Someone's trying to get invited to Bayohne's house for Thanksgiving dinner.
Glad someone posted about this. I hope SE fixes this ASAP.

This really should be a high priority. I hope we get a response soon.

It's highly likely it only uses a subset of all possible combinations; it may be a hash function instead of a truly random number.
In which case, by looking at valid session IDs and trying numbers around those, it becomes much more likely to find a "hit".
Also consider that there may be no maximum number of attempts like a password system has, allowing a hacker to try hundreds of possible session IDs a second.
This is much like finding a wireless encryption key.
Why did they remove the IP lock used in version 1.0? Any time your IP changed you had to change your password to unlock your account.
Last edited by Silverwalk; 10-08-2013 at 11:38 PM.


I was able to find this in literally five clicks. Two to start the software, one to select FFXIV, one to open the context menu and one to hit 'properties'. Furthermore, I was able to close the game, copypasta the command line into a console, and it worked.
Also, to all those freaking out over being able to hack SIDs, it's far more likely that someone will try to just use one you've already been using. Someone could just grab the one I found below and use it after I log out; the issue is not the ability to brute-force or guess, it's that the SIDs don't expire upon logout.
This part scares me the most, and if true, is the most amateurish thing I have ever seen in an MMO. O M G.
What does this all mean?
I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password. I was also able to log into my account while my friend was logged into it at the same time with a different session ID. ...... If the computer gets infected with a virus targeted at stealing FFXIV accounts then it is too late. No amount of changing passwords or generating new one time passwords will help.
Session IDs should ALWAYS become invalid at the end of a session. Yikes!
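As an added illustration, not code from Square Enix or from anyone in this thread, here is a minimal server-side session store in Python that does what the post above asks for: IDs drawn from a CSPRNG rather than derived from predictable input, invalidation on logout, an idle timeout, and a revoke-all hook for password changes. The timeout value and the class name are assumptions.

```python
import secrets
import time

# Added illustration, not Square Enix code. A session ID is only as safe as
# its lifetime: once the server forgets it, a stolen copy is worthless.
SESSION_BYTES = 32                 # 256 bits of entropy per session ID
IDLE_TIMEOUT_SECONDS = 30 * 60     # assumed value; idle sessions die


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock, for testing
        self._sessions = {}        # sid -> {"account": str, "last_seen": float}

    def login(self, account):
        """Issue a fresh, unguessable session ID after a successful login."""
        sid = secrets.token_urlsafe(SESSION_BYTES)
        self._sessions[sid] = {"account": account, "last_seen": self._now()}
        return sid

    def validate(self, sid):
        """Return the account for a live session, or None if it is rejected."""
        record = self._sessions.get(sid)
        if record is None:
            return None                      # unknown, logged out, or revoked
        if self._now() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]          # expired: forget it server-side
            return None
        record["last_seen"] = self._now()
        return record["account"]

    def logout(self, sid):
        """End the session on the server; the old ID is never accepted again."""
        self._sessions.pop(sid, None)

    def logout_everywhere(self, account):
        """Revoke every session for an account, e.g. after a password change,
        so an attacker already holding a session ID is kicked out too."""
        stale = [s for s, r in self._sessions.items() if r["account"] == account]
        for sid in stale:
            del self._sessions[sid]
```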
Bumping for the night/evening crew. This needs to be fixed please.
I'd like to hear some proper comments on this. How secure are actual logins if this all is true? Is there any point in having a security token at all until then? How afraid do I have to be on every login before this gets fixed (if it is an issue that needs fixing in the first place)?

This is very scary. Seems like a slip up on SE's part. I'm glad people are bringing this up so they can fix it.
For everyone else, be careful when you log into or go onto FFXIV related sites. Make sure they're trustworthy. Like the OP said, it sounds like they don't even have to phish or keylog it. Just a virus from a browser vulnerability might be enough to get around your security.
"You keep using that word. I don't think it means what you think it means."