Why changing the email and the password is so easy !!!!

[Karavadinos]

Recently my friend's bitcointalk account got hacked and unfortunatly for him he was not able to recover it, the hacker was able to change the email and password without being stopped due to the fact that bitcointalk system only sends you a notification mail to let you know that your informations were already changed, and the only way you can recover your account is by having a signed message which people only know about when it's too late, or by pming one of the administrators who have a busy schedule and probably won't reply to you even if you have a proof of ownership of the account.

What i'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not and also know if he is being hacked.

[1713992545]

1713992545

[1713992545]

1713992545

[1713992545]

1713992545

[1713992545]

1713992545

[pugman]

Because there is no 2FA yet and the passwords that most users keep is just as terrible as their shitposts. Guessing the passwords are more easier when hackers have access to usernames. Poor security measures are the reasons why. Slightly off topic :- When users sign in why doesn't the forum ask for email ids along with password rather than asking for username and password, because the latter only benefits the hacker?Users do get email notifications when someone tries to get access to their accounts, right?

[Karavadinos]

Because there is no 2FA yet and the passwords that most users keep is just as terrible as their shitposts. Guessing the passwords are more easier when hackers have access to usernames. Poor security measures are the reasons why. Slightly off topic :- When users sign in why doesn't the forum ask for email ids along with password rather than asking for username and password, because the latter only benefits the hacker?Users do get email notifications when someone tries to get access to their accounts, right?

No they don't get any notification when someone tries to access their account, they only get a notification when it's already too late and their email and password have been changed, and that's where the problem lies, they won't be able to know that they are being hacked.

[pugman]

Because there is no 2FA yet and the passwords that most users keep is just as terrible as their shitposts. Guessing the passwords are more easier when hackers have access to usernames. Poor security measures are the reasons why. Slightly off topic :- When users sign in why doesn't the forum ask for email ids along with password rather than asking for username and password, because the latter only benefits the hacker?Users do get email notifications when someone tries to get access to their accounts, right?

No they don't get any notification when someone tries to access their account, they only get a notification when it's already too late and their email and password have been changed, and that's where the problem lies, they won't be able to know that they are being hacked.

Some one tried to gain access to my account using the forgot password feature and I received an email, but I don't think you receive an email when some one gets access to your account and changes email /password /both. This suggestion of yours may or may not curb down the number of hacks but should be worth a shot.

[nullius]

Stake a Bitcoin address, and preferably, a PGP key.  (But n.b. that Segwit addresses cannot yet be used for this purpose.)

I think that current options for securing one’s account are inadequate.⁰  However, there do exist ad hoc ways to help protect your account.  If your account has any value to you, make the effort to do that—and also to improve your own security!  I’m sick of hearing about “accounts hacked” when, as far as I can tell, most or all (recent) such instances are matters of users being hacked.  I am not aware of any evidence that accounts are ever hacked, nowadays.

What i'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not and also know if he is being hacked.

What about people who lose access to an e-mail address, but legitimately know their own password?


0. For account recovery purposes, users should be able to somehow bind a PGP key fingerprint to an account—either permanently, or with a long timelock.  I mean this as a forum feature with a form widget on the user profile page, not the ad hoc “post your key here” threads.  I would also add Bitcoin keys, but for the aforestated problem with Segwit addresses.

I also want some means of public-key auth login.  I began writing a long post for Meta about that more than two months ago, when I was more or less brand-new.  However, browser makers have made this infeasible by effectually deprecating functionality required for TLS client certificate usage by websites; and there are other problems with TLS client certs.  I also considered SSH tunnels, etc.; but I know realistically that has negligible probability of actually happening.

[seven2smoke1]

I saw a lot of people here in Meta lost their accounts because of hacking, The majority are full members and senior members accounts, and sometimes Hero or legendary accounts. The problem is not on the signed message of the stacked btc address, but in the security weakness. I agree with the OP on that, because I already read a case like that. If the hacker knows the pseudo and the password of bitcointalk account, he can easily hack your account, and you can't do anything, Even the procedure of recovering the hacked account is too much hard, because Theymos and Cyrus take too much time to respond.
What I can suggest

1- Improve the bitcointalk account security using email verification when anyone login with a new device into the account.
2- Add a phone verification in case of login with a new device.
3- Add a new procedure for recovering a hacked account that doesn't take too much time.

[nullius]

The problem is not on the signed message of the stacked btc address, but in the security weakness.

What security weakness?  The users’ security weakness?  If you know of a security weakness in the forum, please report it and collect a bounty!

If the hacker knows the pseudo and the password of bitcointalk account, he can easily hack your account, and you can't do anything,

If a hacker knows the username and password, then there is nothing to hack!  That’s like saying that if a hacker knows your Bitcoin private keys, he can “hack” your wallet.

1- Improve the bitcointalk account security using email verification when anyone login with a new device into the account.

That would be extremely annoying, and of little or no use to users who know how to secure their own passwords.  Also, for Tor users, it would effectually mean an e-mail verification for each and every login.

2- Add a phone verification in case of login with a new device.

I don’t have a phone.  (At least, not one that you or the forum will ever know about.)  What do you suggest I should do?

3- Add a new procedure for recovering a hacked account that doesn't take too much time.

I have a better idea:

4. Choose a strong password, and keep it secure.

HTH.

[shield132]

There was discussion about it in the past but seems theymos didn't take care of it.
All you need currently to keep your account secure is very good password. There was a fact of hacking famous members too. I remember how condoras sent btc to one member (can't remember username) and lost it because account was hacked and real owner lose control on it. Condoras trusted blindly and didn't ask for signing a message. (I talk about loans)
Btw real way here is signing a message from your bitcoin adress which must be actively used here and then you need a lot of wait to get response on your pm from moderator, usually from Cyrus. There is another way to prove ownership if you can't sign a message but that will take a lot of time and won't worth for it (messages and etc for example).

[nullius]

All you need currently to keep your account secure is very good password.

That means a randomly generated password of sufficient length, used only for this site and nowhere else.  May I suggest use of a good password manager (non-“cloud”-based).

You also need to prevent your computer from being compromised.  Accounts are not being hacked.  Users are being hacked.

[Happydd]

Changing your password and email is easy. This is very convenient for email users. This will help us protect our privacy. If you feel your password is expired then you change it. Or sometimes you forget the password you can get back the password.

[Shenzou]

Recently my friend's bitcointalk account got hacked and unfortunatly for him he was not able to recover it, the hacker was able to change the email and password without being stopped due to the fact that bitcointalk system only sends you a notification mail to let you know that your informations were already changed, and the only way you can recover your account is by having a signed message which people only know about when it's too late, or by pming one of the administrators who have a busy schedule and probably won't reply to you even if you have a proof of ownership of the account.

What i'm suggesting here is to add another layer of security, so that when you want to change the email or the password, a verification mail would be sent to the current email and the owner would have the option to accept it or not and also know if he is being hacked.

I think this actually might be helpfull because, new people don't know about signed messages until its too late and they got their accounts stolne, having a good or a bad password is not the issue, anyone is vulnerable to get hacked, and there is nothing worst than losing your account that you spend a lot of time on it.

[nullius]

I think this actually might be helpfull because, new people don't know about signed messages until its too late and they got their accounts stolne,

This is why I think user education is important.  For a forum dealing with what is now colloquially called “crypto”, only an astonishly small proportion of users are crypto-savvy.

One of my first thoughts on seeing anything Bitcoin-related is, “Why isn’t public-key crypto used for all authentication?”  Of all places, the Bitcoin Forum should lead with that!  If you use Bitcoin, you should also use PGP, at the bare minimum; and the attention brought by Bitcoin makes for an opportunity to introduce more people to what old cypherpunks call “crypto”, resulting in more security all-around.

having a good or a bad password is not the issue,

Password crackers would beg to differ.  Most passwords are laughably weak.  The way you said that, I am guessing that that includes your password, too.

anyone is vulnerable to get hacked,

In this context, that’s the wrong attitude; it encourages people to give up and keep their security weak.  Yes, everything out there is broken.  The state of the industry is horrific.  Most people have bad security because they don’t care about security, don’t put any effort into it—and won’t pay for it, which is why the state of the industry is horrific.

I think the NSA could probably hack me.  I’m sure that forum account thieves can’t.  So much for “anyone is vulnerable”.

[kazakova]

Actually, this works like this on almost all the forums in same way. I am not sure what protection is here for brute force attacks.

[Wipro]

Actually, this works like this on almost all the forums in same way. I am not sure what protection is here for brute force attacks.

As of now they will send the push  notification to previous e-mail when the password and email address has been changed. However, you will be able to report the moderator hilariouscando and Theymos about account hacking issue.
OP mentioned would be good idea to secure the forum reputation from the hackers stealing accounts. After blocking and recovering and all a burden and extra efforts for moderators crew but implementing the Authentication push up to mail would better to secure everyone account.

Or directly take out the password and reset option under every account and implement the link 'change password' this should push reset link to concern email. For email, authentication link first to the old email and verification link to new email. This is also works better.

[longlivecapitalism]

To be honest, I find the security measures in this forum ludicrous especially if you consider that many accounts here belong to members who are trying to start or promote a business, whether that is a cryptocurrency coin/token or trading or something else. There's no confirmation e-mail even. At first, when I signed up I thought I had made a mistake in typing my e-mail and it had gone to a wrong address. There's no 2FA, no SMS verification, nothing... It's basically a hacker's paradise.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point. I think that the powers that be of this forum should try to look at this from the members' point of view. There's a huge chance that at some point many of our accounts will be hacked. I've seen it happen and I've seen the huge inconvenience it has caused.

So, please, if any moderator reads this, do not act defensively to my words. I only seek to protect myself and the rest of the members. Please, give us a second security measure besides our password to ensure that we'll be safer and that our accounts will not fall into the wrong hands. Remember, accounts in the wrong hands won't be beneficial for you guys either since these guys will probably sell these accounts to third parties of scammers or spammers.

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

[Maum]

The security mechanisms here in the forum are smart and forward-looking.
In the event, that an account is hacked here and the password / email address is changed, a link is sent to the old email, with which the account can be blocked.
Read this thread for further info:
https://bitcointalk.org/index.php?topic=2282758.msg23164732#msg23164732
In case, that the email address is lost, the email address here can easily be changed.
And it is easy to generate a Bitcoin address that can be staked here
https://bitcointalk.org/index.php?topic=996318.0 and be used to sign a message. Just study the section "Beginners & Help".

[nullius]

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

That would do little against spammers who can easily avail themselves of bulk numbers for SMS; but it would instantly evict me from the forum.  Mandatory phone “validation”!?  It is reprehensible even to suggest that on a forum where many legitimate users, including Satoshi Nakamoto, exclusively connect(ed) through anonymity networks.

Fortunately, this has absolutely zero chance of ever happening here; and it’s a waste of everybody’s time for you to even mention it.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.

If you don’t control your own private keys, then you are not using Bitcoin.  Forgive me if I am underwhelmed by your opinions about the Bitcoin Forum.

[longlivecapitalism]

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

That would do little against spammers who can easily avail themselves of bulk numbers for SMS; but it would instantly evict me from the forum.  Mandatory phone “validation”!?  It is reprehensible even to suggest that on a forum where many legitimate users, including Satoshi Nakamoto, exclusively connect(ed) through anonymity networks.

Fortunately, this has absolutely zero chance of ever happening here; and it’s a waste of everybody’s time for you to even mention it.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.

If you don’t control your own private keys, then you are not using Bitcoin.  Forgive me if I am underwhelmed by your opinions about the Bitcoin Forum.

Well, for starters, I don't care if it's mandatory or not. Which is why I added it as a PS, an afterthought if you will, that the moderators should consider it. I would like the phone number validation to be an option, though. Most people have a phone.

I'm not sure a discussion over whether I am using Bitcoin or not is worth having with a person who doesn't have a phone.

Written from my phone  

[nullius]

I'm not sure a discussion over whether I am using Bitcoin or not is worth having with a person who doesn't have a phone.

Neither did Satoshi Nakamoto, in this context.  Not that that would matter to one of the ovine imbeciles who exclusively keeps money on exchanges.  Baa, baa.  Do you even know what a private key is?  It is self-evident that you neither know nor care why private keys are important.

Written from my phone 

That’s not something to brag about.  That you think it is, says much about you.  But not as much about you as your attitude about private keys.

The Bitcoin Forum is for users of Bitcoin.  By definition, such people have private keys.  Those who don’t are serfs, living on a master’s estate and at his mercy.  As a serf, you should know your place, and never expect anybody to take your opinion seriously.  How dare you come on the Bitcoin Forum and complain that it’s such an imposition to have a private key?

Well, for starters, I don't care if it's mandatory or not. Which is why I added it as a PS, an afterthought if you will,

Logic failure.  What you said was this:

PS: The phone validation would solve lots of problems with spammers in this forum. Just saying.

How could that even try to solve any spam problems, if it were not mandatory?  I do not expect that spammers would “opt-in”.  Had you been advocating optional SMS “verification”, you would not have suggested it to be an antispam measure.

[LoyceV]

I wouldn't like to see 2FA added, it's another layer that can fail and take away my access to the forum. Besides, there's another reason why phone or email verification is a bad thing: privacy! Theymos respects privacy, and privacy shouldn't be compromised for security.

That means a randomly generated password of sufficient length, used only for this site and nowhere else.  May I suggest use of a good password manager (non-“cloud”-based).

I use KeePass (for Windows), KeePassX for Linux, or a different version for anything from iPad to Blackberry.
If you're not using one yet: get a decent password manager, spend a few hours setting it up for all your accounts (don't forget to backup the database!), and keep it updated for all new passwords you create in the future.
I'm pretty sure nobody will ever be able to brute-force my password, but I changed my password anyway after the forum got hacked (a few years back).

One of my first thoughts on seeing anything Bitcoin-related is, “Why isn’t public-key crypto used for all authentication?”  Of all places, the Bitcoin Forum should lead with that!  If you use Bitcoin, you should also use PGP, at the bare minimum; and the attention brought by Bitcoin makes for an opportunity to introduce more people to what old cypherpunks call “crypto”, resulting in more security all-around.

I regret not being more private when I joined here, but it's too late to change that now.

Most passwords are laughably weak.

Several lists show the most common passwords, #1 is 123456. For PIN codes, #1 is 1234!

To be honest, I find the security measures in this forum ludicrous especially if you consider that many accounts here belong to members who are trying to start or promote a business, whether that is a cryptocurrency coin/token or trading or something else. There's no confirmation e-mail even. At first, when I signed up I thought I had made a mistake in typing my e-mail and it had gone to a wrong address. There's no 2FA, no SMS verification, nothing... It's basically a hacker's paradise.

I have never in my life had any forum account compromised. It's entirely up to you to keep your account secure.

Staking Bitcoin address? Well, sorry that I don't have a permanent one. All my Bitcoin addresses are given to me by exchange sites so there would be no point.

You can easily print a paper wallet, stake the address, and keep it secure in case you need it.