Eternal Lands Official Forums


Basically it goes like this.

The reason I think that password changes by mods for in-game characters were stopped was because there was no way to know for sure if a person is the character they claim to be.

I was thinking that an in-game character should have to have an email address with it, so that an automated system could send a new password to someone who has lost the password for their character.

How would the retrieval system work?

- Via a web page that requires a forum account to get into it

- Send a validation email to the email address for that account

- - Only when the validation link is clicked will the password be activated for them

- - - I think a newly generated password would be better from a security standpoint

- It should also be limited to once per 24-hour period to prevent mass spamming of the server

 

Though I'm not saying implementing this will be easy to do.

- It has to be able to have the server send a validation email to check if the address is valid. Though I guess technically it does not have to, since the person would be able to use the function if it is not valid.

- It has to be able to have a function on the web page that, when activated, sends a new password to the email account.

- Then everyone has to put an email address in for their character.

Edited by jamesvm


Such a system would not be difficult to write: whenever a user logs in, send a message saying

Hello <name>, for security reasons we request a valid email address from you. You do not need to give us this information, but failure to do so means we will not return your password should you lose it.

 

Please type #myemail <address> eg #myemail test@eternal-lands.com

 

We will then send you an email to this email address. Inside the email is a link, please click the link to verify your details.

 

Eternal Lands will not use this email address for any reason other than password recovery.

 

If you do not wish to disclose your email address, type #noemail and this message will not appear again, although you can still type #myemail <address> at any time in the future.

 

If at any point you change your email address, you can type #myemail <address> and the system will automatically restart the verification process.

 

There are 2 new commands required:

#myemail <address> and

#noemail

 

#myemail will need to trigger an email to <address> with a randomly generated key, and a timeout window (a good figure would be 2 days, the same as the forum)

 

#noemail will clear any existing email address if one exists

 

Entering any one of the commands will stop the message appearing at login.

 

I foresee the question in the help channel, but as everyone gets the message at login it won't be that hard to find people that know what to type when people put #noemail and want to know how to change it, or vice versa.

Edited by LabRat


Good idea.

How would the password retrieval system work then? From the game client, or from the website? Would it send the current password by email, or randomly generate a new one and then send it?


It couldn't work ingame as the only time you'd need it is if you don't already have it - and if that was the case you wouldn't be playing.

 

It would have to be on the EL website, a new link for "Forgotten Password", which would prompt for the playername, check to see if that player has registered and activated an email address and if so send the password, otherwise display a "you didn't register or validate an email address for this account".

 

Whether it sends the old password or a new random one is pure semantics and depends on the whim of the dev at the time.

 

Addendum to the above line:

It should really send the old password - I can see instances of ebul players requesting password resets of players that keep lagging out - suddenly the laggy player can't log in because the server has changed his password, and then the forums get a nice post about someone hacking their account.

Edited by LabRat


Addendum to the above line:

It should really send the old password - I can see instances of ebul players requesting password resets of players that keep lagging out - suddenly the laggy player can't log in because the server has changed his password, and then the forums get a nice post about someone hacking their account.

The point of the system is that the email account has to be theirs to get the password.

The lost password function would be on a web page; when the user puts their name in, it will send them an email with their new password, and they have to log into the forums to even use this function. Then they have to be validated by a link which goes to a page that validates the request, saying the person really wants to reset.

 

LabRat, that is kind of a decision up to the dev team, since this system has to make sure from a security standpoint that it does not open up a new hole into the server.

 

The reason it should be implemented is that it makes it more friendly to players and new ones. It reduces having 10,000 no-longer-used characters because the password was forgotten.

 

Due to questions that have come up I have edited the original, though I have to say the exact implementation of this would have to be thought through by whoever codes it, as they have to think security-wise with the skills they have.

 

As for this feature in the client, I would say no to that, since it is open source, which makes it easy to try to take advantage of it.

Edited by jamesvm


Ok, let me try and work this lot out...

The point of the system is that the email account has to be theirs to get the password.

The point of the system is that the email account has to be theirs for the password to be recovered. I got that much already.

The lost password function would be on a web page; when the user puts their name in, it will send them an email with their new password, and they have to log into the forums to even use this function. Then they have to be validated by a link which goes to a page that validates the request, saying the person really wants to reset.
Yup I covered that too. There is no point to logging into the forums just to do that, hence it being on the eternal-lands website itself, not the forum.

 

LabRat, that is kind of a decision up to the dev team, since this system has to make sure from a security standpoint that it does not open up a new hole into the server.
The addendum to my post stated exactly why it should send the original password rather than generate a new password.

 

The reason it should be implemented is that it makes it more friendly to players and new ones. It reduces having 10,000 no-longer-used characters because the password was forgotten.
If you have already forgotten the password it is already too late for that account, at least until such a system is in place and you remember the password up to that point. If you don't know the password right at this moment in time, 15 December 2006 - you will never recover it. So those 10,000 lost characters will remain lost until they get purged from the database.

 

Due to questions that have come up I have edited the original, though I have to say the exact implementation of this would have to be thought through by whoever codes it, as they have to think security-wise with the skills they have.
If the devs that have access to the server wanted to get access to your account then this system would not be necessary for them to do it - they can (but don't) do anything they want with any character they want.

 

As for this feature in the client, I would say no to that, since it is open source, which makes it easy to try to take advantage of it.
You really have no idea how the software works do you? Only the client is open source, and all the client would do would be to send a packet "[RAW_TEXT][length]#myemail email address", just like it does for #storage, #beam me and numerous other commands. That is not a security risk - the actual execution code is server side not client side.

 

Hope that clarifies the matter for you. If not, feel free to PM me ingame and I'll try to explain further (although to be honest it would be a pointless exercise explaining to an end user how it would work - after all do you need to know how a television works to be able to watch a cartoon? All you really need to know is how to switch the TV on, how to select the channel and set the volume.)

Edited by LabRat


First, I actually do know how internet connections work; it's just that at the moment I was not fully thinking it out.

 

PS: Liber, please delete the content, since it should have been a PM to him.

Edited by jamesvm


Mods: feel free to delete this post, and JamesVM's (post #9)

 

I in no way insulted you - I offered to explain more fully but then said doing so would be pointless. I was showing the reasoning behind my reply with the bit about watching TV, not telling you to go and do it.

 

I understand you having problems with English, and have not taken your post into account, my offer to explain it still stands.


This has nothing to do with being hacked, this has to do with forgetting your password. After all, you really should use a different password for each email address, forum, online game character, system login, bank account info etc. Passwords should also be changed monthly at the very least.

 

With the possible number of passwords (none of which should be ever reused), forgetting one is an all too real possibility.

It would have to be on the EL website, a new link for "Forgotten Password", which would prompt for the playername, check to see if that player has registered and activated an email address and if so send the password, otherwise display a "you didn't register or validate an email address for this account".
although it's also more work, checking that they haven't logged on for a while (say, a day, at least) and they haven't recently requested a password reset would be good too
Whether it sends the old password or a new random one is pure semantics and depends on the whim of the dev at the time.

 

Addendum to the above line:

It should really send the old password - I can see instances of ebul players requesting password resets of players that keep lagging out - suddenly the laggy player can't log in because the server has changed his password, and then the forums get a nice post about someone hacking their account.

no, neither is a good idea. it should send that session key thingy in a link in the email. once that gets back to the server, they can then change the password.

until they've proven they're the one behind the email address, there is no password involved at all.

ideally, this would be a https link and only to set a new password, since in ideal security you have heavily hashed passwords (i.e., for the non-coders: no-one can turn what's stored on the server back into the password... but you can turn incoming passwords into the hashes stored on the server)... but at the least, you shouldn't send passwords by email


but at the least, you shouldn't send passwords by email

 

Yea... you never know when you have email hackers or such

Yea... you never know when you have email hackers or such
1: to everybody, stop calling crackers and script kiddies hackers. hackers have maturity and skill. the wannabes using the name don't. and don't listen to the media, because they're clueless on the issue as well, and anything scary, like the script kiddies, is a better story than competent people

to perpetuate this means you're demonstrating lack of knowledge. which is a bad idea when the script kiddies are watching (they don't know much, but they can cause trouble)

2: email is inherently insecure, and is usually open for others to read (if you're at work, or school, check your IT policy, because the IT admins probably have the rights to read your email. similar may go for other email providers). the connections between you and the server may also be watched. if there are any limitations on your email use, then it's being checked as stuff goes through. and quite possibly it's being logged even if you don't see any evidence. a secure HTTP connection doesn't leave much open except at either end. the middle is secure. the same is not true with email

3: a good design makes security relatively easy. making a good design is a bit more work at the start, but is generally also easier to maintain

4: for people worried about security, you always have to assume someone more skilled than you will, sooner or later, try to breach security. and they only have to get lucky once (unless you have security in depth). best to plan for this, and mitigate it. if EL's server is breached, it's game over anyway. if someone manages to get into your gmail/etc, then how much has the system allowed them to see? saved messages with a time-limited password reset code aren't as bad as a new password

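A worked sketch of the design these replies converge on: LabRat's #myemail verification with its 2-day window, the once-per-24-hours limit from the opening post, and, instead of an emailed password, a hashed, single-use, time-limited reset link that only lets the requester set a new password. This is added example code, not anything from the Eternal Lands server; the in-memory tables, the one-hour link lifetime, the PBKDF2 password hashing and the function names are assumptions.

```python
import hashlib
import secrets
# Constructed in-memory stand-ins for the account and token tables (assumption).
ACCOUNTS = {}  # name -> dict(email, verified, salt, pw_hash, last_reset)
TOKENS = {}    # sha256(token) -> dict(name, purpose, expires)
VERIFY_WINDOW = 2 * 86400  # 2-day verification window, as proposed in the thread
RESET_WINDOW, RESET_RATE = 3600, 86400  # link lifetime (assumed); one request per 24h

def hash_password(password, salt):  # salted slow hash; the server never holds the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _issue_token(name, purpose, ttl, now):
    token = secrets.token_urlsafe(32)  # goes into the emailed https link
    # Only the token's hash is stored, so a leaked table yields no usable links.
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "name": name, "purpose": purpose, "expires": now + ttl}
    return token

def _consume_token(token, purpose, now):
    rec = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    ok = rec is not None and rec["purpose"] == purpose and now <= rec["expires"]
    return rec["name"] if ok else None

def create_account(name, password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[name] = {"email": None, "verified": False, "last_reset": -RESET_RATE,
                      "salt": salt, "pw_hash": hash_password(password, salt)}

def myemail(name, address, now):  # #myemail <address>: (re)starts verification
    ACCOUNTS[name].update(email=address, verified=False)
    return _issue_token(name, "verify", VERIFY_WINDOW, now)

def verify_email(token, now):  # target of the link in the verification mail
    name = _consume_token(token, "verify", now)
    if name is not None:
        ACCOUNTS[name]["verified"] = True
    return name is not None

def request_reset(name, now):  # the website's "Forgotten Password" form
    acct = ACCOUNTS.get(name)
    if acct is None or not acct["verified"] or now - acct["last_reset"] < RESET_RATE:
        return None  # same outcome for every failure, so nothing is revealed
    acct["last_reset"] = now
    return _issue_token(name, "reset", RESET_WINDOW, now)

def complete_reset(token, new_password, now):  # target of the link in the reset mail
    name = _consume_token(token, "reset", now)
    if name is not None:  # valid, unexpired, unused link: re-salt and store the new hash
        salt = secrets.token_bytes(16)
        ACCOUNTS[name].update(salt=salt, pw_hash=hash_password(new_password, salt))
    return name is not None
```

Nothing that reaches the mailbox can log a player in by itself: an intercepted link is worthless once used or expired, and the stored hashes cannot be turned back into either the token or the password.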
