Topic: Why People are getting Banned for using Security Question as Recovery Method??
SM23031997 (OP)
March 05, 2017, 05:44:50 AM
 #1

The Meta thread is full of people asking to recover their accounts, which are showing as compromised after using the security question as a recovery method.

Why are people getting banned for using the security question as a recovery method?

What should be done to stop this problem?

And what is the forum doing to stop this kinda problem, other than recovering their accounts one by one?
Quickseller
March 05, 2017, 06:54:16 AM
 #2

The forum was hacked in mid-2015, which resulted in some information being leaked, which included everyone's answer to their security question (those that had one), in a way so that little work was needed to decrypt the information into plaintext. As a security precaution, theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.

The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.
SM23031997 (OP)
March 05, 2017, 08:39:09 AM
 #3

Quote from: Quickseller
> The forum was hacked in mid-2015, which resulted in some information being leaked, which included everyone's answer to their security question (those that had one), in a way so that little work was needed to decrypt the information into plaintext. As a security precaution, theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.
>
> The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

If this is the reason, then why are admins taking 2-3 months to resolve someone's issue if they have valid proof of ownership? And if they had thousands of pending cases due to this, then they should find a solution to the problem.
Joel_Jantsen
March 05, 2017, 09:29:22 AM
 #4

Quote from: SM23031997
> If this is the reason, then why are admins taking 2-3 months to resolve someone's issue if they have valid proof of ownership? And if they had thousands of pending cases due to this, then they should find a solution to the problem.

1. Recovering lost accounts is the forum's least priority.
2. It becomes even tougher if you're not a known good contributor to the community. I have seen people with good trust and rep getting their accounts recovered faster.
3. That doesn't mean the accounts can never be recovered; it takes time, even months. All you can do is send admins the proof they want, as mentioned in the stickies, and send them monthly reminders.
Coin-Keeper
March 06, 2017, 09:07:44 PM
 #5

Quote from: Quickseller
> The forum was hacked in mid-2015, which resulted in some information being leaked, which included everyone's answer to their security question (those that had one), in a way so that little work was needed to decrypt the information into plaintext. As a security precaution, theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.
>
> The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.

I am not an Admin on this site, but I manage at others. One solution I could think of would be to do a full wipe of ALL security question answers on EVERY single account. Then site Mgmt could post a new Meta thread telling active users to re-establish a security response for the future. The previously hacked database out in the wild would be of no use any longer, and yet our active members could use the security challenge answer the way it is intended by the software designers. Just a little member making a suggestion, for whatever it's worth.

Valiance
March 06, 2017, 09:50:52 PM
 #6

Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?
actmyname
March 07, 2017, 10:31:46 PM
 #7

Quote from: Valiance
> Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?

I find that it's also kind of useless for security questions to exist since as long as you have the password to the account, you are able to change the answers to them with ease. In fact, with solely the password, one can do essentially anything they want (to the account - any transactions would likely require them to provide a signed message).

bamboylee
March 08, 2017, 12:00:10 AM
 #8

Quote from: Valiance
> Okay so I understand why people would get banned for using their security questions when there was a security breach, but why not remove security questions altogether and tell people why they need to know their password instead of banning people who might well have genuine intentions?

Does this mean we have no way to recover our account if we forgot our password? That is a pain. I have my account in remember forever. I am now afraid to log out because I might not get the password right and lock myself out of my account.
minifrij
March 08, 2017, 12:14:37 AM
 #9

Quote from: bamboylee
> Does this mean we have no way to recover our account if we forgot our password? That is a pain. I have my account in remember forever. I am now afraid to log out because I might not get the password right and lock myself out of my account.

You can ask an admin to change the password of your account; however, for low priority cases this can take up to a few months. You can also reset your password via email, I believe, if you have an email attached to your account.
You should probably change your password, install a password manager like LastPass and save it in there. That way it can be very secure and you won't lose it.
Quickseller
March 08, 2017, 12:34:28 AM
 #10

Quote from: Coin-Keeper
> Quote from: Quickseller
> > The forum was hacked in mid-2015, which resulted in some information being leaked, which included everyone's answer to their security question (those that had one), in a way so that little work was needed to decrypt the information into plaintext. As a security precaution, theymos set up the forum so that accounts would get banned if someone successfully answered their secret question.
> >
> > The obvious solution is to outright disable resetting of passwords via security question, especially now that it is well known that this will happen, so hackers are unlikely to even try to hack accounts this way, while the end user is frequently affected.
>
> I am not an Admin on this site, but I manage at others. One solution I could think of would be to do a full wipe of ALL security question answers on EVERY single account. Then site Mgmt could post a new Meta thread telling active users to re-establish a security response for the future. The previously hacked database out in the wild would be of no use any longer, and yet our active members could use the security challenge answer the way it is intended by the software designers. Just a little member making a suggestion, for whatever it's worth.

That is one option, although the risk is that users might create a new security answer that is very similar to the one they previously used.

I still do not see the rationale behind continuing to allow users to reset their passwords via their security question in the first place considering the result will always be a "security ban"
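
Added example, not part of the thread and not the forum's actual code: a sketch of the recovery policy discussed in posts #2, #5 and #10, where a correct answer that predates the breach locks the account instead of resetting the password, and a replaced answer restores normal recovery. The `Account` record, the function names, the return strings and the PBKDF2 storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _digest(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then apply a slow salted KDF so a stolen
    # table cannot be turned back into plaintext answers with little work.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)


@dataclass
class Account:  # hypothetical record, not SMF's schema
    salt: bytes
    answer_hash: bytes
    leaked: bool = True   # answer existed when the database was stolen
    locked: bool = False


def new_account(answer: str, leaked: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(salt, _digest(answer, salt), leaked)


def _matches(acct: Account, answer: str) -> bool:
    return hmac.compare_digest(_digest(answer, acct.salt), acct.answer_hash)


def recover(acct: Account, answer: str) -> str:
    if acct.locked:
        return "locked"
    if not _matches(acct, answer):
        return "denied"
    if acct.leaked:
        # A correct pre-breach answer proves nothing about ownership:
        # lock the account and send the case to manual review.
        acct.locked = True
        return "locked"
    return "reset_allowed"


def replace_answer(acct: Account, new_answer: str) -> bool:
    # Refuse exact reuse of the leaked answer. Near-matches cannot be
    # detected from a hash, which is the residual risk raised in post #10.
    if acct.leaked and _matches(acct, new_answer):
        return False
    acct.salt = os.urandom(16)
    acct.answer_hash = _digest(new_answer, acct.salt)
    acct.leaked = False
    return True
```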
VeryFunnny
March 13, 2017, 01:13:23 PM
 #11

Quote from: Joel_Jantsen
> Quote from: SM23031997
> > If this is the reason, then why are admins taking 2-3 months to resolve someone's issue if they have valid proof of ownership? And if they had thousands of pending cases due to this, then they should find a solution to the problem.
>
> 1. Recovering lost accounts is the forum's least priority.
> 2. It becomes even tougher if you're not a known good contributor to the community. I have seen people with good trust and rep getting their accounts recovered faster.
> 3. That doesn't mean the accounts can never be recovered; it takes time, even months. All you can do is send admins the proof they want, as mentioned in the stickies, and send them monthly reminders.

It's not so fast, and months to recovery is not a normal position here. In that case, would be only one here. Ppl look and read threads about the same problems, see how it's going and what the real position from admins is to solve their problems here, and go out or start to quit. The last two years show that trend here, better than tons of posts. It doesn't make any sense who made a security error at first; at first here is a problem with login that normal good users have (I was hacked two weeks ago, and what, status Legendary, +60 trust points, a few active topics that must be updated, gave all that is needed for recovery to admins, signed message from associated address, confirmation of my ownership of my account from other members of the forum, including exchanges, and what? I'm doing all that is needed to not be hacked, and how I'm getting that I don't understand, and why my account is not back to me I don't understand too), no feedback, it looks like ignoring, because not to see my threads and PMs is impossible, ignoring that it's possible to reset the email address or passphrase, it can take a few minutes maximum by admins, but ppl must wait months for getting back accounts. And if it's already all known that the forum was hacked in 2015, why can't it be hacked in 2017? Three years I'm here, it cost anything to admins, what feedback from the community do they want to get if they show the same position to the problems of community members, which can be solved only by administrator-level access?