Please update your Password
#1
Posted 02 February 2011 - 11:02 AM
We did this in October to start a clean slate when it comes to account sharing and any other account compromise that may have occurred to the RO accounts. Since then 10,500 accounts have changed their passwords back to ancient, potentially compromised passwords.
Each time a player has their account logged into and damaged by surprise, it causes numerous issues. Of course the emotional and gameplay effects are severe, and then there is the time it takes the CS team to research and provide whatever assistance we can. In the best of cases it is just time spent and the player is back to neutral, but the worst case is that there is nothing we can do and the player is left with an account that is damaged because of their negligence.
We do NOT like leaving players in a damaged state, but we have to draw a line somewhere on personal responsibility for the well-being of account information. With that in mind we are going to perform these password changes.
We are emailing all accounts that fit the criteria (really old passwords on the account) to explain what is going to happen on February 8th and how to fix it.
If you want to change the password yourself so it is not changed for you, or you are deciding to take an active role in your account security, then please log in to the WarpPortal, edit the game account and change the password. We also have a Knowledge Base article with this information.
I know there are several questions as to how an account can be compromised, so here are the vectors that we have noticed most often.
1. Account sharing in the past
2. A keylogger of some sort
3. Phishing websites, tricking you into releasing information
4. Really old passwords being bruteforced over a long period of time
5. Man-in-the-middle attacks (colleges, podunk ISPs, LAN parties, LAN cafes)
The groups that seem responsible for the recent reports appear to be gold-selling sites; they make money off of destroying a game economy and hacking players. They do pay money to get the "edge", such as buying any account information figured out through any of the above means, as well as creating such methods themselves. It is a sick cycle really: enticing a purchase, only to attempt to hack you or others so they have stuff to sell. These methods of acquiring the in-game stuff are the reason we do NOT SUPPORT RMT. Honestly, if it were only legitimate gameplay generating the money and then someone selling it, it would be much less of a problem than it is today.
So we are doing our part to stop all we can before it happens, your assistance and support in this endeavor is greatly appreciated.
Below is the email we are sending out.
Dear [nickname],
Here at the WarpPortal we are very interested in helping you maintain your account security. To this end we have noticed that the password on the Ragnarok Online account [Account name], is over a year old and is a threat to your account security. To avoid potential unauthorized account access, we will be updating the password to a new random password on Tuesday February 8, 2011.
To avoid having the password changed to something you do not know, please update the password yourself by visiting the WarpPortal, logging in and updating the game account password. We will only update the password for you if it remains unchanged on February 8. For assistance in how to update the game account password, please visit our Knowledge Base article regarding password changing. If further assistance is needed, you are encouraged to write a ticket to the CS Team for support.
We do appreciate your support in helping us maintain account security,
WarpPortal Team
#2
Posted 02 February 2011 - 12:33 PM
1. If you are currently sharing your account with someone, and you change your password, you will tell them, right? This point has no bearing at all, unless you wish to protect your account from someone you USED to share your account with. In that case it's just common sense if you get "hacked" by them.
2. If you still have keyloggers on your computer, changing your password won't help. You have to get rid of them first, then change the password. Again, it's just common sense.
3. Again, people being retards and getting hacked is all their own fault.
4. This shouldn't happen at all. Maybe if you had some sort of DELAYS to prevent brute force attacks, and, well... I dunno.. maybe IP bans against computers that are obviously trying to brute force passwords, this wouldn't even be an issue?
5. Like I said before, if you think you have a problem with these now, wait till passwords become really simple and/or are just lying around.
Nobody likes it when you force them to change their passwords, and you will do more harm than good.
#3
Posted 02 February 2011 - 12:38 PM
inb4 Kad posts her tip on how to make a good password easily
Edited by Fureedo, 02 February 2011 - 12:39 PM.
#4
Posted 02 February 2011 - 12:43 PM
#5
Posted 02 February 2011 - 12:45 PM
Edited by GuardianTK, 02 February 2011 - 12:46 PM.
#6
Posted 02 February 2011 - 01:00 PM
no problem!
Copy, paste your Pass-word and remove any Word* XD
"Use Your Brain"
#7
Posted 02 February 2011 - 01:07 PM
Most people wouldn't know what to do with an RO un/pass, nor would they have any reason to do it except to spite you (and if people who wish to cause harm and are willing to compromise your accounts have access to your important documents, you're screwed anyway...).
What I'm saying is, people with physical access to your computer/desk/office are not your problem (in most cases). Your problem is internet people, probably gold-seller types.
Also, I'll bet any brute force attacks are being run through a botnet now, making it less obvious and harder to recognize and block.
And it's easy to stop brute force attacks when they hammer one account. But what if they have a list of a few tens of thousands of accounts (which is easy, just brute force the login: the errors are different depending on whether the username is taken or not, and this really needs to be fixed!)? How would you address 100,000 different IP addresses, each trying to log in only a handful of times?
Edited by DrAzzy, 02 February 2011 - 01:09 PM.
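The two problems raised in this post (distinct login errors that let an attacker enumerate usernames, and a botnet spreading guesses over many IPs so a per-IP ban never fires) and the rate-limiting point from post #2 can be shown side by side. This is an added example, not WarpPortal's code: the user store, the sample account "alice", the PBKDF2 parameters and the throttle thresholds are all constructed assumptions. `login_leaky` reproduces the enumerable behaviour; `login_hardened` returns one uniform error, does the same hashing work for unknown names, and counts failures per account as well as per source IP.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

# Constructed demo store: username -> (salt, PBKDF2 hash). Not WarpPortal's data or code.
PBKDF2_ITERATIONS = 20_000
USERS = {}


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user(name, password):
    salt = os.urandom(16)
    USERS[name] = (salt, derive(password, salt))


add_user("alice", "correct horse battery staple")  # constructed sample account

# Fixed dummy credential so unknown usernames cost the same hash computation as real ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = derive(secrets.token_hex(16), DUMMY_SALT)


def login_leaky(name, password):
    """The behaviour described in the post: a different error for unknown names leaks which accounts exist."""
    if name not in USERS:
        return "error: no such account"
    salt, stored = USERS[name]
    if not hmac.compare_digest(stored, derive(password, salt)):
        return "error: wrong password"
    return "ok"


class Throttle:
    """Sliding-window failure counter keyed by any identifier (account name, client IP, ...)."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)

    def blocked(self, key, now):
        recent = [t for t in self.failures[key] if t > now - self.window]
        self.failures[key] = recent
        return len(recent) >= self.max_failures

    def record(self, key, now):
        self.failures[key].append(now)


def login_hardened(name, password, throttle, client_ip, now=None):
    """Uniform error text, constant work for unknown users, throttling per account and per IP."""
    now = time.time() if now is None else now
    if throttle.blocked(("acct", name), now) or throttle.blocked(("ip", client_ip), now):
        return "error: too many attempts, try again later"
    salt, stored = USERS.get(name, (DUMMY_SALT, DUMMY_HASH))
    candidate = derive(password, salt)  # always computed, even for unknown names
    if name not in USERS or not hmac.compare_digest(stored, candidate):
        throttle.record(("acct", name), now)
        throttle.record(("ip", client_ip), now)
        return "error: invalid username or password"
    return "ok"


def enumerate_accounts(login_fn, candidates):
    """Attacker's view: a name 'exists' if its error differs from one for a name that surely does not."""
    baseline = login_fn("no-such-user-" + secrets.token_hex(4), "x")
    return {n for n in candidates if login_fn(n, "x") != baseline}


def distributed_guess(target, guesses, throttle, start=0.0):
    """One guess per source IP against one account (the botnet pattern); returns (accepted, throttled)."""
    accepted = throttled = 0
    for i, guess in enumerate(guesses):
        ip = "10.%d.%d.%d" % (i // 65536, (i // 256) % 256, i % 256)
        result = login_hardened(target, guess, throttle, ip, now=start + i)
        if result == "ok":
            accepted += 1
        elif result.startswith("error: too many"):
            throttled += 1
    return accepted, throttled
```

Against `login_leaky`, `enumerate_accounts` picks out "alice" from a list of candidates; against `login_hardened` it learns nothing, because every failure reads the same. With twenty guesses from twenty different IPs, the per-IP counter never trips, but the per-account counter stops the attack after five failures. The caveat is that a per-account lockout is itself a denial-of-service handle: anyone who knows your username can lock you out by guessing wrong five times, so a real deployment would pair the counter with a growing delay or a CAPTCHA rather than a hard refusal, and would always keep the failure message uniform.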
#8
Posted 02 February 2011 - 01:17 PM
I would think that since most of these accounts are tied to a warpportal account, and we are thus emailing them on the registered email, that them recovering the password should be really easy.
#9
Posted 02 February 2011 - 01:24 PM
#10
Posted 02 February 2011 - 01:26 PM
That's assuming the people you're emailing are all people who have access to the email they bound to WP, right?
As I stated before, only the 10,500 accounts are even affected by this. And I'm sure many will actually update their passwords before February 8th, so they won't be changed either. This is our means of proactively helping. It uses a lot of our time and frustrates our customers a lot when their accounts are accessed, regardless of why/how they were accessed.
I would think that since most of these accounts are tied to a warpportal account, and we are thus emailing them on the registered email, that them recovering the password should be really easy.
#11
Posted 02 February 2011 - 01:40 PM
So, need to change this IP? Log on your warpportal account to do that. Have a dynamic IP? Then don't bind your account to one...
#12
Posted 02 February 2011 - 02:19 PM
Since you said 10,500 accounts have changed their passwords "back" does that mean you keep track of all our old passwords?
Even if they are not able to "track" the old passwords, they should still be able to compare the encrypted data and find out if the old password and the new one are the same (if they have backups).
Maybe they should
#13
Posted 02 February 2011 - 02:28 PM
I'd rather give cookies and milk to those that didn't need the reminding to do the password changes as well.
Brute force is one vector, but from experience it is not the majority; keyloggers and man-in-the-middle attacks seem way more prevalent (assuming it isn't account sharing and they were not being truthful with us).
#14
Posted 02 February 2011 - 04:15 PM
#15
Posted 02 February 2011 - 04:53 PM
I guess the incentive is that you won't have the password updated by "surprise".
I'd rather give cookies and milk to those that didn't need the reminding to do the password changes as well.
Brute force is one vector, but from experience it is not the majority; keyloggers and man-in-the-middle attacks seem way more prevalent (assuming it isn't account sharing and they were not being truthful with us).
Yeah, so I have an alphanumeric non-dictionary password that I "changed back to", but you want me to change it to a (possibly) less secure one again? Smart... very smart, guys.
Go ahead and change my password, I can easily change it back to be secure again.
#16
Posted 02 February 2011 - 05:06 PM
if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?
even if they changed it back to what it was, it still probably wouldn't register as being over a year old in your database since it was previously changed.
#17
Posted 02 February 2011 - 05:32 PM
I'm pretty sure they're referring to the old passwords you had before the forced change(s) and call those "a year old password".
if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?
even if they changed it back to what it was, it still probably wouldn't register as being over a year old in your database since it was previously changed.
#18
Posted 02 February 2011 - 05:32 PM
#19
Posted 02 February 2011 - 06:35 PM
#20
Posted 02 February 2011 - 07:07 PM
The day they add "IDIOT" to an error description is the day I'd do it on purpose just to see it in order to crack myself up. xD
If you know what the passwords are that were a year old and are able to check that, why don't you add a check into the password update form on the site so it goes "ERROR: YOU USED THIS PASSWORD BEFORE, IDIOT"?
#21
Posted 02 February 2011 - 07:18 PM
#22
Posted 02 February 2011 - 07:41 PM
#23
Posted 02 February 2011 - 08:12 PM
if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?
so no change if less than 1 year?
#24
Posted 02 February 2011 - 08:13 PM
As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.
Basically if you are using the password you used at the end of 2009 you are going to get changed.
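Posts #12 and #20 ask how the site can tell that a password was "changed back" and refuse it, and this post says the reuse check is on the work list. The mechanics can be shown with a small example. This is added code, not WarpPortal's: it assumes passwords are stored as salted PBKDF2-HMAC-SHA256 hashes with a fresh random salt per password (an assumption about the store, not something the thread confirms). Because each stored record carries its own salt, two hashes of the same password do not match byte for byte, so the naive "compare the encrypted data" check from post #12 does not work; instead the candidate new password is re-derived under each retained old salt and compared to the stored hash.

```python
import hashlib
import hmac
import os

# Added example, not WarpPortal's code: a password store with per-password random salts
# (PBKDF2-HMAC-SHA256 here, as an assumption) that keeps the last N records to refuse reuse.
PBKDF2_ITERATIONS = 20_000


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hashes_of_same_password_differ(password):
    """With random salts, hashing one password twice gives two different records, so a plain
    byte-for-byte comparison of old and new hashes cannot detect a reused password."""
    a = derive(password, os.urandom(16))
    b = derive(password, os.urandom(16))
    return a != b


class Account:
    def __init__(self, password, history_size=5):
        self.history_size = history_size
        self.history = []  # (salt, hash) pairs, oldest first, newest last
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, derive(password, salt)))
        self.history = self.history[-self.history_size:]  # keep only the last N records

    def _matches(self, password, record):
        salt, stored = record
        return hmac.compare_digest(stored, derive(password, salt))

    def verify(self, password):
        """Check against the current (newest) record only."""
        return self._matches(password, self.history[-1])

    def used_before(self, password):
        """Re-derive the candidate under every retained salt; any match means it was used before."""
        return any(self._matches(password, rec) for rec in self.history)

    def change_password(self, current, new):
        if not self.verify(current):
            return "error: current password incorrect"
        if self.used_before(new):
            return "error: you used this password before"
        self._store(new)
        return "ok"
```

The history only goes back `history_size` changes, so a user can still cycle through more passwords than that and land on an old one; a longer history costs one extra PBKDF2 derivation per retained record on every change, which is the trade-off to tune. Checking reuse at change time also means the server momentarily has the plaintext candidate, which is unavoidable for any password-quality or reuse check and is why the comparison runs inside the same request that sets the password rather than against a stored list of plaintexts.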
#25
Posted 02 February 2011 - 09:06 PM
First off, the passwords are heavily encrypted and salted. I have no idea what your PW is; no one here does. But we can tell if two hashes are the same as before.
As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.
Basically if you are using the password you used at the end of 2009 you are going to get changed.
This is retarded. Stop trying to be "big brother" and cram crap down your users' throats. All you are going to do is piss off users that have secure passwords by making them change to a less secure password. If you know you are going to have to change again in 6-12 months, 90% of people will NOT make a secure password that is harder to remember and motor-train yourself to type.
Plenty of other people have tried this password enforcing, including businesses, and found it more detrimental than letting users control when they wished to change. The only way you can be helpful is to REQUIRE alphanumeric passwords, preferably with a lookup on creation to see if it is too close to a dictionary word.