User:Aichon/Other/Password Change Option
Password Change Option
Timestamp: —Aichon— 20:34, 12 October 2009 (BST) |
Type: Interface/settings change |
Scope: All players |
Description: Currently, there does not exist a means to change the password for a character. This can be problematic if a player's character gets "hacked" or if a player simply wishes to better secure their account by changing the password from time to time. I would propose that a typical password change option be added to the Settings page. It would prompt for your current password, your new password, and then for you to confirm your new password. In addition, a "veto" e-mail message would be sent to the e-mail address that is on file whenever you change either your password or e-mail address. This e-mail message would provide a link (valid for a few days) that could be used to undo any changes that might have been made by malicious parties accessing your character's account. |
Discussion (Password Change Option)
Just to point out the obvious, I'm sure we can all envision scenarios where the "bad guys" could still take over someone else's account or someone could get locked out of their account. That said, this solution isn't meant to be a catch-all, complete solution, but rather an improvement over what we have right now. I've tried to make it as simple and unobtrusive as possible, with the hope that we can either come up with a few more details to make it better now, or else that it can be improved upon further down the road. It should work as it is though. —Aichon— 20:40, 12 October 2009 (BST)
This would certainly useful - I can name three players I've known from my history with UD who simply lost control of their characters and had to start over. Not only is it bad for the player - the need to regain all your skills is really painful - but also bad for that character's reputation and the reputation of any groups or organizations they belong(ed) to. Kevan's likely too busy or unable ("how do I know whose account this really is") to manually change passwords for those with compromised accounts, so an automated system would be a huge boon. Even then, there's the concern of someone getting your password and then changing it to lock you out... perhaps an e-mail confirmation or a secret question as well? --Bob Boberton TF / DW 21:03, 12 October 2009 (BST)
- I apologize for not being clear enough in the description. With the example you gave, someone wouldn't be able to lock you out unless they compromised your e-mail account as well, since you'd receive a "veto" e-mail that would let you undo their changes and regain control of the account (essentially, it's a non-confirmation link, letting UD know that the changes were illegitimate and should be rolled back). As the description says, the veto e-mail messages get sent whenever someone changes your password or e-mail address. Ideally, this allows normal users to change their passwords without the hassle of confirmations or secret questions, while preventing the bad guys from taking over the account permanently unless they compromise the e-mail account as well. Let me know if I can rephrase the suggestion somehow to make it all more clear. —Aichon— 22:15, 12 October 2009 (BST)
- Which is nice - and I'm not very smart today - but there are also several people I've known who take month-long breaks and the like. They tend to be common in a game like this one where some players just get fatigued. Having your account stolen during such a break would offer no recourse... You can't feasibly solve every case, but then again, this would solve most of the already uncommon account theft issues. I'm for it. --Bob Boberton TF / DW
22:38, 12 October 2009 (BST)
- Yep, you're spot-on correct in that this doesn't solve everything, but it does help with a lot if the situations. Also, in regards to the newest example you mentioned, keep in mind that with people taking a break from the game, they'd also have to take a break from their e-mail in order to be completely compromised, otherwise they'd still get the veto message. But yes, if an attacker knew that someone would be away from computers for a period of time, they could wait until the person was gone and compromise the account then. Admittedly, this suggestion, as it is, does not provide a solution to that problem, though I'm up for incorporating other people's ideas so that it does. —Aichon— 22:47, 12 October 2009 (BST)
- Which is nice - and I'm not very smart today - but there are also several people I've known who take month-long breaks and the like. They tend to be common in a game like this one where some players just get fatigued. Having your account stolen during such a break would offer no recourse... You can't feasibly solve every case, but then again, this would solve most of the already uncommon account theft issues. I'm for it. --Bob Boberton TF / DW
- I like the idea. I had wondered why UD did not already have some kind of automated password change function already established. We should move this along to Peer Review quickly if unless there is a good argument against it. --Maverick Talk - OBR
404 10:29, 13 October 2009 (BST)
- It's a good idea. No system is perfect, so don't worry about getting this system perfect. However, I'd propose it works this way: when the suggestion is implemented, the first time you log into your account it asks for an email address. Then an automated system sends a verification link to your email. From then on, there would be a "forgot password?" link on the main page when you log in. That could be used to recover/reset your password if needed. This would cut down on zergs, as accounts would actually be linked to an email and would have to be verified. A small measure, but surely worth it to thin the zerg herd a bit.--GANG Giles Sednik CAPD 17:13, 13 October 2009 (BST)
- Regarding recovering passwords, Kevan already has a password recover feature set up. As for cutting down on zerging, I like the idea. That said, there are cases, such as with myself, where the same e-mail address is used for multiple characters, yet zerging doesn't occur since the characters are kept separate, as per the rules. Introducing some way to curb zerging via e-mail address is a good idea, but is a large enough one that it should probably be its own suggestion. —Aichon— 19:20, 13 October 2009 (BST)
- I'll probably push it up for review sometime later this week. While I would love to rush it through, I'd rather that we have the best idea possible, so vetting it through the Developing Suggestions discussion is a part of the process that I don't want to cut short. —Aichon— 19:20, 13 October 2009 (BST)
- It's a good idea. No system is perfect, so don't worry about getting this system perfect. However, I'd propose it works this way: when the suggestion is implemented, the first time you log into your account it asks for an email address. Then an automated system sends a verification link to your email. From then on, there would be a "forgot password?" link on the main page when you log in. That could be used to recover/reset your password if needed. This would cut down on zergs, as accounts would actually be linked to an email and would have to be verified. A small measure, but surely worth it to thin the zerg herd a bit.--GANG Giles Sednik CAPD 17:13, 13 October 2009 (BST)
We really need an account/character system like NW. It's simple, easy, helps detect cheating and grants players control of things like donations. However the amount of coding and integration to go from the current system to this one would probably make it prohibitive. -- .
. <== DDR Approved Editor 04:05, 14 October 2009 (BST)
- Sorry for not knowing what it is, but NW? I'm curious what it is now. —Aichon— 05:14, 14 October 2009 (BST)
- NW was Nexus War, another browser game made by a former member of this community, the leader of MOB, Jorm. It was recently closed down after quite a few years of being a red stain on his bank account. The system over there was that each user had a single account and logged into that account to access their characters (three free characters and more if donated for). Players had enhanced control over their characters such as a credit system to allow control of donations (something UD doesn't) and deletion of characters. Due to the way NW's group system worked it was also much easier to use this set up to detect cheats (players could not have two characters in the same group, if a player was accused of zerging or alt abuse then this could be proven that this was their character by a group leader for one of their current groups could invite the other alt, a message that they couldn't join because of the first character acted as proof). Because it was a single account, there were also much better safeguards, including requiring an email address to create an account. This obviously makes password recovery needed only once and a mere formality. --
. <== DDR Approved Editor 05:29, 14 October 2009 (BST)
- NW was Nexus War, another browser game made by a former member of this community, the leader of MOB, Jorm. It was recently closed down after quite a few years of being a red stain on his bank account. The system over there was that each user had a single account and logged into that account to access their characters (three free characters and more if donated for). Players had enhanced control over their characters such as a credit system to allow control of donations (something UD doesn't) and deletion of characters. Due to the way NW's group system worked it was also much easier to use this set up to detect cheats (players could not have two characters in the same group, if a player was accused of zerging or alt abuse then this could be proven that this was their character by a group leader for one of their current groups could invite the other alt, a message that they couldn't join because of the first character acted as proof). Because it was a single account, there were also much better safeguards, including requiring an email address to create an account. This obviously makes password recovery needed only once and a mere formality. --
Doing some quick looking up, I discovered this old peer reviewed suggestion that seems to cover very similar territory to the suggestion I have here. I'm afraid I'm kinda new around the wiki, so I'm not too sure of how to proceed at this point. Is this suggestion dead in the water, or does the extra part it has about the veto message distinguish it enough that it should continue? I'm not interested in wasting people's time, so if this is a dupe of a suggestion that's already been accepted, we might as well kill it now. —Aichon— 23:22, 14 October 2009 (BST)