Bitcoin Forum
Topic: [Guide] Bitcointalk account security (Read 2340 times)
F2b
Hero Member
*****
Offline Offline

Activity: 2077
Merit: 863


View Profile
August 20, 2018, 10:32:25 AM
 #21

Great guide! It brings together all the information new members and hacked members need to have. A very good summary.

Do you allow translations of this guide into other languages?
sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 20, 2018, 12:40:42 PM
 #22

Update: [GUIDES] on Bitcointalk. Index thread (work in progress).
When there is a child board, insubstantial topics can be Reported and moved. As an alternative: if users can't create new topics on that board, only Mods can move existing good topics, which keeps the quality high.
Thanks, looks good, this will be very useful.

Yes this is a nice index thread covering a wide range of topics.  This one https://bitcointalk.org/index.php?topic=1217042.0 is also useful.

I would also add in the password section that one shouldn't use the same password for multiple websites.
It was written so in the OP.

Do you allow translations of this guide into other languages?
Yes, go ahead for any languages except Japanese since I've started to work on it; no need to duplicate the effort.
F2b
Hero Member
*****
Offline Offline

Activity: 2077
Merit: 863


View Profile
August 20, 2018, 12:42:30 PM
 #23

Do you allow translations of this guide into other languages?
Yes, go ahead for any languages except Japanese since I've started to work on it; no need to duplicate the effort.
Thanks!
jointherevolution
Jr. Member
*
Offline Offline

Activity: 229
Merit: 3

EndChain - Complete Logistical Solution


View Profile
August 20, 2018, 06:13:22 PM
 #24

Thanks for taking time to put together this guide. I obtained some tips to make my password stronger from this.

sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 22, 2018, 09:27:01 AM
Last edit: August 22, 2018, 01:39:50 PM by sncc
 #25

Bump.  Still see many accounts are hacked, hope more users learn the security.
TheBeardedBaby
Legendary
*
Offline Offline

Activity: 2184
Merit: 3134


₿uy / $ell


View Profile
August 22, 2018, 09:39:02 AM
Last edit: August 22, 2018, 10:03:58 AM by iasenko
 #26

Bump.  Still see many accounts are hacked, hope more users learn the security.

I think this should be in the stickies, for better exposure. Wonder why it's not there yet.

sry, hilarious I couldn't resist it..




Welsh
Staff
Legendary
*
Offline Offline

Activity: 3262
Merit: 4110


View Profile
August 22, 2018, 07:54:08 PM
Merited by dbshck (1)
 #27

Theymos mentioned recently that he's not completely opposed to delegating more responsibilities onto others for account recoveries. I imagine he would have to make sure that they were capable of it, but I'm sure hilariousandco and the like would be more than capable of it.
sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 25, 2018, 03:35:01 PM
Merited by dbshck (1)
 #28

I think this should be in the stickies, for better exposure. Wonder why it's not there yet.
It would be useful as the account security is a fundamental issue of the forum.  Even if it is not going to be in the stickies, I plan to continue to bump the thread and hope more forum members become aware of how to improve their account security.

Theymos mentioned recently that he's not completely opposed to delegating more responsibilities onto others for account recoveries. I imagine he would have to make sure that they were capable of it, but I'm sure hilariousandco and the like would be more than capable of it.
hilariousandco would be one of the most natural candidates.  He already has permission to unlock accounts as well.  I am sure LoyceV is also capable of it, as he has been helping with the recovery of hacked accounts and made key contributions for several cases to be resolved.
athanz88
Sr. Member
****
Offline Offline

Activity: 476
Merit: 359


View Profile
August 26, 2018, 02:11:59 PM
 #29

I think this should be in the stickies, for better exposure. Wonder why it's not there yet.
It would be useful as the account security is a fundamental issue of the forum....

Thanks for a great guide and yes, it should be on sticky threads I guess, and it will be great if it can be on every local board too.

Theymos mentioned ....
hilariousandco would be one of the most natural candidates....

I support hilariousandco and LoyceV to be one of the authority persons to do some account recovery tasks. They are among the oldest and best members in here, are active in Meta and want to spare their time for the sake of the forum. I believe there are more members like that, but they are the members I have seen the most since the day I joined the forum.

By the way, mind if I translate it for my local board?
LoyceV
Legendary
*
Offline Offline

Activity: 3304
Merit: 16593


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 26, 2018, 02:38:21 PM
 #30

Although I appreciate the endorsements, I don't think it's very likely for a user to go from "foot soldier" to Admin :D

mapuche33
Jr. Member
*
Offline Offline

Activity: 55
Merit: 15


View Profile
August 27, 2018, 05:18:04 PM
Merited by Welsh (1)
 #31

Thanks for tips, actually I was wondering why your account was hacked since you did these security measures?  If you have somehow identified the reason why your account was hacked and a potential loophole of the above strategies, that would be worthwhile to share.

Honestly I'm not sure, I cannot recall if I was a victim of phishing by clicking on some URL posted on the forum. However, I remember using the search engine of btctalk days before being hacked (which asked me to login). Fake site bitcointalk.to I don't think so, because I never remember my credentials so password managers take care of it.
I always use different user names & random passwords on each site, also have several emails for different uses. The only thing that I regret is that my password wasn't that strong (12 characters) and after the 2015 data breach I changed the password by just adding a symbol. Also I should have done the homework of regularly changing all my passwords in January of this year but I didn't.
Even so, I still blame Admins because it could have been prevented just by being proactive.
sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
August 28, 2018, 03:05:27 PM
 #32

Thanks for a great guide and yes, it should be on sticky threads I guess, and it will be great if it can be on every local board too.
As account security is a fundamental and important thing, it would be good to have more exposure.  I would appreciate it if this thread were in the stickies and translated into other languages.

By the way, mind if I translate it for my local board?
Sure, feel free to translate this thread.

Although I appreciate the endorsements, I don't think it's very likely for a user to go from "foot soldier" to Admin :D
You deserve the position, we'll see :)

Honestly I'm not sure, I cannot recall if I was a victim of phishing by clicking on some URL posted on the forum. However, I remember using the search engine of btctalk days before being hacked (which asked me to login). Fake site bitcointalk.to I don't think so, because I never remember my credentials so password managers take care of it.
I think it is normal that forum search requires you to login.  It should not have been a phishing site.

I always use different user names & random passwords on each site, also have several emails for different uses. The only thing that I regret is that my password wasn't that strong (12 characters) and after the 2015 data breach I changed the password by just adding a symbol. Also I should have done the homework of regularly changing all my passwords in January of this year but I didn't.
Even so, I still blame Admins because it could have been prevented just by being proactive.
It might have been a combination of a data breach and brute-force hacking if you added a symbol to the old password.  I think now we really need to be careful about the protection of our accounts.
hotforblockchain
Member
**
Offline Offline

Activity: 266
Merit: 26


View Profile
August 30, 2018, 10:21:52 AM
Merited by dbshck (1)
 #33

I just recently came across a possible security problem in this forum which seems not to be mentioned here and I believe should be.

Do not give out your frequently used email address to bounty managers; there are a lot of managers who do not protect email addresses which they collect during bounties and they can be easily copied.

Also this applies to bounties who ask for registration to their websites, this could be an attempt at stealing your details.

Welsh
Staff
Legendary
*
Offline Offline

Activity: 3262
Merit: 4110


View Profile
August 30, 2018, 10:32:56 AM
 #34

Also this applies to bounties who ask for registration to their websites, this could be an attempt at stealing your details.
This has happened in the past, and continues to happen today. These bounties are an easy way to collect data, because people are willing to put in anything for the promise of free coins. There's been numerous fake bounties in an attempt to farm user details from native users signing up to everything, and anything.

Honestly, I wouldn't trust half of them, and would be using a disposable email. But, that's just me.
peter0425
Sr. Member
****
Offline Offline

Activity: 2646
Merit: 446



View Profile
September 23, 2018, 09:01:41 PM
 #35

Hi,

I was able to recover my account as well here: https://bitcointalk.org/index.php?topic=4497259.0
The method I used was similar to Swenna (probably the same hacker) but prior to him/her spilling the beans.. I just didn't put in Meta how I recovered my account because I don't want the hacker/s to have an idea how I did it. But since Swenna revealed the method (she/he did it in good faith though), I confirmed that it's the step I took to get back my account, just saying.









hotforblockchain
Member
**
Offline Offline

Activity: 266
Merit: 26


View Profile
October 05, 2018, 10:04:33 AM
 #36

Also this applies to bounties who ask for registration to their websites, this could be an attempt at stealing your details.
Honestly, I wouldn't trust half of them, and would be using a disposable email. But, that's just me.

I wouldn't either. If I have to, I make a new email to register with them.
I think that a warning about this should be included in the original post, since a lot of users do not know this or just haven't thought about this problem.

sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
October 06, 2018, 07:09:35 AM
 #37

True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)
Did you mean this:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)

Theymos is smart :D Fake links work in preview, but get fixed when posted.

However, a homograph attack can still be used to create a fake link:
True https://bitcointalk.org/
Fake https://www.google.com/  (link to google.com)
Now it seems that
- (some?) homograph attacks are automatically replaced, and
- fake link is automatically replaced

Hi,

I was able to recover my account as well here: https://bitcointalk.org/index.php?topic=4497259.0
The method I used was similar to Swenna (probably the same hacker) but prior to him/her spilling the beans.. I just didn't put in Meta how I recovered my account because I don't want the hacker/s to have an idea how I did it. But since Swenna revealed the method (she/he did it in good faith though), I confirmed that it's the step I took to get back my account, just saying.
Yes I was aware of your story.  It is a difficult issue whether the method should be disclosed or not, as the hackers will notice it as well.  Added a note to the OP.

Also this applies to bounties who ask for registration to their websites, this could be an attempt at stealing your details.
Honestly, I wouldn't trust half of them, and would be using a disposable email. But, that's just me.

I wouldn't either. If I have to, I make a new email to register with them.
I think that a warning about this should be included in the original post, since a lot of users do not know this or just haven't thought about this problem.
I think it is a little bit off-topic as it is not related to the security of the Bitcointalk account.  Also, the collection of email addresses and personal data always happens for any kind of registration, not only bounties.  Focusing on the registration of Bitcointalk, the OP already recommended using a new email address.  Having said that, I understand your concern and added a remark as a related topic.
LoyceV
Legendary
*
Offline Offline

Activity: 3304
Merit: 16593


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
October 06, 2018, 01:00:13 PM
Merited by sncc (1)
 #38

Now it seems that
- (some?) homograph attacks are automatically replaced, and
- fake link is automatically replaced
All homograph attacks should be automatically replaced on all non-local boards. This means fake links can still be posted in (for instance) a Russian thread.

sncc (OP)
Hero Member
*****
Offline Offline

Activity: 536
Merit: 513


View Profile
October 15, 2018, 03:59:15 PM
Last edit: October 15, 2018, 04:09:54 PM by sncc
 #39

All homograph attacks should be automatically replaced on all non-local boards. This means fake links can still be posted in (for instance) a Russian thread.
Good to know that, at least in the non-local boards, we do not have the issue.  However, non-Cyrillic characters like

ą ç í î ị ň ṇ ö ó ọ ú

are not replaced and one needs to be careful about it.  They are actually different characters but could still be used for a similar kind of attack, like the Binance phishing website; they are less dangerous than the previous ones though.  For example,

True https://bitcointalk.org/
Fake https://bitcoiṇtalk.org/ (link to google.com)
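
An added example, not part of the original posts and not the forum's own filter, of the link checks discussed in posts #37 to #39: it flags a link whose visible text and real target differ, and a host that only matches bitcointalk.org after diacritics are stripped or Cyrillic lookalikes are mapped to Latin. `TRUSTED_HOST`, the small lookalike table and the sample links are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED_HOST = "bitcointalk.org"  # the genuine host named in the thread
# Constructed, deliberately small Cyrillic-to-Latin lookalike table (assumption:
# a production filter would load the full Unicode confusables data instead).
CYRILLIC_LOOKALIKES = str.maketrans("\u0430\u0441\u0435\u0456\u043e\u0440\u0445\u0443", "aceiopxy")

def fold(host):
    """Drop diacritics (NFKD, minus combining marks), then map Cyrillic lookalikes."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.translate(CYRILLIC_LOOKALIKES)

def is_trusted(host):
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)

def classify_host(host):
    """Return 'trusted', 'homograph' (folds to the trusted host) or 'other'."""
    host = (host or "").lower().rstrip(".")
    if is_trusted(host):
        return "trusted"
    if is_trusted(fold(host)):
        return "homograph"
    return "other"

def check_link(display_text, href):
    """Audit one posted link: visible text versus real target, plus lookalike hosts."""
    target = urlsplit(href).hostname or ""
    shown = urlsplit(display_text.strip()).hostname or ""
    findings = []
    if shown and shown != target:
        findings.append("text shows %s but link goes to %s" % (shown, target))
    if "homograph" in (classify_host(shown), classify_host(target)):
        findings.append("host imitates %s with lookalike characters" % TRUSTED_HOST)
    return findings

# Constructed samples mirroring the True/Fake pairs in the thread.
SAMPLES = [
    ("https://bitcointalk.org/", "https://bitcointalk.org/"),
    ("https://bitcointalk.org/", "https://www.google.com/"),
    ("https://bitcoi\u1e47talk.org/", "https://www.google.com/"),
    ("https://bitc\u043eintalk.org/", "https://bitc\u043eintalk.org/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(ascii(text), "->", check_link(text, href) or "ok")
```

Every character in the list above (ą ç í î ị ň ṇ ö ó ọ ú) folds to its plain Latin base letter under this check, so a host built from any of them is reported as an imitation rather than passing as a different, unrelated name.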

DdmrDdmr
Legendary
*
Offline Offline

Activity: 2310
Merit: 10758


There are lies, damned lies and statistics. MTwain


View Profile WWW
November 18, 2018, 05:34:35 PM
Merited by sncc (1)
 #40

Perhaps it would be interesting to add a warning in the OP in relation to Bitcointalk non-official apps that can be found either being promoted on this same forum, or on some online app stores such as Google Play. These apps are of potential high risk to one’s account credentials.