This is what I do, with the addition of using a different set of four for every password I have (as long as the password requirements let me.) Even with the multiple accounts it's quite easy to remember them, and more importantly, to type them out.
Also a good tip for passwords is to not actually use one word. Make it an easy to remember phrase.
I love the official forums, they tell you to use the search for thread about what you wanted to talk but when you use it they judge for necro a thread.
Re: passwords, that's pretty much why I hate sites that continue expecting more and more complex requirements. It gets to the point where I'm forced to write down the password and associated site (and sometimes the username if they've tried to complicate that). Which... kinda defeats the whole point of security, it feels like.
(and then of course is the instance when you couldn't remember the requirements or the site just plain expects you to change every few weeks or months or whatever, and you're forced to find ever more complicated junk to fit in that you'll never remember)
Or you can just keep it simple...
Use a unique password. One that is not easy to guess, one that is not a dictionary word or easily recognized.
And have OTP turned on.
If you're going to turn your phone in...be smart enough to plan in advance...follow instructions.
Best way to avoid a nightmare...is to plan for the worst...don't be foolish.
Better a secured account..than a compromised one where you lose your house/your gear/your hard earned stuff.
This really isn't rocket science...we don't need lectures or 10 page explanations.
Just be smart about it....if you care about your account..then take better care as such.
I don't mean to be that asshole, but if you're going to try and convince a bunch of folks to use features that they probably don't use you should probably go through the effort to explain what said features are beyond using not one, but two acronyms without explaining what they stand for. Short-hand is great when people know what the heck you're talking about. But using short-hand to explain a new concept without ever typing it out fully at all during any part of your presentation? Confusing!
you need to turn your OTP/TFA features on
I really wish FFXIV would just do what Blizzard does with the Blizzard launcher. I'd have no problem with a complex password if I only had to enter it into my computer like once a year. I love that Blizzard launcher so much.
Personally, I've always been kinda reckless with my gaming passwords (I'm super tight on email/banking), but for gaming I just go with something easy and then rely on the gaming company to be awesome at resolving account problems. Although I've never had my Blizzard account compromised, the folks I knew who did were able to get everything back in shape within 4 hours--max. I may be optimistic to expect the same from Square-Enix, but maybe if I get hacked and they can't fix it--then I just quit, lol.
OTP = One Time Pad/Password
TFA = Two-Factor Authentication.
And no, you generally don't want your game client to save the session token on the PC because that means the session token can be stolen by anyone with access to that PC, or by malware if it's in a default location.
What's two-factor authentication? Is that the kind of security that ties into my cellphone and they text me a verification code I have to enter again?
If someone has access to my computer I probably have a lot worse problems than worrying about my FFXIV account, lol.
Two Factor authentication (2FA) is any "something you know, and something you have" type of process. So for most players 2FA is the OTP (One Time Password) for the "something you have" part, and why it's supposed to be on a second device. Other ways of doing 2FA include, sending an email, SMS, or being called on the phone to a "known" device you have.
Most Cell-phone based 2FA is also not secure at all. Because of exploits in SS7 ( https://en.wikipedia.org/wiki/Signalling_System_No._7 ) it's possible to not only spoof a source, but also possible to trick people by social engineering them into giving up the 2FA information to an untrusted source.
Likewise, the fingerprint sensors on smartphones simply "unlock" the secure enclave on the phone, they are still technically sending your PIN or Password to whatever service wants it. (This is how all bank apps work.)
There are also some really bad "cloud" password management systems that completely defeat the purpose of having a secure device.
Also, you laugh, but people who "get hacked", often do something really boneheaded that they were told not to do (like RMT.)
Last edited by KisaiTenshi; 05-10-2018 at 06:57 PM.
Yeah, I could see the link between RMT and getting hacked. I remember that used to be a big issue in Warcraft where some of the vendors would hack you after selling you gold and take it back. Or steal your credit card or something crazy like that. I only went by the rumors, still, there's always a little truth in each rumor.
You certainly know what you're talking about, so I'll trust your judgement on the technical advice. I am pretty familiar with what social engineering is, and to a degree I almost rely on that concept for my own protection safety. It's one of the reasons why I love socializing with my bank's staff and getting to know the community I'm in. I've had all sorts of banking issues resolved simply because they 'knew my face.' Usually the moment something goes wrong I pick up my phone and try my best to call a real person to help me out. I'm not specifically a big fan of all the new automated services they got going on these days.
Off chance, would you have a recommendation for a good cloud password system?
Also, I heard that the iPhone is more secure than the android for phone security, do you have an opinion on that? You don't have to respond to that last one if it's too hot-button. (I use an iPhone, because I heard security was great).