Good evening, boys, girls, and everything in between. I would like to tell you a little something about account security, the issues we're seeing, and how you can help us help you protect your account from intrusion.
First of all, I'd like to show you an example of why I see the need to write this post. As some of you may or may not be aware, a username/password list got leaked ages ago. This was taken care of by placing a damage-control ban on the affected accounts. The idea was that when the owner of the account contacted us, they would be given instructions to change their password, so that the ones with access to the list would not be able to use it. This would then be followed by unbanning the account in question. For those of you who were affected by this, I am referring to "Your account has been compromised and has therefore temporarily been suspended. E-mail support, etc."
Now, some stats:
Accounts banned: 6388 <-- fair enough, the list was long, and shit happens.
Accounts opened: 138 <-- as of 16 Oct 2011. A lot of accounts on the list were inactive, so most will probably never have an open request for them.
And now, what makes me a sad panda, is the fact that I ran the check again today. Of the 138 who had their account opened again after they knew very well that their account had been compromised, 22 reverted back to the same password as they had before!
It is then easy to calculate and extrapolate that 15.94% of our userbase lacks common sense. If you know 6 Toribash players, and you can't put your finger on who lacks common sense, then this post is for you.
Password age
A password should be changed from time to time. And something odd happening should not be a prerequisite for this. Change it on a regular interval, so that a password that somehow got into the wrong hands cannot be abused until the end of the universe.
E-mail address
While users are getting better at this, it is worth mentioning the value of having a functional e-mail address associated with your account. If something does happen to your account, this is your best bet for getting it back. And while e-mail security is not really within our jurisdiction, it should be noted that the same password guidelines apply there as well; your account isn't safe if your e-mail has been compromised. Therefore it is generally not recommended to use the same password for these two either.
Sharing login credentials
Not only is this the number one cause of hijacked accounts, it is also against the rules. Toribash staff will never ask for your password, and anyone who claims to be staff and does so is trying to scam you. If you share your login credentials with someone else, for whatever reason one might do this, you are breaking the rules, and while it is declining, people do get banned for this, with bans ranging from 3 months to permanent. This includes "TC Generators" and other things that promise to give you unicorns and gold if you fill in a form.
Suspicious Links
While very obvious, it still happens. Any link provided to you by a random Toribashian should be viewed as suspicious, especially if it points to an executable. Sure, you ran it, and nothing happened. That means everything's fine, right? Nope, I'm afraid not. This normally means that some form of malware was installed in the background. While this could be anything, there is a real chance of it being a keylogger or the like.
Follow the above guidelines, and the chances of having all your items and TC stolen are pretty slim. If you do not, you're doing so at your own risk, and I'm told that Hampa forwards such people to Santa, who will add them to his naughty list. You have been warned.
To quote Forrest Gump, that is all I have to say about that. If I forgot something, feel free to ask/post below.
EDIT: Oh, and for your viewing pleasure:
The 20 most used passwords in Toribash
The data below is taken from the list of 6388 usernames/passwords mentioned above.
Password      Count
----------    -----
123456          126 <-- This makes me a sad panda. This is 1.97% of the total
123456789        59
12345            40
111111           23
123123           21
password         19 <-- yes, because this is such a clever password
toribash         19 <-- very original, there
123321           19
1234             18
master           16
12345678         16
123              15
1234567          15
789456123        14
qwerty           14 <-- left hand on keyboard, right hand down your pants
654321           12 <-- Getting advanced with them counting skills
lol              12 <-- because passwords are so fun
c73249328c       12 <-- probably someone with 12 alts.
dragon           12
killer           12
If you have a password that is in the list, CHANGE IT!
In addition to the above, a depressing amount of 244 users (3.81%!) had their username as their password.
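As an added example (my own illustration, not code from the Toribash site), here is the kind of check a password-reset form can run to catch all three of the problems described in this post: a new password that appears on the leaked top-20 list, one that equals the username, and one that simply reverts to the old password (the 22 of 138). It assumes the site keeps salted PBKDF2 hashes of each account's previous passwords; the function, parameter names and the hash settings are my assumptions.

```python
import hashlib
import hmac
import os

# Blocklist built from the top-20 table in this post (constructed from the post, not a live feed).
LEAKED_TOP20 = {
    "123456", "123456789", "12345", "111111", "123123", "password", "toribash",
    "123321", "1234", "master", "12345678", "123", "1234567", "789456123",
    "qwerty", "654321", "lol", "c73249328c", "dragon", "killer",
}

PBKDF2_ROUNDS = 100_000  # assumed server-side setting


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(username, new_password, history):
    """Return the list of reasons to reject a reset; an empty list means the password is acceptable.

    history is a list of (salt, digest) pairs for the account's previous passwords,
    so the old password itself is never stored or compared in plaintext.
    """
    reasons = []
    if new_password.lower() in LEAKED_TOP20:
        reasons.append("on the leaked top-20 list")
    if new_password.lower() == username.lower():
        reasons.append("password equals username")
    if any(matches(new_password, salt, digest) for salt, digest in history):
        reasons.append("reuses a previous password")
    return reasons


if __name__ == "__main__":
    old = hash_password("toribash")  # constructed sample: the account's compromised password
    print(check_new_password("Jarmund", "toribash", [old]))
```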
- Jarmund, Chief BOFH
Last edited by Jarmund; Oct 17, 2011 at 02:20 AM.