Secret Question Help link disabled, Why?

[logfiles]

I was looking at my Account Related Settings, and I was curious about the secret question part because i have seen people get their accounts locked up in the past because of inadequate information about the feature and yet there is guide on how to avoid getting your account locked on the page.

The why is this blank? Link which i thought would provide more information is disabled for some reason.



Why was it disabled?
Shouldn't users be able to access the help information about the Secret question feature since not much is known about how it works by most members?

[mocacinno]

It has been disabled for many, many years IIRC, it was because of a vulnerability in SMF that allowed hackers to obtain a database dump with the unencrypted security questions.. So if these questions were left as they were, the hackers could have used them to attack accounts, so Theymos disabled the feature.

[rhomelmabini]

I think it was disabled because secret question isn't a recommended security measure for the account because most of those answers there can be easily brute forced. Besides, the Support for hacked/lost accounts is the new culture here. I think that feature "secret question" needs an update or permanently delete it(?).

[TheBeardedBaby]

It has been disabled for many, many years IIRC, it was because of a vulnerability in SMF that allowed hackers to obtain a database dump with the unencrypted security questions.. So if these questions were left as they were, the hackers could have used them to attack accounts, so Theymos disabled the feature.

The Security Queston featute is still ON!
Only the help link is disabled.
I just tested with a fresh accound and got it locked when I tried to recover it!
See below >

[mocacinno]

@iasenko : Apparently, my memory looks like a swiss cheese, full of holes

What i was thinking about was the server compromise in 2015 where Theymos explicitly asked everybody to disable their secret questions
https://bitcointalk.org/index.php?topic=1067985.msg11445725#msg11445725

--snip--
You should disable your secret question and assume that the attacker now knows your answer to your secret question.
--snip--

However, you are 100% correct, the secret question isn't technically disabled... But using it will lead to a locked account.

[logfiles]

The secret question just works fine. But whatever was in this link(why is this blank?) next to the answer box was disabled. It's what i was inquiring about.

[DdmrDdmr]

I assume that, if someone has the secret question in place on their profile, deleting the question itself (leaving it blank) later on, deletes the feature altogether from the profile (question and answer) with no further consequences. Is that so?

[TheBeardedBaby]

The secret question just works fine. But whatever was in this link(why is this blank?) next to the answer box was disabled. It's what i was inquiring about.

If you see the link that it leading to the action=helpadmin;

Code:

https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank

If you ask me the whole helpadmin modul have been disabled, that's why you get a disabled on the link.
The regular help is accessed by action=help;

[SFR10]

The why is this blank? Link which i thought would provide more information is disabled for some reason.

The secret question just works fine. But whatever was in this link(why is this blank?) next to the answer box was disabled. It's what i was inquiring about.

I did some digging and could only find an archived version but it also doesn't provide that much information:

For your security, the answer to your question (as well as your password) is encrypted in such a way that SMF can only tell you if get it right, so it can never tell you (or anyone else, importantly!) what your answer or password is.

I assume that, if someone has the secret question in place on their profile, deleting the question itself (leaving it blank) later on, deletes the feature altogether from the profile (question and answer) with no further consequences. Is that so?

Almost correct:

You need to delete everything on both fields (Q&A) > Enter your "Current Password" > Click "Change profile" button.

^{On a side note: I accidentally clicked "delete" button instead of the # of post for getting the link. Is there any way to get it restored?}

[DdmrDdmr]

<…> You need to delete everything on both fields (Q&A) > Enter your "Current Password" > Click "Change profile" button <…>

I had this step (deleting my secret question) pending for ages, and it has not been until now that I’ve gone ahead with it. Just a minor observation: Since the Answer is displayed as blank, you can’t really delete the content of the field. I therefore deleted the question, assumed that the answer deletion would be deleted, and hoped for the best. Logging out and back in again works fine, so I figure that was all that was required (+ > Enter your "Current Password" > Click "Change profile" button <…> as you stated).