Doesn't seem so fair


by Imperat0r » Tue Jun 23, 2015 8:34 pm

Hello dear administrators and community of Nostalrius,
I am a former player of Nost... I stopped playing like 2,5 months ago because my account got hacked and I couldn't get it back...
I had invested so much time and effort into my UD Mage... I was one of the first 60's and also had a really good reputation for my attitude, my groups and helping people around on horde side... Well known on both factions for my pvp style and skills... I was actively trying to get people that did not trust this server at 1st and dragged them to play here with me... I reported every bug issue I found out or heard about without abusing it even 1 time. All this effort I did to enjoy a vanilla experience again just got wasted in just 1 mistake... I just don't think it's fair at all, and I think the administrators should put a little more effort on this subject. I understand that they have really hard work to do on the server and I want to congratulate them so far for the excellent work they have made to provide us such a good server...
So I want to make a suggestion about this issue. There are some ways to figure out the real owner of an account, like giving out pics from lvling and all information and email needed on the creation of an account... like also first password and stuff like this... Maybe it's a minor majority that had such a problem, but you must also look at these and not take from them the right to play their own and beloved character... You must really do something about the hacked accounts and not just sit there watching it happen... I hope more people support my post and something changes about it...
Sincerely Regards from Grek
Imperat0r
Private
 

Re: Doesn't seem so fair

by Aunstic » Tue Jun 23, 2015 8:55 pm

So what do you suggest the admins put in so they can detect a stolen account?

I understand you have a long story that reckons you get some pity, but I don't see a suggestion here that an admin can implement.
Aunstic
Knight-Lieutenant
 

Re: Doesn't seem so fair

by djwood84 » Tue Jun 23, 2015 11:35 pm

There's an old philosophy that says you should focus on the 98% that is working, not the 2% that isn't. It's a sad story but there isn't anything they can do in there -- It's not like Blizz where you can fax in your driver's license.
djwood84
Private
 

Re: Doesn't seem so fair

by Aunstic » Wed Jun 24, 2015 2:27 am

djwood84 wrote: It's not like Blizz where you can fax in your driver's license.

Honestly, you could implement something like this though. It's pretty simple too.

First, remove the ability to change your email/password in-game.
Second, implement two-factor authentication (2FA) through a private key (crypto), second password, secret question, one-time password (OTP), IP-Lock, etc.

This allows the admins to safely tell the players that they are at fault for any security breaches on a single account because there's a vast majority of software that still hasn't implemented anything beyond a username+password or email+password combo. What's even better is that adding a column to the end of the accounts table in the emulator's db shouldn't affect anything in-game wise. All that needs to be done is add a check whether or not an account has 2FA enabled or not in order to use it.

tl;dr having 2 types of passwords for 1 account allows players to be fully liable for their account as many services only have 1 type of password.
Aunstic
Knight-Lieutenant
 

Re: Doesn't seem so fair

by Imperat0r » Wed Jun 24, 2015 8:05 am

I don't know much about this stuff... The suggestion I wanted to make is like the rest of the other servers have, secret questions and password recovery with email... Also if somebody can prove that he leveled that character with pics from lvling and other different stuff that the admins can confirm, they must help them a little... I made this post so the community of the server may support it and also give some ideas how to change the system a little... Yes, I make this post because I really want my character back... I don't want to create another one... it wouldn't be the same for me... But it's not just about me, I am sure more people have the same problem as me and in the close future it will happen to more and more... As a community of the server we love, we must try for the best and solve little problems like this...
Imperat0r
Private
 

Re: Doesn't seem so fair

by AverageJoe » Wed Jun 24, 2015 5:43 pm

While I support the concept of stronger security and better account recovery for this server, realistically the dev pool is very limited and I'd rather the devs' time be spent focusing more on delivering upcoming game content and fixing game breaking bugs. Honestly, any effort put into developing a good security setup is wasted if the user either doesn't take advantage of it or just flat out does stupid stuff like downloading malware and uses the same password for all their accounts and e-mail addresses.

I never have to worry about my account being stolen because I know what sites to avoid browsing, programs to avoid installing, never get infected with any kind of malware, and never share my credentials with others. Meanwhile there's users in the Support forum who openly admit to getting hacked on a frequent basis and losing access to their accounts for WoW, Rift, Tera, Guild Wars, etc. crying about how the staff needs to bend to their will and restore access, items, gear, gold, characters, etc. the way it was before they got hacked because "Blizzard and other companies do it."

So why should cautious, experienced players who know how to protect their data have to sit out and wait on the next big content patch or suffer through buggy, untested content because the staff is busy babysitting those who forgot their password for the 100th time or cry they got hacked again because they don't know how to avoid scams and malware?
AverageJoe
Legionnaire
 

Re: Doesn't seem so fair

by Aunstic » Wed Jun 24, 2015 6:16 pm

AverageJoe wrote: While I support the concept of stronger security and better account recovery for this server, realistically the dev pool is very limited and I'd rather the devs' time be spent focusing more on delivering upcoming game content and fixing game breaking bugs. Honestly, any effort put into developing a good security setup is wasted if the user either doesn't take advantage of it or just flat out does stupid stuff like downloading malware and uses the same password for all their accounts and e-mail addresses.

I never have to worry about my account being stolen because I know what sites to avoid browsing, programs to avoid installing, never get infected with any kind of malware, and never share my credentials with others. Meanwhile there's users in the Support forum who openly admit to getting hacked on a frequent basis and losing access to their accounts for WoW, Rift, Tera, Guild Wars, etc. crying about how the staff needs to bend to their will and restore access, items, gear, gold, characters, etc. the way it was before they got hacked because "Blizzard and other companies do it."

So why should cautious, experienced players who know how to protect their data have to sit out and wait because the staff are busy babysitting those who forgot their password for the 100th time or cry they got hacked again because they don't know how to avoid scams and malware?


Hopefully this won't stray away from the main topic too much.

The only thing that needs to be done to suit better account security is to remove the ".account password" command in-game and add another column to the mangos db -> accounts table. The developers don't need to have much work to put in another factor of authentication really. If the developers don't wish to reinvent the wheel on this, github and other websites have libraries to easily implement 2FA such as https://github.com/eloquent/otis (PHP).

I understand where you're coming from when you want them to focus their time on bugs rather than a user control panel, but they have already reinvented the wheel with creating their own home page (https://en.nostlarius.org) so I believe they don't mind the time spent with creating modules for the user's security. Just look at the password reset function. It may not be the best, but it's something ;).

As for users not enabling 2FA on their accounts, people in the information security business would argue that even 1 user benefiting from this would mean it has shown some use. Assuming Viper or Daemon would put out an announcement for this just like the new features on the main page, I'm sure there would be more than 1 user enabling 2FA on their account(s). This is also beneficial for privileged users such as admins, developers, ISVV, staff, and any other group above user rank. If Viper and Daemon don't have their account(s) IP-restricted, I'm sure this will come in handy in case a real security threat comes into play such as the databases being dumped (hacked).

Malware on a user's computer eliminates privacy, but this allows players to be more secure if they use the same username/email and password for everything. A second password, key, etc may not be available on another site -- especially a phishing site that cannot determine whether or not you have a second password, key, secret, etc on your account at the time you "login" to a phishing website. Nostalrius knows because they own the database and the code allows only 1 of the options to be selected for the second factor.

The rest of your post openly states that people are ignorant and the less ignorant users should not wait to be assisted as their problems are seemingly higher priority than the ignorant users. My reply to this is that not everyone has the same knowledge. Customer support, public relations, 'tech support', ambassadors of any sort, and any other field that deals with passing knowledge on to someone else for support are all important fields if you think about it. Let me dig up an example here:

Game Masters are here to assist with all problems that they can deal with. They own a delegated job. Administrators have the highest privileges because they should be able to fix any and all problems a user has, but they delegated powers in order to create a "support" group that are able to deal with the problems of users instead of the admins being the first person they come to. In a smaller example: if you own a car, you're not going to talk to the engineer who designed the car if you have a problem. You're going to talk to someone that knows the car and other cars so you can get your assistance. Car dealerships are almost like Game Masters in a way.

To conclude, a new module is not that hard to create and implement. Time can be saved if the developers implement a library for two-factor authentication instead of reinventing the wheel. The less ignorant users are not a higher priority than any ignorant users. I'm ignorant about cars.
Aunstic
Knight-Lieutenant
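
The design proposed in this thread (one extra column on the accounts table, checked at login only when it is set), as an added sketch that is not part of any post and is not Nostalrius or mangos code. The table and column names, the PBKDF2 password check and the choice of TOTP (RFC 6238) as the second factor are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, sqlite3, struct, time

# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical minimal accounts table, not the emulator's real schema.
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    # The proposed change: one extra column; NULL means 2FA is not enabled.
    db.execute("ALTER TABLE accounts ADD COLUMN totp_secret TEXT DEFAULT NULL")
    return db

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_account(db, username, password, totp_secret=None):
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
               (username, salt, _pw_hash(password, salt), totp_secret))

def login(db, username, password, otp=None, now=None):
    row = db.execute("SELECT salt, pw_hash, totp_secret FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored, secret = row
    if not hmac.compare_digest(stored, _pw_hash(password, salt)):
        return False
    if secret is None:            # account never enabled 2FA: password alone suffices
        return True
    if otp is None:               # 2FA enabled: a stolen password is not enough
        return False
    now = time.time() if now is None else now
    # Accept the current and previous 30 s step to tolerate clock drift.
    return any(hmac.compare_digest(totp(secret, now - back).encode(), otp.encode())
               for back in (0, 30))
```

Accounts whose `totp_secret` is NULL behave exactly as before, which is why the extra column does not disturb existing logins.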
 

Re: Doesn't seem so fair

by Nobody » Wed Jun 24, 2015 9:50 pm

I completely agree that while this server is amazing and the devs have provided a beautiful experience, I think it's completely ridiculous that there isn't a password recovery through email which is the most basic thing that all games and all private servers have!

Those saying they'd rather have the limited dev pool be focused on important stuff on server would change their opinion in a heartbeat if it was their hard work on the line!

Password recovery through email is something basic and is being used as a security measure everywhere, how hard can it be to be implemented here?
Nobody
Private
 

Re: Doesn't seem so fair

by Aunstic » Wed Jun 24, 2015 11:07 pm

Nobody wrote: I completely agree that while this server is amazing and the devs have provided a beautiful experience, I think it's completely ridiculous that there isn't a password recovery through email which is the most basic thing that all games and all private servers have!

Those saying they'd rather have the limited dev pool be focused on important stuff on server would change their opinion in a heartbeat if it was their hard work on the line!

Password recovery through email is something basic and is being used as a security measure everywhere, how hard can it be to be implemented here?

It's not that hard to implement, but it's hard to determine security beyond it. If someone has both email and account access, they own your account. The current password reset is determined on if the account has been played... which is another hard thing to do because what if you, the owner, are logged on to your account and someone wanted to change your password. Other way around, what if you wanted to change the password because someone else is on your account?

Exceptions are the bane of every program.
Aunstic
Knight-Lieutenant
 

Re: Doesn't seem so fair

by Imperat0r » Thu Jun 25, 2015 7:59 am

It's a minor problem that should be taken care of... It doesn't need a big amount of time and it would help out a lot of people and also the administrators... I hope some admin checks out my post and does something about it...
Imperat0r
Private
 
