Security question and answer.

[akwala]

In order to change my security question and answer, I did the following in the Account Related Settings form under Modify Profile:

• entered a security question and answer;
• entered my password and OTP (next to the "Change profile" button);
• clicked the "Change profile" button.

This resulted in the form getting re-rendered without any error, but with the following message in red, next to the security answer field:

You have a secret question set. This is not recommended.

The security question I had entered appeared in its field.

How can I change my security question and answer?

[retaur]

The old security question or the new one you tried to set?

Security questions aren't recommended because the common ones are either guessable or searchable (especially if you've multiple accounts with the same email, password and security question or someone that sends you a "questionnaire" that asks for information that could be the answer to your security question).

[Xal0lex]

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

[JeromeTash]

Why would you opt for a security question when there is a much better option to secure your account via OTP.
"Security question" was an old account recovery method which is no longer in use. After the introduction of OTP a few years back, it's better you set it up to increase your account security

[SeriouslyGiveaway]

In order to change my security question and answer, I did the following in the Account Related Settings form under Modify Profile:

• entered my password and OTP (next to the "Change profile" button);

Something you must know about OTP for your account security.
2FA added by theymos from a SMF patch programmed by PowerGlove.
A concise 2FA/TOTP implementation (SMF patch)

There is a note from theymos on 2FA.

If you use the forgotten-password function, then there's an option to remove the 2FA. So 2FA does not provide any protection in case of a compromised email. Make sure that your email address is secure. If you don't want to set an email address, use something like yourUserName@invalid.bitcointalk.org; don't use a random nonsense email like y@x.com, since somebody might create that domain/email.

[KingsDen]

Why would you opt for a security question when there is a much better option to secure your account via OTP.
"Security question" was an old account recovery method which is no longer in use. After the introduction of OTP a few years back, it's better you set it up to increase your account security

I think theymos should remove the option of security question now that there is 2fa verification. I see that the only function security question is solving now is; if you want to self-destroy your account.
When I was new, I set it but then when I saw that it wasn't recommended, I removed it. I fear that it shouldn't trigger one day and become a problem to me.

Op, as advised by others, consider leaving the secret question alone if you don't want plenty drama with the admin concerning account recovery in the future.

[Cricktor]

I would not use and remove a previously set security question and answer in your profile, unless you didn't use a valid email address for your account OR you don't have control over the used email account.

Anyone who still uses the security question and answer should carefully read and understand the Public Service Announcement that Xal0lex has provided the link to! See post #3 above...

If your email account used for registration in this forum is properly secured, it's very recommended to activate and use 2FA for your forum's account.

In case shit happens with your forum account and you need to regain access via recovery, stake a Bitcoin address and/or a GPG public key in the appropriate mega-threads before you run into a need for account recovery.

[hd49728]

PSA: ACCOUNTS WILL BE LOCKED IF THE SECRET QUESTION IS USED TO RECOVER IT

The change of secret question to be usable for account recovery to account lock comes from the forum hack in 2015.
Bitcointalk history of hacks and vandalism.
About the recent server compromise.

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

Accounts will be locked like busminer but there is an account recovery process that takes time, but no guarantee that you will succeed.
Busminer account locked, please help to unlock.