PSA - Account Security - It's a thing - You should look at this thing.

[KisaiTenshi]

I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, undercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things, it's also nothing that could be easily guessed from even people that know me well enough, but, like above what the OP said.

I also use a One-Time-Password via my cellphone as well for extra security measure because it still is possible that hackers could crack my password with the tools that they have available.

Don't bother with making an overly complex password, just make something you can remember unique to this game.


The OTP is your insurance against someone being able to replay-attack/keylogging. Also do not use an Android emulator for your OTP on the same machine. Buy an authenticator if you're unwilling to put the authenticator software on your personal cell phone or tablet. OTP doesn't protect against session jacking.

Now you might ask... wait, why can my account get jacked anyway?

Yes. MMO's can be jacked several ways

1) Username and Password jacked by brute force (which is usually not done) by emulating the launcher.
2) Username and Password jacked by password reuse
3) Username and Password jacked by keylogging/malware by hooking the keyboard api.
4) Session jacked by unauthorized third party software/mods (don't trust anything you can not get the source code for and compile yourself)
5) Session jacked by network replay attack (compromised browser plugins)
6) Session jacked by shared proxy (players using VPN's)
7) Account compromised by Remote access tools (eg Teamviewer) on the system.

Clearly the easiest is #2, which you shouldn't reuse passwords in the first place.

Of these, #4 is not that hard to pull off as it bypasses the username/password/OTP process by simulating the game launcher and passing along the session string while it's hooked into the process, while it secretly passes along that information to a third party. So you will probably find that people who report being hacked, were probably engaging in RMT, or modding, or used a third party tool for some reason and naively trusted a total stranger on the internet.

Earlier on in V2.x A player reported to the forums that they couldn't log into the game, but I found them in the game, being a RMT spammer. So, people will deny they did anything wrong, even if they clearly did, and just want to save face.

With #7, Teamviewer is often a vector by which accounts get stripped and deleted as well. If you used TeamViewer or other remote access tools to let someone "Borrow your account" or play remotely yourself, you are opening yourself up to a world of hurt if you don't uninstall the software immediately after you don't need it anymore.

The only way to prevent all of above is by requiring a OTP to login/delete the character. If your game is idle and goes AFK, it should also request a OTP to come out of AFK mode. But it doesn't do that.

a OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2 factor, SE's, uplay's) and risk compromisation OR pay $216 to own the phone. security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.

I actually use my ipad 3 for this. As it doesn't recieve updates anymore from Apple, the only risk of "losing" the OTP generator is by losing the ipad or it being damaged. I didn't put it on my phone because SE's authenticator doesn't work through major OS updates, and the phone tends to update automatically.