A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is, I don't want this kind of thing to keep on happening!
I don't want this to happen to other users, and I think my idea would be a great leap for our forum's security.
So here's how it's going to work. Most of us that were hacked weren't able to regain access to our account because our email was changed.
What if every time a user wants to change his email he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24-hour process. The user can still cancel it within 24 hours if he changes his mind.
24 hour process for what? You have to wait 24 hours to change the email? That's just plain stupid. What if the hacker got into your email as well?
The only good idea here is to validate that the email or password was changed. Unfortunately that isn't going to happen since a lot of users here just registered with a fake email address.
I also think that it would be great if we add a service like Cloudflare to completely secure our forum. Of course all of us should be a part of this.
We should all contribute to this. We should build a donation address for this plan.
No. This has been discussed before. Cloudflare does not provide any additional security whatsoever; in fact, they actually reduce your security. Cloudflare acts as a man in the middle: they can see all of your communication in plaintext, not encrypted as it should be. This opens up a whole other attack vector and a bunch more problems.
Let this post serve as a petition to make our forum more secure and greater than before!
The forum is already very secure; it's part of the reason that the SMF version hasn't been updated. Many, many changes have been made to significantly increase the security. The problem is when people fall for phishing scams, use weak passwords, or set a security question. There is only so much the forum can do to protect you from yourself.
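
The email-change flow proposed in the quoted post (confirm from the currently registered address, then a 24-hour window in which the change can be cancelled), as an added example that is not part of the thread or of the forum's software. The account dictionary, function names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DELAY = 24 * 3600  # the 24-hour cancellation window from the proposal, in seconds

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_change(account, new_email):
    """Start a change. The returned token is mailed to the CURRENT address only."""
    token = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked database row cannot be used to confirm.
    account["pending"] = {"new_email": new_email,
                          "digest": _digest(token),
                          "confirmed_at": None}
    return token

def confirm(account, token, now):
    """Confirm from the current mailbox; this starts the 24-hour clock."""
    p = account.get("pending")
    if not p or p["confirmed_at"] is not None:
        return False
    if not hmac.compare_digest(_digest(token), p["digest"]):
        return False
    p["confirmed_at"] = now
    return True

def cancel(account):
    """Owner changed his mind, or spotted a change he never asked for."""
    return account.pop("pending", None) is not None

def apply_if_due(account, now):
    """Swap the address only after a confirmed request has aged 24 hours."""
    p = account.get("pending")
    if not p or p["confirmed_at"] is None or now - p["confirmed_at"] < DELAY:
        return False
    account["email"] = p["new_email"]
    del account["pending"]
    return True

if __name__ == "__main__":
    acct = {"email": "old@example.test"}          # constructed sample account
    tok = request_change(acct, "new@example.test")
    print(confirm(acct, tok, now=0), apply_if_due(acct, now=3600))
    print(apply_if_due(acct, now=DELAY), acct["email"])
```

As the reply points out, the confirmation step gives no protection when the attacker also controls the current mailbox, and it cannot work for accounts registered with a fake address.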