Bitcoin Forum
Author Topic: PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT  (Read 4547 times)
achow101 (OP)
Staff
Legendary
October 12, 2015, 09:52:12 PM
Merited by hugeblack (4), vapourminer (3), _BlackStar (1)
 #1

This is a Public Service Announcement:

If you lose your password, DO NOT USE THE SECRET QUESTION TO RECOVER THE ACCOUNT. It will result in your account being locked. Please use the email recovery option to recover the account.
The reason that the accounts are locked is because the May 2015 hack leaked Bitcointalk's database which did not securely secure the Secret Question and Answer. To prevent people from guessing the answers, theymos made it so that accounts that are recovered using the secret question are automatically locked when the option is attempted. This is to prevent hackers who may be able to guess the answers from the leaked database.

If you have had your account locked, to recover it, please send an email to the email displayed on your screen when you try to log in. You can also create a new account and pm both theymos and badbear. In the email and PM, to prove your identity, you MUST sign a message with a bitcoin address that you have posted previously, at least 2 months prior. Please be patient. Theymos and BadBear are busy people. Your email or pm may become lost among all of the other stuff that they have to do. You should resend your email and pm once a week so that they will see it and get around to you. If you need help signing a message, check this thread: https://bitcointalk.org/index.php?topic=990345.0

If you haven't lost your password yet or you have regained access to the account, don't set the secret question, it can be a hassle. Make sure that you have the email set to an email address that you can access. That will make everything so much easier and will not require the long recovery process.
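
An added example, not part of the original post and not the forum's (SMF) code: one way to store secret answers so that a leaked table resists offline guessing, combined with the lock-on-attempt policy the post describes. The `Account` class, the function names, the PBKDF2 work factor and the return strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def _normalize(answer):
    # Fold case, whitespace and Unicode form so "  Fluffy " equals "fluffy".
    return unicodedata.normalize("NFKC", answer).strip().casefold().encode("utf-8")


def hash_answer(answer, salt=None):
    # A per-account random salt plus a slow KDF makes offline guessing against
    # a leaked table costly, unlike a fast unsalted digest.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:  # hypothetical record, not the forum's schema
    def __init__(self, email, secret_answer):
        self.email = email
        self.salt, self.answer_hash = hash_answer(secret_answer)
        self.locked = False
        self.audit = []  # (method, answer_matched) pairs for the admin review


def verify_answer(account, candidate):
    _, digest = hash_answer(candidate, account.salt)
    return hmac.compare_digest(digest, account.answer_hash)  # constant-time compare


def recover(account, method, candidate=None):
    """Policy from the post: a secret-question recovery attempt locks the account."""
    if account.locked:
        # Assumption: once locked, every self-service path is closed.
        return "locked_manual_review"
    if method == "email":
        return "email_reset_sent"
    if method == "secret_question":
        matched = verify_answer(account, candidate or "")
        account.audit.append((method, matched))
        account.locked = True  # lock whether or not the answer matched
        return "locked_manual_review"
    raise ValueError("unknown recovery method: %r" % (method,))
```
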

whywefight
Legendary
October 12, 2015, 10:19:17 PM
 #2

I don't get why it is still possible to use it as a lot of ppl lock themselves out... or just wipe all q and as out so ppl have to put in new ones...

Quickseller
Copper Member
Legendary
October 12, 2015, 10:29:02 PM
 #3

I think this was supposed to be a secret.

jacee
Legendary
October 12, 2015, 10:32:55 PM
 #4

So that is the reason why I locked myself before when I reset my account with the security question. So what then is the use of that feature if it can't be used properly? As for me I always want a secret question attached in all my accounts even outside this forum so I thought it's a good thing but then it's not. Why can't they just reset it all again anyway?
achow101 (OP)
Staff
Legendary
October 12, 2015, 10:37:13 PM
 #5

I think this was supposed to be a secret.
Why?

I made this since I always see at least 3 threads in the front page meta where people are complaining about being locked out of their accounts and they all tried to use the secret question to recover it.

achow101 (OP)
Staff
Legendary
October 12, 2015, 10:38:18 PM
 #6

So that is the reason why I locked myself before when I reset my account with the security question. So what then is the use of that feature if it can't be used properly? As for me I always want a secret question attached in all my accounts even outside this forum so I thought it's a good thing but then it's not. Why can't they just reset it all again anyway?
I don't get why it is still possible to use it as a lot of ppl lock themselves out... or just wipe all q and as out so ppl have to put in new ones...
I don't know. Ask theymos, he made it that way.

Quickseller
Copper Member
Legendary
October 12, 2015, 10:47:11 PM
 #7

I think this was supposed to be a secret.
Why?
I believe it was secret because the answers to the secret questions were leaked when the forum was hacked, and this data was stored in a way that would be fairly easy to hash the data to get the plaintext answers. Since it would be so easy to hack accounts via secret questions, accounts would need to be manually checked by an admin prior to allowing them to have their password reset this way. It should have been a secret so people who were attempting to hack accounts would not know which attack vectors were not going to work, discouraging people to even attempt to hack accounts.

What I find very strange is how tspacepilot's account was hacked, or at least "hacked" and then so quickly restored by theymos with the help of dooglus. Especially considering how most of these requests usually take weeks.

achow101 (OP)
Staff
Legendary
October 12, 2015, 11:19:22 PM
 #8

I think this was supposed to be a secret.
Why?
I believe it was secret because the answers to the secret questions were leaked when the forum was hacked, and this data was stored in a way that would be fairly easy to hash the data to get the plaintext answers. Since it would be so easy to hack accounts via secret questions, accounts would need to be manually checked by an admin prior to allowing them to have their password reset this way. It should have been a secret so people who were attempting to hack accounts would not know which attack vectors were not going to work, discouraging people to even attempt to hack accounts.
Huh. I could've sworn I saw a post by theymos himself saying that accounts were being locked if the security question was being used to unlock them. But now I can't find any such post.

I suppose I will leave this up since it may help people who lock themselves out. If it's a problem and theymos doesn't want it up, he can let me know, or just remove it himself.

syndria
Hero Member
October 12, 2015, 11:24:31 PM
 #9

Thank you for letting me know this, I'll remove my SQ now
Quickseller
Copper Member
Legendary
October 12, 2015, 11:28:02 PM
 #10

Huh. I could've sworn I saw a post by theymos himself saying that accounts were being locked if the security question was being used to unlock them. But now I can't find any such post.

I suppose I will leave this up since it may help people who lock themselves out. If it's a problem and theymos doesn't want it up, he can let me know, or just remove it himself.
A staff member previously posted something similar to this, I spoke to them about it privately and they removed it.

This is not exactly the private keys to the forum's bitcoin, however it is a security issue. IMO there is really no reason to remove the thread now since this has been posted for long enough.

jacee
Legendary
October 13, 2015, 12:43:56 AM
 #11

Thank you for letting me know this, I'll remove my SQ now

I have a question, how can I remove the security question in my account? I already set another security question when I got back my account from previous lock. Thanks!
achow101 (OP)
Staff
Legendary
October 13, 2015, 01:13:16 AM
 #12

Thank you for letting me know this, I'll remove my SQ now

I have a question, how can I remove the security question in my account? I already set another security question when I got back my account from previous lock. Thanks!
AFAIK you just make sure that both text boxes for the secret question are empty. IIRC the answer box will have a red warning next to it when you have one set, when it isn't set, that warning should disappear.

jacee
Legendary
October 13, 2015, 03:22:04 AM
 #13

Thank you for letting me know this, I'll remove my SQ now

I have a question, how can I remove the security question in my account? I already set another security question when I got back my account from previous lock. Thanks!
AFAIK you just make sure that both text boxes for the secret question are empty. IIRC the answer box will have a red warning next to it when you have one set, when it isn't set, that warning should disappear.

Ok thanks. Got it removed.
achow101 (OP)
Staff
Legendary
October 18, 2015, 02:22:23 PM
 #14

bump

jaberwock
Legendary
October 18, 2015, 03:51:23 PM
 #15

Why not just remove the secret question?
When the account is locked for security reasons you will have to sign a message from an unused address anyway

notlist3d
Legendary
October 18, 2015, 04:55:33 PM
 #16

Why not just remove the secret question?
When the account is locked for security reasons you will have to sign a message from an unused address anyway

I would guess it's that the forum really does not check email when you sign up. Some assumed secret message was enough. But after a while that big hack the secret messages were compromised.

So now you really need to sign with an address used or something else to prove ownership. Honestly everyone should stake an address
mexxer-2
Hero Member
October 18, 2015, 04:59:33 PM
 #17

I would guess it's that the forum really does not check email when you sign up. Some assumed secret message was enough. But after a while that big hack the secret messages were compromised.

So now you really need to sign with an address used or something else to prove ownership. Honestly everyone should stake an address
It does, you can't leave the email box empty. I also agree with the removal of secret question, why put something like that if it can lock your account, at least a warning like this should be available on the secret question page or new members may get themselves locked out while using this.
dothebeats
Legendary
October 18, 2015, 05:05:20 PM
 #18

Well I think that is also for security purposes. If one gained access to your secret answer, then you know the rest: they can get access to your account. This feature should be removed imo so that things like hacking wouldn't be that much of a problem when it comes to secret answers.

notlist3d
Legendary
October 18, 2015, 09:48:43 PM
 #19

Well I think that is also for security purposes. If one gained access to your secret answer, then you know the rest: they can get access to your account. This feature should be removed imo so that things like hacking wouldn't be that much of a problem when it comes to secret answers.

One day there will be a "new forum", not sure on the timeline of when we see the updated forum. I suspect then they might possibly address it or remove it.

I think that the chances of spending time programming on this forum to do it are slim. Just have it in meta and people will know not to use it.
ndnh
Legendary
October 19, 2015, 03:14:01 AM
 #20

I would say it is better to change OP to discuss "Do not have a secret question for your account. Why, and how to do it."

As QS said, I guess it is better to keep it a bit secret. Changing the title would help. Having a secret question for an account is not very useful.