Please update your Password - Archives - WarpPortal Community Forums


Please update your Password


  • This topic is locked
78 replies to this topic

#1 Heimdallr

Heimdallr

    Too Legit To Quit

  • Community Managers
  • 3654 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 11:02 AM

On February 8th we will be updating any password that is over a year old.

We did this in October to start a clean slate when it comes to account sharing and any other account compromise that may have occurred to the RO accounts. Since then 10,500 accounts have changed the passwords back to ancient, potentially compromised passwords.

Each time a player has their account logged into and damaged by surprise, it causes numerous issues. Of course the emotional and the game play effects are very high, and then the time it takes the CS team to research and perform whatever assistance we can. In the best of cases it is just time spent, and the player is back to neutral, but the worst case scenario can be there is nothing possible to assist and the player is left with an account that is damaged because of their negligence.

We do NOT like leaving players in a damaged state, but we have to draw a line somewhere of personal responsibility for the account information well being. With that in mind we are going to perform these password changes.

We are emailing all accounts that fit the criteria of using really old passwords on the accounts with what is going to happen on February 8th, and how to fix it.

If you want to change the password yourself so you do not have it changed for you, or you are deciding to take an active role in your account security, then please login to the WarpPortal, -> and edit the game account and change the password. We also have a Knowledge base article for this information as well.

I know there are several questions as to how an account can be compromised, so here are the vectors that we have noticed most often.

1. Account sharing in the past
2. A keylogger of some sort
3. Phishing websites, tricking you into releasing information
4. Really old passwords being bruteforced over a long period of time
5. Man in the middle attacks (colleges, podunk ISP, Lan party, lan cafes)

The groups that seem responsible for the recent reports seem to be gold selling sites, they make money off of destroying a game economy and hacking players. They do pay money to get the "edge" such as buying any figured out account information collected through any of the above means, as well as creating such methods themselves. It is a sick cycle really of enticing purchase, only to attempt to hack you or others so they have stuff to sell. These methods of acquiring the in-game stuff are the reason we do NOT SUPPORT RMT. Honestly if it were only legitimate game play from players causing the money and then someone selling it would be much less a problem than what it is today.

So we are doing our part to stop all we can before it happens, your assistance and support in this endeavor is greatly appreciated.


Below is the email we are sending out.

Dear [nickname],

Here at the WarpPortal we are very interested in helping you maintain your account security. To this end we have noticed that the password on the Ragnarok Online account [Account name], is over a year old and is a threat to your account security. To avoid potential unauthorized account access, we will be updating the password to a new random password on Tuesday February 8, 2011.

To avoid having the password changed to something you do not know, please update the password yourself by visiting the WarpPortal, logging in and updating the game account password. We will only update the password, for you, if the password remains unchanged on February 8. For assistance in how to update the Game account password please visit our Knowledge base article regarding Password changing. If further assistance is needed you are encouraged to write a ticket to the CS Team for support.

We do appreciate your support in helping us maintain account security,
WarpPortal Team
  • 0

#2 LethalJokeChar

LethalJokeChar

    Amateur Blogger

  • Members
  • 322 posts
  • Playing:Nothing

Posted 02 February 2011 - 12:33 PM

Ok, seriously. Having to change your password every so often is EVEN MORE annoying and dangerous than just keeping old passwords. So you have to keep changing your passwords... sooner or later it just becomes such a huge hassle that you end up using really simple passwords, or you have to write them down cause you can't remember them. Then when it's written down, it's extremely vulnerable to being taken by roommates, "friends", neighbors, or anyone else who sees you playing. And yes, since like 90% of "hacks" are actually your "friends" and people you know backstabbing you, leaving your password around on a piece of paper isn't good.



1. If you are currently sharing your account with someone, and you change your password, you will tell them, right? This point has no bearing at all, unless you wish to protect your account from someone you USED to share your account with. In that case it's just common sense if you get "hacked" by them.

2. If you still have keyloggers on your computer, changing your password won't help. You have to get rid of them first, then change the password. Again, it's just common sense.

3. Again, people being retards and getting hacked is all their own fault.

4. This shouldn't happen at all. Maybe if you had some sort of DELAYS to prevent brute force attacks, and, well... I dunno.. maybe IP bans against computers that are obviously trying to brute force passwords, this wouldn't even be an issue?

5. Like I said before, if you think you have a problem with these now, wait till passwords become really simple and/or are just lying around.


Nobody likes it when you force them to change their passwords, and you will do more harm than good.
  • 2

#3 Fureedo

Fureedo

    Amateur Blogger

  • Members
  • 201 posts
  • LocationIn a wind tunnel...in my dream~
  • Playing:Ragnarok Online
  • Server:All of em?

Posted 02 February 2011 - 12:38 PM

Well, it is good practice to change your password once a year...actually, it should be common sense by now /hmm

inb4 kad post her tip on how to make a good password easily

Edited by Fureedo, 02 February 2011 - 12:39 PM.

  • 0

#4 LethalJokeChar

LethalJokeChar

    Amateur Blogger

  • Members
  • 322 posts
  • Playing:Nothing

Posted 02 February 2011 - 12:43 PM

No, it isn't common sense if you've kept your password secure from phishers and keyloggers and the places you use it at don't have their thumb up their ass when it comes to preventing brute force attacks.
  • 2

#5 GuardianTK

GuardianTK

    They pay me to post.

  • RO Fungineering
  • 9388 posts
  • LocationIn a certain mansion
  • Playing:Nothing
  • Server:Chaos Renewal + Odin

Posted 02 February 2011 - 12:45 PM

I hope nobody comes in here with the "But I forgot my email to which I bound my WP to from the time it was made a requirement, so I can't change my password! Screw you Gravity for my own incompetence!" excuse. It's a shame some people are so lazy as to not remember which emails are important and how it's just simple to edit a password in some manner to protect an account.

Edited by GuardianTK, 02 February 2011 - 12:46 PM.

  • 0

#6 fong

fong

    Too Legit To Quit

  • Members
  • 1070 posts
  • LocationBehind The Jail
  • Playing:Ragnarok Online
  • Server:Valkyrie

Posted 02 February 2011 - 01:00 PM

Keylogger?
no problem!

Copy,Paste your Pass-word and remove any Word* XD

"Use Your Brain"
  • 0

#7 DrAzzy

DrAzzy

    Really Azzy? Already?

  • VMod Retired
  • 15606 posts
  • LocationNew England
  • Playing:Ragnarok Online
  • Server:Chaos-Clandestine Society

Posted 02 February 2011 - 01:07 PM

I don't see a problem with writing down your passwords to RO (either in a text document or on dead trees), unless you know people in real life who play RO, but don't know them well enough to trust them.

Most people wouldn't know what to do with a RO Un/pass, nor would they have any reason to do it except to spite you (and if people who wish to cause harm and are willing to compromise your accounts have access to your important documents, you're screwed anyway.....)

What I'm saying, is people with physical access to your computer/desk/office are not your problem (in most cases). Your problem is internet people, probably gold-seller types.

Also, I'll bet any brute force attacks are being run through a botnet now, making it less obvious and harder to recognize and block.
And, it's easy to stop brute force attacks when they hammer one account. But what if they have a list of a few tens of thousands of accounts (which is easy, just brute force the login - the errors are different depending on whether the username is taken or not - this really needs to be fixed!)? How would you address 100,000 different ip addresses, each trying to log in only a handful of times?

Edited by DrAzzy, 02 February 2011 - 01:09 PM.

  • 0
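An added example, not part of any post in this thread and not WarpPortal's code: a login check that answers every failure with the same message (so the response does not reveal whether a username exists) and counts failures per account instead of per source address, so guesses spread over many IPs still add up. `LoginGate`, the thresholds and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "incorrect username or password"
MAX_FAILURES = 5      # assumed: failures allowed before delays start
BASE_DELAY = 30.0     # assumed: first lockout in seconds, doubled per further failure
MAX_DELAY = 3600.0    # assumed: upper bound on a single lockout

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy record so unknown usernames cost the same hashing work as real ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("placeholder", _DUMMY_SALT))

class LoginGate:
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # username -> (failure count, locked-until time)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password, source_ip, now):
        # source_ip is deliberately not part of the throttle key: a botnet
        # changes address on every attempt, the targeted account stays fixed.
        known = username in self.users
        salt, stored = self.users.get(username, _DUMMY)
        match = hmac.compare_digest(_hash(password, salt), stored)
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            # Same answer while locked, even for the right password.
            return False, GENERIC_ERROR
        if known and match:
            self.failures.pop(username, None)
            return True, "ok"
        # Unknown usernames are counted too, so they behave like real ones.
        # (A real service would bound or expire this table.)
        count += 1
        delay = 0.0
        if count >= MAX_FAILURES:
            delay = min(BASE_DELAY * 2 ** (count - MAX_FAILURES), MAX_DELAY)
        self.failures[username] = (count, now + delay)
        return False, GENERIC_ERROR
```

Keying the delay on the account means failed guesses also delay the real owner for the lockout period; that trade-off is part of the assumptions here.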

#8 Heimdallr

Heimdallr

    Too Legit To Quit

  • Community Managers
  • 3654 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 01:17 PM

As I stated before, only the 10,500 accounts are even affected by this. And I'm sure many will actually update their passwords before February 8th, so they won't be changed either. This is our means of proactively helping. It uses a lot of our time and frustrates our customers a lot when they are accessed, regardless of why/how they were accessed.

I would think that since most of these accounts are tied to a warpportal account, and we are thus emailing them on the registered email, that them recovering the password should be really easy.
  • 0

#9 Castella

Castella

    I made it Off Topic

  • Members
  • 59 posts

Posted 02 February 2011 - 01:24 PM

Since you said 10,500 accounts have changed their passwords "back" does that mean you keep track of all our old passwords?
  • 0

#10 GuardianTK

GuardianTK

    They pay me to post.

  • RO Fungineering
  • 9388 posts
  • LocationIn a certain mansion
  • Playing:Nothing
  • Server:Chaos Renewal + Odin

Posted 02 February 2011 - 01:26 PM

As I stated before, only the 10,500 accounts are even affected by this. And I'm sure many will actually update their passwords before February 8th, so they won't be changed either. This is our means of proactively helping. It uses a lot of our time and frustrates our customers a lot when they are accessed, regardless of why/how they were accessed.

I would think that since most of these accounts are tied to a warpportal account, and we are thus emailing them on the registered email, that them recovering the password should be really easy.

That's assuming the people you're emailing to are all people that have access to the email they bound to WP, right?
  • 0

#11 LethalJokeChar

LethalJokeChar

    Amateur Blogger

  • Members
  • 322 posts
  • Playing:Nothing

Posted 02 February 2011 - 01:40 PM

Hey I got an idea though. Let us "bind" an IP address to our accounts. Any IP trying to access that account is rejected for one reason or another. You can probably get away with just saying "incorrect username or password" to not let them know it's actually cause of the IP.

So, need to change this IP? Log on your warpportal account to do that. Have a dynamic IP? Then don't bind your account to one...
  • 0

#12 Kahlev

Kahlev

    Amateur Blogger

  • Members
  • 131 posts

Posted 02 February 2011 - 02:19 PM

Since you said 10,500 accounts have changed their passwords "back" does that mean you keep track of all our old passwords?


Even if they are not able to "track" the old passwords, they should still be able to compare the encrypted data and find out if the old password and the new one are the same (if they have backups).

Maybe they should bribe offer some kind of incentive like they did last time a mass password change happened. You know, since it's not exactly the user's fault that they allow brute force attacks to happen unnoticed.
  • 1

#13 Heimdallr

Heimdallr

    Too Legit To Quit

  • Community Managers
  • 3654 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 02:28 PM

I guess the incentive is that you won't have the password updated by "surprise".

I'd rather give cookies and milk to those that didn't need the reminding to do the password changes as well.

Brute force is one vector, but from experience it is not the majority, keyloggers and man in the middles seem way more prevalent (assuming it isn't account sharing and they were not being truthful with us).
  • 0

#14 Mefistofeles

Mefistofeles

    Too Legit To Quit

  • Members - No Sig
  • 1281 posts
  • Playing:Nothing

Posted 02 February 2011 - 04:15 PM

Can any GM give us an answer to this feedback? http://forums.warppo...newal-feedback/
  • 0

#15 meoryou2

meoryou2

    Too Legit To Quit

  • Members
  • 1176 posts
  • LocationAFK in Ymir pront
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 02 February 2011 - 04:53 PM

I guess the incentive is that you won't have the password updated by "surprise".

I'd rather give cookies and milk to those that didn't need the reminding to do the password changes as well.

Brute force is one vector, but from experience it is not the majority, keyloggers and man in the middles seem way more prevalent (assuming it isn't account sharing and they were not being truthful with us).



Yeah, so I have an alphanumeric non dictionary password that I "changed back to" but you want me to change it to a ( possibly ) less secure one again? Smart...very smart guys.
Go ahead and change my password, I can easily change it back to be secure again.
  • 0

#16 Frappuccino

Frappuccino

    Amateur Blogger

  • Members
  • 376 posts
  • Playing:Nothing

Posted 02 February 2011 - 05:06 PM

question:

if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?

even if they changed it back to what it was, it still probably wouldn't register as being over a year old in your database since it was previously changed.
  • 0

#17 Miyuki

Miyuki

    Awarded #1 Troll

  • Members
  • 598 posts
  • LocationUnderground
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 02 February 2011 - 05:32 PM

question:

if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?

even if they changed it back to what it was, it still probably wouldn't register as being over a year old in your database since it was previously changed.

I'm pretty sure they're referring to the old passwords you had before the forced change(s) and call those "a year old password".
  • 0

#18 CocaCola

CocaCola

    Too Legit To Quit

  • Members
  • 1007 posts
  • LocationNE
  • Playing:Ragnarok Online
  • Server:Classic

Posted 02 February 2011 - 05:32 PM

idk I just got one, and I've changed my pass like 3 times in the last year. Haven't touched it since Nov though
  • 0

#19 Xellie

Xellie

    Valkyrie

  • RO Fungineering
  • 18610 posts
  • Twitter:@nekoxellie
  • LocationValhalla
  • Playing:Ragnarok Online
  • Server:Europe ban!

Posted 02 February 2011 - 06:35 PM

If you know what the passwords are that were a year old and are able to check that why don't you add a check into the password update form on the site so it goes "ERROR: YOU USED THIS PASSWORD BEFORE, IDIOT" ?
  • 0

#20 GuardianTK

GuardianTK

    They pay me to post.

  • RO Fungineering
  • 9388 posts
  • LocationIn a certain mansion
  • Playing:Nothing
  • Server:Chaos Renewal + Odin

Posted 02 February 2011 - 07:07 PM

If you know what the passwords are that were a year old and are able to check that why don't you add a check into the password update form on the site so it goes "ERROR: YOU USED THIS PASSWORD BEFORE, IDIOT" ?

The day they add "IDIOT" to an error description is the day I'd do it on purpose just to see it in order to crack myself up. xD
  • 0

#21 Xellie

Xellie

    Valkyrie

  • RO Fungineering
  • 18610 posts
  • Twitter:@nekoxellie
  • LocationValhalla
  • Playing:Ragnarok Online
  • Server:Europe ban!

Posted 02 February 2011 - 07:18 PM

Me too, me too.
  • 0

#22 LethalJokeChar

LethalJokeChar

    Amateur Blogger

  • Members
  • 322 posts
  • Playing:Nothing

Posted 02 February 2011 - 07:41 PM

Hey, what are they doing storing all your old passwords anyway? Trying to put together a nice database that is too irresistible for all the hackers in the world to not try to steal it?
  • 1

#23 aurum

aurum

    Amateur Blogger

  • Members
  • 326 posts

Posted 02 February 2011 - 08:12 PM

if you're only changing passwords that are over a year old, and you did the last forced password change in october, how can people currently have a password that's over a year old?

so no change if less than 1 year?
  • 0

#24 Heimdallr

Heimdallr

    Too Legit To Quit

  • Community Managers
  • 3654 posts
  • Playing:Ragnarok Online

Posted 02 February 2011 - 08:13 PM

1st off the passwords are heavily encrypted and salted. I have no idea what your PW is, no one here does. But we can tell if 2 hashes are the same as it was before.

As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.

Basically if you are using the password you used at the end of 2009 you are going to get changed.
  • 0
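An added example, not part of any post in this thread and not WarpPortal's code: a password-history check done at change time without keeping any plaintext. It assumes PBKDF2 with a fresh random salt per stored record, so two records of the same password have different hashes and the candidate has to be re-hashed under each old salt; the function names, dates and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor

def make_record(password, changed_on):
    """Store only salt, hash and the date the password was set."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "changed_on": changed_on}

def matches(record, candidate):
    """Re-hash the candidate under the record's own salt and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def reused_from(records, candidate):
    """Return the changed_on date of the first matching record, else None."""
    for record in records:
        if matches(record, candidate):
            return record["changed_on"]
    return None

def change_password(account, new_password, today):
    """Refuse a password that equals the current one or any retained old one."""
    hit = reused_from(account["history"] + [account["current"]], new_password)
    if hit is not None:
        return False, "password was already used on this account (set %s)" % hit
    account["history"].append(account["current"])
    account["current"] = make_record(new_password, today)
    return True, "password updated"

if __name__ == "__main__":
    # Constructed sample account: password last set at the end of 2009.
    acct = {"current": make_record("winter2009", "2009-12-01"), "history": []}
    print(change_password(acct, "Tr1cky-New-One", "2010-10-15"))
    print(change_password(acct, "winter2009", "2010-11-01"))
```

The retained history is itself a set of password hashes, so it needs the same protection and work factor as the live credential table.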

#25 meoryou2

meoryou2

    Too Legit To Quit

  • Members
  • 1176 posts
  • LocationAFK in Ymir pront
  • Playing:Ragnarok Online
  • Server:Ymir

Posted 02 February 2011 - 09:06 PM

1st off the passwords are heavily encrypted and salted. I have no idea what your PW is, no one here does. But we can tell if 2 hashes are the same as it was before.

As far as the system denying you to reuse passwords, we are currently working on that functionality. It is not in the immediate update plans though, but is in the work list.

Basically if you are using the password you used at the end of 2009 you are going to get changed.



This is retarded. Stop trying to be "big brother" and cram crap down your users' throats. All you are going to do is piss off users that have secure passwords, by making them change to a less secure password. If you know you are going to have to change again in 6-12 months 90% of people will NOT make a secure password that is harder to remember and motor train yourself to type.

Plenty of other people have tried this password enforcing, including businesses, and found it more detrimental than letting users control when they wished to change. The only way you can be helpful is REQUIRE alphanumeric passwords, preferably with a lookup on creation to see if it is too close to a dictionary word.
  • 0



