The 0.10.1d account changes

"

infected wrote:

~

I see alot of accusations and no proof or sources what so ever

To the Devs.

I log in Path of exile on my home internet and my work internet. The internet at my house is in one state and the internet at my work goes through the headquarters isp Which is in another state, so once I log onto path of exile on the game the account will get locked and I will need to go to my e-mail and get the unlock code to type in and unlock my account.

Sounds good, but the current system does not prevent me from logging onto path of exile website and logging into my account. The problem with this is that I can change the email connected to the account.. So When I do log in on the game I can have any e-mail I want receive that unlock code and then be able to log in on the game and type the code in.

Just a heads up. Hope they can get a fix for this since its a very very easy work around for account security.

Hi there,

My Ip change every day and I already needed to get that unlock code, will I have to do this every day ? :/

Dynamic IP + several locations + one got a load balancer = this is hell. It may be meant well, but I can't play at all at the moment without entering an unlock code. If that even works. I had strings of not being able to log in since it wanted a new one the moment I try to log in after the old one got validated. The longest string was 7 times in a row, at which point I gave up.

This is sick, Everytime I turn off my modem and turn on I have to type my password again, and log into my email to copy and paste the unlock code ...

At least let us choose if we want more security on accounts or not ...

So sad ...

"

UberMey wrote:

This is sick, Everytime I turn off my modem and turn on I have to type my password again, and log into my email to copy and paste the unlock code ...

At least let us choose if we want more security on accounts or not ...

So sad ...

This would be an option if we lived in a world of responsible adults who understand that account security is primarily their responsibility.


Alas, we live in a world where the overwhelming number of people can not even be bothered to think up new passwords (let alone remember them) for most of the sites they frequent. They go with the 'one account information fits all!' approach and think "I'm too smart to be hacked. This only happens to dumb people. I am not dumb." and when they do get 'hacked', they scream bloody murder and how it was not their fault because for them, account security issues happen to other people and CS is solely responsible for keeping their account safe.


And now imagine giving those people options of putting up with less hassle when logging in and out.
Sure, a handful of people will use them responsibly. But they weren't the problem even before those 'counter measures'. The vast majority of users however will disable the security systems for ease of use and then complain "I was HACKED! DO SOMETHING, YOUR SECURITY IS SH!T!!!!!!".


Yeah, I use a dynamic IP as well, it's pretty standard in my country (you get assigned a new IP every 24 hours). Yeah, it sucked in Rift, it sucks in PoE.
But I can live with it, and there simply is no other viable way of keeping idiots from hurting themselves.

"

Avireyn wrote:

I think maybe a quick guide to password security would be a big help for the 'average player'.


Everyone working in customer support knows the real question isn't "Does this password have enough entropy?" Or "Is is sufficiently save against dictionary attacks? Against brute forcing?"

It's "why did this lazy bum use 'mypass' or "1234" and the same account name/e-mail for so many of his/her accounts?"
Because like Chris said: The 'hacked' accounts were not 'hacked', they had been compromised beforehand, and the compromised info had been used again. The EXACT same thing happened (together with a very real security hole) at the beginning with Rift. A lot of players just used the same email-and-password combo they had used for WoW and WoW-related sites, and were consequently 'hacked' because that information was already known to the people making a lot of money with this kind of thing.


We're lazy flubbers. We do things with the least amount of effort we feel is warranted. Which means the one thing that would probably help best in the long run is making the average Joe aware that he's gotta care for his passwords and login information. That he really HAS to have unique login info for each service that requires it. That "123456", "password", "abc123", "qwerty" and "letmein" REALLY are NOT. FREAKING. ACCEPTABLE. as passwords.


Personally, I use passwords that are easy (for me, who else cares?) to remember, offer a lot of entropy, are reasonably secure against dict attacks, and that I can generate in the hundreds if necessary.

And I have a few other 'safeguards' in place as well. Making a game out of my account security is surprisingly fun.

My password uses caps numbers letters and a few sites even an alt code in it. I fail to see how my account was compromised before the patch. And Im going to bet that a lot of other people dont use 12345 or admin as their passwords either.

"

Avireyn wrote:

This would be an option if we lived in a world of responsible adults who understand that account security is primarily their responsibility.


Alas, we live in a world where the overwhelming number of people can not even be bothered to think up new passwords (let alone remember them) for most of the sites they frequent. They go with the 'one account information fits all!' approach and think "I'm too smart to be hacked. This only happens to dumb people. I am not dumb." and when they do get 'hacked', they scream bloody murder and how it was not their fault because for them, account security issues happen to other people and CS is solely responsible for keeping their account safe.


And now imagine giving those people options of putting up with less hassle when logging in and out.
Sure, a handful of people will use them responsibly. But they weren't the problem even before those 'counter measures'. The vast majority of users however will disable the security systems for ease of use and then complain "I was HACKED! DO SOMETHING, YOUR SECURITY IS SH!T!!!!!!".


Yeah, I use a dynamic IP as well, it's pretty standard in my country (you get assigned a new IP every 24 hours). Yeah, it sucked in Rift, it sucks in PoE.
But I can live with it, and there simply is no other viable way of keeping idiots from hurting themselves.

I didnt meant to sound rage or something like that ...

And, I was not looking at this way that ppls was complaining to devs about security, maybe because I was not reading all the post on this thread ... you got a point and yeah I have to agree with you ... of course we can live with it, and if this will help ggg then I am ok with it

"

Riney wrote:

My password uses caps numbers letters and a few sites even an alt code in it. I fail to see how my account was compromised before the patch. And Im going to bet that a lot of other people dont use 12345 or admin as their passwords either.

Perhaps because you used the password on another site or service as well? Perhaps because you don't use adblock and noscript addons? Perhaps because you didn't set up your browser correctly? Perhaps because you didn't patch your JavaScript? Perhaps you ran software with malicious code in it? Perhaps because you input your password on a public machine (i.e. ANY machine not your own)? Perhaps you shared your account info with a good friend and he did any of the above?
There are a thousand and one ways to get people's account information. Really cracking a password is the least of your worries.

The operative phrase in your statement is "I fail to see": Just because you fail to see does not mean there is nothing to see. Just that it is not apparent to you.


Let's be frank: The people using "1234" and "letmein" as password are the dumbest of the dumb. Or just really uncaring and clueless about security. And I chose these passwords specifically to demonstrate how many of those truly epically unconcerned people there are. Go and do a search about what the most common passwords are. Not the most easily guessed. The ones used by the most people. Compare them with my little selection.

"But I didn't use "1234" as my password! I did everything I could! I used numbers, capitalization, special code, it's got entropy AND can cook dinner". This is how your comment reads. If you do have additional measures in place, and heeded every bit of security advice you could find, kudos to you.
In any case: Choosing a password that is hard to brute force is a good first step, but if it is your only step you need not have bothered. Most passwords nowadays are not bruteforced.

And this is why I suggested GGG should be doing a prominent article/section about account security. That there is more to it than a password that looks like a hurricane had mated with a keyboard.


In closing, let me share an old adage about digital security: "A system is considered secure if the effort of cracking it exceeds the effort of securing it" (i.e. if there is no net gain for the cracker). It basically states that you never truly are secure. But the more hurdles you design to keep your account safe, the smaller the risk that your security is breached.

On the other hand: The more valuable the account is, the more in danger of your security being breached your account is. And gaming accounts tend to be high-ish on that list because of all those people willing to pay real money for in-game goods, meaning that for the people doing the hacking, there is real money to be made.

"

UberMey wrote:

I didnt meant to sound rage or something like that ...

You didn't. A bit exasperated maybe, but understandably so.

"

UberMey wrote:

And, I was not looking at this way that ppls was complaining to devs about security, maybe because I was not reading all the post on this thread ... you got a point and yeah I have to agree with you ... of course we can live with it, and if this will help ggg then I am ok with it

Thanks :-)

It helps me that I do have a background in Customer Service. It offers a new perspective when I see such measures - if you look through their eyes, they simply often cannot do it any other way without going crazy.