Title: Why People are getting Banned for using Security Question as Recovery Method??
Post by: SM23031997 on March 05, 2017, 05:44:50 AM

Meta thread is full of people asking to recover their account which is showing as compromised after using security question as a recovery method.
Why People are getting Banned for using Security Question as Recovery Method?? What Should be done to stop this problem?? and what forum is doing to stop this kinda problem other than recovering their account one by one?

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: Quickseller on March 05, 2017, 06:54:16 AM

The forum was hacked in mid 2015 that resulted in some information being leaked which included everyone's answer to their security question (those that had one) in a way so that little work was needed to decrypt the information into plaintext. As a security precaution theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.
The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: SM23031997 on March 05, 2017, 08:39:09 AM

The forum was hacked in mid 2015 that resulted in some information being leaked which included everyone's answer to their security question (those that had one) in a way so that little work was needed to decrypt the information into plaintext. As a security precaution theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.

If this is the reason then why admins are taking 2-3 months to resolve someone's issue if they have valid proof of ownership and if they had thousands of pending case due to this then they should find a solution to the problem.

The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: Joel_Jantsen on March 05, 2017, 09:29:22 AM

If this is the reason then why admins are taking 2-3 months to resolve someone's issue if they have valid proof of ownership and if they had thousands of pending case due to this then they should find a solution to the problem.

1. Recovering Lost Accounts is forum's least priority.
2. It becomes ever tougher if you're not a known good contributor to the community. I have seen people with good trusts and rep getting their accounts recovered faster.
3. That doesn't mean the accounts can never be recovered, takes time, even months. All you can do is send admins the proof they want as mentioned in the stickies and send them monthly reminders.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: Coin-Keeper on March 06, 2017, 09:07:44 PM

The forum was hacked in mid 2015 that resulted in some information being leaked which included everyone's answer to their security question (those that had one) in a way so that little work was needed to decrypt the information into plaintext. As a security precaution theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.

The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

I am not an Admin on this site, but I manage at others. One solution I could think of would be to do a full wipe of ALL security question answers on EVERY single account. Then site Mgmt could post a new Meta thread telling active users to re-establish a security response for the future. The previously hacked database out in the wild would be of no use any longer, and yet our active members could use the security challenge answer the way it is intended by the software designers. Just a little member making a suggestion, for whatever it's worth.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: Valiance on March 06, 2017, 09:50:52 PM

Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: actmyname on March 07, 2017, 10:31:46 PM

Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?

I find that it's also kind of useless for security questions to exist since as long as you have the password to the account, you are able to change the answers to them with ease. In fact, with solely the password, one can do essentially anything they want (to the account - any transactions would likely require them to provide a signed message)

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: bamboylee on March 08, 2017, 12:00:10 AM

Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?

Does this mean we have no way to recover our account if we forgot our password? That is a pain. I have my account in remember forever. I am now afraid to logout because I might not get the password right and lock me out of my account.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: minifrij on March 08, 2017, 12:14:37 AM

Does this mean we have no way to recover our account if we forgot our password? That is a pain. I have my account in remember forever. I am now afraid to logout because I might not get the password right and lock me out of my account.

You can ask an admin to change the password of your account, however for low priority cases this can take up to a few months.
You can also reset your password via Email I believe, if you have an Email attached to your account.

You should probably change your password, install a password manager like LastPass and save it in there. That way it can be very secure and you won't lose it.

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: Quickseller on March 08, 2017, 12:34:28 AM

The forum was hacked in mid 2015 that resulted in some information being leaked which included everyone's answer to their security question (those that had one) in a way so that little work was needed to decrypt the information into plaintext. As a security precaution theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.

The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

I am not an Admin on this site, but I manage at others. One solution I could think of would be to do a full wipe of ALL security question answers on EVERY single account. Then site Mgmt could post a new Meta thread telling active users to re-establish a security response for the future. The previously hacked database out in the wild would be of no use any longer, and yet our active members could use the security challenge answer the way it is intended by the software designers. Just a little member making a suggestion, for whatever it's worth.

I still do not see the rationale behind continuing to allow users to reset their passwords via their security question in the first place considering the result will always be a "security ban"

Title: Re: Why People are getting Banned for using Security Question as Recovery Method??
Post by: VeryFunnny on March 13, 2017, 01:13:23 PM

If this is the reason then why admins are taking 2-3 months to resolve someone's issue if they have valid proof of ownership and if they had thousands of pending case due to this then they should find a solution to the problem.

1. Recovering Lost Accounts is forum's least priority.
2. It becomes ever tougher if you're not a known good contributor to the community. I have seen people with good trusts and rep getting their accounts recovered faster.
3. That doesn't mean the accounts can never be recovered, takes time, even months. All you can do is send admins the proof they want as mentioned in the stickies and send them monthly reminders.
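
An added example, not part of the thread and not the forum's actual code: a sketch that combines the policy Quickseller describes (a correct answer that predates the breach locks the account for review) with Coin-Keeper's suggestion (answers re-established after the breach work normally), storing answers with a slow salted KDF. The cutoff date, the `Account` layout and the return strings are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed cutoff: the thread only says "mid 2015"; substitute the real breach date.
BREACH_CUTOFF = datetime(2015, 7, 1, tzinfo=timezone.utc)


@dataclass
class Account:  # hypothetical record layout
    name: str
    salt: bytes = b""
    answer_hash: bytes = b""
    # An answer with no recorded date is treated as older than the breach.
    answer_set_at: datetime = datetime.min.replace(tzinfo=timezone.utc)
    locked: bool = False


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then use a slow salted KDF so a leaked
    # table is not cheap to turn back into plaintext answers.
    norm = " ".join(answer.casefold().split()).encode()
    return hashlib.scrypt(norm, salt=salt, n=2**14, r=8, p=1)


def set_answer(acct: Account, answer: str, now: datetime) -> None:
    # Re-establishing an answer gives it a fresh salt and a new timestamp.
    acct.salt = os.urandom(16)
    acct.answer_hash = hash_answer(answer, acct.salt)
    acct.answer_set_at = now


def recover(acct: Account, answer: str) -> str:
    if acct.locked:
        return "locked"
    supplied = hash_answer(answer, acct.salt)
    if not hmac.compare_digest(supplied, acct.answer_hash):
        return "denied"
    if acct.answer_set_at < BREACH_CUTOFF:
        # Correct answer, but the answer itself is in the leaked data:
        # treat it as a possible takeover and hold for manual review.
        acct.locked = True
        return "locked_for_review"
    return "reset_allowed"
```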