Bitcoin Forum

Other => Meta => Topic started by: marcotheminer on October 22, 2014, 08:53:19 PM



Title: Major Flaw in Security
Post by: marcotheminer on October 22, 2014, 08:53:19 PM
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing..

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)


Title: Re: Major Flaw in Security
Post by: mprep on October 22, 2014, 08:58:10 PM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does ;D). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.


Title: Re: Major Flaw in Security
Post by: marcotheminer on October 22, 2014, 09:15:04 PM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does ;D). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.


Title: Re: Major Flaw in Security
Post by: Dare on October 23, 2014, 03:32:18 AM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does ;D). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).


Title: Re: Major Flaw in Security
Post by: FunnyHat43 on October 23, 2014, 03:40:35 AM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does ;D). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
This would rely very heavily on automation, which has its own vulnerabilities.


Title: Re: Major Flaw in Security
Post by: Dare on October 23, 2014, 05:03:36 AM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does ;D). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
This would rely very heavily on automation, which has its own vulnerabilities.

At the moment, there's no email verification required to change an account's email; anyone with the password can change the email to anything they choose, with no confirmation required. Regaining control of an account would require the same manual process, but email verification would make it more difficult for accounts to be stolen in the first place by requiring confirmation from the second factor before allowing it (and consequently, the way for the original owner to reset the account's password) to be changed.

So long as there are no vulnerabilities in the email confirmation system (which should be easy enough to secure; it's a common practice for many sites, and relatively simple to implement) then the only disadvantage will be to the people buying and selling accounts, who will have to add another step to their process.
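The flow Dare sketches above (generate a reset key, store it, send an email, invalidate unused keys after ~24 hours) and the point in the follow-up that the confirmation must come from the factor the attacker does not hold, written out as an added example in Python. It is not code from the thread, from SMF or from any existing plugin; the class name, the fake clock and the sample addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # unused keys are invalidated after ~24 hours


class EmailChangeConfirmation:
    """Confirm-by-email gate for changing the address on an account (hypothetical class).

    The key goes to the address already on file (the factor a password thief
    does not hold), never to the address being proposed. Only a SHA-256 of the
    key is stored, so a leaked table does not yield usable keys; each key is
    bound to one (user, new address) pair and is burned on first use.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # key_hash -> (user_id, new_email, expires_at)
        self._pending: Dict[str, Tuple[int, str, float]] = {}

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def request_change(self, user_id: int, current_email: str, new_email: str) -> Tuple[str, str]:
        """Start a change. Returns (recipient, key); the caller mails the key to recipient."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable id
        self._pending[self._digest(key)] = (user_id, new_email, self._clock() + TOKEN_TTL_SECONDS)
        return current_email, key

    def confirm(self, user_id: int, key: str) -> Optional[str]:
        """Consume the key. Returns the new address to commit, or None on any failure."""
        entry = self._pending.pop(self._digest(key), None)  # pop first: one attempt per key
        if entry is None:
            return None
        owner, new_email, expires_at = entry
        if owner != user_id or self._clock() > expires_at:
            return None
        return new_email

    def purge_expired(self) -> int:
        """Housekeeping for the pending table; returns how many stale keys were dropped."""
        now = self._clock()
        stale = [h for h, (_, _, exp) in self._pending.items() if exp < now]
        for h in stale:
            del self._pending[h]
        return len(stale)


def walkthrough() -> Dict[str, object]:
    """Exercise the gate with a fake clock: happy path, guess, replay, wrong user, expiry."""
    now = [1_700_000_000.0]  # constructed epoch time; advanced by hand below
    gate = EmailChangeConfirmation(clock=lambda: now[0])
    out: Dict[str, object] = {}

    recipient, key = gate.request_change(42, "owner@example.org", "new@example.org")
    out["mail_sent_to"] = recipient                       # the old address, not the new one
    out["guessed_key"] = gate.confirm(42, "not-the-key")  # attacker who has the password but not the mailbox
    out["confirmed"] = gate.confirm(42, key)              # owner clicks the link
    out["replayed"] = gate.confirm(42, key)               # same key presented a second time

    _, key2 = gate.request_change(42, "owner@example.org", "other@example.org")
    out["wrong_user"] = gate.confirm(7, key2)             # key presented for another account

    _, key3 = gate.request_change(42, "owner@example.org", "late@example.org")
    gate.request_change(42, "owner@example.org", "never@example.org")  # mail never acted on
    now[0] += TOKEN_TTL_SECONDS + 1                       # a day passes before the link is used
    out["expired"] = gate.confirm(42, key3)
    out["purged"] = gate.purge_expired()                  # only the never-used key is left to drop
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value!r}")
```

The same gate works for password changes and for password resets: the only differences are what is stored alongside the key and what is committed on confirmation. Rate-limiting the confirm endpoint is still advisable even though a 256-bit key cannot be guessed.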


Title: Re: Major Flaw in Security
Post by: ranochigo on October 23, 2014, 01:17:36 PM
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing..

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register, or use a temporary email to register an account. The forum doesn't send an email verification to activate your account, so most people don't bother to use an actual email. If they needed to change their email or password, they would have a hard time.


Title: Re: Major Flaw in Security
Post by: marcotheminer on October 23, 2014, 03:41:09 PM
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing..

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register, or use a temporary email to register an account. The forum doesn't send an email verification to activate your account, so most people don't bother to use an actual email. If they needed to change their email or password, they would have a hard time.

Then force users to use actual email addresses, problem solved.


Title: Re: Major Flaw in Security
Post by: Gleb Gamow on October 23, 2014, 04:44:26 PM
I just started a thread outlining another security concern: https://bitcointalk.org/index.php?topic=832742.0


Title: Re: Major Flaw in Security
Post by: marcotheminer on October 23, 2014, 07:51:20 PM
I just started a thread outlining another security concern: https://bitcointalk.org/index.php?topic=832742.0

Will take a look now. Theymos, this issue and Phinneaus Gage's (Gleb Gamow's) needs to be fixed (even if it is temporary) asap, please!


Title: Re: Major Flaw in Security
Post by: awesome31312 on October 24, 2014, 08:20:12 AM
Bitcointalk's account security is a joke. I received '0' emails about my account creation details


Title: Re: Major Flaw in Security
Post by: marcotheminer on October 24, 2014, 03:46:34 PM
Wouldn't mind your reply to the above posts, Theymos.


Title: Re: Major Flaw in Security
Post by: Dark_Vader on October 24, 2014, 03:50:41 PM
I agree with you, this should be fixed!


Title: Re: Major Flaw in Security
Post by: Quickseller on October 24, 2014, 04:53:14 PM
Wouldn't mind your reply to the above posts, Theymos.
Did you not see the huge fiasco with bayuo/zedicus in Meta a few months ago? If you are taking possession of an account you need to get a signed message from a BTC address on an unedited post that is "old". This especially applies to taking accounts as collateral for a loan, as the process to lend is much quicker than to buy an account.

The only exception to this is if you are lending to someone who farms accounts but the reason you would lend to an account farmer is ??? (This really only applies if you are buying accounts and have bought from them before)


Title: Re: Major Flaw in Security
Post by: PangPang on October 25, 2014, 08:36:57 AM
Bitcointalk's account security is a joke. I received '0' emails about my account creation details

Yup because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like geja1ovf13lpjeo@jog67enfergn.com


Title: Re: Major Flaw in Security
Post by: awesome31312 on October 25, 2014, 09:20:10 AM
Bitcointalk's account security is a joke. I received '0' emails about my account creation details

Yup because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like geja1ovf13lpjeo@jog67enfergn.com

Why not just make the email field optional then?


Title: Re: Major Flaw in Security
Post by: hilariousandco on October 25, 2014, 09:42:41 AM
It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.


Title: Re: Major Flaw in Security
Post by: Muhammed Zakir on October 25, 2014, 10:08:21 AM
It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.

I agree. IMO an email should be send when registering and when changing 'Account Related Settings'.

   ~~MZ~~


Title: Re: Major Flaw in Security
Post by: yeXIABC on October 25, 2014, 11:59:10 AM
Hacker let we cannot update the individual forum speech record?


Title: Re: Major Flaw in Security
Post by: greatwolf_ on November 14, 2014, 09:18:21 PM
I completely agree with this feature request 100%. My original account which got compromised, could have been prevented if something as simple as email confirmation was in place. In fact, I made this exact suggestion on my hacked account thread (https://bitcointalk.org/index.php?topic=786313.msg9545592).

As of this time, I still haven't received any reply to my recovery PM from theymos (and yes, I followed the recovery procedures outlined here (https://bitcointalk.org/index.php?topic=497545.0)). I don't understand how a cryptocurrency forum that deals with money can be so lax in its security department. All the hacker has to do is guess the right PW or answer the security question correctly and it's game over.


Title: Re: Major Flaw in Security
Post by: awesome31312 on November 15, 2014, 07:19:35 PM
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if its coupled with email verification though


Title: Re: Major Flaw in Security
Post by: AnonBitCoiner on November 15, 2014, 08:02:39 PM
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if its coupled with email verification though

Many other forums follow this procedure; I wasn't aware that this one didn't. +1; I think it could be made an option available to users...if they want to enable e-mail verification, then they can, for those more concerned with security, whereas for those who are lazier and would prefer not to go to their e-mail upon a change, they could have it disabled


Title: Re: Major Flaw in Security
Post by: Quickseller on November 15, 2014, 08:08:19 PM
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if its coupled with email verification though
Just to put it into perspective as to how easy it is to guess someone's password:

There are 26 potential english letters and 10 potential numbers that can be used in your password (we can ignore all the special characters that someone could potentially use as well as capital letters).

If an attacker knew that a specific account's password was exactly 6 digits (I don't even think the forum allows for passwords to be this short) then the number of potential passwords would be 36^6, or written in base 10 scientific form 2176782336 ~2.17 * 10^9, or 2,176,782,336, or ~2.1 billion possibilities. Considering that an attacker can only attempt to "guess" a password once every 45 seconds, it would take 816,293,376 hours (34,012,224 days) to guess a password if the attacker has 100% luck (the attacker correctly guessed the correct password exactly half way through all the potential passwords).

tl;dr it is not realistically possible to guess someone's password without some kind of social engineering and/or exploiting some kind of weakness of the person who owns the account (the owner somehow being at fault).


Title: Re: Major Flaw in Security
Post by: awesome31312 on November 16, 2014, 08:31:01 PM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman


Title: Re: Major Flaw in Security
Post by: Quickseller on November 16, 2014, 09:38:00 PM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.


Title: Re: Major Flaw in Security
Post by: awesome31312 on November 17, 2014, 10:53:48 AM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.


Title: Re: Major Flaw in Security
Post by: Quickseller on November 17, 2014, 01:17:29 PM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
??? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password


Title: Re: Major Flaw in Security
Post by: awesome31312 on November 18, 2014, 06:40:06 PM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
??? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me


Title: Re: Major Flaw in Security
Post by: Quickseller on November 18, 2014, 06:46:37 PM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
??? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital letters or special characters. To most people this is a very long time.


Title: Re: Major Flaw in Security
Post by: MadZ on November 19, 2014, 06:21:27 AM
(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
??? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital letters or special characters. To most people this is a very long time.

I think the confusion here comes from the fact that you took his quote:

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if its coupled with email verification though

and made it a reason to show how difficult it is to actually bruteforce someone's password. I read his quote as agreeing with the idea that passwords are not guessable, given that he says the chances of guessing someone's password are "very low". The thing is, you begin your reply by saying:
 
Just to put it into perspective as to how easy it is to guess someone's password:

Which sounds like you are disagreeing with him if you take that sentence out of context. He probably read this and assumed your post was contradicting his, which is why he responded to you with hostility, even though you both actually agree. You're both confused because you believe the other person has the opposite view, when you actually both agree that passwords are very secure. That's how I read your conversation at least.


Title: Re: Major Flaw in Security
Post by: marcotheminer on December 23, 2014, 12:39:00 PM
Bump


Title: Re: Major Flaw in Security
Post by: Quickseller on December 27, 2014, 11:37:04 AM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.


Title: Re: Major Flaw in Security
Post by: MadZ on December 27, 2014, 11:53:55 AM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.


Title: Re: Major Flaw in Security
Post by: Quickseller on December 27, 2014, 12:01:06 PM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
Email accounts are easier to compromise than forum accounts. Maybe it is uncommon, maybe not, IDK.

I do think the rule that an email address can only be associated with one account should be lifted. If someone were to try to hack accounts via this method then they could attempt to change their email to a number of addresses they think they can hack, and when they get an error saying that email is associated with another account they know they can try to hack it.


Title: Re: Major Flaw in Security
Post by: Lauda on December 27, 2014, 12:17:28 PM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you : a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.


Title: Re: Major Flaw in Security
Post by: Quickseller on December 27, 2014, 12:19:35 PM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you : a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.
someone could potentially want a vanity email address that matches their bitcointalk username (he could register the username on the major email providers (gmail, yahoo, outlook, etc). I agree that this would be horrible security, but then again a lot of people here are pretty clueless about security


Title: Re: Major Flaw in Security
Post by: redsn0w on December 27, 2014, 12:22:19 PM
I think the ability to recover/reset your password via email actually decreases security. For example  BitMiningInvestments (https://bitcointalk.org/index.php?action=profile;u=63487) just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you : a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.

Yes, you're right. It is also possible to use 2FA, and it will add a major level of security to the email address.


Title: Re: Major Flaw in Security
Post by: Quickseller on December 27, 2014, 12:24:55 PM
I think 2FA in general would be beneficial. But I don't think email is the right way to do it. Maybe Google Authenticator would be a better solution.


Title: Re: Major Flaw in Security
Post by: hilariousandco on December 27, 2014, 12:33:50 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?


Title: Re: Major Flaw in Security
Post by: Quickseller on December 27, 2014, 12:42:06 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
No. Google Auth has nothing to do with email. You are given a QR code to scan, and anyone that has access to the QR code can display the 6 digit code you enter that proves you controlled the account at the time it was set up. It is similar to signing a message.
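What the post describes (a QR code that carries a shared secret, and a six digit code derived from it) is TOTP as specified in RFC 6238, built on HOTP from RFC 4226. The following is an added example in Python; it is not code from the thread, from Google Authenticator or from SMF. The verifier class, its replay rule and the account label are assumptions made for illustration; the secret is the RFC 6238 reference test key, so the generated codes can be checked against the vectors published in that RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Reference test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# chosen so the output can be compared with the vectors in those RFCs.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Phone and server share only the secret and a clock."""
    return hotp(secret, int(at // step), digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The payload an enrolment QR code carries: the raw shared secret in base32.
    Whoever scans or screenshots the code can compute every future value, which is
    why possession of the QR code is equivalent to possession of the second factor."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side (hypothetical class): accept a code within +/- `window` steps of clock
    drift, compare in constant time, and never accept a time step at or before the last
    accepted one, so a code seen over the shoulder cannot be replayed within its window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # persist this per user in a real deployment

    def verify(self, submitted: str, at: float) -> bool:
        base = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(TEST_SECRET, "marcotheminer", "bitcointalk"))  # constructed label
    for t in (59, 1111111109, 1234567890):  # sample times from RFC 6238
        print(t, totp(TEST_SECRET, t), totp(TEST_SECRET, t, digits=8))
    print("now:", totp(TEST_SECRET, time.time()))
```

Note what this does and does not protect: the secret never leaves the two endpoints, so compromising the user's mailbox gives nothing, but a phone backup, a saved QR image or a screenshot of the enrolment page gives everything. The replay rule in `verify` only helps if `last_counter` is stored per account across requests.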


Title: Re: Major Flaw in Security
Post by: hilariousandco on December 27, 2014, 12:46:37 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.


Title: Re: Major Flaw in Security
Post by: LOBSTER on December 27, 2014, 12:47:49 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?

The Google Authenticator keys are stored on your device, not on a Google server. This means that a potential hacker needs access and control of your device. So pay attention while browsing, downloading etc. anything with your mobile phone.


Title: Re: Major Flaw in Security
Post by: ranochigo on December 27, 2014, 01:03:11 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password, and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.


Title: Re: Major Flaw in Security
Post by: redsn0w on December 27, 2014, 01:08:22 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password, and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).


Title: Re: Major Flaw in Security
Post by: ranochigo on December 27, 2014, 01:19:28 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password, and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well, I'm not quite sure about him wanting to add the 2 factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.


Title: Re: Major Flaw in Security
Post by: redsn0w on December 27, 2014, 01:23:57 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password, and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well, I'm not quite sure about him wanting to add the 2 factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.


Problem solved: https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979 It takes only a few changes and it is ready for the bitcointalk forum.


Title: Re: Major Flaw in Security
Post by: LOBSTER on December 27, 2014, 01:39:32 PM
What if you lose your phone? I'm sure I read there's alternative ways to restore access to it if you lose it.
Contact the support and get your account back. Authy binds the 2FA to your phone number. You would need to reset the phone using your email and key in your password, and you would gain access to your 2FAs. It isn't hard to get a new SIM card for your phone number. This kind of 2FA can be a bit dangerous compared to Google Authenticator.

The email + 2FA is the best solution in my opinion. I think the email verification is easy to add here in the forum, but theymos doesn't want it (or am I wrong?).
Well, I'm not quite sure about him wanting to add the 2 factor, but I think it's included in the upcoming forum upgrade. He would have to redesign the login page to include two factor and have to make modifications to the database to include 2FA, as the SMF for this version didn't include 2FA. Please correct me if I'm wrong.


Problem solved: https://bitcointalk.org/index.php?topic=364307.msg7733979#msg7733979 It takes only a few changes and it is ready for the bitcointalk forum.

The problem is that addons can always be a potential security risk. But it's great and I hope the bounty of Stunna gets fulfilled soon ;)


Title: Re: Major Flaw in Security
Post by: Lauda on December 27, 2014, 03:25:36 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.
Google auth isn't a risk at all if used correctly. Why not buy a smartphone from a Chinese manufacturer (very cheap) and use it only for auth? Your device won't get hacked, I'm sure.


Title: Re: Major Flaw in Security
Post by: hilariousandco on December 27, 2014, 03:39:49 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure, but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them, which, if he does, is not very secure, and if he doesn't then their accounts are screwed. Always going to be a catch 22.


Title: Re: Major Flaw in Security
Post by: Lauda on December 27, 2014, 05:47:15 PM
How about the option of 3-factor?  :D. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
Why not? The more the better if you ask me.

I actually agree. More would make me feel more secure but it could also lead to more problems. People will likely complain if they lose access to their 2-factor and then pester theymos to remove them which if he does it's not very secure and if he doesn't then their accounts are screwed. Always going to be a catch 22.
That's their problem and theymos shouldn't do anything about it. I have even registered on a few sites which state that password recovery is not possible, even if you contact support.
Every single member is obligated to know their password/or in this instance their 2/3-factor.


Title: Re: Major Flaw in Security
Post by: marcotheminer on February 24, 2015, 02:16:10 PM
Bump.