Silk Road forums
Discussion => Silk Road discussion => Topic started by: Dread Pirate Roberts on December 21, 2011, 11:49 pm
-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To help limit the damage to accounts that are compromised, we'll be requiring a second password to make withdrawals or transfers. You will be prompted to provide this password sometime in the next 24-48 hours. This password should be very strong and unrelated to your main account password.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
-----END PGP SIGNATURE-----
-
Good idea SR! ;D
-
You might want to opt for random characters P, Q, X, Y and Z from your secret word rather than just another plain password.
Any key-logger on a compromised system would make the second security measure fairly pointless, especially on high-usage accounts. Building on that, some financial websites provide drop-downs populated with all characters A-Z, 0-9 and certain symbols allowable in the construction of your secret word. E.g. provide character 3 <DROP DOWN>, character 4 <DROP DOWN> and character 9 <DROP DOWN> from your secret word. That way you never (technically) have to touch the keyboard.
Nothing will stop the determined hacker, but this makes life more difficult.
-
Done.
-
Good idea SR! ;D
While it is a good idea, this has been brought up and requested for MONTHS now, so he doesn't really deserve praise for having the idea, but it is nice that it is getting done.....FINALLY!!
-
now if only they would disable early finalization, then this site might actually be a bad place for scammers and a good place to buy drugs!
-
Keep in mind adding new features has to be done in a way that maximizes security and is not detrimental to the speed of the site.
Thanks for implementing wonderful features, thank you so much SR for everything. It's been an honor to see this place grow.
And remember guys, expectations are elucidating, speaking compendious volumes about character.
Peace,
DigitalAlch
-
There is no way to prevent early finalizing. If some technical mechanism is put in place, vendors will require that you transfer them the btc directly instead.
Honestly, I think SR should leave the current escrow system how it is. There is a very proper Darwinistic element in place here. Finalize early and get scammed? Nobody's fault but your own, and whether you learn a lesson and continue to use SR, or get angry and quit...it really doesn't matter.
The only thing I think SR should do is make it so that if you click the finalize button within 4 days of the order, you are taken to a page which briefly explains the benefits of escrow and why you shouldn't finalize early, with a check box that says "I accept the risk of finalizing early and understand that if I get scammed, I have nobody to blame but myself", followed by the Finalize button that takes you to the page you get when you currently click Finalize.
-
There is no way to prevent early finalizing. If some technical mechanism is put in place, vendors will require that you transfer them the btc directly instead.
Honestly, I think SR should leave the current escrow system how it is. There is a very proper Darwinistic element in place here. Finalize early and get scammed? Nobody's fault but your own, and whether you learn a lesson and continue to use SR, or get angry and quit...it really doesn't matter.
The only thing I think SR should do is make it so that if you click the finalize button within 4 days of the order, you are taken to a page which briefly explains the benefits of escrow and why you shouldn't finalize early, with a check box that says "I accept the risk of finalizing early and understand that if I get scammed, I have nobody to blame but myself", followed by the Finalize button that takes you to the page you get when you currently click Finalize.
"I accept and understand that by finalizing early I forfeit any and ALL customer support, and recognize that if the transaction does not work out I will have no recourse. I accept these terms and wish to transfer the money to the Vendor now. "
Yeah, that's actually not a terrible idea. That would be really nice.
Peace,
DigitalAlch
-
Changes are in the works.
-
Intriguing.... ;)
-
Early Finalization: Being a newb, it's hard to find a vendor who doesn't force newbs to "finalize early." It took a couple days of diligence to find some...with some decent product/prices.
As for the 2nd password, thanks for the heads up! Glad there will be a prompt....I'm already on info overload.
Peace,
SD
-
Sounds good to me! Extra measures of safety are always a plus!
-
Thanks SR! I was happily surprised when I logged in this morning. :)
While it is a good idea, this has been brought up and requested for MONTHS now, so he doesn't really deserve praise for having the idea, but it is nice that it is getting done.....FINALLY!!
GTFO. Seriously.
-
This is awesome! Something long overdue (secondary password). Things are all coming into place!
-
Keep in mind adding new features has to be done in a way that maximizes security and is not detrimental to the speed of the site.
Please implement a check to make sure that the second password does not equal the password used to log on to the site. That is, if you want to maximize security etc.
-
GRRR, phishing paradise is over.
Seller scams it is, then.
-
What is the pin number added to the pay section?
thanks
cleaverfield
-
I just took my Medicine and I feel much better about this. How about a Retina Scan?
I can put my eyeball close to Cam and SR verifies everything!
-
What is the pin number added to the pay section?
thanks
cleaverfield
It used to ask for your password in those fields, to confirm withdrawals or transfers.
Now it asks for a PIN, which should also be a long passphrase, before it allows you to do financial transactions.
Since phishing sites only mimic the login page to steal your password, a phisher won't have access to your account balance if you are unfortunate enough to get your info phished.
-
I don't understand, what is the PIN??? Is it the second password?
thanks
-
yes, people are calling it a PIN, but it's a secondary password.
Your main password gets you on the site, and your secondary password has to be entered every time you try to withdraw or add funds, or transfer them to another user.
-
You'd think that somebody would have advised Silk Road to call it a secondary passphrase, and not a PIN, just to avoid this type of confusion.
-
I still like the idea of a Retina Scan. I'm trying on my Cam right now!
-
Super cool new feature - never asked for new pin # and now I can't access my bitcoins.
I have an 11 am appointment in the city for a transfer and am prolly gonna have to cancel!!
Well on the bright side the coins haven't disappeared from my account. rofl.
Extremely inconvenient though........ :(
-
When I was prompted upon logging in to create my second password, I created one. Now, when I try to withdraw bitcoins, I type in my second password/ PIN, and it is NOT being accepted...
It keeps telling me that it is incorrect. When I know for a fact it is not.
-
the crappy thing is SR hasn't responded to my pm on the road in over 2 hrs now.
I sure hope they are typing their fingers to the bone writing code to fix this. lol
:P
Christy
-
Can I make another suggestion also? Not sure if this is something I can fix on my end, but the "withdraw bitcoins:" text box: is there any way to make it longer so I can view the entered bitcoin address?
-
the crappy thing is SR hasn't responded to my pm on the road in over 2 hrs now.
I sure hope they are typing their fingers to the bone writing code to fix this. lol
:P
Christy
Don't sweat response times. SR Admin is peppered with messages constantly - he usually takes at least half a day to get back to me, and more often than not it's a full day.
-
Thank you Silk Road for thinking of our safety!
-RI
-
Liberty Reserve has a lot of passwords for a lot of different actions.
I liked it.
-
Yes, LR's security is excellent nowadays. But that was an experience learned through trial and error.... ;)
-
BTW guys, I highly recommend KeePass software for all your password safekeeping. It can also generate random passwords of desired length and complexity. I use it for all my online accounts, including SL and the Forums! It supports an auto-type feature, so you click on the username input box, then go to KeePass, right click and auto-type, and it will punch your password in for you :)
-
Awesome to see community suggestions being implemented. Makes us feel like we have a voice, and helps the site overall. Win-win :)
Thanks SR!
-
Um, so you need this password to add funds to an account, like if you were to buy bitcoins from btc buddy or sugarmama. Because I totally forgot mine, I hope I'm not fucked. I never planned on transferring funds to anyone else, so I wasn't thinking when I made it :(
-
Well, first off you should contact SR support (use the link on the bottom of any page on the main SR site) and see if you can reset your secondary password, and put it somewhere safe this time!
You don't need it to make purchases or add funds to your account, only to withdraw or transfer them to someone else.
-
Well this is annoying. I didn't know the PIN is my secondary password. Usually a PIN is a set of numbers, I thought, so I didn't even think to try my secondary password. I PMed support asking about it and was told I should have 10 tries before it will reset my PIN. Ok cool, no big deal. I typed in my secondary password and it wouldn't accept it and then said my PIN is reset. What? I tried it 4 times max, and I know what my secondary password is/was. I PMed support again and the response was that it is insecure to change my PIN using my account and I should follow the instructions. Ok, what instructions? My account isn't tied to an email address. Where do I get these instructions? So I PMed staff back yet again.
How annoying this mess is. It really shouldn't say PIN. It should say secondary password or withdrawal password. This whole issue is creating tons of confusion and I don't want to lose my brand new sellers account because of this. Needless to say I'm a bit nervous.
-
Hi everyone,
Long time SR member/user. First time registering on this forum, as this topic is of great interest to me.
As a security expert with over a decade of active experience, I cannot endorse the recommendation of using KeePassX or KeePass enough. Make your KeePass password impossibly strong (mine is over 1,000 characters), and make ALL of your passwords incredibly strong (as strong as each site will allow). This will allow you to make passwords for which you have no connection. Forgetting them is not an issue, since your KeePass database will store them.
For added security, store your password on a different volume (USB drive, perhaps), and duplicate your database across at least one other volume in case something happens to your main drive.
Any questions, feel free to message me on here. Security is something I take very seriously, and I'd genuinely like to help anyone having problems with this. If you need help with setup, or have general questions, fire away.
Thanks,
luvaluva
-
"your PIN has been reset due to too many failed attempts"
WHAT AM I TO DO?
-
"your PIN has been reset due to too many failed attempts"
WHAT AM I TO DO?
It will let you reset it within the next 3 days. If it doesn't then contact staff asking for help.
-
Thanks SR. I have already used this feature and am glad to be a part of such an incredible site.
Bikerbum
-
So, I went to withdraw bitcoins tonight, to send to my dear pal who regularly loans me temp coins (for a fee), since I'm too impatient to wait for the transfer process, and I was prompted to enter my "pin."
I had saved this 2nd pin on a text document on my desktop, and mistakenly deleted it (yes I know, I'm stupid). I vaguely recalled it, yet repeatedly failed to get the password correct. I contacted Support and was told this:
"Sorry but the whole point of the PIN is to prevent someone who gets into your account from withdrawing money, so we can't honor requests for a PIN reset coming from your account. You have about 10 attempts to remember your PIN before it is reset and you are given further instructions."
I was notified the Pin was reset, but I wasn't given any further instructions. I emailed them a few more times and no response yet.
I have notification emails from the sources of my BTC which match exactly the deposit I made today (and the notification emails also match the same day/time) to prove that it's me. I also am putting this out here on the forums, since I have the same username as on SR but a different password, in hopes that they can see the chances of TWO hacked accounts are pretty slight.
I also can answer any questions they would have about my account history, which might not be known to someone who has the present account information. Not sure what else to do. I owe my buddy these bitcoins, and the only thing I can do is make purchases, I can't send him the funds. I emailed him and asked him if he has a seller account, so that I could have him create a dummy listing and I can send them that way. Other than that, I don't know what else to do.
Help, I don't want to look like a scammer to my friend who I owe this money to. I know he won't, since we've had numerous successful deals but still...
-
I don't support theft but honestly the weak will be targeted and the strong will overcome. The same dumb asses that get phished will do some dumb shit that negates any security measure. Some people were made to be victims and taken advantage of, it's sad but it's not something anything can change. The only way a person can evolve from a victim into an informed individual is by changing themselves.
Is a post like this even necessary? Is it helpful? What have you done other than sound like a self-proclaimed elite, arrogant jerk, who, fortunately for the rest of us, don't dominate SR, but do occasionally pop up and make this place extremely unwelcoming and cold.
I've never had an account hacked, never had my identity stolen. I also use extremely cautious and preventative security measures, which I researched on SR. I also offer advice and help to new people on SR, to make this place a pleasant experience. Nothing you have stated adds to any kind of humanity. This place is not just an anonymous place to buy drugs. It's a revolutionary idea that contributes to a new way of thinking. You should reconsider whether or not you belong here, if you have statements like that to make.
Make yourself a New Year's Resolution: before you open your mouth (or in this case, type), ask yourself, "Is it kind? Is it necessary? Is it helpful?"
Good luck.
-
Too many fucken tards on this site. Hopefully this will weed them out.
-
I'm with you keldog....GTFOH
-
So Ima kinda slow but let me get this straight.
If I go to a phishing site - which I won't - and they get my main password, then all they have to do is try to log in to the secondary 10 times and then they get to put in their own new fraudulent pass and steal my coins?
Like I said SR, Ima kinda slow.
Please explain.............
How about pgp verification?
Btw - thanks for resetting mine when either I screwed it up or u guys did.
Still can't figure that one out.
Happy new year;
Christy
-
For the people who keep asking the same questions repeatedly, failing to read the prior posts within this thread and the responses to those posts.
1) The "PIN" which is required ONLY to WITHDRAW funds is the "Second Password" which SR prompted/forced you to create approximately two weeks ago. This wasn't a "choice" which only a few people received. It was obviously an error on SR's part to initially name it a "second password" and then refer to it as "pin" on the withdraw account page. EVERYONE was required to create this, so for the people saying they never did, you were probably too high to remember. You couldn't log on without creating the 2nd password. Period.
2) If you were notified that your pin was "reset" because of the number of failed attempts, then, as far as I'm aware, that's it. You cannot withdraw your funds anymore. Period.
As for the previous douche who referred to the "tards" being weeded out, go pull more money outta mommy and daddy's BAs and buy some shit, instead of doing fuck-all in these forums but polluting it.
Good luck!
-
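The mechanism the thread keeps circling back to (a second password checked only on withdrawals, the roughly ten failed attempts before a reset, and the request that it must differ from the login password) sketched as a small Python model. This is an added example, not Silk Road's code; the Account class, its method names, the PBKDF2 parameters and every sample value are assumptions.

```python
import hashlib
import hmac
import os

# The thread reports "about 10 attempts" before the PIN is reset; modelled as a lockout.
MAX_PIN_ATTEMPTS = 10
PBKDF2_ROUNDS = 100_000  # kept modest so the demo runs quickly


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so neither secret is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account holding separate login and withdrawal secrets."""

    def __init__(self, login_password: str, withdrawal_password: str, balance: float):
        # A withdrawal password identical to the login password would be captured by
        # the same phishing page, so reject it (the check requested in the thread).
        if withdrawal_password == login_password:
            raise ValueError("withdrawal password must differ from the login password")
        self._login_salt = os.urandom(16)
        self._login_hash = _derive(login_password, self._login_salt)
        self._pin_salt = os.urandom(16)
        self._pin_hash = _derive(withdrawal_password, self._pin_salt)
        self.failed_pin_attempts = 0
        self.pin_locked = False  # set on too many failures; cleared only out of band
        self.balance = balance

    def login(self, password: str) -> bool:
        """The main password only opens a session; it never moves funds."""
        return hmac.compare_digest(_derive(password, self._login_salt), self._login_hash)

    def withdraw(self, withdrawal_password: str, amount: float) -> str:
        """The second secret is checked on every withdrawal. Returns an outcome label."""
        if self.pin_locked:
            return "pin_locked"
        if not hmac.compare_digest(_derive(withdrawal_password, self._pin_salt), self._pin_hash):
            self.failed_pin_attempts += 1
            if self.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
                self.pin_locked = True  # no in-session reset, so a phisher cannot set a new PIN
                return "pin_locked"
            return "wrong_pin"
        if amount > self.balance:
            return "insufficient_funds"
        self.balance -= amount
        self.failed_pin_attempts = 0
        return "ok"


def phished_login_scenario(stolen_login_password: str) -> dict:
    """Attacker holds only the login password (all a login-page clone captures)
    and guesses the withdrawal password until lockout. Values are constructed."""
    acct = Account(stolen_login_password, "correct horse battery staple", balance=50.0)
    login_ok = acct.login(stolen_login_password)  # the phished password does log in
    outcomes = [acct.withdraw(f"guess{i}", 50.0) for i in range(MAX_PIN_ATTEMPTS + 1)]
    return {"login_ok": login_ok, "balance": acct.balance,
            "locked": acct.pin_locked, "outcomes": outcomes}
```

The scenario answers the question raised above: after the lockout the balance is untouched and the session cannot choose a new PIN, so the reset has to happen through a channel the phished login alone does not reach.
-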
Thanks for this SR, you are saving many, MANY users.
Would you please consider implementing the buyer feedback system?
I would love to know who has been a problem to other vendors in the past so I can protect myself and ensure my customers will not be dicks to me or try to extort me using the rating system (again). I'm pretty sure every vendor on this site agrees with me on this. We have way more to lose than buyers. We put ourselves on the line with every order we take, I think we deserve to know how our prospective buyers have acted in past transactions. It should only be able to be viewed when a buyer makes an order, just like buyer statistics are now.
I know this still will not keep out all the assholes, but it will certainly help put some of them in check when they know that being an asshole will have an effect on their future transactions.
-
There's some Freeware I use called KeePass
It's a fantastic tiny tiny little application that sits on your desktop, or pendrive and is within itself 1 folder
The app has a master password, once you get in you get a table of passwords for example mine has "Retail" folder "Websites" folder etc.
I have SR in too under a false alias, the app has a password generator which you can set to use various keys and the number of or follow an algorithm
For example here's a 32 key one Se8vLWYgW6tbnX7AsgSPohiEJUS00cC1
And another using special keys JyA,u,6,W0tr\HzF81d&WuHusc*X/eRP
Link to download
KeePass: http://keepass.info/download.html
KeePass portable: http://portableapps.com/apps/utilities/keepass_portable
Hope this helps you fine people :) I've trusted it for a few years now, it's especially good for things like online banking etc. for having really secure passwords.
-
Great job keeping security good on the site! I hope this teaches those phishers a lesson!
-
So, my PIN is reset and now I can't withdraw funds or get in on Anarcho47's direct buy deals?!? RAGE!
-
Please reset my pin!
I don't even want to withdraw funds, just want to place an order.
Thank you!
-
Does the PIN reset go to the email listed or in a private message? I don't want to reset it and have it go to the fake email I listed. Also, I only go on this site sober and I am incredibly meticulous about this stuff, and I don't remember this second password at all..
-
Just explain the situation to SR if you can get in, then be patient, and log in from time to time, and hopefully they will have a reset waiting. Happened to me also, glitch or something, took a couple of days but they set me back up! Long live SR
-
If anyone has had their pin reset and figured out how to actually implement it again could you post how to do it? I've contacted SR after the 7 day grace period and haven't heard back from them. I want my Moneyz >:(