Robbed Account

[Rodimus]

Always change password after leaving the game. No one knows when you return back.

[Mernil]

Loftar, do you log connections to game accounts?

Could you describe the timeline more precisely, please? Like, when did you stop playing, when did you come back, &c&c?

I've stopped playing 3 months ago I'd say. And got back into the game yesterday.

Then I've logged in the forums a few times during this period, 88.171.xxx.xxx is my IP.

[Granger]

@Loftar: a more detailed list of logins (say: last 10 or 20, together with ip) in the account page could help the user to spot foreign logins.

Because in case you login and find something strange happened ingame you can't go back in time to see when the last login was (to remember stuff like: 'oh yes, i came back from the bar that night and i...') since you'll currently only see the last (current) one.

About changing mail: the 'mail the old account with yes/no links and if no answer within 7 days assume yes as default' looks like a good solution unless one knows that someone is on holiday. So it should only work while being logged into the account and impossible to trigger for a lost password case.

It also could be a good meachanic to separate the 'master' (=forum) account from the game login:

• have a single account which is used to access the forum and character management
• create new characters (in terms of 'alt') and a login token (pure random and long enough not to be hackable by brute force) for them on the website, with the option to create a new token (invalidates the current one) for a character
• in the client the login token gives access to just the one ingame character, for your webstart client you could have a 'play' link on the characters page on the website (which hands the token to the java client, for custom clients the authors will certainly figure out something creative - or maybe you supply an option to set a path to a .jar on-disk which will get it as a parameter)
• no per account limit on characters online

Upsides:

• keylogging in custom clients couldn't compromise master account
• ingame character creation room would have no runestone clutter (or unreachable ones because they extend into the void) since a maximum of one (for direct ancestor, if any) could be there
• character sharing (which will happen anyway, even should village management be upgraded massively) is more secure (since it's on character, not account, basis)
• multi-alting (which will most likely happen anyway and is impossible to police) would no longer eat forum nicks, so easier for new players to find one

[shubla]

Add system, when logging on new IP you gotta do some crazy stuff such as verifying it via email.

[Mernil]

Add system, when logging on new IP you gotta do some crazy stuff such as verifying it via email.

This idea is pretty simple to realize and would be very efficient, I like it.

[RustyBuckitt]

Just Figured I'd add some stuff.

For secure Passwords, check this video out:
https://www.youtube.com/watch?v=hYyWgPXfx9U

And as for security, why not have a security question?

Example:

Q: Favorite Book Author's First name.

A: Christopher

It has to be something that you'd be able to keep from being easy to breech, or something that you'd easily be able to realize. Like your friend asking you a ton of stupid questions out of "Curiosity," and you'd easily be able to catch on.

A list of some:
Q: Favorite Book Author's First name.
Q: Favorite Movie Director's Last name.
Q: Favorite Game Dev's Name (Don't pick Jorbtar).
Q: Favorite Cartoon Animator's First Name.

[adyroty]

not 100% sure if this is the one, but a friend told me that someone gave the account to care for him, and now accused of stealing account.He disconnected quickly and we have not discussed much, but I think that is the case below

Literally all account issues I deal with end up in one of these cases:
[list][*]Shared accounts (this is 90%+ of issues).

[borka]

Add system, when logging on new IP you gotta do some crazy stuff such as verifying it via email.

Ever heard of IP might change when Providers give you a new after 24hours forced net separation or when your DSL or broadband fails and 3G failover gets used by router or people rely on proxies ?!? So IP check wouldn't work ...

[shubla]

Add system, when logging on new IP you gotta do some crazy stuff such as verifying it via email.

Ever heard of IP might change when Providers give you a new after 24hours forced net separation or when your DSL or broadband fails and 3G failover gets used by router or people rely on proxies ?!? So IP check wouldn't work ...

Well. Who cares? Then you can verify it everytime.

[borka]

yeah i guessed that you don't care about others - it's prolly well known by forumers ...