Bitcoin Forum
Author Topic: Message To Beginners: Do not use Secret Question to reset account - It locks it  (Read 2897 times)
notlist3d (OP)
Legendary
October 20, 2015, 02:45:45 AM
 #1

Just noticed a trend in Meta of people getting locked out of their accounts for resetting and using the secret question.  It will actually lock your account due to security, and you have to get an admin and prove ownership, so it's a pain for you and the admins.  I'm hoping posting this here will slow the number of these we see in Meta.

I take no credit as far as figuring it out; read more here: https://bitcointalk.org/index.php?topic=1206977.0

I just figured it would be good to have here and hopefully save a few members some time.
Harry Hood
Sr. Member
October 20, 2015, 04:08:53 AM
 #2

Wow, great top tip for us...thanks.

Do you know if the Admins are planning to fix this flaw?

shorena
Copper Member
Legendary
October 20, 2015, 06:47:05 AM
 #3

Wow, great top tip for us...thanks.

Do you know if the Admins are planning to fix this flaw?

The accounts get locked because of the database breach a while back. The security answers and questions were stored in the database as a hash that was easier to attack than the (hashed) password itself. Thus the security question offered less security, and in order to avoid hijacking of old accounts the locking was implemented. It was not common knowledge at first. To me it seemed the admins tried to use it as a honeypot to find out more about the DB breach. As more and more users complained about their locked accounts it became more known, but probably only among those that read Meta on a regular basis.

Im not really here, its just your imagination.
alexrossi
Legendary
October 20, 2015, 07:01:45 AM
 #4

Afaik the secret question was always marked as a security flaw for btctalk accounts, so the common security measure was to leave it empty.

RealBitcoin
Hero Member
October 20, 2015, 07:09:19 AM
 #5

Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to Cheesy

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

VirosaGITS
Legendary
October 20, 2015, 09:57:28 PM
 #6

Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to Cheesy

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

Maybe set up a strong 2FA for authentication, so that people can simply use their Google Authenticator or such to recover their password. I'm not sure if the other password reset method lets you change your password without locking? By using your email account, I mean.


bitcoin revo
Legendary
October 20, 2015, 11:25:13 PM
 #7

Holy shit I didn't know this. Luckily I always put for security question something like: asfh8y3qkafju89eu, which is really hard to guess the answer to Cheesy

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

Maybe set up a strong 2FA for authentication, so that people can simply use their Google Authenticator or such to recover their password. I'm not sure if the other password reset method lets you change your password without locking? By using your email account, I mean.

I'm pretty sure that it doesn't lock your account, although I'm not 100% positive. I will tell you that 2FA will be included in the new forum, so at least members won't have a really good excuse if their accounts are hacked. ( Wink )

This should be added to the registration notification, or disabled completely. It seems to me a fatal flaw that can scare away many members.

I would say that adding a warning to the page where you reset your password via Secret Question would be smarter, if theymos isn't going to remove the auto-lock feature.
RealBitcoin
Hero Member
October 20, 2015, 11:31:23 PM
 #8


I would say that adding a warning to the page where you reset your password via Secret Question would be smarter, if theymos isn't going to remove the auto-lock feature.

They already added it, but you know newbies, they will get locked out eventually.

You need to warn them 5-6 times before they get it. It's really hard to get into bitcoin for undisciplined people, because this is the wild west.

TheGr33k
Hero Member
October 20, 2015, 11:33:09 PM
 #9

I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?
bitcoin revo
Legendary
October 20, 2015, 11:41:31 PM
 #10

I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.
notlist3d (OP)
Legendary
October 21, 2015, 12:30:25 AM
 #11

I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.

I think you got lucky; it is designed to be locked at this point.  As shorena said, the secret question answers were compromised in a hack a while back.  So it's kind of a safety measure to make sure they can't steal your account.

But here is a big tip for accounts:

Make sure to "stake" a bitcoin address you have access to prove you are owner if ever needed: https://bitcointalk.org/index.php?topic=996318.0
achow101
Staff
Legendary
October 21, 2015, 01:27:34 AM
 #12

I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?
It isn't with setting or changing it, but rather when you attempt to recover your password with it. If you try to recover your password using the secret question, you will be locked out. You can change it, and I would advise you to remove it completely.

TheGr33k
Hero Member
October 21, 2015, 01:36:12 AM
 #13

So at this point the "security" question is more of an account padlock and proves to be more of a detriment than anything..?
Does this mean if someone attempted to answer my secret question it would lock my account?
achow101
Staff
Legendary
October 21, 2015, 01:40:06 AM
 #14

So at this point the "security" question is more of an account padlock and proves to be more of a detriment than anything..?
Does this mean if someone attempted to answer my secret question it would lock my account?
Only if they get it right.
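
The locking rule described in the posts above, modelled as an added example that is not part of the thread and is not the forum's (SMF) code: a correct answer on the reset path locks the account, wrong guesses and profile edits do not. The `Account` record, function names, outcome strings and the PBKDF2 scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ROUNDS = 100_000  # assumed work factor; the thread does not name the forum's hash


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case/whitespace, then slow-hash with a per-account salt."""
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, ROUNDS)


@dataclass
class Account:  # hypothetical record, not SMF's schema
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    answer_hash: Optional[bytes] = None  # None means no secret question is set
    locked: bool = False
    audit: list = field(default_factory=list)


def set_secret_answer(acct: Account, answer: str) -> None:
    """Profile edit: setting, changing or removing the answer never locks."""
    acct.answer_hash = hash_answer(answer, acct.salt) if answer else None
    acct.audit.append("answer_changed")


def reset_via_secret_answer(acct: Account, answer: str) -> str:
    """Password-reset path: a correct answer locks instead of resetting."""
    if acct.locked:
        return "locked"
    if acct.answer_hash is None:
        return "unavailable"
    candidate = hash_answer(answer, acct.salt)
    if not hmac.compare_digest(candidate, acct.answer_hash):
        # Wrong guesses are logged but never lock, so a stranger cannot
        # lock someone out just by guessing.
        acct.audit.append("reset_failed")
        return "rejected"
    # Correct answer: the answer may come from the leaked database, so it
    # is treated as a tripwire and ownership must be proven to an admin.
    acct.locked = True
    acct.audit.append("locked_after_correct_answer")
    return "locked_pending_admin"
```

Removing the answer through the profile, as advised in the thread, makes the reset path return `unavailable`, so the tripwire can no longer fire.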

ikydesu
Hero Member
October 21, 2015, 04:57:25 AM
 #15

Well this is irony actually, secret question is basically used for recovery or make a reset password, but in this case otherwise it will be disaster.

This advice was already given a few months ago, but this thread is a nice reminder, especially for newbies.
Amph
Legendary
October 21, 2015, 07:20:22 AM
 #16

I removed it completely a long time ago, because bitcointalk itself was pointing out to me the dangerous part of having one.

I just write down my pass on an A4 paper, which is not hackable, and I'm done.
VirosaGITS
Legendary
October 21, 2015, 07:22:43 AM
 #17

I removed it completely a long time ago, because bitcointalk itself was pointing out to me the dangerous part of having one.

I just write down my pass on an A4 paper, which is not hackable, and I'm done.

I'm always wary of doing this, so I don't; instead I write down a reminder sequence that will let me rebuild the password safely, but without being me or going through massive efforts, it's not possible to just check my drawer to find my password.

I figure if I leave home for a while or lose my wallet, I don't want to have to change my passwords too.


notlist3d (OP)
Legendary
October 21, 2015, 01:06:20 PM
 #18

I removed it completely a long time ago, because bitcointalk itself was pointing out to me the dangerous part of having one.

I just write down my pass on an A4 paper, which is not hackable, and I'm done.

I'm always wary of doing this, so I don't; instead I write down a reminder sequence that will let me rebuild the password safely, but without being me or going through massive efforts, it's not possible to just check my drawer to find my password.

I figure if I leave home for a while or lose my wallet, I don't want to have to change my passwords too.

A piece of paper is honestly pretty hard to beat, just a little bit of a pain if you need it as it should be stored in safe or something.   But if you combine paper and code only you know you are right that is pretty much unhackable, only if keylogger or something then it could be taken from other things.   

I really like some of the 2FA things out there.  I have been looking at a few devices thinking about trying it on a site or two.  I want to give a yubikey a try but haven't yet - https://www.yubico.com/products/yubikey-hardware/
Mickeyb
Hero Member
October 21, 2015, 08:10:32 PM
 #19

I have a security question on my account and I didn't appear to have any problem changing/setting it recently.
Could this possibly be just for beginners or did I get lucky and dodge a bullet?

Your account gets locked if you use the secret question to change the password on your account, not just changing your secret question through your profile. As long as your account isn't hacked/you forget your password, you shouldn't need to worry about this.

Well, I don't even remember whether I enabled my security question or not, or even whether this was obligatory or not. It's been a while since I created this account.

So the safest is just not touch it and use it for password recovery. I will then just forget about it!
notlist3d (OP)
Legendary
November 09, 2015, 10:45:19 PM
 #20

Bumping as it's still happening so I figure some might need to read this - https://bitcointalk.org/index.php?topic=1214476.0

Do not use secret question to reset your account password.  I would suggest removing it if you have one.  It's a pain and possible waiting time to get account back.