Lock.Unlock account... a joke?

"
Tacomaco wrote:
Most of the ISP use dynamic IP and many of them are shared across a larger region.

Just add an option to disable the location check. How hard is that? It's one option in the preferences and an "IF" check.

+million
I wouldn't mind confirming it with email code - because it would be one-time operation.

"Trusted computer" check is a good idea too - there can be only one (the first), ofc.


"
The unlock code is only required when the geolocation has changed. If you always got IPs in the same country/region/city, then it would only ask you to re-enter your password and not provide an unlock code. If you happened to get an IP that was registered in a different nearby city, it asks for the unlock code to make sure you are you. You might have just been lucky before and never were allocated an IP outside of your current city. Where I am, I get IPs for 3 different regions.. often. It's not that big of a deal.
Wrong. Sometimes it asks just for password, but sometimes it needs a password and email code. And there is no relation at all between region/city change and code requests.
And on top of it, if I entered right password, then me is me. Already. And if not, why ggg limits itself with just one email check? Why not 2(3,5,10) emails on different boxes. Just to be sure that me is me...
And worst change is putting almost all bosses in new version of maps into fucking small areas, where you can't kite well or dodge stuff. What a terrible idiot invented that I want say to him: dude flick you, seriously flick you very much.
Last edited by silumit#4080 on Apr 8, 2014, 4:17:40 AM
"
And on top of it, if I entered right password, then me is me.

Wow, I'm glad to hear that phishing doesn't exist anymore.

As for the OT, as people have mentioned, dynamic IPs are extremely commonplace, and having one myself I have never had issues with it asking me to re-enter my credentials all the time. It sounds to me like there's something more at work than just having a dynamic IP... I don't suppose any of you are using some form of VPN, or are otherwise causing your IP to change more often than normal?

However, whether or not the dynamic IP is an issue, having trusted computers would be a nice addition. That way laptop users could go to a friend's house, PC cafe, etc. and still be able to play without any issue, even though I consider it to be an extremely minor annoyance. I think when it comes to account security, though, I think more is better as long as it's not being exceptionally intrusive, and having to re-enter your password isn't intrusive in my book. Perhaps trusted computers could have a secondary password (4 or 5 digit PIN?) for connecting from a new location on the same computer? Seems reasonable to me. Even with that, that's no more security than a lot of games (particularly MMOs) have built in.
IGN: iAreNubcake - PM me on here otherwise
Note: If you whisper me and someone responds with a stupid IGN, it's probably me.
"
silumit wrote:
Wrong. Sometimes it asks just for password, but sometimes it needs a password and email code. And there is no relation at all between region/city change and code requests.
And on top of it, if I entered right password, then me is me. Already. And if not, why ggg limits itself with just one email check? Why not 2(3,5,10) emails on different boxes. Just to be sure that me is me...


Wrong?

I know quite a bit about how this system works.

When it only asks for a Password, it's because your "stored password" is no longer valid because your IP address changed. The IP address is used as a salt in the encryption/decryption key for the stored password. This prevents people from taking your .credentials file and using it on their own PC and stealing your password. If your IP changes or the .credentials file is on a different PC with a different IP, the decryption fails which is why it makes you re-enter the password.

The "unlock code" is specifically and ONLY related to the geolocation. The information they use is very similar to this one. Go to that URL and write down the IP, Country, Region, and City. The next time it asks for an Unlock Code, go back there and look again. Not only will the IP change (requesting a password entry), but the City or Region will have also changed (which is why you're asked for the unlock code).

They only need the unlock code to confirm you are you.. because hackers might also have your password.. if they enter it correctly, do you want them having access to your account to strip it? The whole point of this system is to prevent hackers from gaining access if you've taken proper precautions to secure your email. In order for hackers to get into your PoE account, they not only need to know your PoE username and password, but they must also have the password to that email address.. That is why you need to make SURE that your PoE password is NOT the same as your Email password (since the email address is the same in both cases).

If a hacker gets your PoE password and it's the same as your email password, they can log in as you, take the unlock code, unlock your account for themselves and strip the account in a matter of minutes. This system was put in place to help prevent account theft by adding an extra step onto verification. In a reasonably secured system, this step is enough to keep hackers out (for the most part)... especially if your email address is itself secured with 2-factor authentication (which it should be).

If you have questions about the system, please ask them. But don't go around telling other people they are wrong when you don't understand the system or how it operates. I'd be glad to explain more about the system and why it is the way it is if you have specific questions on the matter. The system is there for your protection, and in the majority of cases, it works well.
Last edited by Drakier#1520 on Apr 8, 2014, 12:51:24 PM
I have a wireless IP and ALWAYS get locked for the last year. Sigh..............
"
iAreNubcake wrote:
"
And on top of it, if I entered right password, then me is me.

Wow, I'm glad to hear that phishing doesn't exist anymore.
When I enter login/pwd at "pathofexile.com/login", then me is me. Instantly. Without any email codes or anything else. So why the hell GGG thinks it shouldn't be so when I enter login/pwd in client?

Drakier, thank you. It seems I have missed one critical fact: that GGG geoip base is utter shit. When I get code emails, locations in them are all over my region. Not just 2-3 cities, no, there are tens of cities, and sometimes it's even "%countryname%,%regionname%,N/A". Maybe GGG should update all of them to N/A? What is the point of such "protection" if it CANNOT tell AT ALL whether my location changed or not?

"
They only need the unlock code to confirm you are you.. because hackers might also have your password.. if they enter it correctly, do you want them having access to your account to strip it? The whole point of this system is to prevent hackers from gaining access if you've taken proper precautions to secure your email. In order for hackers to get into your PoE account, they not only need to know your PoE username and password, but they must also have the password to that email address.. That is why you need to make SURE that your PoE password is NOT the same as your Email password (since the email address is the same in both cases).
Thank you C.O. :) I thought of a simpler solution: make it possible for the player to disable "email code confirmation" mode, but this will change the "remember pwd" option to remember the login name only in the client. It'll do effectively the same thing - "the evil hackers" won't steal the pwd (because it is not stored anywhere in any form), but there will be no freaking unlock code requests. I'd better go with entering the pwd every time because I'm already doing it, but at least I won't have to check email every fcking time I want to play PoE.


PS. All that talk about "security"... just look:
1)I can change email and password from site. To log in to site I need pwd ONLY.
2)I can not change email and password from client. To log in to client I need BOTH pwd AND unlock code.
Does it make any sense?
"
silumit wrote:
"
iAreNubcake wrote:
"
And on top of it, if I entered right password, then me is me.

Wow, I'm glad to hear that phishing doesn't exist anymore.
When I enter login/pwd at "pathofexile.com/login", then me is me. Instantly. Without any email codes or anything else. So why the hell GGG thinks it shouldn't be so when I enter login/pwd in client?



It's not a good idea to assume that an email address and password are enough to verify you as a legitimate login. A person's email address can often be found easily on the web, and many passwords are commonly used, making them inherently insecure (even if it's not stored anywhere, if it's a dumb and commonly used password like 'password1' then it's at high risk).

We understand that dynamic IP addresses can be problematic for some of our users. If anyone would like to have their account processed to remove this security step, please email support@grindinggear.com with your details.
"
Michael_GGG wrote:
It's not a good idea to assume that an email address and password are enough to verify you as a legitimate login. A person's email address can often be found easily on the web, and many passwords are commonly used, making them inherently insecure (even if it's not stored anywhere, if it's a dumb and commonly used password like 'password1' then it's at high risk).
OK, I can even agree with that, but then why
"
1)I can change email and password from site. To log in to site I need pwd ONLY.
2)I can not change email and password from client. To log in to client I need BOTH pwd AND unlock code.
Does it make any sense?
?
"
silumit wrote:
OK, I can even agree with that, but then why
"
1)I can change email and password from site. To log in to site I need pwd ONLY.
2)I can not change email and password from client. To log in to client I need BOTH pwd AND unlock code.
Does it make any sense?
?


You cannot change the email and password from the site without a verification email being sent to the address on file. Try it. You can LOG IN to the site with just the email address and PoE password, but you cannot change anything (especially email) without a verification email being sent to the address on file. So the actual email is not changed until you click the link in the email that is sent.

Edit:
"
silumit wrote:
Drakier, thank you. It seems I have missed one critical fact: that GGG geoip base is utter shit. When I get code emails, locations in them are all over my region. Not just 2-3 cities, no, there are tens of cities, and sometimes it's even "%countryname%,%regionname%,N/A". Maybe GGG should update all of them to N/A? What is the point of such "protection" if it CANNOT tell AT ALL whether my location changed or not?


GGG doesn't own the GeoIP database. It's a freely available database online maintained by other people. The problem isn't with GGG. It's that IP addresses are "virtual" and not fixed to the earth like your house. Your house has a valid physical address because it can't really move. IP addresses are free to move about the world, and the ISPs generally do a good job registering their locations in the GeoIP database. In a lot of areas though, the ISP covers a wider region so you can get multiple cities because the ISP itself and the pool of IPs it gives out are distributed around the region. In my area, I get 3 different cities as well because that's mostly where the ISP operates and distributes IPs from.

The only fault GGG has in this is that they only store the "last valid" location. Once you confirm the unlock code, it stores that location in their database for your account. When you go to log in again, it compares the stored value against the one you are signing in from. If they match, it lets you through. If it doesn't match, it requests a new unlock code to store the new location.
Last edited by Drakier#1520 on Apr 9, 2014, 12:39:23 PM
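The two checks Drakier describes in this post and his earlier one (a stored password that only decrypts under the IP it was saved from, and a stored "last valid" geolocation that triggers the e-mail unlock code when it no longer matches) are easier to reason about as code. The block below is an added illustration written for this thread; it is not GGG's client code or file format, the secret, IP addresses and locations are made up, and the `history` parameter goes beyond what the post says in order to model keeping the N most recently confirmed locations instead of only the last one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed illustration of the mechanism as described in the thread.
# Nothing here is GGG's actual code; the secret and sample data are made up.
MACHINE_SECRET = b"assumed-per-install-secret"  # hypothetical, kept outside the credentials file


def _key_for_ip(ip: str) -> bytes:
    """Derive the credentials-file key with the client IP as the salt: a new
    address yields a new key, so an old (or copied) credentials file stops
    decrypting and the client has to ask for the password again."""
    return hashlib.pbkdf2_hmac("sha256", MACHINE_SECRET, ip.encode(), 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based counter keystream (illustrative stream construction)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return out[:length]


def seal_password(password: str, ip: str) -> bytes:
    """Encrypt-then-MAC the password under the IP-salted key.
    Returns nonce || ciphertext || tag."""
    key = _key_for_ip(ip)
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_password(blob: bytes, ip: str):
    """Return the stored password if it decrypts under this IP, else None.
    The tag is verified first, so a wrong key (different IP) or a tampered
    file fails cleanly instead of yielding garbage plaintext."""
    key = _key_for_ip(ip)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


@dataclass(frozen=True)
class Location:
    """Country/region/city as a GeoIP lookup returns them. A database entry
    with city "N/A" compares unequal to any real city, which is exactly the
    kind of spurious prompt complained about earlier in the thread."""
    country: str
    region: str
    city: str


def login_steps(blob, current_ip, current_loc, confirmed_locs, history=1):
    """Decide which extra steps a login needs.

    confirmed_locs: locations previously confirmed with an unlock code,
    oldest first. history=1 models the "last valid location only" rule;
    a larger value keeps the N most recently confirmed locations.
    """
    steps = []
    if open_password(blob, current_ip) is None:
        steps.append("re-enter password")  # IP changed: stored credential unusable
    if current_loc not in confirmed_locs[-history:]:
        steps.append("unlock code")  # geolocation differs from what was confirmed
    return steps


if __name__ == "__main__":
    home = Location("NZ", "Wellington", "Wellington")     # constructed
    nearby = Location("NZ", "Wellington", "Lower Hutt")   # constructed
    blob = seal_password("hunter2", "198.51.100.7")       # documentation-range IP
    print(login_steps(blob, "198.51.100.7", home, [home]))            # []
    print(login_steps(blob, "198.51.100.8", home, [home]))            # password only
    print(login_steps(blob, "198.51.100.8", nearby, [home]))          # password + unlock code
    print(login_steps(blob, "198.51.100.8", nearby, [nearby, home], history=2))  # password only
```

The separation matters for the complaint in the thread: an IP change alone only invalidates the locally stored password, while the unlock code is driven purely by the location comparison, so a GeoIP database that maps one ISP's pool to many cities (or to "N/A") produces unlock prompts even though the account holder never moved. Widening `history` is one way to absorb that without dropping the check entirely.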
"
Drakier wrote:
You cannot change the email and password from the site without a verification email being sent to the address on file. Try it. You can LOG IN to the site with just the email address and PoE password, but you cannot change anything (especially email) without a verification email being sent to the address on file. So the actual email is not changed until you click the link in the email that is sent.
ROFL man. I thought yesterday exactly the same thing as you wrote there - maybe I'm stupid, and really you need pwd and email to change pwd. But NO YOU DON'T! Try it yourself. I changed my password yesterday without any email confirmation. Moreover, there was no notification in my email that my pwd was changed. Sweet.
Don't know about email change, but to change the pwd, you need only pwd, no email confirmation.

"
The only fault GGG has in this is that they only store the "last valid" location
In that case the only fault GGG has is them using this database which contains totally wrong information.
And BTW, I made a suggestion to store 3-5 last valid locations in another thread aaaaaawhiiiiile ago. No response, no change - nothing at all.
Last edited by silumit#4080 on Apr 10, 2014, 4:21:55 AM
It doesn't matter if you can change the password or not without email confirmation. If someone changes your password, you just recover it to your email.

I know for a fact you cannot change the email without email confirmation because it is often an issue here. Password I wasn't 100% sure of. But again, it doesn't matter if they change your password on you because you can just recover it to your email any time you want.

As for the database, it is "the" geoip database. Everyone generally uses the same one.. whether the information is accurate or not. That has nothing to do with GGG. It's a safety measure a lot of systems use for security. Steam even uses it. Difference is their implementation.

Yes GGG should store more locations, or have more configuration. They don't. It's not exactly a high priority to "fix" a system that isn't exactly broken. When the system was implemented, it was put there to fix a problem. There was a huge outbreak of hacked accounts and they needed to put a stop to it. So they very quickly implemented this system, and it did exactly what it was intended to do. Stop the massive amount of account theft that was going on.

Now that the system is in place and works, there isn't really a lot of reason to devote a lot of time changing it. GGG WANTS to change it, but it's just not as high of a priority as other things. It's their game. They make the priorities. You don't have to agree with them. You can either deal with it, or stop playing. That's life.

You're not a shareholder, you aren't an owner.. you have no "stake" in the company or the say in what they decide to do or not do. You can certainly make suggestions (as many others have), but ultimately the decision is theirs to make.

There's no point arguing about it at this point. The system is what it is. I've offered ways to make it less intrusive and faster to deal with. You can either take my advice, or not. I can't force you one way or the other. Just offer up my experiences and suggestions. Gmail is not only faster at the delivery, but they're also more secure. If you choose to not do that, then that is your choice to make. It's a free game with no subscriptions. Sometimes you have to take the bad with the good. I'd much rather deal with an unlock code system that keeps my account secure but might not be the best implementation if it means I'm not paying subscription fees, etc. You might not share my opinion on that. *shrug*
