Bitcoin Forum
Topic: Automated password recovery
cellard
July 29, 2018, 06:04:17 PM
 #1

What is the exact reason that we can't just get an automatically generated password to regain control of an account for which we lost our password for whatever reason, instead of just having to lock it pretty much forever (since it seems it's next to impossible to recover them, even after presenting sufficient cryptographic evidence through several signed bitcoin addresses)?

Just let us request a new automatically generated password which is sent to the email we use here, then we can be back in minutes, instead of wasting everyone's time with endless queues (the meta section is now just a big queue of people wanting to recover their accounts).

If someone maliciously gets access to an account via the automatically generated password, the real owner can just come here and sign an address, then in this case it would make sense to look at it individually.

mdayonliner
July 29, 2018, 06:11:26 PM
 #2

~
Give me a few minutes, I am bringing up something...

I never got an answer to the post below. Since you have created a topic already, I would like to bring everyone's attention to it; I assume we are both on the same page.
I am not sure if it has been discussed here or not, but excuse my rush here...

Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure about my account too. Although I always use a strong password, 2FA where applicable - all sorts of things to ensure the highest security - still anything can happen anytime. It could be my mistake or it could be a system leak, which actually does not matter. What matters is that once an accident happens, the account holder faces all sorts of hassles, which is frustrating.

Coming to my point...
Whenever your password is changed (except by an administrator), you will get an email about it.

Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.

I actually do not understand why the email is to lock. Instead of the link to lock the account, why doesn't the system send an email asking to revoke the request if the change was not made by this email account holder?

I think this could be a decent procedure....
If an account (bitcoinTalk) requests a password and/or email change, then send an email to the last registered email address asking for approval. Send a link which will confirm manual approval of the change requested. If the original user requested the change, then they are liable for their action. Now, only if the user does not have access to the email address, ask the mods/admins to help them out. I believe this small tweak in sending email will save a lot of time for both the users who are victims and the mods/admins.


Update:
A little correction...
For a password change, send the approval email to the current registered email account, and for an email change, send the approval email to the last registered email.
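
The approval-before-change flow proposed in the post above, as an added example that is not part of the original post and not the forum's own code. The class, field names and in-memory storage are hypothetical, and the 14-day token lifetime is an assumption borrowed from the lock link's validity.

```python
import hashlib
import secrets
import time

# Assumption: approval links live as long as the 14-day lock link mentioned above.
APPROVAL_TTL = 14 * 24 * 3600


class ChangeApprovals:
    """Hypothetical model: a change is staged, never applied, until approved by mail."""

    def __init__(self, now=time.time):
        self.accounts = {}  # user -> {"email": ..., "password_hash": ...}
        self.pending = {}   # sha256(token) -> (user, field, new_value, expires_at)
        self.outbox = []    # (recipient, token); stands in for sending the e-mail
        self.now = now

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a database leak yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, user, field, new_value):
        if field not in ("email", "password_hash"):
            raise ValueError("unsupported field")
        token = secrets.token_urlsafe(32)
        expires_at = self.now() + APPROVAL_TTL
        self.pending[self._digest(token)] = (user, field, new_value, expires_at)
        # The mail goes to the address on file *before* the change: the current
        # address for a password change, the old address for an e-mail change.
        self.outbox.append((self.accounts[user]["email"], token))

    def approve(self, token):
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False
        user, field, new_value, expires_at = entry
        if self.now() > expires_at:
            return False
        self.accounts[user][field] = new_value
        return True


if __name__ == "__main__":
    svc = ChangeApprovals()
    svc.accounts["alice"] = {"email": "old@example.org", "password_hash": "h1"}  # constructed
    svc.request_change("alice", "email", "new@example.net")
    recipient, token = svc.outbox[-1]
    print(recipient, svc.accounts["alice"]["email"], svc.approve(token))
```

As a later reply in this thread points out, a flow like this does not help when the attacker also has access to the user's mailbox.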


ETFbitcoin
July 29, 2018, 07:09:48 PM
 #3

Surely this has been mentioned a few times; some members even suggest automated account recovery with a signed message from a known bitcoin address. I'm sure theymos has the ability to do this.

System to prove account ownership and recovery automatically - Demo included
Proposal: prevent account hack
When will the account recovery problem be solved?


LTU_btc
July 29, 2018, 08:05:54 PM
 #4

Well, I also posted a similar question a few days ago and already wanted to start a thread about it, but you were faster than me.
If admins don't have time to recover hacked accounts, then I'm not sure that the feature to lock accounts is needed. If the password/email address was changed, maybe it would be better to send a notification with an option to cancel these changes. Something similar to what we have on some exchanges - when we make a withdrawal we get an email notification with options to confirm or cancel the withdrawal. Such a feature would make account hacking more difficult and users wouldn't need to lock their accounts anymore.
I also don't understand why it's necessary to lock accounts if there is a small chance that it will be restored. My suggestion wouldn't solve the problem completely, because it wouldn't help if the hacker also has access to the user's email. But it would reduce the number of hacked accounts significantly. Admins wouldn't get so many requests to restore accounts anymore. It would be really nice to hear something from theymos about this problem because it's getting worse and worse and something has to be done to solve it.

hugeblack
July 29, 2018, 08:58:50 PM
 #5

I think the reason is that this forum has been hacked several times, as the hackers have been able to access all the sensitive data from the password to the email accounts "some have been changed."
Therefore, restoring accounts using email addresses will make it easy for anyone who has access to those emails to retrieve their password.
I also believe that the process of recovering accounts is not merely the signing/verification of a message "there is an investigation going on."
Based on theymos' programming capabilities, I think he can easily add this feature but must have a compelling reason.

cellard
July 30, 2018, 03:35:06 PM
 #6

Quote from: mdayonliner
> ~
> Give me a few minutes, I am bringing up something...
>
> I never got an answer to the post below. Since you have created a topic already, I would like to bring everyone's attention to it; I assume we are both on the same page.
> I am not sure if it has been discussed here or not, but excuse my rush here...
>
> Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure about my account too. Although I always use a strong password, 2FA where applicable - all sorts of things to ensure the highest security - still anything can happen anytime. It could be my mistake or it could be a system leak, which actually does not matter. What matters is that once an accident happens, the account holder faces all sorts of hassles, which is frustrating.
>
> Coming to my point...
> Whenever your password is changed (except by an administrator), you will get an email about it.
>
> Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.
>
> I actually do not understand why the email is to lock. Instead of the link to lock the account, why doesn't the system send an email asking to revoke the request if the change was not made by this email account holder?
>
> I think this could be a decent procedure....
> If an account (bitcoinTalk) requests a password and/or email change, then send an email to the last registered email address asking for approval. Send a link which will confirm manual approval of the change requested. If the original user requested the change, then they are liable for their action. Now, only if the user does not have access to the email address, ask the mods/admins to help them out. I believe this small tweak in sending email will save a lot of time for both the users who are victims and the mods/admins.
>
> Update:
> A little correction...
> For a password change, send the approval email to the current registered email account, and for an email change, send the approval email to the last registered email.


Yes, confirming via email that it's you requesting a password change and not the hacker also makes sense, instead of locking it into the lottery of getting it recovered 10 years later.

Quote from: hugeblack
> I think the reason is that this forum has been hacked several times, as the hackers have been able to access all the sensitive data from the password to the email accounts "some have been changed."
> Therefore, restoring accounts using email addresses will make it easy for anyone who has access to those emails to retrieve their password.
> I also believe that the process of recovering accounts is not merely the signing/verification of a message "there is an investigation going on."
> Based on theymos' programming capabilities, I think he can easily add this feature but must have a compelling reason.

As I pointed out, if someone gets your password because of this method, you can create an alt account, sign a bitcoin address you've posted in the past, and then the account would be closed for investigation.

But meanwhile, tons of people that legitimately own the account and can verify the bitcoin addresses, are stuck in this account limbo. So give people an easy way to recover it if they own the email, and if someone got your email address and you care about your account, you'll come here and get a btc address signed. You can't recover it without doing that anyway.

mdayonliner
July 31, 2018, 08:53:44 AM
 #7

~
There is hope, and I hope I am not spreading a rumor :)

IIRC, the PM was from ~1 month ago and theymos said that he would try to code it in a few weeks. So it should be out soon. So it will definitely be available in the current forum software (SMF), and not only when the new software comes out.
You realize a number of eyeballs are looking at you now?(!) :)

I cannot wait to see the outcome. More or less all of us are actually worried about account security and the time it takes to recover.


Update...
If you have not posted that addy elsewhere, it probably won't be accepted.


We don't actually accept the profile field address unless there's some sort of proof that it's remained unchanged, for that very reason.

I'm working on a new address-staking system which will automatically handle signatures, etc. Might have it ready by the end of the month if nothing else comes up to consume my time.

Fantastic, thank you.
