|
Title: Automated password recovery Post by: cellard on July 29, 2018, 06:04:17 PM What is the exact reason that we can't just get an automatically generated password to regain control of an account in which we lost our password for whatever reason, instead of just having to lock it pretty much forever (since it seems it's next to impossible to recover them, even after presenting sufficient cryptographic evidence through several signed bitcoin addresses)
Just let us request a new automatically generated password which is sent to our email used in here, then we can be back in minutes, instead of wasting everyone's time with endless queues (the meta section is now just a big queue of people wanting to recover their accounts). If someone maliciously gets access to an account via the automated generated password, the real owner can just come here and sign an address, then in this case it would make sense to look at it individually. Title: Re: Automated password recovery Post by: mdayonliner on July 29, 2018, 06:11:26 PM ~ I never get an answer of the below post. Since you have created a topic already, I would like to bring everyone's attention into it, I assume we both are standing on the same page. I am not sure if it has been discussed here or not but excuse my rush here... Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure for my account too. Although I always use strong password, 2FA where applicable - all sorts of things to ensure the highest security but still anything can happen anytime. It could be my mistake or it could be system leak, which actually does not matter. What matters is once an accident happen then the account holder is facing all sorts of hassles which is frustrating. Coming to my point... Whenever your password is changed (except by an administrator), you will get an email about it. Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days. I actually do not understand why the email is to lock? Instead of the link to lock the account why not the system send an email asking to revoke the request if the change has not made by this email account holder? I think this could be a decent procedure.... If an account (bitcoinTalk) requests for password and/or email change then send an email to the last registered email address asking for approval. Send a link which will confirm manual approval for the change requested. If the original user requested the change then they are liable for their action. Now, if the user do not have access of the email address only then ask the mods/admins to help them out. I believe this small tweak in sending email, will be saving a lot of time for both the users who are victim and mods/admins. Update: A little correction... For password change send approval email to the current registered email account and for email change send approval email to the last registered email. Title: Re: Automated password recovery Post by: LTU_btc on July 29, 2018, 08:05:54 PM Well, I also had posted similar similar question few days ago and already wanted to start a thread about it, but you was faster than me.
If admins don't have time to recover hacked accounts then I'm not sure that feature to lock accounts are needed. If password/email address was changed maybe it would be better to send notification with option to cancel these changes. Something similar like we have on some exchanges - when we make withdrawal we get email notification with options to confirm or cancel withdrawal. Such feature would make account hacking more difficult and users wouldn't need to lock their accounts anymore. I also don't understand why it's necessary to lock accounts if there is small chance that it will be restored. My suggestion wouldn't solve problem completely, because it wouldn't help if hacker also have access to user email. But it would reduce number of hacked accounts significantly. Admins wouldn't get so many requests to restore accounts anymore. It would be really nice to hear something from theymos about this problem because it's getting worse and worse and something has to be done to solve it.Title: Re: Automated password recovery Post by: hugeblack on July 29, 2018, 08:58:50 PM I think the reason is that this forum has been hacked several times, as the hackers have been able to access all the sensitive data from the password to the email accounts "some have been changed."
Therefore, restoring accounts using email addresses will make it easy for anyone who has access to those emails to retrieve their password. I also believe that the process of recovering accounts is not merely the signing/verification of a message "there is an investigation going on." Based on theymos' programming capabilities, I think he can easily add this feature but must have a compelling reason. Title: Re: Automated password recovery Post by: cellard on July 30, 2018, 03:35:06 PM ~ I never get an answer of the below post. Since you have created a topic already, I would like to bring everyone's attention into it, I assume we both are standing on the same page. I am not sure if it has been discussed here or not but excuse my rush here... Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure for my account too. Although I always use strong password, 2FA where applicable - all sorts of things to ensure the highest security but still anything can happen anytime. It could be my mistake or it could be system leak, which actually does not matter. What matters is once an accident happen then the account holder is facing all sorts of hassles which is frustrating. Coming to my point... Whenever your password is changed (except by an administrator), you will get an email about it. Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days. I actually do not understand why the email is to lock? Instead of the link to lock the account why not the system send an email asking to revoke the request if the change has not made by this email account holder? I think this could be a decent procedure.... If an account (bitcoinTalk) requests for password and/or email change then send an email to the last registered email address asking for approval. Send a link which will confirm manual approval for the change requested. If the original user requested the change then they are liable for their action. Now, if the user do not have access of the email address only then ask the mods/admins to help them out. I believe this small tweak in sending email, will be saving a lot of time for both the users who are victim and mods/admins. Update: A little correction... For password change send approval email to the current registered email account and for email change send approval email to the last registered email. Yes, confirming via email that it's you requesting a password change and not the hacker also makes sense, instead of locking it into the lottery of getting it recovered 10 years later. I think the reason is that this forum has been hacked several times, as the hackers have been able to access all the sensitive data from the password to the email accounts "some have been changed." Therefore, restoring accounts using email addresses will make it easy for anyone who has access to those emails to retrieve their password. I also believe that the process of recovering accounts is not merely the signing/verification of a message "there is an investigation going on." Based on theymos' programming capabilities, I think he can easily add this feature but must have a compelling reason. As I pointed out, if someone gets your password because of this method, you can create an alt account, sign a bitcoin address you've posted in the past, and then the account would be closed for investigation. But meanwhile, tons of people that legitimately own the account and can verify the bitcoin addresses, are stuck in this account limbo. So give people an easy way to recover it if they own the email, and if someone got your email address and you care about your account, you'll come here and get a btc address signed. You can't recover it without doing that anyway. Title: Re: Automated password recovery Post by: mdayonliner on July 31, 2018, 08:53:44 AM ~ There is a hope, and I hope I am not spreading a rumor :)IIRC, the PM was from ~1 month ago and theymos said that he would try to code it in a few weeks. So it should be out soon. So it will definitely be available in the current forum software (SMF), and not only when the new software comes out. You realize a number of eye balls are looking at you now?(!) :)I can not wait to see the outcome. More or less all of us actually worried about the account security and the time it takes to recover. Update... If you have not posted that addy elsewhere, it probably won't be accepted. We don't actually accept the profile field address unless there's some sort of proof that it's remained unchanged, for that very reason. I'm working on a new address-staking system which will automatically handle signatures, etc. Might have it ready by the end of the month if nothing else comes up to consume my time. Fantastic, thank you. |