PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

[jackbox]

Thank you, I will do that. It just seems strange that there is no option to turn of the "feature" completely. There are a lot of people who don't browse the different forum sections and simply don't know about the issue. I won't forget it anymore though  

There is.

Leave both fields blank in the secret question section.

It will disable it.


~BCX~

I understand that you can have it turned off, I actually had it turned off before, but thought I'd improve the security. I ment it's strange that the possibility of adding a secret question is still in there, if the feature is bugged and gets people locked out (for months).

Unfortunately it is not a bug. A while back the user database of the forum was hacked. Logins were compromised. Theymos did it so the hackers could not get the password via the reset option. And they purposely kept it secret so the hackers would not know about it. They won't be turning it off. Just need to know or once you do it and get your account reinstated you will never do it again. But someone who did have a BTC address six months prior in a post or signature has no chance of recovering the account.

[1714808535]

1714808535

[1714808535]

1714808535

[1714808535]

1714808535

[1714808535]

1714808535

[1714808535]

1714808535

[BitcoinEXpress]

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~

[muleroaa]

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?

[BitcoinEXpress]

I am not sure how robust of a solution this is. Not everyone is going to see this warning (or even visit Meta on any kind of regular basis), so they will not know to remove their security question and to not attempt to use it to reset their password to their account.

I originally set it to display red text "You have a secret question set, this is not recommended" if there was a secret question set.

If no secret question is set, you will not see this warning.



~BCX~

BitcoinEXpress, cheeky question: Since you are able to make changes to the forum, are you also able to unlock accounts?

Unfortunate typo as English is not my primary language.

I meant to say


It was originally set to display red text "You have a secret question set, this is not recommended" if there was a secret question set.



Only Theymos and BadBear have the technical abilities to unlock accounts.


I'm just a regular member.



~BCX~

[FFrankie]

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

[jackbox]

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You do not want to set a secret question. If you use it to recover your password your account will be immediately frozen.

[ndnh]

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

[minifrij]

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

It won't anymore, it will just be useless considering the account would just be locked if it were used.

What that quote is saying is about secret questions in general. Accounts only began to be locked after the forum was last compromised, as the secret questions and answers were leaked and could be decrypted to hack into accounts.

[notlist3d]

Is this why I can not make a secret question? I would assume so, but I figured I would ask anyway I did not see it in this thread anywhere

You can (can't you??). But you probably should not.

It will make your account vulnerable. (which is why the account gets locked to protect account theft when that is used to recover account)

Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account.

If you made it now it is not that the question would make it vulnerable.  It is that there was a past security breach where the ones at that time were compromised.   So a security question in itself is not really making it vulnerable, but the problem is account's that have same security question now as time of breach.    It also becomes even harder with inactive accounts as chances of changing security question are none.

So the security question now locks to prevent compromise.   It is a pain for those who hit it but it is considered known now, and we really have a LOT less using security questions now then we did say in October of 2015.  If you look back there was quite a few more then say today it has went down drastically that more users know it locks account's.