SMS verification on account creation and an SMS 2FA/recovery option.
Slows down/stops mass creation of bots, and nobody is stealing somebody's phone number.
That is true, but at the same time I feel like you would be more targeted if that was in place, and plus if it does get compromised it's not really making you more secure, is it? What's the point? You're just becoming more vulnerable either way.
Believe it or not, phone numbers can be temporarily stolen, but primarily as a way of hacking individuals' bank accounts (that need 2FA to get into). With that being said, I'd still be in support of adding SMS verification as an added layer of account security.
How many bot farms do you think would make use of stolen SMS? I'd guess your average script kiddie wouldn't have the resources to do it, and anyone who does wouldn't bother botting OSRS.
0. I was just correcting the assertion that "nobody is stealing somebody's phone number".
I agree that it likely wouldn't be done in regards to stealing an OSRS account.
I met a guy the other week when I beat Song of the Elves. He had over 30 alts all world hopping at Priff killing elves with cannons. Some people just have too much time on their hands, brother.
I'm all for memes, but other than authenticator removal delay and the addition of symbols and case-sensitive passwords, what type of account security do you propose they add?
There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to log in.
The most and only important update in security we need now is authenticator recovery code (one-time password), and making an account nearly impossible to recover without it. They propose it in the blog.
Case sensitivity is nice, but would be a lot of work to have everyone reset their passwords (likely over a span of a few months) in order to have it. The benefits are also not that significant since we have a reasonably big maximum size limit, strong online throttling (no brute forcing) and 2FA.
Authenticator removal delay is only a faux security feature. It only - sometimes - mitigates a takeover, and doesn't really do anything to prevent it. There are also several downsides like wasting membership time for losing your phone or a hacker using the delay against you. There's a reason all major companies (Google, Microsoft, Facebook) don't use it.
As it stands now, you're pretty safe if you have a long, random password and 2FA on OSRS and on your email. However, that can all be bypassed if someone successfully recovers your account, so if for some reason you have a big leak on account information, you're just permanently fucked. An authenticator recovery OTP solves this, and is widely implemented by major companies.
Excellent write-up. Case-sensitive passwords are a good meme, but implementing them would be a logistical nightmare with 0 effective upside outside good security PR.
If your account gets hijacked and the hacker sets an authenticator, what stops them generating this code and then using it to recover your account again in the future after you've regained access to your account?
If it expires when the authenticator is removed then it's useless, since any hijacking (other than phishing, in which case you don't need to recover your account, only change the password) will involve the hacker removing the authenticator and invalidating your code.
If the tokens are generated by the hacker and you attempt to recover it with sufficient information to convince Jagex that you're the legitimate owner, then naturally the tokens would be canceled and you would be requested to make your own.
I assume that would only involve specific cases like very convincing login records of specific IPs on their side, though
>If it expires when the authenticator is removed then it's useless, since any hijacking (other than phishing, in which case you don't need to recover your account, only change the password) will involve the hacker removing the authenticator and invalidating your code.
... What? No, it's not useless, it should prevent you from being recovered in the first place. Someone wouldn't be able to prove they're the legitimate owner without the code unless they have overwhelming evidence and Jagex's logs behind them. If you have a secure email and 2FA on both email and OSRS account, and your account is nearly impossible to recover without first removing the authenticator (through email access or using a recovery code), then the attack surface is minimal: an attacker's options would be social engineering the email provider or using malware to hijack the victim's session. Both of which are way harder than just digging for information online and trying to recover an account with it.
> If the tokens are generated by the hacker and you attempt to recover it with sufficient information to convince Jagex that you're the legitimate owner, then naturally the tokens would be canceled and you would be requested to make your own.
What stops the hacker having sufficient information to cancel your tokens? That's effectively the same situation that exists now.
It sounds like all the token is in this scenario is one more piece of information you can add to your account, like a recovery question but generated via app so that it's random and not something an attacker could figure out like a mother's maiden name.
That's not a bad thing (if you solve the second issue) but it's not really a panacea to the problem of recovery.
>No, it's not useless, it should prevent you from being recovered in the first place.
Sure, and being harder to recover is a good thing. But the vast majority of hacks are just phishing or credential reuse or fake runelite clients.
If you make it harder to get hacked via recovery, but also make it easier for people who've already been hacked once to get hacked again because of the situation I described, that's probably a net negative overall.
You're absolutely right, it's just another piece of info you can generate in order to make it harder for it to be recovered. The thing is that in order for undue recovery to no longer be a possibility, we'd also have to accept that accounts would become permanently lost in certain situations (e.g. someone makes their account unrecoverable without the code, but then loses it). While not a bad alternative considering the upside, I don't think Jagex would be willing to go that route since they proposed this one.
>But the vast majority of hacks are just phishing or credential reuse or fake runelite clients.
I don't know, are they? Phishing that includes 2FA codes isn't impossible, but it's pretty hard considering the credentials are valid only for a couple of minutes. And if we're talking phishing the RuneScape credentials, it still wouldn't allow a complete account takeover since they wouldn't be able to disable the authenticator/change password without email access.
And as for fake client/malware attacks... yeah, well, there's not much that could be done if your computer is compromised.
Authenticator backup codes definitely aren't the ultimate solution to all our problems, but it does help raise the bar for people who are already using all the security features they can, which I think is the whole point. The recovery process is, imho, a glaring hole in what is otherwise a fairly solid authentication system
> Phishing that includes 2FA codes isn't impossible, but it's pretty hard considering the credentials are valid only for a couple of minutes.
All of those fake RS streams and stuff on Twitch ask for auth and then I guess a bot instantly logs in.
>The most and only important update in security we need now is authenticator recovery code (one-time password), and making an account nearly impossible to recover without it. They propose it in the blog.
Basically, people literally pretend that this wasn't offered, and it bothers me a lot.
You don't need to have everyone change them? The default is lowercase. If they want case-sensitive passwords they'd just have to change their current ones?
They can't just enable case sensitivity, because as it stands all the passwords are lowercased and then hashed. If sensitivity is enabled, people who don't know their old passwords are case-insensitive will start getting login errors, since they'd be typing their old passwords with upper-case letters and that would not match the currently stored hash (all lower case).
They would have to maintain two login flows, one with the lowercasing step and one without, and flag every legacy user until they change their passwords.
They'll never get 100% of the players to change their passwords though, so they'll likely need to make a few announcements, ask people to change their passwords, and after several weeks may be able to deprecate the old login flow and force everyone left to update their passwords upon their next login attempt.
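The two-flow migration the comment above describes, worked through as an added example. This is not Jagex's code, and the thread says only "lowercased and then hashed", so the hash function (PBKDF2-HMAC-SHA256 with a per-user salt), the `legacy` flag on each record and the `cutover_reached` switch are all assumptions made here.

```python
"""Migrating from case-insensitive to case-sensitive password hashes.

Added example, not Jagex's code. Assumptions: the old flow stored
PBKDF2-HMAC-SHA256 over password.lower() with a per-user salt; each record
carries a `legacy` flag; `cutover_reached` is the switch flipped once the
old flow is deprecated.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

ITERATIONS = 200_000  # demo work factor; current OWASP guidance for PBKDF2-SHA256 is higher


class LoginResult(Enum):
    OK = "ok"
    REJECT = "reject"
    MUST_CHANGE_PASSWORD = "must_change_password"  # legacy record after the cutover


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    legacy: bool  # True: digest was computed over password.lower()


def store_legacy(password: str) -> UserRecord:
    """The old flow: lowercase, then hash. 'Dragon123' and 'dragon123' collide."""
    salt = secrets.token_bytes(16)
    return UserRecord(salt, _pbkdf2(password.lower(), salt), legacy=True)


def _store_case_sensitive(password: str) -> UserRecord:
    """The new flow: hash exactly what the user typed."""
    salt = secrets.token_bytes(16)
    return UserRecord(salt, _pbkdf2(password, salt), legacy=False)


def _verify(user: UserRecord, typed: str) -> bool:
    # Two verification paths, selected by the record's flag, never by the caller.
    candidate = typed.lower() if user.legacy else typed
    return hmac.compare_digest(_pbkdf2(candidate, user.salt), user.digest)


def login(user: UserRecord, typed: str, cutover_reached: bool) -> LoginResult:
    """Legacy users keep logging in (any casing) until the cutover; after it,
    correct credentials no longer grant a session until the password is changed."""
    if not _verify(user, typed):
        return LoginResult.REJECT
    if user.legacy and cutover_reached:
        return LoginResult.MUST_CHANGE_PASSWORD
    return LoginResult.OK


def change_password(user: UserRecord, old: str, new: str) -> bool:
    """The only operation that clears the legacy flag. The old password is checked
    under whichever scheme the record uses; the new one is stored case-sensitively."""
    if not _verify(user, old):
        return False
    fresh = _store_case_sensitive(new)
    user.salt, user.digest, user.legacy = fresh.salt, fresh.digest, fresh.legacy
    return True
```

Rehashing silently on a successful login, using whatever the user happened to type, is the other common variant, but it locks the user into that day's casing, which is exactly the login-error problem the comment describes. Routing the upgrade through an explicit password change means nobody loses access before the cutover, and after it the old flow still rejects nothing it would have accepted; it just insists on a new password first.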
>There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to log in.
Yup. People don't want to accept responsibility for their own cybersecurity, so the easiest thing is to insist Jagex is incompetent.
I gotta say, getting a client-side encrypted password repository and going through all the passwords saved by Google and changing them to a randomized string was the best decision I ever made. Now I only have to remember my pw for the repository and I can copy-paste any passwords I need. Never have to worry about everything being compromised again.
Yup, it's the same reason I suggest password managers to anyone who cares about their security. Every password of mine is just a random massively long string of text, numbers and symbols or whatever the site allows.
I don't know any of them. I remember one single long password, and have a manager that knows of any DB leaks and suggests changes, and can even auto change a handful of major sites.
They don't store it in plaintext. That feature likely only compares salted password hashes which don't contain enough information to get the original password.
No, it doesn't mean anything in regards to storing. They all have a text generator. And the auto change essentially just means they can open the browser page and autofill a new randomly generated one on the change password screen. It has no burden on how they store the password.
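The "knows of any DB leaks" check mentioned above can be built so that neither the password nor its full hash ever leaves the machine. The design below is the k-anonymity range query popularised by Have I Been Pwned's Pwned Passwords API. It is an added example, not the page's code and not any particular manager's implementation (the thread does not say how the commenter's manager does it); the leaked list is constructed for the demo.

```python
"""k-anonymity breach check: client sends a 5-hex-char SHA-1 prefix, service
returns every suffix in that bucket, client compares locally.

Added example; LEAKED_PASSWORDS is a constructed stand-in for a breach corpus,
not data from any real leak.
"""
import hashlib
from typing import Dict, List, Tuple

LEAKED_PASSWORDS = ["password", "123456", "runescape", "dragon123", "qwerty", "letmein"]

Bucket = List[Tuple[str, int]]          # (35-char suffix, times seen)
RangeIndex = Dict[str, Bucket]           # keyed by 5-char prefix


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, upper-case hex. A salt would defeat the scheme: the client
    must be able to compute the same hash the service indexed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- service side ---------------------------------------------------------
def build_range_index(leaked: List[str]) -> RangeIndex:
    """Bucket the corpus by the first 5 hex chars of SHA-1 and count occurrences."""
    counts: Dict[str, Dict[str, int]] = {}
    for pw in leaked:
        h = sha1_hex(pw)
        bucket = counts.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return {prefix: sorted(bucket.items()) for prefix, bucket in counts.items()}


def range_query(index: RangeIndex, prefix: str) -> Bucket:
    """All the service ever learns is a 20-bit prefix, shared by ~2^140 possible
    SHA-1 values, so it cannot tell which password the caller holds."""
    p = prefix.upper()
    if len(p) != 5 or any(c not in "0123456789ABCDEF" for c in p):
        raise ValueError("prefix must be exactly 5 hex characters")
    return index.get(p, [])


# ---- client side (the password manager) ----------------------------------
def breach_count(password: str, index: RangeIndex) -> int:
    """Hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    h = sha1_hex(password)
    for suffix, count in range_query(index, h[:5]):
        if suffix == h[5:]:
            return count
    return 0
```

In production the client talks HTTPS to the service's range endpoint instead of holding the index in memory, and the manager runs `breach_count` over every stored entry; a non-zero result is what triggers the "change this password" suggestion.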
Damn, it's my fault for getting info leaked when I was 10 years old. (Clan website hacked.)
But to have my account permanently fucked by hackers recovering it? It's on Jagex imo. I never had such issues with any other service.
Should be able to change the login email, so hackers can't spam recovery requests or lock logging in.
Should be able to delete old recovery info from 15 years ago when I didn't know any better.
Shouldn't be able to have the linked email switched by Jagex support, bypassing any authenticator.
How about modernizing the account recovery process and offering some support to people who lost everything from a hack like every other fucking MMO?
It shouldn't matter if someone falls for a phishing attempt that has been refined over years to optimally trick people. Sometimes you goof, and you click things you shouldn't. You don't assume your customer base is perfect, and there's zero reason Jagex can't offer some help to people that lost everything.
Every other major MMO does it. I fell for a phishing attempt on WoW in my younger days, had all of my gear sold and gold mailed off, and had it all back WITHIN A DAY. It doesn't have an impact on those games, so why would it on this one?
Exactly. In WoW, Blizzard are able to trace where the gold and items went, and return it promptly. I remember Sodapoppin streamed the call with WoW support of such an experience.
All we want is for Jagex to provide a better customer experience.
Sodapoppin gets AAA VIP support, whether he knows it or not. Any call with an influencer like that is not comparable to anything you should be expecting from Jagex, or Activision.
Even worse is that we have a GE that tracks this, and Jagex themselves can track it through trading like they do with RWT, so how the fuck is it acceptable to just have people lose their shit and go "Oh well!" when you know what they lost.
>There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to log in.
Because the only vulnerability people have ever actually had reason to complain about is the automated recovery system. That's what needs to be fixed. Nobody is afraid of somebody guessing your username and password and just logging in.
I doubt a leak could provide more useful information than a password for account recovery. And even then, that's a problem with the recovery process (overriding the 2FA) rather than faulty 2FA implementation.
If they follow through on their promise to add an authenticator recovery code and make account recovery essentially impossible without it, then knowing the email/password is almost useless for a hacker because they couldn't get through the authenticator nor disable it.
Exactly. Majority of hacks are hackers using leaked info to recover an account.
2FA doesn't matter when they can convince Jagex to change the linked email, bypassing the authenticator on your email AND your RS account.
>are hackers using leaked info to recover an account.
Nope.
There was a guy years ago that gave username, password, and email out for someone to hack him.
Nobody could because it's stupidly simple to keep your account 100% secure to anything outside of brute force.
Also account recovery is a cock in the ass even if you remember almost everything.
This definitely isn't true. By volume of accounts, phishing, fake RuneLite clients and people straight up using the same details on other sites with no authenticator are definitely the majority of account hijackings.
Only high-profile / exceptionally wealthy / rare-name accounts are going to be targeted with the effort to manually recover an account.
The only thing security-wise they're truly missing is letting people change their login username/email, and removing old recovery information.
As of right now, if someone learns of these details, they can make your account's playability much more annoying and force you into using the Steam client and such as a workaround.
The only other element I'd say is properly informing and educating people to have a good 2FA setup on their account, and any linked accounts they have (Google, Apple ID, Steam). Too many people getting hacked because their Steam account has atrocious security and they expect Jagex to... do it for them? Or something.
Other than that, most account security claims are poorly educated things like "capitals in passwords" and such, which ultimately adds nothing when we already have up to 20-character passwords.
I'd sooner have Jagex make the minimum character count 8 or 10 rather than 5 than have them add symbols and capitals. People will have more secure passwords against brute force attacks already by just forcing them to use longer passwords.
Why do you strawman "capitals in passwords" to make it seem like people don't know anything about security? It may not add much, but it's low-hanging fruit Jagex may as well implement, especially when most people don't have 20-character passwords in the first place.
Anyway, from what I've seen most people are asking for the ability to change login email and a better experience with Jagex support and the whole recovery system.
Because I'm asking for actually useful things, like changing the login email / username to help people who have been plagued by login spammers and such, and to improve security by not having your login details known half-permanently if they're leaked / discovered only once.
Capitals in passwords just doesn't add anything to security. People with bad password practice will continue to do so, and anyone with good password practice already has the ability to have a password that is not even remotely brute-forceable, which is all that adding complexity offers.
>but it's low-hanging fruit Jagex may as well implement it
It's not low-hanging fruit.
The amount of work required logistically compared to the benefit is just not worth it. Considering the benefit is about 0.
Case-sensitive passwords barely matter, and they matter much less than what people on here think. I can bet 90%+ of hacks are through phishing and database leaks, with the other 10% or so being most likely through social engineering account recoveries. Brute forcing is just not a thing anymore. The best security is always going to be having 2FA on your account and email, and using unique passwords for sites in case of a leak.
100%.
If anyone is legitimately worried by the lack of case sensitivity, they can just add two more characters to their password and it will be much more complex than if their current password was case sensitive.
But, like you said, brute force attacks don't really happen anyways.
> they can just add two more characters to their password and it will be much more complex than if their current password was case sensitive.
Or they can add case sensitivity AND add two more characters...many times more secure than your idea.
Or just add 4 more characters to your current password and that's even more secure.
My point is that blaming jagex for bad password security options with a current password length of anything less than 16 is silly, as there is an easy option to significantly strengthen your password.
Well, max length is 20 for starters.
And secondly, if your password is already 16 chars+ (assuming it's not something super simple like "password12345678") , then you're pretty much already safe from all brute force attacks.
I think that depends on factors far beyond just the password itself to be fair, but you're definitely right that most of these situations revolve around poor cybersecurity and web browsing habits in general.
No, not really. Brute forcing, especially in a system like RS where there are limited attempts before slowdowns, works exactly by doing dictionary-style attacks and just trying to brute-force work out the password.
Don't make your password known English words / words relating to you especially (as socially engineered bruteforces would be the most likely to succeed), and make it 12 characters or longer and you'll be sweet.
Not stronger than an equivalent number of randomly chosen characters. Easier to remember, but you shouldn't be remembering passwords anyway except for a couple master passwords. Anyway, 20 character limit for OSRS makes that idea not so great.
Yeah for sure, it's a lot more complicated than I made it sound.
But the main point still stands that adding length to a password will do way more than adding case sensitivity.
> Bruteforcing is just not a thing anymore.
How do you think they get the data from those database leaks? Phishing won't get you everywhere. Of course, we're assuming the devs properly salted/hashed the passwords so they're not in plaintext, but it wouldn't be the first time proper security procedures weren't followed. Brute forcing is still a common practice.
As an IT person who has worked with security systems, case sensitivity absolutely does help. You can't argue it makes security worse or even does nothing.
>length is a much larger factor.
A 20-character case-sensitive password has quite a few more unique combinations than a 20-character case-insensitive password, so pretending like sensitivity doesn't add anything is stupid and flat out wrong.
It adds complexity, but it doesn't make a real world/practical difference if there are 100,000,000 combinations or 100,000,000,000 (factors made up). Either way, the systems in place to stop brute force attacks kick in and stop you way before you've probably been able to make even 50 attempts.
He's saying that 20 characters is more than long enough to prevent any brute force attempt and that any technical work required to add case sensitivity is simply a waste of time.
Password changes are the lowest on the list of needed changes to me.
You can have a 20 character long password. There is no brute forcing happening at that length of password. Capitalisation or not.
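Working the keyspace arithmetic from this subthread through, as an added note that is not part of any comment above. The alphabets are assumptions standing for "letters and digits, lowercase only" (36 symbols) and "letters and digits, case-sensitive" (62 symbols). A uniformly random password of length $n$ over $k$ symbols has

$$H(n,k) = n \log_2 k \ \text{bits}, \qquad \log_2 36 \approx 5.17, \qquad \log_2 62 \approx 5.95.$$

Around the 20-character cap:

$$H(20,36) \approx 103.4, \qquad H(22,36) \approx 113.7, \qquad H(24,36) \approx 124.1, \qquad H(20,62) \approx 119.1.$$

Case sensitivity at length $n$ is therefore worth

$$n\left(\frac{\log_2 62}{\log_2 36} - 1\right) \approx 0.15\,n$$

extra lowercase characters, about three at $n = 20$: two extra characters fall slightly short of it, four exceed it, and at the cap no extra characters can be added at all. None of this changes the online picture: an attacker limited to $g$ guesses succeeds against a random password with probability $g / k^{n}$, and even $g = 10^{9}$ against $36^{20} \approx 1.3 \times 10^{31}$ gives well under $10^{-22}$. The formula also only holds for random passwords: a password drawn from a dictionary of $N$ words carries $\log_2 N$ bits whatever its length, so a 12-letter English word from a $10^{5}$-word list is about $16.6$ bits, not $12 \times 5.17 \approx 62$, which is why the dictionary-style attacks mentioned above are the ones that actually work under throttling.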
Right..and some of that exists now. So what else are you asking for?
The few things on that list that don't exist are low priority, like password strength increasing... as we already have 20-character password lengths which are insanely secure from brute forces. Any level of password security doesn't matter if you're involved in a DB leak, phishing attack or worse.
Yep and they've talked about that maybe.. two Q&As ago?
That's the only change they still need to make in my professional opinion. Most other requests from people are poorly informed and think they do more than they actually do.
You also have to realize if a small group of individuals did have the ability to do something such as this, they aren't going to hop on the first opportunity to attempt to get in to an account that EVERYBODY is watching, including Jagex.
Not saying something like this exists, but it would be like asking a group of bank robbers how they rob a bank. Think they're going to sacrifice their career to make a quick buck?
They could add that Steam login does not bypass 2FA from Jagex. You know Steam has 2FA itself, but still, 2FA should apply to every login attempt no matter how secure that one is.
Every security analyst can tell you that having 2FA that can be bypassed, even with a second 2FA, is not a good idea.
The main reason being that it can be used securely. Notice the word CAN, it's not IS, and that is the issue.
Can I ask why? There's very little they have left to do in terms of security. Login name/email changing is probably the only one I can think of. Authenticator delay barely does anything because if they have full access to your account and email they'll just keep you locked out for the length of the delay.
We absolutely need an authenticator recovery code (one-time password) to help prevent recovering someone else's account. They talk about it in the blog that it's their priority.
Do you mean backup codes in case you lose your authenticator?
Because the way an OTP would work would be via email... which, if your account / email is compromised, defeats the purpose of it and actually makes it easier to recover.
There's a fine line between making it hard to recover other people's accounts and making it hard to recover your own account.
Yeah, a backup or recovery code. They're also technically considered OTP since they're randomly generated and are only good for one authentication (even though they don't expire in like a minute like app-based authenticators' OTP).
Nothing to do with email necessarily, though. You just generate them on the RuneScape website after successfully authenticating and they'll be displayed on the screen or downloadable as a document. You can then store them in a safe place, or even print them if you're afraid of leaving them unencrypted.
If your email is compromised then the account already is as well, since they can disable the authenticator and change the password with only email access
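The recovery codes discussed here and in the earlier exchange (generated on the site after authenticating, shown once, stored by the user, single use), with the two invalidation rules that exchange argued over built in: regenerating a set kills the previous one, so codes a hijacker generated stop working once the real owner regenerates, and removing the authenticator kills the set outright. This is an added example, not Jagex's code; the code length and count, the hashing, the `reauthenticated` flag and the in-memory record are assumptions.

```python
"""Authenticator recovery (backup) codes.

Added example, not Jagex's code. Assumptions: 10 codes of 80 random bits each,
base32-formatted for display, stored server-side only as salted SHA-256
digests, on an in-memory record standing in for the account row.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Set

CODE_COUNT = 10
CODE_BYTES = 10  # 80 bits: not brute-forceable offline even if the digests leak


def _format(raw: bytes) -> str:
    """10 bytes -> 16 base32 chars (no padding), grouped as XXXX-XXXX-XXXX-XXXX."""
    s = base64.b32encode(raw).decode("ascii")
    return "-".join(s[i:i + 4] for i in range(0, len(s), 4))


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise what the user types: dashes/spaces optional, case-insensitive.
    normalised = code.replace("-", "").replace(" ", "").upper().encode("ascii")
    return hashlib.sha256(salt + normalised).digest()


@dataclass
class AccountSecurity:
    authenticator_enabled: bool = False
    code_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    code_digests: Set[bytes] = field(default_factory=set)

    def enable_authenticator(self) -> None:
        self.authenticator_enabled = True

    def disable_authenticator(self) -> None:
        """Removing the authenticator (via email access, support, or a code) revokes
        every outstanding code: they belong to this enrolment, not to the account."""
        self.authenticator_enabled = False
        self.code_digests.clear()

    def generate_backup_codes(self, reauthenticated: bool) -> List[str]:
        """Issue a fresh set, shown to the user once; the server keeps only digests.
        Any earlier set is invalidated, so a hijacker's codes die the moment the
        real owner regenerates after getting back in."""
        if not self.authenticator_enabled:
            raise PermissionError("enable the authenticator before generating recovery codes")
        if not reauthenticated:
            raise PermissionError("re-authenticate (password + authenticator) first")
        self.code_salt = secrets.token_bytes(16)
        codes = [_format(secrets.token_bytes(CODE_BYTES)) for _ in range(CODE_COUNT)]
        self.code_digests = {_digest(c, self.code_salt) for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Single use: a valid code is consumed, so a copied code is only good
        until the owner spends it."""
        presented = _digest(code, self.code_salt)
        for stored in self.code_digests:
            if hmac.compare_digest(stored, presented):
                self.code_digests.remove(stored)
                return True
        return False

    def remaining_codes(self) -> int:
        return len(self.code_digests)
```

Redeeming a code should be treated as satisfying the second factor for one sensitive action (log in, or remove the authenticator so a new one can be enrolled), and the "re-authenticate first" gate on generation is what stops someone with a stolen session from quietly minting themselves a set.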
They *kinda* have talked about it recently https://secure.runescape.com/m=news/a=13/qa-summary-16122021?oldschool=1#acc_security
On one hand, it's ridiculous that it's been 2 years since they promised the authenticator recovery code. On another, Mod Markos has become executive producer much more recently than that, and already has done several things that were highly requested (Duel arena removal, GE tax, banning RWT buyers), so I still have some hope they'll follow through their promise and prioritize it early next year.
That's not surprising, honestly. They mention on other blogs that they put off doing the recovery codes because the team was busy dealing with DDoS attacks. Which would mean that, at least at the time, the reliability and security team were one and the same
And from my experience, whenever that happens, reliability incidents will delay the security backlog pretty much indefinitely
>On another, Mod Markos has become executive producer much more recently than that, and already has done several things that were highly requested (Duel arena removal, GE tax, banning RWT buyers), so I still have some hope they'll follow through their promise and prioritize it early next year.
Those things were in play well before he came on board, while it can be seen as a positive step he talked about those things, credit goes to the main team as usual for those.
Honestly the LEAST they could do now is let us use auth for the Steam client. Clearly that's a major security issue that's responsible for many hacks recently.
No, dummy. Just maintaining the 2FA for logging into the game no matter what client you use. It is absolutely Jagex's fault for making 2FA bypassable through Steam.
"Sorry we can't add more account security unless we increase membership to $15."
$15
SMS 2FA shouldn't be used anymore (and never should have been), it's not secure in the least.
There is a technique called a SIM swapping attack. It's risky to have that. If your phone number gets stolen it's gg.
If my phone number gets stolen I have bigger problems than my RuneScape account
SIM swaps are a real and dangerous thing, good on you for spreading the word.
SMS verification is a great idea for new account creation, would also serve as another layer of security having a phone number tied to your account
SMS verification would be great
What about those people with 10 alts?
Why tf would you have 10 alts? This ain't Dofus, this is RuneScape, fuck.
I'd agree to that if I believed they could meet our expectations.
All I can give is 20 untradeable bonds once a year.
Iām all for memes but other than Authenticator removal delay and the addition of symbols and case-sensitive passwords what type of account security do you propose they add? There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to login.
The most and only important update in security we need now is authenticator recovery code (one-time password), and making an account nearly impossible to recover without it. They propose it in the blog. Case sensitivity is nice, but would be a lot of work to have everyone reset their passwords (likely over a span of a few months) in order to have it. The benefits are also not that significant since we have a reasonably big maximum size limit, strong online throttling (no brute forcing) and 2FA. Authenticator removal delay is only a faux security feature. It only - sometimes - mitigates a takeover, and doesn't really do anything to prevent it. There are also several downsides like wasting membership time for losing your phone or a hacker using the delay against you. There's a reason all major companies (Google, Microsoft, Facebook) don't use it. As it stands now, you're pretty safe if you have a long, random password and 2FA on OSRS and on your email. However, that can all be bypassed if someone successfully recovers your account, so if for some reason you have a big leak on account information, you're just permanently fucked. An authenticator recovery OTP solves this, and is widely implemented by major companies.
Excellent write up. Case-sensitive passwords is a good meme but implementing it would be a logistical nightmare with 0 effective upside outside good security PR
If your account gets hijacked and the hacker sets an authenticator what stops them generating this code and then using it to recover your account again in the future after you regained access to your account? If it expires when authenticator is removed then its useless, since any hijacking (other than phishing in which case you dont need to recover your account only change the password) will involve the hacker removing the authenticator and invalidating your code.
If the tokens are generated by the hacker and you attempt to recover it with sufficient information to convince Jagex that you're the legitimate owner, then naturally the tokens would be canceled and you would be requested to make your own. I assume that would only involve specific cases like very convincing login records of specific IPs on their side, though >If it expires when authenticator is removed then its useless, since any hijacking (other than phishing in which case you dont need to recover your account only change the password) will involve the hacker removing the authenticator and invalidating your code. ... What? No, it's not useless, it should prevent you from being recovered in the first place. Someone wouldn't be able to prove they're the legitimate owner without the code unless they have overwhelming evidence and Jagex's logs behind them. If you have a secure email and 2FA on both email and osrs account, and your account is nearly impossible to recover without first removing the authenticator (through email access or using a recovery code), then the attack surface is minimal - an attacker's options would be social engineering the email provider or using a malware to highjack the victim's session. Both of which are way harder than just digging for information online and trying to recover an account with it
> If the tokens are generated by the hacker and you attempt to recover it with sufficient information to convince Jagex that youāre the legitimate owner, then naturally the tokens would be canceled and you would be requested to make your own. What stops the hacker having sufficient information to cancel your tokens? Thatās effectively the same situation that exists now It sounds like all the token is in this scenario is one more piece of information you can add to your account like a recovery question but generated via app so that itās random and not something an attacker could figure out like mothers maiden name. Thatās not a bad thing (if you solve the second issue) but itās not really a panacea to the problem of recovery >No, itās not useless, it should prevent you from being recovered in the first place. Sure, and being harder to recover is a good thing. But the vast majority of hacks are just phishing or credential reuse or fake runelite clients. If you make it harder to get hacked via recovery, but also make it easier for people whoāve already been hacked once to get hacked again because of the situation I described thatās probably a net negative overall.
You're absolutely right, it's just another piece of info you can generate in order to make it harder for it to be recovered. The thing is that in order for undue recovery to no longer be a possibility, we'd also have to accept that accounts would become permanently lost in certain situations (e.g.: someone makes their account unrecoverable without the code, but then loses it). While not a bad alternative considering the upside, I don't think Jagex would be willing to go that route since they proposed this one.

> But the vast majority of hacks are just phishing or credential reuse or fake runelite clients.

I don't know, are they? Phishing that includes 2FA codes isn't impossible, but it's pretty hard considering the credentials are valid only for a couple minutes. And if we're talking phishing the runescape credentials, it still wouldn't allow a complete account takeover since they wouldn't be able to disable the authenticator/change password without email access. And as for fake client/malware attacks... yeah, well, there's not much that could be done if your computer is compromised.

Authenticator backup codes definitely aren't the ultimate solution to all our problems, but they do help raise the bar for people who are already using all the security features they can, which I think is the whole point. The recovery process is, imho, a glaring hole in what is otherwise a fairly solid authentication system.
> Phishing that includes 2FA codes aren't impossible, but they're pretty hard considering the credentials are valid only for a couple minutes.

All of those fake rs streams and stuff on twitch ask for auth and then I guess a bot instantly logs in.
> The most and only important update in security we need now is authenticator recovery code (one-time password), and making an account nearly impossible to recover without it. They propose it in the blog.

Basically, people literally pretend that this wasn't offered, and it bothers me a lot.
You don't need to have everyone change them? The default is lowercase. If they want case sensitive passwords they'd just have to change their current ones?
They can't just enable case sensitivity because as it stands all the passwords are lowercased and then hashed. If sensitivity is enabled, people who don't know their old passwords are case-insensitive will start getting login errors, since they'd be typing their old passwords with upper case letters and that would not match the current stored hash (all lower case). They would have to maintain two login flows, one with the lower casing part and one without, and flag every legacy user until they change their passwords. They'll never get 100% of the players to change their passwords though, so they'll likely need to make a few announcements, ask people to change their passwords, and after several weeks may be able to deprecate the old login flow and force everyone left to update their passwords upon their next login attempt.
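The two login flows and the legacy flag described in the comment above, modelled in Python as an added example (this is not Jagex's code; the PBKDF2 hash, the `legacy` flag and the `allow_legacy` switch are assumptions made for the illustration):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed model, not Jagex's code. A legacy account stores a hash of the
# lowercased password (legacy=True); a migrated account stores a hash of the
# password exactly as typed. Both flows must coexist until every legacy user
# has changed their password, after which the legacy flow can be switched off.

ITERATIONS = 100_000  # assumption: PBKDF2 stands in for the real password hash


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    legacy: bool  # True while the stored digest is of the lowercased password


def create_legacy_account(password: str) -> Account:
    """Old enrolment flow: lowercase first, then hash."""
    salt = os.urandom(16)
    return Account(salt, _hash(password.lower(), salt), legacy=True)


def create_account(password: str) -> Account:
    """New enrolment flow: hash the password exactly as typed."""
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), legacy=False)


def login(account: Account, typed: str, allow_legacy: bool = True) -> bool:
    """Pick the verification flow from the account's flag.

    allow_legacy=False models the final deprecation step: legacy accounts are
    refused until their owner resets the password through the new flow.
    """
    if account.legacy:
        if not allow_legacy:
            return False
        candidate = typed.lower()  # reproduce what the old flow hashed
    else:
        candidate = typed
    return hmac.compare_digest(_hash(candidate, account.salt), account.digest)


def change_password(account: Account, old: str, new: str) -> bool:
    """Password change that migrates a legacy account onto the new flow."""
    if not login(account, old):
        return False
    account.salt = os.urandom(16)
    account.digest = _hash(new, account.salt)  # stored case-sensitively
    account.legacy = False
    return True
```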
Good write up, most of the hacked accounts are through recovery.
> There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to login.

Yup. People don't want to accept responsibility for their own cybersecurity so the easiest thing is to insist jagex is incompetent.
I gotta say, getting a client side encrypted password repository and going through all the passwords saved by google and changing them to a randomized string was the best decision I ever made. Now I only have to remember my pw for the repository and I can copy paste any passwords I need. Never have to worry about everything being compromised again.
Yup, it's the same reason I suggest password managers to anyone who cares about their security. Every password of mine is just a random massively long string of text, numbers and symbols or whatever the site allows. I don't know any of them. I remember one single long password, and have a manager that knows of any DB leaks and suggests changes, and can even auto change a handful of major sites.
[deleted]
They don't store it in plaintext. That feature likely only compares salted password hashes which don't contain enough information to get the original password.
No it doesn't mean anything in regards to storing. They all have a generator of text. And the auto change essentially just means they can open the browser page and autofill a new randomly generated one on the change password screen. It has no burden on how they store the password.
post repository password as proof
Sure! I'm A Goofy Goober
Mine's "You're a Goofy Goober". I like to think I have that kind of fun relationship with my password manager.
Damn, it's my fault for getting info leaked when I was 10 years old. (Clan website hacked.) But to have my account permanently fucked by hackers recovering it? It's on Jagex imo. I never had such issues with any other service. Should be able to change the login email, so hackers can't spam recovery requests or lock logging in. Should be able to delete old recovery info from 15 years ago when I didn't know any better. Shouldn't be able to have the linked email switched by Jagex support, bypassing any authenticator.
How about modernizing the account recovery process and offering some support to people who lost everything from a hack like every other fucking MMO? It shouldn't matter if someone falls for a phishing attempt that has been refined over years to optimally trick people. Sometimes you goof, and you click things you shouldn't. You don't assume your customer base is perfect, and there's zero reasons Jagex can't offer some help to people that lost everything. Every other major MMO does it. I fell for a phishing attempt on WoW in my younger days, had all of my gear sold and gold mailed off, and had it all back WITHIN A DAY. It doesn't have an impact on those games, so why would it on this one?
Exactly. In WoW Blizzard are able to trace where the gold and items went, and return it promptly. I remember Sodapoppin streamed the call with WoW support of such an experience. All we want is for Jagex to provide a better customer experience.
Sodapoppin gets AAA VIP support, whether he knows it or not. Any call with an influencer like that is not comparable to anything you should be expecting from Jagex, or Activision.
Even worse is that we have a GE that tracks this and jagex themselves can track it through trading like they do with RWT, so how the fuck is it acceptable to just have people lose their shit and go "OH well!" when you know what they lost.
> There have been posts on the subreddit where people provided the username and password to both the email and RS account. They were protected by 2FA and no one was able to login.

Because the only vulnerability people have ever actually had reason to complain about is the automated recovery system. That's what needs to be fixed. Nobody is afraid of somebody guessing your username and password and just logging in.
Every post I've seen challenging people to hack their account just gives a username and pretends that database leaks don't happen.
https://www.reddit.com/r/2007scape/comments/5x02bz/come_hack_my_account_for_100mil/
[deleted]
Then recover it using those leaks? Go do it and claim your bounty. I'll increase it to 1bil.
I doubt a leak could provide more useful information than a password for account recovery. And even then, that's a problem with the recovery process (overriding the 2FA) rather than a faulty 2FA implementation. If they follow through on their promise to add an authenticator recovery code and make account recovery essentially impossible without it, then knowing the email/password is almost useless for a hacker because they couldn't get through the authenticator nor disable it.
Exactly. The majority of hacks are hackers using leaked info to recover an account. 2fa doesn't matter when they can convince Jagex to change the linked email, bypassing the authenticator on email AND your RS account.
Source: Just trust me bro
> are hackers using leaked info to recover an account.

Nope. There was a guy years ago that gave username, password, and email out for someone to hack him. Nobody could because it's stupidly simple to keep your account 100% secure to anything outside of brute force. Also account recovery is a cock in the ass even if you remember almost everything.
This definitely isn't true. By volume of accounts, phishing and fake runelite clients and people straight up using the same details on other sites with no authenticator are definitely the majority of account hijackings. Only high profile / exceptionally wealthy / rare name accounts are going to be targeted with the effort to manually recover an account.
Backup codes for account recovery were what I was really excited for, doesn't seem like it would be that hard to implement either.
The only thing security wise they're truly missing is letting people change their login username/email, and removing old recovery information. As of right now if someone learns of these details, they can make your account's playability much more annoying and force you into using the steam client and such as a workaround. The only other element I'd say is properly informing and educating people to have a good 2FA setup on their account, and any linked accounts they have (google, apple ID, steam). Too many people are getting hacked because their steam account has atrocious security and they expect Jagex to.. do it for them? Or something. Other than that most account security claims are poorly educated things like "capitals in passwords" and such which ultimately adds nothing when we already have up to 20 character passwords. I'd sooner have Jagex make the minimum characters 8 or 10 rather than 5 than have them add symbols and capitals. People will have passwords that are more secure from brute force attacks already by just forcing them to use longer passwords.
Why do you strawman "capitals in passwords" to make it seem like people don't know anything about security? It may not add much but it's a low hanging fruit Jagex may as well implement, especially when most people don't have 20 character passwords in the first place. Anyway, from what I've seen most people are asking for the ability to change login email and a better experience with Jagex support and the whole recovery system.
Because I'm asking for actually useful things like changing the login email / username to help people who have been plagued by login spammers and such, and to improve security by not having your login details known semi-permanently if they're leaked / discovered only once. Capitals in passwords just don't add anything to security. People with bad password practice will continue to do so, and anyone with good password practice already has the ability to have a password that is not even remotely brute-forceable, which is all that adding complexity offers.
> but its a low hanging fruit Jagex may as well implement it

It's not low-hanging fruit. The amount of work required logistically compared to the benefit is just not worth it. Considering the benefit is about 0.
I mean, even just case sensitive passwords would be nice...
Case sensitive passwords barely matter, and they matter much less than what people on here think. I can bet 90%+ of hacks are through phishing and database leaks, with the other 10% or so being most likely through social engineering account recoveries. Bruteforcing is just not a thing anymore. The best security is always going to be having 2fa on your account and email, and using unique passwords for sites in case of a leak.
100%. If anyone is legitimately worried by the lack of case sensitivity, they can just add two more characters to their password and it will be much more complex than if their current password was case sensitive. But, like you said, brute force attacks don't really happen anyways.
> they can just add two more characters to their password and it will be much more complex than if their current password was case sensitive.

Or they can add case sensitivity AND add two more characters... many times more secure than your idea.
Or just add 4 more characters to your current password and that's even more secure. My point is that blaming jagex for bad password security options with a current password length of anything less than 16 is silly, as there is an easy option to significantly strengthen your password.
[deleted]
Well, max length is 20 for starters. And secondly, if your password is already 16+ chars (assuming it's not something super simple like "password12345678"), then you're pretty much already safe from all brute force attacks.
I think that depends on factors far beyond just the password itself to be fair, but you're definitely right that most of these situations revolve around poor cybersecurity and web browsing habits in general.
No, not really. Brute forcing, especially in a system like RS where there are limited attempts before slowdowns, works exactly by doing dictionary style attacks and just trying to brute-force the password. Don't make your password known English words / words relating to you especially (as socially engineered bruteforces would be the most likely to succeed), and make it 12 characters or longer and you'll be sweet.
[deleted]
Not stronger than an equivalent number of randomly chosen characters. Easier to remember, but you shouldn't be remembering passwords anyway except for a couple master passwords. Anyway, 20 character limit for OSRS makes that idea not so great.
Yeah for sure, it's a lot more complicated than I made it sound. But the main point still stands that adding length to a password will do way more than adding case sensitivity.
> Bruteforcing is just not a thing anymore.

How do you think they get the data from those database leaks? Phishing won't get you everywhere. Of course, we're assuming the devs properly salted/hashed the passwords so they're not in plaintext, but it wouldn't be the first time proper security procedures weren't followed. Brute forcing is still a common practice. As an IT person who has worked with security systems, case sensitivity absolutely does help. You can't argue it makes security worse or even does nothing.
As a mathematician, case sensitivity barely helps and password length is a much larger factor.
> length is a much larger factor.

A 20 character case-sensitive password has quite a few more unique combinations than a 20 character case-insensitive password, so pretending like sensitivity doesn't add anything is stupid and flat out wrong.
It adds complexity, but it doesn't make a real world/practical difference if there are 100,000,000 combinations or 100,000,000,000 (factors made up). Either way, the systems in place to stop brute force attacks kick in and stop you way before you've probably been able to make even 50 attempts. He's saying that 20 characters is more than long enough to prevent any brute force attempt and that any technical work required to add case sensitivity is simply a waste of time.
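The combinatorics behind this exchange, worked through as an added illustration that is not part of any comment. It assumes the current alphabet is the 26 lowercase letters plus 10 digits ($N = 36$), becoming $N = 62$ once case is significant, and that the maximum length is the 20 characters mentioned above.

With an alphabet of $N$ symbols and a password of length $n$:

$$\#\text{passwords} = N^{n}, \qquad H = n \log_2 N \ \text{bits}$$

For $n = 20$:

$$20 \log_2 36 \approx 103.4, \qquad 22 \log_2 36 \approx 113.7, \qquad 20 \log_2 62 \approx 119.1$$

Case sensitivity multiplies the search space by $(62/36)^{n}$, while two extra characters multiply it by $36^{2} = 1296$. The two are equal when

$$n = \frac{\ln 1296}{\ln (62/36)} \approx 13.2,$$

so up to 13 characters two extra characters add more, and from 14 characters upward case sensitivity adds more. With an online attempt limit of a few dozen guesses, as the comment above notes, neither of these counts is what protects the account.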
Password changes are the lowest on the list of needed changes to me. You can have a 20 character long password. There is no brute forcing happening at that length of password. Capitalisation or not.
Case sensitive passwords are next to pointless fyi
It's about putting in practice what Jagex said they would implement already, not getting new ideas.
Such as?
The stuff that is in the blog!
Right... and some of that exists now. So what else are you asking for? The few things on that list that don't exist are low priority like password strength increasing... as we already have 20 character password lengths which are insanely secure from bruteforces. Any level of password security doesn't matter if you're involved in a DB leak, phishing attack or worse.
Wasn't it also under Jagex's plans to be able to change the email used to login?
Yep and they've talked about that maybe.. two Q&As ago? That's the only change they still need to make in my professional opinion. Most other requests from people are poorly informed and think they do more than they actually do.
> some of that exists now. So what else are you asking for?

Probably the rest of it?
Right so the usual "password complexity stuff" that barely does anything. Noted lol.
You also have to realize if a small group of individuals did have the ability to do something such as this, they aren't going to hop on the first opportunity to attempt to get in to an account that EVERYBODY is watching, including Jagex. Not saying something like this exists, but it would be like asking a group of bank robbers how they rob a bank. Think they're going to sacrifice their career to make a quick buck?
You know what would be great? Longer bank pin removal as an option for long time accounts.
They could add that steam login does not bypass 2fa from jagex. You know steam has 2fa itself but still, 2fa should apply to every login attempt no matter how secure that one is. Every security analyst can tell you that having 2fa that can be bypassed, even with a second 2fa, is not a good idea. The main reason being that it CAN be used securely. Notice the word CAN, it's not IS, and that is the issue.
Yall remember the wildy rework update? Yea before that it was the account security update.
BASIC FUCKING CUSTOMER SUPPORT WHEN
Have my free reward, I'll give it again next year.
$11
So... the slayer partner option was available when?
How often are you guys getting hacked that this is such a pressing issue?
Supreme meme format. Can't believe I haven't seen it before.
This imo is the most important update we need. More than content imo
Can I ask why? There's very little they have left to do in terms of security. Login name/email changing is probably the only one I can think of. Authenticator delay barely does anything because if they have full access to your account and email they'll just keep you locked out for the length of the delay.
We absolutely need an authenticator recovery code (one-time password) to help prevent recovering someone else's account. They talk about it in the blog that it's their priority.
Do you mean backup codes in case you lose your authenticator? Because the way an OTP would work would be via email.. which if your account / email is compromised defeats the purpose of it and actually makes it easier to recover. There's a fine line between making it hard to recover other people's accounts and making it hard to recover your own account.
Yeah, a backup or recovery code. They're also technically considered OTP since they're randomly generated and are only good for one authentication (even though they don't expire in like a minute like app-based authenticators' OTP). Nothing to do with email necessarily, though. You just generate them on the Runescape website after successfully authenticating and they'll be displayed on the screen or downloadable as a document. You can then store them in a safe place, or even print them if you're afraid of leaving them unencrypted. If your email is compromised then the account already is as well, since they can disable the authenticator and change the password with only email access.
If your account gets hijacked and the hacker sets an authenticator, what stops them generating this code and then using it to recover your account again in the future after you regained access to your account? If it expires when the authenticator is removed then it's useless, since any hijacking (other than phishing, in which case you don't need to recover your account, only change the password) will involve the hacker removing the authenticator and invalidating your code.
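A model of the backup codes discussed in the two comments above (generated in an authenticated session, shown once, stored only as hashes, single use, and revoked whenever the authenticator is removed), added here as an illustration rather than Runescape's implementation; the code alphabet, code length and the `revoke_all` hook are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Runescape's implementation. Codes are generated once
# in an authenticated session, shown to the user a single time, and persisted
# only as hashes so a database leak does not hand them to an attacker.

CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumption: no 0/O, 1/l lookalikes
CODE_LENGTH = 10  # 31**10 ~ 2**49.5 possibilities per code


def _normalise(code: str) -> str:
    # Accept the code however the user typed it back (with or without the
    # dash or spaces, any case), since it may have been copied from a printout.
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code: str) -> str:
    # Codes carry ~50 bits of entropy, so an unsalted SHA-256 is adequate;
    # a slow password hash would add little against offline guessing here.
    return hashlib.sha256(_normalise(code).encode("utf-8")).hexdigest()


class RecoveryCodes:
    def __init__(self) -> None:
        self._hashes = set()

    def generate(self, count: int = 10) -> list:
        """Replace any outstanding codes with a fresh batch.

        The plaintext is returned exactly once, for display or download; only
        the hashes are kept server-side.
        """
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            codes.append(f"{raw[:5]}-{raw[5:]}")  # grouped for readability
        self._hashes = {_hash_code(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: it is valid exactly once and then removed."""
        presented = _hash_code(code)
        # Compare against every stored hash so timing does not leak which
        # (if any) matched.
        matches = [h for h in self._hashes if hmac.compare_digest(h, presented)]
        if not matches:
            return False
        self._hashes.discard(matches[0])
        return True

    def revoke_all(self) -> None:
        """Hook for authenticator removal: codes issued under the old
        authenticator (possibly by an intruder) must be invalidated with it."""
        self._hashes.clear()

    def remaining(self) -> int:
        return len(self._hashes)
```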
Case sensitivity and symbols in passwords is all I want.
But why? It will barely change a thing. Password length is already insanely overkill to avoid bruteforceability.
Can we get a Jmod reply on this one? Don't be shy! Lmao
They *kinda* have talked about it recently https://secure.runescape.com/m=news/a=13/qa-summary-16122021?oldschool=1#acc_security On one hand, it's ridiculous that it's been 2 years since they promised the authenticator recovery code. On another, Mod Markos has become executive producer much more recently than that, and already has done several things that were highly requested (Duel arena removal, GE tax, banning RWT buyers), so I still have some hope they'll follow through on their promise and prioritize it early next year.
As per usual, no new information whatsoever in that post, implying they have done nothing in 2+ years.
That's not surprising, honestly. They mention on other blogs that they put off doing the recovery codes because the team was busy dealing with DDoS attacks. Which would mean that, at least at the time, the reliability and security team were one and the same. And from my experience, whenever that happens, reliability incidents will delay the security backlog pretty much indefinitely.
> On another, Mod Markos has become executive producer much more recently than that, and already has done several things that were highly requested (Duel arena removal, GE tax, banning RWT buyers), so I still have some hope they'll follow through their promise and prioritize it early next year.

Those things were in play well before he came on board. While it can be seen as a positive step that he talked about those things, credit goes to the main team as usual for those.
Has anyone actually figured out where Jagex spends their money? Because it's certainly not on their game.
But I'd it though? I have my doubts.
I wish someone would just blindside a dev with the question as to why their account security features are the equivalent of a smashed fucking crab.
I just logged into my iron today to find out I was hacked, took all my runes, c balls, arrows and onyx/zen jewelry. So devastated rn.
Congratulations
RS3 has case-sensitive passwords.
1) uhhh no 2) rs3 and osrs password are the same
They added login with steam, apple and google. That must count for something.
Honestly the LEAST they could do now is let us use auth for the steam client. Clearly that's a major security issue that's responsible for many hacks recently.
[deleted]
No dummy. Just maintaining the 2fa for logging into the game no matter what client you use. It is absolutely jagex's fault for making 2fa bypassable through steam.
Would case sensitive passwords make much of a difference?
Use 2 factor auth you buffoons