Accounts security is lame

adolfovon

Accounts security is lame

#1 » Post by adolfovon » 13 Jun 2011 07:03

Yesterday someone somehow stole my brother's account's password and now there's no way to get it back. This is due to the way the account system works.
Secret questions are not needed at all, especially because you provide an email when creating an account and emails already have that kind of security system. Why would the server ask for an account name, email and security questions to retrieve your password when your email account already has a password? What other proof of being who you are claiming to be does the server need if you can get into the email account you provided? It should just ask for an email and it should send the info needed to restore the password to that email account, since there's only one user related to one email account.

That is not the only problem. A bigger problem is that you can change all the information required to retrieve your password (or change it or reset it) from within your truewow account. That just doesn't make sense. What happened to my brother now is just one example of what can happen to everyone's account: someone stole his password from within the game, went into his truewow account and changed all the information there, even the email account, which is the only link between an account and a real user.

- You shouldn't be able to change the email account related to your true wow account.
- You shouldn't have to choose secret questions (which aren't working at the time I'm writing this).
- The user's email account should be the key to save an account from possible attacks.

I know about these topics because I'm a web developer and I work with this kind of issues all the time.
I hope the server's staff solve these issues because I really like this server.

OkweL

Re: Accounts security is lame

#2 » Post by OkweL » 14 Jun 2011 15:43

If you are a web developer then you should know:

- passwords are YOUR problem, just like securing your own accounts
- you should be able to change all things because of various reasons
- this website is running on a free engine from pbwow.com - you can go and complain about bugs there, or you can even look into the code and post fixes there
- your brother is not "hacked", he is rather scammed

adolfovon

Re: Accounts security is lame

#3 » Post by adolfovon » 14 Jun 2011 18:26

I just give my advice; whether you take it or not is your problem. But the reality is that the account system sucks.
Passwords can be stolen in a lot of ways, and the email related to the account should NOT be able to be changed. The only persistent data from an account in truewow is the account's name, which is just a text typed by the user on account creation.

Why are you asking for an email if you are not sending anything to it, you are not requesting a confirmation from it and it can be changed a lot of times whenever the user feels like?

And just to make things clear, I'm NOT talking about the in-game security system, I'm talking about this page: truewow.org.

You should acknowledge that the accounts system has a problem and try to solve it.
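As an added example (not code from this thread, from TrueWoW or from MangosWeb), here is how the flow adolfovon asks for in posts #1 and #3 can be built: the registered mailbox is the only recovery path, reset tokens are single-use and expire, and an email change is only applied after the new address confirms it. The AccountStore class, TOKEN_TTL and every account value below are constructed for the example.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # seconds a reset or confirmation link stays valid
def _token_key(token): return hashlib.sha256(token.encode()).hexdigest()  # store only a digest
def _pw_hash(password, salt): return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Constructed in-memory account directory; not MangosWeb or TrueWoW code."""
    def __init__(self):
        self.accounts = {}       # username -> {"email", "salt", "pw_hash"}
        self.resets = {}         # sha256(token) -> (username, expires_at)
        self.pending_email = {}  # sha256(token) -> (username, new_email, expires_at)
        self.outbox = []         # (recipient, token) pairs standing in for sent mail

    def register(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"email": email, "salt": salt, "pw_hash": _pw_hash(password, salt)}
    def verify_password(self, username, password):
        acct = self.accounts[username]
        return hmac.compare_digest(acct["pw_hash"], _pw_hash(password, acct["salt"]))

    def request_reset(self, email):
        # Recovery is driven by the registered mailbox alone: no secret questions involved.
        user = next((u for u, a in self.accounts.items() if a["email"] == email), None)
        if user is None:
            return None  # the web layer should respond identically so addresses are not enumerable
        token = secrets.token_urlsafe(32)
        self.resets[_token_key(token)] = (user, time.time() + TOKEN_TTL)
        self.outbox.append((email, token))
        return token

    def reset_password(self, token, new_password):
        entry = self.resets.pop(_token_key(token), None)  # popping makes each token single use
        if entry is None or entry[1] < time.time():
            return False
        self.accounts[entry[0]]["pw_hash"] = _pw_hash(new_password, self.accounts[entry[0]]["salt"])
        return True

    def request_email_change(self, username, new_email):
        # The stored address stays as it is until the new mailbox proves it is reachable.
        token = secrets.token_urlsafe(32)
        self.pending_email[_token_key(token)] = (username, new_email, time.time() + TOKEN_TTL)
        self.outbox.append((new_email, token))
        return token

    def confirm_email_change(self, token):
        entry = self.pending_email.pop(_token_key(token), None)
        if entry is None or entry[2] < time.time():
            return False
        self.accounts[entry[0]]["email"] = entry[1]
        return True
```

A stolen password alone then cannot cut the owner off: the attacker can change nothing that survives a reset mailed to the address that was on file before the takeover.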

OkweL

Re: Accounts security is lame

#4 » Post by OkweL » 15 Jun 2011 14:21

Right, I gave you the wrong link. Google "MangosWeb" and ask them to fix certain things.
We have over 20k accounts, including Staff accounts (Moderator, GM, Admin, Owner) and they are all fine.
You should be able to change your email in case your old box is deleted, not working anymore, the host dies etc. Or you simply want to use a different mailbox on purpose.

Roel
Founder

Re: Accounts security is lame

#5 » Post by Roel » 15 Jun 2011 15:21

We have MangosWeb v2. Only in my summer holiday will I have time to update to v3.

Elrithran

Re: Accounts security is lame

#6 » Post by Elrithran » 16 Jun 2011 15:14

Do it like I do in most games and online things.
Make 12 or 20 char/num passwords. No one can hack them except if you have a keylogger infection or if he hardhacked it, but if they would hardhack this with raw hands it would take over 20 years or even more if he tries it every second of his life.
