awesome31312
|
|
November 15, 2014, 07:19:35 PM |
|
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
The chances of that are very low
Only if it's coupled with email verification though
|
Account recovered 08-12-2019
|
|
|
AnonBitCoiner
|
|
November 15, 2014, 08:02:39 PM |
|
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
The chances of that are very low
Only if it's coupled with email verification though
Many other forums follow this procedure; I wasn't aware that this one didn't.
+1; I think it could be made an option available to users...if they want to enable e-mail verification, then they can, for those more concerned with security, whereas for those who are lazier and would prefer not to go to their e-mail upon a change, they could have it disabled
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
November 15, 2014, 08:08:19 PM |
|
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
The chances of that are very low
Only if it's coupled with email verification though
Just to put it into perspective as to how easy it is to guess someone's password: There are 26 potential English letters and 10 potential numbers that can be used in your password (we can ignore all the special characters that someone could potentially use as well as capital letters). If an attacker knew that a specific account's password was exactly 6 digits (I don't even think the forum allows for passwords to be this short) then the number of potential passwords would be 36^6 or written in base 10 scientific form 2176782336 ~2.17 * 10^9 or 2,176,782,336 or ~2.1 billion possibilities. Considering that an attacker can only attempt to "guess" a password once every 45 seconds, it would take 816,293,376 hours (34,012,224 days) to guess a password if the attacker has 100% luck (the attacker correctly guessed the correct password exactly halfway through all the potential passwords). tl;dr it is not realistically possible to guess someone's password without some kind of social engineering and/or exploiting some kind of weakness of the person who owns the account (the owner somehow being at fault).
|
|
|
|
awesome31312
|
|
November 16, 2014, 08:31:01 PM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
|
Account recovered 08-12-2019
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
November 16, 2014, 09:38:00 PM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
|
|
|
|
awesome31312
|
|
November 17, 2014, 10:53:48 AM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
Because not everyone includes only the letters of the alphabet in their passwords like you.
|
Account recovered 08-12-2019
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
November 17, 2014, 01:17:29 PM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
Because not everyone includes only the letters of the alphabet in their passwords like you.
If you include special characters in your password then my argument is stronger because it would take longer to guess a password
|
|
|
|
awesome31312
|
|
November 18, 2014, 06:40:06 PM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
Because not everyone includes only the letters of the alphabet in their passwords like you.
If you include special characters in your password then my argument is stronger because it would take longer to guess a password
You're confusing me
|
Account recovered 08-12-2019
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
November 18, 2014, 06:46:37 PM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
Because not everyone includes only the letters of the alphabet in their passwords like you.
If you include special characters in your password then my argument is stronger because it would take longer to guess a password
You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.
|
|
|
|
MadZ
|
|
November 19, 2014, 06:21:27 AM |
|
(we can ignore all the special characters that someone could potentially use as well as capital letters).
Nice strawman
idk what you are talking about. Can you provide an actual counter argument as to why it would be easy to guess someone's password? One that uses actual logic unlike your complaint about the TX fees being a tax on transactions.
Because not everyone includes only the letters of the alphabet in their passwords like you.
If you include special characters in your password then my argument is stronger because it would take longer to guess a password
You're confusing me
I explained how it would take ~93,000 years to guess someone's password if they did not use any capital or special letters. To most people this is a very long time.
I think the confusion here comes from the fact that you took his quote:
All the hacker has to do is guess the right PW or answer security question correctly and it's game over.
The chances of that are very low
Only if it's coupled with email verification though
and made it a reason to show how difficult it is to actually bruteforce someone's password. I read his quote as agreeing with the idea that passwords are not guessable, given that he says the chances of guessing someone's password are "very low". The thing is, you begin your reply by saying:
Just to put it into perspective as to how easy it is to guess someone's password:
Which sounds like you are disagreeing with him if you take that sentence out of context. He probably read this and assumed your post was contradicting his, which is why he responded to you with hostility, even though you both actually agree. You're both confused because you believe the other person has the opposite view, when you actually both agree that passwords are very secure. That's how I read your conversation at least.
|
|
|
|
marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
|
|
December 23, 2014, 12:39:00 PM |
|
Bump
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
December 27, 2014, 11:37:04 AM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
|
|
|
|
MadZ
|
|
December 27, 2014, 11:53:55 AM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
December 27, 2014, 12:01:06 PM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
First of all, I would have completely lost access to this account in the past had it not been for this feature. Disregarding that, what you describe sounds like a fairly uncommon method of account theft. I think it is safe to say that most accounts are stolen when the password is compromised, not the email, and requiring email confirmation for password/email changes would result in a net positive effect on account security, not a negative one.
Email accounts are easier to compromise than forum accounts. Maybe it is uncommon, maybe not, IDK. I do think the rule that an email address can only be associated with one account should be lifted. If someone were to try to hack accounts via this method then they could attempt to change their email to a number of email addresses they think they can hack and when they get an error saying that email is associated with another account they know they can try to hack it
|
|
|
|
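The error message described in the post above tells the requester whether an address already belongs to another account. As an added example that is not part of the thread or the forum's own code, here is one way an email-change flow can avoid that signal: the caller always gets the same reply, and anything address-specific is sent to the mailbox itself. The function names and in-memory stores are hypothetical, and the sample accounts are constructed.

```python
import secrets

# Constructed sample data: address -> username (not real accounts).
USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}
PENDING = {}   # confirmation token -> (username, new_email)
OUTBOX = []    # (recipient, message) pairs standing in for a mail queue

GENERIC = "If that address can be used, a confirmation link has been sent to it."

def request_email_change(username, new_email):
    """Start an email change; the caller sees the same reply in every case."""
    new_email = new_email.strip().lower()
    if new_email in USERS:
        # Tell the mailbox owner, not the requester, that the address is taken.
        OUTBOX.append((new_email,
                       "Someone tried to attach this address to another account."))
    else:
        token = secrets.token_urlsafe(32)
        PENDING[token] = (username, new_email)
        OUTBOX.append((new_email, "Confirm the change with token " + token))
    return GENERIC

def confirm_email_change(token):
    """Apply the change only when the token mailed to the new address is presented."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    username, new_email = entry
    if new_email in USERS:  # claimed by someone else in the meantime
        return False
    old_email = next(e for e, u in USERS.items() if u == username)
    del USERS[old_email]
    USERS[new_email] = username
    return True
```

Response timing can still differ between the two branches; a deployment would queue the mail asynchronously so both paths take the same time.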
Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
|
|
December 27, 2014, 12:17:28 PM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account b) set up an account with an email that you've bought? Recovering via email increases security by a huge factor, especially if your account is protected by a not crackable password/encrypted. Waiting a year for this feature is way too much.
|
"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core ( onion)
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
December 27, 2014, 12:19:35 PM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account b) set up an account with an email that you've bought? Recovering via email increases security by a huge factor, especially if your account is protected by a not crackable password/encrypted. Waiting a year for this feature is way too much.
someone could potentially want a vanity email address that matches their bitcointalk username (he could register the username on the major email providers (gmail, yahoo, outlook, etc). I agree that this would be horrible security, but then again a lot of people here are pretty clueless about security
|
|
|
|
redsn0w
Legendary
Offline
Activity: 1778
Merit: 1042
#Free market
|
|
December 27, 2014, 12:22:19 PM |
|
I think the ability to recover/reset your password via email actually decreases security. For example BitMiningInvestments just offered to sell me the email address quickseller@live.com
I obviously am not going to buy the account, however if I did buy it then I might add it to my bitcointalk profile and he could later try to recover it via social engineering from Microsoft (which has a much lower standard to recover accounts than the forum does). Once he recovers the email account he can reset my password and have access to the account.
You're wrong on so many levels. Why in the name of all that exists would you: a) buy an email account b) set up an account with an email that you've bought? Recovering via email increases security by a huge factor, especially if your account is protected by a not crackable password/encrypted. Waiting a year for this feature is way too much.
Yes, you're right. It is also possible to use the 2FA, and it will add a major level of security to the email address.
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
December 27, 2014, 12:24:55 PM |
|
I think 2fa in general would be beneficial. But I don't think email is the right way to do it. Maybe Google Authenticator would be a better solution.
|
|
|
|
hilariousandco
Global Moderator
Legendary
Offline
Activity: 3864
Merit: 2654
|
|
December 27, 2014, 12:33:50 PM |
|
How about the option of 3-factor? Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2926
Merit: 2347
|
|
December 27, 2014, 12:42:06 PM |
|
How about the option of 3-factor? Google auth would be better than email but both are only as secure as you are. Email is probably much easier to hack, but couldn't you reset google auth via email?
no. Google auth has nothing to do with email. You are given a qr code to scan and anyone that has access to the qr code can display the 6 digit code you enter that proves you controlled the account at the time it was set up. It is similar to signing a message
|
|
|
|
|