The 0.10.1d account changes
...
So I tried my password now after update. Doesn't work. I hope patch didn't mess up something. Now waiting for reset email. Annoying... |
|
I think maybe a quick guide to password security would be a big help for the 'average player'.
Everyone working in customer support knows the real question isn't "Does this password have enough entropy?" Or "Is it sufficiently safe against dictionary attacks? Against brute forcing?" It's "why did this lazy bum use "mypass" or "1234" and the same account name/e-mail for so many of his/her accounts?"
Because like Chris said: The 'hacked' accounts were not 'hacked', they had been compromised beforehand, and the compromised info had been used again. The EXACT same thing happened (together with a very real security hole) at the beginning with Rift. A lot of players just used the same email-and-password combo they had used for WoW and WoW-related sites, and were consequently 'hacked' because that information was already known to the people making a lot of money with this kind of thing.
We're lazy flubbers. We do things with the least amount of effort we feel is warranted. Which means the one thing that would probably help best in the long run is making the average Joe aware that he's gotta care for his passwords and login information. That he really HAS to have unique login info for each service that requires it. That "123456", "password", "abc123", "qwerty" and "letmein" REALLY are NOT. FREAKING. ACCEPTABLE. as passwords.
Personally, I use passwords that are easy (for me, who else cares?) to remember, offer a lot of entropy, are reasonably secure against dict attacks, and that I can generate in the hundreds if necessary. And I have a few other 'safeguards' in place as well. Making a game out of my account security is surprisingly fun.
12/12/12 - the day Germany decided boys are not quite human.
Last edited by Avireyn#0756 on Feb 22, 2013, 6:48:47 PM
|
|
So we're not going to get our stuff back?
|
|
Pfff I got hacked 24 hours before this patch came out.. just my luck. However, great job to GGG with the new security measures. Try to use unique passwords for every game. You can store them in a free program called KeePass. It works with 1 master PW and the file is encrypted. Also as of today I'm running an anti-keylogger.
Thanks GGG for making this game more secure.
IGN: CC_Brutality
|
|
Chris, Thank you.
As a token of appreciation for your team's hard work in understanding how dupe items hurt, and being willing to fix it, I'm going to buy some more tokens right now to support you guys, even though there's nothing I want to buy (right now) in the micro-transactions store. |
|
Another idea: like with home networks, the game could force you to "register" another location through email, and then it would know that it was still *you* logging in, whether you were in either city. It remembers the one, so why not know in advance that either location is still home?
Wondering how hard this is going to be, in a couple days' time, when I'm back home again, and try to log into the game. This is bound to happen twice a week, and maybe that won't be such a big hassle, actually. But maybe it will, depending on how they go about this.
PS: I'm not trying to diminish their efforts here; they're very needed changes and kudos to GGG for implementing them. I'm just looking at the downside, and trying to see if that can be minimized before a massive headache ensues for all of us who reside in a couple different places. They're not all that far apart, but still, it'll probably trigger an account hold.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
|
|
not like i log poe from any other location anyway, good idea to location lock
State of Beyond Mechanic: https://www.pathofexile.com/forum/view-thread/3568084
State of Blight Mechanic: https://www.pathofexile.com/forum/view-thread/3568078
State of Harbinger Mechanic: https://www.pathofexile.com/forum/view-thread/3568062 |
|
with the implementation of 10.1d GGG introduced a flaw that allowed hackers to login to your account if you hadn't logged in to the game since the patch.
the hacker was able to login without having to verify through email what city/ip/region they were from. because this new patch was "trying" to implement some new security features, but since GGG implemented them incorrectly, it caused many people to get hacked today and lose all their valuable orbs and items.
see, GGG should have forced everyone, i mean everyone, to verify through email before being able to login after the release of the 10.1d patch. but GGG failed to do so. the flaw was that instead, GGG took it on faith that whoever logs in first to your account, that ip/city/region will be put on record as the account owner's location, and only after this will logins be subjected to this new security check. it was a bonehead move, and the hackers exploited it, and many people got hacked today.
do you know how frustrating it is to hear this happen? "new patch to implement new security features" then you try to login and it says you can't til you check your email. and the email says your ip is from a new city that GGG doesn't have on file! i've been playing this game for MONTHS from this location GGG. you screwed up!
as for how the hackers obtained the passwords, that's a whole separate issue, but let me just be clear, the accounts that got hacked today would not have been compromised if GGG had properly implemented the patch. it is likely the accounts that got hacked were part of a database of accounts that the hackers have been sitting on. far less likely that the passwords were brute forced one at a time. likely, the hacked account details came from a game forum - maybe they came from this very website being compromised. this website has been up over a year, and is just NOW deciding some more security would be the smart thing to implement... as far as i'm concerned my money is on this whole website being compromised.
Last edited by infected#4738 on Feb 23, 2013, 12:42:30 AM
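The first-login enrollment behaviour described in the post above, next to a version that requires e-mail verification before any location is recorded and that accepts several registered locations, as suggested earlier in the thread. This is an added example, not GGG's code or any poster's; the `Account` class, the function names and the city names are hypothetical, and the password check is assumed to have already passed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    known_locations: set = field(default_factory=set)   # verified cities
    pending: dict = field(default_factory=dict)         # location -> e-mailed token

def login_first_use(acct, location):
    """Behaviour the post describes: the first login after the patch is trusted."""
    if not acct.known_locations:
        acct.known_locations.add(location)   # whoever arrives first becomes "home"
        return "allowed"
    return "allowed" if location in acct.known_locations else "verify_email"

def login_verified(acct, location):
    """Hardened: an empty location list is treated like any unknown location."""
    if location in acct.known_locations:
        return "allowed"
    # The token goes to the account's registered e-mail, never to the client.
    acct.pending[location] = secrets.token_urlsafe(16)
    return "verify_email"

def confirm_location(acct, location, token):
    """Register a location once the e-mailed token is presented."""
    expected = acct.pending.get(location)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del acct.pending[location]
    acct.known_locations.add(location)   # several locations may be registered
    return True

def demo():
    # Constructed scenario: the correct password is presented from two cities.
    flawed, fixed = Account(), Account()
    results = {
        "flawed_stranger": login_first_use(flawed, "CityX"),
        "flawed_owner": login_first_use(flawed, "HomeCity"),
        "fixed_stranger": login_verified(fixed, "CityX"),
        "fixed_owner_first": login_verified(fixed, "HomeCity"),
    }
    # Only the owner can read the mailbox, so only the owner holds the token.
    confirm_location(fixed, "HomeCity", fixed.pending["HomeCity"])
    results["fixed_owner_after"] = login_verified(fixed, "HomeCity")
    return results

if __name__ == "__main__":
    print(demo())
```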
|
|
The password security was indeed a very good addition. Good job guys.
Don't fool yourself exile... your end is just around the corner!
|
|
" I fucking knew it. If we're not going to get our stuff back, are we at least going to get an admission and apology? |
|