FYI: check and change login passwords ASAP

[VelKallor]

Because not everyone else can access those, as we're not from the US/EU?

I am in Aust , I have the software token / one time pad for mobile.

[Shibi]

This attack is a pretty simple one. It's just plugging in details scraped from other hacks and leaks over the years.

If you use a password manager, and don't reuse your passwords you are as safe as you ever are.

[KatieConnr]

Keep in mind, the picture below is what the REAL log in to the Lodestone looks like https://na.finalfantasyxiv.com/lodestone/

FAKE SITES will have jibberish letters like .xya inserted and the OTP on the same page as your name login and password.

Holy tabs Batman!!

[VelKallor]

If you use a password manager, and don't reuse your passwords you are as safe as you ever are.

Perhaps

Better safe than sorry later, Shibi. Password security is a big deal.

[SaberMaxwell]

Can't recommend password management software enough for something like this too.

[Aurikai]

Using OTP with FFXIV login is painful, bad enough you need to enter password every time, but OTP also. There's a thing called OAuth that issues security tokens once you pass all authentication checks so you don't need to provide this stuff every time, apparently Blizzard can implement this but not SE. Cumbersome login processes always forces bad security habits by users.

[SaberMaxwell]

Using OTP with FFXIV login is painful, bad enough you need to enter password every time, but OTP also. There's a thing called OAuth that issues security tokens once you pass all authentication checks so you don't need to provide this stuff every time, apparently Blizzard can implement this but not SE. Cumbersome login processes always forces bad security habits by users.

Convenience and security are ever on opposite sides of a spectrum.

[Aurikai]

Convenience and security are ever on opposite sides of a spectrum.

No they aren't, OAuth is easily fixes this, this isn't host based security, doubt you have a clue about IAM systems, so not surprised you would say something that naive.

Lots of banks and other institutions use that same technology to ease logins, even Office 365 does, even Blizzard, so you're just making excuses for SE spending poorly on security because you lack knowledge of how it works.

[SaberMaxwell]

No they aren't, OAuth is easily fixes this, this isn't host based security, doubt you have a clue about IAM systems, so not surprised you would say something that naive.

My guy, I merely stated a pretty standard security adage which holds true almost no matter what. It's why "layered defenses" are better no matter what kind of system you're trying to create. No need to get hostile.

"No authorization or authentication standard is guaranteed to protect your information. If your information is available online, it’s susceptible to being stolen. If hackers breach a server of any service that you use, they could potentially take your login information or personal information, like name, address, and credit card information. [...] What makes OAuth great is that it restricts how many third-parties know your passwords. No, that doesn’t mean your personal information is 100% safe. But, by reducing how many entities have your passwords, you’ll lessen the chance that your passwords will get compromised."

[Aurikai]

My guy, I merely stated a pretty standard security adage which holds true almost no matter what. It's why "layered defenses" are better no matter what kind of system you're trying to create. No need to get hostile.

"No authorization or authentication standard is guaranteed to protect your information. If your information is available online, it’s susceptible to being stolen. If hackers breach a server of any service that you use, they could potentially take your login information or personal information, like name, address, and credit card information. [...] What makes OAuth great is that it restricts how many third-parties know your passwords. No, that doesn’t mean your personal information is 100% safe. But, by reducing how many entities have your passwords, you’ll lessen the chance that your passwords will get compromised."

No you stated a blanket statement that had nothing to do with the topic at hand, which was OAuth would make it easier for users to login. Saying nothing is 100% secure is like saying you should never drive or fly because cars aren't 100% safe, it's pointless thinking and completely dismissive. You can make excuses for SE not implementing that technology all you want, nothing you've said has provided any relevant counter arguments for why they shouldn't.