LOGIN SECURITY

D00ML0RD
Fledgling Forumer
Posts: 223
Joined: Sat Oct 29, 2005 8:57 am
ID: 0

LOGIN SECURITY

With all these security problems concerning illegal access - is it possible to insert a secondary tier of security when logging in????

Perhaps freezing the account after three unsuccessful logins and emailing the player a new password??? Just a suggestion.
********MASTER of comebacks********
~not telling~

that would be interesting. and good for the security.
MAsterp
Forum Intermediate
Posts: 759
Joined: Sun Sep 18, 2005 4:34 pm
ID: 0
Location: New York, USA

Re: LOGIN SECURITY

DOOM LORD wrote:With all these security problems concerning illegal access - is it possible to insert a secondary tier of security when logging in????

Perhaps freezing the account after three unsuccessful logins and emailing the player a new password??? Just a suggestion.


A great suggestion! I believe they have this on paypal :D
Sleipnir
Merriest Mod in the West
Posts: 2340
Joined: Tue Feb 15, 2005 11:16 pm
ID: 0
Location: Off-world

One problem. You can do this to someone just to annoy them, having their password changed.

As soon as you build an idiot proof system, somebody else builds a better idiot.

If it moves, kill it. If it doesn't move, kick it until it does move, and then kill it.
The Dalek Empire
Fledgling Forumer
Posts: 248
Joined: Fri May 13, 2005 1:31 am

A two password system perhaps?
Wolf359
The Big Bad Admin
Posts: 5208
Joined: Sat Feb 19, 2005 2:40 am
Alliance: EPA
Race: Tauri
ID: 0
Location: Omnipresent

But where will it all end? Until recently people have complained that they would like the email details removed from the login procedure - but now people are asking for another level of security.

Sleip is correct - having a lockout is the wrong way to go as someone could just maliciously enter your name and then other details incorrectly, just to freeze you out.

A two password system? How would that work? You have to enter 2 passwords each time? This goes back to people previously being annoyed about having to put the email in - and, when somebody is hacked under the two password system, what do we do then, go to three?

Or you might mean that we have to select 2 passwords, but when we login the game asks us for one of them randomly. If this is what you mean - why not take it a stage further.

We keep the current level of 3 pieces of information being required to login. These would be:

1. Name (Wolf359)
2. Email (abc@123.com)
3. Any 1 additional piece of information from a list of 3, including a password.

For 3, what you would have to do when you register is supply a password, plus the answers to 2 other questions that you already know the answer to (i.e. Mother's maiden name etc). Then, you are randomly asked one of these questions as part of the login process.

An alternative may be to keep login as it is, but to ask for an additional confirmation password if it looks like something dodgy may be happening to the account. i.e. to confirm account deletion, or if multiple (3?) trades and/or transfers are set up, or a certain level of resources is being moved to someone else.

A further alternative may be to ask for an additional confirmation password if the account is accessed from an IP other than the usual one (although this would mean that 'the usual one' would somehow have to be determined).

Just a few ideas for the pot.
Severian wrote:So I say as a last resort, splice Semper & Wolf359 for a good balance, Clone said unholy abomination a hundred times, let loose on forums and problem solved.
Mod Speak
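
The "additional confirmation password" alternative from the post above, sketched as an added example (it is not part of the original thread and not the game's code). The `Account` and `Request` types, the `RESOURCE_LIMIT` value and the rule that a "usual" IP is any IP seen in an earlier successful login are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TRANSFER_COUNT_LIMIT = 3    # "multiple (3?)" trades/transfers, from the post
RESOURCE_LIMIT = 1_000_000  # assumed value; the post only says "a certain level"

@dataclass
class Account:
    name: str
    known_ips: set = field(default_factory=set)  # assumption: IPs of past successful logins

@dataclass
class Request:
    ip: str
    action: str                 # e.g. "view", "trade", "transfer", "delete_account"
    amount: int = 0             # resources moved to another player
    transfers_set_up: int = 0   # trades/transfers already set up this session

def step_up_reasons(account, req):
    """Return why a confirmation password is needed; empty list means none."""
    reasons = []
    if req.ip not in account.known_ips:
        reasons.append("unfamiliar_ip")
    if req.action == "delete_account":
        reasons.append("account_deletion")
    if req.action in ("trade", "transfer"):
        if req.transfers_set_up + 1 >= TRANSFER_COUNT_LIMIT:
            reasons.append("multiple_transfers")
        if req.amount >= RESOURCE_LIMIT:
            reasons.append("large_transfer")
    return reasons

def decide(account, req, confirmation_ok=None):
    """confirmation_ok: None = not supplied, True/False = result of checking it."""
    if not step_up_reasons(account, req):
        return "allow"
    if confirmation_ok:
        account.known_ips.add(req.ip)  # a confirmed IP becomes a usual one
        return "allow"
    # A missing or wrong confirmation blocks this action only; the account
    # is never frozen, so a third party cannot lock the owner out.
    return "challenge"

if __name__ == "__main__":
    wolf = Account("Wolf359", {"192.0.2.10"})  # constructed sample data
    print(decide(wolf, Request("192.0.2.10", "transfer", amount=500)))
    print(decide(wolf, Request("198.51.100.7", "view")))
    print(decide(wolf, Request("192.0.2.10", "delete_account"), confirmation_ok=False))
```

Because a failed confirmation only blocks the single action, this variant avoids the malicious-lockout problem raised earlier in the thread.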
D00ML0RD
Fledgling Forumer
Posts: 223
Joined: Sat Oct 29, 2005 8:57 am
ID: 0

LOGIN SECURITY

Hey Wolf thanks for the input. I like your ideas - :D
********MASTER of comebacks********
agapooka
Semper Ubi Sub Ubi
Posts: 2607
Joined: Thu Mar 31, 2005 4:34 am
ID: 0

The game is just weakly coded. I had my SD co-admin (Streamdown.NET co-admin) check around. According to him, everything should be rewritten. He offers to do it, but anyways, I haven't received anything from admin on the matter.

-Jason
Agapooka wrote:The argument that because a premise cannot be proven false, it must be true, is known as a Negative Proof Fallacy in logic.
Mister Sandman wrote:Nothing at all near the negative proof fallacy in logic. If it cannot be proven false, it has to be true.
Pooka's UU Market Loyalty Card:

Rudy Pena: 1 stamp!

A Spider: 1 stamp!
eggsalad
Forum Grunt
Posts: 61
Joined: Tue Feb 14, 2006 6:32 pm
ID: 0

ya i just thot of sumting sorta lik wat wolf said. lik wen u create ur account. u put in the 3 stuff. ur name,email, and password. then it could hav u make up a question and u answer the question. then wen u log on u put ur question and answer. for example: ur question- who was the first president of the united states of america. ur answer- george washington. sorta lik wat they hav u do wen u make ur email address.
"ive never backed down from a fight before and id be danmed if i start now"
"i do wat i want, wen i want, were i want"
Wolf359
The Big Bad Admin
Posts: 5208
Joined: Sat Feb 19, 2005 2:40 am
Alliance: EPA
Race: Tauri
ID: 0
Location: Omnipresent

eggsalad wrote:ya i just thot of sumting sorta lik wat wolf said. lik wen u create ur account. u put in the 3 stuff. ur name,email, and password. then it could hav u make up a question and u answer the question. then wen u log on u put ur question and answer. for example: ur question- who was the first president of the united states of america. ur answer- george washington. sorta lik wat they hav u do wen u make ur email address.


or even exactly like I said!
Severian wrote:So I say as a last resort, splice Semper & Wolf359 for a good balance, Clone said unholy abomination a hundred times, let loose on forums and problem solved.
Mod Speak
eggsalad
Forum Grunt
Posts: 61
Joined: Tue Feb 14, 2006 6:32 pm
ID: 0

o ya i just noticed. i red it then i made my post. then i red ur thing again and noticed dat it was exactly wat u said. plz dont mind me im a little off today. ( actually im always off but dats besides the point)
"ive never backed down from a fight before and id be danmed if i start now"
"i do wat i want, wen i want, were i want"
pianomutt20000
Forum Zombie
Posts: 5018
Joined: Mon Oct 17, 2005 1:26 am
Race: Tauri
ID: 0
Location: Saving lives in the desert of CA.

Wolf359 wrote:But where will it all end? Until recently people have complained that they would like the email details removed from the login procedure - but now people are asking for another level of security.

Sleip is correct - having a lockout is the wrong way to go as someone could just maliciously enter your name and then other details incorrectly, just to freeze you out.

A two password system? How would that work? You have to enter 2 passwords each time? This goes back to people previously being annoyed about having to put the email in - and, when somebody is hacked under the two password system, what do we do then, go to three?

Or you might mean that we have to select 2 passwords, but when we login the game asks us for one of them randomly. If this is what you mean - why not take it a stage further.

We keep the current level of 3 pieces of information being required to login. These would be:

1. Name (Wolf359)
2. Email (abc@123.com)
3. Any 1 additional piece of information from a list of 3, including a password.

For 3, what you would have to do when you register is supply a password, plus the answers to 2 other questions that you already know the answer to (i.e. Mother's maiden name etc). Then, you are randomly asked one of these questions as part of the login process.

An alternative may be to keep login as it is, but to ask for an additional confirmation password if it looks like something dodgy may be happening to the account. i.e. to confirm account deletion, or if multiple (3?) trades and/or transfers are set up, or a certain level of resources is being moved to someone else.

A further alternative may be to ask for an additional confirmation password if the account is accessed from an IP other than the usual one (although this would mean that 'the usual one' would somehow have to be determined).

Just a few ideas for the pot.






Wolf, man I hadn't thought about that.....I could lock someone out, then mass him when he's locked out. He gets logged back in.....NOTHING LEFT hahahahaha. I agree, bad idea. hmmm I like your idea about if it's accessed from another IP. It should have another layer, like a question..

What is your favorite pet or somesuch. :D
urban assault wrote: Bill? Hey, I said I was kidding! Bill, don't push that red button!
Sometimes some of the mods will try to step on you, or even mod your section. My advice is to fill a sock with marbles and hit them repeatedly until they stop. - Pianomutt2000.
_Predator_
Forum Irregular
Posts: 398
Joined: Sun Jun 05, 2005 6:16 am
ID: 0

wat if it locks an ip out after trying to log in 3 times
I got banned...well now isnt that nice :)
Groupthink
Forum Grunt
Posts: 50
Joined: Sat Oct 15, 2005 8:21 pm
ID: 0
Location: The sun is directly above me....now!

For a start, what about not requiring the email address each time (since it's easy to find) and instead requiring a second password in that spot. It would allow the page setup to stay the same but would increase the security.

The problem I'd see with getting banned long term for 3 failed logins, is when I try to log into main using my Chaos password. Sometimes the old brain cramps up on me, and it's a few tries before I realize I selected the wrong page from favorites... I'd hate to be harassing admin for days while I tried to get access to my account again.
Wolf359
The Big Bad Admin
Posts: 5208
Joined: Sat Feb 19, 2005 2:40 am
Alliance: EPA
Race: Tauri
ID: 0
Location: Omnipresent

I think we can safely rule out the 'locking out' option - even for particular IPs - remember some people play from school or work, so someone could maliciously lock them out on purpose from the same location.
Severian wrote:So I say as a last resort, splice Semper & Wolf359 for a good balance, Clone said unholy abomination a hundred times, let loose on forums and problem solved.
Mod Speak
Locked
