Potential User Data Breach

"
sarannah101 wrote:
I have posted this in the feedback forum before, but will post this again here:

Could we please get a 2nd password for our accounts, which is needed to access our items (stash/inventory/equipped gear)?
This is how I envision it to work: After logging in like we do now, the first time you try to pick up an item in your inventory, equipped items or stash you will be prompted for this password. This password could be a simple 4 or 5 digit code. This password would only have to be used once per log-in, and the account would auto log-off after three failed attempts in a row. This means that even if your account were somehow brute-forced, your items would still be safe.

The advantage is that your items are always safe, even if your account does get hacked. The disadvantage would be people forgetting their 2nd password and mailing GGG for this.

I've actually used this type of system in another mmo I used to play, and it worked great.

Would this 2nd password be something GGG could take a look at?


+ hacker would have to brute-force 2 passwords

- user experience when trying out the game (even if it seems minor to type in 2 passwords)
- as you mentioned bigger workload for support
- remembering 2 passwords
- always having to type this password after every login (that's an absolute killer, user-experience wise)

I think the negatives outweigh the positives, but maybe I'm just negative.
You have to remember to chase and catch your dreams, because if you don't, your imagination will live in empty spaces, and that's nowhere land.
Last edited by stevich#7229 on Mar 28, 2017, 6:03:41 PM
Just want to +1 this thread for the upfront and honest communication from GGG. They have again proven why they continually set the bar for other development teams in this industry.

Since March 13 my friend has had problems accessing his account; he always got a message that someone had connected from another place. He changed the password after he got 3 errors like this. Now we know why it occurred. BTW, his password was 1234567 :D
My Online Stream: https://twitch.tv/pibadi
My YouTube: https://youtube.com/pibadi
thanks for the update ;)
Ingame: Snoxz

My Shop: http://www.pathofexile.com/forum/view-thread/245436
"
stevich wrote:
"
sarannah101 wrote:
I have posted this in the feedback forum before, but will post this again here:

Could we please get a 2nd password for our accounts, which is needed to access our items (stash/inventory/equipped gear)?
This is how I envision it to work: After logging in like we do now, the first time you try to pick up an item in your inventory, equipped items or stash you will be prompted for this password. This password could be a simple 4 or 5 digit code. This password would only have to be used once per log-in, and the account would auto log-off after three failed attempts in a row. This means that even if your account were somehow brute-forced, your items would still be safe.

The advantage is that your items are always safe, even if your account does get hacked. The disadvantage would be people forgetting their 2nd password and mailing GGG for this.

I've actually used this type of system in another mmo I used to play, and it worked great.

Would this 2nd password be something GGG could take a look at?


+ hacker would have to brute-force 2 passwords

- user experience when trying out the game (even if it seems minor to type in 2 passwords)
- as you mentioned bigger workload for support
- remembering 2 passwords
- always having to type this password after every login (that's an absolute killer, user-experience wise)

I think the negatives outweigh the positives, but maybe I'm just negative.

- user experience when trying out the game (even if it seems minor to type in 2 passwords)
Well, the 2nd password would have to be created. But this only happens once.

- as you mentioned bigger workload for support
Nothing to be done about this.

- remembering 2 passwords
Yes, but the 2nd password isn't a real password, it would only be a 4 or 5 digit code. Which will usually be something players can easily remember.

- always having to type this password after every login (that's an absolute killer, user-experience wise)
Having to type this password once after every log-in isn't a huge deal in my opinion. Try to keep track of how often you log in/out. Maybe once every 3-5 hours, unless you happen to crash. Keep in mind though, you could play the game without even letting the game prompt you for the 2nd password, by not accessing your stash/inventory/equipped items. Of course, when your inventory fills up, eventually you'd have to let it prompt you when you need to sell stuff from your inventory.

You are correct with your downsides though, so awesome feedback. Personally, I think the pros heavily outweigh the cons.
The true realistic cons for the player are having to create this code, remembering it, and typing it once every play session (usually at the very beginning).
Last edited by sarannah101#2551 on Mar 28, 2017, 6:22:16 PM
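To make the proposal above concrete, here is a server-side sketch of the item PIN gate, written as an added example for this thread; it is not code from Path of Exile or GGG. The three-failure threshold comes from the proposal; the PBKDF2 work factor, the cool-down period, the record layout and all function names are assumptions made for the example. One design choice worth noting: the failure counter lives on the account record rather than on the session, because a per-session counter would restart with every new login.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# MAX_FAILURES is the threshold from the proposal; the other two values are
# assumptions made for this example, not anything the game implements.
MAX_FAILURES = 3          # three wrong PINs in a row end the session
LOCK_SECONDS = 15 * 60    # assumption: cool-down before the PIN may be tried again
PIN_ITERATIONS = 50_000   # assumption: PBKDF2 work factor for the stored PIN


@dataclass
class Account:
    """Persisted account record: the PIN is stored only as a salted PBKDF2 hash."""
    name: str
    pin_salt: bytes
    pin_hash: bytes
    pin_failures: int = 0          # kept on the account, not the session
    pin_locked_until: float = 0.0  # unix timestamp; 0.0 means not locked


@dataclass
class Session:
    """One login. items_unlocked flips to True once per login, as proposed."""
    account: Account
    logged_in: bool = True
    items_unlocked: bool = False


def _derive_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PIN_ITERATIONS)


def set_item_pin(name: str, pin: str) -> Account:
    """Create an account with a 4- or 5-digit item PIN, per the proposal."""
    if not (pin.isdigit() and 4 <= len(pin) <= 5):
        raise ValueError("item PIN must be 4 or 5 digits")
    salt = os.urandom(16)
    return Account(name=name, pin_salt=salt, pin_hash=_derive_pin(pin, salt))


def login(account: Account) -> Session:
    """The normal password login has already succeeded; items stay locked."""
    return Session(account=account)


def unlock_items(session: Session, pin: str, now: float) -> bool:
    """Gate for stash/inventory/equipped gear. Returns True when items are unlocked."""
    acct = session.account
    if not session.logged_in:
        return False
    if session.items_unlocked:
        return True                       # only asked once per login
    if now < acct.pin_locked_until:
        return False                      # cooling down; the attempt is not counted
    if hmac.compare_digest(_derive_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.pin_failures = 0
        session.items_unlocked = True
        return True
    acct.pin_failures += 1
    if acct.pin_failures >= MAX_FAILURES:
        # Three failures in a row: log the session off and start the cool-down.
        acct.pin_failures = 0
        acct.pin_locked_until = now + LOCK_SECONDS
        session.logged_in = False
        session.items_unlocked = False
    return False


def access_stash(session: Session) -> bool:
    """What every item-moving action checks before touching the account's items."""
    return session.logged_in and session.items_unlocked


if __name__ == "__main__":
    acct = set_item_pin("exile", "4821")  # constructed sample account
    s = login(acct)
    for guess in ("0000", "0001", "0002"):
        print(guess, unlock_items(s, guess, now=0.0), "logged_in:", s.logged_in)
    s = login(acct)
    print("right PIN after cool-down:", unlock_items(s, "4821", now=LOCK_SECONDS + 1.0))
```

The `now` parameter is passed in rather than read from the clock so the lockout logic can be tested deterministically; a real service would pass `time.time()`.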
Could you clarify which hash you're using? There's a huge difference between:

1) Bulletproof ones like BCrypt or PBKDF2 that make cracking even stupid passwords difficult.
2) Older ones that are still reasonable as long as a salt and non-stupid password are used like the various SHA-2 hashes (SHA-224/256/384/512). Although if you're using one of these, you really should plan to upgrade to BCrypt/PBKDF2 at some point in the reasonably near future.
3) Something completely obsolete like MD5 or SHA-1.

For the peanut gallery: Based on when it was started, I'd assume that POE is using an SHA-2 hash at a minimum. And courtesy of The Guardian, a general interest article about password storage for anyone who wants to have some idea what I was talking about.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
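The post above distinguishes a slow, salted scheme like PBKDF2 from a single salted SHA-2 hash and recommends upgrading. The following is an added example, not GGG's code and not anything the thread says the game does, showing both record formats, constant-time verification of either, and the usual transparent upgrade on a successful login. The record layout, the iteration count and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumption; tune so one hash costs ~100 ms on your servers


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Category 1 in the post. Assumed record format: pbkdf2_sha256$iter$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def hash_password_legacy(password: str, salt: Optional[bytes] = None) -> str:
    """Category 2: a single salted SHA-256. One cheap hash per guess, so worth upgrading."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return f"sha256${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Verify against either record format, always with a constant-time comparison."""
    scheme, *fields = record.split("$")
    if scheme == "pbkdf2_sha256":
        iterations, salt_b64, hash_b64 = fields
        expected = base64.b64decode(hash_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     base64.b64decode(salt_b64), int(iterations),
                                     dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    if scheme == "sha256":
        salt_b64, hash_b64 = fields
        actual = hashlib.sha256(base64.b64decode(salt_b64) + password.encode("utf-8")).digest()
        return hmac.compare_digest(actual, base64.b64decode(hash_b64))
    raise ValueError(f"unsupported hash scheme: {scheme!r}")


def needs_rehash(record: str) -> bool:
    """True for legacy records and for PBKDF2 records below the current work factor."""
    scheme, *fields = record.split("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(fields[0]) < PBKDF2_ITERATIONS


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Login path: on success, move old records to PBKDF2 without bothering the user.
    Returns (ok, record_to_store); the caller persists the record when it changed."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password_pbkdf2(password)
    return True, record


def seconds_per_hash(fn: Callable[[str], str], password: str = "correct horse battery staple") -> float:
    """Rough cost of one hash under a scheme; this gap is what slows down guessing."""
    start = time.perf_counter()
    fn(password)
    return time.perf_counter() - start


if __name__ == "__main__":
    old = hash_password_legacy("1234567")          # the weak password mentioned in the thread
    ok, new = verify_and_upgrade("1234567", old)
    print("login ok:", ok, "| upgraded:", new.startswith("pbkdf2_sha256$"))
    print("legacy sha256: %.6f s" % seconds_per_hash(hash_password_legacy))
    print("pbkdf2_sha256: %.6f s" % seconds_per_hash(hash_password_pbkdf2))
```

The upgrade only happens at login because the plaintext is only available then; records of users who never log in again stay in the old format, which is why a migration deadline is usually paired with a forced reset for dormant accounts.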
Thanks for the Info
Thank you for being so transparent, GGG :) changed my password instantly and hope nothing has actually happened!
Did the hackers just steal the exalt recipe and fishing secrets?
What the hell is with all the "Thank you"? They got hacked, there is a slim chance that some/most/all personal info in between those dates got jacked, and you are thanking them?
For what? Being transparent? It's not transparency, it's common sense, and I do believe that in certain regions it's a requirement that if any and/or all private user-end information has been or might have been compromised, they have to make an announcement.

This is a fuck up, there is nothing to thank them for, sit back and hope that nothing much got leaked.
No rest for the wicked.
