Hi everyone, First of all, I just want to say I welcome the new PIN system--it increases account security without causing inconvenience. Well done GMs! I've also thought of this idea that might further improve security. You know how for a Google account, they will alert you if you log on using a different computer/IP address. Would it be possible to set up a similar system for Mapleroyals accounts, i.e. if a log on was from a different IP address, the account owner gets notified by email? This way, if someone breaks through your password and not your PIN, you will know that your account security is being threatened and have the opportunity to change your password before any damage is done. I must say I have no experience with this type of work and don't know how much effort this requires. If it's not hugely time consuming, I imagine it would be a great addition to the existing security measures. Cheers, Joe
We had considered something via email, however, many people use fake/nonexistent emails and would wind up not getting the messages. When the discussion was had, my response was "tough luck, that's their fault since we say real email addresses need to be used" but other staff were a bit kinder than I was. In all seriousness though, with the new source, we will hopefully implement some sort of additional security measures like you recommended as well as allow multiple accounts to share an email address so we can reduce the number of fake email addresses being used for accounts.
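Added example (not code from the thread or from the MapleRoyals server): a Python sketch of the "login from a new address" check Joe describes above, together with the point from the reply that accounts with unverified email addresses cannot be alerted. The account names, IP addresses, the grouping of addresses into /24 (IPv4) or /64 (IPv6) networks, and the in-memory outbox standing in for a real mail sender are all assumptions made for this example.

```python
"""Alert the account owner when a login comes from a network not seen before.

Added example; not MapleRoyals code. Addresses are grouped by network prefix
(assumed: /24 for IPv4, /64 for IPv6) so that a home connection whose last
octet changes does not trigger an alert on every login.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    email: str
    email_verified: bool                      # fake/unverified addresses get no alert
    known_networks: set[str] = field(default_factory=set)


@dataclass
class LoginOutcome:
    new_location: bool   # True when the network had not been seen for this account
    notified: bool       # True when an email alert was queued
    reason: str


def network_key(ip: str) -> str:
    """Reduce an address to the prefix used for 'same location' comparison."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def record_login(account: Account, ip: str, outbox: list[tuple[str, str]]) -> LoginOutcome:
    """Record a successful login and queue an alert if the network is new.

    `outbox` is a constructed stand-in for a mail queue: (recipient, message).
    """
    key = network_key(ip)

    # First ever login: enrol the network as the baseline rather than alerting.
    if not account.known_networks:
        account.known_networks.add(key)
        return LoginOutcome(False, False, "first login; network enrolled")

    if key in account.known_networks:
        return LoginOutcome(False, False, "known network")

    # New network: remember it either way, but only alert a verified address.
    account.known_networks.add(key)
    if not account.email_verified:
        return LoginOutcome(True, False, "new network but email not verified; alert skipped")

    outbox.append((account.email, f"New login to account {account.name} from {key}"))
    return LoginOutcome(True, True, "new network; alert queued")


if __name__ == "__main__":
    # Constructed sample: a verified account logging in from two different networks.
    joe = Account("joe", "joe@example.com", email_verified=True)
    queue: list[tuple[str, str]] = []
    for addr in ("203.0.113.5", "203.0.113.9", "198.51.100.7"):
        print(addr, record_login(joe, addr, queue))
    print("queued alerts:", queue)
```

Treating the very first login as enrolment avoids mailing every new account on registration; a server that already has login history would seed `known_networks` from that history instead.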
This would hardly help, as quality rather than quantity is the biggest issue - users should just register a non-simple password. A random combination of numbers and letters would be almost impossible to crack already
You are right. But even then 12 character passwords are not as good as 16 or 24 character ones. It really doesn't matter for those with poor passwords because regardless of the max length they are still going to be poorly made ones, but I do think that being able to write a lengthier password does give more space for creativity. On a side note, since you mention quality passwords, I do hope that the password policy becomes more strict. Something along the lines of not being able to make a weak password for new accounts (just like many sites ask for special symbols in your password nowadays) and have older accounts be warned about changing to this new policy. There would still be weak passwords around, but not as many
+1 for that suggestion as that would definitely strengthen account security and would be very difficult for individuals to hack accounts. It will also allow users to have shorter passwords but far more complicated ones, which is a win-win situation!
Why, though? If I want to have a weak password (which I do), why not let me have that? You can choose whether you want a strong password or not. If people choose not to do so, let them take the risk. I have a very weak password on Royals yet I've never been hacked. Why? Because I don't use the same username/password combo for everything.
I understand that, as with any change, there will be those who will favour it and those who will be against this. And your argument is totally fine, if you chose a weak password it's your responsibility. But not everyone takes this into account and what I'm suggesting is probably the easier, most effective but also more radical decision. It may sound bad saying that everyone should be forced to have a quality password but in the end this will do more good than bad. Is it really that hard to just add a few changes to a password so it's more secure? At the cost of having that bit of trouble you are getting the bigger plus of not getting your account hacked. It saves the staff team the need to explain why someone was hacked and what they should have done. Maybe many people are like you and understand the risks, but there are also people who just want to get into the game and don't really look into this kind of detail and when the time comes they may complain as if they weren't at fault, and they have the right to do so because there is no one who can guide them in this matter when they first attempt to join this server. Would people quit the game just for the fact that you are asked to enter a stronger password? I don't believe so. There are already many sites that use this method and I highly doubt there is any problem with that. In any case I'm just suggesting this as a solution to many people's worries, and there are many ways to implement similar systems (i.e. instead of forcing, just have a message pop up saying how weak the password is and warn them in advance about the consequences). This is in no way something that is 100% going to be implemented, let alone be implemented the way I'm mentioning. I'm sure the staff will discuss the matter and come up with a solution, be it or not what I suggested. (Sorry for the long post)
Quite frankly, I don't see the need for us to require passwords being a certain "strength". That is something up to the player to decide on. As for lengthening the maximum password character count, that unfortunately is a client based restriction and one that we are unable to modify (to my knowledge). Believe me, I would be the first one to push for allowing longer passwords but until we have our custom client, it looks like we need to make do with what we have.
There's nothing wrong with suggesting users have a strong password, in fact I think that's a great thing. But once you force people to have passwords that contain a lowercase, an uppercase, at least 1 number and a symbol, that becomes a problem because a lot of people including me don't want that for reasons we don't need to justify. We just need to inform players that we don't provide refunds to hacked accounts and once that message becomes clear, it's up to the player's choice whether they want to risk getting their accounts hacked for an easy to type password or have a strong password. The new PIN system is done well because it adds an extra wall for hackers to break down and at the same time it's not all up-in-your-face annoying.
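Added example (not code from the thread or from the MapleRoyals server): the two flavours of password policy the posts above discuss, written out in Python. The check applies the character-class rule described above (lowercase, uppercase, digit, symbol), the 12-character client limit mentioned earlier in the thread, and a small blocklist of common passwords; the caller picks "enforce" mode (weak passwords rejected at registration) or "warn" mode (accepted, but the weaknesses are reported back so the player is told in advance). The minimum length of 8, the "three of four classes" rule, the blocklist contents and the function names are assumptions made for this example.

```python
"""Password policy check with an 'enforce' and a 'warn' mode.

Added example; not MapleRoyals code. Thresholds and the blocklist are
constructed for illustration.
"""
from __future__ import annotations

import string

# Constructed sample blocklist; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "maple123", "iloveyou"}

MAX_LENGTH = 12   # client-side limit mentioned in the thread (assumed value)
MIN_LENGTH = 8    # assumed minimum for this example


def password_issues(pw: str, min_length: int = MIN_LENGTH, max_length: int = MAX_LENGTH) -> list[str]:
    """Return a list of human-readable weaknesses; an empty list means the password passes."""
    issues: list[str] = []
    if len(pw) > max_length:
        issues.append(f"longer than the {max_length}-character client limit")
    if len(pw) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("appears in a list of commonly used passwords")

    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    # Assumed rule: at least three of the four classes must be present.
    if len(missing) > 1:
        issues.append("uses too few character types (missing: " + ", ".join(missing) + ")")
    return issues


def check_password(pw: str, mode: str = "warn") -> tuple[bool, list[str]]:
    """Decide whether a password is accepted.

    mode="enforce": any weakness rejects the password.
    mode="warn":    weaknesses are reported but the password is accepted,
                    except when it exceeds the client limit, which the game
                    client could not store anyway.
    Returns (accepted, messages).
    """
    if mode not in ("enforce", "warn"):
        raise ValueError(f"unknown mode {mode!r}")
    issues = password_issues(pw)
    if not issues:
        return True, []
    too_long = any("client limit" in i for i in issues)
    if mode == "enforce" or too_long:
        return False, issues
    return True, ["Weak password: " + i for i in issues]


if __name__ == "__main__":
    # Constructed sample inputs showing both modes side by side.
    for candidate in ("Tr0ub4dor!", "password", "maplestory", "abcdefghijklmnop"):
        for mode in ("enforce", "warn"):
            print(f"{candidate!r:20} {mode:8}", check_password(candidate, mode))
```

Keeping the rule logic in `password_issues` and the policy decision in `check_password` means the same checker can drive a registration form in enforce mode and a "your password is weak" warning for existing accounts in warn mode, which is the migration path described above for older accounts.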
I'm okay with not forcing them. As for the rest of what you just said though, it also means that things like donations are at risk because I think that people can easily get scared by this sort of stuff to the point where they would not donate because of the risk. In that sense I believe that security measures do have to be implemented fast enough so that this kind of insecurities don't happen. Also let me quote @John on this, even though the system is already implemented (posted on this thread): That quote alone does make me question whether or not the PIN system was implemented only to calm people down and not as a real security measure.
The PIN system is just not that good of a security measure. As for your point about people being scared to donate: I disagree entirely. If people care so much about their donation they can just make a password that would be very very hard to crack. The risk of being hacked when you have a strong password that you don't use for other servers/accounts is almost zero. I personally feel like this argument was only added to your case in an attempt to make the staff reconsider their stance though, of course, I could be wrong in that. It basically comes down to this: People who care enough about their account will make sure their password is safe and as strong as possible. People who don't care that much won't bother. It's up to the players to decide which category they fit into.
Ayy that last sentence struck my heart so bad. Glad you did edit it though. I do care about donations, but only because they are what makes the server able to work. And you are right about the rest. After all everyone needs to be responsible for their actions, even when it comes down to setting a password.