Password Change Request Due to Other Sites Being Compromised

Discussion in 'Announcements' started by Berek, Aug 11, 2016.

Thread Status:
Not open for further replies.
  1. King Robert

    Thank you, Portalarium, for working so hard on the game we love and the security we need.
     
  2. Nox Haven

    I use 1Password to manage passwords (mac/win). It basically generated a 26 character length password of caps, symbols, letters and numbers. So 26 characters works fine here.
     
    John Markus likes this.
  3. gadget

    2FA with support for yubikey
    batten down the hatches
    force on users from the get go
    makes everyone's experience better
     
  4. MeddlingMonk

    I made my new password 32 characters long, which is my preferred length, and the site didn't complain it was too long. No idea what the upper limit is, supposing there is one (there usually is).
     
    Beaumaris likes this.
  5. Rebelweasel

    The only caveat I would put on an authentication system is what others have said: don't make it cost the players extra money, because not all can afford it and you'd effectively lock them from their game. In addition, I know it's hard to believe, but keep in mind not everyone on the planet gets a smart cell phone. There are still many many people who use standard phones or even neanderthal cell phones, so the forced use of a smartphone app will also isolate some people from the game.
     
    Saosis and Fister Magee like this.
  6. Mitch [MGT]

  7. Wintermute of CoF

    NIST is actively warning against using SMS, not phones with 2FA apps.
     
    Black Tortoise likes this.
  8. agra

    It will happily accept 50 characters at least. :)
     
    Beaumaris likes this.
  9. nakunaru

    For the person who is responsible for the mail that was sent out: please reconsider the use of tracking links in such important mails.
    You send out mails to people saying that they should change their password and provide a link to your website. But the link doesn't point to your website "shroudoftheavatar.com"; rather, it points to "http://shroudoftheavatar.us4.list-manage.com", which will be redirected later to your original site.
    That's exactly the same way scam mails work, like the PayPal ones I am getting daily which say "please change your password - login here paypal.bad-scammer.com".

    Just a simple rule for people - never click on links in mails - go to the website manually and don't use the same username/password combination all the time.
    And for companies - don't provide password change links that don't point to your own site directly; they are just not trustworthy, and that's the least you want, that people can't trust your very important mails.
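
The check the post above asks of senders, as an added example that is not part of the original thread or of Portalarium's code: lint an outgoing mail's links against the site's own domain before sending. Only the two hostnames come from the post; the sample mail body, its paths and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "shroudoftheavatar.com"  # the site's own domain, as named in the post

# Constructed sample mail body; paths and query values are placeholders.
SAMPLE_MAIL = """
<p>Please change your password.</p>
<a href="http://shroudoftheavatar.us4.list-manage.com/track/click?u=EXAMPLE">Change password</a>
<a href="https://www.shroudoftheavatar.com/account">Account page</a>
<a href="mailto:support@example.invalid">Contact us</a>
"""

class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def naive_brand_match(host, brand="shroudoftheavatar"):
    """The glance test: the hostname starts with the brand, so it looks fine."""
    return host.lower().startswith(brand)

def host_is_official(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == official or host.endswith("." + official)

def off_domain_links(html_body, official=OFFICIAL_DOMAIN):
    """Return (href, host) for each web link that leaves the official domain."""
    collector = HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and relative links are out of scope here
        if not host_is_official(parts.hostname, official):
            findings.append((href, parts.hostname))
    return findings

if __name__ == "__main__":
    for href, host in off_domain_links(SAMPLE_MAIL):
        print(f"off-domain link: {host} <- {href}")
```

The tracking hostname passes the glance test because it begins with the brand name, but it is a subdomain of list-manage.com, which is why the comparison has to be made on the end of the hostname.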
     
  10. Kytail

    Does Steam actually require 2FA? Because it's not required on my wife's Steam account.

    Nonetheless, I don't even know my SotA password. I set it to some ridiculously-long random string of characters, and put that away inside my password database. At least the Steam login has 2FA. ;)
     
  11. Tahru

    I have to say that I really don't like captcha.
     
  12. stidesx

    Took me 4 tries on the stupid cantcha, hate 2 factor even more, especially with a game that has me switching between friends only and mmo.

    That said, it's shitty to have to try to protect against such things, and it's really really difficult to balance convenience and security. Good luck to the team.
     
  13. Ronan

    The captcha is probably temporary. Quick to put in place to ward off multiple attacks.
     
    Duchess Fionwyn and Tahru like this.
  14. Tahru

    Google has mastered captcha with the "I am not a robot" button. That feature is free to everyone on the Internet to use.
     
  15. Wintermute of CoF

    Tahru likes this.
  16. Satan Himself

    My login name is 2fa and my password is yubikey melikey. So far no hacking. :rolleyes:
     
    Tahru likes this.
  17. Black Tortoise

    I still get these wrong sometimes too. "Oh, I could have sworn that was a french fry!" and "Oh, that did not look like a car" etc...

    But yes, generally they're much nicer than old school recaptcha.
     
    Tahru likes this.
  18. Kytail
