Curse

Bristlebane · Jul 08, 2011, 06:18 PM // 18:18

You know that 24h no-trading/dropping they put on new accounts? What if they would add it on accounts that recently changed passwords or had x number of failed attempts before successfully logging in?

Here's my suggestion:
With an *optional* settings in Guild Wars, accounts are automatically put in 24h lock mode once suspect behavior is detected, mainly password change, or 3+ failed login attempts before a successful login. An email is also dispatched to the owner's currently registered email. This email can't be changed during the 24h lockdown as well.

However, it would be possible to play the game normally, just with a few restrictions:
* No item dropping, no trading, no character deletion, no email/password change.

In case someone do get hacked, they have 24h to react (assuming their email address was correct and read), which is a good time to change your password.

NOTE: Please, no topics about "hacked account is your own fault", we've seen enough posts like that, it won't lead to anything productive.

RedDog91 · Jul 08, 2011, 06:26 PM // 18:26

If such a system were put in place, more people would complain about it messing up their trading than would be protected by it.

Bristlebane · Jul 08, 2011, 06:28 PM // 18:28

Since it's an optional lockdown feature, and since the time is relatively short (24h), I think many people would consider it a fair price to pay. It's not like people type their password wrong everyday.

jazilla · Jul 08, 2011, 06:30 PM // 18:30

I think they should just add an in-game password system for the Xunlai Vault. Make it so it has to be different from your log-in password. That way you get extra protection for your in game valuables.

Bristlebane · Jul 08, 2011, 06:33 PM // 18:33

Quote:

Originally Posted by jazilla

I think they should just add an in-game password system for the Xunlai Vault. Make it so it has to be different from your log-in password. That way you get extra protection for your in game valuables.

While I'm all for anything that adds a bit extra security, I doubt this would help much. Many people use characters as storages and they wouldn't be protected by this. You also didn't mention how often you need to type your password. Once every usage? Once every login? Only after x failed login attempts?

Another Felldspar · Jul 08, 2011, 07:06 PM // 19:06

/signed

If this were an option I would use it. I would also include a 24hr lockout if my account were accessed from a Chinese IP address.

This isn't a bad OPTION at all.

drkn · Jul 08, 2011, 07:53 PM // 19:53

So let's say i use that option. I log in into my account normally, no mistakes inputing u/p.
Then a hacker tries to log into my account, knowing everything but password. He didn't succeed, despite a great amount of tries. Next day, i log onto my account and, if i understand you correctly, i can't trade my stuff, out of a sudden.
All in all, i pay the price of a hacker's failed attempts in getting onto my account.

Sounds a bit silly.

Bristlebane · Jul 08, 2011, 08:01 PM // 20:01

Quote:

Originally Posted by drkn

All in all, i pay the price of a hacker's failed attempts in getting onto my account.

For 24h yes, but I know what you're getting at. It could be used as a way to cause grieving to others by deliberately doing a few failed passwords everyday. Solution to that would be if the successful login was made within 10 minutes of the failed attempts. You could also limit the lockdown time to say 8 hours giving you a chance to react to the security email. Such an email would contain additional information like the [potential] attacker's IP address etc.

But if you ask me, I rather get my account locked from trading and dropping items for 24 hours rather than losing all my gold, minipets, weapons, armors and characters.

jazilla · Jul 08, 2011, 10:09 PM // 22:09

Quote:

Originally Posted by Bristlebane

While I'm all for anything that adds a bit extra security, I doubt this would help much. Many people use characters as storages and they wouldn't be protected by this. You also didn't mention how often you need to type your password. Once every usage? Once every login? Only after x failed login attempts?

Every usage would be great. I use passwords so many times a day as it is, what does it matter if I am using them more? Also, I would look at my valuables less in game

Hooper287 · Jul 09, 2011, 01:02 AM // 01:02

/signed
I've been hacked before too, and my account was permanently banned because of it. It was a 4 year old account and there was absolutely no way of getting it back. There are some of my friends who claim they have been hacked too, and they have proven it to me, they haven't even given out their passwords or anything that would allow someone to access their account.
Most people just say "oh, stop QQing about your account being hacked (insert leet speak insult here) you couldn't have been hacked without giving out your pass". Me and apprx 500 other people beg to differ.

Chrisworld · Jul 09, 2011, 03:39 AM // 03:39

I like the idea. But add *no item deletion* and *no item salvaging* to the list as well.

I find it hard to believe anyone would complain about this being a problem. If they change their password so often that it becomes a problem then they have the problem. Same goes for putting in the wrong password several times.

This is a great idea.

Master Ketsu · Jul 09, 2011, 04:21 AM // 04:21

/signed for including it as an option the players could enable for themselves.

/unsigned for forcing it.

I would definitely enable it for myself. IMO this is the most brilliant suggestion I've seen here for a long time.

Ximvotn · Jul 09, 2011, 06:26 AM // 06:26

A optional lock feature with a code different than your password. You can choose what to lock... for example: storage, armor, gold, weapons, characters, etc. that way nobody can move anything you change. If you lock character X then anyone who logs onto that character can not move items from his bags, or a complete storage lockout so nothing can be moved from that either. A more complex and selective lockout feature would hold my interest I suppose.

/signed

shadowfell · Jul 09, 2011, 07:01 AM // 07:01

I mean, this sounds crazy and all, but the authorized location for ncsoft should be applicable to the in-game login too. Say, if someone tried to log into my account from anywhere other than my authorized location, red flag goes up and the account is locked or they get a =sorry, this location is not authorized= and are denied access. I would even still be ok with still getting booted out of game with the warning that goes something like, "Someone has attempted to access your account while you were logged in", disconnection error.

Then, I not only know someone tried to log into my account and that I have to go into panic mode, but that I have time to adjust whatever is needed to make sure it doesn't become a problem.

The downside is, if they're bruteforcing and just plugging in random emails to try and access a real account, that would pretty much notify them that they had a live one.

Also, Rift's Coin-Lock system, We need that here. It's better than Wow's authenticator, imo.

I had many other brilliant ideas, but it pretty much included banning china from accessing the internet at all and I don't think that will go over well.

Bristlebane · Jul 09, 2011, 07:09 AM // 07:09

Biggest concern is just how to avoid people grieving others on purpose. For example:

Say someone doesn't like you, manage to get your login email and enters a few bogus passwords every 24 hours putting account in a permanent lockdown mode.

Solutions to that would be that you could break the lockdown with a secondary password, and that you receive the exact time/date/ip address of whoever tried to access your account. That way you have a chance to track down who is grieving you.

gremlin · Jul 09, 2011, 12:30 PM // 12:30

Quote:

Originally Posted by Hooper287

/signed
I've been hacked before too, and my account was permanently banned because of it. It was a 4 year old account and there was absolutely no way of getting it back. There are some of my friends who claim they have been hacked too, and they have proven it to me, they haven't even given out their passwords or anything that would allow someone to access their account.
Most people just say "oh, stop QQing about your account being hacked (insert leet speak insult here) you couldn't have been hacked without giving out your pass". Me and apprx 500 other people beg to differ.

Anything that improves security is good, If they are going to do something I would prefer a secondary password or ability to lock my account.

Friend gets hacked and proves it !!! really and you know for a fact they didn't give out their password.

The reality is we never know what people do, If my brother lost stuff from his account there is no way he could prove to me he didn't engineer it himself or post his password on the net.

I trust him, I believe him but he couldn't prove it, and that is the real problem in GW.
Absolutely no one knows the truth about hacking even those who are hacked only know their own situation.

No one not even anet can be sure about the level or not of genuinely hacked accounts.

Bristlebane · Jul 09, 2011, 12:53 PM // 12:53

I had my account hacked once and I went a frekkin communication security class. A place where we hacked everything from WEP, Windows Server, DHCP etc. I do use a strong password (except ncsoft, they don't allow such a thing), I never ever shared account, never used my login email in any forum. And I'm certain I didn't have any keylogger, malware or virus on my computer as well. My point is, people who say "it's your fault" don't really know anything, they just repeat what others said on forums thinking they're now security experts.

Arghore · Jul 09, 2011, 08:03 PM // 20:03

I like this idea, maybe not in it's current form (like changing passwords regulary tends to be a good thing, so why put a penalty on it), but the lock out of trading if a login has occured after X-times trying would be a good idea, and the password change would also be good if only it were accompanied by the X-times failed login. In those situations i would actually prefer a longer time (like a week perhaps even) given that the player can lift this restriction in some way, f/e contact with support and supplying them with the box codes for the account.

Bristlebane · Jul 10, 2011, 06:59 AM // 06:59

Or unlocking it with a master password, or by typing in one of your product keys again.
It's good if it's somewhat automatic so we don't have to bug support too much about it.

CorDa616 · Jul 10, 2011, 10:27 AM // 10:27

I /sign this, but there are some complications to this idea.

Firstly, no dropping of items would cause a vast majority of new bugs to arise and is absolutely pointless as the drops they get really doesn't matter. For all you know the crafty bastard farms a VS and then realizes he can't sell it - that part you can consider payback and reward.

The restrictions put on the account, the 24-hour thing, won't exactly work properly as some, if not most, people don't log in every 24 hours. A better approach to this would be to revert the said account to a trial version account, at least schematics wise. Trail accounts can't trade and thus he won't be able to trade anything.

To end this a reasonable approach would be to have the person verify the changed password in their email address and have the account reset to normal functioning. This will severely limit the amount of hackings that occur from third-party apps and such.

However, the human stupidity factor still remains, which is the biggest part of why accounts get hacked.

Another way to approach this is to set up a 'master' password like you suggested, but not the keys as some people don't possess those anymore. What could be done is a 'secret question' type of thing. Not an automated one as a hacker can just string you through those questions. I would suggest you get to pick it, but when you need to type it in again the box does not reveal the original question.

IF you have a NCsoft account the question could be linked to that like the CD-keys, but not physically show when you try to access the account; or an alternative email can be set up where the question is sent if requested.

I applaud the idea but since GW2 is coming out soon it might just be useless. The con-men aren't going to stick around to fry small fish when a bigger one swims around. I think this would've been great if implemented from the start.

That's it from me and excuse any typo's, been awake a solid 30 hours.