Maybe I'm being freaky because my Bitcointalk account got hacked a while back and they changed the email address associated with my account, effectively "stealing" it. But it occurred to me that Narrative accounts could be similarly hacked and stolen this way. And don't tell me to choose a strong password because even the strongest password can be cracked.

Hi,

Unfortunately, doing so would lock out the many many users that have legitimate reasons for changing their email address.  

But yes, I am going to tell you to make sure that you choose a strong password.  Sure, a very strong password can be broken, but if someone were to try to run a dictionary or brute-force attack against our site and you had a very strong password, then it would take them years to break it.

If we prevent email address changes we will effectively lock out any person that moves to a different ISP, different job, from hotmail to gmail, from yahoo to gmail, or anything of that nature. They would never again receive a notification or be able to retrieve or reset a lost password.

Worse, if someone leaves a job and loses access to an email address, and that address is routed to someone else in the company that they worked for?  That new person is now receiving the Narrative email.

Isn't the generally accepted solution to have a security challenge when trying to change the account's email?  Something that sends an email, or SMS with a code or link that needs to be entered or clicked before one can proceed?  That seems to be pretty effective.

I also think I remember Narrative mentioning that Two-Factor Authentication was something Narrative was going to implement in the future.  That would be enough for me...

2FA might work, but also, there should be a way to restore an account to its original owner if it can be established that it got hacked and the email was changed. (I don't recommend using SMS for 2FA because I've heard of "SIM Swap" cases where somebody could access their victim's accounts just by pretending to be a cell phone service provider's customers and arranging to swap out the SIM card on their phone.)

OK, that makes sense. Like I said, that was probably just me being freaky. But maybe one thing that you could do is that if somebody wants to change their email address, first they have to confirm that that's what they want to do by getting into their original email and clicking on a link that was emailed to them. Or if they didn't request that change, they can send a "bogus login" report so that the staff can help them lock it down somehow. (Would blocking logins from a specific IP address or IP address range if account hacking attempts are detected help? Or maybe freeze logins for 15 or 30 minutes if there are X number of unsuccessful login attempts made?)
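The two mechanisms discussed in this thread, a confirmation link sent to the account's current address before an email change takes effect (with an undo link mailed to the old address afterwards, so a hijacked change can be reversed by the original owner) and a temporary login freeze after repeated failed attempts, as an added example. This is illustrative code written for this page, not Narrative's implementation; the time limits, the in-memory stores, the `outbox` list standing in for mail delivery, and all function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not Narrative's settings.
CONFIRM_TTL = 60 * 60             # confirmation link valid for 1 hour
REVERT_WINDOW = 7 * 24 * 60 * 60  # old address can undo the change for 7 days
MAX_FAILURES = 5                  # failed logins before a freeze
LOCKOUT_SECONDS = 15 * 60         # length of the freeze


def _h(token: str) -> str:
    """Store only a hash of each token so a database dump does not leak live links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    pending: dict = field(default_factory=dict)  # token hash -> (new_email, expires_at)
    revert: dict = field(default_factory=dict)   # token hash -> (old_email, expires_at)
    failures: int = 0
    locked_until: float = 0.0


outbox: list = []  # (recipient, subject, token); stands in for real mail delivery


def _send(to: str, subject: str, token: str) -> None:
    outbox.append((to, subject, token))


def request_email_change(acct: Account, new_email: str, now: float) -> str:
    """Step 1: the link goes to the CURRENT address, so whoever controls the
    existing inbox (not the hijacker's new one) has to approve the change."""
    token = secrets.token_urlsafe(32)
    acct.pending[_h(token)] = (new_email, now + CONFIRM_TTL)
    _send(acct.email, "Confirm your email address change", token)
    return token


def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Step 2: single-use, time-limited confirmation. On success, mail an undo
    link to the OLD address so a change the owner did not make can be reversed."""
    entry = acct.pending.pop(_h(token), None)  # pop makes the token single-use
    if entry is None:
        return False
    new_email, expires_at = entry
    if now > expires_at:
        return False
    old_email, acct.email = acct.email, new_email
    undo = secrets.token_urlsafe(32)
    acct.revert[_h(undo)] = (old_email, now + REVERT_WINDOW)
    _send(old_email, "Your email was changed; click to undo if this wasn't you", undo)
    return True


def revert_email_change(acct: Account, token: str, now: float) -> bool:
    """Undo path: restores the old address and cancels anything still pending.
    A real deployment would also end all sessions and force a password reset."""
    entry = acct.revert.pop(_h(token), None)
    if entry is None:
        return False
    old_email, expires_at = entry
    if now > expires_at:
        return False
    acct.email = old_email
    acct.pending.clear()
    acct.revert.clear()
    return True


def check_login(acct: Account, password_ok: bool, now: float) -> str:
    """Failed-login freeze: after MAX_FAILURES wrong passwords the account
    refuses logins (even with the right password) for LOCKOUT_SECONDS.
    Keyed on the account rather than the source IP, because an attacker
    rotating through proxies would otherwise never hit a per-IP limit."""
    if now < acct.locked_until:
        return "locked"
    if password_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"
```

Two caveats a practitioner would add: a per-account freeze can itself be abused to lock a victim out by deliberately failing their login, so in practice it is combined with per-IP throttling and a CAPTCHA rather than used alone; and the undo link only helps if the old mailbox is still readable, which is exactly the case the staff-assisted recovery path suggested above has to cover.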

Can you repost this please, as a suggestion in our ticket system so that it doesn't get lost/buried?  

Just click Post, then Support ticket. And choose Suggestion as the topic type.  There's no guarantee we will implement it, or if we do, in the exact form as posted, but it makes it a lot easier for us to track good suggestions and ideas when they are entered into the system this way.  It really helps.

Thanks!

David Dreezer posted:

Can you repost this please, as a suggestion in our ticket system so that it doesn't get lost/buried?  

Just click Post, then Support ticket. And choose Suggestion as the topic type.  There's no guarantee we will implement it, or if we do, in the exact form as posted, but it makes it a lot easier for us to track good suggestions and ideas when they are entered into the system this way.  It really helps.

Thanks!

Done.
