointalk.org/index.php?topic=1490756.0

For anyone new or if anyone has not read it DO not reset via security question on password, or it will lock account.