
Password Recovery suggestions!! Open discussion


slapen
05-03-2011, 10:38 PM
Rogean said:

I've been asking for recommendations on what a good system for password recoveries would be. Maybe I should make a thread about it.. theres too much to take into consideration, ugh.


Let's make this happen post ideas here!

Zereh
05-03-2011, 10:45 PM
FREEEEEEEE the gnome!


Tie password recovery back to the email account used to create the login server account over at EQEmulator?


Move characters off of the locked out account onto a whole new account? ++

Durison
05-03-2011, 11:45 PM
I think having about 2-4 security questions would be a good way to verify the original owner of the LS account. Maybe have some way to reset the LS password after answering the security questions correctly. I know in the Coast Guard we use a tool to do a simple right click and reset the PW for users who have locked themselves out of their account.

But, I know something sweet and simple is ideal.

Kruel
05-04-2011, 07:59 AM
The only problem I see with simply making the PW "reset" to the original email is all the accounts that have been sold over the last year. The original owners can at any time come back and simply retake the character. I propose the following:

An in-game message allowing people a temporary window to change their email for individual LS login accounts. Or assign an email to each LS account. Then after the one- or two-week time period simply have a "reset" feature on the website.

ANOTHER idea

Donation-basis resets. Have a guide handle all resets (confirming current owners using IP or questions). When the owner is confirmed you pay Nilbog and co. for their time to reset, or to copy your account onto a new account and delete the old. I would say $40 is a fair amount. These are just ideas.

I am currently in the same boat as you, slapen. I can't remember my PW and am dying to play on my toon again!

Raavak
05-04-2011, 08:50 AM
Any sort of $$ payment is not going to fly I bet. Too many legal issues...

This is a good idea though, since basically you are screwed if you don't remember. An idea I like is having a password "reminder" field that contains a word or phrase that helps jog your memory. Whenever you make/change a password you are required to fill in this field as well, and the field cannot equal the password. Then if you have been gone or forgot or something you can click a button on eqemu website and it shows you your reminder phrase.

Example:

Change Password
Old Password: XXXXX
New Password: 205Elm
New Password Again: 205Elm
Reminder phrase: home address

Kruel
05-04-2011, 09:09 AM
Raavak said:
since basically you are screwed if you don't remember.


Yeah, this is me, completely screwed because I took a break and forgot my password. Sucks that I can't remember it. But I know I can't be the only one, and from the replies and other posts I am not the only one.

naekko
05-04-2011, 09:52 AM
Something that involves the user's e-mail address would probably be ideal. That's as secure as you can make it; if somehow they got both their EQEmu forum account and their e-mail hacked, well, they're screwed in more ways than just their EQEmu account.

To change an LS login you require your current EQEmu forum password, plus a link sent to the registered e-mail address with a token to confirm.

To change an EQEmu forum account e-mail address you require a token sent to the current e-mail address, a verification sent to the new e-mail address, and the current password.

Rogean
05-04-2011, 09:59 AM
Except if someone gains access to an eqemu forum account, they can just change the email address on it and then request the password for the loginserver account, which would be sent to the new address they just changed the eqemu account to. So that doesn't help at all.

We need options that solve the problem for current issues of recovering login accounts. Any suggestions about asking new questions on registration are not helping this situation. We need a way to verify the real original owner of an eqemulator account and/or loginserver account. (And personally, I'm not too worried about people that sold their accounts.. We don't support those sales and we shouldn't have to).

naekko
05-04-2011, 10:04 AM
Rogean said:
Except if someone gains access to an eqemu forum account, they can just change the email address on it and then request the password for the loginserver account, which would be sent to the new address they just changed the eqemu account to. So that doesn't help at all.

We need options that solve the problem for current issues of recovering login accounts. Any suggestions about asking new questions on registration are not helping this situation. We need a way to verify the real original owner of an eqemulator account and/or loginserver account. (And personally, I'm not too worried about people that sold their accounts.. We don't support those sales and we shouldn't have to).

Sorry, I'm a little slow, Rogean! How do they change the e-mail address on the EQEmu account if you require them to click a link sent to the current e-mail address to change it?

Hacker gains access to EQEmu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).

Hacker tries to change e-mail address of current EQEmu account -> e-mail sent to current e-mail account to confirm.

In all of this he needs the current e-mail account to do anything, right? I know you were worried about vulnerabilities in vBulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the user's responsibility, and if they use the same password for everything and get hacked, or downloaded a trojan, or a million other things, you shouldn't have to plan around it.

If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of any way to verify the original owner or protect them. Tough cookies I guess, but there has to be a cut-off point somewhere, right?

Raavak
05-04-2011, 10:22 AM
Rogean said:
Except if someone gains access to an eqemu forum account

Aren't all bets off if someone h4x0rz the eqemu account? Or do you guys store the account creator's email address, even when it's changed? If so you can just have a button to "reset to default" or something that is accessible without having to log in, needing only the user name.

I thought the issue was lost login server account passwords. There is no way to recover those either. I guess, if you have access to the eqemu account you should be able to easily reset those passwords from there with just a click that emails a new random password that can then be changed with the existing tool.

Droop
05-04-2011, 10:23 AM
Didn't EQLive have a master email address, so that no matter what, the owner of the original e-mail address from when the account was created could get the account info back?

Kruel
05-04-2011, 10:35 AM
So if we made an area just for an LS server email address, and made an announcement via in-game text when logging in (or an email to an active P99 account) saying to add an email to their LS account, that should work.
When logging into EQEmu, under LS accounts they can just click to add an email. And in case of hacks to the EQEmu account in general, you can only display the first couple of letters of the email account used for that LS account. In order to change the email account they need to confirm the current PW. IMO if someone doesn't have access to the original email and also doesn't have access to the current PW, they aren't the account holder. If you have the current PW, well then you can log in and play. If you have the original email the account was made under, then it's your account. Nobody should be able to figure out your email address off a video game as well as your current PW.

Rogean
05-04-2011, 10:41 AM
naekko said:
Sorry, I'm a little slow, Rogean! How do they change the e-mail address on the EQEmu account if you require them to click a link sent to the current e-mail address to change it?

Hacker gains access to EQEmu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).

Hacker tries to change e-mail address of current EQEmu account -> e-mail sent to current e-mail account to confirm.

In all of this he needs the current e-mail account to do anything, right? I know you were worried about vulnerabilities in vBulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the user's responsibility, and if they use the same password for everything and get hacked, or downloaded a trojan, or a million other things, you shouldn't have to plan around it.

If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of any way to verify the original owner or protect them. Tough cookies I guess, but there has to be a cut-off point somewhere, right?

The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.

Kruel
05-04-2011, 10:51 AM
Another idea (not that the GMs don't have enough to do) is to take it on a case-by-case basis. Rogean / Nilbog have a master email list; in order to get the account back you have to email them the email address used to make the character, as well as all the characters on the P99 account? Just spitballin' =P

Do it in waves, similar to the IP exemption.

slapen
05-04-2011, 11:32 AM
Then stick with how EQ Live does it: a master email when you make the account; if you want to change that, you must always have access to that master email or remember the PW. You could also set it up so when you go to change the email it will send an email to the current one and you have to click a link in that email showing it's your account.

naekko
05-04-2011, 11:45 AM
Rogean said:
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.

I understand, but that's the modification to vBulletin / EQEmu I'm suggesting. Instead of just sending an e-mail to the new address to change your e-mail, make it send one to the old and the new address. This stops any hacking attempt unless the hacker has access to both the EQEmu account and the e-mail account.

It could pose a problem if a user somehow loses access to their e-mail account, but these days that's pretty rare. Hotmail, Yahoo and Gmail all have tools to recover lost e-mail passwords and they don't delete accounts, ISPs give ample warning before they cut off access to e-mail, etc. And even in that instance, unless you lose access to your e-mail account AND get your EQEmu account hacked you should be fine.

I think it's the best compromise unless modifying vBulletin's password recovery is too much of a hassle.
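The token flow naekko describes in this post and the earlier one (a reset link that goes only to the address on file; an e-mail change that needs a code from the current mailbox AND one from the new mailbox), worked out as an added example. This is not code from the thread, from vBulletin or from the EQEmu / P99 login server. Assumed here: the Account record shape, the token lifetimes, an in-memory table standing in for a database, and that the user enters both e-mail-change codes in one form. Tokens are stored only as SHA-256 digests and are bound to the password hash they were issued under, so a dump of the table (the old-database-dumps worry raised later in the thread) carries nothing redeemable and a password change voids anything still outstanding. The scenario Rogean objected to, a stolen forum session that rotates the e-mail and then requests a reset, fails at the first step because the attacker never receives the code mailed to the current address.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Account is an assumed minimal record, not vBulletin's or the login server's real schema.
type Account struct {
	Name, Email string
	PassHash    string // tokens are bound to this, so a password change voids every outstanding token
}

type tokenRecord struct {
	purpose, account, email, passHash string
	expires                           time.Time
}

// Recovery keeps only SHA-256 digests of the tokens it mailed out, so a leaked copy of this table
// (compare the worry about old database dumps later in the thread) holds nothing redeemable.
type Recovery struct {
	now    func() time.Time
	tokens map[string]tokenRecord // digest(token) -> record, deleted on first redeem
}

func NewRecovery(now func() time.Time) *Recovery {
	return &Recovery{now: now, tokens: map[string]tokenRecord{}}
}

func digest(token string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(token))) }

// issue mints a 128-bit random token and records what it is for and whom it was mailed to.
func (r *Recovery) issue(purpose string, a *Account, email string, ttl time.Duration) string {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	token := fmt.Sprintf("%x", raw)
	r.tokens[digest(token)] = tokenRecord{purpose, a.Name, email, a.PassHash, r.now().Add(ttl)}
	return token
}

// redeem removes the token on first sight (single use), then checks expiry and that the account
// is still in the state the token was issued for.
func (r *Recovery) redeem(token string, a *Account) (purpose, email string, err error) {
	rec, ok := r.tokens[digest(token)]
	delete(r.tokens, digest(token))
	switch {
	case !ok:
		return "", "", errors.New("unknown or already used token")
	case r.now().After(rec.expires):
		return "", "", errors.New("token expired")
	case rec.account != a.Name || rec.passHash != a.PassHash:
		return "", "", errors.New("token does not match this account's current state")
	}
	return rec.purpose, rec.email, nil
}

// RequestPasswordReset mails the link only to the address on file, so a stolen forum session
// by itself (the objection raised above) cannot redirect it.
func (r *Recovery) RequestPasswordReset(a *Account) (mailTo, token string) {
	return a.Email, r.issue("reset", a, a.Email, 30*time.Minute)
}

func (r *Recovery) CompletePasswordReset(a *Account, token, newPassHash string) error {
	if purpose, _, err := r.redeem(token, a); err != nil || purpose != "reset" {
		return fmt.Errorf("reset refused (purpose %q): %v", purpose, err)
	}
	a.PassHash = newPassHash
	return nil
}

// RequestEmailChange mails one code to the current mailbox and another to the proposed new one.
func (r *Recovery) RequestEmailChange(a *Account, newEmail string) (oldCode, newCode string) {
	return r.issue("email-old", a, a.Email, 24*time.Hour), r.issue("email-new", a, newEmail, 24*time.Hour)
}

// ConfirmEmailChange needs both codes, so whoever holds only the forum session (or only the new
// mailbox) cannot move the address.
func (r *Recovery) ConfirmEmailChange(a *Account, oldCode, newCode string) error {
	p1, e1, err1 := r.redeem(oldCode, a)
	p2, e2, err2 := r.redeem(newCode, a)
	if err1 != nil || err2 != nil || p1 != "email-old" || p2 != "email-new" || e1 != a.Email {
		return fmt.Errorf("email change refused: %v / %v", err1, err2)
	}
	a.Email = e2
	return nil
}

func main() {
	r, a := NewRecovery(time.Now), &Account{Name: "slapen", Email: "owner@example.com", PassHash: "h1"}
	_, tok := r.RequestPasswordReset(a)
	fmt.Println("first:", r.CompletePasswordReset(a, tok, "h2"), "replay:", r.CompletePasswordReset(a, tok, "h3"))
}
```

The two-code form is one way to realise "send it to the old and the new address"; two separately clicked links work the same as long as the server records both confirmations before it touches the address. Whatever the real site stores as PassHash is what the tokens should be bound to, so that a successful reset or a normal password change invalidates every link still sitting in a mailbox.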

Kruel
05-04-2011, 01:34 PM
Honestly, someone be our hero and help with PW recoveries!! I love you long time.

dredge
05-04-2011, 01:44 PM
.

Kruel
05-04-2011, 01:48 PM
Everyone should write their password on a postcard and send it to Santa at the North Pole; then when you lose it you can just ask for it back for X-Mas.

Honestly if santa helped me recover my PW i would kiss him passionately.. oh so softly.

naekko
05-04-2011, 02:19 PM
I'm really against anything that allows users to change their passwords in-game (via a command in chat or something). I give out my password to a lot of people I know in-game (so they can log in my cleric at Seb entrance and res their group if they need to, etc.) and I like the separation of EQEmu and loginserver. It means they can't ever change my password and take off with my character.

I hope we maintain that separation in any system Rogean decides on. It's superior to any of the MMOs out there where giving your login means possibly losing your account if you're not careful.

slapen
05-04-2011, 02:25 PM
naekko said:
I'm really against anything that allows users to change their passwords in-game (via a command in chat or something). I give out my password to a lot of people I know in-game (so they can log in my cleric at Seb entrance and res their group if they need to, etc.) and I like the separation of EQEmu and loginserver. It means they can't ever change my password and take off with my character.

I hope we maintain that separation in any system Rogean decides on. It's superior to any of the MMOs out there where giving your login means possibly losing your account if you're not careful.

What we are suggesting would actually make your PW more secure, because currently if someone hacked your EQEmu account he could change your PW and you would never be able to recover it. This way the original owner can always get it back. I love it.

nambar
05-06-2011, 10:42 PM
The issue as I understand it:

There are people out there with outdated EQEmu forum database dumps with hashes of all the forum passwords. Any method of recovery has to take this into account.

Why not make a new form hosted on EQEmu that for a short time will allow people to reassociate their loginserver account with another forum account? Make it last two weeks or a month to give everyone a chance, and those who miss it, too bad (if you're that inactive, does it matter if hackers control your accounts?).

Then after this grace period you can enact whatever recovery method you want, knowing most accounts are secured. Those who lost access to their EQEmu forum account but still had access to their LS account have had a chance to get it straightened out.

I like the idea of e-mail being included someway in the recovery option but that's up to you.

Something as successful as EQEmu and P1999 really needs a password recovery option. I've lost access to one of my LS accounts and I cry a little every night thinking how much time I wasted that I can't recover. <-- Truth

Zereh
05-20-2011, 06:25 AM
Bump ~ because it's a huge issue not to have a method of recovering or resetting passwords without having Rogean do it.

SpartanEQ
05-31-2011, 06:46 PM
Rogean said:
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.

I may be dense, but I don't get it. Why wouldn't the person have access to the current email address on file? How often would that be true? Maybe if someone gave their forum account to someone else, and if someone forgets how to log in to their old email account, all email providers that I've ever seen have their own password recovery methods. What am I missing?

EDIT: I just read my post and realized it may have sounded like I was being critical. I'm not. I just really am that dense and don't get it.

Littlegyno
05-31-2011, 07:08 PM
What could happen is Rogean uses the 10 million dollars he's stolen from P99 people and has those WoW account key dongles made. Then he could use tax records and SSNs to verify the account ownership and send the account owners the key dongles.

Dalsegno
05-31-2011, 10:17 PM
I'm trying to think of a way to handle LS server account recovery/password recovery options. I have a few questions for Rogean though, since I don't know how the servers operate.


From reading here I have gathered the only way the forum account is tied to the LS account is through creation and display; you can't control anything on the LS account from the forum account, correct?


Since they are tied in some way, albeit limited, is it possible to pull known characters on an EQEMU server just by knowing a forum account name?

Example: I have my forum account and 1 LS account. On that LS account I know I have a character on P99 named Newguy. By knowing only a forum login, and possibly requiring the EQEMU server name, is there a way to return Newguy from a query?

My idea is to have a dropdown of server listings and build a query to return a character name that exists on an LS account, which would have to be an exact match on an input. This should be a complicated but good way to verify original or existing owners of an LS account; if you have a main you should remember its name.

The downside is LS account names being compromised: if you know a character name on the LS account you would be able to gain access, though I would hope the EQEMU users would be secure enough to not give out their LS account names.

It's not 100% foolproof as people do forget things so in extreme cases GMs/Rogean would have to manually reset password for LS accounts but it might be a nice thing to try out for automation.

SpartanEQ
06-01-2011, 07:28 PM
Rogean said:
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.

How about a three security question set-up that doesn't involve email addresses at all? Just brainstorming here.

On a side note, after hours of trial and error after error I somehow let my mind wander and my fingers just typed the correct password. I'm in (5 months later)! It's a password I've never used before and is not used anywhere else.

So, I guess the final solution to this problem is hypnotism.

bomaroast
10-19-2011, 11:03 PM
After having not played for several months I can't remember the password to my account. I can't imagine why it's not one of the few passwords that I've used over and over. So much gone :(

bomaroast
10-21-2011, 11:50 PM
If I could get my password back I would be a daily player until spring. I wonder how many others have been in this same position: start from scratch on a server with way too much platinum on it, or nothing... sigh

Adnan
11-29-2012, 03:39 PM
bump.

Adnan
12-09-2012, 05:28 PM
bump.

Lexical
12-09-2012, 06:13 PM
Make an RSA key pair with each EQEmu account. The server keeps the public key (I say public, but really only the server has access to it) and the user keeps the private key. When a user wants a password recovered, you can just send them the encrypted password or set up some challenge-response authorization. Basically PGP.
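The challenge-response half of Lexical's suggestion, as an added example that is not the thread's, vBulletin's or the login server's code: the user generates an RSA key pair at enrollment, the site stores only the public key, and recovery means signing a fresh server-issued challenge that is bound to the account name, expires, and can be used once. Assumed here: the account names, the domain-separation string, the five-minute challenge lifetime, in-memory maps in place of a database, and RSA-PSS over SHA-256 as the signature scheme. The "send them the encrypted password" variant is left out, since it would need the server to keep the password in recoverable form; with this scheme the server never holds anything that unlocks the account.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// enrollment is all the server keeps per account: the public key, plus the challenges it has
// handed out and not yet seen answered. No password-equivalent secret lives here.
type enrollment struct {
	pub     *rsa.PublicKey
	pending map[string]time.Time // hex(challenge) -> expiry
}

type Server struct {
	now  func() time.Time
	keys map[string]*enrollment // account name -> enrollment
}

func NewServer(now func() time.Time) *Server {
	return &Server{now: now, keys: map[string]*enrollment{}}
}

// GenerateUserKey runs on the user's own machine at enrollment; the private half never leaves it.
func GenerateUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func (s *Server) Enroll(account string, pub *rsa.PublicKey) {
	s.keys[account] = &enrollment{pub: pub, pending: map[string]time.Time{}}
}

// Challenge hands out 32 fresh random bytes, valid for five minutes and usable once.
func (s *Server) Challenge(account string) ([]byte, error) {
	e, ok := s.keys[account]
	if !ok {
		return nil, errors.New("no key enrolled for this account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	e.pending[hex.EncodeToString(c)] = s.now().Add(5 * time.Minute)
	return c, nil
}

// challengeDigest domain-separates what gets signed and ties it to one account name, so a
// recovery response cannot be replayed as a signature over anything else or for another account.
func challengeDigest(account string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("loginserver-recovery-v1\x00" + account + "\x00"))
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond is the user side: sign the digest with the enrolled private key (RSA-PSS, SHA-256).
func Respond(priv *rsa.PrivateKey, account string, challenge []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, challengeDigest(account, challenge), nil)
}

// Verify accepts only a challenge this server issued, unexpired, never seen before, and signed by
// the enrolled key. On success the caller can let the user set a new login-server password.
func (s *Server) Verify(account string, challenge, sig []byte) error {
	e, ok := s.keys[account]
	if !ok {
		return errors.New("no key enrolled for this account")
	}
	key := hex.EncodeToString(challenge)
	exp, issued := e.pending[key]
	delete(e.pending, key) // consumed whether or not the signature checks out
	switch {
	case !issued:
		return errors.New("challenge was not issued or was already used")
	case s.now().After(exp):
		return errors.New("challenge expired")
	}
	return rsa.VerifyPSS(e.pub, crypto.SHA256, challengeDigest(account, challenge), sig, nil)
}

func main() {
	priv, err := GenerateUserKey()
	if err != nil {
		panic(err)
	}
	s := NewServer(time.Now)
	s.Enroll("lexical", &priv.PublicKey)
	c, _ := s.Challenge("lexical")
	sig, _ := Respond(priv, "lexical", c)
	fmt.Println("first:", s.Verify("lexical", c, sig), "replay:", s.Verify("lexical", c, sig))
}
```

The trade-off is custody: a private key that is lost is the same problem this thread started with, so in practice the key would be backed up by the user or offered alongside the e-mail route rather than instead of it.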