Altcoins Talks - Cryptocurrency Forum

Crypto Discussion Forum => Forum related => Topic started by: admin on January 24, 2024, 12:55:01 PM

Title: Password Encryption on Altcoinstalks
Post by: admin on January 24, 2024, 12:55:01 PM
There were questions concerning the security of the passwords on Altt,
the passwords in our database are encrypted.
Passwords cannot be decrypted; they are hashed one way.
Here is the hashing code used to generate the hashes:
sha1(strtolower('username') . 'password');
That's a form of salted password, so breaking it is fairly impossible.

Your passwords are safe, but do not have the same password used everywhere, because other platforms/sites/forums/etc.. might not have strict password encryption.
Title: Re: Password Encryption on Altcoinstalks
Post by: masudginanjar on January 25, 2024, 04:29:58 AM
I trust the admin because this admin has loyalty to the forum he owns, that's for sure.
But I want to ask the admin:

1. What if the email password is the same as the altcoinstalks account, will this be a serious problem?
2. If I change my altcoinstalks account password, will there be a password change confirmation in my email inbox?
3. As far as I know, if someone logs in to email from another device it will be detected where they logged in, this makes it possible to quickly change our email password, right?
4. If my altcoinstalks account is hacked, what is the guarantee from the admin so that my account can be returned to me?
Title: Re: Password Encryption on Altcoinstalks
Post by: hugeblack on January 25, 2024, 09:18:46 AM
It is true that the password is encrypted in your database, but it could happen:
Hackers place backdoors in the forum's software that enable them to record the password before it is encrypted, or temporarily have admin permissions and thus can access/change the password.

Therefore, your advice to use another password is useful, and I hope to enhance security by adding:

 - Two-factor authentication.
 - Option to show IP addresses for the last 30 days.
 - Cancel the ability to log in via Facebook (I have not tried it)
 - locking the account when the user accesses the account via Secret Question
 - Adding the option to assign white-list IP addresses so that you can only log in through them.

1. What if the email password is the same as the altcoinstalks account, will this be a serious problem?
2. If I change my altcoinstalks account password, will there be a password change confirmation in my email inbox?
3. As far as I know, if someone logs in to email from another device it will be detected where they logged in, this makes it possible to quickly change our email password, right?
4. If my altcoinstalks account is hacked, what is the guarantee from the admin so that my account can be returned to me?
1) If your email has been hacked, this means that all accounts linked to that email will be hacked.
2) This should happen because you were asked to verify email when you logged in.
3) Depends on your email settings.
4) Once you are verified, you will have to access your account. You have completed KYC verification, so you may be asked to send your passport again, or sign a message from your Bitcoin address.
Title: Re: Password Encryption on Altcoinstalks
Post by: admin on January 25, 2024, 09:44:45 AM
I trust the admin because this admin has loyalty to the forum he owns, that's for sure.
But I want to ask the admin:

1. What if the email password is the same as the altcoinstalks account, will this be a serious problem?
2. If I change my altcoinstalks account password, will there be a password change confirmation in my email inbox?
3. As far as I know, if someone logs in to email from another device it will be detected where they logged in, this makes it possible to quickly change our email password, right?
4. If my altcoinstalks account is hacked, what is the guarantee from the admin so that my account can be returned to me?
In general, always use a unique password for every platform: Facebook, LinkedIn, forum, etc.

1- never do that, very bad idea
2- yes
3- what if they log in when you are sleeping?
4- If you cannot access your email, the guarantee is low. If you can access your email, we will check old backups to see if the email changed, then restore the email.
Title: Re: Password Encryption on Altcoinstalks
Post by: babo on January 25, 2024, 09:52:18 AM
one thing that has worked well in another forum is to stack any cryptocurrency address
I'll give you an example
if I write my btc address in a thread
bc11111
and someone quotes it, this is carved in rock

if by chance a bad hacker steals my account, I send an email to the admin and tell him
dear admin I'm really babo, this is the staked address in the xxx thread and this is the message signed with that address
admin recovers my account

end
Title: Re: Password Encryption on Altcoinstalks
Post by: admin on January 25, 2024, 11:49:16 AM
one thing that has worked well in another forum is to stack any cryptocurrency address
I'll give you an example
if I write my btc address in a thread
bc11111
and someone quotes it, this is carved in rock

if by chance a bad hacker steals my account, I send an email to the admin and tell him
dear admin I'm really babo, this is the staked address in the xxx thread and this is the message signed with that address
admin recovers my account

end

nice idea, also can be implemented no problem. I will make a section that is not visible to guests or below member rank, where you can stake addresses
Title: Re: Password Encryption on Altcoinstalks
Post by: babo on January 25, 2024, 11:56:25 AM
one thing that has worked well in another forum is to stack any cryptocurrency address
I'll give you an example
if I write my btc address in a thread
bc11111
and someone quotes it, this is carved in rock

if by chance a bad hacker steals my account, I send an email to the admin and tell him
dear admin I'm really babo, this is the staked address in the xxx thread and this is the message signed with that address
admin recovers my account

end

nice idea, also can be implemented no problem. I will make a section that is not visible to guests or below member rank, where you can stake addresses

I'm happy to have proposed something useful for everyone, for the forum, for the community and for account security

the important thing is that the messages with address are listed in order to "block" them to those who do not have access to the account and can modify old messages
Title: Re: Password Encryption on Altcoinstalks
Post by: dkbit98 on January 25, 2024, 12:24:23 PM
Cancel the ability to log in via Facebook (I have not tried it)
I would remove this facebook login asap from forum, and I would not add any other third party or social media login option again.
I don't know anyone using facebook in 2024 and this can be security issue for sure.


As for password encryption, they are encrypted on most of the other websites, yet they get hacked and leaked all the time.


nice idea, also can be implemented no problem. I will make a section that is not visible to guests or below member rank, where you can stake addresses
Just make sure to explain to everyone that they won't be able to recover their account if they can't prove address ownership.
Otherwise, this won't make any sense.
Title: Re: Password Encryption on Altcoinstalks
Post by: masudginanjar on January 26, 2024, 09:30:43 AM
4. If my altcoinstalks account is hacked, what is the guarantee from the admin so that my account can be returned to me?
4) Once you are verified, you will have to access your account. You have completed KYC verification, so you may be asked to send your passport again, or sign a message from your Bitcoin address.
As for KYC, I am ready to do it at any time because this is my account since I was on the altcoinstalks forum.
Message from a Bitcoin address?
What do you mean by this?
I've never done something like this sending messages via Bitcoin Address, can you provide a more detailed explanation??

4. If my altcoinstalks account is hacked, what is the guarantee from the admin so that my account can be returned to me?
4- If you cannot access your email, the guarantee is low. If you can access your email, we will check old backups to see if the email changed, then restore the email.
I have been protecting my email since I created it, and up to this moment I have only logged in once on my smartphone, the rest of my email has not been logged in on any device.
The admin's answer was convincing enough for me to accept, I hope my account will be fine in the future.
Title: Re: Password Encryption on Altcoinstalks
Post by: babo on January 26, 2024, 10:06:32 AM
certainly protecting your account in the first place and protecting the never are definitely and certainly fundamental steps for protection
let's say that protection with a stacked address is further protection, the last bastion to access, also because it must be verified manually
Title: Re: Password Encryption on Altcoinstalks
Post by: Papusha20 on January 26, 2024, 11:33:35 AM
The password is very confidential so the password I used must be on record close to admin, will I have any problems later on? 
Must be careful about the password because I am a permanent member here, if I have any problem I will change my secret password and use a stronger password.
Title: Re: Password Encryption on Altcoinstalks
Post by: SamReomo on January 26, 2024, 12:20:44 PM
This is a very useful guide for those who want to teleport their accounts from other forums especially from Bitcointalk to this forum. I would always recommend everyone to use different and new passwords for each platform to have maximum security.

I don't really know why someone use same password on all the websites. It's not a good practice at all, anyone who cares about security should always use different passwords.

Although, I agree with admin that your passwords are protected on this forum but still one should prefer to use different passwords for maximum security.
Title: Re: Password Encryption on Altcoinstalks
Post by: hugeblack on January 27, 2024, 05:53:18 AM
I decided to visit the forum again and tried to log in and found a strange point:

(https://talkimg.com/images/2024/01/27/kvKw2.png)

Please delete it now. No one, including the administrator, has the right to ask you about the password. Encrypting the password must require that admin does not know it but has the authority to change it.

It is also better to have a warning on the login page ----> https://www.altcoinstalks.com/index.php?action=register telling you that you must use a different password than bitcointalk or any other service.

I also cannot find a page related to privacy. For example, for how long will the IP address registered with you be deleted, and is it deleted once the account is deleted?
Title: Re: Password Encryption on Altcoinstalks
Post by: babo on January 27, 2024, 08:06:05 AM
@admin when you do this section, I would be happy to include my stacked address for recovery among the first
trivially it's not even an address with coins inside, it's an empty address that I use to sign messages, in this specific case messages to demonstrate that I'm the real me
Title: Re: Password Encryption on Altcoinstalks
Post by: admin on January 27, 2024, 11:49:22 AM
I decided to visit the forum again and tried to log in and found a strange point:

(https://talkimg.com/images/2024/01/27/kvKw2.png)

Please delete it now. No one, including the administrator, has the right to ask you about the password. Encrypting the password must require that admin does not know it but has the authority to change it.

It is also better to have a warning on the login page ----> https://www.altcoinstalks.com/index.php?action=register telling you that you must use a different password than bitcointalk or any other service.

I also cannot find a page related to privacy. For example, for how long will the IP address registered with you be deleted, and is it deleted once the account is deleted?

I do not remember these terms, will look into them; they need some changes anyway.
Title: Re: Password Encryption on Altcoinstalks
Post by: admin on January 27, 2024, 12:04:56 PM
I decided to visit the forum again and tried to log in and found a strange point:

(https://talkimg.com/images/2024/01/27/kvKw2.png)

Please delete it now. No one, including the administrator, has the right to ask you about the password. Encrypting the password must require that admin does not know it but has the authority to change it.

It is also better to have a warning on the login page ----> https://www.altcoinstalks.com/index.php?action=register telling you that you must use a different password than bitcointalk or any other service.

I also cannot find a page related to privacy. For example, for how long will the IP address registered with you be deleted, and is it deleted once the account is deleted?

Did a quick update, will have to look into it in detail another time.
Title: Re: Password Encryption on Altcoinstalks
Post by: ABCbits on January 27, 2024, 01:13:42 PM
Here is the hashing code used to generate the hashes:
sha1(strtolower('username') . 'password');
That's a form of salted password, so breaking it is fairly impossible.

If I understood it correctly, does that mean the salt is our username? If it's true, IMO it's not very strong since the salt is known and one high-end GPU can perform 51 billion SHA1/second (Hash-Mode 110)[1]. Please correct me if I'm wrong.

[1] https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd
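
Added example, not part of any post in this thread and not the forum's own code: one way a site storing `sha1(strtolower(username) . password)` digests can move to a slow, randomly salted hash is to verify the legacy digest at login and re-hash while the plaintext is available. The record layout (`username`, `passwd`) and the function names are assumptions made for illustration; `password_hash`, `password_verify`, `password_needs_rehash` and `hash_equals` are standard PHP functions.

```php
<?php
// Legacy scheme quoted in the thread: the only salt is the lowercased
// username, and SHA-1 is a fast, general-purpose hash.
function legacy_hash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

// Verify a login against whichever format is stored and upgrade on success.
// Returns true when the password is correct; $record is updated in place
// (a real application would persist the new value to its members table).
function verify_and_upgrade(array &$record, string $password): bool
{
    $stored = $record['passwd'];

    // Exactly 40 hex characters: the row still holds a legacy SHA-1 digest.
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        $candidate = legacy_hash($record['username'], $password);
        if (!hash_equals($stored, $candidate)) {   // constant-time compare
            return false;
        }
        // The plaintext exists only during login, so re-hash here.
        $record['passwd'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash transparently when the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $record['passwd'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample row, as it would look before migration.
$user = [
    'username' => 'Alice',
    'passwd'   => legacy_hash('Alice', 'correct horse'),
];

var_dump(verify_and_upgrade($user, 'wrong guess'));       // legacy row, wrong password
var_dump(verify_and_upgrade($user, 'correct horse'));     // legacy row, correct password
var_dump(password_get_info($user['passwd'])['algoName']); // format stored after upgrade
var_dump(verify_and_upgrade($user, 'correct horse'));     // upgraded row, correct password
```

Rows belonging to accounts that never log in again keep the legacy digest, so a migration like this is usually paired with a forced reset for those accounts after a cutoff date.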
Title: Re: Password Encryption on Altcoinstalks
Post by: bitmover on January 27, 2024, 01:56:19 PM
Your passwords are safe, but do not have the same password used everywhere, because other platforms/sites/forums/etc.. might not have strict password encryption.

+1 for this

Passwords should always be unique. For that, a password manager is a must. Because it generates the passwords for you.

This is because some services might be hacked. Database hacks happen all the time.

If you use the same password everywhere, the hacker can just log in to other services with your password.

Title: Re: Password Encryption on Altcoinstalks
Post by: babo on January 28, 2024, 08:59:49 AM
it's called password stuffing, there are various methods to avoid it, you should know that I work in the defensive security field. normally my work is called by Blue team, while attacking us is called Red team. a way to avoid password reuse and allows a maximum of 5 login attempts and then ban IP for an hour for example
Title: Re: Password Encryption on Altcoinstalks
Post by: hugeblack on January 28, 2024, 09:50:47 AM
did a quick update, will have to look into it in details another time
This happened quickly. I see you updated the Registration Agreement and the new text

(https://talkimg.com/images/2024/01/28/kV8hJ.png)

The new update is good and frees the forum from bearing the consequences of any hacks that occur using the same current password. All that remains is the commitment that the password is encrypted as soon as it is sent and no one, including admin, knows it. Only admin has access to encrypted version of the password.

Therefore, from a security standpoint, the Registration Agreement is good, and if you have time, it is better to write texts related to privacy, such as how long you will keep the IP address, encrypt messages, or delete data.
Title: Re: Password Encryption on Altcoinstalks
Post by: Asiska02 on January 29, 2024, 07:20:33 PM
This is a very useful guide for those who want to teleport their accounts from other forums especially from Bitcointalk to this forum. I would always recommend everyone to use different and new passwords for each platform to have maximum security.

It is not even ideal to use same password for different sites or where you need to access something online. Once that password gets out, you’ll lose everything including the ones you never knew they can have access to. Security should be your priority in the crypto space because many people are always looking for ways to infiltrate accounts to cause harm to the person behind the account.

Quote
I don't really know why someone use same password on all the websites. It's not a good practice at all, anyone who cares about security should always use different passwords.

Some people argue that if they have too many passwords in their memory, they would become confused and lose track of things, which is why they use the same password. There are multiple ways to generate passwords for various websites while keeping them in your memory; simply follow the process that works best for you and your security will be much enhanced.