Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation? I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled out that. However, the things that stand out to me are the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being an outright lie. That's not exactly good, if you're looking to do some white hat work.
Agreed.
Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.
On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.
On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail. (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid. And that does not itself totally disable password reset by e-mail.) I’m not the only one. Lauda complained to me about that.
On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key... OK, I will stop right here.

Looks like @newalias is online today, so I expect he'll respond to this thread soon, either because he checks the Meta board or finds out he has 2 new feedback and checks the reference link.
For the record, I reached out to him by PM as I said I would. With a link to my post on this thread. Kind of sticking my neck out, doing that. Eh. Anyway, he should be well on notice about this thread.