Password Reset Security Flaw

[Lexia]

I've heard many unpleasant news regarding to the smartphone token, so I'm bit scared to use it.
If you lose your phone you're in totally bad position beyond any help.

That why they give you a emergency removal code so you can remove it if needed.

[mbncd]

They said they didn't have a device that could run the software token so they would need the physical one.

They said a lot of people don't have one, but they also said a lot of people won't use any kind of OTP because it's a hassle. It's unclear exactly what they have or what they're willing to do.

I would not however recommend buying a dongle token over getting any smart phone or iphone released in the last 10 years, for the simple fact that they can easily get one of the latter from a friend or family member for free when they upgrade to a more recent phone, and a phone is more universally useful and harder to lose. (I can't count the number of times I've spent an hour looking for something that fell behind a cupboard or something and wishing I could simply call it to find it...)

[Lexia]

I would not however recommend buying a dongle token over getting any smart phone or iphone released in the last 10 years, for the simple fact that they can easily get one of the latter from a friend or family member for free when they upgrade to a more recent phone, and a phone is more universally useful and harder to lose. (I can't count the number of times I've spent an hour looking for something that fell behind a cupboard or something and wishing I could simply call it to find it...)

I used a physical for long time from when the released in back in 2009 had it attached to my keyring there was no losing that without losing all my keys, leaving it on your desk is like what person below said

I can agree with that. Though that being said, it still would be dumb to have the token on your computer, lol. That is effectively like hiding your spare house key under your doormat. The door is still locked, but..... :P

[UltimateAoe2]

If you indeed lose your phone, you are able to remove the One-Time thingy on your account.
You just require to give exact information regarding the account in question. I've done this before since I restored my iPhone since it was bricked from a update. Derpy me.

[Jamein]

People are throwing out the term hacked a lot, amusingly enough they don't get your passwords by 'hacking' you. 90% of the time people are stupid enough to click those emails that direct you to www.ffxiv.sqaureplexnix.com or whatever and go dump their username and PW into the boxes.

Protect your password.
Be careful what you do and the site you're on.
Don't go opening up every website link on every email.
Use a token for added security.

There is a perfectly safe system in place, if you fail to use it correctly, well then god help you.

Although on that note, SE SHOULD send you an email everytime your password is changed. Most companies do this.

[tocsin]

People are throwing out the term hacked a lot, amusingly enough they don't get your passwords by 'hacking' you. 90% of the time people are stupid enough to click those emails that direct you to www.ffxiv.sqaureplexnix.com or whatever and go dump their username and PW into the boxes.

Protect your password.
Be careful what you do and the site you're on.
Don't go opening up every website link on every email.
Use a token for added security.

There is a perfectly safe system in place, if you fail to use it correctly, well then god help you.

Although on that note, SE SHOULD send you an email everytime your password is changed. Most companies do this.

im afraid to click that link. where does it go?

[Jamein]

im afraid to click that link. where does it go?

I made it up :P it's perfectly safe, just an error server not found.

[mbncd]

[Snip]
Protect your password.
Be careful what you do and the site you're on.
Don't go opening up every website link on every email.
Use a token for added security.

There is a perfectly safe system in place, if you fail to use it correctly, well then god help you.

Although on that note, SE SHOULD send you an email everytime your password is changed. Most companies do this.

All great advice but I just want to add one more:
Use different login details for every site.

If one is compromised, you don't want them all to be. As a teenager, I failed to consider that and when my single password for all sites was used on one that turned out to not be so safe, they went through a lot of the sites I was a member of very, very quickly. I learned that lesson very quickly and have not repeated that mistake in the last 15 years but sooo many people still do...

[Tiggy]

I've heard many unpleasant news regarding to the smartphone token, so I'm bit scared to use it.
If you lose your phone you're in totally bad position beyond any help.

You're given a recovery code that you write down for those moments. It specifically is used to remove the authenticator for moments like that. There's really no good excuse not to protect your account.

[JimboTCB]

I just can't get the software token to register right, I've tried half a dozen times and even gone via the support desk to confirm my personal details on my account are correct, the damn thing just refuses to work.

Keep meaning to get a hardware token, I've had one on my WOW account for years even though I don't play any more, and for me it's much more convenient than a soft token.