~
Give me few minutes I am bringing up something...I never get an answer of the below post. Since you have created a topic already, I would like to bring everyone's attention into it, I assume we both are standing on the same page.
I am not sure if it has been discussed here or not but excuse my rush here...
Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure for my account too. Although I always use strong password, 2FA where applicable - all sorts of things to ensure the highest security but still anything can happen anytime. It could be my mistake or it could be system leak, which actually does not matter. What matters is once an accident happen then the account holder is facing all sorts of hassles which is frustrating.
Coming to my point...
Whenever your password is changed (except by an administrator), you will get an email about it.
Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.
I actually do not understand why the email is to lock?
Instead of the link to lock the account why not the system send an email asking to revoke the request if the change has not made by this email account holder?I think this could be a decent procedure....
If an account (bitcoinTalk) requests for password and/or email change then
send an email to the last registered email address asking for approval. Send a link which will confirm manual approval for the change requested. If the original user requested the change then they are liable for their action. Now,
if the user do not have access of the email address only then ask the mods/admins to help them out. I believe this small tweak in sending email, will be saving a lot of time for both the users who are victim and mods/admins.
Update:
A little correction...
For password change send approval email to the current registered email account and for email change send approval email to the last registered email.
Yes, confirming via email that it's you requesting a password change and not the hacker also makes sense, instead of locking it into the lottery of getting it recovered 10 years later.
I think the reason is that this forum has been hacked several times, as the hackers have been able to access all the sensitive data from the password to the email accounts "some have been changed."
Therefore, restoring accounts using email addresses will make it easy for anyone who has access to those emails to retrieve their password.
I also believe that the process of recovering accounts is not merely the signing/verification of a message "there is an investigation going on."
Based on theymos' programming capabilities, I think he can easily add this feature but must have a compelling reason.
As I pointed out, if someone gets your password because of this method, you can create an alt account, sign a bitcoin address you've posted in the past, and then the account would be closed for investigation.
But meanwhile, tons of people that legitimately own the account and can verify the bitcoin addresses, are stuck in this account limbo. So give people an easy way to recover it if they own the email, and if someone got your email address and you care about your account, you'll come here and get a btc address signed. You can't recover it without doing that anyway.
