Silk Road forums

Support => Feature requests => Topic started by: jameslink2 on June 08, 2012, 12:37 am

Title: Suggestion for lost password/pin recovery
Post by: jameslink2 on June 08, 2012, 12:37 am
Well, here I go again. Lost my password on my first account, then forgot my PIN for my SR account on my second. Both are my fault: getting set up and not thinking far enough ahead to create an encrypted key file and note the information.

At the moment I am waiting on a reset of my PIN and it got me to thinking. If you had the person register a GPG/PGP key on signup that could not be changed without an extended wait and mod approval, you would have a way to identify users in this situation.

Then when a password or PIN was lost you could simply generate a hash or string and encrypt it with the user's registered public key. The user decrypts it and replies with the correct string.

Any thoughts?
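The challenge-response flow proposed above, written out as an added example (this is not Silk Road's code and not the poster's; it is illustrative only). RSA-OAEP from Go's standard library stands in for the GPG/PGP key the post describes, since the mechanism is the same: the server draws a random nonce, encrypts it to the key registered at signup, and accepts the recovery only if the user sends back the plaintext. Three details the post leaves implicit are made explicit here: the server stores only a hash of the nonce, a challenge is single-use and expires, and the comparison is constant-time. The user name, the TTL and the `account-recovery:` label are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Challenge is the server-side record of one pending recovery. Only a hash of
// the nonce is kept, so reading the server's database does not reveal the answer.
type Challenge struct {
	NonceHash [32]byte
	Expires   time.Time
}

// RecoveryServer holds the public keys registered at signup and the pending
// challenges. The "cannot be changed without an extended wait and mod approval"
// rule from the post is assumed to be enforced elsewhere; it is not modelled here.
type RecoveryServer struct {
	keys    map[string]*rsa.PublicKey
	pending map[string]*Challenge
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewRecoveryServer(now func() time.Time) *RecoveryServer {
	return &RecoveryServer{
		keys:    map[string]*rsa.PublicKey{},
		pending: map[string]*Challenge{},
		now:     now,
	}
}

// Register stores the key a user presents at signup.
func (s *RecoveryServer) Register(user string, pub *rsa.PublicKey) {
	s.keys[user] = pub
}

// label (an assumed constant) binds a ciphertext to this purpose and this user,
// so a challenge issued for one account cannot be presented for another.
func label(user string) []byte { return []byte("account-recovery:" + user) }

// IssueChallenge draws a fresh 256-bit nonce, encrypts it to the registered key
// and returns the ciphertext sent to the user. An earlier pending challenge for
// the same user is replaced.
func (s *RecoveryServer) IssueChallenge(user string, ttl time.Duration) ([]byte, error) {
	pub, ok := s.keys[user]
	if !ok {
		return nil, errors.New("no key registered for user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label(user))
	if err != nil {
		return nil, err
	}
	s.pending[user] = &Challenge{NonceHash: sha256.Sum256(nonce), Expires: s.now().Add(ttl)}
	return ct, nil
}

// Verify checks the decrypted nonce the user sent back. The challenge is
// consumed on the first attempt whether or not it succeeds (single use), it is
// rejected after its TTL, and the hash comparison is constant-time.
func (s *RecoveryServer) Verify(user string, answer []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	if s.now().After(c.Expires) {
		return false
	}
	got := sha256.Sum256(answer)
	return subtle.ConstantTimeCompare(got[:], c.NonceHash[:]) == 1
}

// UserAnswer is the user's side: decrypt the challenge with the private key
// matching the registered public key. A wrong key fails the OAEP integrity check.
func UserAnswer(priv *rsa.PrivateKey, user string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, label(user))
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the user's PGP key pair
	if err != nil {
		panic(err)
	}
	srv := NewRecoveryServer(time.Now)
	srv.Register("alice", &priv.PublicKey) // constructed sample user

	ct, err := srv.IssueChallenge("alice", 15*time.Minute)
	if err != nil {
		panic(err)
	}
	answer, err := UserAnswer(priv, "alice", ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("first answer accepted:   ", srv.Verify("alice", answer)) // true
	fmt.Println("replayed answer accepted:", srv.Verify("alice", answer)) // false
}
```

The point Wazup7 raises later in the thread applies to this design as written: whoever holds the private key can pass the challenge, so the scheme authenticates possession of the key, not the person.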
Title: Re: Suggestion for lost password/pin recovery
Post by: vlad1m1r on June 12, 2012, 12:11 pm
> Well, here I go again. Lost my password on my first account, then forgot my PIN for my SR account on my second. Both are my fault: getting set up and not thinking far enough ahead to create an encrypted key file and note the information.
>
> At the moment I am waiting on a reset of my PIN and it got me to thinking. If you had the person register a GPG/PGP key on signup that could not be changed without an extended wait and mod approval, you would have a way to identify users in this situation.
>
> Then when a password or PIN was lost you could simply generate a hash or string and encrypt it with the user's registered public key. The user decrypts it and replies with the correct string.
>
> Any thoughts?

An interesting notion, but isn't a PIN much easier to set up and use?

V.
Title: Re: Suggestion for lost password/pin recovery
Post by: MojoMan on June 12, 2012, 12:23 pm
I'm not sure how you can forget a single password and a PIN. If you know you aren't good at remembering things there's nothing wrong with writing them down; it's unlikely any LE are going to connect one word and a 4-digit number on some paper to your SR account.
Title: Re: Suggestion for lost password/pin recovery
Post by: Wazup7 on June 12, 2012, 06:49 pm
How about a backup password, in case you forget your primary password? 
How about a (non-identifying) security question/answer? 
How about a second backup password?  .....................

I'm pretty sure this isn't a problem, and doesn't need any kind of solution.

From a security standpoint, if someone gains access to your SR box, then they can easily use your PGP key to reset your password without your knowledge. Whereas they probably won't be able to tell SR admins the necessary identifying information needed to reset a password as it works currently.

Seriously, just don't forget your password. If you forget your password, PM an admin and have it reset. This site introduced the PIN as a security feature, but it can't program for stupid by automating the process of resetting a password. There's no "identity" linked to an account, no place to send an updated password to. And this is how it should be.

I mean, imagine if your favorite vendor "forgot his password", so he couldn't send your product for 10 days. Absolutely ridiculous, right?
Title: Re: Suggestion for lost password/pin recovery
Post by: 09wfh9q2r2qorj on June 15, 2012, 03:57 pm
It would be nice if the PIN system was changed to only affect coins that have been in the account for longer than around 1-3 hours. No hacker is going to camp random accounts with no cash 24/7 in the hopes they'll transfer some in, and it would solve the frustrating problem of depositing coins into your account only to have them immediately frozen for an entire week.

I've seen a lot of posts denigrating such users for being junkies, having no patience etc. but the main issue is the vulnerability to BTC fluctuation. With such a small, unstable currency, having your money tied up for a week can mean you end up with far less than you initially deposited.

One other solution I think would be helpful is the option to tie your SR account to an email address for verification of identity in cases of forgotten passwords or PINs. Clearly one still needs to remember a password, though for semi-rare SR buyers like myself the email account gets a lot more use than the SR account.

Just my two cents
Title: Re: Suggestion for lost password/pin recovery
Post by: jameslink2 on June 15, 2012, 10:18 pm
> I'm not sure how you can forget a single password and a PIN. If you know you aren't good at remembering things there's nothing wrong with writing them down; it's unlikely any LE are going to connect one word and a 4-digit number on some paper to your SR account.

It is not that I am not good at remembering things or that the PIN is hard to remember. It is more along the lines of:

Set up accounts on the SR forum, SR, Tor Mail, GPG, an encrypted pen drive, as well as 7 other sites I will not mention, using a different 10-character complex password for each.

Did not think to write them down; then a couple of days pass, a few smokes, a handful of beers, and I am going "What the fuck did I set the password to?" The only things I could remember were the pen drive, the GPG password, and the Tor Mail password. lol

I changed my method and am using randomly generated passwords based on a random generator that measures the decay of the isotope Am241 and store my password encrypted with GPG on my encrypted pen drive. Now, I only have to remember two passwords.

The random generator is slick: when Am241 decays it releases α-particles. Common CCD image devices like the ones in cheap ball cams can detect them when they hit one of the CCD pixels. By placing a 1024x768 CCD next to it in a sealed box, it will randomly light up one of the pixels. Feed that data into /dev/random and you have a perfect random number generator.
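An added example, not the poster's code, showing the step the post glosses over between "a pixel lights up" and "feed that into /dev/random": raw hit coordinates are not uniform bytes and must be conditioned. The sensor geometry (1024x768) is taken from the post; the conditioner design, the per-hit entropy credit, the domain string and the sample hits are assumptions. One hit on a 786,432-pixel sensor carries at most log2(786432), about 19.58 bits, and only if every pixel is equally likely, so the code credits a configurable amount per hit, hashes the pool with SHA-256 in counter mode, refuses to emit more bits than it has credited, and drains the pool after each output so the same hits never back two outputs.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
)

// Sensor geometry from the post: a 1024x768 CCD next to the Am-241 source.
const sensorW, sensorH = 1024, 768

// Hit is one recorded alpha strike: the coordinates of the pixel that lit up.
type Hit struct{ X, Y uint16 }

// BitsPerHit is the most entropy one hit can carry: log2 of the number of
// pixels, about 19.58 bits, and only if every pixel is equally likely.
func BitsPerHit() float64 { return math.Log2(float64(sensorW * sensorH)) }

// Conditioner collects raw hits and derives uniformly distributed bytes from
// them with SHA-256. It credits creditPerHit bits per hit and never emits more
// output bits than it has credited.
type Conditioner struct {
	creditPerHit float64
	pool         []byte
	hits         int
}

// NewConditioner takes the entropy credited per hit (an operator's estimate).
// Credit above the geometric bound is impossible and is rejected.
func NewConditioner(creditPerHit float64) (*Conditioner, error) {
	if creditPerHit <= 0 || creditPerHit > BitsPerHit() {
		return nil, errors.New("credit per hit must be in (0, log2(pixels)]")
	}
	return &Conditioner{creditPerHit: creditPerHit}, nil
}

// Add appends one hit to the pool; coordinates outside the sensor are rejected.
func (c *Conditioner) Add(h Hit) error {
	if int(h.X) >= sensorW || int(h.Y) >= sensorH {
		return fmt.Errorf("hit (%d,%d) outside %dx%d sensor", h.X, h.Y, sensorW, sensorH)
	}
	var buf [4]byte
	binary.BigEndian.PutUint16(buf[0:2], h.X)
	binary.BigEndian.PutUint16(buf[2:4], h.Y)
	c.pool = append(c.pool, buf[:]...)
	c.hits++
	return nil
}

// Available is how many whole output bytes the credited entropy supports.
func (c *Conditioner) Available() int {
	return int(float64(c.hits)*c.creditPerHit) / 8
}

// Output derives n bytes as SHA-256(domain || counter || pool) blocks, then
// drains the pool so the same hits cannot back a second output.
func (c *Conditioner) Output(n int) ([]byte, error) {
	if n > c.Available() {
		return nil, fmt.Errorf("requested %d bytes but only %d are backed by collected hits", n, c.Available())
	}
	out := make([]byte, 0, n+sha256.Size)
	for ctr := uint32(0); len(out) < n; ctr++ {
		h := sha256.New()
		h.Write([]byte("am241-ccd-conditioner-v1")) // assumed domain string
		var cb [4]byte
		binary.BigEndian.PutUint32(cb[:], ctr)
		h.Write(cb[:])
		h.Write(c.pool)
		out = h.Sum(out)
	}
	c.pool, c.hits = nil, 0
	return out[:n], nil
}

func main() {
	// Crediting only half the geometric bound per hit; a real sensor is never
	// perfectly uniform, so the credit should come from measurement, not assumed.
	c, err := NewConditioner(BitsPerHit() / 2)
	if err != nil {
		panic(err)
	}
	// Constructed sample hits; a real pipeline would read them from the camera.
	for i := 0; i < 30; i++ {
		if err := c.Add(Hit{X: uint16(i*211 % sensorW), Y: uint16(i*97 % sensorH)}); err != nil {
			panic(err)
		}
	}
	fmt.Printf("bits per hit (upper bound): %.2f, bytes available: %d\n", BitsPerHit(), c.Available())
	out, err := c.Output(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("conditioned output:", hex.EncodeToString(out))
}
```

On Linux the conditioned bytes are what you would hand to the kernel. Note that writing them to /dev/random mixes them into the pool but does not credit any entropy; crediting requires the RNDADDENTROPY ioctl on that device, which needs root.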