Bitcoin Forum
Topic: What's your take on adding a 2FA key as a Bitcointalk account security feature?
dimonstration
Hero Member
Activity: 2576
Merit: 660
August 12, 2023, 04:31:44 PM
 #21

I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone.
I do have that kind of password, a combination of familiar words and numbers but not random characters, coz it's way too difficult to remember; you will end up resetting your password again lmao.

Also, you will always be reliant on copy-pasting the exact password, since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters, which is very hard to memorize.

I'm always skipping it because I will be reliant on my phone to access my account, and it will give me a problem later on once my phone gets broken.

m2017
Legendary
Activity: 1792
Merit: 1303
August 12, 2023, 04:35:48 PM
 #22

Bitcointalk is a well-known forum in the crypto industry where being a reputable member is like a dream for many. There are some security measures that can be taken to protect your Bitcointalk account from being stolen or hacked. A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.
You can use the secret question for additional account protection, but even in the explanations in the profile it is written that the use of this feature is not recommended.

Staking bitcoin addresses on the forum looks safer by comparison if all precautions are taken to protect access to this wallet address (from which, if necessary, you can confirm your ownership of the account using a signed transaction).

So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Most likely, this 2FA key implementation is opposed by the administration of this forum, and perhaps it will even be better, because they are aimed at ensuring maximum account security.


Bonus question.
Do I understand correctly that if the forum administration can recover the password to the stolen account (after the owner confirms his ownership), then, in principle, they can gain access to any account? Or does it work in a different way?

DVlog (OP)
Full Member
Activity: 476
Merit: 212
August 12, 2023, 07:45:02 PM
 #23

I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone.
I do have that kind of password, a combination of familiar words and numbers but not random characters, coz it's way too difficult to remember; you will end up resetting your password again lmao.

Also, you will always be reliant on copy-pasting the exact password, since it's very hard to memorize a password of random characters and symbols. My iPhone has a feature that automatically suggests a strong password on all my registrations. It consists of so many random symbols and letters, which is very hard to memorize.

I'm always skipping it because I will be reliant on my phone to access my account, and it will give me a problem later on once my phone gets broken.

I think most phones now have these features. Even when you are going to sign up for a website, sometimes Google suggests a random password that contains mostly symbols and numbers. Many people nowadays use KeePass to keep their passwords safe so that they do not need to remember them at their next log-in. This is the easy way, but sometimes these 3rd-party services show vulnerabilities.

Timelord2067
Legendary
Activity: 3654
Merit: 2216
August 13, 2023, 12:25:44 AM
 #24

Signing a message became meaningless many years ago when it was uncovered accounts were being sold WITH a corresponding priv key to a wallet address that had been staked.
2FA isn't meant to stop account sales, it's meant to stop accounts from getting compromised.

It's not working - some account sellers have carpet rug pulled after the sale to claim back the UID.  It's happened in the past.

2FA would have prevented a great many people from having been scammed over the years.

nakamura12
Hero Member
Activity: 2254
Merit: 669
August 13, 2023, 01:14:25 AM
 #25

I do not have any issues with 2FA getting added for account security. What I do think is that it should be a user's responsibility to secure his/her account. Adding another layer is only a pain for people who are aware of how to secure their accounts. Already the CAPTCHA on the login screen is a pain when you are using a VPN or TOR browser to access the forum. I won't be happy if the forum imposes a strict rule for 2FA. I would be happy if they give an option to ignore it.
No matter what the situation is, either there's 2FA in the forum, which is good for increasing your account's security, or no 2FA for the forum account. If 2FA is implemented, then it is up to the forum member to enable 2FA on their account or not enable 2FA at all. Captcha helps prevent bots from accessing the forum, and I don't see any problem with it being annoying, since you have to complete it if you have logged out of your account, and the forum has a bypass for the captcha if you ask me.

Upgrade00
Legendary
Activity: 2016
Merit: 2173
August 13, 2023, 03:55:38 AM
 #26

It's not working - some account sellers have carpet rug pulled after the sale to claim back the UID.  It's happened in the past.
Can you give an instance of when this has happened? That is, the original owner trying to claim back their account, on which they staked an address, and the hacker still winning ownership of the said account despite not having access to the Bitcoin address used to sign a message.

I've been here a short while and cannot remember a single scenario where this happened.

2FA would have prevented a great many people from having been scammed over the years.
2FA and signing a message are not mutually exclusive. We can comfortably have both as recovery features to protect accounts.

Lucius
Legendary
Activity: 3220
Merit: 5634
August 13, 2023, 10:15:37 AM
 #27

Oh no!
You mean you are that strong to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone.

I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.

However, I don't think an active account could have that slim chance of getting hacked just like that; so far I have never witnessed an active one being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.

robelneo
Legendary
Activity: 3220
Merit: 1202
August 13, 2023, 03:27:20 PM
 #28


So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is modification software that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication.
I don't think we need to add this; it's an additional workload for the server, and we have the best option to recover the account, which is staking our address. The user will be more careful with their private keys than with their 2FA application on their cellphone, backup code or password.


I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.


DVlog (OP)
Full Member
Activity: 476
Merit: 212
August 13, 2023, 03:53:29 PM
 #29


So why don't we add a Google authentication option as a security feature to the forum? This could prevent an account from being stolen if the user never showed up after a long period of inactivity or his password has been compromised.
Yes, there is modification software that will add 2FA to an SMF forum: SMFPacks Two Factor Authentication.
I don't think we need to add this; it's an additional workload for the server, and we have the best option to recover the account, which is staking our address. The user will be more careful with their private keys than with their 2FA application on their cellphone, backup code or password.


I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.
I agree 2FA cannot prove ownership, and passwords and 2FA can be compromised.

It is best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea as well.

arabspaceship123
Full Member
Activity: 868
Merit: 190
August 13, 2023, 05:18:55 PM
 #30

When we're regularly being told to change passwords, it means we won't be able to memorise any of them. You're getting used to one password and it's time to update, so it's copy-paste. If a keylogger's infiltrated your system, you'll have another problem to fix. I'd say it's counterproductive, because memorising one long safe password's safer for me than regularly changing it.

If I have a strong password that consists of, say, 20+ random characters, and if that same password is stored in a way that I'm sure it's accessible only to me, what's the point of regularly changing the password? It can even be counterproductive if you pick up a keylogger in the meantime, and by changing your password you actually compromise yourself.

virasog
Legendary
Activity: 2968
Merit: 1159
August 13, 2023, 05:21:06 PM
Merited by LoyceV (1)
 #31

It is best practice to stake a BTC address to add an extra layer of security, but this can be risky for some users as well. The private key of our BTC address can be compromised, and we cannot ignore the possibility of losing our private keys as well. It will be an extra workload for the server, but considering the importance of the security of our Bitcointalk account, having several options to secure our account is not a bad idea as well.

Why would the private key of our wallet be compromised unless we do not follow the best practices for safeguarding the private keys?

Also, as you said that the private keys can be lost, well, if anyone is unable to keep his private key safe, then he shouldn't be here :(
That's the most basic thing: you should not lose the private key of your wallet under any circumstances. You should have 2 copies of the private keys stored at two different locations.

Once you have your private key with you, you can always prove the ownership of your Bitcointalk account by signing a message through it.

The Sceptical Chymist
Legendary
Activity: 3318
Merit: 6809
August 14, 2023, 04:20:11 AM
 #32

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.

arabspaceship123
Full Member
Activity: 868
Merit: 190
August 14, 2023, 09:06:08 AM
 #33

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.
Feature changes must be optional or else users will be upset. There shouldn't be mandatory requirements for signing wallets as part of 2FA. It's impossible to make a Bitcoin wallet signing feature. If 2FA becomes an optional feature, it's giving choices to users.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.
I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it using special characters I don't usually use. I'll have to paste it because I won't remember it. If it's optional, it's allowing users to make up their own minds.

LoyceV
Legendary
Activity: 3290
Merit: 16581
August 14, 2023, 10:04:40 AM
 #34

I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it
Forced password changes increase the risk instead of making it safer. See:
Changing password and email occasionally has always been a good security practice what changed now?
People realized it was stupid in the first place ;)

Read the NCSC:
Regular password expiry is a common requirement in many security policies. However, in the Password Guidance published in 2015, we explicitly advised against it. This article explains why we made this (for many) unexpected recommendation, and why we think it’s the right way forward.

Let’s consider how we might limit the harm that comes from an attacker who knows a user’s password. The obvious answer is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This advice seems straightforward enough.

The problem is that this doesn’t take into account the inconvenience to users - the ‘usability costs’ - of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.

To make matters worse, most password policies insist that we have to keep changing them. And when forced to change one, the chances are that the new password will be similar to the old one.

Attackers can exploit this weakness.

The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.

Or PCMag: Stop Changing Your (Strong, Unique) Passwords So Much.

KingsDen
Legendary
Activity: 1078
Merit: 1024
August 14, 2023, 10:17:45 AM
 #35

A user can add secret questions and stake their BTC address in the forum to protect their account. Despite this, sometimes accounts get hacked and are taken by hackers.

This is a bitcoin forum and not a random website or forum. We all know that bitcoin came with some kind of cryptographic uniqueness, such as digital signatures. Even if your account is hacked, all you need to do is create a new account and complain in the forum. Then sign a signature from the old account, and the account would be returned to the rightful owner.

We also know that not everyone staked their address and not everyone knows how to sign messages. So, a 2FA alternative is not a bad one. It shouldn't be mandatory for all users.

arabspaceship123
Full Member
Activity: 868
Merit: 190
August 14, 2023, 10:38:28 AM
 #36

It shouldn't be mandatory because they increase risk of making it safer. I don't like being forced to change my password on the site I'm registered with. As long as I'll need their services I'll do it. If it's an option we're allowed to choose what we want but forcing compliance isn't making users confident.

I've an account at a website. It's mandatory to change the password after six months, so when I'm logging in they'll force me to change it
Forced password changes increase the risk instead of making it safer. See:

Adbitco
Hero Member
Activity: 1414
Merit: 653
August 15, 2023, 08:22:24 AM
 #37

Oh no!
You mean you are that strong to have about 20 random characters as a password?
I never thought of that; maybe I was thinking a password is only limited to 8 to 12 characters, though you are right, I don't see any reason for constantly changing a password if someone has already chosen a solid one that could not be easily accessed by someone.

I believe that a password of 20 random characters is more than enough in the sense that it cannot be broken by force in a very long period of time. I can't say if there is a limit to the number of password characters on BTT, but I don't think that's the case, considering that no one should be restricted from setting a password that is impossible to crack.

However, I don't think an active account could have that slim chance of getting hacked just like that; so far I have never witnessed an active one being stolen from the original owner.

I know of several cases of active members who were hacked (even Hero&Legendary members), but considering that there is a method of proving ownership, hacking a BTT account is one thing, and keeping it is something else entirely.

Thank you all through..
Maybe I can increase my password strength; I never got that, thinking that I won't be able to exceed 12 random characters, and also seeing a way to implore additional strong password. Although my choice of chosen password is never that too strong to break in, maybe I might change my password later or anytime soon to properly secure one's account. Secondly, I never knew an active account could get hacked; since they are active, I was thinking they won't mind barging into the account to break through since the owner could quickly raise an alarm.

DVlog (OP)
Full Member
Activity: 476
Merit: 212
August 15, 2023, 04:29:25 PM
 #38

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
Sure, but to have that as a requirement for logging in?  I wouldn't want to have to either sign a message from an address or do any other sort of 2FA.  If Theymos were to make such a feature optional, then I wouldn't be opposed to implementing a feature like that.  But if it was mandatory, forget about it.  I honestly can't stand any website that requires you to use 2FA to log in, and there are currently a few that I use regularly that do that.

I get how much more secure it is, but I'm of the opinion that anything like that which requires you to provide more personal information should be an opt-in feature.

I want it as an optional feature. Some do not want to use it, while others may find it useful. When the internet is transitioning from web2 to web3, it is not a bad idea to have an option to use your bitcoin address to sign in to your Bitcointalk account. Though I am against it being a mandatory feature, I am in support of it being an optional feature.


Mpamaegbu
Legendary
Activity: 2674
Merit: 1208
August 15, 2023, 05:16:30 PM
 #39

So why don't we add a Google authentication option as a security feature to the forum?
This line of interest has been cropping up steadily lately and I like it. I'm in for 2FA on accounts here. Yes, I know many will allude to signing wallet messages to regain access, but those who will do that should remember that signing a wallet to prove account ownership has to do with a stolen or hacked account and is not an antidote for preventing the account from getting hacked. That's what 2FA does. It strengthens accounts against being hacked.

When you can prove authenticity by signing a message from any of your old/staked bitcoin addresses, why bother having 2FA? Learn to sign a message if you are worried about account compromise.
This will be a very cumbersome thing to do. I don't like the idea of the wallet signed message just to log in as we know it could be a regular thing, especially for those who don't have the permanently logged in box ticked.

Lucius
Legendary
Activity: 3220
Merit: 5634
August 16, 2023, 10:18:18 AM
 #40

~snip~
Secondly, I never knew an active account could get hacked; since they are active, I was thinking they won't mind barging into the account to break through since the owner could quickly raise an alarm.

The activity of a BTT account does not mean that the person who hacks such an account cannot do damage using that account, because most people also have their private lives, which probably includes sleeping. If someone hacks you and you are not aware of it for 8+ hours, the hacker can use that time to request a loan or post malicious links or send threats to other members, all of which can result in you receiving a message that your account has been permanently banned. Of course, such a user will have the opportunity to prove that he was not behind all these actions, but sometimes that takes time.

For example, I remember that @LTU_btc was hacked, and also @BitcoinGirl.Club.
