Password Change Request Due to Other Sites Being Compromised

Earlier this year a few well-known games and sites were compromised, and lists of usernames and passwords became widely available. Yesterday, it was revealed that DOTA2 was the latest victim.

We continue to be fortunate enough to not be one of the victims of these attacks. However we are under a hacking attack that is using these leaked username/password combinations to try and login to Shroud and has succeeded several times so far. If you have played one of these games that has been compromised you may be one of the victims we identified today.

You must make sure your username, or at least your password is unique on our site. We insist that you change your password if you have any doubt. FYI, this is good security behavior in general.

For now we have temporarily disabled login to the official website until 6:00 PM CDT (11:00 PM UTC). When we bring it back up, please login to the website, click on "Account" to go to your Account Page, click "Edit Profile" link beneath your profile image, and enter a new password on your Profile Settings page.

 

Two Factor Authentication would be nice.

 

2FA could have prevented this...just sayin'.

But yes, using the same password on multiple sites is not a good thing.

 

Yubikey support would be appreciated.

 

Without knowing the list of "a few well-known games" or what DOTA2 is, it's impossible for anyone to make an accurate risk assessment. My password is only used here, and is very strong because it's good practice ESPECIALLY IN THE ABSENCE OF 2-FACTOR AUTHENTICATION and I like keeping my substantial investment with Me.

 

Thanks for the heads up!

Fortunately I always do the right thing and never reuse a password or passphrase anywhere. Still, it's always a good habit to change passwords frequently for reasons just like this, so I have.

 

@Berek - is there a way to change our account username? password strength is half the solution. When I look at my profile I can change my password and my display name but not my username.

 

How about the ability to type longer passwords? The string length seems shorter in the available space than I use on some other sites. Or is it just difficult to see more characters being added?

 

@Chris Discussion on 2fa is nice. Doesn't do a bit of good to just talk about it, however. Force it on us today.

 

If you log into your account exclusively via Steam, it might be cool to have a feature where you could disable regular SotA logins for your account via the profile settings page. Not as good as 2fa for everybody, but could be a reasonable interim solution for that subset of users.

 

I'd like the ability to change user name too.

 

Glad to see this addressed proactively.

 

what would the second factor be, since the nist is now actively warning against using phones?

 

I use unique passwords on all sites.
That being said, Google Authenticator compatible 2fa would help my smart phone being clutter free.

 

The cheapest option would be $18. Which of course is not feasible to "force" people to buy, nor is it reasonable for Portalarium to put pledge dollars towards that. However, it would make a great premium option that I would very much support.


Not to mention you could totally brand this as the Oracle Authenticator, and sell it in the shape of a watcher.

 

Also...

http://www.slate.com/blogs/future_t...from_sms_based_two_factor_authentication.html

 

Reluctantly, I agree that we should have 2 factor authentication. It is just not worth the risk not to. Besides, Portalarium should not want to have to return stuff to many many users if they have a big failure.

 

2Fa would be nice,or at least give us a option to have a code sent to our cell phone number we provide with a verification code to enable a password change or a log in from a unknown computer.