Bitcoin Forum
September 19, 2019, 05:37:29 AM *
News: Latest Bitcoin Core release: 0.18.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: 1 2 [All]
  Print  
Author Topic: Password reset log  (Read 3263 times)
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3514
Merit: 6234


View Profile
October 19, 2014, 03:49:15 AM
 #1

Whenever a user changes his own password or resets his account (via email or secret question), this action is now publicly logged here for 30 days:
https://bitcointalk.org/seclog.php

Additionally, these same actions will be listed on the person's Trust page. A reset will be shown for 30 days, while a password change will be shown for 3 days.

This should make it easier to determine whether an account has been compromised.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
Be very wary of relying on JavaScript for security on sites such as blockchain.info and brainwallet.org. The site can change the JavaScript at any time unless you take unusual precautions, and browsers are not generally known for their airtight security.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
1568871449
Hero Member
*
Offline Offline

Posts: 1568871449

View Profile Personal Message (Offline)

Ignore
1568871449
Reply with quote  #2

1568871449
Report to moderator
marcotheminer
Legendary
*
Offline Offline

Activity: 1442
Merit: 1013


Newbies: Feel free to message me!


View Profile
October 19, 2014, 07:18:08 AM
 #2

Thank you for taking this initiative, smart decision!
redsn0w
Legendary
*
Offline Offline

Activity: 1736
Merit: 1040


#Free market


View Profile
October 19, 2014, 09:12:26 AM
 #3

Whenever a user changes his own password or resets his account (via email or secret question), this action is now publicly logged here for 30 days:
https://bitcointalk.org/seclog.php

Additionally, these same actions will be listed on the person's Trust page. A reset will be shown for 30 days, while a password change will be shown for 3 days.

This should make it easier to determine whether an account has been compromised.
This is a great idea and  "tool" , thanks .
hilariousandco
Below Average Member
Global Moderator
Legendary
*
Offline Offline

Activity: 2128
Merit: 1651


KnowNoBorders.io


View Profile WWW
October 19, 2014, 09:20:08 AM
 #4

Yeah, very useful. Though maybe you should change the colour of the warning This user's password was reset recently to red and make it a little larger. The yellow is hard to see, at least on my phone.

████████████████████████████
████████▀▀ █▀ █▀ ▀██████████
█████████▄ ▄▄▄▄▄▄███████████
██████████▀     ▀  ▀████████
███████▀ ▀  ▄█▀▀▀█▀▀████████
██████▄      █▄  ▀▀  ▀██████
██████         ▄▄█▄ ▄ ▀█████
█████ ▄         ▀▀ ▄ ▀ █████
██████▌          █▀█▀ ▐█████
███████  ▄▌         ▄ ██████
████████▄█         ▄████████
█████████▀     ▄▄ ▄█████████
████████████████████████████
.JACKMATE'S...........
.
MAJESTIC..
████████████████████████
███████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
.
..WIN 1 BITCOIN ON EVERY PREMIER LEAGUE MATCHDAY..
████████████████████████████████
████████████▀█▀ ▀█▀█▀███████████
███████████▄ ▄▄▄▄▄▄▄████████████
███████████▀▀▄▄▄▄▄▄▄▄███████████
█████████▀▄ ██▀▄▄▄ ▀ ▄▀█████████
███████▀ ▀█████▄▄▄█▄▄▄██████████
███████▀▄████████▀  ▀█ █▐███████
███████ ▀█████████▄█▀▀██ ███████
████████ ███▀██████ ▄ ██ ███████
████████▌▐▀▄ ██████████ ▄███████
█████████▄██▌▐█████▀██ █████████
████████████▄▀▀▀▀▀▄ ▀▄██████████
████████████████████████████████
.
.JOIN US - IT'S FREE! .
Shogen
Legendary
*
Offline Offline

Activity: 966
Merit: 1000



View Profile
October 19, 2014, 09:40:03 AM
 #5

Thanks for the new feature, theymos.

Yeah, very useful. Though maybe you should change the colour of the warning This user's password was reset recently to red and make it a little larger. The yellow is hard to see, at least on my phone.

The warning message is in orange for me. Did theymos change it after reading your feedback? Smiley

hilariousandco
Below Average Member
Global Moderator
Legendary
*
Offline Offline

Activity: 2128
Merit: 1651


KnowNoBorders.io


View Profile WWW
October 19, 2014, 09:57:00 AM
 #6

It might have just been orange actually. It's still a bit hard to notice as the orange though.

████████████████████████████
████████▀▀ █▀ █▀ ▀██████████
█████████▄ ▄▄▄▄▄▄███████████
██████████▀     ▀  ▀████████
███████▀ ▀  ▄█▀▀▀█▀▀████████
██████▄      █▄  ▀▀  ▀██████
██████         ▄▄█▄ ▄ ▀█████
█████ ▄         ▀▀ ▄ ▀ █████
██████▌          █▀█▀ ▐█████
███████  ▄▌         ▄ ██████
████████▄█         ▄████████
█████████▀     ▄▄ ▄█████████
████████████████████████████
.JACKMATE'S...........
.
MAJESTIC..
████████████████████████
███████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
.
..WIN 1 BITCOIN ON EVERY PREMIER LEAGUE MATCHDAY..
████████████████████████████████
████████████▀█▀ ▀█▀█▀███████████
███████████▄ ▄▄▄▄▄▄▄████████████
███████████▀▀▄▄▄▄▄▄▄▄███████████
█████████▀▄ ██▀▄▄▄ ▀ ▄▀█████████
███████▀ ▀█████▄▄▄█▄▄▄██████████
███████▀▄████████▀  ▀█ █▐███████
███████ ▀█████████▄█▀▀██ ███████
████████ ███▀██████ ▄ ██ ███████
████████▌▐▀▄ ██████████ ▄███████
█████████▄██▌▐█████▀██ █████████
████████████▄▀▀▀▀▀▄ ▀▄██████████
████████████████████████████████
.
.JOIN US - IT'S FREE! .
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1484
Merit: 1320


No I dont escrow anymore.


View Profile WWW
October 19, 2014, 10:01:35 AM
 #7



Yep orange, way better than the yellow



but I also think that it should be little bigger.
PistolPete
Member
**
Offline Offline

Activity: 90
Merit: 10


View Profile
October 19, 2014, 10:16:04 AM
 #8

Good feature.

What happens if the account is hacked but the password is deliberately not changed? There are a lot whose accounts are lying inactive so wouldn't check on it.
redsn0w
Legendary
*
Offline Offline

Activity: 1736
Merit: 1040


#Free market


View Profile
October 19, 2014, 10:20:06 AM
 #9



Yep orange, way better than the yellow



but I also think that it should be little bigger.

I think (as hilariousandco) that the write should be changed to :

This user's password was reset recently.
Muhammed Zakir
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504


I prefer Zakir over Muhammed when mentioning me!


View Profile WWW
October 19, 2014, 10:41:12 AM
 #10

Thanks for this! It will be helpful! Smiley



Yep orange, way better than the yellow



but I also think that it should be little bigger.

I think (as hilariousandco) that the write should be changed to :

This user's password was reset recently.

Orange is okay but making the font a bit bigger would be good.

   ~~MZ~~

hilariousandco
Below Average Member
Global Moderator
Legendary
*
Offline Offline

Activity: 2128
Merit: 1651


KnowNoBorders.io


View Profile WWW
October 19, 2014, 10:57:23 AM
 #11

Good feature.

What happens if the account is hacked but the password is deliberately not changed? There are a lot whose accounts are lying inactive so wouldn't check on it.

I don't think this is something we have to worry about. Someone isn't going to go to the trouble of hacking your account and then not change the password. If it's not changed then you still have control of the account until someone does change it. The original owner is going to notice something is amiss, and if it's an old inactive account then I don't see the big problem, but there's nothing that could be done about that anyway unless someone notices something fishy about the account.

████████████████████████████
████████▀▀ █▀ █▀ ▀██████████
█████████▄ ▄▄▄▄▄▄███████████
██████████▀     ▀  ▀████████
███████▀ ▀  ▄█▀▀▀█▀▀████████
██████▄      █▄  ▀▀  ▀██████
██████         ▄▄█▄ ▄ ▀█████
█████ ▄         ▀▀ ▄ ▀ █████
██████▌          █▀█▀ ▐█████
███████  ▄▌         ▄ ██████
████████▄█         ▄████████
█████████▀     ▄▄ ▄█████████
████████████████████████████
.JACKMATE'S...........
.
MAJESTIC..
████████████████████████
███████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
.
..WIN 1 BITCOIN ON EVERY PREMIER LEAGUE MATCHDAY..
████████████████████████████████
████████████▀█▀ ▀█▀█▀███████████
███████████▄ ▄▄▄▄▄▄▄████████████
███████████▀▀▄▄▄▄▄▄▄▄███████████
█████████▀▄ ██▀▄▄▄ ▀ ▄▀█████████
███████▀ ▀█████▄▄▄█▄▄▄██████████
███████▀▄████████▀  ▀█ █▐███████
███████ ▀█████████▄█▀▀██ ███████
████████ ███▀██████ ▄ ██ ███████
████████▌▐▀▄ ██████████ ▄███████
█████████▄██▌▐█████▀██ █████████
████████████▄▀▀▀▀▀▄ ▀▄██████████
████████████████████████████████
.
.JOIN US - IT'S FREE! .
TradeFortress 🏕
VIP
Legendary
*
Offline Offline

Activity: 1176
Merit: 1023


View Profile
October 19, 2014, 11:01:10 AM
 #12

If you're investing development effort here for account security, how about implementing 2FA? I really don't understand the apparent aversion of 2FA.
Muhammed Zakir
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504


I prefer Zakir over Muhammed when mentioning me!


View Profile WWW
October 19, 2014, 11:13:51 AM
 #13

If you're investing development effort here for account security, how about implementing 2FA? I really don't understand the apparent aversion of 2FA.

He said, it will be implemented in the New Forum. Smiley

   ~~MZ~~

TradeFortress 🏕
VIP
Legendary
*
Offline Offline

Activity: 1176
Merit: 1023


View Profile
October 19, 2014, 11:22:02 AM
 #14

He said, it will be implemented in the New Forum. Smiley

   ~~MZ~~

Implementing TOTP 2FA is significantly more effective than implementing a password reset log.
hilariousandco
Below Average Member
Global Moderator
Legendary
*
Offline Offline

Activity: 2128
Merit: 1651


KnowNoBorders.io


View Profile WWW
October 19, 2014, 11:44:31 AM
 #15

He said, it will be implemented in the New Forum. Smiley

   ~~MZ~~

Implementing TOTP 2FA is significantly more effective than implementing a password reset log.

And I imagine setting up 2F is significantly more work than implementing a simple password reset log. Shouldn't be too long for the new forum now anyway.

████████████████████████████
████████▀▀ █▀ █▀ ▀██████████
█████████▄ ▄▄▄▄▄▄███████████
██████████▀     ▀  ▀████████
███████▀ ▀  ▄█▀▀▀█▀▀████████
██████▄      █▄  ▀▀  ▀██████
██████         ▄▄█▄ ▄ ▀█████
█████ ▄         ▀▀ ▄ ▀ █████
██████▌          █▀█▀ ▐█████
███████  ▄▌         ▄ ██████
████████▄█         ▄████████
█████████▀     ▄▄ ▄█████████
████████████████████████████
.JACKMATE'S...........
.
MAJESTIC..
████████████████████████
███████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
████████████████████████
.
..WIN 1 BITCOIN ON EVERY PREMIER LEAGUE MATCHDAY..
████████████████████████████████
████████████▀█▀ ▀█▀█▀███████████
███████████▄ ▄▄▄▄▄▄▄████████████
███████████▀▀▄▄▄▄▄▄▄▄███████████
█████████▀▄ ██▀▄▄▄ ▀ ▄▀█████████
███████▀ ▀█████▄▄▄█▄▄▄██████████
███████▀▄████████▀  ▀█ █▐███████
███████ ▀█████████▄█▀▀██ ███████
████████ ███▀██████ ▄ ██ ███████
████████▌▐▀▄ ██████████ ▄███████
█████████▄██▌▐█████▀██ █████████
████████████▄▀▀▀▀▀▄ ▀▄██████████
████████████████████████████████
.
.JOIN US - IT'S FREE! .
anujjain
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250


View Profile
October 19, 2014, 01:03:22 PM
 #16

This feature will help so much atleast for who try to hack and using for scam.
Muhammed Zakir
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504


I prefer Zakir over Muhammed when mentioning me!


View Profile WWW
October 19, 2014, 04:38:20 PM
 #17

He said, it will be implemented in the New Forum. Smiley

   ~~MZ~~

Implementing TOTP 2FA is significantly more effective than implementing a password reset log.

And I imagine setting up 2F is significantly more work than implementing a simple password reset log. Shouldn't be too long for the new forum now anyway.

I would like to have bitcoin 2FA too though an option to choose Google Authenticator and BTC 2FA would be good. Suggestions are welcome! Smiley

we should use bitcoin related 2FA

https://github.com/nanotube/supybot-bitcoin-marketmonitor/blob/master/GPG/local/bitcoinsig.py

easy to implement and only requires storing public bitcoin addresses.

   ~~MZ~~

santaClause
Full Member
***
Offline Offline

Activity: 183
Merit: 100


View Profile
October 19, 2014, 05:10:40 PM
 #18

Whenever a user changes his own password or resets his account (via email or secret question), this action is now publicly logged here for 30 days:
https://bitcointalk.org/seclog.php

Additionally, these same actions will be listed on the person's Trust page. A reset will be shown for 30 days, while a password change will be shown for 3 days.

This should make it easier to determine whether an account has been compromised.
Would it be possible to not disclose how a password is reset (email verses secret question). If this is disclosed then the fact that someone has a secret question which would make their account more vulnerable to getting hacked. Removing the disclosure of what method was used to to reset a password would remove this vulnerability.
BombaUcigasa
Legendary
*
Offline Offline

Activity: 1442
Merit: 1000



View Profile
October 19, 2014, 06:51:39 PM
 #19

Whenever a user changes his own password or resets his account (via email or secret question), this action is now publicly logged here for 30 days:
https://bitcointalk.org/seclog.php

Additionally, these same actions will be listed on the person's Trust page. A reset will be shown for 30 days, while a password change will be shown for 3 days.

This should make it easier to determine whether an account has been compromised.
OMG, thanks theymos, we can finally change our ava..... oh...

Good implementation idea...
greatwolf_
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile WWW
October 19, 2014, 07:14:41 PM
 #20


And I imagine setting up 2F is significantly more work than implementing a simple password reset log. Shouldn't be too long for the new forum now anyway.

You mean the new forum that's supposedly in the works since jan 2013? Frankly, I don't understand why there's a need to design a completely new forum software from scratch when there are many off-the-shelve open-source choices available. It would save so much time going with one of them that closely fits the requirements and just customize and mod it to fit our purposes.

PS. I'm still waiting for a reply to my PM on my hacked account btw.
Raize
Donator
Legendary
*
Offline Offline

Activity: 1417
Merit: 1008


View Profile
October 20, 2014, 03:07:26 PM
 #21

Implementing TOTP 2FA is significantly more effective than implementing a password reset log.

It's also significantly more difficult. SMF's password-handling and use is, to put it simply, horrible. It's better to just have the new forum designed from the ground up to use 2FA than to even attempt to hack it into SMF. I can't speak for theymos, but I'd be terrified to try to hack up a 2FA for SMF given the little I already know of its code and especially the anti-XSS part of it.

I just recently changed my password and I think I agree with the others, it should be a bigger font and maybe even RED and bolded. It might help cut down significantly on the "oh, I got hacked!" scams. Of course, it's going to have to require that a lot of folks actively refuse to do business with people who have changed their password or reset their account recently.

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
Salmon1989
Hero Member
*****
Offline Offline

Activity: 603
Merit: 500



View Profile
October 21, 2014, 06:30:28 AM
 #22


And I imagine setting up 2F is significantly more work than implementing a simple password reset log. Shouldn't be too long for the new forum now anyway.

You mean the new forum that's supposedly in the works since jan 2013? Frankly, I don't understand why there's a need to design a completely new forum software from scratch when there are many off-the-shelve open-source choices available. It would save so much time going with one of them that closely fits the requirements and just customize and mod it to fit our purposes.

The following is what theymos said 8 months ago about the new forum software.

Quote
Why do you think we needed to spend so much for software when there are free or much cheaper option available?

The most popular forum software is:
- Old.
- Written in PHP, which sucks.
- Written insecurely and messily.
- Difficult to modify, especially safely.
- Not much more featureful than SMF, if at all.

There are a handful of newer forum software packages which solve some of those problems, but all of them are very sparse in features.

The goal of this software project is to create new, open source forum software which will compete with SMF, phpBB, etc.

Quote
What special features will the forum have?

This isn't completely defined yet. It'll have almost all features that we have now. A main goal will be improving filtering and data presentation so that users can more easily manage the flood of posts both board-wide and within threads, while simultaneously reducing the need for centralized moderation.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 3514
Merit: 6234


View Profile
October 25, 2014, 11:46:36 PM
 #23

I added color-coding to the usernames in this log. That'll make it easier to pick out more valuable accounts from the list. The colors are the same as the colors on Who's Online:
- Admins = red
- Global mods = dark blue
- Donators = green
- VIPs = violet
- Staff = pink
- Regular users are various shades of grey, getting darker with seniority.
- Legendary = lightish blue

Also, I made the "reset recently" text darker and larger.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Muhammed Zakir
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504


I prefer Zakir over Muhammed when mentioning me!


View Profile WWW
October 26, 2014, 04:26:34 AM
 #24

I added color-coding to the usernames in this log. That'll make it easier to pick out more valuable accounts from the list. The colors are the same as the colors on Who's Online:
- Admins = red
- Global mods = dark blue
- Donators = green
- VIPs = violet
- Staff = pink
- Regular users are various shades of grey, getting darker with seniority.
- Legendary = lightish blue

Also, I made the "reset recently" text darker and larger.

Thanks! Now it is better.

Off-topic: It would be good if you make a total no. of logged in users and total no. of guests in a small box or something like that in Who's Online.

   ~~MZ~~

--Encrypted--
Copper Member
Legendary
*
Offline Offline

Activity: 924
Merit: 1003

hee-ho.


View Profile
June 18, 2015, 11:03:03 PM
Last edit: June 18, 2015, 11:16:26 PM by --Encrypted--
 #25

sorry for bumping an old topic, but I have just noticed something a little strange while I was wandering around.

KWH's trust page shows the "This user's password was reset recently." notice, but according to seclog, his password hasn't been changed since May 25th. and I compared him with some other members that had changed their password on that day, but I don't see anything like this.

which one is correct?

for additional info, I noticed that before this appeared on the seclog. "10:36:25 PM - DooMAD - password changed"

"You cannot now believe that you will ever feel better. But this is not true. You are sure to be happy again. Knowing this, truly believing it will make you less miserable now."
- Abraham Lincoln #GettingOverIt
Muhammed Zakir
Hero Member
*****
Offline Offline

Activity: 560
Merit: 504


I prefer Zakir over Muhammed when mentioning me!


View Profile WWW
June 19, 2015, 05:26:01 AM
 #26

sorry for bumping an old topic, but I have just noticed something a little strange while I was wandering around.

KWH's trust page shows the "This user's password was reset recently." notice, but according to seclog, his password hasn't been changed since May 25th. and I compared him with some other members that had changed their password on that day, but I don't see anything like this.

which one is correct?

for additional info, I noticed that before this appeared on the seclog. "10:36:25 PM - DooMAD - password changed"

KWH resetted his password via email. It will be shown till June 25.

-snip-
Additionally, these same actions will be listed on the person's Trust page. A reset will be shown for 30 days, while a password change will be shown for 3 days.
 -snip

yogg
Legendary
*
Offline Offline

Activity: 1596
Merit: 1794


Coldkey™ -- coldkey.eu


View Profile
December 10, 2017, 12:07:07 AM
 #27

Sorry for bumping an old thread...

Is there any way to check the seclog archives for between 2015 and 2017 ? Yeah, I know it's 24 months and it keeps only the last 30 days...  Grin

I tried webarchive but it didn't keep track of everything. Undecided

Pages: 1 2 [All]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!