Relaxing Account Recovery Information

Status
Not open for further replies.

PlatRedditAccount

Active member
Oct 8, 2018
457
85
28
Elfville
Hi all, as title states, this thread is mainly about maybe getting the information required to be relaxed a tiny bit.
Before everyone goes on a witch hunt about "what about my security" or blabla, how many of you can honestly raise your hand and tell me you will change your password regularly (maybe once every 3 months?)

But whatever, on to my main point. Basically right now to change your email address, you require
Username, Password and your birthday (AKA the one you put when you registered your account)
Yes, I know, 90% of us probably put a fake one.

Basically I'm here to ask if we can input
Username, Password, PIC, IGNs (4 layers) (& Discord as well, I'll explain that later)
instead of
Username, Password and birthday. (cause a good 90% of us probably put a fake birthday)
What this SHOULD do is prove beyond a reasonable doubt it's US that's asking for email reset.
Cause let's be honest, if you give out your username, password and PIC to some rando, HOW ARE YOU NOT JIMPED YET??
As an additional layer, the admins could also ping you on Discord, asking you to confirm that you want to change it. (if they don't feel this is secure)
Then they could send an email to your current email asking for confirmation.

Just my 2c, feel free to weigh in constructively. Thanks everyone
 
Reactions: Yika

Alex

Well-known member
Jul 20, 2018
161
219
63
Ch 4 Bowman Instructional School
Nah, I'm good tbh.

There are a few people with my account information, haven't gotten jimped (yet) and I seem to be doing fine? I used a random e-mail that I created for the purpose of these servers and have a set fake birthday that I use everywhere since information is ever so "important".

If we change it to what you're suggesting, what stops the potential "jimps" from just straight up stealing the entire account instead of just my items?


EDIT: To be honest, just remove the birthday requirement entirely. Most e-mail services have 2FA options and if users would simply have that enabled for whatever e-mail provider they use then it should be secure enough for something like a private server. Simply remove the birthday requirement, require only the Username + e-mail address, send a link to the e-mail address, and allow the change.
 
Reactions: Yika and Gina

Hene

Active member
Jul 19, 2018
246
88
28
The land before time
Probably an unpopular opinion here but:
Honestly I don't see the need for this. I don't see an issue specifically with the email change policy right now (honestly not even sure why changing email is even a thing). There's nobody else but yourself to blame if you forget the details you used to make the account. Just write it down on a notepad if you used fake information.

Feel like the better solution (if you're referring to the changing password) is changing your password (after being logged in) shouldn't require you to access your email, rather just needing to input the email address like how other systems like discord do it, maybe sending an email saying the password was changed.
 
Reactions: Yika and Gina

Gina

Active member
Jul 19, 2018
242
68
28
Happyville
I agree with removing the birthday requirement. Or maybe an option to change your birthday could be added, for those who have access to everything except their "birthday". I'm in a similar standing as Alex, I have a set of fake birthdays that I use online, but I feel like the birthday requirement is where many people get stuck during the account recovery process, and one that isn't usually used for account recovery, so players don't often pay attention to that when creating their account.

I have to disagree with the Discord requirement because what if the player was too shy to talk on Discord and never went on the server before? Then it would look like they were in the Discord for the first time, and if they were accepted, what stops somebody from creating a new Discord account just to add to the recovery request? And of course, there's also the issue of creating more work for the staff members in charge as well as having to wait for a response from the player before they can continue with the process. The Discord option seems to only be helpful to members who are either well-known players or those who talk often on Discord.

EDIT: Actually, Hene's solution seems like a good idea. Most of the account recovery requests come from those whose passwords need to be changed. Even if someone's account was stolen this way (through changing their password), there could still be an option to change the password through email.
 
Reactions: Yika

Joohyunieee

Member
Aug 2, 2018
38
6
8
Michigan
Probably an unpopular opinion here but:
Honestly I don't see the need for this. I don't see an issue specifically with the email change policy right now (honestly not even sure why changing email is even a thing)

I know you prefaced with unpopular opinion, but, I think this is very necessary. Personally, I am currently using an email with my university's domain name. And apparently, when I request to change password, I cannot receive it because my email has a 'foreign' domain name. So, I need to change my email to gmail, which is what I'm currently waiting on. Maybe a side solution to this would be to say straight up during registration to use a gmail account.
Also hi. I remember when I first started, I was in Reason with you :>

Regarding the original post and how 90% of people use fake birthdays. Is it not their fault? I don't see why we need to accommodate for people putting in fake information.. they're responsible for their own account and their own information
 

Hene

Active member
Jul 19, 2018
246
88
28
The land before time
I know you prefaced with unpopular opinion, but, I think this is very necessary. Personally, I am currently using an email with my university's domain name. And apparently, when I request to change password, I cannot receive it because my email has a 'foreign' domain name. So, I need to change my email to gmail, which is what I'm currently waiting on. Maybe a side solution to this would be to say straight up during registration to use a gmail account.
Also hi. I remember when I first started, I was in Reason with you :>
I addressed that issue with changing passwords in the 2nd paragraph since I know that issues can come up with losing accounts but having at least the actual email name alone should be required.
Also hi
 

snowfarrun

New member
Oct 4, 2018
25
4
3
Canada
I know you prefaced with unpopular opinion, but, I think this is very necessary. Personally, I am currently using an email with my university's domain name. And apparently, when I request to change password, I cannot receive it because my email has a 'foreign' domain name. So, I need to change my email to gmail, which is what I'm currently waiting on. Maybe a side solution to this would be to say straight up during registration to use a gmail account.
Also hi. I remember when I first started, I was in Reason with you :>

Regarding the original post and how 90% of people use fake birthdays. Is it not their fault? I don't see why we need to accommodate for people putting in fake information.. they're responsible for their own account and their own information


About the birthday date, it's sensitive information, while I do use my real birthday when signing up for games, it's different when playing private servers, admins can do whatever they want with your information. I did personally develop a system to remember the fake birthday I use.
 

Joohyunieee

Member
Aug 2, 2018
38
6
8
Michigan
I addressed that issue with changing passwords in the 2nd paragraph since I know that issues can come up with losing accounts but having at least the actual email name alone should be required.
Also hi

Oh oops, did not see the second part (just assumed it was your signature lol). I'm a fan of what you suggested

About the birthday date, it's sensitive information, while I do use my real birthday when signing up for games, it's different when playing private servers, admins can do whatever they want with your information. I did personally develop a system to remember the fake birthday I use.

So the more I'm reading about this, the 'root' problem is not that people are using fake birthdays (this is just, what I call, a symptom of the real problem); the 'root' problem is that people do not want to give away any personal information for security and privacy reasons.

If that is the case, then I am all for getting rid of birthdays as an input!
 

Yika

Member
Oct 4, 2018
31
25
18
the toaster
@Joohyunieee In my case it wasn't really a security or privacy reason rather I just put a random birthday because I didn't think it would be that important. I'm not sure if the old website said that our birthday would be needed to change our emails (if it did I probably glazed over it).

One issue I do have, and is the reason why a lot of people request an email change, is the unsupported mail providers (I'm using yahoo). Back when I registered, I had no issues using my yahoo email which I know if anyone tried to register for an Aries account on the current website it would give them an error saying that the provider isn't supported. Not sure how this would work on the back-end side of things but I think adding more supported email providers to Elluel Network would in turn cause less people having issues/needing to change their emails.
 

PlatRedditAccount

Active member
Oct 8, 2018
457
85
28
Elfville
Simply remove the birthday requirement, require only the Username + e-mail address, send a link to the e-mail address, and allow the change.
My thoughts too, however I am seeing it from the point of the admins regarding security.
I would say that this is a good suggestion, however I'm not sure if Elyx & Nova would use it as it's technically a step back in terms of security.

There's nobody else but yourself to blame if you forget the details you used to make the account. Just write it down on a notepad if you used fake information.
100% in agreement with you, but honestly how many people would do this? I agree that yes the burden is on user to remember, but at the same time we shouldn't just be like "oh you forgot your birthday? Too bad"

maybe sending an email saying the password was changed.
I do see this working, however I don't really see Elyx & Nova using this due to it being a step back in security.

the 'root' problem is that people do not want to give away any personal information for security and privacy reasons.
The irony is, in Elyx's & Nova's quest for security, most users also input as much fake info as possible to keep themselves secure.
While I do applaud and understand their need for security, at what cost does it come at?

is the unsupported mail providers (I'm using yahoo). Back when I registered, I had no issues using my yahoo email which I know if anyone tried to register for an Aries account on the current website it would give them an error saying that the provider isn't supported.
There weren't any issues last time when we used domains other than Gmail to register, and now that there are issues, those people who wish to change emails from unsupported domains to Gmail run into this issue of birthday/unreachable domain.

Perhaps an extremely unpopular and maybe even (not so secure) way would be to ask a player that the staff team trust, if they would be willing to create a throwaway email, and use it to mass email out confirmations to currently unsupported emails, asking if they would like to change their email to a Gmail. And if they do decide "yea I would like to change"
Then the player who did these emails would also fill out an excel with old email & new email (that the requester gives), for Elyx & Nova to see if they could change it.
 

Kit

Member
Oct 20, 2018
22
19
13
Singapore
A little late to the party but this whole security thing is a big load of nonsense.

I already made a suggestion a while ago with regards to this issue and Spyro replied to me saying:
1. The security upgrade is due to players getting hacked. - Like really? You're punishing me for people who SHARED their account to get hacked.
2. They cannot assume people will use fake email/birthday. - If everyone used their real email and birthday, they are more likely to get hacked.

So in the end I got punished because some players decided to share their credentials and get hacked, which led to this flawed security 'enhancements'. Now I cannot even play my account which I have invested lots of time and effort into because I used a fake email/birthday (which wasn't enforced at the time I created the account). And mind you I didn't forget my username and password, I simply cannot play the game because my password is too "old" and I have to use the fake email which I do not have to simply change my password. Utter nonsense.

Kudos to Aries's team on implementing new policies without thinking/caring about backwards compatibility.
 