Disable recovery account change if password changed within 30 days
utopian-io·@guiltyparties·
#### Proposal

Hackers have been attempting to figure out how to change the recovery account on phished accounts for some time and have finally succeeded. The recovery accounts of these phished accounts are being set to accounts owned by the hackers. Once the recovery account is changed, the user cannot recover the account.

#### Solution

Changing the recovery account should be disabled for a period of 30 days following a password change, i.e.:

- Password changed on day 1.
- Change of recovery account possible after day 31.
- Days 1-30: no change permitted.

#### Benefits

This would prevent hackers from changing the recovery account and locking users out within the password recovery period (30 days) / recovery account change period (30 days).

#### Mockups / Examples

From [source](https://github.com/steemit/steem/blob/master/libraries/chain/steem_evaluator.cpp):

```cpp
if ( account_to_recover.recovery_account.length() )   // Make sure recovery matches expected recovery account
   FC_ASSERT( account_to_recover.recovery_account == o.recovery_account, "Cannot recover an account that does not have you as there recovery partner." );
else                                                  // Empty string recovery account defaults to top witness
   FC_ASSERT( _db.get_index< witness_index >().indices().get< by_vote_name >().begin()->owner == o.recovery_account, "Top witness must recover an account with no recovery partner." );
```

_steem assert exception:account_to_recover.recovery_account == o.recovery_account: cannot recover an account that does not have you as there recovery partner._

User @ximeta is a phishing victim whose account is now irretrievable. Its recovery account has been set to @receive.steem, the hacker.
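The rule proposed under Solution, sketched as a stand-alone model. This is an added example, not Steem code: `Account`, `change_recovery_account`, `phished_account_attempt`, the account names and the timestamp are all hypothetical or constructed, and the day boundary (days 1-30 rejected, day 31 onward allowed) is one reading of the proposal's wording.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical model of the proposed rule; not Steem's account_object or evaluator.
constexpr std::int64_t kSecondsPerDay = 24 * 60 * 60;
constexpr std::int64_t kLockDays = 30;  // the proposal's 30-day window

struct Account {
    std::string recovery_account;
    bool password_ever_changed;
    std::int64_t password_changed_at;  // Unix seconds, valid only if the flag is set
};

enum class ChangeResult { Applied, RejectedLocked };

// Proposal's numbering: the day of the password change is day 1.
std::int64_t day_number(std::int64_t changed_at, std::int64_t now) {
    return (now - changed_at) / kSecondsPerDay + 1;
}

// Applies the change only when the account is outside the lock window.
ChangeResult change_recovery_account(Account& acct, const std::string& new_recovery,
                                     std::int64_t now) {
    if (acct.password_ever_changed) {
        // Fail closed on a change time in the future, then enforce days 1-30.
        if (now < acct.password_changed_at ||
            day_number(acct.password_changed_at, now) <= kLockDays)
            return ChangeResult::RejectedLocked;
    }
    acct.recovery_account = new_recovery;
    return ChangeResult::Applied;
}

// Constructed timeline: a phished account's password is changed at t0, then
// the new key holder requests a recovery-account change `days_later` days on.
ChangeResult phished_account_attempt(std::int64_t days_later, std::string* final_recovery) {
    const std::int64_t t0 = 1500000000;  // constructed timestamp
    Account victim{"trusted-partner", false, 0};
    victim.password_ever_changed = true;
    victim.password_changed_at = t0;
    ChangeResult r = change_recovery_account(victim, "attacker-owned",
                                             t0 + days_later * kSecondsPerDay);
    if (final_recovery) *final_recovery = victim.recovery_account;
    return r;
}

int main() {
    std::string rec;
    bool locked = phished_account_attempt(0, &rec) == ChangeResult::RejectedLocked;
    std::cout << "day 1: " << (locked ? "rejected" : "applied") << ", recovery=" << rec << "\n";
}
```

In this model the request is refused on days 1-30 and accepted from day 31, so the rule protects an owner only if recovery is started inside the 30-day password recovery period the post refers to.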