Bitcoin Forum

Other => Meta => Topic started by: skarais on April 08, 2021, 08:45:52 PM



Title: Change Account Password Regularly.
Post by: skarais on April 08, 2021, 08:45:52 PM
I stumbled across something that might be worth asking here. The bpip.org site showed me that the forum admin (theymos (https://bpip.org/Profile?p=theymos)) has periodically changed the password of the account every year for the past 3 years. Is this periodic password change recommended to increase the security of our account?

https://i.ibb.co/0Qxqwj1/Screenshot-2021-04-09-03-27-07-74.jpg (https://bpip.org/Profile?p=theymos)

If so, are there any issues users might face if they periodically change their account password every year?


Title: Re: Change Account Password Regularly.
Post by: The Sceptical Chymist on April 08, 2021, 08:56:45 PM
I change my password occasionally--not too often, and usually after I get paranoid about the forum getting hacked.  It's probably not a bad idea for a member to do that from time to time (and to pick a strong one, too), because people have certainly lost their accounts to hackers in the past and no doubt it'll happen again. 

If there's a downside to doing so, I think it might be that it's a major pain in the ass to recover your account if you forget your password, but maybe a moderator can clarify that.  There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

The security on bitcointalk, as far as I can tell, is questionable and I do wonder how vulnerable the forum is to another major hacking.  It's been a while since the last one, but I've no idea what goes on behind the scenes.


Title: Re: Change Account Password Regularly.
Post by: RickDeckard on April 08, 2021, 09:04:32 PM
Regarding keeping all of my "internet" accounts safe I consider myself as "mild" paranoid. I was a user of LastPass even before they were bought by LogMeIn and by that time I had almost every account that I had with a complex password. I think I'm talking about early 2011-2012. From my point of view we have to look into our accounts as being a reflection of our identity in this world that is the Internet and like all identities we must do our best to keep them out of harm's way.

Regarding the activity of theymos I would probably do the same if I was in the same spot as he is (Admin) especially considering that the forum has no 2FA in place. Even though I'm sure that all the staff have a strong password and it's kept only to the forum and not shared with any other website (a basic usual practice), we are all humans and humans at some point of their life do commit mistakes. I do believe that even if someone is able to hack a staff account he wouldn't be able to create havoc for long but the sheer thought of it happening makes me uneasy (as it for sure makes others).

As always, you should try to always have a really strong password OP. There were times that I've used this tool: https://passwordsgenerator.net/ , but there are many others which are similar to it. Regarding the issues that you may have I don't think so, even though I see some threads popping up every now and then of users alerting that they are going to proceed with a change of their e-mail account and they want to let anyone know that they are going to change it (some I believe even sign their bitcoin address with such information).


Title: Re: Change Account Password Regularly.
Post by: LeGaulois on April 08, 2021, 09:05:45 PM
It is a good practice for any activity on the internet, no matter what type of site it is. Email, bank account, shopping sites, streaming, etc.

This way, if there is a security breach and the data is intercepted, the hacker will have a better chance of getting your old password and not the current one.

There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

People shouldn't care about what others think. If you listen to them, they may say the account has changed if you cough


Title: Re: Change Account Password Regularly.
Post by: Welsh on April 08, 2021, 09:39:58 PM
Only theymos could answer that accurately, the rest of us can only speculate. Although, concerning changing the password frequently: this is something that's been recommended for years, in fact many years ago I think the standard was to recommend you change your password every 2 weeks. Although, if you have a strong password in the first place, and you are sure that it hasn't been compromised then you probably don't need to change your password frequently. Most passwords are gathered via database breaches, and malware. You can't really do anything about databases being breached, and therefore you just need to monitor various resources which provide information about what site has been breached, and change your password accordingly. Of course, you will always have the risk of a website being breached, without yours, the owners or the various organizations providing news about breaches actually knowing about it, well at least quick enough to prevent you from being compromised.

If your system is compromised then changing your password wouldn't have any effect, because if they have compromised your system via a keylogger or whatever method, and they are able to retrieve what you are putting into a website, then you are at risk whether you are entering your password or changing it. It might be advisable, if you suspect that you could be compromised locally, to keep the "remember me" option on websites so you don't have to log in with your password each time. It would take a more sophisticated approach of gathering the password then.



Title: Re: Change Account Password Regularly.
Post by: mk4 on April 09, 2021, 02:10:30 AM
It is a good practice for any activity on the internet, no matter what type of site it is. Email, bank account, shopping sites, streaming, etc.

This way, if there is a security breach and the data is intercepted, the hacker will have a better chance of getting your old password and not the current one.

This. But far more importantly — don't re-use passwords on multiple websites, and make sure your password is long (probably 40 characters or more) and complex enough for it to be difficult to bruteforce.

"But how do I remember all my passwords?"

Use open-source password managers such as Bitwarden[1] and KeePass2[2]!


[1] https://bitwarden.com/
[2] https://keepass.info/


Title: Re: Change Account Password Regularly.
Post by: libert19 on April 09, 2021, 03:09:35 AM
Regarding keeping all of my "internet" accounts safe I consider myself as "mild" paranoid. I was an user of LastPass even before they were bought by LogMeIn..


I have been using LastPass for the last few years, it has been serving well, what made you stop using it if I may ask (considering you used 'was' in the sentence)?


Title: Re: Change Account Password Regularly.
Post by: mk4 on April 09, 2021, 03:20:51 AM
I have been using LastPass for the last few years, it has been serving well, what made you stop using it if I may ask (considering you used 'was' in the sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.


Title: Re: Change Account Password Regularly.
Post by: PrimeNumber7 on April 09, 2021, 04:29:25 AM
Is this periodic password change recommended to increase the security of our account?
If you do not reuse your password and your password is not a derivative of other passwords you use on other sites, you should not need to change your password unless it becomes compromised. I would recommend using a password manager to generate and secure your passwords.

If so, are there any issue users might face if they periodically change their account password every years?
If you change your password, you are risking that you forget or otherwise lose access to your password.

Changing your password, AND using unique passwords, AND not using a password manager means that you will generally use less complex passwords, which will make your accounts more vulnerable to hacking attempts.


Title: Re: Change Account Password Regularly.
Post by: SquirrelJulietGarden on April 09, 2021, 05:49:59 AM
The Best Password Managers (https://lifehacker.com/the-five-best-password-managers-5529133)
[GUIDE] How to Create a Strong/Secure Password (https://bitcointalk.org/index.php?topic=5132378.msg50624914#msg50624914)

Some services recommend or force users to change passwords every 3 or 6 months. If you are not forced to change your password and decide to change it, you have to use a password manager to randomly generate passwords.

If you don't use a password manager, you will create new passwords with something similar to your past passwords. It is bad.


Title: Re: Change Account Password Regularly.
Post by: isaac_clarke22 on April 09, 2021, 06:02:08 AM
~
I can quite relate to that especially after this (https://bitcointalk.org/index.php?topic=5217251.msg53594867#msg53594867) happened to me. It is not that I was locked out from my account, but rather someone from another country posted a scam using my account without my awareness until feedback to my profile came along.

From now on, I often check my IP logs here in the forum and from other accounts to see if someone is logged in from a sus IP that I know does not belong to me.


Title: Re: Change Account Password Regularly.
Post by: Little Mouse on April 09, 2021, 06:14:12 AM
This is common practice and everyone should practice it to secure their account. It's not only bitcointalk, it should be applied to every other site you are using. Personally, I change the password sometimes in my exchange accounts. But in bitcointalk, I have never changed it, it's reasonable because I believe my password is strong enough to be bruteforced. I have used a long password with every possible characters combination.


Title: Re: Change Account Password Regularly.
Post by: mu_enrico on April 09, 2021, 07:40:58 AM
It's okay for other sites, not for bitcointalk, because here:
- If you are locked out, it's more difficult to gain back access.
- There will be the text "this user's password was reset recently" or something like that. Some users will question that as if it's uncommon.

I changed my password several times and stopped doing that after using a very strong password special for this site.


Title: Re: Change Account Password Regularly.
Post by: Lorence.xD on April 09, 2021, 08:38:22 AM
This is common practice and everyone should practice it to secure their account. It's not only bitcointalk, it should be applied to every other site you are using. Personally, I change the password sometimes in my exchange accounts. But in bitcointalk, I have never changed it, it's reasonable because I believe my password is strong enough to be bruteforced. I have used a long password with every possible characters combination.
That is what my teacher in Computer Class said, we have to regularly change our password, mix and match the characters, and choose a long password, and the password doesn't have any connection with you personally. Another one that I might add is that you have to shut up about your important accounts, loose lips sink ships. I wouldn't necessarily do what theymos does which is annually but maybe every 2 to 3 years.


Title: Re: Change Account Password Regularly.
Post by: Cevit20 on April 09, 2021, 10:45:04 AM
This is common practice and everyone should practice it to secure their account. It's not only bitcointalk, it should be applied to every other site you are using. Personally, I change the password sometimes in my exchange accounts. But in bitcointalk, I have never changed it, it's reasonable because I believe my password is strong enough to be bruteforced. I have used a long password with every possible characters combination.
Yes, of course, it is better to use strong passwords everywhere, whether it is a bitcoin account, a Facebook account or an exchanger account, because it is better to use a strong password than to change the password, so we will all use strong passwords everywhere.


Title: Re: Change Account Password Regularly.
Post by: Upgrade00 on April 09, 2021, 11:10:05 AM
I consider changing passwords regularly to be a security practice, but one should take care to write it down to avoid losing it.

There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time.
You can always sign a message using 'change in email or password' as the message, this way, no one would suspect that your account has changed hands as you've proven to still own the Bitcoin address related to your profile.


Title: Re: Change Account Password Regularly.
Post by: pugman on April 09, 2021, 01:12:17 PM
I have been using LastPass for the last few years, it has been serving well, what made you stop using it if I may ask (considering you used 'was' in the sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.
*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

I change my password occasionally--not too often, and usually after I get paranoid about the forum getting hacked.  It's probably not a bad idea for a member to do that from time to time (and to pick a strong one, too), because people have certainly lost their accounts to hackers in the past and no doubt it'll happen again. 

If there's a downside to doing so, I think it might be that it's a major pain in the ass to recover your account if you forget your password, but maybe a moderator can clarify that.  There's also the issue of people thinking your account might have changed hands if you happen to change both your password and your e-mail at the same time (which I think I've also done). 

The security on bitcointalk, as far as I can tell, is questionable and I do wonder how vulnerable the forum is to another major hacking.  It's been a while since the last one, but I've no idea what goes on behind the scenes.
Dude, your paranoia is NOT bad;; for someone like you especially, considering how many rat cum eaters are after you/your account/rep/ lê chipmixer status, etc,.

It's been what, over 6 years, since the last hack? You never thought what is to happen ;.;

<yes, this is me subtly hinting on where new forum is :( iamwaiting.png />


Title: Re: Change Account Password Regularly.
Post by: Timelord2067 on April 09, 2021, 01:53:54 PM
I wouldn't advise changing your password too regularly, as you can see in the OP's example, the password was changed within two days of the first anniversary of the first instance.  This could be a key date such as a birthday, or wedding anniversary etc, so anyone wanting to data mine, or even hack an account can look at this and can probably guess other relevant information.


Title: Re: Change Account Password Regularly.
Post by: NotATether on April 09, 2021, 02:36:35 PM
I have been using LastPass for the last few years, it has been serving well, what made you stop using it if I may ask (considering you used 'was' in the sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.
*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

For the last couple weeks, I'm actually in the process of consolidating all my passwords from Lockwise, GPG files and iCloud to LastPass. And I can tell you that migrating from one password manager to another is a very laborious process when you have hundreds of passwords. Makes me shy away from self-hosted password managers which can screw me over if they blow up (which Bitwarden actually did to me, I never even got it past the install stage).


Title: Re: Change Account Password Regularly.
Post by: libert19 on April 09, 2021, 02:44:23 PM
I have been using LastPass for the last few years, it has been serving well, what made you stop using it if I may ask (considering you used 'was' in the sentence)?

*psst. Ex-LastPass user here. Use Bitwarden instead. It's free (but I recommend paying just to help out the devs), it's open-source, and you can self-host as well.*

Disclaimer: Not affiliated. Just a fan.
*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *

For the last couple weeks, I'm actually in the process of consolidating all my passwords from Lockwise, GPG files and iCloud to LastPass. And I can tell you that migrating from one password manager to another is a very laborious process when you have hundreds of passwords. Makes me shy away from self-hosted password managers which can screw me over if they blow up (which Bitwarden actually did to me, I never even got it past the install stage).

How do you mean 'if they blow up'?


Title: Re: Change Account Password Regularly.
Post by: posi on April 09, 2021, 03:04:26 PM
As Welsh said, only Theymos can provide an honest answer to the OP's question but from my own presumption changing the account password every year shouldn't be a problem if done in the right way.
With that being said, according to what I have learnt ever since I have been browsing online, to prevent vulnerability and for security purposes, it's nice to change one's account password at least every 6 months.


Title: Re: Change Account Password Regularly.
Post by: mk4 on April 09, 2021, 03:11:34 PM
*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *
*psst. Aye m8, g'day. Based on my past research, Dashlane has been bloody reputable from what I remember.*

Unfortunately I can't recommend nor not-recommend it because I haven't tried it personally, but it seems pretty good. I'm just more of a fan of open-source.

How do you mean 'if they blow up'?
I'm guessing something broke or something when he/she was in the process of configuring his/her account.


Title: Re: Change Account Password Regularly.
Post by: RickDeckard on April 09, 2021, 06:01:53 PM
*psst. Current-dashlane user here! Heard a wee bit on Bitwarden, is it better than Dashlane do you reckon oui matêë? *
*psst. Aye m8, g'day. Based on my past research, Dashlane has been bloody reputable from what I remember.*
*psst *psst *psst From all the password managers out there, I would only be able to recommend bitwarden because it's the only one that provides you with an option to self-host[1] your client. This means that you're not storing your encrypted passwords somewhere in the cloud (or bitwarden servers) but you're actually hosting that same environment in a much closer entity (your machine).

As a side note, you'll find in here - https://www.privacytools.io/ (https://www.privacytools.io/)  - a great list of apps and addons that you can use to increase your privacy in almost every spectrum of a computer use (programs, OS, Internet ...).


[1] https://bitwarden.com/help/article/install-on-premise/ (https://bitwarden.com/help/article/install-on-premise/)


Title: Re: Change Account Password Regularly.
Post by: pugman on April 09, 2021, 11:57:24 PM
For the last couple weeks, I'm actually in the process of consolidating all my passwords from Lockwise, GPG files and iCloud to LastPass. And I can tell you that migrating from one password manager to another is a very laborious process when you have hundreds of passwords. Makes me shy away from self-hosted password managers which can screw me over if they blow up (which Bitwarden actually did to me, I never even got it past the install stage).
Okay what the hell? How- what? huh? explain sir.

*psst. Aye m8, g'day. Based on my past research, Dashlane has been bloody reputable from what I remember.*

Unfortunately I can't recommend nor not-recommend it because I haven't tried it personally, but it seems pretty good. I'm just more of a fan of open-source.
*psst. [whispering slowily] I...love dashlane but-- they are switching to an entirely browser-based platform which I am not sure if I like.

*psst *psst *psst From all the password managers out there, I would only be able to recommend bitwarden because it's the only one that provides you with an option to self-host[1] your client. This means that you're not storing your encrypted passwords somewhere in the cloud (or bitwarden servers) but you're actually hosting that same environment in a much closer entity (your machine).

As a side note, you'll find in here - https://www.privacytools.io/ (https://www.privacytools.io/)  - a great list of apps and addons that you can use to increase your privacy in almost every spectrum of a computer use (programs, OS, Internet ...).


[1] https://bitwarden.com/help/article/install-on-premise/ (https://bitwarden.com/help/article/install-on-premise/)
*triple psst to you, ouuu.

Okay in all seriousness, I like the idea behind bitwarden, and I want to use it, but the reviews on it thus far are shaky. ssss. And I don't know if I trust windows to keep my files safe. Heckin hell this is.


Title: Re: Change Account Password Regularly.
Post by: Igebotz on April 10, 2021, 01:27:23 PM
This. But far more importantly — don't re-use passwords on multiple websites, and make sure your password is long (probably 40 characters or more) and complex enough for it to be difficult to bruteforce.
This is risky. I've never seen any site recommend you set your password to 40 letters and above, this is something very strange. How do you manage to use such long passwords and still remember them? Password should be within 8 letters.


"But how do I remember all my passwords?"

Use open-source password managers such as Bitwarden[1] and KeePass2[2]!


[1] https://bitwarden.com/
[2] https://keepass.info/
I don't fancy or trust any third party when it comes to my password, what if there is data breach? You are likely going to lose everything.


Title: Re: Change Account Password Regularly.
Post by: mk4 on April 10, 2021, 02:13:38 PM
This is risky. I've never seen any site recommend you set your password to 40 letters and above, this is something very strange. How do you manage to use such long passwords and still remember them? Password should be within 8 letters.
Jeebus that's probably the worst advice I've read concerning account security in my whole life. Probably worse than saving passwords in a .txt file. There's a reason why a lot of sites don't allow passwords as short as 8 characters anymore, as it's easy as hell to bruteforce if you have good-enough hardware.

I don't fancy or trust any third party when it comes to my password, what if there is data breach? You are likely going to lose everything.
Password manager data being encrypted aside, you don't need to trust them if you don't want to. Hence why I also mentioned self-hosting in one of my previous replies in this thread.


Title: Re: Change Account Password Regularly.
Post by: Timelord2067 on April 10, 2021, 02:53:27 PM
They've got these things called "pen and paper", perhaps you've heard of them?  They can be securely stored offline and need little, or no maintenance and work in an offline environment without the need even for an external power source (not to mention they can be stored "air gapped" one on top of another without information loss or data transfer).

Hackers have to physically come into contact with the "pen and paper", risking exposure to viruses and toxins that may have been planted on the relevant surfaces, with the added layer of security that they have to be able to discern the location of you, then the location of the "pen and paper" which may or may not be in the same physical location as yourself.

 ;D


Title: Re: Change Account Password Regularly.
Post by: ChuckBuck on April 10, 2021, 03:12:51 PM
I wonder if changing password is needed when we can stake address in this forum? Most people stake their address on this forum to be safe even if their account is stolen. While it may take a few to get your account back, but surely no one can steal it unless you no longer own the address. Furthermore, is this forum account really easy to be stolen? In most cases, the hacked accounts are usually accounts that have been inactive for a long time. I haven't changed my password for a long time, nothing happened, maybe I am lucky?


Title: Re: Change Account Password Regularly.
Post by: skarais on April 10, 2021, 04:04:34 PM
OK, I am grateful to anyone who has answered my question and I will probably not quote you one by one.
I got the answer here and maybe I will put it into practice in the future if I am paranoid enough about the security of my account. So far, I haven't had any issues with the password I use. I'm sure it's a pretty strong password with a good combination.

As we can see theymos changes the password every year (last 3 years) and I believe it is a good practice for someone like him even though it is highly unlikely that his account will be hacked and controlled by someone else for a long time. But I believe we don't need to change our email and password if it's not an urgent situation like a hacking attempt or emails full of spam messages and phishing attempts.



Title: Re: Change Account Password Regularly.
Post by: Pmalek on April 11, 2021, 06:56:32 AM
I haven't changed my password for a long time, nothing happened, maybe I am lucky?
Accounts don't get stolen that easily. Unless your device isn't vulnerable, you aren't using an easy to guess/bruteforce password, and there isn't a recent database breach, you will be fine. And unless you used the same password on another site that got leaked of course.

I like how they do it at my current job. Every 3 months we are required to change the password to log in to the main platform. And they have a system in place similar to Skype's. You can't reuse an old password. It has to be a new and unique password. Maybe this is also a possible attack vector because it means that a server somewhere compares the entries (hashes) you make with the ones you used in the past.  
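The "you can't reuse an old password" check Pmalek describes, as an added example that is not part of the thread or of any platform mentioned in it: a constructed sketch in Python of what a server has to store for that comparison to work, and why the stored history has to be an independently salted, slow hash per entry rather than plain or fast-hashed values. The function names, policy limits and PBKDF2 parameters are assumptions.

```python
# Added example (not from the thread or any platform mentioned in it): a
# constructed sketch of a password-history check. Names, the policy limits
# and the PBKDF2 parameters are assumptions chosen for the demo.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KDF_ITERATIONS = 100_000   # demo value; production deployments use more
HISTORY_DEPTH = 5          # how many previous passwords are remembered
MIN_LENGTH = 12            # assumed policy minimum


@dataclass
class StoredHash:
    """One password verifier: its own random salt plus the derived key."""
    salt: bytes
    digest: bytes


@dataclass
class Account:
    current: StoredHash
    # Retired verifiers, newest first. They are never plaintext and never
    # unsalted digests, so a leaked history is no easier to crack offline
    # than the live password itself (the "attack vector" worry in the post).
    history: list = field(default_factory=list)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation; the same salt must be reused to compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def new_hash(password: str) -> StoredHash:
    salt = os.urandom(16)
    return StoredHash(salt, derive(password, salt))


def matches(password: str, stored: StoredHash) -> bool:
    # Every entry has its own salt, so checking a candidate against the
    # history costs one KDF run per remembered password; the server cannot
    # simply look a single hash up in a table, which is the point.
    return hmac.compare_digest(derive(password, stored.salt), stored.digest)


def create_account(password: str) -> Account:
    return Account(current=new_hash(password))


def login(acct: Account, password: str) -> bool:
    return matches(password, acct.current)


def change_password(acct: Account, old_password: str, new_password: str) -> str:
    """Rotate the password; returns "ok" or the reason the change was refused."""
    if not matches(old_password, acct.current):
        return "wrong-current-password"
    if len(new_password) < MIN_LENGTH:
        return "too-short"
    if matches(new_password, acct.current):
        return "reused-current"
    if any(matches(new_password, h) for h in acct.history):
        return "reused-history"
    # Retire the current verifier into the bounded history, install the new one.
    acct.history.insert(0, acct.current)
    del acct.history[HISTORY_DEPTH:]
    acct.current = new_hash(new_password)
    return "ok"


def demo() -> list:
    """Walk one account through a rotation cycle; returns each step's outcome."""
    first = "correct horse battery staple 1"        # constructed sample passwords
    second = "a different, equally long phrase"
    acct = create_account(first)
    return [
        change_password(acct, "not the password", second),  # wrong-current-password
        change_password(acct, first, "short"),               # too-short
        change_password(acct, first, first),                 # reused-current
        change_password(acct, first, second),                # ok
        change_password(acct, second, first),                # reused-history
        login(acct, second),                                 # True
    ]


if __name__ == "__main__":
    print(demo())
```

Note that a history check can only ever reject exact reuse; a "new" password derived from the old one by bumping a digit passes it, which is the failure mode SquirrelJulietGarden and PrimeNumber7 describe above.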


Title: Re: Change Account Password Regularly.
Post by: lovesmayfamilis on April 11, 2021, 07:32:31 AM
I once created a similar topic. I was surprised by a user who so diligently changes his password for the forum every day.

https://bitcointalk.org/index.php?topic=5308307.msg56064303#msg56064303

Likewise, I think that if we do not use someone else's Internet, we have one device for an account, and we use the security system correctly, we should not be too paranoid about changing the password. It is important to keep copies of passwords, because, with frequent changes on one device, the user often forgets to save the new password, thereby creating problems for himself.
Let's not talk about the complexity of passwords here, 8 characters is of course "hard" ;D

https://howsecureismypassword.net/

And also a post as a reminder of how a hacker can get our passwords.
https://www.quora.com/How-does-a-hacker-grab-a-persons-password

And the dangers of stealing cookies
https://securityintelligence.com/articles/guide-to-cookie-hijacking/


Title: Re: Change Account Password Regularly.
Post by: ChuckBuck on April 11, 2021, 07:49:31 AM
Accounts don't get stolen that easily. Unless your device isn't vulnerable, you aren't using an easy to guess/bruteforce password, and there isn't a recent database breach, you will be fine. And unless you used the same password on another site that got leaked of course.
Oh shit  ::) I often have a habit of using the same password for many different accounts, recently, Google announced that I have been exposed to 55 identical passwords  ::)

I like how they do it at my current job. Every 3 months we are required to change the password to log in to the main platform. And they have a system in place similar to Skype's. You can't reuse an old password. It has to be a new and unique password. Maybe this is also a possible attack vector because it means that a server somewhere compares the entries (hashes) you make with the ones you used in the past.  
It is difficult to change passwords frequently, changing frequently will lead to forgetting passwords, especially passwords that cannot be the same as old passwords. It seems safe but is sometimes also dangerous if you forget your password and then lose the other relevant security information needed to recover the password.


Title: Re: Change Account Password Regularly.
Post by: RickDeckard on April 11, 2021, 12:05:31 PM
*triple psst to you, ouuu.

Okay in all seriousness, I like the idea behind bitwarden, and I want to use it, but the reviews on it thus far are shaky. ssss. And I don't know if I trust windows to keep my files safe. Heckin hell this is.
I can't deal with a triple psst, you won! Regarding bitwarden, if you're still unsure if bitwarden is stable to use as self-host then I see that the only option would be a tool similar to KeePassXC but in this solution you keep your database encrypted on your PC... If you don't trust Windows to keep your files safe I don't really think you'll ever find a password manager that fills all the boxes in terms of requirements ...

What about setting up bitwarden in a Linux environment? You could host it in a VM/Docker and then use the desktop version in Windows to connect to your server... This guide sums up all the important steps : https://golb.hplar.ch/2018/12/self-host-bitwarden.html . I do believe that even if the program does crash you should always have a backup of your encrypted database to prevent any loss in your passwords... After all we for sure want to continue watching a pug appear from time to time here in bitcointalk  ;D


Title: Re: Change Account Password Regularly.
Post by: Welsh on April 11, 2021, 02:44:00 PM
Basically, if you have a strong password in the first place, and you use different passwords in different places, that significantly reduces the chance of database leaks compromising you. The only issue then is if Bitcointalk was compromised, but at least the passwords are hashed, and if you have a strong password to begin with it's unlikely that anyone will be able to crack it before you become aware that the site was compromised. So, generally if you follow these guidelines, you don't really need to change your passwords all that often, if at all depending on your own personal security protocols.

There are times when you might make a mistake, and aren't completely convinced that your data wasn't compromised, especially when traveling, or using insecure devices. I've definitely had these moments in the past.

However, I do recommend users do a security review from time to time even if you believe everything is fine.