Don't use your bitcointalk account password on other websites

[Mahdirakib]

Most of the people are aware of this issue. And there might be few topics about this matter before. I just want to share my experience with you all and hope it will be helpful for those who aren't aware of it.

Firstly my intention was to earn bitcoin from faucets. But slowly slowly the forum introduced me with other crypto related things (like gambling, mining, trading, investing). I started to engage myself with those platform and created account at most of the new sites that I have found in this forum. I used the same password, email and username at most other sites which I have used in my forum account. It was my fault. Hacker got my password from any of those site(phishing) and accessed my account.

Though he didn't made any post or spam from my account. But he changed my account password on 9th July, 2018. On 12th July I came back and found that my password was changed, was unable to login. So I reset my password via mail. Within two weeks my account get locked for security reason.


Finally I took step to get back my account in May this year. And recovered it on 5th June.
I'm not the alone victim of the hacker. The hacker just used my sMerit and send it to someone in this reply
I think that user is also a victim of the hacker. There are few more user in the list.

• Danglen1010
• ChardsElican28
• bgpsq
• peter0425

Maybe there are more victim of this. First three people are banned now. The 4th user peter0425 has recovered his account and created a topic about the hacked issue. Check it here.

Hacker just used sMerit from these account during that time and sent one to another. If you notice those user security log at bpip.org you can realize it.

Check this topic to realize the importance of account password & how to secure it.
Prevent your bitcointalk account from hacker- prevention is better then cure.

As a newbie all should stay aware of this matter. For your account safety don't use the same password at other sites. Every website isn't going to be legit what you will see in this forum. Stay aware of phishing sites.[/list]

[1714963338]

1714963338

[1714963338]

1714963338

[1714963338]

1714963338

[1714963338]

1714963338

[1714963338]

1714963338

[CucakRowo]

Or :
1. Always make your email in your profile account "hidden"
2. Use different email (not the email you used when registering at BTT) when you follow bounty. Coz usually your email exposed when following bounty. You guys can use proton mail or mailfence services if there is a bounty where one of the requirements is to include an emaill.
3. Always use browser that support your privacy (firefox or tor browser).
4. Use VPN always in your daily internet activities.

[Coyster]

Some users complain it's not that easy to always create a strong new password all the time, so for users like that who find it difficult to create strong and unique passwords across many of their accounts/profiles, learn how to create a strong/secure password here, the instructions in that thread will help you, not only to secure your btt forum account, but any account you own.

[pixie85]

This is pretty much the most basic thing in your Internet security.

You should never use any password more than once because if you use it for more a single database leak will compromise you on multiple levels.

If you use the same password in your bitcointalk and email and the hacker somehow phishes the bitcointalk password he will also know the email and its password. Through the email he can find other sites you have used in the past because people rarely remove spam or clean trash on email accounts and all your "thank you for registering" emails can be found there.

One site - one password.

[notblox1]

It is good that you learned something about passwords and to never reuse them on more than one website.
People are doing exact same thing not only for websites and loging details, but also for crypto wallets.
Yes it seems easy at first, but you will pay high price in the end.

[OcTradism]

1. Always make your email in your profile account "hidden"
2. Use different email (not the email you used when registering at BTT) when you follow bounty. Coz usually your email exposed when following bounty. You guys can use proton mail or mailfence services if there is a bounty where one of the requirements is to include an emaill.
3. Always use browser that support your privacy (firefox or tor browser).

Forum account: security, privacy, and recovery
and you can check my list to get more if you are wanting to get more tutorials for security, privacy protections with Good topics on security and privacy

4. Use VPN always in your daily internet activities.

It is only when you need to hide your privacy (of course you should).

[blue Snow]

^
1. For remember, don't ticking "Always stay logged in" if using public pc



2. Don't click auto save login and password in browser
3. If you mobile and always have urgent situation, prepare your USB stick and download portable browser.

[Anwar151]

2. Use different email (not the email you used when registering at BTT) when you follow bounty. Coz usually your email exposed when following bounty.

And activate the 2FA feature on the email for additional security.

[erikoy]

Phishing only happens when you are unaware that the attack is happening, I agree that you should use different password but also make sure to sweep your devices because the phishing attacks are mostly trojans.

Yes, usually hacker will attack the user unaware and there are process on how to phished accounts specifically financial related accounts. One must know should know why phishing exist and how it became rampant. Other information about information about phishing is how it will be done(methodology).

Anyone can check my post For your ready reference on phishing and see what are the methods that hacker use to make them successful. Nowadays, we should be knowledgeable so that we can at least avoid being a victim of phishing. I think it is better to expose the phishing activity help other prospect victim of phishing usually those users verified with good financial records publicly or not knowingly it was been exposed to hacker and eventually one will become a target for phishing.

For evaluation purposes, one can check this reply  and learn how hacker make sophisticated fake sites or websites which purpose is to ask you to disclose important details of any of your account may it non-financial or financial aspect that means that one can create a fake site even for bitcointalk.org.

[libert19]

I looked at title and was like, wow this is common sense then realized I was making same mistake as when I was new to the Internet.

[hatshepsut93]

^
1. For remember, don't ticking "Always stay logged in" if using public pc

2. Don't click auto save login and password in browser
3. If you mobile and always have urgent situation, prepare your USB stick and download portable browser.

1. Using public computer is already a good method to lose your accounts, they can easily have installed keyloggers that will steal all accounts.

2. Why not? If it's because of malware, then there's a ton of other ways your account will get stolen if it's in your system. Your credentials won't be autofilled on phishing sites, since they have different domains.

3. Again, don't login into anything on machines that you don't trust. Bringing your own browser won't change anything.

[Findingnemo]

Better learn how to avoid the phishing attacks which might save us from future phishing attempts.Some simple steps can save us from lot of phishing like

1. Avoid installing unknown extensions to your browser

2. Stop using online password manager applications

3. Don't use Gmail.

4. Don't install any applications from the third-party websites ( both for smartphones and PC)

5. Finally don't use simple passwords

[reliable]

I looked at title and was like, wow this is common sense then realized I was making same mistake as when I was new to the Internet.

People learn from their mistake and so experience is what counts. So, users who have gone through and made some mistakes are sharing it and how it could be easily avoided by new users. So, it is important for users to check out such threads and see if they are doing same mistake then start correcting it.

[Shimmiry]

It's probably the laziness of the user to use strong passwords that isn't already used. Most of the time, people tend to just use the password that they already used on other websites for the reason that this is the best way they can remember their passwords. But it is highly not advisable.

As much as possible use different passwords on different websites.

[GreatArkansas]

In terms of using such strong passwords,
this thread may help for creating a strong password that will help us in our different accounts: [GUIDE] How to Create a Strong/Secure Password
I already experienced this kind of scenario before, especially in one of the exchanges I am using before, I really don't have an idea why they were able to log in my account. One of the reasons could be like this (using the same password in different websites), or another one is the insider of the exchange or they have been breached.

[Yaunfitda]

^
1. For remember, don't ticking "Always stay logged in" if using public pc

2. Don't click auto save login and password in browser
3. If you mobile and always have urgent situation, prepare your USB stick and download portable browser.

1. Using public computer is already a good method to lose your accounts, they can easily have installed keyloggers that will steal all accounts.

Or public WIFI for that matter, there are a lot of videos circulating around about this methods. So there are a lot of tricks. So don't believed that public WIFI are safe, until it's too late. You may have strong bitcointalk passwords, but once it is intercepted, then nothing you can do about it.

[AniviaBtc]

Absolutely not.

The thing that I do with my accounts is that, I made a list of those accounts in other platforms that are not that important so that I don't forget them when I try to access them.

But those platforms such as like this, it is very important to make it unique and easy to memorize even in those social media account that is personal. Here in bitcointalk, it is really necessary for you to not to apply the password or username that you use in other social media to prevent hacking or linking of accounts and also for the security of your account.

[samputin]

^
1. For remember, don't ticking "Always stay logged in" if using public pc



2. Don't click auto save login and password in browser
3. If you mobile and always have urgent situation, prepare your USB stick and download portable browser.

Checked on the two things. 

1. I do click "always stay logged in" but in my phone only. I open my bitcointalk account if I have the time and it's hassle if I still have to log in and do captcha every time I visit here. But in other public PCs, it's a no-no for me to tick that. I'll just open my account there for just an hour or less so no need for that. And also for security reasons. Better safe than sorry.
2. I don't auto save my passwords as well. I just keep them on my notepad or notes app. It's hassle sometimes but I got used to it.

Hackers are everywhere especially in this digital age. So we must be very cautious in what we do online and make sure that the security of our accounts is on top priority.

[Peanutswar]

Its the common problem right now of the people not only on our forum because some of them having the same password with all of their accounts some of the reasons are


They want to make it access easily
It's not hard to remember
Just common so they don't need to change from time to time.

For me, I highly recommend to the members use a
Camel Case
Symbol
Number

If you want to you can make your own encryption at the same time you don't need to make it change because this is one of the most secure.

[robelneo]

2. Use different email (not the email you used when registering at BTT) when you follow bounty. Coz usually your email exposed when following bounty.

And activate the 2FA feature on the email for additional security.

I was scrolling and reading on the comments and no one mentioned about securing your email by activating the phone or 2FA but only you this is a must if your email is secured the hacker cannot change your password it will trigger confirmation and notification to the email the user is using,
on Gmail there are three ways to secure your email, these are phone verification, 2FA, and code verification, you should apply anyone to all your emails.  

[lovesmayfamilis]

People learn from their mistake and so experience is what counts. So, users who have gone through and made some mistakes are sharing it and how it could be easily avoided by new users. So, it is important for users to check out such threads and see if they are doing same mistake then start correcting it.

You are completely correct in saying that the best lessons we learn only when we make our mistakes.
All guides described in this topic will be useful to everyone, not just beginners. We are often not very aware of security, thinking that nothing bad can happen to us.

The rule that must be learned is this: if your profile on the forum is dear to you, then take care of it. Strong passwords, mail with which you registered only on this forum, and has double verification, as well as a signed message from your bitcoin wallet with the name of your account on the forum.

Plus, don't store important data on your computer. Those who use Windows systems are very susceptible to all kinds of key loggers. Timely antivirus scanning will also help keep your data safe.

[Asuspawer09]

I was worried about this issue back in the day because if you just think about it websites could just use your password and login into your accounts if you use the same password on the other websites. And I think I've done the mistake in my early days because we know that it's easy to remember your password when you only have 1 password or 2 passwords .  As an IT I understand that passwords in a website are actually encrypted so even the programmers or the websites should not be able to see your password at least.

It's better to have a strong password or another layer of protection when it comes to your Gmail because every website is just connected to your email, having an access to your email account meaning having a access to all of your accounts on different websites most of the time.

But it's a different story when it comes to phishing websites or scammed websites because their goal is to get your information so I don't think they have encryption or anything.

Also, the construction of your password is important:



Source:
https://www.facebook.com/photo.php?fbid=10164381734490372&set=gm.2824409767782130&type=3&theater
https://howsecureismypassword.net/

You could also check how should your password here:
https://howsecureismypassword.net/
after what i said maybe you don't trust the website anymore, putting some password .

[tom_trader]

Using an exclusive computer linux  based to access your cryto related website businesses is a great step. Don't download anything from internet, be torrent or sharing-websites like mega. Don't install cracked softwares, nor apps and never connect usb to it.
Use it exclusively for crypto related browsing.

That way you can make individual powerful passwords and keep them in a txt file without putting them in risk.
 

[DdmrDdmr]

<…> That way you can make individual powerful passwords and keep them in a txt file without putting them in risk.

But having them on a txt file on the actual drive, even on linux, may still encounter the odd malware that you can install through a wallet downloaded from a wrong site. What’s more, even if isolating the computer as much as possible will mitigate risks, there’s still the risk that someone grabs/steals your physical computer, and mounts the linux disk as a secondary device to access the content, gaining access the txt file.

[khaled0111]

As an IT I understand that passwords in a website are actually encrypted so even the programmers or the websites should not be able to see your password at least.
...

This is not always true. It depends entirely on the website you are using and its owner.
The owner/developer is the one who decides how passwords are going to be saved on the database (plain text or encrypted).
As a user and without having access to the website's back end, there is no way to know how passwords are being saved.

Using an exclusive computer linux  based to access your cryto related website businesses is a great step.

I encourage everyone to use Linux but it doesn't mean you are going to be 100% safe. A Linux OS can be hacked too and it doesn't matter which OS you are using if you enter your credentials into a phishing website.

[tom_trader]

<…> That way you can make individual powerful passwords and keep them in a txt file without putting them in risk.

But having them on a txt file on the actual drive, even on linux, may still encounter the odd malware that you can install through a wallet downloaded from a wrong site. What’s more, even if isolating the computer as much as possible will mitigate risks, there’s still the risk that someone grabs/steals your physical computer, and mounts the linux disk as a secondary device to access the content, gaining access the txt file.

Well, then use a brand new usb flash drive to save it there and use it exclusively with that PC. Downloading anything infected with  malware is user's fault. Hence avoid downloading anything from that computer. And of course, having a genuine licensed antivirus will prevent most of the malwares beign installed.
If someone steals a PC, there is no much you can do about it.
  

[2double0]

<<>>
If someone steals a PC, there is no much you can do about it.
  

Tbh, keeping such things on a PC is not only stupid, but dangerous too.
Imho, I would never keep any of my passwords stored anywhere but write them down straight away. Keep a specific book (one is fine but you can keep 2 if you fear any kind of damage to the first one). Write the website name, username, email and password (and any extra details that are important to you like your security Q&A) and do the same in the second book. You can use a carbon paper and keep 2nd book's blank page under 1st book's page and then write if you don't want to do double up your workload. Keep both the books safe (but not in same place). Saving your passwords on browsers is also not a good practice if you want to save yourself from getting hacked.

[Assface16678]

Also I see a lot of reports before with the use and problem of the members about their accounts because some of them reports it's hacked and forgot the password sometimes they are using the same password to their different accounts and also to their emails which is not a good thing this is too much prone to hacking.

Also there are alot of them using only the left part of the keyboard to make it more easiest commonly with the use of

A
S
W
D
R
1
2
3

[Latviand]

Prioritize the security of your account above all because it is not that easy to earn your rank here.

Never settle with only one email that you will use when you access other platforms. Using VPN is not that hard to do, you can learn how to apply it in Youtube and any other tutorials because it is really important. Always make a unique password, as soon as possible maximize using letters, numbers, and symbols to have a unique combination of passwords. Keep in mind that bitcointalk account is not that instant to have, so value it and take care of it to prevent scamming and hacking.

[gentlemand]

I don't give a fuck about passwords for most websites. I use the same one a million times. There's no info of note.

However one's Bitcointalk account can be a truly valuable thing so you owe it to yourself to get it right. A few minutes of thought and memorisation will save you plenty of future grief.

[yazher]

My Bitcointalk password is always been unique since I last changed it because I was afraid that something like this could happen and getting it back is not guaranteed since the step is so complicated and there were some users who didn't get back their account after someone hacks them. Before things going out of our hand, it is better to do this step and don't forget before doing it, you must stake your BTC address here: https://bitcointalk.org/index.php?topic=990345.0

In case you messed up, The steps to recover your lost account is here: https://bitcointalk.org/index.php?topic=990345.0

[Rosilito]

-
For me, I highly recommend to the members use a
Camel Case
Symbol
Number

As far as making your password stronger goes, you should take a look with @bob123's reply, here, and have it into consideration whenever you'll create one or if you would make some changes with your pw. This maybe kind of odd to do for typical users, since it is quite straightforward  .

[Krislaw]

I've also done the same mistake but instead using my mobile number and adding my birthday which i thought a good and secured idea but it got hacked, so don't put shared personal information in your password and add a backup email. I suggest to use different email, I'm currently using different email on different social accounts so it will be more secured, when one account got hacked the others will be safe.

[Nellayar]

Actually, having an identical passwords in different websites will put you in a risk. Because hackers can easily access your account in any websites you may attended. This is the reason why I want to generate different passwords with strong security so that I can avoid loss of my accounts. My password in BTT is different in my password at binance or any social media app. There are many people have been victim because of their similar passwords and it should be a lesson for all of us that putting a strong password and different in any websites will put as away in harm.

[Asuspawer09]

As an IT I understand that passwords in a website are actually encrypted so even the programmers or the websites should not be able to see your password at least.
...

This is not always true. It depends entirely on the website you are using and its owner.
The owner/developer is the one who decides how passwords are going to be saved on the database (plain text or encrypted).
As a user and without having access to the website's back end, there is no way to know how passwords are being saved.

I agree, but it is a good practice to encrypt the password as a programmer since you cannot really leak any information from your users, it is against the law in my country.

That is actually the problem since they are a phishing website they just want to get information so the programmer programs it that way to get information easily.

[DdmrDdmr]

These are some statistics I’ve found on the topic of password reuse:

Here are some staggering statistics that show the magnitude of the password reuse problem.
1.   A Google survey found that at least 65% of people reuse passwords across multiple, if not all, sites.
2.   Another recent survey found that 91% of respondents claim to understand the risks of reusing passwords across multiple accounts, but 59% admitted to doing it anyway.
3.   Microsoft recently announced that a staggering 44 million accounts were vulnerable to account takeover due to compromised or stolen passwords.
4.   The average person reuses each password as many as 14 times.
5.   72% of individuals reuse passwords in their personal life while nearly half (49%) of employees simply change or add a digit or character to their password when updating their company password every 90 days. These forced resets are an ineffective tactic.
6.   And it is not just personal accounts. 73% of users duplicate their passwords in both their personal and work accounts.
7.   Security.org found that 76% of millennials recycle their passwords.
8.   This is why compromised passwords are responsible for 81% of hacking-related breaches, according to the Verizon Data Breach Investigations Report.

See: https://securityboulevard.com/2020/04/8-scary-statistics-about-the-password-reuse-problem/

The above link allows us to reference the original source for each statement, originated in different surveys over the last couple of years, with different scopes and population sizes.

The surge and constant expansion of sites we suscribe to, that require the creation of an account (ecommerce and so forth), requires an excessive memory exercise, which leads to bad habits such as password reuse. Keeping just a few distinct credential pairs in mind for sensitive sites (hopefully with 2FA as an additional platform feature), and using a decent password manager to keep track of the others, should present a reasonable scenario where no site credentials are reused. The problem is that many people still remain unaware of the threat that password reuse practice poses.

[cheezcarls]

Most of the people are aware of this issue. And there might be few topics about this matter before. I just want to share my experience with you all and hope it will be helpful for those who aren't aware of it.

Firstly my intention was to earn bitcoin from faucets. But slowly slowly the forum introduced me with other crypto related things (like gambling, mining, trading, investing). I started to engage myself with those platform and created account at most of the new sites that I have found in this forum. I used the same password, email and username at most other sites which I have used in my forum account. It was my fault. Hacker got my password from any of those site(phishing) and accessed my account.

Though he didn't made any post or spam from my account. But he changed my account password on 9th July, 2018. On 12th July I came back and found that my password was changed, was unable to login. So I reset my password via mail. Within two weeks my account get locked for security reason.


Finally I took step to get back my account in May this year. And recovered it on 5th June.
I'm not the alone victim of the hacker. The hacker just used my sMerit and send it to someone in this reply
I think that user is also a victim of the hacker. There are few more user in the list.

• Danglen1010
• ChardsElican28
• bgpsq
• peter0425

Maybe there are more victim of this. First three people are banned now. The 4th user peter0425 has recovered his account and created a topic about the hacked issue. Check it here.

Hacker just used sMerit from these account during that time and sent one to another. If you notice those user security log at bpip.org you can realize it.

Check this topic to realize the importance of account password & how to secure it.
Prevent your bitcointalk account from hacker- prevention is better then cure.

As a newbie all should stay aware of this matter. For your account safety don't use the same password at other sites. Every website isn't going to be legit what you will see in this forum. Stay aware of phishing sites.[/list]

Exactly. I have learned my lesson the hard way when I use the same password of my email with other third party platforms (which I registered the same email over and over again). Since I am so worried about my accounts getting hacked anytime without warning, I make sure that my passwords are very hard. I create long passwords mixed with special characters or so (but not using the same hard long password to other platforms).

In case I forgot my password in my email, social media accounts (or even here on Bitcointalk), I put them on a notebook and write them down for me to remember. I also back them up in my USB drive through Notepad.

[Bitcoinislife09]

I've also done the same mistake but instead using my mobile number and adding my birthday which i thought a good and secured idea but it got hacked, so don't put shared personal information in your password and add a backup email. I suggest to use different email, I'm currently using different email on different social accounts so it will be more secured, when one account got hacked the others will be safe.

When it comes to phishing websites it might be every log-in is just recorded to just get every information possible to use it in a lot of possible websites. I think the phishing websites are just targeting your email because your account is connected to your email. Getting the email is just what they needed to reset your accounts or to know the websites that you are connected because everything is emailing your mail. For me having different emails in different social media account is a good thing because you could easily organized your emails. But it could be confusing because you have a lot of emails. Maybe a personal email and a business email is enough you could just put a lot of protection to your one email If you only have one and it is easy to manage.

[Mahdirakib]

Bumping this topic, because

the best lessons we learn only when we make our mistakes.

And when we watch other people's mistakes

[Mpamaegbu]

Some simple steps can save us from lot of phishing like

Your numbers 1–5 as enumerated in your post are apt. Though I think item 4 will be a lot more difficult to avoid since a lot of sites will need app downloads from Google playstore or apple. However, the catch there is to make sure one is certain that the site in question has an app to be downloaded before heading to a third party for it. As for those using simple passwords, it's advisable not to. I guess a lot of people use simple password so they can easily recall it off by heart instead of writing it down on paper. That's not good to want to remember it that way. We should know that the mind is sometimes subject to forgetfulness. Write out the passwords, and since one is writing it out it will be nice to make it a strong and difficult one. There's no harm in doing that.

[OcTradism]

And when we watch other people's mistakes

It is best when we do research and learn from advice, lessons of others. It's not good to lose money just to get lesson which we learn from.

It is terrible if we only have lesson to learn after losing all of our capital. If we fall into such cases, it is only because we are close-minded and don't listen to advice of others and think we are smarter than them then we will be safe without learning their advice.

Your advice in this topic can be expanded to as Never use a same password on multiple platforms, multiple exchanges or multiple wallets.

[TheNineClub]

In this day and age, a new different password and username should be created for any new website signup. And I am not talking about changing the last two digits on a number, I mean it has to be something completely different. That's how I go about it and honestly, I sometimes think that even that is not enough. With how many sign-ins I am required, I wouldn't be surprised if I duplicated my info eventually XD

[Findingnemo]

Some simple steps can save us from lot of phishing like

Your numbers 1–5 as enumerated in your post are apt. Though I think item 4 will be a lot more difficult to avoid since a lot of sites will need app downloads from Google playstore or apple. However, the catch there is to make sure one is certain that the site in question has an app to be downloaded before heading to a third party for it. As for those using simple passwords, it's advisable not to. I guess a lot of people use simple password so they can easily recall it off by heart instead of writing it down on paper. That's not good to want to remember it that way. We should know that the mind is sometimes subject to forgetfulness. Write out the passwords, and since one is writing it out it will be nice to make it a strong and difficult one. There's no harm in doing that.

I said about third party website like apart from downloading on playstore and app market for PC apart from official website so we can trust the application we are downloaded to install. Having password which is completely random and more difficult to remember is good but still it can be brute forced still it is not going to happen for all the account even if its hacked we have 14 days to lock the account then we can further proceed for account recovery.