1

Topic: Zer - Solution to Email/Account Stealing from Recovering Accounts

Sup bros!

So I was thinking about how the email thing doesn't work because people were abusing it in the past. You said you would put it back up if someone could think of a way in order to make it work. So this is what I suggest.

First of all, when someone logs into their character on Faldon prompt them to set a Personal Recovery Question/Security Question. Just like when you type "changepassword newpassword" make it "setrecoveryquestion newrecoveryquestion" and "setrecoveryanswer newrecoveryanswer". On the website underneath the Account Name or Character name or w/e add a new box that requires the answer to the recovery question. Or maybe, if that doesn't work, have them login using their account names on the website and set a recovery question but require that they input their email as well.

Although by going through this process the website way, people who have access to accounts but not the passwords to characters would still be  able to set a recovery question and thus take control of the account. So I would believe the in-game way would be the best way, if not the harder way. But remember, the harder it is to set recovery questions, the harder it is for a hacker/stealer to do so as well. This might thwart the would-be hackers but would not solve everyone's problems.

We would still have to deal with those who forgot their Account Usernames/Passwords or no longer have access to their emails. But in any case, it would be fairer to the majority. As it stands if you forget anything about your account you are left out. At least this way a few people would be able to benefit. It stands to reason that when you benefit a few, you benefit the majority, given that some characters would be recovered which would have valuable items on them.

Also, to change your email, maybe send a server-mail to all the characters on the account that email is attached to, and asking them to verify the change by putting a verification code that the in-game mail sends to you into a box in order to verify along with a verification to the new email and a notification of the email change to the old email.

Anyway, this is probably more trouble than Zer wants to go through...

Then again, it is Zer maybe he'll surprise us but I doubt not, for all I know he is dead and has been buried for years...

Last edited by King Faldon (August 24th, 2011 6:49 PM)

Member of SlutsOfFire! Heil ein Fuhrer Rob!

2

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

Account management is definitely a tricky problem to solve. Your suggestion seems like a good one, one thing I would change though is to make setrecovery into a single call that takes two parameters, instead of having setrecoverypassword and setrecoveryanswer as separate calls. If you allow them to be updated individually you could end up with the values being desynchronized, which obviously doesn't help anyone.
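
Added example, not part of the original thread or Faldon's code: a Python sketch of the single two-parameter call suggested in the post above, where question and answer are written together so they cannot drift apart. The function names, the SQLite table and the salted PBKDF2 hashing of the answer are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical schema: one row per account, so a question can never
# exist without its matching answer hash.
def open_store():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE recovery (account TEXT PRIMARY KEY,"
        " question TEXT NOT NULL, salt BLOB NOT NULL, answer_hash BLOB NOT NULL)"
    )
    return db

def _answer_hash(answer, salt):
    # Normalize case and whitespace so "  Rex " and "rex" match.
    normalized = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 200_000)

def set_recovery(db, account, question, answer):
    """Set question and answer in one call and one transaction."""
    question = question.strip()
    if not question or not answer.strip():
        raise ValueError("question and answer must both be supplied")
    salt = os.urandom(16)
    with db:  # commits on success, rolls back on any error
        db.execute(
            "INSERT OR REPLACE INTO recovery VALUES (?, ?, ?, ?)",
            (account, question, salt, _answer_hash(answer, salt)),
        )

def get_question(db, account):
    row = db.execute(
        "SELECT question FROM recovery WHERE account = ?", (account,)
    ).fetchone()
    return row[0] if row else None

def check_recovery(db, account, answer):
    row = db.execute(
        "SELECT salt, answer_hash FROM recovery WHERE account = ?", (account,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and supplied answer hashes.
    return hmac.compare_digest(row[1], _answer_hash(answer, row[0]))
```

A rejected call (for example, a blank answer) leaves the previously stored pair untouched, which is the property the separate-commands design cannot guarantee.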

3

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

Having some sort of recovery question system would be a good idea but I don't think Zer's going to want to change any account management features because of the decade worth of legacy data which was all created with the current management features in mind.

Changing anything in account management would require a LOT of thought or we run the risk of unintentionally compromising a large number of accounts, much like what happened when the website showed the email address tied to an account.


Correct me if I'm wrong but as I understand it with your suggestion anyone who can log a character on an account can set the recovery details and then go on the website, use the recovery details and is then able to see the email address tied to an account?

Wouldn't that make this scenario possible?

Player has access to someone else's old character used for whoring purposes but doesn't have access to the email.

Player logs on the old character, sets the recovery question and answer.

Player goes to the website, logs in and uses the newly set recovery details and sees the email tied to it.

Player recreates the old unused email address and uses password recovery to get on the other characters on the account.

Player now changes the account password.

Player now has control over: the email tied to the account, the recovery details, all characters and has locked out anyone else who had knowledge of the account by changing the account password.

4

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

Very true, Rick, but the solution to that problem is very simple indeed... change your character passwords often. Zer cannot and should not take the blame for every lost and compromised account. He states himself in the TOS or maybe the Rules or Suggestions, anyway, he has stated that if anything happens to your account because you let someone else use it, it's not his fault. And rightly so, you were the one who gave out the passwords to the characters on your own account.

And as I stated in the original post, this will not help everyone. The game has been out for too long, we have had deaths, quitters, poverty, and hacking which has driven people away and left old unused accounts on the system which no one has access to. Sure someone may hack an account but you can safeguard yourself against having that happen. Set the recovery questions up before they do, change the passwords on all of your characters, make sure you have your email security features enabled, etc. I know for a fact that my email is protected. I used a hard to guess password that contains uppercase and lowercase letters and numbers, I added 3 alternate emails in which to send information about changing my password, I set up the security on those emails, I added my own personal contact information in case someone claims they own my account, etc. It's not hard to protect yourself.

Anyways, this suggestion would be highly appreciated among the community and I'm sure it would help out quite a few people. I was talking with a couple of older players who lost access to their old accounts and have been waiting for Zer to respond to their queries for over 3 years now.

Member of SlutsOfFire! Heil ein Fuhrer Rob!

5

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

It's true that in most cases it is the fault of the player when an account is compromised, but the reality is that people DO share account details and have been doing this for a long time but they've only agreed to doing so after having considered the current risks of sharing these details.

Currently there's no real risk in sharing the details to a character if the owner has a working recovery email.

Worst that could happen is that someone steals your stuff or gets you jailed.

However, if we would implement your suggestion the risks for sharing details change significantly as having access to an older character without a recovery question set means someone could potentially gain control over the entire account and associated email.


As you probably know Faldon players don't usually quit Faldon but they take breaks. These breaks can last from a few weeks to a few years but I think it'd be nice if they can be sure they still have their old accounts when they return. Then again a recovery system could help a lot of these people as they forget their details after their break.


In the end it is up to Zer to decide what risks to take and how much time to spend:

Helping quite a few players with lost password/email troubles + risking the raid of a load of old accounts + Zer having to build a recovery question system.

versus

Having the people with lost password/email troubles quit, start new accounts or just move on + Zer doing nothing.

6

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

To sum up the debate in case someone doesn't want to read all that text:

1) Implement recovery questions that can be set in-game OR on the website. My suggestion would be for the in-game. Simply log into 1 character on the account and set them. If one wished to send an email to get the account name and password and character passwords they would have to input the recovery question.

2) People who have "quit" playing who own an account yet share it with someone else might possibly have their accounts stolen from them by the person they are sharing the account with, or another shady individual.

3) A lot of people said they will come back whenever the new client comes out. If it's a new server. That means a "server wipe" meaning people will have to make new accounts so it really doesn't matter to those people anyway. The ones that are taking a "break" as you say.

In any case, there are good sides to both arguments and ultimately it's up to Zer and not us. If he thinks he can pull it off then do so.

P.S. Zer, if you think it's logical and makes sense, do it. You promised. Don't be lazy lol.

Member of SlutsOfFire! Heil ein Fuhrer Rob!

7

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

My account e-mail was changed a long time ago... because it surely isn't linked to the same e-mail address that I created it on lol

I don't question my sexuality, my sexuality questions me.
Self Gratification is God's greatest gift to man.

8

Re: Zer - Solution to Email/Account Stealing from Recovering Accounts

Regardless of how messed up the current client is, I think it's important to hash out these details in the case that new client ever comes out,  in order to avoid this whole debacle happening all over again.

That said, I have a hard time being sympathetic for people who shared accounts or used dummy email addresses during registration.  I will grant Spy the point that the de facto system early on presented very little risk for doing so, but it was always against the ToS, not to mention common sense.