Possible security risk.

Hello.

I am not a programmer or anything like that. But today as I was trying to log in to my account I noticed that if I write my mail address wrong the site immediately lets me know that this email doesn't exist in your database. This feature makes it totally easy to probe for email addresses. And since some ppl here have much more important accounts here, it's risky. My thoughts are that it would be much safer if you guys removed this feature; while it is convenient, it is also risky.

Now if my thoughts are wrong please let me know and delete this thread.

Thx


4/18/2017 3:03:49 PM #1

It's a debated topic and there are good points on both sides. Honestly if I was going to try to hack in by guessing a user's email I would just brute force it anyway.

Telling someone an email does not exist in our system is a lot better than telling them it does. I really wouldn't worry about it.


ZRO

4/18/2017 3:55:24 PM #2

All they need to do is update the error message to say "that email and password combination are not recognized" and things get a lot more secure.


Avid wiki editor, with a special interest in categories, navboxes, and infoboxes.
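An added example (not the site's code) of the two behaviours discussed above: a login check that answers differently when the email is unknown, beside one that returns the single generic message proposed in the reply and does the same amount of work on both paths, so neither the text nor the response time tells the two cases apart. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: email -> (salt, PBKDF2 hash). Not the site's real code.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential verified when the email is unknown, so the "no such user"
# path costs the same as a real password check (no timing difference).
_DUMMY = (_SALT, _hash(secrets.token_hex(8), _SALT))

def login_enumerating(email: str, password: str) -> str:
    """The behaviour the original poster saw: the reply reveals whether the email is registered."""
    rec = USERS.get(email)
    if rec is None:
        return "This email does not exist in our database"
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password"

GENERIC = "That email and password combination is not recognized"

def login_generic(email: str, password: str) -> str:
    """Same message and same work whether or not the email exists."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if ok and email in USERS else GENERIC
```

The same single message has to be used on the sign-up and password-reset forms as well, otherwise the login fix is undone there.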

4/18/2017 5:40:27 PM #3

Posted By Woogawoman at 5:55 PM - Tue Apr 18 2017

All they need to do is update the error message to say "that email and password combination are not recognized" and things get a lot more secure.

That is what I had in mind. Just delete this post; I see it was pointless for me to present my concerns.


4/18/2017 6:48:57 PM #4

I was actually trying to indicate my agreement with you. :)


Avid wiki editor, with a special interest in categories, navboxes, and infoboxes.

4/18/2017 7:01:33 PM #5

A couple of thoughts:

a) Why would anyone want to hack an account here? What would they possibly gain for the effort?

b) What's the worst that could happen if an unauthorized user got into your account? I see absolutely nothing of value that can be stolen.

Which actually leads me to another question. Why does CoE have such strict password rules? All that does is make it harder for regular users to remember their passwords. A hacker is NOT going to randomly guess passwords. They will first go through the list of most commonly chosen passwords and then, if they really want in badly enough, go through brute force methods. Which is why passwords by themselves offer only minimal security, and requiring complex password rules inconveniences members of the community more than it offers any real security.

A better level of security is two-factor/two-step authentication. If you really worry about security, implement that. Ditch the complex password rules. That's only an illusion of security.


Friend Code: 4AC3A3

4/18/2017 10:42:33 PM #6

Posted By COECipher at 11:01 AM - Tue Apr 18 2017

A couple of thoughts:

a) Why would anyone want to hack an account here? What would they possibly gain for the effort?

b) What's the worst that could happen if an unauthorized user got into your account? I see absolutely nothing of value that can be stolen.

Which actually leads me to another question. Why does CoE have such strict password rules? All that does is make it harder for regular users to remember their passwords. A hacker is NOT going to randomly guess passwords. They will first go through the list of most commonly chosen passwords and then, if they really want in badly enough, go through brute force methods. Which is why passwords by themselves offer only minimal security, and requiring complex password rules inconveniences members of the community more than it offers any real security.

A better level of security is two-factor/two-step authentication. If you really worry about security, implement that. Ditch the complex password rules. That's only an illusion of security.

There are always those who want to hack an account, even if it is just to brag about it. There are people who have spent quite a bit of actual money here, who would be rightly pissed off if someone hacked their account. Not only that, but those people who have spent enough have access to the NDA sections, and would not like any old random hacker to gain access to those sections of the forums and get blamed for it.

The password requirements are all about making it harder to guess the passwords by increasing the potential values for each character. Instead of only 62 possible values for each character (a-z, A-Z, and 0-9), adding the symbols makes each character that much harder to brute force (depending on the symbols allowed, each character could be in the range of 80-90 possible values), which significantly adds to the possible permutations of passwords available. Honestly, even with that, having a 6-character minimum is kinda low.

Now brute forcing over the web is usually easy to detect, but I have seen some attack attempts do it in a very slow and methodical method of trying 1-5 attempts every couple of mins. Attackers try and get around that by using vast botnets to hide that an attack is taking place.

I agree that I would love to see two-factor authentication as an option, and some places go overly complex with the requirements, in ways that negate the benefits you would get with having a bigger pool of values for each character, but the best thing would be if people would actually take password security seriously, and not choose bad passwords, or re-use them on multiple websites.
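An added example (not the site's code) of the detection side of the slow, spread-out guessing described above: over a constructed auth-log excerpt, each source IP stays below a per-IP failure threshold, so only a per-account view that counts failures from several IPs within a time window notices it. The space-separated log format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the site): time, result, email, source IP.
LOG = """\
2017-04-18T15:00:05 FAIL alice@example.com 203.0.113.10
2017-04-18T15:02:31 FAIL alice@example.com 198.51.100.7
2017-04-18T15:04:12 OK   bob@example.com   192.0.2.44
2017-04-18T15:05:48 FAIL alice@example.com 203.0.113.77
2017-04-18T15:08:02 FAIL alice@example.com 198.51.100.23
2017-04-18T15:11:19 FAIL alice@example.com 203.0.113.10
2017-04-18T15:13:40 FAIL carol@example.com 192.0.2.9
2017-04-18T15:15:57 FAIL alice@example.com 198.51.100.7
2017-04-18T15:19:03 FAIL alice@example.com 203.0.113.101
"""

def parse(log: str):
    """Parse log lines into (timestamp, result, email, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, email, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, email, ip))
    return events

def per_ip_alerts(events, threshold: int = 5):
    """Naive detector: flags a source IP with many failures. Misses guessing spread over IPs."""
    fails = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def per_account_alerts(events, window=timedelta(minutes=30), max_fails: int = 5, min_ips: int = 3):
    """Flags an account that collects many failures from several IPs inside one window."""
    by_account = defaultdict(list)
    for ts, result, email, ip in events:
        if result == "FAIL":
            by_account[email].append((ts, ip))
    alerts = set()
    for email, fails in by_account.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):          # slide the window over each start point
            in_win = [ip for ts, ip in fails[i:] if ts - start <= window]
            if len(in_win) >= max_fails and len(set(in_win)) >= min_ips:
                alerts.add(email)
                break
    return sorted(alerts)
```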


5/26/2017 2:27:17 PM #7

Sorry I know this thread is old but I just got here and wanted to add my voice to the requests for two factor authentication. It's been around long enough that it should be a part of any game login screen, even when it's just a website (for now). Thanks!!! :)


Hi. I see that you're good at Centipede.

5/26/2017 4:41:16 PM #8

Thank you, we appreciate your feedback!

Keep in mind a lot is in the early stages of what it will ultimately become. Once the final iterations of the website, forums, game, and many other elements are complete sometime into the future, much will be improved and refined.

Over time, all things CoE will evolve and I can assure you we will have two-factor authentication prior to launch.

Cheers!


"Stupid questions make more sense than stupid mistakes."