[Security tips]Someone Just tried to reset my password

[mdayonliner]

Whoever you are, trying to get my account please go away... Now my password is stronger then ever FYI. This is what happened few minutes ago.

I received an email...




Meaning someone was trying to reset my password.

IP location locates me in Saudi Arabia



Here is the procedure, if I click the link on my email then it will ask me to set a new password. I do not see how this will benefit the one who requested the password change. Is there any possible way for him/her?

Anyway, this is what I am having in mind... always check the IP location for this kind of sensitive security change even if you are doing by yourself. If you don't see the IP is yours then do not click the link.

[1714914196]

1714914196

[1714914196]

1714914196

[1714914196]

1714914196

[1714914196]

1714914196

[pugman]

People have tried to do that to my account as well, couple of times, I didn't bother much. The security of one's account in this forum is non-existent.

Anybody can try to reset your password. It doesn't mean that they have access to your password. And the IP location is definitely a VPN(I guess).

theymos should actually consider focusing some time on the security, cause I don't see the new forum coming around any soon or at all.

I could list a few to avoid hacks:

- Use email id to login instead of username. 90-95% of the accounts won't be hacked unless there is a loophole to it.

- Bring in 2FA(email or through apps like Google authenticator/Authy etc), of any sort. People won't necessarily lose their privacy.

I think these two should be more than enough for now, there are more things, but at least hope for these to be implemented.

PS: I know adding all this is complicated to SMF, but theymos has paid more than a million dollars to Slickage(the ones who are behind creating the new forum and also helped the merit system to be implemented),so I am sure they can take care of minor security flaws. 

[vphasitha01]

So what would happened if someone wants to change their password by clicking the reset button with the separate IP location where IP was banned by bitcointalk forum. But the initial account registration has been done in a country where IP addresses were not banned by the forum. Do we need to reset the password within the IP addresses where that member got registered at the first place?

Because sometimes I heard some people are saying that reset thing ultimately endup being locked their profiles.

[mdayonliner]

Guys this is scary now!!! I got logged out just a minute ago!!! Anybody is experiencing this?

Sorry for the big bold typo

~

I am really not sure why theymos is so quiet in this security issue. Apparently this logout thinggy stopped my heartbeat for few seconds.

So what would happened if someone wants to change their password by clicking the reset button with the separate IP location where IP was banned by bitcointalk forum. But the initial account registration has been done in a country where IP addresses were not banned by the forum. Do we need to reset the password within the IP addresses where that member got registered at the first place?

You can change your password from any IP, it does not have to be the same when you registered

[Quickseller]

You were probably logged out by an admin when you posted concerns about the email. The purpose was probably to invalidate the reset email.

[mdayonliner]

You were probably logged out by an admin when you posted concerns about the email. The purpose was probably to invalidate the reset email.

This actually can be done but I really have doubt about it. We are witnessing 100s of accounts hacking and stuffs but admin/s are actually very quiet in it. My account is no special for them to be taken care of. But I really hope this is the case.

[krishnaverma]

There are ways to cause force log out for users. I have read reports for such bug submissions on other sites. I am not saying that such a  bug exists here also but that may be the reason why OP got logged out automatically.

[Piggy]

On the other hand could also be some user with a similar account name, of which he could not remember the username and guessed it wrong.

In any case better to be always alert, in particular while receiving links which "should" point to bitcointalk.

[darklus123]

People have tried to do that to my account as well, couple of times, I didn't bother much. The security of one's account in this forum is non-existent.

Anybody can try to reset your password. It doesn't mean that they have access to your password. And the IP location is definitely a VPN(I guess).

theymos should actually consider focusing some time on the security, cause I don't see the new forum coming around any soon or at all.

I could list a few to avoid hacks:

- Use email id to login instead of username. 90-95% of the accounts won't be hacked unless there is a loophole to it.

- Bring in 2FA(email or through apps like Google authenticator/Authy etc), of any sort. People won't necessarily lose their privacy.

I think these two should be more than enough for now, there are more things, but at least hope for these to be implemented.

I actually discovered this two tips on my own before when someone was also trying to reset my password.  2FA is really a big thing when it comes to security

PS: I know adding all this is complicated to SMF, but theymos has paid more than a million dollars to Slickage(the ones who are behind creating the new forum and also helped the merit system to be implemented),so I am sure they can take care of minor security flaws. 

Exactly, I personally don't know this person but if he is a part of this forum then might as well he can put some effort for this community. After all this person is being paid a lot and adding some security features is really not a big thing I guess?

[esmanthra]

I received an email...

It reminds me of that case. It turned out then that user's PC was compromised by dint of virus which climbed in through the router vulnerability. Afterwards if was supposed that cookie leak also took place. Besides it can be expedient to check the e-mail (though it wasn't involved in the mentioned case, it can be affected in yours).

some people are saying that reset thing ultimately endup being locked their profiles

It concerns only the reset via security question.

[mdayonliner]

Guys this is scary now!!! I got logged out just a minute ago!!! Anybody is experiencing this?

Sorry for the big bold typo

This has been answered by theymos yesterday. Sorry I could not keep up with the updates on this topic....

- If you logout on one session, all of your sessions are logged out.
- When you change your password, your session length is changed to 1 hour, so you will soon be logged out.

This is what I wanted to know. Thanks mate. You are a star!