  #1  
Old 05-05-2011, 05:16 AM
dannym3141
Fire Beetle
 
Join Date: Feb 2010
Posts: 9
So the whole problem with passwords

This is by no means a perfect solution, but could anyone "in the know" give me a reasonable explanation why we can't reset passwords via email?

I mean, if everything is changed/confirmed via email, what can go wrong? It wouldn't be a security issue that eqemu had to deal with, because people's email security is their own issue + their isp/hotmail/yahoo's issue.

So for example, I've forgotten the password to one of my LS accounts. Got the other 2, but not the one I'd like. Now, if I could click "reset my password" for that particular account from where I log in to the eqemu site, eqemu emailed me and asked me to confirm a password reset, I reset it and bingo, I have a new reset password emailed to me.

If someone managed to break into my eqemu server account, they'd still have to break into my email account in order to change anything regarding eqemu, and if they break in there then that's completely not the responsibility of eqemu.

One problem I see with that solution is that if people can no longer access the email account they enter into eqemu, they can't change any of their account details. And perhaps there are other problems which would explain why this hasn't already been done. It's how many MMOs do it, isn't it?
  #2  
Old 05-05-2011, 05:33 AM
trevius's Avatar
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946
Default

The main issue is that the forums database has been compromised one or more times within the past few years or so. It has been secure since Rogean took it over, but there were hackers that stole the DB prior to that. This means that anyone who hasn't changed their forums password since then would be at a major risk of getting their LS accounts stolen at any time if there was a recovery method based on the email account associated with EQEmu. Since the email account is an editable field, they could hack your forum account and change the email it points to then reset your LS accounts and take control over them.

There are ways to secure things going forward, but old accounts are probably completely out of luck indefinitely due to the previous security breaches.
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!
  #3  
Old 05-05-2011, 08:41 AM
Kruel
Fire Beetle
 
Join Date: Jul 2010
Posts: 6
Default

Can we handle some of the lost PWs on a case-by-case basis? Me and a friend of mine both have full planar toons we are anxiously waiting to play. Both of us took a break and came back to play and completely forgot the PWs. Why not handle the existing cases one by one... then like you said going forward there are changes you can make. I really would hate to see all the long nights raiding etc. go to crap because I forgot my PW. Help us out!! =D
  #4  
Old 05-05-2011, 12:26 PM
keithHen
Fire Beetle
 
Join Date: Jul 2010
Posts: 5
Default

The idea that you won't help people recover passwords is just silly and ridiculous. We donate and spend a good majority of our lives on this game, and when we forget our pw we get no help at all. A series of questions and/or IP origins can easily detect if this is your toon or not. PLEASE help us Slapen
  #5  
Old 05-05-2011, 01:30 PM
keithHen
Fire Beetle
 
Join Date: Jul 2010
Posts: 5
Default

I used to talk to hobby the guide all the time... he can verify who I am. I can tell ya everything about the account, old pws and IP addresses. Also, over 50 guild members can verify who I am. How is this not enough?
  #6  
Old 05-05-2011, 02:31 PM
dannym3141
Fire Beetle
 
Join Date: Feb 2010
Posts: 9
Default

Keep it clean, the only way forward to a solution is by polite and helpful discourse.

I think it's a fair statement, however, to say it seems a bit strange to have literally no method of password recovery!
  #7  
Old 05-05-2011, 04:38 PM
Kruel
Fire Beetle
 
Join Date: Jul 2010
Posts: 6
Default

Quote:
Originally Posted by trevius View Post
The main issue is that the forums database has been compromised one or more times within the past few years or so. It has been secure since Rogean took it over, but there were hackers that stole the DB prior to that. This means that anyone who hasn't changed their forums password since then would be at a major risk of getting their LS accounts stolen at any time if there was a recovery method based on the email account associated with EQEmu. Since the email account is an editable field, they could hack your forum account and change the email it points to then reset your LS accounts and take control over them.

There are ways to secure things going forward, but old accounts are probably completely out of luck indefinitely due to the previous security breaches.

Thanks for taking the time to discuss this problem. With what you said though there is a simple fix. ALL changes to the account's email can only be done with a confirmation to the original email address. So in order to get hacked, one would not only need the email address but to hack the PW on the email address. I really think we are overthinking this. I really wish we could handle things on a case-by-case basis right now, similar to IP exemptions.
  #8  
Old 05-05-2011, 10:55 PM
sorvani
Dragon
 
Join Date: May 2010
Posts: 966
Default

Quote:
Originally Posted by Kruel View Post
I really wish we could handle things on a case-by-case basis right now, similar to IP exemptions.

I think all the P99 people need to realize that P99 is not EQ Emulator
  #9  
Old 05-06-2011, 04:39 AM
dannym3141
Fire Beetle
 
Join Date: Feb 2010
Posts: 9
Default

Quote:
Originally Posted by sorvani View Post
I think all the P99 people need to realize that P99 is not EQ Emulator
I think non p99 people should stick to the topic please

He's right. All account changes could be done via email, and as I say - the only problem arises when you lose access to your email address permanently and without warning - and how often is that gonna happen? Almost certainly less than people losing passwords! And those people will still be able to log in if they remember their password, but they'll not be able to make changes without admin interference. Fewer cases to deal with, surely that's a preference?
  #10  
Old 05-06-2011, 05:17 AM
trevius's Avatar
trevius
Developer
 
Join Date: Aug 2006
Location: USA
Posts: 5,946
Default

Here is a recent related thread on the topic, though there have been hundreds of them over the years:

http://www.eqemulator.org/forums/showthread.php?t=32454

As you can see there, I have already made a suggestion related to email to add password recovery going forward. Again though, there is no fully secure way to do it retroactively. The email suggestion made by Kruel is probably about as good as it could be for a retroactive solution. To combine that idea with mine might be a good solution for old and new accounts. So, you could only change your email address if you can verify your old email address or if you are able to provide the password to one of your Login Server accounts. Though until that change is put in place, there is still an open window for the hacker(s) to go into thousands of accounts and change their email address, which could potentially (while unlikely) have a MUCH worse impact than not having a password recovery option for old accounts.

Rogean is the only person who even has the capability of doing anything at all about password recovery. If you want it, then you need to convince him of a way to make it happen or to do it for you on a case-by-case basis. He also helps run P99, so you P99 people can discuss it there too if needed.

Currently, the only thing that can be done to help people in this scenario apart from having Rogean fix it is for you to speak with the admin of the server you play on and see if they will move your characters to a new account for you. Some servers allow this and some do not. It is the only work-around at this time. For you P99 people, I would think your chances of that happening are probably the same as getting your password reset though.

Being a Dev/Mod on these forums, I get bugged about this quite often in PMs as do most of the other Devs and Admins that can't do anything about it. So, believe me when I say that I would love to see a solution to this problem as much as you would.

For now, my best advice is that if you put a crapload of time into something, don't forget your own password!
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!

Last edited by trevius; 07-09-2011 at 06:22 PM..
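
The rule proposed in the post above (an email change is applied only after confirmation from the old address, or with the password of one of the Login Server accounts) can be sketched as follows. This is an added example, not EQEmulator code or anything posted in the thread; the `Account` class, its method names, the sample addresses and the sample password are hypothetical.

```python
import hashlib, hmac, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical forum account that owns several Login Server (LS) accounts."""

    def __init__(self, email, ls_passwords):
        self.email = email      # address that LS password resets are mailed to
        self.pending = {}       # sha256(token) -> new address awaiting confirmation
        self.ls = {}            # LS account name -> (salt, password hash)
        for name, pw in ls_passwords.items():
            salt = secrets.token_bytes(16)
            self.ls[name] = (salt, _kdf(pw, salt))

    def start_email_change(self, new_email):
        """A forum session may only *request* a change. The returned token
        stands for the link that would be mailed to the CURRENT address."""
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).digest()] = new_email
        return token

    def _ls_password_ok(self, name, password):
        if name not in self.ls:
            return False
        salt, digest = self.ls[name]
        return hmac.compare_digest(digest, _kdf(password, salt))

    def confirm_email_change(self, new_email, old_email_token=None,
                             ls_name=None, ls_password=None):
        """Apply the change only with proof of ownership: the token from the
        old mailbox, or the password of one of the LS accounts."""
        if old_email_token is not None:
            key = hashlib.sha256(old_email_token.encode()).digest()
            if self.pending.pop(key, None) == new_email:   # tokens are single use
                self.email = new_email
                return True
        if ls_name is not None and ls_password is not None \
                and self._ls_password_ok(ls_name, ls_password):
            self.email = new_email
            return True
        return False

def stolen_forum_password_only():
    """Constructed scenario: attacker holds the forum login, nothing else."""
    acct = Account("owner@example.test", {"main": "constructed-ls-password"})
    acct.start_email_change("attacker@example.test")   # token goes to the owner
    changed = acct.confirm_email_change("attacker@example.test", old_email_token="guess")
    return changed, acct.email
```

With this rule a stolen forum password alone no longer moves the reset address, which is the gap described earlier in the thread; an account whose old mailbox is lost and whose LS passwords are all forgotten still has no self-service path.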
  #11  
Old 01-10-2012, 05:43 PM
khamirr
Fire Beetle
 
Join Date: Jun 2010
Posts: 1
Default

Really sad... I've got 6 accounts that I cannot login to =X
  #12  
Old 07-16-2013, 12:41 PM
DookieBasket
Fire Beetle
 
Join Date: Mar 2013
Posts: 1
Default

Rogean, I never changed my password and it has been saved on my account so I don't have to put it in again. It's the same password I use for everything, but now it says it's different. My pw is no longer working and I can't access my password after I log in to the main account. If I can log in to the main account just let me see what has changed. I feel like this is a glitch of some kind on the password that is totally not my fault and yet ooop there goes my character... sorry, better luck next time. It also seems like there is no swaying you and I don't have time to check this every day. Please consider doing something about this in the future. THX
  #13  
Old 07-16-2013, 03:35 PM
wolfwalkereci
Discordant
 
Join Date: Dec 2005
Posts: 435
Default

Step 1: Make the same post across a couple of threads. Really helpful if the people you are trying to communicate with don't actually login and can't use/see the "new posts" link.