Bitcoin Forum

Other => Meta => Topic started by: TalkStar on February 24, 2019, 07:31:09 PM



Title: Force to Reset Password
Post by: TalkStar on February 24, 2019, 07:31:09 PM
Hello Everyone,

In recent times bitcointalk account hacking has been a big concern for us. We are getting threads where members are claiming their accounts have been hacked and are facing a hard situation recovering them. In the current system there is an option "Always stay logged in". If you click on that then you don't need to enter login details until you use the log out option. Many of us use Google's "save password" option to log in.

As a result we may forget our password because of not using it for a long time. On the other hand many users use the same password for all online accounts and it's an opportunity for hackers to hack their accounts easily.

How would it be if the forum forced a password reset every 2 months? For example, if someone didn't change his/her password during this time frame then he/she would be redirected to the password reset page after logging in. After resetting to a new password he/she would be able to log in again.

In my opinion if this forced password system is implemented by our forum then it will not be easier for hackers to hack users' accounts. From my experience I have seen this forced password system on some banking websites where they force their users to reset their account passwords every 2 or 3 months. If hackers are somehow able to steal users' account info, they still will not be able to use it for a long time due to the forced password system.


Title: Re: Force to Reset Password
Post by: LoyceV on February 24, 2019, 07:47:10 PM
I couldn't disagree more!

I very much dislike online services that require a password change. If it can be compromised in 10 years, it can be compromised in 2 months too. Even worse: regular password changes are terrible: it's extra work, it requires me to make a new backup of my password manager, and for the users who don't use a password manager, it makes it impossible to remember a new difficult password all the time.


Title: Re: Force to Reset Password
Post by: Pmalek on February 24, 2019, 07:50:50 PM
The company I work for forces me to change my password every 60 days and that is actually a good idea you suggested.
Many of us use google "save password" option for log in.
You really should not do that! Password stealers are configured in such a way as to find and steal the data that Chrome/Firefox and other browsers store when using the 'save password' option. At least get a password manager if you prefer saving your passwords.


Title: Re: Force to Reset Password
Post by: shield132 on February 24, 2019, 08:36:12 PM
Not in recent times but hacked accounts were always a problem here; for example, once a famous member posted in Condoras's thread and he filled a 0.5 BTC loan, but in reality the account was hacked, this man just didn't check it and lost his bitcoins. Usually such things were happening because of hacked accounts, that's a real problem.
On the other hand I don't like your idea of requesting a password change every two months. I know my password well and I take care of my account, so why change it that often for you? Do the same, set a hard/different password and remember it, that's not hard lol.


Title: Re: Force to Reset Password
Post by: Monix Cahyono on February 24, 2019, 08:55:57 PM
I agree with this
I very much dislike online services that require a password change.
For security, in my opinion, it is enough for this forum to only use the Google 2FA application without having to change the password regularly, which makes the user have to memorize it again.


Title: Re: Force to Reset Password
Post by: logfiles on February 24, 2019, 08:59:41 PM
Do the same, set hard/different password and remember it, that's not hard lol.
Setting a hard/different password does not necessarily mean your account cannot be compromised. Malware in the form of key loggers and web extensions will do the damage ;D

I even saw some thread (though I can't trace it right now) where someone said that he even used a very long, hard password but his account was still compromised.

That said, what I think should be done to avoid inconveniencing most users with timely password resets is that they should only be applied by default if:
- An account's IP address abruptly changes from what was previously recorded (probably from signing up or from a certain earlier period of the account's usage)
- An account has woken up from some long period of inactivity.
- Posting style has abruptly changed (from the Spanish local board then suddenly to the Russian local board)


Title: Re: Force to Reset Password
Post by: HODL2090 on February 24, 2019, 09:09:14 PM
The forum is not responsible for the personal security of the accounts of members. A forced password reset may not sit well with everyone, as can already be seen on this thread.
Suggesting it to the forum users as a step to further secure their accounts would be best. And anyone interested can heed the advice.


Title: Re: Force to Reset Password
Post by: Quickseller on February 24, 2019, 09:12:10 PM
There are pros and cons to doing this.

If your password is compromised, someone may be able to access, and continue to access your account indefinitely if you do not change your password. If you recycle passwords (as many people do unfortunately), the chances of this happening to the password you are using go up over time.

OTOH, changing your password frequently will require either backups of a password manager frequently, or people will use less secure passwords. It will also lead to more frequent password resets, which is another security concern.

On balance, this is probably not a good idea because it would be unusual for someone to hack an account around here and not attempt to do something (such as post or send a PM that will elicit a response) that would attract the attention of the owner. A hacker might be able to read the personal messages of a hacked account on an ongoing basis, however there are warnings against sending sensitive information unencrypted.   


Title: Re: Force to Reset Password
Post by: DooMAD on February 24, 2019, 09:46:33 PM
Not a fan of this at all.  It's bad enough I have to do it at work, I don't want to do it here as well.  Passwords are enough of a ballache as it is.

Bitcoin is about personal responsibility and I would hope this forum wouldn't take the "Nanny State" approach and interfere with users' wishes regarding security.  Just like how 2FA isn't compulsory here as it is on some sites.


Title: Re: Force to Reset Password
Post by: lobcmt2 on February 25, 2019, 02:28:18 AM
Users should prepare enough knowledge, skills, and carefulness to protect themselves from hackers.
- Never use the "always stay logged in" option.
- Never use the "Save/Remember password" option.
- Never use the same passwords for your different types of accounts, especially if you use the same email to register.
- Never use add-ons from unknown third parties
In addition, antivirus and internet security software should be used for all your devices that connect to the Internet.

Use strong passwords, secure devices, be careful and stay away from third-party add-ons.
And, stake a bitcoin address with a signed message to prove ownership.
All of those steps are enough to protect accounts.

Moreover, I totally agree with what LoyceV said. It becomes very complicated for users to be regularly forced into password changes. We all are human, and it is hard to remember all passwords on all platforms. Even composing and saving backups of accounts and account passwords takes a lot of time.
It is so wasteful!

There are topics that guide on how to secure IDs from threats over the Internet.
[Guide] Bitcointalk account security (https://bitcointalk.org/index.php?topic=4920096.0) (sncc (https://bitcointalk.org/index.php?action=profile;u=1560793))
Recovering hacked/lost accounts (https://bitcointalk.org/index.php?topic=5089777.0) (theymos (https://bitcointalk.org/index.php?action=profile;u=35))
Stake your bitcoin address here (https://bitcointalk.org/index.php?topic=996318.0) (Tomatocage (https://bitcointalk.org/index.php?action=profile;u=37522))
Do you know how hackers are collecting our data by smartphone & real life? (https://bitcointalk.org/index.php?topic=5110967.0) (Coolcryptovator (https://bitcointalk.org/index.php?action=profile;u=1980983))
Must have web browser addons to keep you a step safer from phishing (https://bitcointalk.org/index.php?topic=5086564.0) (logfiles (https://bitcointalk.org/index.php?action=profile;u=1247226))


For password managers, can you help me with links to services?
I have never used a password manager for my accounts.
Thank you.


Title: Re: Force to Reset Password
Post by: malikusama on February 25, 2019, 05:03:57 AM
How it will be if forum force to reset password in every 2 month? For example if someone didn't change his/her password during this time frame then he/she will redirect to password reset page after log in. After reset a new password he/she will be able to log in again.


This practice needs extra effort because every time you change your password you will have to create a backup, which is definitely a headache. A 2-3 month duration is too short for a password change; I would never suggest that.
Anyhow, 4-5 months for a password change is acceptable if we really need it in future.

Bitcoin is about personal responsibility and I would hope this forum wouldn't take the "Nanny State" approach and interfere with users' wishes regarding security.  Just like how 2FA isn't compulsory here as it is on some sites.

I strongly agree with DooMAD, our online security is our own personal responsibility.


Title: Re: Force to Reset Password
Post by: DdmrDdmr on February 25, 2019, 07:14:14 AM
<…>
I've got way too many site (all sorts) passwords to keep track of, and forcibly having to reset them to new values would be a real hazard. Despite what security best practice suggests, constant resetting of passwords becomes a stretch for those who commit them to memory, and likely one will start spinning a given set, adding number sequences to them, and incrementing them on a plus-one basis upon each password reset.

I'd rather have 2FA or alike to doubly secure the credential login process than have to test my memory even further.


Title: Re: Force to Reset Password
Post by: TheBeardedBaby on February 25, 2019, 07:37:24 AM
No matter what level security you have, if you don't know how to protect your data, changing the data every x days won't do the job.

Those who know what to do are already protected enough, those who have no idea, have to be educated.
Instead of forcing different procedures, better to add a link in the welcome message on how to protect yourself from eventual intruders. It's not the forum's responsibility to teach the newbies, but still we can add some helpful info.

In this digital world, how to protect yourself should be a common knowledge.


Title: Re: Force to Reset Password
Post by: Jet Cash on February 25, 2019, 07:40:53 AM
Why should we be inconvenienced because people are too lazy or stupid to keep their computers and assets safe?

There is an old saying - " A fool and his Bitcoin Talk account are soon parted" - maybe we should have some guidance threads. Oh wait, we already have those, but people don't read them, unless they want to post "good project" of course. If people are addicted to unprotected sex with unknown porn sites, or they believe that an "investment" plan will be able to reward them with 50% interest every week, then they need to change more than their password.


Title: Re: Force to Reset Password
Post by: r1s2g3 on February 25, 2019, 10:50:21 AM
Actually I have the same policy in my work environment: you need to change your password every 30 days and you cannot reuse the previous 5 passwords. Guess what happens to me?

After every 4-5 months when I change the password, if I do not note down my password (against the password policy of the company), I end up raising a ticket to reset my password.
If you want to take all this pain and give all this pain to theymos then you are welcome.
A good password is always good until you tell somebody else or get phished.

A safe browsing habit is a must, though changing passwords occasionally will do no harm.


Title: Re: Force to Reset Password
Post by: Lucius on February 25, 2019, 11:03:19 AM
Not a fan of this at all.  It's bad enough I have to do it at work, I don't want to do it here as well.  Passwords are enough of a ballache as it is.

I have the same opinion; forcing someone to change their password every 2-3 months will not contribute to the security of their accounts, and moreover may cause even greater problems. What we need at this forum is 2FA: after every login a code is sent to the user's e-mail and there is no way to hack a user account except in case the e-mail is compromised plus the password for the forum also.

I'm not sure how much this option is technically demanding to be implemented in this forum, but many other sites provide such additional protection.


Title: Re: Force to Reset Password
Post by: lobcmt2 on February 26, 2019, 01:15:58 AM
Lazy and careless guys will lose their passwords no matter what kind of security solutions are implemented by the forum, such as regularly forced password resets.
Why should we be inconvenienced because people are too lazy or stupid to keep their computers and assets safe.
Smartly choose a strong password, and secure computers as safely as possible.
That's all.


Title: Re: Force to Reset Password
Post by: franky1 on February 26, 2019, 09:47:57 AM
Not a fan of this at all.  It's bad enough I have to do it at work, I don't want to do it here as well.  Passwords are enough of a ballache as it is.

Bitcoin is about personal responsibility and I would hope this forum wouldn't take the "Nanny State" approach and interfere with users' wishes regarding security.  Just like how 2FA isn't compulsory here as it is on some sites.

1. this forum is not bitcoin. it is not the bitcoin network
2. it is a site owned by someone and not a public community property but a private property
3. how dare doomad demand that a site owner cant/shouldnt add security/suggest precautions to his own property
4. how dare doomad then be hypocritical to say that bitcoins network should not do what the community desire
5. how dare doomad desire a corporate group should decide what to do with the network instead
6. doomad follow your own advice. if you dont like something someone is doing to his property, then you can "f**k off"

i say this as reverse psychology (using his tone and mindset) for 3,4,5,6 as its apparent that DOOMAD enjoys wanting a core group to ignore community wishes in respect of a community project. but then wants someones private property to follow community desires.

doomad you love bitcoin having core as a nanny state. when bitcoin should not have a 'tory nanny controlling the family
doomad hates bitcoin having open community of diverse family, when bitcoin should have diversity and everyone being members of a family

doomad wake up. core is bitcoins nanny state.
doomad if you dont want someone babysitting their own property. then why love someone babysitting other peoples property


Title: Re: Force to Reset Password
Post by: franky1 on February 26, 2019, 09:58:27 AM
with that said.
why even have passwords

why not have people register a public address. and then users login by signing a message using the keys of that address.
each log-in will be unique and a hacker cant just use a public key to log-in
whereby log-in is only successful if the unique signature matches. whereby the private key is never given to the forum,ever

it is a few steps better than just having a password on a server and uses a bitcoin feature that is under-utilised outside the bitcoin network



Title: Re: Force to Reset Password
Post by: o_e_l_e_o on February 26, 2019, 10:22:00 AM
Bitcoin is about personal responsibility and I would hope this forum wouldn't take the "Nanny State" approach and interfere with users' wishes regarding security.  Just like how 2FA isn't compulsory here as it is on some sites.
Completely agree with your first sentence, but I would love to see (optional) 2FA here.

Forcing users to change passwords does not improve security. If your password is complex enough to be secure, and you haven't been hacked, then changing it achieves nothing. Forcing changes makes no odds for the people who use password managers, but the majority of users don't. For this majority of users, they do 1 of the following things:
1) Set a new password which is almost identical to their old password - changing letmein01 to letmein02, for example
2) Endlessly cycle between a handful of passwords - to prevent this the forum needs to store all their old passwords, a security risk in and of itself
3) Write their passwords down to help them remember

None of these are good security practices. With bitcoin, you are wholly responsible for your own security. I don't see why the forum should be any different.
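As an added example (not part of o_e_l_e_o's post and not the forum's software), the block below shows what a server enforcing a rotation policy would actually have to store and check. It can compare the new password against the current one in plaintext only because the user types both at reset time, which is how `letmein01` to `letmein02` style changes are caught; against older passwords it can only compare salted hashes, which is the history the post warns has to be kept. Names like `PasswordHistory` and `check_reset`, and the thresholds, are constructed for the illustration.

```python
"""Constructed example: the two checks behind a forced-rotation policy.

1. Trivial-variant check: the user supplies the *current* password when
   resetting, so the server can compare new vs current in plaintext and
   reject suffix increments, case flips and other cosmetic edits.
2. History check: older passwords exist only as salted PBKDF2 hashes, so
   reuse of one of the last N passwords is detected by hash comparison.
"""
import hashlib
import hmac
import os
import re
from collections import deque

HISTORY_DEPTH = 5        # how many old password hashes are retained
MIN_EDIT_DISTANCE = 3    # fewer edits than this counts as "almost identical"


def _strip_digits(pw: str) -> str:
    # letmein01 -> letmein ; Summer2019! -> Summer!
    return re.sub(r"\d+", "", pw)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(current: str, new: str) -> bool:
    """True when `new` is a cosmetic edit of `current`."""
    if new.lower() == current.lower():
        return True
    if _strip_digits(new).lower() == _strip_digits(current).lower():
        return True                      # only the digits changed
    return edit_distance(current.lower(), new.lower()) < MIN_EDIT_DISTANCE


class PasswordHistory:
    """Salted hashes of previous passwords; plaintext is never retained."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.salt = os.urandom(16)       # per-user salt
        self._hashes = deque(maxlen=depth)

    def _hash(self, pw: str) -> bytes:
        # PBKDF2 slows offline guessing if the history table ever leaks.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def seen(self, pw: str) -> bool:
        h = self._hash(pw)
        return any(hmac.compare_digest(h, old) for old in self._hashes)

    def record(self, pw: str) -> None:
        self._hashes.append(self._hash(pw))


def check_reset(history: PasswordHistory, current: str, new: str) -> str:
    """Return 'ok' or the reason the proposed password is rejected."""
    if is_trivial_variant(current, new):
        return "rejected: trivial variant of current password"
    if history.seen(new):
        return "rejected: password was used recently"
    return "ok"
```

The history is bounded, so a user who waits out `HISTORY_DEPTH` rotations can still cycle back to an old favourite; making the check stronger means keeping more hashes, which is exactly the trade-off the post describes.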


Title: Re: Force to Reset Password
Post by: LTU_btc on February 26, 2019, 09:00:30 PM
I have an account on one forum where users must change their passwords every 2 months and I really hate this thing. I use the "always stay logged-in" thing on that forum, so when they ask me to change my password I have to remember my old password, and sometimes it's not that easy a task. Also, then I have to create a new password and remember it. It's inconvenient and I'm not sure that it adds much security. Even if you change your password daily, it won't protect you from phishing websites and similar shit.


Title: Re: Force to Reset Password
Post by: Thirdspace on February 26, 2019, 09:31:38 PM
If hackers be able to steal users account info somehow still then they will not be able to use it for a long time due to force password system.
why would hackers be unable to use it forever?
this forced password reset system would still be useless without an email confirmation link
even with a confirmation link, hackers would just change the registered email right after they hacked the account
because changing email (on this forum) doesn't require clicking on a confirmation link, it just provides a locking mechanism
mandatory password reset would just give headaches, making us memorize a new password every 2 months

In my opinion if this force password system implement by our forum then it will not be easier for hackers to hack users account.
using a good combination of lowercase, uppercase letters, numbers and symbols as password should be enough
even with only a 10 character long password, it wouldn't be that easy to brute force by hackers


Title: Re: Force to Reset Password
Post by: madnessteat on February 27, 2019, 03:22:30 PM
~I have account on one forum where users must change their passwords every 2 month and I really hate this thing.~

I also do not see any additional protection in such actions. I think that frequent password changes only cause inconvenience to users. It is better to have a strong password and of course different for each website.



Title: Re: Force to Reset Password
Post by: tranthidung on February 28, 2019, 02:27:08 AM
The OP's suggestion is unnecessary, in general.
As you mentioned below, hackers can hack both the forum accounts and the emails used to register accounts.
Most of the time, hackers got accounts from hacked emails.
why would hackers unable to use it forever?
this force password reset system would still be useless without email confirmation link
even with confirmation link, hackers would just change the registered email right after they hacked the account
because changing email (on this forum) doesn't require clicking on confirmation link, just provide locking mechanism
The most interesting thing implemented by our beloved admin, theymos, is that if one account changes registered emails two times, the account will be locked, and a confirmation link will be sent to the original email to unlock the account.
In reality, the security mechanism has shown its power to clean out all hacked accounts.
As usual, theymos has demonstrated that he is not too dumb to give hackers so much free space to use the forum as their landfill.


Title: Re: Force to Reset Password
Post by: GreatArkansas on February 28, 2019, 05:56:05 AM
This is a very rare function for a website and I have never seen it before. It is okay but there are still some disadvantages to the website and also to the user. Why not have an option in our account settings, or before creating an account, where there's a choice whether we want to activate the forced password reset every month or any other time frame?