Bitcoin Forum

Other => Meta => Topic started by: bitcoinminer on April 25, 2013, 12:24:02 AM



Title: Attempted account hack?
Post by: bitcoinminer on April 25, 2013, 12:24:02 AM
For the second time now, someone has tried to reset my password on my account.

This time, it came from IP address 63.118.235.5, which traces to the domain "mail.wholesystems.com".

Any idea if there is someone from that domain involved in BitCoin?

Admin, last time you moved this message elsewhere - I think if we can have some of the other threads I've seen in here, a discussion about someone potentially trying to compromise an account is worthy of a discussion.


Title: Re: Attempted account hack?
Post by: tysat on April 25, 2013, 01:04:33 AM
I'd suggest PMing theymos, he has access to the IP logs.


Title: Re: Attempted account hack?
Post by: bitcoinminer on April 25, 2013, 01:31:49 AM
Well the IP is listed in the message as being where it came from... what do you suggest?


Title: Re: Attempted account hack?
Post by: Kluge on April 25, 2013, 01:37:48 AM
Well the IP is listed in the message as being where it came from... what do you suggest?
Theymos can check to see if that IP address has attempted to reset others', or if that IP address is associated with any accounts. If there are multiple instances of it, he can at least IP ban the person - which isn't really a solution worth cheering about, but there really aren't any decent solutions to this outside of ensuring your password is very secure both here and with your email service.


Title: Re: Attempted account hack?
Post by: myrkul on April 25, 2013, 04:00:22 AM
Well the IP is listed in the message as being where it came from... what do you suggest?
Theymos can check to see if that IP address has attempted to reset others', or if that IP address is associated with any accounts. If there are multiple instances of it, he can at least IP ban the person - which isn't really a solution worth cheering about, but there really aren't any decent solutions to this outside of ensuring your password is very secure both here and with your email service.
And with your back-up email service, if you use Gmail or another web-based email provider.

And lie on the security questions. Just remember your lies.


Title: Re: Attempted account hack?
Post by: John (John K.) on April 25, 2013, 04:02:00 AM
I've seen hacking attempts on my IRC handle too.


Title: Re: Attempted account hack?
Post by: bitcoinminer on April 25, 2013, 04:09:31 AM
Is there a way to lock my account to a static IP address?


Title: Re: Attempted account hack?
Post by: theymos on April 25, 2013, 01:38:31 PM
I will look into it later. Maybe I'll add an option to disable password resets for your account.

And lie on the security questions. Just remember your lies.

Adding a security question is optional. I don't recommend using them (on any site).

Is there a way to lock my account to a static IP address?

That'd be too much trouble. Everyone changes IPs eventually.


Title: Re: Attempted account hack?
Post by: myrkul on April 25, 2013, 02:11:57 PM
And lie on the security questions. Just remember your lies.

Adding a security question is optional. I don't recommend using them (on any site).
Well, it's optional here. But not on every site. On those you do have to use them, so long as you lie, and remember the lie (mother's maiden name is actually the name of your first dog, or whatever) then that reduces the security vulnerability that they introduce.

How many famous people have had their accounts hacked because the attacker could just look up the answers to those questions?


Title: Re: Attempted account hack?
Post by: theymos on April 25, 2013, 06:15:41 PM
Yeah, "security questions" are totally insecure. For sites that require them, I just pick a random question and generate another password.


Title: Re: Attempted account hack?
Post by: myrkul on April 25, 2013, 06:28:12 PM
Yeah, "security questions" are totally insecure. For sites that require them, I just pick a random question and generate another password.
That's a great idea!

Mother's maiden name? D3r(83ckd8#22-H/  :D


Title: Re: Attempted account hack?
Post by: wachtwoord on April 25, 2013, 06:31:44 PM
Yeah, "security questions" are totally insecure. For sites that require them, I just pick a random question and generate another password.
That's a great idea!

Mother's maiden name? D3r(83ckd8#22-H/  :D

Yeah I always just jam my keyboard on those. These are also stored as plain text often.


Title: Re: Attempted account hack?
Post by: bitcoinminer on April 25, 2013, 06:48:01 PM
Maybe we could require that someone has to request a password reset based on not only the username, but the email address associated with it as well?


Title: Re: Attempted account hack?
Post by: Birdy on April 25, 2013, 10:04:12 PM
Yeah, "security questions" are totally insecure. For sites that require them, I just pick a random question and generate another password.

Hehe, I do that, too ^^


Title: Re: Attempted account hack?
Post by: theymos on April 26, 2013, 12:15:40 AM
For the second time now, someone has tried to reset my password on my account.

This time, it came from IP address 63.118.235.5, which traces to the domain "mail.wholesystems.com".

Any idea if there is someone from that domain involved in BitCoin?

Admin, last time you moved this message elsewhere - I think if we can have some of the other threads I've seen in here, a discussion about someone potentially trying to compromise an account is worthy of a discussion.

I think that he only tried this on you. He may have actually thought that he owned your account. He was trying passwords on a similar-looking account.
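An added example, not part of any post in this thread and not the forum's own code: the IP-log check Kluge describes (has this address requested resets for other accounts, and which accounts is it associated with) together with the look-alike-username case theymos reports. The event tuple format, the action names and the 0.8 similarity threshold are assumptions, and every log line is constructed.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed auth-log events (source IP, action, account); not real forum data.
EVENTS = [
    ("203.0.113.7", "login_fail", "alice_mlner"),
    ("203.0.113.7", "login_fail", "alice_mlner"),
    ("203.0.113.7", "reset_request", "alice_miner"),
    ("198.51.100.9", "reset_request", "bob"),
    ("198.51.100.9", "reset_request", "carol"),
    ("198.51.100.9", "reset_request", "dave"),
    ("192.0.2.44", "login_ok", "erin"),
    ("192.0.2.44", "reset_request", "frank"),
]

def triage_reset_sources(events, similarity=0.8):
    """Per source IP: which accounts it requested resets for, and a likely reason."""
    resets = defaultdict(set)   # ip -> accounts it requested a reset for
    logins = defaultdict(set)   # ip -> accounts it logged in to or tried to
    for ip, action, account in events:
        if action == "reset_request":
            resets[ip].add(account)
        elif action in ("login_ok", "login_fail"):
            logins[ip].add(account)

    report = {}
    for ip, targets in resets.items():
        # Reset targets that closely resemble an account this IP also uses.
        lookalikes = sorted(
            (t, a) for t in targets for a in logins[ip]
            if t != a and SequenceMatcher(None, t, a).ratio() >= similarity
        )
        if len(targets) > 1:
            verdict = "multiple-accounts"   # several victims from one address
        elif lookalikes:
            verdict = "possible-mix-up"     # user confusing two similar names
        else:
            verdict = "single-target"       # one reset, no explanation in the log
        report[ip] = {"targets": sorted(targets),
                      "associated": sorted(logins[ip]),
                      "lookalikes": lookalikes,
                      "verdict": verdict}
    return report
```
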


Title: Re: Attempted account hack?
Post by: bitcoinminer on April 26, 2013, 03:12:32 AM
For the second time now, someone has tried to reset my password on my account.

This time, it came from IP address 63.118.235.5, which traces to the domain "mail.wholesystems.com".

Any idea if there is someone from that domain involved in BitCoin?

Admin, last time you moved this message elsewhere - I think if we can have some of the other threads I've seen in here, a discussion about someone potentially trying to compromise an account is worthy of a discussion.

I think that he only tried this on you. He may have actually thought that he owned your account. He was trying passwords on a similar-looking account.

OK.  I guess I'll just have to wait and see... it was just that this was the second time in about a month someone tried to "recover" my account.


Title: Re: Attempted account hack?
Post by: repentance on April 26, 2013, 09:19:56 AM
And lie on the security questions. Just remember your lies.

I always give nonsense answers on security questions.  You can put "polka dots" down for your mother's maiden name for all the system cares and "dragon football aluminium" for your favourite movie.


Title: Re: Attempted account hack?
Post by: myrkul on April 26, 2013, 04:18:16 PM
And lie on the security questions. Just remember your lies.

I always give nonsense answers on security questions.  You can put "polka dots" down for your mother's maiden name for all the system cares and "dragon football aluminium" for your favourite movie.
Exactly. As long as you remember that your favorite movie was dragon football aluminum, you're good. Which is why I like Theymos' "just generate another password" idea, because then you don't have to remember. The password generator does that. :)