#1
Password Recovery suggestions!! Open discussion
--------------------------------------------------------------------------------
Rogean said:
I've been asking for recommendations on what a good system for password recoveries would be. Maybe I should make a thread about it.. there's too much to take into consideration, ugh.
Let's make this happen, post ideas here!
#2
We miss Slapen
FREEEEEEEE the gnome!
Tie password recovery back to the email account used to create the login server account over at EQEmulator? Move characters off of the locked out account onto a whole new account? ++
__________________
❤ Z A R A H ❤
#3
I think having about 2-4 security questions would be a good way to verify the original owner of the LS account. Maybe have some way to reset the LS password after the security questions are answered correctly. I know in the Coast Guard we use a tool to do a simple right click, and reset PW for users who have locked themselves out of their account.
But, I know something sweet and simple is ideal.
__________________
Durison - 60 Extinct Warlord
#4
Minten
The only problem I see with simply making the PW "reset" to the original email is all the accounts that have been sold over the last year. The original owners can at any time come back and simply retake the character. I propose the following:
An in-game message allowing people temporary time to change their email for individual LS login accounts. Or assign an email to each LS account. Then after the week/two week time period simply have a "reset" feature on the website.
ANOTHER idea: Donation basis resets. Have a guide handle all resets (confirming current owners using IP or questions). When the owner is confirmed you pay nilbog and co. for their time to reset or a copy of your account onto a new account, and delete the old. I would say 40$ is a fair amount.
These are just ideas. I am currently in the same boat as you, Slapen. I can't remember my PW and am dying to play on my toon again!
#5
Any sort of $$ payment is not going to fly I bet. Too many legal issues...
This is a good idea though, since basically you are screwed if you don't remember. An idea I like is having a password "reminder" field that contains a word or phrase that helps jog your memory. Whenever you make/change a password you are required to fill in this field as well, and the field cannot equal the password. Then if you have been gone or forgot or something you can click a button on eqemu website and it shows you your reminder phrase. Example:
Change Password
Old Password: XXXXX
New Password: 205Elm
New Password Again: 205Elm
Reminder phrase: home address
#6
Quote:
Yea this is me, completely screwed because I took a break and forgot my password. Sucks that I can't remember it. But I know I can't be the only one, and from the replies and other posts I am not the only one.
#7
Something that involves the user's e-mail address would probably be ideal. That's as secure as you can make it; if somehow they got both their EQEmu forum account and their e-mail hacked, well, they're screwed in more ways than just their EQEmu account.
To change a LS login you require your current EQEmu forum password + a link is sent to the registered e-mail address with a token to confirm. To change an EQEmu forum account e-mail address you require current e-mail address sent a token + new email address sent a verification + current password.
#8
Except if someone gains access to an eqemu forum account, they can just change the email address on it and then request the password for the loginserver account which would be sent to the new address they just changed the eqemu account to. So that doesn't help at all.
We need options that solve the problem for current issues of recovering login accounts. Any suggestions about asking new questions on registration are not helping this situation. We need a way to verify the real original owner of an eqemulator account and/or loginserver account. (And personally, I'm not too worried about people that sold their accounts.. We don't support those sales and we shouldn't have to).
#9
Quote:
Hacker gains access to EQemu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).
Hacker tries to change e-mail address of current EQemu account -> e-mail sent to current e-mail account to confirm.
In all of this he needs the current e-mail account to do anything, right? I know you were worried about vulnerabilities in vBulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the user's responsibility and if they use the same password for everything and get hacked or downloaded a trojan or a million other things you shouldn't have to plan around it. If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of any way to verify the original owner or protect them. Tough cookies I guess, but there has to be a cutoff point somewhere, right?
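The token flow that posts #7 and #9 describe, as an added example that is not part of the thread or of EQEmulator's code: a change of e-mail address takes effect only after a single-use token, mailed to the address currently on file, is redeemed. The `Account` class, the function names and the 15-minute lifetime are hypothetical, and the forum-password check from post #7 is assumed to have already passed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds


class Account:  # hypothetical stand-in for a forum account record
    def __init__(self, email):
        self.email = email
        self.pending = {}  # purpose -> (sha256 of token, expiry, payload)


def issue_token(account, purpose, payload=None, now=None):
    """Create a single-use token; return (recipient, token) for the mailer."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    account.pending[purpose] = (digest, now + TOKEN_TTL, payload)
    # Mailed to the address currently on file, never to a requested new one.
    return account.email, token


def redeem_token(account, purpose, token, now=None):
    """Return the stored payload for a valid token, else raise PermissionError."""
    now = time.time() if now is None else now
    # pop() makes the token single-use; a wrong guess also cancels the request.
    entry = account.pending.pop(purpose, None)
    if entry is None:
        raise PermissionError("no pending request")
    digest, expiry, payload = entry
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(digest, supplied):
        raise PermissionError("invalid or expired token")
    return payload


def request_email_change(account, new_email, now=None):
    return issue_token(account, "email_change", new_email, now)


def confirm_email_change(account, token, now=None):
    # The address changes only after the current mailbox proves control.
    account.email = redeem_token(account, "email_change", token, now)
    return account.email
```

Only the SHA-256 digest of the token is stored, so a read-only leak of the pending table does not hand out usable reset links.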
#10
Quote:
I thought the issue was lost login server account passwords. There is no way to recover those either. I guess, if you have access to the eqemu account you should be able to easily reset those passwords from there with just a click that emails a new random password that can then be changed with the existing tool.