Password Recovery

Posted: Sat Jan 09, 2016 2:38 am
by Asmodeous
This is getting really frustrating. If your account has repeated failed logon attempts, FT changes that password and emails it to you in whatever language the person who tried to break in has their app set at.

SO FAR.

Spanish.
Russian.
English.

I've an idea who they are too.

Mostly Russian break-in attempts. Can we change this? Can FT not reset passwords BECAUSE of failed logon attempts?

Re: Password Recovery

Posted: Sat Jan 09, 2016 3:03 am
by Asmodeous
Another Russian attempt. Password changed again by FT servers. If this is a legitimate tactic...

Re: Password Recovery

Posted: Sat Jan 09, 2016 4:45 am
by Asmodeous
And again. Russian.

This is a really great way to illegitimately lock people out of an account. Any replies to this would be great. A change would be great.

Re: Password Recovery

Posted: Sat Jan 09, 2016 8:33 am
by Arachnia
Interesting.
You do not explicitly mention the reason why you are complaining about these mechanics - account sharing!

In FT, every account is meant to belong to ONE Person, the OWNER. This is the person who has access to the email address that is attached to the character.

So if any person (normally, it should be YOU) does not remember his password, he can start the recovery process.

In the beginning, the System did not change the password during that process. This has led to big issues of account stealing. So compbatant changed that.

The current mechanics are meant to protect people. If - as a side effect - account sharing is made more complicated, creator's intention is emphasized.

Re: Password Recovery

Posted: Sat Jan 09, 2016 8:46 am
by Asmodeous
Arachnia wrote:Interesting.
You do not explicitly mention the reason why you are complaining about these mechanics - account sharing!
I did mention the reason why I was complaining. People tapping on the recovery option 3 times plus a day. If you want, without going into detail here, I could lock you or anyone else out of playing the game for as long as I wanted to.
Arachnia wrote:In FT, every account is meant to belong to ONE Person, the OWNER. This is the person who has access to the email address that is attached to the character.
Agreed, have never considered debating such.
Arachnia wrote:So if any person (normally, it should be YOU) does not remember his password, he can start the recovery process.
That's how it should be used. Yes. But it's not used like that. This is why I have posted proposing change.
Arachnia wrote:In the beginning, the System did not change the password during that process. This has led to big issues of account stealing. So compbatant changed that.
It should've stayed that way. There's a reason why most other places don't change the password upon recovery. At least most MMOs I've played just recover the account and let you edit the password once you've been emailed it.
Arachnia wrote:The current mechanics are meant to protect people. If - as a side effect - account sharing is made more complicated, creator's intention is emphasized.
I'm not talking about account sharing in the slightest causing problems. This system can be used to protect people, sure. But it's far easier to just stop someone from playing the game by using this system. The side effect doesn't make account sharing difficult. At all. The side effect is completely stopping someone from playing. For as long as you desire.

Re: Password Recovery

Posted: Sat Jan 09, 2016 6:09 pm
by kromelg
Interesting. Don't know about that.

Regular password resetting annoys the account's owner.
And on the other hand, according to the rules of the game, players should use safe passwords.
Paragraph 1 of the game rules tells us "A password is considered safe, when it has at least 8 characters and includes both numbers and letters."

A player can use a safe password, which includes more than 8 characters, both numbers and letters.
But at any moment another player can reset this safe password to a password which includes only 6 numbers. Such a password is easier to hack.

Re: Password Recovery

Posted: Sat Jan 09, 2016 8:13 pm
by Gandalf
we should make it longer, yes. 10 digits will be safe again. millions of guesses needed and the server will recognize it early enough ;-)

reason: you are correct with pw safety here.

though it was meant as a short-time password due to the reset process by the owner.

as mentioned, it can be abused a bit... 3x per day are fine imo... we can reduce it to 1x per day, too.

but we have our reasons to give the players the option to reset it and also, that the pw will be changed. it avoids sharing and trading, which is a big issue for the team all day long. tbh, 80% of my time for FT, i talk to players, who "forgot" their passwords or got their chars stolen etc.

Re: Password Recovery

Posted: Sat Jan 09, 2016 10:01 pm
by Asmodeous
Limiting the reset still isn't a good idea. Because the pw still changes and you can still use it to annoy someone awesomely. During key points of a battle.

I'm not talking here about account sharing at all. Nor the impacts this system has on account sharing. Which aren't too high anyway imo. The stats on acc theft are probably lower though. That's for a different thread though.

I'm focusing on how one can abuse the current system that changes someone's password and how it's used maliciously. I'm debating that it shouldn't change the password to a series of numbers.

-It can be used repeatedly to lock someone out at present. Be it for malicious means or for "the lulz"

-Changing it to purely numbers isn't safe. At all.

-Even at 3x a day if that goes in. It's 3x a day someone can make their enemy login slower. It could be a crucial point of a battle for instance.

If the pw isn't changed by FT servers and instead the current password of that account is just emailed to the correct email, everything above becomes irrelevant.

-You cannot lock someone out indefinitely.

-You cannot make someone log in slower 3x a day during a crucial point in a battle (if the 3x thing went through)

-It isn't changed to purely numbers. Which is unsafe even at 8 to 10 digits.

If you want to delve into the topic of sharing. Having an email account attached to a FT account makes it more likely for someone to share. Password recovery, whether the server changes the password or not, means more people will share. This doesn't actually stop it. It actually promotes the idea "I will be able to get my account back no matter what". All it hinders is selling.

Re: Password Recovery

Posted: Sat Jan 09, 2016 10:40 pm
by Gandalf
Asmodeous wrote:Limiting the reset still isn't a good idea. Because the pw still changes and you can still use it to annoy someone awesomely. During key points of a battle.
if we reduce to 1/day, it cannot be annoying imo. and "during key points of a battle" you are logged in, aren't you? so no harm done, too.

though we could erase the option to give the name. instead, you have to know the mail.
Asmodeous wrote:-It can be used repeatedly to lock someone out at present. Be it for malicious means or for "the lulz"
if it's limited to 1 time per day, again no issue imo.
Asmodeous wrote:-Changing it to purely numbers isn't safe. At all.
correct, if server would not log things ;-) but we will enlarge the number count, too. why only numbers? we do not know the keyboard language of the players, so we reset to numbers only.
Asmodeous wrote:If the pw isn't changed by FT servers and instead the current password of that account is just emailed to the correct email, everything above becomes irrelevant.
sorry, but that is not an option due to account sharing and trading issues ;-)
Asmodeous wrote:-It isn't changed to purely numbers. Which is unsafe even at 8 to 10 digits.
10 digits are 10000 million guesses... that is enough :D
Asmodeous wrote:If you want to delve into the topic of sharing. Having an email account attached to a FT account makes it more likely for someone to share. Password recovery, whether the server changes the password or not, means more people will share. This doesn't actually stop it. It actually promotes the idea "I will be able to get my account back no matter what". All it hinders is selling.
we thought it through in great detail. 1st issue: account trading. but then, account sharing goes up, correct. we also do not want this. so we change pw. that is it. nothing to change here.

Re: Password Recovery

Posted: Sat Jan 09, 2016 11:06 pm
by Asmodeous
Gandalf wrote:if we reduce to 1/day, it cannot be annoying imo. and "during key points of a battle" you are logged in, aren't you? so no harm done, too.
Harm done. We die at times. 1/daily isn't implemented yet. If that was implemented then no. No harm done really at all. But currently. Doesn't matter if you're logged in. Under the current system once you die and people are abusing this. Good luck getting on.
Gandalf wrote:though we could erase the option to give the name. instead, you have to know the mail.
That would probably work a lot better than being able to give a logon name. That would probably solve the issue completely. If the current system of FT remains at changing the pw to a series of numbers.

Gandalf wrote:if it's limited to 1 time per day, again no issue imo.
Has it been set to 1/day? If it hasn't then it's still an issue. However as mentioned by you. If only an email is accepted before recovery begins. 0 issues.
Gandalf wrote:correct, if server would not log things ;-) but we will enlarge the number count, too. why only numbers? we do not know the keyboard language of the players, so we reset to numbers only.
I get Russian emails. Spanish emails. English emails. All for account recovery. So it looks like the language of the email depends on the language setting in the apk of whoever made the request. And good point I suppose. So why not throw in some punctuation as well? Minor point in all this I guess.
Gandalf wrote:sorry, but that is not an option due to account sharing and trading issues ;-)
Why? Why can't it be an option? If the idea of not removing the ability to recover by typing in a logon. Or not implementing a 3x per day recovery. How does emailing a random numbered password differ to emailing the current password of the account being recovered?

If it's being recovered by the owner of the email regardless of sharing, why does it matter if the current password is being emailed and shown over the random numbered password given? Please explain as this makes absolutely no sense to me. Because it doesn't affect the sharing/trading of accounts in the slightest.
Gandalf wrote:10 digits are 10000 million guesses... that is enough :D
0000000000-9999999999 takes me 8 hours to complete while playing sword coast legends or the witcher 3. Although that's offline with the hash file. I've no idea how many passwords would be accepted by the FT server per second. But definite improvement over a 6 digit number password. Happy as.
Gandalf wrote:we thought it through in great detail. 1st issue: account trading. but then, account sharing goes up, correct. we also do not want this. so we change pw. that is it. nothing to change here.
Changing the pw on recovery doesn't hinder account sharing. Stops theft a bit more. Well. Email recovery stops permanent theft. But changing the password when a recovery request is made. Doesn't hinder account sharing. Even if they choose to stick with that numbered password or choose to make a new one.
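
Added example, not part of the thread and not FT's code: a small Python model of the recovery flow debated above, comparing "replace the password as soon as anyone requests recovery" with a single-use emailed token that leaves the current password valid until the owner redeems it. The class, function names, the 3-per-day limit, the one-hour token lifetime and the sample password are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def digest(s):  # constructed stand-in; a real service uses a slow password hash
    return hashlib.sha256(s.encode()).digest()

class Accounts:  # hypothetical model, not FT's server code
    def __init__(self, change_on_request, max_per_day=3):
        self.change_on_request = change_on_request
        self.max_per_day = max_per_day
        self.pw = {}        # name -> password hash
        self.tokens = {}    # token hash -> (name, expiry time)
        self.requests = {}  # name -> times of recent recovery requests
        self.outbox = []    # (name, secret) pairs mailed to the owner

    def register(self, name, password):
        self.pw[name] = digest(password)

    def login(self, name, password):
        return hmac.compare_digest(self.pw.get(name, b""), digest(password))

    def request_reset(self, name, now):
        # Unauthenticated: anyone who knows the login name can call this.
        recent = [t for t in self.requests.get(name, []) if now - t < 86400]
        if name not in self.pw or len(recent) >= self.max_per_day:
            return False
        self.requests[name] = recent + [now]
        if self.change_on_request:  # thread's behaviour: replace at once
            temp = f"{secrets.randbelow(10**6):06d}"
            self.pw[name] = digest(temp)
            self.outbox.append((name, temp))
        else:  # alternative: single-use token, password left alone
            token = secrets.token_urlsafe(32)
            self.tokens[digest(token)] = (name, now + 3600)
            self.outbox.append((name, token))
        return True

    def redeem(self, token, new_password, now):
        name, expiry = self.tokens.pop(digest(token), (None, 0))
        if name is None or now > expiry:
            return False
        self.pw[name] = digest(new_password)
        return True

def owner_locked_out(change_on_request):
    svc = Accounts(change_on_request)
    svc.register("victim", "constructed-Passw0rd")
    for t in (0, 60, 120):  # a third party requests recovery three times
        svc.request_reset("victim", t)
    return not svc.login("victim", "constructed-Passw0rd")
```

A daily limit only bounds how often the lockout can be triggered. In the token variant an unredeemed request changes nothing, so `owner_locked_out(False)` stays false however many requests are made.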