Security improvements this weekend

FRISKIE
Posts: 117
Joined: Sun Apr 16, 2017 12:51 pm

Re: Security improvements this weekend

Post by FRISKIE » Thu Jun 01, 2017 1:52 pm

2factor also exposes a lot of personal information in the process... whereas if we can keep it within the cryptocurrency facility itself we retain as much of the anonymity we started with.
Sorry but I absolutely do not agree.
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Security improvements this weekend

Post by GregoryGHarding » Thu Jun 01, 2017 3:04 pm

FRISKIE wrote:
2factor also exposes a lot of personal information in the process... whereas if we can keep it within the cryptocurrency facility itself we retain as much of the anonymity we started with.
Sorry but I absolutely do not agree.
I also do not agree.
If Authy is used as 2FA, you will need to verify the app with your phone number, but your number is in no way connected to Prohashing.
JKDReaper
Posts: 99
Joined: Fri Mar 31, 2017 11:17 am

Re: Security improvements this weekend

Post by JKDReaper » Thu Jun 01, 2017 9:06 pm

If 2FA is delayed behind a reset fix...perhaps add a pin also. BUT...force this pin NOT to allow 1234 and the like. And also add email confirmation. To reset password you would enter the request as well as your pin, then send the email. And you mentioned people's lack of concern/carelessness being an issue...force hard passwords...x number of characters, has to have symbol, number, cap, lower, etc... And it could be forced on current users also. But at a minimum...any future pw should be forced this way...bit of coding, but not that problematic.

Also...maybe add just a simple email confirmation to payout changes, specifically addresses? That would be a quick, short fix perhaps to eliminate that action.

*Edit...I'm in favor of 2FA in long term as well...just a thought on a quick fix or if 2FA isn't an option for whatever reason.

*Edit 2...A friend I'm helping get into the mining/trading/investing was a victim of this recent password issue. Hit 3 of his accounts, fortunately he had just started with small amounts I had given him or through faucets.
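
An added example, not part of the post above and not Prohashing's code: one way to implement the suggested checks, rejecting PINs like 1234, enforcing the password character classes, and gating a password reset or payout address change behind a PIN plus a single-use e-mailed token. The names `pin_is_weak`, `password_problems` and `SensitiveActionGate`, the 12-character minimum and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, re, secrets, time

TOKEN_TTL = 15 * 60  # seconds an e-mailed token stays valid (assumed value)
MIN_LEN = 12         # stands in for the post's "x number of characters" (assumed)

def pin_is_weak(pin):
    """True for non-numeric or short PINs, repeats (0000) and runs (1234, 4321)."""
    if not re.fullmatch(r"\d{4,8}", pin):
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})

def password_problems(pw):
    """Return the list of rules the password fails; empty means acceptable."""
    rules = {f"{MIN_LEN}+ characters": len(pw) >= MIN_LEN,
             "lowercase": re.search(r"[a-z]", pw), "uppercase": re.search(r"[A-Z]", pw),
             "digit": re.search(r"\d", pw), "symbol": re.search(r"[^A-Za-z0-9]", pw)}
    return [name for name, ok in rules.items() if not ok]

def _kdf(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

class SensitiveActionGate:
    """PIN first, then a single-use e-mailed token, for resets or payout changes."""
    def __init__(self):
        self._pins = {}     # user -> (salt, PBKDF2 hash of PIN)
        self._pending = {}  # sha256(token) -> (user, action, expiry)

    def set_pin(self, user, pin):
        if pin_is_weak(pin):
            raise ValueError("PIN is too guessable")
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, _kdf(pin, salt))

    def request(self, user, pin, action, now=None):
        """Return the token to e-mail to the user, or None if the PIN check fails."""
        now = time.time() if now is None else now
        salt, stored = self._pins.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, _kdf(pin, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).digest()] = (user, action, now + TOKEN_TTL)
        return token

    def confirm(self, token, now=None):
        """Consume the token; return (user, action) only if it is unexpired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(hashlib.sha256(token.encode()).digest(), None)
        return entry[:2] if entry and now <= entry[2] else None
```

A short PIN only adds protection if wrong attempts are rate-limited or locked out, which this sketch leaves out.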
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Security improvements this weekend

Post by GregoryGHarding » Thu Jun 01, 2017 9:20 pm

Another option for payout addresses is to give the user the option to lock addresses so they cannot be changed.
CritterDog
Posts: 267
Joined: Tue Feb 23, 2016 11:21 am

Re: Security improvements this weekend

Post by CritterDog » Fri Jun 02, 2017 12:47 am

This seems like a waste of time and I don't think you should be forcing any security upgrade that is not needed for the miners that set up a proper password to begin with.. You could do this. Simply make the password have to have one upper case letter and one special symbol like a # or * character at least one number. Done deal.. :)
FRISKIE
Posts: 117
Joined: Sun Apr 16, 2017 12:51 pm

Re: Security improvements this weekend

Post by FRISKIE » Fri Jun 02, 2017 8:24 am

This seems like a waste of time
Until your PW gets cracked by an algo running on a powerful distributed computing platform ;)

We're talking about money/digital assets here, which definitely means that sooner or later there will be hack attempts, and personally speaking when it's my money at stake I want more than single layer security of a password for protection.
tmopar
Posts: 60
Joined: Sun Apr 16, 2017 1:50 pm

Re: Security improvements this weekend

Post by tmopar » Fri Jun 02, 2017 5:15 pm

2factor simply will not solve a situation where someone has got the same password on multiple accounts or has a compromised phone/machine used for texting and the email or whatever the factors are.

This is why it's the wallet itself that's most important. Other pools already lock the payout addresses and require a signed message to unlock them. I remember the now defunct Eligius was that way back when I mined BTC there years ago.

If the wallet is in cold storage the account is safe.
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Security improvements this weekend

Post by GregoryGHarding » Fri Jun 02, 2017 5:24 pm

The job of Prohashing is not to secure people's phones/wallets, it's to secure their own customers' data/assets while in Prohashing's systems. Outside of Prohashing that's at the discretion of the user. Sounds harsh, but that's business.
tmopar
Posts: 60
Joined: Sun Apr 16, 2017 1:50 pm

Re: Security improvements this weekend

Post by tmopar » Fri Jun 02, 2017 5:32 pm

Further, to the point of 2fa exposing personal information, you must now give up additional pieces of personally identifying information, phone numbers, emails etc. Then you are involving a third party to entrust this information (think data mining your login and usage of the site) to Google, Yahoo, whoever.

You simply have fewer vulnerabilities, fewer points of failure, and fewer privacy liabilities if you keep your wallet in cold storage, setting the payout address automatically locks it and requiring the wallet's involvement only in trusting the user. Keep it simple, keep it as independent as you can.
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Security improvements this weekend

Post by GregoryGHarding » Fri Jun 02, 2017 5:44 pm

tmopar wrote:
Further, to the point of 2fa exposing personal information, you must now give up additional pieces of personally identifying information, phone numbers, emails etc. Then you are involving a third party to entrust this information (think data mining your login and usage of the site) to Google, Yahoo, whoever.

You simply have fewer vulnerabilities, fewer points of failure, and fewer privacy liabilities if you keep your wallet in cold storage, setting the payout address automatically locks it and requiring the wallet's involvement only in trusting the user. Keep it simple, keep it as independent as you can.
I believe this will clear up all your worries about privacy. Be sure to read the detailed breakdown.

https://www.twilio.com/legal/privacy/authy#data_use