
MIRAKA02

Rank 0
Joined
14 Oct 2012
Posts
1
Location
Japan
Posted Apr 01, 2013 3:32 pm

Re: Security Update

Superman0X wrote:
About a year ago Aeria initiated a forced password reset for our users and throughout the year we noticed this greatly helped with account security. As a result we would like to give you this friendly reminder to please reset your Aeria account password. You should never re-use a password (i.e. your new password should not be the same as the old, nor should it be one you have used elsewhere). We are continuing to make changes on our end that will help with account security, but this is one simple change that you can make for yourself.

j.k.s.gonzales

Rank 0
Joined
22 Mar 2013
Posts
1
Location
Italy
Posted Apr 01, 2013 3:53 pm
Can you please check my ticket 9490617? You've blocked my account. It was my account 3 years ago. I noticed you blocked it 1 week ago. Can I have my old account again, please?

bjorkly

Rank 0
Joined
15 Mar 2013
Posts
2
Location
United States
Posted Apr 01, 2013 4:57 pm
How long is this maintenance supposed to last???

Aaralyna

Rank 0
Joined
15 Mar 2009
Posts
3
Location
Netherlands
Posted Apr 01, 2013 5:08 pm
So that's what happened. 4 years out of game and banned (they tell me I was hacked), then logged in, all characters deleted....

Ok, so it's Aeria that did...

MightySiQin

Rank 2
Joined
09 Mar 2012
Posts
539
Location
Silent Hills Russia
Posted Apr 01, 2013 5:20 pm
Aaralyna wrote:
So that's what happened. 4 years out of game and banned (they tell me I was hacked), then logged in, all characters deleted....

Ok, so it's Aeria that did...

lol, it took you that long to figure out?

minuzaki

Rank 4
Joined
08 Mar 2010
Posts
1620
Location
Hell. Denmark
Posted Apr 01, 2013 6:18 pm
It's kind of a shame when one of your own forum moderators is complaining. The password reset, while 'required' and kinda good since a lot of players do not change their passwords for years at a time, is sloppy. This many people should not be complaining.

has moved to aeriagames.com/user/Ayvii

Avyn

Rank 5.2
Joined
16 Feb 2009
Posts
12966
Location
Western Canada
Posted Apr 01, 2013 10:09 pm. Last edited by Avyn on Apr 02, 2013 5:14 am. Edited 1 time in total.
Changing your password regularly does not increase security. If you keep your password to yourself, the only way someone else can gain access to your account is to either guess your password or crack it. Changing your password prevents or even decreases the likelihood of neither of those. The only time that you should change your password is after you realize someone else has accessed your account, to stop them from accessing it again. All other times, it's pointless. Some account stealer isn't going to have any harder of a time guessing your new password than they did your old one.
CERIAS wrote:
Now, looking back over those, periodic password changing really only reduces the threats posed by guessing, and by weak cracking attempts. If any of the other attack methods succeed, the password needs to be changed immediately to be protected—a periodic change is likely to be too late to effectively protect the target system. Furthermore, the other attacks are not really blunted by periodic password changes. Guessing can be countered by enforcing good password selection, but this then increases the likelihood of loss by users forgetting the passwords. The only remaining threat is that periodic changes can negate cracking attempts, on average. However, that assumes that the password choices are appropriately random, the algorithms used to obfuscate them (e.g., encryption) are appropriately strong, and that the attackers do not have adequate computing/algorithmic resources to break the passwords during the period of use. This is not a sound assumption given the availability of large-scale bot nets, vector computers, grid computing, and so on—at least over any reasonable period of time.

In summary, forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat—unless the password is immediately changed after each use.  

Schneier wrote:
Someone committing espionage in a private network is more likely to be stealthy. But he's also not likely to rely on the user credential he guessed and stole; he's going to install backdoor access or create his own account. Here again, forcing network users to regularly change their passwords is less important than forcing everyone to change their passwords immediately after the spy is detected and removed -- you don't want him getting in again.  

The desire for mandatory password changes stems from the belief that passwords "leak out" over time. But mandatory password changes address only a symptom, not the underlying cause of these leaks. Eliminating account sharing, prompt account closing when users depart, regular auditing of all accounts, and educating users not to divulge passwords under any circumstances would be far more effective for addressing the source of the leaks.

As usual, Aeria has done something far more restrictive and penalizing to legitimate users than to actual threats. Apparently, it's a good idea to blanket ban 1,000 innocent players to catch 2 or 3 account sharers, because your customers love being locked out of your product and your (lack of) staff love wafting through 1,000 account recovery emails.

1) Get actual better security instead of forcing fake security onto the user.
2) Hire more staff. Even if your GMs are the greatest GMs of all time, there simply is not enough of them, period.

Kizuna7

Rank 5
Joined
25 Dec 2007
Posts
4075
Location
Totally Not In Japan
Posted Apr 01, 2013 11:00 pm
GG

~Lil_Kizuna

iBambi

Rank 5
Joined
05 Oct 2010
Posts
4849
Location
Whale hunting in Norway
Posted Apr 02, 2013 2:12 am
Most people that get hacked are people that shared their accounts, or stupidly tried to visit some shady site giving you a key-logger. That being said, security is always good, but as Avyn already said, you're doing it the wrong way. It's a huge inconvenience for us that have several alternative accounts we can't access now. I don't see how this does anything but add to the work of the GMs who have to handle a pile of account recovery RTs, which btw are handled ridiculously poorly.

MightySiQin

Rank 2
Joined
09 Mar 2012
Posts
539
Location
Silent Hills Russia
Posted Apr 02, 2013 5:21 am
Avyn wrote:

2) Hire more staff. Even if your GMs are the greatest GMs of all time, there simply is not enough of them, period.  


lol, we have like 44 G.Ms and double this number of G.Ss... just what are you talking about?!
Even if Aeria hired a hundred G.Ms, nothing would change as long as their screwed up HQs remain. What we need is a completely new Aeria management.