Robbed Account

[loftar]

Add system, when logging on new IP you gotta do some crazy stuff such as verifying it via email.

No, this is completely onerous. Just think about accesses from school/work, or having a dynamic IP at home or whatnot. A procedure like this just assumes account-theft by default, and honestly it's not so common that I want to compromise the default experience just because of it.

About changing mail: the 'mail the old account with yes/no links and if no answer within 7 days assume yes as default' looks like a good solution unless one knows that someone is on holiday. So it should only work while being logged into the account and impossible to trigger for a lost password case.

Naturally, it is already only possible to change e-mail addresses when logged-in, so I don't see that being an issue. :)

It also could be a good meachanic to separate the 'master' (=forum) account from the game login

That seems much too formalized for the standard use-case to me. That's not to say that I haven't considered formal mechanics for sharing characters between accounts, but it hasn't been a huge priority. I'll see if I get around to it.

[loftar]

I've stopped playing 3 months ago I'd say. And got back into the game yesterday.

Then I've logged in the forums a few times during this period, 88.171.xxx.xxx is my IP.

It seems to me that you stopped playing on Oct 15. Then, on Oct 29, a Slovenian IP logged into your account. He logged pretty much right into it with only one failed password attempt, so it is clear that he knew the password rather than guessed it. If you're really sure that you never shared your password with anyone (color me doubtful), I can only assume a keylogging client.

[ewlol]

What about requiring a PIN to change core account details, like password and email? Or a security question?

[loftar]

What about requiring a PIN to change core account details,

That's kinda the purpose the password is supposed to serve. ^^

[ewlol]

What about requiring a PIN to change core account details,

That's kinda the purpose the password is supposed to serve. ^^

If your password is compromised, then what? It's just a secondary line of defense, I guess.

If a PIN check is added (solely) to changing core account information, then people with keylogged clients or those who share their accounts and regret it later will have an extra layer of security, yes?

[Mernil]

So I had a little chat with the account borrower.
For the story, I've given the man an other account, on may 2014 (with login / password), he asked me for it and I wasn't playing, so I gave him.
Then, later, I've made myself a new one to play again, but used the same password I always use on H&H .
Later, the guy apparently looked for other accounts of mine on the forum found this one, and tried the password I gave to him earlier, and he was in...

So I've made a mistake and now, obviously, I've changed my password.
Though, taking advantage of something I gave willingly to sneakily access my other accounts is not nice.
But then my main didn't die in the process, and have been well kept. So all in all it's not that wicked neither.

Now this is still my account, and I'm having it back.
And that's still my characters so I'll also keep what's on them (as he kept what was on them when he "took" them for himself).

So yes, case closed I guess.

[mvgulik]

For the story, I've given the man an other account, on may 2014 (with login / password), he asked me for it and I wasn't playing, so I gave him.

I was wondering when that might pup up. (As I had seen you say you gave a account away in a other post)

Which made me also wonder if you might have used the same password for both account. ...

Then, later, I've made myself a new one to play again, but used the same password I always use on H&H .

And so its a other case directly related to unsecured user behavior.

People!
Use some password tool to store and generate your passwords!!! ... Good passwords, no mixups/hickups/etc, and still no need to remember more than one password. (And a good secure USB stick if you like to carry your passwords around with you.)

[borka]

So yes, case closed I guess.

That simple Mernil ?!? Guess you forgot about something:

Sorry, I killed the animals it helped me think about what was going on.

Hope you solve that too please ...

[Mernil]

Hope you solve that too please ...

Yes I'll give these guys a hug next time I see them.

[Senviro]

Woe is me. I'm late, as usual.

Send me a PM, Mr. Mernil.