Secret Question issue: theymos, consider hassle to recover locked account

[mdayonliner]

This is what I learnt today (lucky that it caught my eyes)...

Just to make it clear for the OP, a normal password & email change doesn't lead to this but instead "recovering the account using the secret question, is its cause".

I was about to reply the post then I though to create this new topic so that I can get attention of theymos and also can help few readers to know to be careful about using their secret question feature.

If you haven't lost your password yet or you have regained access to the account, don't set the secret question, it can be a hassle. Make sure that you have the email set to an email address that you can access. That will make everything so much easier and will not require the long recovery process.

- My suggestion (no pressure) is why not then remove the secret question feature from the profile setting page? This will help to save unnecessary locks.

i.e: To secure my account when I joined I did set my secret question. A fairly advanced user like me will do it always. But after seeing this post I am feeling lucky now that I will never touch the secret question section. There are/will be many members who are/will not aware of this and they will be locked easily. The way I see account hacking and locking is happening I wonder what would I do if my one get hacked. It really is frustrating to see people are trying to recover their account from months and still unsuccessful (some have really legit proof).

The forum is lacking organised FAQ section IMO.  

EDIT:
Please advice how do I remove secret question since I already set up one 

[actmyname]

-snip-

The secret question is usually the last thing that people will resort to when they have lost their password. With an email, you can retrieve the password through a simple reset. When a user doesn't have an email/loses their email wouldn't it make sense to lock an account for verification if they reset using the secret question?

Especially considering the fact that the answer is usually far less secure than passwords.

[bill gator]

- My suggestion (no pressure) is why not then remove the secret question feature from the profile setting page? This will help to save unnecessary locks.

Your suggestion will almost certainly be pushed aside and forgotten about. Secret questions have done more good than harm when it comes to protecting and recovering accounts. You talk about how much you hate to see how long it takes for people to recover their accounts, but this length of time will only increase if there is no "Secret Question". I'm a little uninformed on this issue, in the sense that I don't know if the Secret Question works at all. I've just avoided it like the plague since a few years back when all the hubbub around it happened.

A fairly advanced user like me will do it always.
It really is frustrating to see people are trying to recover their account from months and still unsuccessful (some have really legit proof).
The forum is lacking organised FAQ section IMO. 

You believe that it is a fairly advanced that doesn't read stickies or educate themselves on the security of their accounts?
The forum is not lacking in FAQ, because there are stickies in almost every single section that effectively act as such.

[TheBeardedBaby]

When I registered, I knew nothing about the forum and I had this option enabled. Now I'm wondering what will happen if I try to remove it, maybe lock my account, but for now I'm not touching it.
If anyone has disabled this function successfully, please let me know, I'm not willing to try myself.

[cntryboy_alt]

That is a good question... when my normal account got locked yesterday, I was resetting my password and just did the secret question since it popped up there, I wasn't even thinking.  (I have an unlock thread also, just waiting for theymos to help).

I was considering disabling the secret question option if and when my regular account is unlocked, but afraid to touch it as well.

[mdayonliner]

-snip-

The secret question is usually the last thing that people will resort to when they have lost their password. With an email, you can retrieve the password through a simple reset. When a user doesn't have an email/loses their email wouldn't it make sense to lock an account for verification if they reset using the secret question?

Especially considering the fact that the answer is usually far less secure than passwords.

Of course not. I do not know how the SMF reset function work but the stander reset procedures should be....
...When the Secret answer match with the users input then send a reset link or a new pass to the registered email. 

However I understand the issue here. Since we do not need to verify an email at the time of registration so it's complected.

~~

Bill I said IMO. Please please don't through out argues out of no where. Please do not blame me saying...

....doesn't read stickies or educate themselves on the security of their accounts?

Please.
This forum is full with information and but not organised for sure. There are a lot of information I have not even encountered yet so do you.

I'm a little uninformed on this issue, in the sense that I don't know if the Secret Question works at all.

See your statement. Does that not mean that you are also in doubt.

You can not expect someone to know everything about everything. This forum is an ocean mate.


You see the fears bill?

If anyone has disabled this function successfully, please let me know, I'm not willing to try myself.

I was considering disabling the secret question option if and when my regular account is unlocked, but afraid to touch it as well.

Please bill please... Thank you for understanding.

[bill gator]

This forum is full with information and but not organised for sure. There are a lot of information I have not even encountered.

How do you propose we organize this ocean of information? It is not meant to be perfectly organized, it is a forum and it operates as such. Any improvements are probably going to be seriously considered, and theymos would love to hear them. The information that you and I have not encountered can be accessed through the "Search" function. If you are asking for a re-cap of everything that's ever happened on the forum, good luck with that. There is not a single soul that is aware of everything going on here, or all of the information being presented. Indeed, I have forgotten more information that I've read here than I can remember. There is no "perfect" system to organize millions of people's thoughts and discussions.

You can not expect someone to know everything about everything. This forum is an ocean mate.

You must misunderstand me. I am not saying that someone is expected to know "everything about everything", but I am suggesting that people should spend a few minutes researching what should be high-priority issues. A very high-priority issue, would include things like Account Security, Bitcoin Security, Rules, Guidelines, How Bitcoin Works, etc.

You see the fears bill?
Please bill please... Thank you for understanding.

I see the fears and I share them with you guys. The security question has been proven to be a security flaw and so most people do not even have one set, from what I understand. I think it is goofy that it operates the way it does, too. I wish that it was fixed as much as the next user, because it's like a booby-trap to lock someone out of their own account. I imagine that with the new forum software being developed this will be a problem of the past.

I simply say it will be pushed aside, because it has been discussed to death and the result is where we are now. It's not an unreasonable thing to discuss, but it has already been done and I see nothing new being presented at this point.

[mdayonliner]

Bill the forum is not perfect. I accept it. I hope you do as well (there is nothing bad in not to be perfect). What we are doing is - trying to improve our experience for the forum. You, me, everyone who cares about the forum we all are doing the same. It's theymos's and other admins job what to chose and what not to coz they know better than you and me on what exactly need to do for the forum. They are the ultimate deciders.

You believe that it is a fairly advanced that doesn't read stickies or educate themselves on the security of their accounts?

This was really insulting without prior knowledge about me. On March 20th I calculated my logged in time per day was 2 hours 13 minutes, now it's gone to (approximately calculated) 3 hours 10 minutes/day!. It's around 16 hours a week. My question is spending purely 16 hours a week is a lot of time for a forum. Don't you think I read a lot on the forum also write?


Anyway the topic was about the security issue and let's be in it. It's no good bringing another dimension on the topic.

I see the fears and I share them with you guys. The security question has been proven to be a security flaw and so most people do not even have one set, from what I understand. I think it is goofy that it operates the way it does, too. I wish that it was fixed as much as the next user, because it's like a booby-trap to lock someone out of their own account. I imagine that with the new forum software being developed this will be a problem of the past.

Let's say I agree with you. The most don't even set one but the least (including me) who set, I guess they are the most serious BitcoinTalk users, right? Those most do not care much may be so, they don't look for any security. Don't we need to think about those least serious BitcoinTalk users in this case?

1.
It should not be like to deal with bunches of codes. In the front panel part, a little html change can disable users to take input of Secret Question.

Code:

<input type="text" name="SecretQuestion">

The standard one

Code:

<input type="text" name="SecretQuestion" disabled>

With disabled attribute.

Closely see the difference. It's only adding a disabled attribute in the HTML will not allow the users to set a secret question.

2.
On the password remainder page just delete the HTML cheackbox that represents for ask me my question.

These should not be harder than unlocking a lot of locked account for Secret Question issue. Plus the amount of hassle the members go through on recovering the locked account I guess.