Project 1999

  #11  
05-04-2011, 10:23 AM
Droop
Sarnak

Join Date: Jun 2010
Posts: 211

Didn't EQLive have a master email address that, no matter what, the original e-mail address owner from when the account was created could get the acct info back?
__________________
Officially the worst rogue ever.
Reply With Quote
  #12  
05-04-2011, 10:35 AM
Kruel
Sarnak

Join Date: Jul 2010
Posts: 356

So if we made an area just for LS server email address and made an announcement via in game text when logging in or an email to an active p99 account saying to add an email to their LS account that should work.
When logging into EQEmu and under LS accounts they can just click to add an email. And in case of hacks to the EQEmu account in general you can only display the first couple letters of the email account used for that LS account. In order to change the email account they need to confirm the current PW. IMO if someone doesn't have access to the original email and also doesn't have access to the current PW they aren't the account holder. If you have the current PW, well, then you can log in and play. If you have the original email the account was made under... then it's your account. Nobody should be able to figure out your email address off a video game as well as your current PW.
Reply With Quote
  #13  
05-04-2011, 10:41 AM
Rogean
¯\_(ツ)_/¯

Join Date: Oct 2009
Location: Massachusetts
Posts: 5,381

Quote:
Originally Posted by naekko
Sorry, I'm a little slow Rogean! How do they change the e-mail address on the EQEmu account if you require them to click a link on the current e-mail address to change it?

Hacker gains access to EQemu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).

Hacker tries to change e-mail address of current EQemu account -> e-mail sent to current e-mail account to confirm

In all of this he needs the current e-mail account to do anything, right? I know you were worried about vulnerabilities in vBulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the user's responsibility and if they use the same password for everything and get hacked or downloaded a trojan or a million other things you shouldn't have to plan around it.

If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of any way to verify the original owner or protect them. Tough cookies I guess, but there has to be a cut off point somewhere, right?

The email address for an eqemulator account can be changed without requiring any confirmation; that's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.
__________________
Sean "Rogean" Norton
Project 1999 Co-Manager

Project 1999 Setup Guide
Reply With Quote
  #14  
05-04-2011, 10:51 AM
Kruel
Sarnak

Join Date: Jul 2010
Posts: 356

Another idea (not that the GMs don't have enough to do) is to take it on a case by case basis.. Rogean / nilbog have a master email list.. in order to get the account back you have to email them the email address used to make the char, as well as all the characters on the p99 account? Just spitballin =P

Do it in waves similar to the IP exemption.
Reply With Quote
  #15  
05-04-2011, 11:32 AM
slapen
Banned

Join Date: Jul 2010
Posts: 69

Then stick with how EQ Live does it... master email when you make the account; if you want to change that you must always have access to that master email or remember the PW. You could also set it up so when you go to change the email it will send an email to the current one and you have to click a link in that email showing it's your account.
Reply With Quote
  #16  
05-04-2011, 11:45 AM
naekko
Aviak

Join Date: May 2010
Posts: 55

Quote:
Originally Posted by Rogean
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.

I understand, but that's the modification to vBulletin / EQEmu I'm suggesting. Instead of just sending an e-mail to the new address to change your e-mail, make it send it to the old and new address. This stops any hacking attempt unless the hacker has both access to the EQEmu account and email account.

It could pose a problem if a user somehow loses access to their e-mail account, but these days that's pretty rare. Hotmail, Yahoo, Gmail all have tools to recover lost e-mail passwords and they don't delete accounts, ISPs give ample warning before they cut off access to e-mails, etc. And even in that instance unless you lose access to your e-mail account AND get your EQEmu account hacked you should be fine.

I think it's the best compromise unless modifying vBulletin's password recovery is too much of a hassle.
Reply With Quote
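
The change suggested in post #16 (confirm at both the old and the new address before the e-mail on file changes), as an added example that is not part of the thread and is not vBulletin or EQEmu code. The class, the in-memory stores, the outbox standing in for a mailer and the one-hour token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a pending change, in seconds


def _digest(token):
    # Only hashes are stored, so a leaked pending table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeFlow:
    """Hypothetical flow: the address changes only after BOTH mailboxes confirm."""

    def __init__(self, accounts):
        self.accounts = accounts  # {username: e-mail currently on file}
        self.pending = {}         # {username: pending-change record}
        self.outbox = []          # (recipient, token) pairs; stand-in for a mailer

    def request_change(self, user, new_email, now=None):
        now = time.time() if now is None else now
        tokens = {side: secrets.token_urlsafe(32) for side in ("old", "new")}
        self.pending[user] = {
            "new_email": new_email,
            "expires": now + TOKEN_TTL,
            "hashes": {side: _digest(tok) for side, tok in tokens.items()},
            "confirmed": set(),
        }
        self.outbox.append((self.accounts[user], tokens["old"]))
        self.outbox.append((new_email, tokens["new"]))

    def confirm(self, user, token, now=None):
        now = time.time() if now is None else now
        req = self.pending.get(user)
        if req is None or now > req["expires"]:
            self.pending.pop(user, None)  # expired requests are discarded
            return "rejected"
        for side, stored in req["hashes"].items():
            if hmac.compare_digest(stored, _digest(token)):
                req["confirmed"].add(side)
                break
        else:
            return "rejected"             # token matches neither mailbox
        if req["confirmed"] == {"old", "new"}:
            self.accounts[user] = req["new_email"]
            del self.pending[user]
            return "changed"
        return "waiting"                  # one mailbox has not confirmed yet
```

An account holder who has lost the old mailbox cannot complete this flow and needs a separate recovery path, such as the case-by-case review suggested in post #14.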
  #17  
05-04-2011, 01:34 PM
Kruel
Sarnak

Join Date: Jul 2010
Posts: 356

Honestly someone be our hero and help with PW recoveries!! I love you lon time.
Attached Images
File Type: jpg hero.jpg (34.2 KB, 127 views)
Reply With Quote
  #18  
05-04-2011, 01:44 PM
dredge
Banned

Join Date: Nov 2010
Posts: 577

.
Last edited by dredge; 12-12-2012 at 10:46 PM..
Reply With Quote
  #19  
05-04-2011, 01:48 PM
Kruel
Sarnak

Join Date: Jul 2010
Posts: 356

Quote:
Originally Posted by dredge
Everyone should write their password on a postcard and send them to Santa at the North Pole, then when you lose it you can just ask for it back for X-Mas.

Honestly if Santa helped me recover my PW I would kiss him passionately.. oh so softly.
Reply With Quote
  #20  
05-04-2011, 02:19 PM
naekko
Aviak

Join Date: May 2010
Posts: 55

I'm really against anything that allows users to change their passwords in-game (via a command in chat or something). I give out my password to a lot of people I know in-game (so they can log in my cleric at Seb entrance and res their group if they need to, etc.) and I like the separation of EQEmu and loginserver. It means they can't ever change my password and take off with my character.

I hope we maintain that separation in any system Rogean decides on. It's superior to any of the MMOs out there where giving your login means possibly losing your account if you're not careful.
Reply With Quote
All times are GMT -4.