Bitcoin Forum

In order to reduce or limit the hacking of bitcointalk accounts, more security features can be introduced. I am also adding one suggestion here to get this thread started:

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.
 
Same way, other security features can also be implemented. Let us discuss these in this thread.

Not a bad idea, bad the downside is more users are likely lost access and will ask a way to recover his account. Since this make the email is really important in this forum where each time login need to input verification code, I highly suggest to remove email address show to public in order to make it more secure.

Did you mean we're only allowed to log in with an old device? I disagree since each device has a lifespan where you will need to change device for every few years.

Imagine if they let their accounts hacked, they would easily let their emails hacked as well. The main causal reason is they are very careless when surfing on the Internet, on social media, via messenger applications, emails, and so on.

So adding the email verification does not make much sense.

There has been many request for 2FA but it won't be implemented in SMF forum (this one). It can be done in the new forum software (Epochtalk) but that new software has yet been completed.

The bitcoin technology lays it upon its users to be responsible for the security of their money if they must use the network, i am not sure at all, but maybe that is why the forum does not have any additional security measure in this version as this is a bitcoin forum, but i have read some discussions about it here and i feel it will be added in the new forum software whenever it is completed and implemented.

Though before the new forum software is implemented:  you can be your own addidional security measure (https://bitcointalk.org/index.php?topic=4920096.0)

2FA should be more than enough for an extra security measure. Even if someone steals your password or finds a way to break into your account, 2FA (one time password) on your account protects you against such attacks. In case you lose your password, you can still reset it by entering a valid email and a 2FA code. Of course, there is no such thing as 100% security, but this should definitely help a lot.

2FA is helpful but it is never a silver bullet.

Depends on how you install (where) your 2FA app, where you save your 2FA backup code and same for email password, email 2FA.

If you log in all accounts on same device, store backup, install 2FA application on the same device as well, its usefulness decreases a lot.

I will never say that 2FA is a bad option (as a choice) in the additional protection of BTT accounts, but as far as my memory serves, from 2015 to today there were less than 10 hacking of accounts of members who are somewhat important and were or are now Hero&Legendary members. The vast majority of others have never had such a problem because they know that each password should be unique and long enough to prevent someone from accidentally guessing it or breaking it with the brute force method.

Those who use passwords like John1234 or ILoveBitcoin or store them in the cloud/email in unencrypted form will not be helped by any additional protection.

I don't have stats to back up my claim, but I assume that majority of account breaches are a result of users entering their passwords into phishing websites and not brute force.

There are constant reminder on various websites when signing up on the importance of password strength, with many requiring lower and uppercase letters, special symbols, and numbers, so people are more likely to pick up on this, but proper security while on the internet is not talked about enough. So, someone can easily enter their passwords into an unverified website.

You are telling the forum to give our data to email service providers like Gmail, Yahoo or whatever the provider. They get the IP and other log that we have an account in the forum. No, it's not gonna happen.

We are still in pain that Theymos is using cloudeflare. I have no idea who are our hosting service provider though. I hope files are hosted in private virtual machine.

For account security, staking a bitcoin address to use for proof of ownership is the best idea so far.

If you give information of your passphrase to hacker then your bitcoin are not safe in your hand. The same applies in forum account too. But say you get phished. As long as you have bitcoin address staked, you can provide proof of authentication anytime and get your account back.

I’m using Bitcointalk forum for about 6 years without experiencing any hack incident in my account. I think having a secured password and 2fa is enough to make Bitcointalk account safe because there’s no money that needs to protect on this account besides account reputation which can be easily spot if the account suddenly do shady activities.

Hacking event usually happened on accounts that use a weak password or click phishing links.

I don't want to use something like this connected with any email, especially if it's going to be mandatory.
Unless you are running your own server with email, there is always a chance that email could be unavailable temporary or permanently, they could be flagged as spam, or they could be shut down.
Only option for securing accounts I would cosnuder using is 2FA or fido hardware keys.

I may be one of those who take things quite seriously, but since I first found this forum in 2014, I saved the link in my bookmarks and have been using it ever since. In addition, I only log in from one device that I consider safe, and I think that this is quite enough for my operational security to be at a high level.

Of course, there is always the possibility that something bad will happen to me, like everyone else - but phishing links and some other common traps will certainly not surprise me.

There's very likely users here that haven't used a valid email, and therefore wouldn't be able to verify anything. Of course, you could argue that's an issue to start with since they don't have that safety net, but an email is just something else you'd need to keep secure, so I do see the logic behind it. Also, some might not care for giving the forum an email they own, and therefore made an invalid one for privacy.

These things we've got to be extra conscious of, since Bitcoin does sort of attract the more privacy conscious minds.

The rate at which I see people post on beginners and help on how to retrieve their hacked accounts make me understand the importance of having an added layer of security in the forum.
I also wonder if there is any other way that one's account could be hacked apart from phishing attack and maybe guessing someone's password?


I was going to ask why one will register in the forum with an invalid email until I read to bottom. Yet, I am not satisfied, if for the sake of privacy a user doesn't want to submit a valid email, it shouldn't be a big deal to create a new email.

An account is as secured as you allow it to be. OP speaking of email verifications still sounds like typical OTP to me and that's one idea that have been suggested one too many times and as time have had it, the idea isn't one that everyone adorns. I don't if you would ask me. It would be way too stressful logging in considering the wait time and switching between mails and browser.

Hacks or not, the forum has put in place es measures for an account recovery and that is, the staking of an address. There are chances that your accounts could be hacked on the forum bit when it comes to wallets, pretty much zero. Although, that's directly related to how private you go about the security of your private key or seed phrase.
Your account gets hacked, password and mails changed and your kicked out? No problem.
You create an alt solely for the recovery of the account, providing a signed message for the staked address of your account and you've got your account back. Rendering all the efforts of the hacker wasted.

The downside to this is that, you must be active to know the moment your account was attacked to engage in recovery before any major damage is been done. Be a little more private and you would be safe.

I can't remember correctly if this was an exchange or gambling site. For registration they wanted a bitcoin address. User give the address and then they give a message and ask to sign the message with the bitcoin address to login to the account. It was a nice idea. I never seen many sites to use practice this.

Default SMF does not allow this feature of course but if Theymos can implement such thing then it will be nice. May be in the new forum software if this is even going to launch.

Lol Not a bad idea, but why would anyone go through such trouble to post on a simple forum where sensitive documents are not stored? Even someone who stores bitcoin exchanges is not subjected to such troubles. Account hacking and other issues can be solved by using 2FA or a secret question before logging in.

Good idea OP, and I also see the importance of the security features you mentioned, but honestly, I do not consider them really really important, and that is because I feel that the level of security features on a forum like this isn't the real reason why accounts are either hacked or not,
The main reason my account can get hacked easily is due to negligence and laziness.
Many users are too lazy to even secure their account with strong passwords, some use the same password on every platform they register on, including their email addresses.
For user like this, the security features you mentioned wont stop their account from being hacked, as Hackers can easily target and hack their email address, and from there, the gains access to the account of the victim.

If I remember correctly then it was really easy to access the account using the bitcoin address. I understand it's a forum. The way everyone is worried about their account and suggesting several things I thought why not I go with mine too LOL

With email verification you are giving away your anonymity to the email service providers. Email can be hacked, people do not take it seriously as they take their private keys.
Theymos is not going to add 2FA, I don't know how hard it is.

To be honest, we are fine with staking bitcoin address. If anything happen to your account, you can always provide proof of ownership and get back the account.

Since email addresses are not verified to be associated with the user, this is not a good idea. I am sure that many members have a fake/invalid email address associated with their accounts.

There is really no reason why the forum will ever contact members via email, many of the traditional phishing attacks will be useless against bitcointalk forum accounts. So as long as the forum is able to keep passwords away from adversaries, and forum members practice general good security, the risk of getting your account hacked is fairly low.

I appreciate every suggestions in security measures but i feel this is only happens ^{(getting hacked)} because of user's carelessness. Unless there is really a loophole in the website's security that needs to fix.

Why it didn't happened to me before? Or to someone else? Your account's security is your responsibility, same like your bitcoin private keys.

Your suggestion is good because securing your account is one the priority in the forum. I believed email verification is already existing. If someone want to change his or her password the forum software would automatically inform you through your email. Changing of the password at  anytime will be also decide by the person. Trusting of the device is also good but locking the account for some days will never work well with the user, because if the user is in a campaign and the user account is suspended for some days, that means the user miss his or her work within those days. Therefore, that will not work well for for the forum. So I strongly disagreed with you on that part which you said, "the device should be trusted for some days", that means indirectly, the account would not be working for these days you are saying. Now if the person is in a campaign, what the person would do in this period of time?

Every opinion counts, no matter how awkward some of them sound, but the forum's security is fine with me because I don't have to go back to my email to get a login code or click a link in my email to access my account, and as for the 2FA, I'd say the site doesn't require it. The best way to protect your account is to use disposable emails. I believe this was the case back then, and it was extremely difficult for someone's account to be hacked via email addresses.

What if you lose access to your staked address private keys/wallets? Many people were fcked up as a result of this. Is this option reliable enough?

For some, this method is reliable because private keys are something that anyone who understands what it is, pays the greatest possible attention to. So if someone manages to hack my BTT account and the email associated with it, I'm sure I still have the option to recover my account using the signed address. Anyone who can't follow these simple rules shouldn't even be online.

An additional measure that exists is also recovery via IP address, although I assume that this is only usable for those who do not use VPN/Tor.

If an email is not frequently used to send reminders to users to confirm their username and password, then this is not a bad idea. If such a security feature is ever put into place in the future, the 2FA can also be used for this. Since everyone is educated here about the fundamental security precautions they must take even with their bitcoin account wallets, I don't think account hacking occurs much here. Everyone is probably extra cautious and aware of the warning signs that a hacker is attempting to access their account. So also, I believe that the security measure should apply to every account on the forum, regardless of rank, rather than just those with high ranks.

It is important to note that 99% of the world's internet users are not using the internet to learn about how to secure private keys. Furthermore, there is no single 80% secure way to save private keys; they are lost over time due to accident, malware attacks, phishing attacks, and most of the time our gadget is stolen or broken down. Offline save is not safe, nor is online save, and because there is no 100% proven way to secure private keys, we will continue to post stories about lost private keys on the internet. I don't know about you, but I throw away my wallets every two years. Staked addresses help, but they are insufficient.

If this was the case then I'm sure 100% of Russians here cannot retrieve via IP address.

What will be the reason to only let high rank members enjoy this privilege that you've proposed? If anything, I think the proposed feature should be on every member's account with option to activate it or not if anyone wants. Letting only certain ranks enjoy it, for me, will be irrational and discriminatory. It should be the same way exchanges allow users (even newly registered ones) access to authentication features and then one chooses when and which features to activate. This forum is big enough to implement something similar. I think the call for 2FA authenticator is beginning to hit up. Who knows, theymos may see the need for it now and do something about it.

And most of the forum users have the Gmail account and we know how much risky it could be because they might not be having proton mail for it or say seperate mails for forum.Your mail data could be compromised and hackers could have access to your mail and the breach could happen anytime so it's more of risk factors then safety.

I would be more frustrated when I have to authenticate my code each time through mail while logging on the forum as sometimes I use my mobile browser also and have to login my mail also and this could be frustrating for me as well.

That's the best case for your account recovery and prove you are the real owner of the account and it can be verified also.

They are not even important in this story, because here we are discussing additional ways to protect the accounts of the members of this forum. Each of them should know what a private key is, and how it can help them protect their BTT account.


There are ways that are 99% safe, because nothing is 100%, and everything you listed can be avoided and prevented. Careless people keep losing their devices, becoming victims of malware and phishing, but do you think any additional protection would help them? From 2014 until today, I have not lost a single address, let alone a private key, nor have I been a victim of malware/phishing - and I am no expert in online security, but an average internet user who has learned some basic things that make me relatively safe when I am online.


It's the first time I've heard of such a strategy, and I don't see the point in it. I keep everything related to Bitcoin no matter how unimportant it seems, because I never know if I will ever need it. It's not that I need a warehouse for that, everything fits on a regular USB stick that costs a few $.

Why do you think that should be included now, don't you think since the requirement for verifying email address used was not needed right from point of registration, getting that into consideration now wouldn't create something new but rather deviate from the initial reasons why it was not needed from the first time, and be it newbie or legendary, a user is a user and preference must not be considered over each other, the more the privacy needed for individuals here which the forum created and respect the fact that it needed to be maintained.


No need for further process to this than the ones in place, just ensure that your email is truly accessible by you in case of when there's compromise because that's your last hole to retain your account by then, forum cannot be responsible for any irresponsible negligence on user's account.