Forums

Account Security Blog

Quick find code: 380-381-583-66107497

of 3
Iron Robsham
Aug Gold Premier Club Member 2018

Iron Robsham

Posts: 667Steel Posts by user Forum Profile RuneMetrics Profile
Angel2D4 said:


Even jagex has repeatedly stated that you use 3rd party clients AT YOUR OWN RISK.

If ANY of them were SAFE, jagex shouldn't have any problem endorsing them. However, currently (AFAIK) they don't endorse a single one.

Lack of jagex endorsement on ANY of them is strong evidence that they are NOT safe to use.

Jagex not endorsing 3pc, and not accepting liability for 3pc, is not evidence that people are being hacked via runelite, that's a massive non sequitur. You're just speaking garbage.

Explain to me, in detail, any of you, the mechanism by which someone has been hacked through runelite. I'll wait... You can't. Because you're all talking in hypotheticals, without ever providing any evidence that this is actually happening anywhere other than in your minds. Meanwhile, I can point to the probably around 40k people online and using runelite at any single moment, that haven't been hacked.
Anyone that wants changes to make ironman easier should be renamed wannabe-man and have their ironman icon replaced with a dunce hat.

28-Jun-2019 00:28:49 - Last edited on 28-Jun-2019 00:36:47 by Iron Robsham

RuffleSnatch
Jul Member 2019

RuffleSnatch

Posts: 291Silver Posts by user Forum Profile RuneMetrics Profile
Account security updates are one thing I'm very excited about. Jagex, I hope you guys roll some small changes such as password complexity sooner than later. Capitalization being ignored, which I've confirmed, is pretty crazy. Not being able to use special characters is also pretty insane.

I actually work in the IT industry, so I'm pretty close to this subject myself, and one thing I would love to see while you guys make these changes is support for PASS PHRASES.

The old style Thi$IsMyS3cr3tP@$$word days are long, long gone. Obviously where I work we use Multi-Factor Authentication to access accounts, especially from new systems and outside the trusted network. Before Pass Phrases were implemented we used to get a constant barrage of false authentication prompts, indicating some bot somewhere had guessed a user's password and had tried to use it to log in. After Pass Phrases, this pretty much disappeared entirely. It makes a huge difference and they should be encouraged! Not to mention we get a lot less forgotten passwords as we no longer need a rotating 90 day password expiration.

We also implemented something like what you're talking about to see if a user's password has been compromised elsewhere, part of what we implemented was this:
https://haveibeenpwned.com/API/v2

I myself was alerted of being pwned in the Feb 2018 "MyFitnessPal" breach, luckily I have 2 factor authentication on my email provider ;)

Good luck with the security updates, these are extremely welcome and desired!

Also, one more thing that would make MFA (multi-factor authentication) way better on Quality of Life! If logging in didn't require the code to be typed in but instead allowed us to use the Approve/Deny prompt on the authentication app, SO much easier. Thanks again!

29-Jun-2019 14:55:20

Rbnor
Jan Member 2019

Rbnor

Posts: 232Silver Posts by user Forum Profile RuneMetrics Profile
I lost 500m to a rat Lol, but you know what I didn't lose, untradeables, ferocious gloves etc, how about you make it easier, by making gear kits require a bank pin related code to remove it, which users can opt in by speaking to a bank, this would generally be unrelated so in worse case scenario, if they ever try taking your goods and incorrectly type a pin, it locks the account for users to be able to retrieve goods. It's a bummer I lost my stuff but hey, take it on the chin I guess. :D

Or have designated locations for untradeables to be disassembled like the ferocious gloves.

How I lost my stuff, recieved a rat, "computer went into shutdown mode" I thought w.e must be a bug which never happens, but I dont know if disconnecting my internet would've helped. Lol. I literally got taken for bank whilst sitting on my desktop. I tried locking the account whilst it was logged in but I tried spamming login so the account could possibly get locked out but nothing. Authenticator was removed so easily with just a login. Gmail had an auth but that was no used as it was removed with saved email/pass. You can eliminate this all with having a password removal for the authenticator on rs.
Set stuff to private because I know you'll have the odd weirdo looking up your profile :P

29-Jun-2019 20:40:17 - Last edited on 29-Jun-2019 20:44:13 by Rbnor

Dragon Medal

Dragon Medal

Posts: 45Bronze Posts by user Forum Profile RuneMetrics Profile
It's nice to see more security being available to accounts, I wish we had that kind of option back in 2007 :D Anyway, I checked up what changes will be done and it looks like it will only benefit the security. The thing is not to make it too complicated to be locked out of your account yourself, has happened to me after I had to factory reset my mobile phone and didn't have access to my Authenticator. I also hope that there won't be requirements to change my password to be more complicated as I keep forgetting them and I won't trust them to third-party. May password be only in my head - as long as I can remember them.

I noticed that the website will also get a 2-step verification system. Can we also have the Secure tag in front of the website address? I keep getting "Not Secure" when on the forums but the login screen is confirmed for Jagex. Or is that just my problem or Chrome's?
The Grumpy Estonian

04-Jul-2019 08:47:27 - Last edited on 04-Jul-2019 08:50:03 by Dragon Medal

Chelsy

Chelsy

Posts: 80Iron Posts by user Forum Profile RuneMetrics Profile
I am very excited to see this work being done. I do feel particularly limited in the complexity of my RS password in comparison to other sites that require, at the base level, passwords with letters of varying cases and the addition of at least one 'special character'.

I know it's likely beyond the scope of this work, I'd be especially interested in being able to create passwords that include non-Latin letters.

10-Jul-2019 05:34:54

Chelsy

Chelsy

Posts: 80Iron Posts by user Forum Profile RuneMetrics Profile
Dragon Medal said:
It's nice to see more security being available to accounts, I wish we had that kind of option back in 2007 :D Anyway, I checked up what changes will be done and it looks like it will only benefit the security. The thing is not to make it too complicated to be locked out of your account yourself, has happened to me after I had to factory reset my mobile phone and didn't have access to my Authenticator. I also hope that there won't be requirements to change my password to be more complicated as I keep forgetting them and I won't trust them to third-party. May password be only in my head - as long as I can remember them.

I noticed that the website will also get a 2-step verification system. Can we also have the Secure tag in front of the website address? I keep getting "Not Secure" when on the forums but the login screen is confirmed for Jagex. Or is that just my problem or Chrome's?


I also have the "Not Secure," and am also using Chrome.

10-Jul-2019 05:35:35

6O5

6O5

Posts: 1Bronze Posts by user Forum Profile RuneMetrics Profile
I feel as if this makes things easier on both ends of the problem. Yes, original owners will be able to recover their accounts back seemingly easier. However, from the way I understand recover appeals to work, the appeal with the higher amount of correct info, wins the appeal. As most account hijacking is done by social engineering, doxxing, and pulling the SSN/DOB of their victim. Meaning, they could just as easily recover the account with just the basic info given by say the streamer they plan to hack, I would assume it's easier after that as you already then have primary information to doxx from. This could either be great and kill account selling markets, or create a lucrative market for more committed hackers.

28-Jul-2019 11:11:32

Quick find code: 380-381-583-66107497Back to Top