[Guide] Lessons that every beginners should learn from recent account hack

[TheGreatPython]

When I come across this topic in meta, I am little surprised on learning how people get busy on real life and then forgetting about the basics on securing their bitcointalk account. Beginners may not be enough skilled to secure their account and even legendary members as well might miss like this incident hence decided to list few check points to make sure the security of our bitcointalk account.

In above incident, account holder lost their email due to expiry of it and then hacker created the same email and then easily got access to bitcointalk account.

It means, getting access to our email is very much similar to hacking password. So, we must not show what is our email.

Tip #1
Make sure that your mail is HIDDEN to anyone by ticking this checkbox:
Profile-> Account Related Settings-> Hide email address from public?



Tip #2
Make sure your email is active (and secured in terms of strong password and recovery options).

In recent times, (for example) google announced about deactivating inactive emails. So, it would be always a good practice to frequently keep checking all our email accounts including the one linked to our bitcointalk account.

And always use an alphanumeric password with at least 8 character length with symbols and capital letters. Because such password can be hacked only by 10+ years of brutal force.

Tip #3
Enable two-factor authentication in your bitcointalk account.

(I am mentioning this because it is relatively a new feature to our accounts and with this reason, not everyone is aware of availability of this security measurement).

Profile-> Account Related Settings->Two-factor authentication status:




I am sure that in above hack incident, if that user followed at least any one of these basics, might have prevented the hack.

Also, I like to know if I am missing any other tip to secure my account. I am always open to learn. Thank you all!

[dzungmobile]

Some more things about email address that need to be valid, not an invalid and non-existing one. Because later someone else can create that email address and steal your account.

theymos advised that it's better if you use email address like

Code:

yourUserName@invalid.bitcointalk.org

Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

This is something we recently started doing. If email sent to your email address bounces with an error message like, "This email address doesn't exist", then your email may eventually be changed to u...@bounces.invalid. (It's not possible for users to change their email address to something ending in .invalid, so this can only be an administrative change.) Because your old email didn't exist, somebody could've registered your non-existent email address and used that to steal your account.

[Mia Chloe]

Nice thread op I have a thread like this I created a very long time ago even before the 2FA implementation. Here is the post;

Securing your Bitcoin talk account

[Wiwo]

I made this mistake when I was a newbie, by displaying my email, but sure the forum already did enough to secure your privacy by making new account email hiden by default, unless if the user when to setting to make the email public.

I my own case I was the one that activated my email displayed, until some legendary old members enlighten that time to make my email private, leaving the account setting the way their are is the best way to go about the forum a d not sharing your email in public domain such as filing spreadsheets and the rest.

[SATWAT]

Nice thread op I have a thread like this I created a very long time ago even before the 2FA implementation. Here is the post;

Securing your Bitcoin talk account

As time is running out quickly newbies are also facing many problems so we need to keep things update for them, I have been feeling its good try by the OP for having all things in this thread because recently we are having some troubles for few members due to these mistakes hopefully now they will try to avoid them.

[KingsDen]

I remember when I registered newly here. My email was visible and I was receiving generic messages like;
"Hi, I'm from bitcoin forum, can we get to know ourselves"
"Hello, how long have you been in bitcoin"
I was surprised why I was recieving them in my email instead of in the forum pm. Until an established member advised me to hide my email address.
Most times we overlook the basics and concentrate more on the secondary and lose the primary.

[Adbitco]

I am sure that in above hack incident, if that user followed at least any one of these basics, might have prevented the hack.

Also, I like to know if I am missing any other tip to secure my account. I am always open to learn. Thank you all!

To me secure account you need to stake your bitcoin address and used a complicated password that could be very hard for people to guess or memorized that is all. I don't think killing oneself with various security can still help you, just that people are too lazy to use strong password. I think I have came across a user here who said immediately he logout his account while login back he would have to reset his password to have new password because he always forget his password.

[General_Bitcoin]

After registering my account I am not able to have enough time here on this forum but still I am doing good because I learn many things which are helping me in crypto world and managing my savings into Bitcoin because I am feeling comfortable with this now for securing my account I read few good and important points.
These are going to help me in future because now I have feeling I will be tried to give more time here because this is always blessing for me increased my knowledge and also good tips for many things related to my work and life.

[Ishicryptic]

Thanks for sharing this important information for newbies and older members who might be ignorant of the importance of hiding their emails in this forum. When I registered I thought that it will be wise to leave my email on hide, since this is an open forum and people can have access to my profile. Hackers makes it their business to break into people's accounts so it is important that we should try not to give them the access to impersonate us. Using a combination of complicated letters and symbols to create passwords is a good way to make it difficult for hackers to access our accounts.

[Upgrade00]

Your topic suggests that the account was hacked which some will interpret as a security lapse on the forum. Best to refer to it as an email breach, as that was the channel that allowed unauthorized access to the account.

Another security advice will be to have an address posted here which you have access to and to stake a signed address. This doesn't protect your account but will be your best way of recovering it if it someone else gets into it.

[lovesmayfamilis]

You certainly missed the point that after registering an account, you need to carefully store your data so that there are no incidents, like the one that happened recently, when a person simply forgot their password.
Also, do not trust letters received in PM. Do not follow the links in messages, since sometimes you can get a phishing link. There were cases when, after following the links, people thought that they accidentally logged out, but they remained on the forum, and they were asked to enter their login and password again. Every time you encounter such a situation, be careful not to fall into the clutches of hackers.
Likewise, do not save your passwords in the browser, since all your cookies can be decrypted, and others can get the password for the forum.
I had cases when there was a need for quick registration on some resources and confirmation. I used temporary mail. So in the history of these emails provided by services, there were many interesting things, including logins and passwords of other people. I think the case that the OP was referring to was identical.

[knowngunman]

I remember when I registered newly here. My email was visible and I was receiving generic messages like;
"Hi, I'm from bitcoin forum, can we get to know ourselves"
"Hello, how long have you been in bitcoin"
I was surprised why I was recieving them in my email instead of in the forum pm. Until an established member advised me to hide my email address.
Most times we overlook the basics and concentrate more on the secondary and lose the primary.

Email is hidden by default now when you register newly and issues like this can now be avoided. Some few newbies still make that mistake of enabling their email to show publicly thou but the risk of getting their account hacked is still very minimal since hackers are not interested in newly created accounts.

Likewise, do not save your passwords in the browser, since all your cookies can be decrypted, and others can get the password for the forum.

Some of the browsers we are using today are very deliberate in stealing people's data by asking them to save the password on every platforms they signed in or registered in. I must also confess that I have fallen for that in the past by saving some passwords on browsers. How do we get rid of these passwords on browsers? Does deleting them means they won't longer have access to it? If not, then it's a trap set against users.

[lovesmayfamilis]

Some of the browsers we are using today are very deliberate in stealing people's data by asking them to save the password on every platforms they signed in or registered in. I must also confess that I have fallen for that in the past by saving some passwords on browsers. How do we get rid of these passwords on browsers? Does deleting them means they won't longer have access to it? If not, then it's a trap set against users.

It would help if you changed all your passwords. It isn't easy to delete what is stored online. However, changing your passwords will not affect your security. Get into the habit of completely deleting all traces of sessions when you finish working in the browser, clearing cookies before closing. And to save passwords, use password managers with an open source code (for example, KeePass, Bitwarden).  Or just save them in a blanket encrypted document.

[tranthidung]

You certainly missed the point that after registering an account, you need to carefully store your data so that there are no incidents, like the one that happened recently, when a person simply forgot their password.

Likewise, do not save your passwords in the browser, since all your cookies can be decrypted, and others can get the password for the forum.

The common advice for account security is using a strong password which is misunderstood by many people. Being unique is the first important specification of a strong password. Because if you use one password on many platforms for multiple accounts, no matter how strong that password is in length and character combination, it breaks basic rule for password setup.

If one platform is compromised, you will have risk of losing all of your accounts that have only one password.

[GUIDE] How to Create a Strong/Secure Password
Use Password managers.

And to save passwords, use password managers with an open source code (for example, KeePass, Bitwarden).  Or just save them in a blanket encrypted document.

Links to some password manager softwares are above.

[knowngunman]

It would help if you changed all your passwords. It isn't easy to delete what is stored online. However, changing your passwords will not affect your security. Get into the habit of completely deleting all traces of sessions when you finish working in the browser, clearing cookies before closing. And to save passwords, use password managers with an open source code (for example, KeePass, Bitwarden).  Or just save them in a blanket encrypted document.

Thank you for the suggestions although those mistakes happened in the past. I have been practicing some of the above like clearing sessions and cookies sometimes for a while now but for the password, I decided to take it away completely from anything digital. I have learnt series of lessons as a result of password mismanagement.

I really don't know much about the open source that you recommend or how to use them. I will appreciate if you share more details on how to get it or make use of it.

Edit:
I just noticed the links shared above my post. I already checked it out but everything look confusing to me.