Additional security measures to keep account secure

[krishnaverma]

In order to reduce or limit the hacking of bitcointalk accounts, more security features can be introduced. I am also adding one suggestion here to get this thread started:

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.
 
Same way, other security features can also be implemented. Let us discuss these in this thread.

[Solosanz]

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login.

Not a bad idea, bad the downside is more users are likely lost access and will ask a way to recover his account. Since this make the email is really important in this forum where each time login need to input verification code, I highly suggest to remove email address show to public in order to make it more secure.

While login, there should be option to trust the device for some days so that it does not affect user experience.

Did you mean we're only allowed to log in with an old device? I disagree since each device has a lifespan where you will need to change device for every few years.

[tranthidung]

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.

Imagine if they let their accounts hacked, they would easily let their emails hacked as well. The main causal reason is they are very careless when surfing on the Internet, on social media, via messenger applications, emails, and so on.

So adding the email verification does not make much sense.

Same way, other security features can also be implemented

There has been many request for 2FA but it won't be implemented in SMF forum (this one). It can be done in the new forum software (Epochtalk) but that new software has yet been completed.

[Z-tight]

The bitcoin technology lays it upon its users to be responsible for the security of their money if they must use the network, i am not sure at all, but maybe that is why the forum does not have any additional security measure in this version as this is a bitcoin forum, but i have read some discussions about it here and i feel it will be added in the new forum software whenever it is completed and implemented.

Though before the new forum software is implemented: you can be your own addidional security measure

[Stalker22]

2FA should be more than enough for an extra security measure. Even if someone steals your password or finds a way to break into your account, 2FA (one time password) on your account protects you against such attacks. In case you lose your password, you can still reset it by entering a valid email and a 2FA code. Of course, there is no such thing as 100% security, but this should definitely help a lot.

[tranthidung]

2FA should be more than enough for an extra security measure.

2FA is helpful but it is never a silver bullet.

Even if someone steals your password or finds a way to break into your account, 2FA (one time password) on your account protects you against such attacks. In case you lose your password, you can still reset it by entering a valid email and a 2FA code.

Depends on how you install (where) your 2FA app, where you save your 2FA backup code and same for email password, email 2FA.

If you log in all accounts on same device, store backup, install 2FA application on the same device as well, its usefulness decreases a lot.

[Lucius]

I will never say that 2FA is a bad option (as a choice) in the additional protection of BTT accounts, but as far as my memory serves, from 2015 to today there were less than 10 hacking of accounts of members who are somewhat important and were or are now Hero&Legendary members. The vast majority of others have never had such a problem because they know that each password should be unique and long enough to prevent someone from accidentally guessing it or breaking it with the brute force method.

Those who use passwords like John1234 or ILoveBitcoin or store them in the cloud/email in unencrypted form will not be helped by any additional protection.

[Upgrade00]

IThe vast majority of others have never had such a problem because they know that each password should be unique and long enough to prevent someone from accidentally guessing it or breaking it with the brute force method.

I don't have stats to back up my claim, but I assume that majority of account breaches are a result of users entering their passwords into phishing websites and not brute force.

There are constant reminder on various websites when signing up on the importance of password strength, with many requiring lower and uppercase letters, special symbols, and numbers, so people are more likely to pick up on this, but proper security while on the internet is not talked about enough. So, someone can easily enter their passwords into an unverified website.

[BitcoinGirl.Club]

There should be option for high rank members to activate email verification.  

You are telling the forum to give our data to email service providers like Gmail, Yahoo or whatever the provider. They get the IP and other log that we have an account in the forum. No, it's not gonna happen.

We are still in pain that Theymos is using cloudeflare. I have no idea who are our hosting service provider though. I hope files are hosted in private virtual machine.

For account security, staking a bitcoin address to use for proof of ownership is the best idea so far.

[...]
I don't have stats to back up my claim, but I assume that majority of account breaches are a result of users entering their passwords into phishing websites and not brute force.

If you give information of your passphrase to hacker then your bitcoin are not safe in your hand. The same applies in forum account too. But say you get phished. As long as you have bitcoin address staked, you can provide proof of authentication anytime and get your account back.

[dimonstration]

In order to reduce or limit the hacking of bitcointalk accounts, more security features can be introduced. I am also adding one suggestion here to get this thread started:

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.
 
Same way, other security features can also be implemented. Let us discuss these in this thread.

I’m using Bitcointalk forum for about 6 years without experiencing any hack incident in my account. I think having a secured password and 2fa is enough to make Bitcointalk account safe because there’s no money that needs to protect on this account besides account reputation which can be easily spot if the account suddenly do shady activities.

Hacking event usually happened on accounts that use a weak password or click phishing links.

[dkbit98]

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.

I don't want to use something like this connected with any email, especially if it's going to be mandatory.
Unless you are running your own server with email, there is always a chance that email could be unavailable temporary or permanently, they could be flagged as spam, or they could be shut down.
Only option for securing accounts I would cosnuder using is 2FA or fido hardware keys.

[Lucius]

I don't have stats to back up my claim, but I assume that majority of account breaches are a result of users entering their passwords into phishing websites and not brute force.
~snip~

I may be one of those who take things quite seriously, but since I first found this forum in 2014, I saved the link in my bookmarks and have been using it ever since. In addition, I only log in from one device that I consider safe, and I think that this is quite enough for my operational security to be at a high level.

Of course, there is always the possibility that something bad will happen to me, like everyone else - but phishing links and some other common traps will certainly not surprise me.

[Welsh]

There's very likely users here that haven't used a valid email, and therefore wouldn't be able to verify anything. Of course, you could argue that's an issue to start with since they don't have that safety net, but an email is just something else you'd need to keep secure, so I do see the logic behind it. Also, some might not care for giving the forum an email they own, and therefore made an invalid one for privacy.

These things we've got to be extra conscious of, since Bitcoin does sort of attract the more privacy conscious minds.

[KingsDen]

The rate at which I see people post on beginners and help on how to retrieve their hacked accounts make me understand the importance of having an added layer of security in the forum.
I also wonder if there is any other way that one's account could be hacked apart from phishing attack and maybe guessing someone's password?

There's very likely users here that haven't used a valid email, and therefore wouldn't be able to verify anything. Of course, you could argue that's an issue to start with since they don't have that safety net, but an email is just something else you'd need to keep secure, so I do see the logic behind it. Also, some might not care for giving the forum an email they own, and therefore made an invalid one for privacy.

These things we've got to be extra conscious of, since Bitcoin does sort of attract the more privacy conscious minds.

I was going to ask why one will register in the forum with an invalid email until I read to bottom. Yet, I am not satisfied, if for the sake of privacy a user doesn't want to submit a valid email, it shouldn't be a big deal to create a new email.

[Smartvirus]

An account is as secured as you allow it to be. OP speaking of email verifications still sounds like typical OTP to me and that's one idea that have been suggested one too many times and as time have had it, the idea isn't one that everyone adorns. I don't if you would ask me. It would be way too stressful logging in considering the wait time and switching between mails and browser.

Hacks or not, the forum has put in place es measures for an account recovery and that is, the staking of an address. There are chances that your accounts could be hacked on the forum bit when it comes to wallets, pretty much zero. Although, that's directly related to how private you go about the security of your private key or seed phrase.
Your account gets hacked, password and mails changed and your kicked out? No problem.
You create an alt solely for the recovery of the account, providing a signed message for the staked address of your account and you've got your account back. Rendering all the efforts of the hacker wasted.

The downside to this is that, you must be active to know the moment your account was attacked to engage in recovery before any major damage is been done. Be a little more private and you would be safe.

[BitcoinGirl.Club]

These things we've got to be extra conscious of, since Bitcoin does sort of attract the more privacy conscious minds.

I can't remember correctly if this was an exchange or gambling site. For registration they wanted a bitcoin address. User give the address and then they give a message and ask to sign the message with the bitcoin address to login to the account. It was a nice idea. I never seen many sites to use practice this.

Default SMF does not allow this feature of course but if Theymos can implement such thing then it will be nice. May be in the new forum software if this is even going to launch.

[Igebotz]

These things we've got to be extra conscious of, since Bitcoin does sort of attract the more privacy conscious minds.

I can't remember correctly if this was an exchange or gambling site. For registration they wanted a bitcoin address. User give the address and then they give a message and ask to sign the message with the bitcoin address to login to the account. It was a nice idea. I never seen many sites to use practice this.

Default SMF does not allow this feature of course but if Theymos can implement such thing then it will be nice. May be in the new forum software if this is even going to launch.

Lol Not a bad idea, but why would anyone go through such trouble to post on a simple forum where sensitive documents are not stored? Even someone who stores bitcoin exchanges is not subjected to such troubles. Account hacking and other issues can be solved by using 2FA or a secret question before logging in.

[Fivestar4everMVP]

Good idea OP, and I also see the importance of the security features you mentioned, but honestly, I do not consider them really really important, and that is because I feel that the level of security features on a forum like this isn't the real reason why accounts are either hacked or not,
The main reason my account can get hacked easily is due to negligence and laziness.
Many users are too lazy to even secure their account with strong passwords, some use the same password on every platform they register on, including their email addresses.
For user like this, the security features you mentioned wont stop their account from being hacked, as Hackers can easily target and hack their email address, and from there, the gains access to the account of the victim.

[BitcoinGirl.Club]

Lol Not a bad idea, but why would anyone go through such trouble to post on a simple forum where sensitive documents are not stored? Even someone who stores bitcoin exchanges is not subjected to such troubles. Account hacking and other issues can be solved by using 2FA or a secret question before logging in.

If I remember correctly then it was really easy to access the account using the bitcoin address. I understand it's a forum. The way everyone is worried about their account and suggesting several things I thought why not I go with mine too LOL

With email verification you are giving away your anonymity to the email service providers. Email can be hacked, people do not take it seriously as they take their private keys.
Theymos is not going to add 2FA, I don't know how hard it is.

To be honest, we are fine with staking bitcoin address. If anything happen to your account, you can always provide proof of ownership and get back the account.

[PrimeNumber7]

There should be option for high rank members to activate email verification. From time to time, when the member logs in using the username and password, it should send an code to the email to be entered on bitcointalk for login. While login, there should be option to trust the device for some days so that it does not affect user experience.
 

Since email addresses are not verified to be associated with the user, this is not a good idea. I am sure that many members have a fake/invalid email address associated with their accounts.

There is really no reason why the forum will ever contact members via email, many of the traditional phishing attacks will be useless against bitcointalk forum accounts. So as long as the forum is able to keep passwords away from adversaries, and forum members practice general good security, the risk of getting your account hacked is fairly low.