Graal Forums  

  #16  
Old 10-03-2006, 09:40 PM
konidias
Old Bee
Join Date: Jul 2001
Location: Orlando, FL
Posts: 7,222
I'm not liking this for the security issue it poses.

I always liked that the forum pass and account pass could be different. Because there seem to be many more ways to get your account pass stolen. For example, if someone obtained your graal account pass and e-mail, you could have the forum account linked to a different pass and e-mail, and then private message an admin to try and help you get your account back.

Also if someone gets your graal account pass, now they could come on the forum and post a bunch of spam or porn or whatever and get your forum account banned really fast. =/
  #17  
Old 10-03-2006, 09:44 PM
Skyld
Script-fu
Join Date: Jan 2002
Location: United Kingdom
Posts: 3,914
They are meant to be linked anyway, just like Graal.net is, and the Wiki is.
  #18  
Old 10-03-2006, 09:45 PM
WanDaMan
Master Tux
Join Date: Aug 2002
Location: England, United Kingdom
Posts: 5,571
Woah, that's a huge flaw. Listen to Konidias!
__________________
V$:CONFL16T
  #19  
Old 10-03-2006, 09:50 PM
Damix2
RED SQUARE CLUB
Join Date: Nov 2003
Location: NY-what's better?
Posts: 3,577
Excellent, we can start a loriel-esque way to not only get forum passwords but now graal passwords as well!
  #20  
Old 10-03-2006, 10:38 PM
unixmad
Administrator
Join Date: Mar 2001
Location: Paris
Posts: 695
I don't see any security issues:

If your graal password is stolen you can get it changed by the password changer in 30 seconds, you can also request by the support center giving your payment reference ID.

There are no reasons to get your graal password stolen, graal passwords are really random and they are really secure, we don't store them unencrypted and they are also salted.

We want to stop account sharing so it will be another good reason to not share his/her account to not have someone posting using your name...

Quote:
Originally Posted by konidias View Post
I'm not liking this for the security issue it poses.

I always liked that the forum pass and account pass could be different. Because there seem to be many more ways to get your account pass stolen. For example, if someone obtained your graal account pass and e-mail, you could have the forum account linked to a different pass and e-mail, and then private message an admin to try and help you get your account back.

Also if someone gets your graal account pass, now they could come on the forum and post a bunch of spam or porn or whatever and get your forum account banned really fast. =/
  #21  
Old 10-03-2006, 10:48 PM
Googi
A Serious Epidemic
Join Date: Oct 2001
Location: Canada
Posts: 18,866
Quote:
Originally Posted by unixmad View Post
and they are really secure
Which is why we just had to change them.
  #22  
Old 10-03-2006, 10:57 PM
Darlene159
Administrator
Join Date: Aug 2001
Location: Florida
Posts: 12,470
Random, auto-generated passwords are a good idea anyway because too many people pick way too easy passwords, and tend to use the same password for everything, or at least several things.
  #23  
Old 10-03-2006, 11:59 PM
Demisis_P2P
Kanto League Champion
Join Date: Jan 2005
Posts: 2,357
Quote:
Originally Posted by unixmad View Post
I don't see any security issues:

If your graal password is stolen you can get it changed by the password changer in 30 seconds, you can also request by the support center giving your payment reference ID.

There are no reasons to get your graal password stolen, graal passwords are really random and they are really secure, we don't store them unencrypted and they are also salted.

We want to stop account sharing so it will be another good reason to not share his/her account to not have someone posting using your name...
If somebody steals my Graal account by getting into my email address then they have 2 days to do whatever they want. Since password changes can only be sent every 2 days (not to mention that any smart person with access to your email account would change your email password).

I could make a support ticket, if I remember my username and password for that, but by the time it's responded to and acted on it'll probably already be too late. (And when I say 'acted on' I mean having the account temp-globalled.)

Since all my paypal info would also be in my email account, or they would have direct access to it as a consequence of having my email address, then the chances of me ever being able to fully regain control of my account are slim to none.
  #24  
Old 10-04-2006, 12:03 AM
KuJi
Banned
Join Date: Apr 2004
Location: Staten Island, New York
Posts: 2,202
Hahaha @ Demisis.

I had all my accounts switched to one email and that's like 5-10 accounts (ask ibonic on this =P).

And recently my IP's been changing a lot as well (ask Ibonic on that as well =P)

Anyway.. I don't think anyone's account's even been leaked out (actual password).. it was more for security of something that MAY happen than DID happen @ Googi =o
  #25  
Old 10-04-2006, 12:03 AM
Minoc
Registered User
Join Date: Sep 2001
Posts: 4,385
Quote:
Originally Posted by Demisis_P2P View Post
If somebody steals my Graal account by getting into my email address then they have 2 days to do whatever they want. Since password changes can only be sent every 2 days (not to mention that any smart person with access to your email account would change your email password).
How would that somebody get into your e-mail account?
  #26  
Old 10-04-2006, 12:03 AM
Lord Sephiroth
Babylon OG
Join Date: Jan 2005
Location: Winnipeg, Manitoba, Canada
Posts: 798
Quote:
Originally Posted by unixmad View Post
I don't see any security issues:

If your graal password is stolen you can get it changed by the password changer in 30 seconds, you can also request by the support center giving your payment reference ID.

There are no reasons to get your graal password stolen, graal passwords are really random and they are really secure, we don't store them unencrypted and they are also salted.

We want to stop account sharing so it will be another good reason to not share his/her account to not have someone posting using your name...
There have been a lot of closed/deleted threads regarding the efficiency of the support center though. A lot of people are unhappy with the time it takes to get responses, and sometimes their tickets are just closed by a certain someone with no response whatsoever.
__________________
Babylonian; wherever I or it may lay.
  #27  
Old 10-04-2006, 12:04 AM
MysticX2X
Prince
Join Date: Sep 2005
Posts: 2,529
Yeah I learned to remember my graal password a long time ago. It's real easier logging into graal
__________________
-Mystic

former acc: mystic2k


RIP Matt (NBK)
  #28  
Old 10-04-2006, 12:05 AM
Googi
A Serious Epidemic
Join Date: Oct 2001
Location: Canada
Posts: 18,866
Quote:
Originally Posted by Demisis_P2P View Post
I could make a support ticket, if I remember my username and password for that, but by the time it's responded to and acted on it'll probably already be too late. (And when I say 'acted on' I mean having the account temp-globalled.)

Since all my paypal info would also be in my email account, or they would have direct access to it as a consequence of having my email address, then the chances of me ever being able to fully regain control of my account are slim to none.
The truly secure use different E-Mail addresses for everything important.
  #29  
Old 10-04-2006, 12:07 AM
Mykel
:o
Join Date: May 2002
Location: Canton, Ohio.
Posts: 5,526
Quote:
Originally Posted by Darlene159 View Post
Random, auto-generated passwords are a good idea anyway because too many people pick way too easy passwords, and tend to use the same password for everything, or at least several things.
There is little to no harm in someone discovering what someone's forum password is. There is a great deal of harm in finding out someone's graal password. Having the forum password be the same as the graal password only allows one additional way to hack someone's password.

And as you already said, having the same password for multiple things is a security risk.

Quote:
Originally Posted by Googi View Post
Which is why we just had to change them.
Haha, good point.

Quote:
Originally Posted by unixmad View Post
I don't see any security issues:

If your graal password is stolen you can get it changed by the password changer in 30 seconds, you can also request by the support center giving your payment reference ID.

There are no reasons to get your graal password stolen, graal passwords are really random and they are really secure, we don't store them unencrypted and they are also salted.

We want to stop account sharing so it will be another good reason to not share his/her account to not have someone posting using your name...
If our Graal password is stolen, chances are we wouldn't find out until after something happens. As I replied to moony, having a password be the same for multiple things only increases risk. Plus, it can be a hassle too.

Once, just once, do a poll or something and actually give the players what they want.
__________________
(Married to Skyld)
  #30  
Old 10-04-2006, 12:16 AM
Demisis_P2P
Kanto League Champion
Join Date: Jan 2005
Posts: 2,357
Quote:
Originally Posted by Minoc View Post
How would that somebody get into your e-mail account?
Email addresses have lots of 'failsafes' like secret questions that can be guessed. Or they're linked to a secondary email address.
If either your primary or your secondary email address expire then they can also simply be re-registered by another person, and they would still be in the database for whatever things you signed up for with that email address.

Alternatively if you use an ISP email address and you change ISPs or move then the email address is lost, and could be re-registered by somebody else that uses that same ISP.

It's also possible for 'graal hackers' to put keyloggers or trojans into their programs and gain access to accounts that way. Or they could make a graal-related website that requires registration and do a Velox.

There are lots of possibilities.

Quote:
Originally Posted by Googi View Post
The truly secure use different E-Mail addresses for everything important.
Most people just use the one. It's more convenient (for any would-be hackers as well, I guess). But most people just don't think about having a database leaked every time they sign up to a website.
All times are GMT +2.