  #9  
05-04-2011, 10:04 AM
naekko
Aviak


Join Date: May 2010
Posts: 55

Quote:
Originally Posted by Rogean
Except if someone gains access to an eqemu forum account, they can just change the email address on it and then request the password for the loginserver account which would be sent to the new address they just changed the eqemu account to. So that doesn't help at all.

We need options that solve the problem for current issues of recovering login accounts. Any suggestions about asking new questions on registration are not helping this situation. We need a way to verify the real original owner of an eqemulator account and/or loginserver account. (And personally, I'm not too worried about people that sold their accounts.. We don't support those sales and we shouldn't have to).
Sorry, I'm a little slow Rogean! How do they change the e-mail address on the EQEmu account if you require them to click a link on the current e-mail address to change it?

Hacker gains access to EQemu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).

Hacker tries to change e-mail address of current EQemu account -> e-mail sent to current e-mail account to confirm.

In all of this he needs the current e-mail account to do anything, right? I know you were worried about vulnerabilities in vBulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the user's responsibility and if they use the same password for everything and get hacked or downloaded a trojan or a million other things you shouldn't have to plan around it.

If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of any way to verify the original owner or protect them. Tough cookies I guess, but there has to be a cutoff point somewhere, right?