Bitcoin Forum
Author Topic: Major Flaw in Security  (Read 5353 times)
awesome31312 (Hero Member, Activity: 826, Merit: 504)
November 15, 2014, 07:19:35 PM  #21

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification, though

Account recovered 08-12-2019
AnonBitCoiner (Sr. Member, Activity: 1400, Merit: 326)
November 15, 2014, 08:02:39 PM  #22

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification, though

Many other forums follow this procedure; I wasn't aware that this one didn't. +1; I think it could be made an option available to users...if they want to enable e-mail verification, then they can, for those more concerned with security, whereas for those who are lazier and would prefer not to go to their e-mail upon a change, they could have it disabled
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
November 15, 2014, 08:08:19 PM  #23

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification, though
Just to put it into perspective as to how easy it is to guess someone's password:

There are 26 potential english letters and 10 potential numbers that can be used in your password (we can ignore all the special characters that someone could potentially use as well as capital letters).

If an attacker knew that a specific account's password was exactly 6 digits (I don't even think the forum allows for passwords to be this short) then the number of potential passwords would be 36^6 or written in base 10 scientific form 2176782336 ~2.17 * 10^9 or 2,176,782,336 or ~2.1 billion possibilities. Considering that an attacker can only attempt to "guess" a password once every 45 seconds, it would take 816,293,376 hours (34,012,224 days) to guess a password if the attacker has 100% luck (the attacker correctly guessed the correct password exactly halfway through all the potential passwords).

tl;dr it is not realistically possible to guess someone's password without some kind of social engineering and/or exploiting some kind of weakness of the person who owns the account (the owner somehow being at fault).
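The estimate in the post above, recomputed as an added example (not code from the post or the forum): a uniformly random password of a given length over a given charset, the expected number of guesses (half the keyspace), and the wall-clock time at a given guess rate, with units carried through explicitly. The 45 s per guess is the post's assumption about the login form's throttle; the 1e9 guesses/s offline rate is an assumed figure for someone cracking a leaked password hash rather than guessing through the form, added here to show what the throttle is actually worth.

```python
"""Added example (not from the post): the brute-force estimate recomputed with explicit
units, generalised to any charset size, length and guess rate. The 45 s online rate is the
post's assumption; the 1e9 guesses/s offline rate is an assumed hash-cracking speed."""
from dataclasses import dataclass

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 60 * 60
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

ALNUM_LOWER = 36      # a-z plus 0-9, the post's charset
PRINTABLE_ASCII = 95  # every printable ASCII character


@dataclass(frozen=True)
class GuessCost:
    keyspace: int          # candidate passwords of exactly this length
    expected_guesses: int  # on average the right one turns up halfway through
    seconds: float         # wall-clock time for the expected number of guesses

    @property
    def minutes(self) -> float:
        return self.seconds / SECONDS_PER_MINUTE

    @property
    def hours(self) -> float:
        return self.seconds / SECONDS_PER_HOUR

    @property
    def days(self) -> float:
        return self.seconds / SECONDS_PER_DAY

    @property
    def years(self) -> float:
        return self.seconds / SECONDS_PER_YEAR


def keyspace(charset_size: int, length: int) -> int:
    """Uniformly random password of exactly `length` symbols: charset_size ** length."""
    return charset_size ** length


def guess_cost(charset_size: int, length: int, seconds_per_guess: float) -> GuessCost:
    space = keyspace(charset_size, length)
    expected = space // 2  # the average case the post calls "100% luck"
    return GuessCost(space, expected, expected * seconds_per_guess)


def online_cost(charset_size: int, length: int, seconds_per_guess: float = 45.0) -> GuessCost:
    """Attacker throttled by the login form: one attempt per 45 s (the post's assumption)."""
    return guess_cost(charset_size, length, seconds_per_guess)


def offline_cost(charset_size: int, length: int, guesses_per_second: float = 1e9) -> GuessCost:
    """Attacker holding a leaked password hash: no throttle, only hashing speed (assumed)."""
    return guess_cost(charset_size, length, 1.0 / guesses_per_second)


if __name__ == "__main__":
    for label, cost in [
        ("36^6, online @ 45 s/guess", online_cost(ALNUM_LOWER, 6)),
        ("36^6, offline @ 1e9/s", offline_cost(ALNUM_LOWER, 6)),
        ("95^8, offline @ 1e9/s", offline_cost(PRINTABLE_ASCII, 8)),
    ]:
        print(f"{label}: keyspace={cost.keyspace:,} expected={cost.expected_guesses:,} "
              f"minutes={cost.minutes:,.0f} hours={cost.hours:,.0f} years={cost.years:,.1f}")
```

Carried through with units, the post's numbers (2,176,782,336 candidates, half of them tried, 45 s each) come to 816,293,376 minutes, which is about 13.6 million hours or roughly 1,550 years; the conclusion that guessing through a throttled form is hopeless stands either way. Two caveats a practitioner would add: the same 36^6 keyspace falls in about a second once the attacker has the hash and is no longer rate-limited, and every figure here assumes a uniformly random password, which is exactly the "weakness of the person" the post's tl;dr sets aside.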
awesome31312 (Hero Member, Activity: 826, Merit: 504)
November 16, 2014, 08:31:01 PM  #24

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman

Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
November 16, 2014, 09:38:00 PM  #25

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
awesome31312 (Hero Member, Activity: 826, Merit: 504)
November 17, 2014, 10:53:48 AM  #26

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.

Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
November 17, 2014, 01:17:29 PM  #27

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password
awesome31312 (Hero Member, Activity: 826, Merit: 504)
November 18, 2014, 06:40:06 PM  #28

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me

Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
November 18, 2014, 06:46:37 PM  #29

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.
MadZ (Hero Member, Activity: 908, Merit: 657)
November 19, 2014, 06:21:27 AM  #30

(we can ignore all the special characters that someone could potentially use as well as capital letters).

Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.

Because not everyone includes only the letters of the alphabet in their passwords like you.
Huh? If you include special characters in your password then my argument is stronger, because it would take longer to guess a password

You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.

I think the confusion here comes from the fact that you took his quote:

All the hacker has to do is guess the right PW or answer security question correctly and it's game over.

The chances of that are very low

Only if it's coupled with email verification, though

and made it a reason to show how difficult it is to actually bruteforce someone's password. I read his quote as agreeing with the idea that passwords are not guessable, given that he says the chances of guessing someone's password are "very low". The thing is, you begin your reply by saying:
 
Just to put it into perspective as to how easy it is to guess someone's password:

Which sounds like you are disagreeing with him if you take that sentence out of context. He probably read this and assumed your post was contradicting his, which is why he responded to you with hostility, even though you both actually agree. You're both confused because you believe the other person has the opposite view, when you actually both agree that passwords are very secure. That's how I read your conversation at least.
marcotheminer (OP) (Legendary, Activity: 2072, Merit: 1049)
December 23, 2014, 12:39:00 PM  #31

Bump
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
December 27, 2014, 11:37:04 AM  #32

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
MadZ (Hero Member, Activity: 908, Merit: 657)
December 27, 2014, 11:53:55 AM  #33

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
December 27, 2014, 12:01:06 PM  #34

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.

First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
Email accounts are easier to compromise than forum accounts. Maybe it is uncommon, maybe not, IDK.

I do think the rule that an email address can only be associated with one account should be lifted. If someone were to try to hack accounts via this method then they could attempt to change their email to a number of addresses they think they can hack, and when they get an error saying that the email is associated with another account, they know they can try to hack it.
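The enumeration oracle described in the post above, together with the confirm-before-apply flow discussed earlier in the thread, as an added example that is not the forum's software: one email-change handler answers differently depending on whether the address is already on file, so an attacker with an ordinary account can probe a list of addresses and learn which ones are worth attacking at the mail provider; the other answers uniformly and changes nothing until the new mailbox confirms. The Forum class, its in-memory store, the usernames and addresses are all constructed for illustration.

```python
"""Added example (not the forum's software): an email-change endpoint that leaks which
addresses are already registered, beside one that answers uniformly and applies the change
only after the new address confirms. The Forum class, its in-memory store, the sample
accounts and addresses are all constructed for illustration."""
import secrets


class Forum:
    def __init__(self):
        # constructed sample accounts: username -> email on file
        self.accounts = {"quickseller": "quickseller@example.net", "madz": "madz@example.net"}
        self.pending = {}   # confirmation token -> (username, new_email)
        self.outbox = []    # (recipient, message) pairs a real site would send by mail

    def _owner_of(self, email):
        return next((u for u, e in self.accounts.items() if e == email), None)

    # Leaky: a distinct error reveals that the address belongs to some other account,
    # so an attacker can probe a list of addresses and learn which ones to go after.
    def change_email_leaky(self, username, new_email):
        owner = self._owner_of(new_email)
        if owner is not None and owner != username:
            return "error: that email address is already associated with another account"
        self.accounts[username] = new_email
        return "ok: email changed"

    # Uniform: the requester sees the same message either way, and nothing changes on the
    # account until whoever reads the new mailbox follows the confirmation link.
    def change_email_safe(self, username, new_email):
        if self._owner_of(new_email) is None:
            token = secrets.token_urlsafe(24)
            self.pending[token] = (username, new_email)
            self.outbox.append((new_email, f"confirm the change with token {token}"))
        else:
            # the existing owner is told; the requester learns nothing from the reply
            self.outbox.append((new_email, "someone tried to attach this address to another "
                                           "account; ignore this if it was you"))
        return "ok: if the address is available, a confirmation message has been sent to it"

    def confirm(self, token):
        """Apply a pending change once; False for unknown, reused or now-conflicting tokens."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        username, new_email = entry
        if self._owner_of(new_email) is not None:  # taken since the request was made
            return False
        self.accounts[username] = new_email
        return True


def enumerate_registered(handler, candidates, attacker="attacker"):
    """What an attacker holding an ordinary account learns by probing each candidate."""
    return {email for email in candidates if handler(attacker, email).startswith("error")}
```

Against `change_email_leaky` the probe returns exactly the set of addresses that are registered; against `change_email_safe` it returns nothing, and the attacker's own account is unchanged until a token from the new mailbox is presented. The same uniform-response rule applies to registration and password-reset forms, which leak the same bit when their error text differs.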
Lauda (Legendary, Activity: 2674, Merit: 2965)
December 27, 2014, 12:17:28 PM  #35

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
December 27, 2014, 12:19:35 PM  #36

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.
Someone could potentially want a vanity email address that matches their bitcointalk username (he could register the username on the major email providers: gmail, yahoo, outlook, etc.). I agree that this would be horrible security, but then again a lot of people here are pretty clueless about security.
redsn0w (Legendary, Activity: 1778, Merit: 1042)
December 27, 2014, 12:22:19 PM  #37

I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com

I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account
b) set up an account with an email that you've bought ?

Recovering via email increases security by a huge factor, especially if your account is protected by an uncrackable password. Waiting a year for this feature is way too much.

Yes, you're right. It is also possible to use 2FA, and it will add a major level of security to the email address.
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
December 27, 2014, 12:24:55 PM  #38

I think 2FA in general would be beneficial. But I don't think email is the right way to do it. Maybe Google Authenticator would be a better solution.
hilariousandco (Global Moderator, Legendary, Activity: 3822, Merit: 2633)
December 27, 2014, 12:33:50 PM  #39

How about the option of 3-factor? Google Auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset Google Auth via email?
Quickseller (Copper Member, Legendary, Activity: 2884, Merit: 2327)
December 27, 2014, 12:42:06 PM  #40

How about the option of 3-factor?  Cheesy. Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
No. Google Auth has nothing to do with email. You are given a QR code to scan, and anyone that has access to the QR code can display the 6-digit code you enter, which proves you controlled the account at the time it was set up. It is similar to signing a message.