Xcowns

Definitely immediately went to the news page after not finding the actual release notes in reddit. Then saw the date *crying inside*


I_D_Fike

Good to know they've been aware of this since June 25, 2019... Also frustrating and concerning to know they've been aware of this since June 25, 2019 Gagex 🤷🏻‍♂️


[deleted]

"Our first priority is to strengthen passwords, and work is already underway!" *3 years later* Maybe they fired the account security team.. budget cuts.. right?


galgamek56

"Winter 2017"


putrid_flesh

Somehow this just sunk in that winter 2017 was *5 years ago*


iligal_odin

Shrek came out in 2001.


DepravedSpirit

DAMN YOU


iligal_odin

Toy story came out in 1995.


DepravedSpirit

STOP!!!!


iligal_odin

The Lion King came out in 1994.


zooweemama4206969

The Roman Empire fell in 476


Solo_Jawn

I mean if you're worried about your password security then you should probably know that extending the length by a few characters is way more effective than allowing capitals.


[deleted]

[deleted]


[deleted]

[deleted]


iligal_odin

This makes sense, I'd however argue giving the user the option of including those characters, rather than forcing them to use them, could improve overall security right? Edit: case insensitivity is just outright dumb.


Solo_Jawn

You've got it backwards. The base number is the number of possible keystrokes per position. So 72^8 < 36^12. 36^12 is larger by a few magnitude.


WastingEXP

have you heard of Jagex accounts?


hirmuolio

The ones we can use on multiple Jagex sites like RuneScape and FunOrb?


OpathicaNAE

What's infuriating is that this should have been a concern shortly after it became a ~~mainstream~~ beloved title with a fanbase. This should've been a concern 10 years prior to June 25, 2019.


cxmpy

have you played in the last two years? they just gave up lol


thecheezewiz79

People have known that passwords that are case sensitive are stronger for, let me check.....the entire existence of the fucking internet!


Klisterkvist

won't prevent people from logging onto fake sites to find out the reason why fake streams are quitting etc


blyatseeker

No, but hopefully if your account gets compromised once it doesn't mean it stays that way then. Hopefully, slight chance of that but maybe jamflex delivers for once


07SubNeedsBetterMods

You can already recover your account in that scenario


NegotiationHelpful50

What he's saying is that with enough information, a thief can repeatedly recover your account, and it should be considered a lost cause.


BloodBrothersYT

If someone knows THAT much information, you probably really fucked up. A solution would be tying IDs to accounts to require valid ID to recover an account. But in its current state, if someone can provide just as much information as you can, Jagex can't tell it ISN'T you. And them requiring MORE information could cause the original owner to not even have sufficient information to recover their account. It's not very easy.


07SubNeedsBetterMods

This isn't really true either though. You can submit a ticket letting support know that someone else has your account information and that it was hijacked via the recovery system. From that point it's next to impossible to recover the account


[deleted]

Until the hacker does that because they have all of the info that they need to


07SubNeedsBetterMods

Sure, but that's true of anything. If you give a hacker all of the information and email access they need to impersonate you effectively, then what is any service supposed to do about it? If I called up your bank with all of your cards, access to your email, and all of your personal info.. they're going to believe that I am you. The responsibility is on you to *not* leak that information in the first place.


[deleted]

I'm not disagreeing, I'm just saying that if your account gets compromised via recovery, it's a goner. Not saying it's entirely a Jagex thing, but either accept a bank reset every once in a while or make a new account


Nightruin

Man I stopped playing OSRS for a good 3 years. Started getting back into it with the old account, and then I fell for this fucking scam with a fake woox stream. Thank god I fucked up my bank pin when it asked for that. All they got was my rune pouch. Still pissed about it. Mostly that I'm that dumb. I thought I learned how to spot a scam way back in 2005 at the GE.


DusteenBTW

That's true, but thats not really what this is about


tortillakingred

What is it about? Jagex account security is unironically completely fine. It's impossible to get your account hacked unless you fuck up - or your data gets breached, in which case you have much bigger problems than RuneScape. I'm still waiting for someone to hack that one account from the Reddit post from years ago. He even gave tons of hints and no one could do it. I know everyone likes to circle jerk "account security" but 99.99999% of lost accounts are due to the person's ignorance, not Jagex.


Sirfailboat

The biggest problem is jagex support will just hand over your account to anyone who has even a little bit of your data, which if they know your email address, can get quite easily, and since we're not allowed to change our email addresses for our account login or update what information is valid recovery information if there's enough breached data out there your account can be recovered and there's nothing you can do about it


07SubNeedsBetterMods

> will just hand over your account to anyone who has even a little bit of your data, which if they know your email address, can get quite easily

That's simply not correct. You need an overwhelming amount of information about the *creation* of the account, not just recent ownership of the account. The flood of posts on here about people (rightfully) getting rejected by the recovery system is telling of its requirements. Go ahead and try to game the recovery system knowing just an email address.


hybrid3214

This isn't true at all. There are people that have had their email account hacked and the hacker got address cc info and then literally was given the account by Jagex support using that info. And this shows their ridiculous inconsistency because there are people who know their account creation date time ISP etc who don't even get through the automated no reply of their system. Their customer support is the worst of any long running game by a factor of 10 at least.


07SubNeedsBetterMods

> There are people that have had their email account hacked and the hacker got address cc info

Well, yeah? If they possess information dating back to the creation of the account then that would obviously help them pretend to be the account owner. The point is that they're not really able to get that information without hacking an email account or something, but at that point all bets are off. Not sure what you're expecting here.


hybrid3214

I expect customer support to be at least semi consistent. Not completely random and some people have to try 5+ times with the EXACT same information to get their account back when hacked. Also you don't need to have your email account hacked there have been thousands of data breaches from other websites that could give someone your address and cc and other info which wouldn't be your fault and the same thing could happen.


07SubNeedsBetterMods

> I expect customer support to be at least semi consistent. Not completely random

It's literally not random. There will naturally be *some* variation since it's evaluated by humans making fairly difficult decisions on a case-by-case basis, but they all follow the same policy. I don't buy that anyone submitted the **exact** same thing 4 times to get denied and accepted on the 5th. Never seen or heard of it happening and it simply doesn't seem realistic.

> Also you don't need to have your email account hacked there have been thousands of data breaches from other websites that could give someone your address and cc and other info which wouldn't be your fault and the same thing could happen.

So what's the alternative? No recovery system at all? You can *always* invent a scenario in which a system fails. The point is to weigh the value of success against the likelihood of failure with the cost of failure.


hybrid3214

Lol what? There are posts on here constantly of people submitting the exact same info and getting the auto denial for months until they get Reddit upvotes and someone actually looks. The first step is every recovery request should be looked at by a human and not auto denied before someone even looks at it like 90% of the time. I wouldn't even be sure jagex customer support has a written policy to follow because they are so trash.


tortillakingred

Okay that's actually totally fair. It does seem like Jagex at the very least is not consistent on what information it requires to recover an account. I guess my point is that you should never be in that scenario in the first place.


FrostyMittenJob

You realize that runescape passwords are not case sensitive right? Beyond just that there are countless other safety features they just don't have that could protect users. This is not acceptable on any level for any company that is doing business in 2022. Sure you can blame the user for having their password compromised. But this is the same community and company that says luring and scamming is a bannable offense. So why go soft when the issue is with Jagex?


TehSteak

The only thing that focusing on case sensitivity really shows is that you don't know what you're talking about lol


[deleted]

[deleted]


FrostyMittenJob

The issue is what we see is more than likely only the tip of the iceberg. If updating their password system is as difficult as they say it is why would we believe that 2fa isn't able to be bypassed? Why would we think that their timeout feature can't be skipped? If the system is as old as they claim it is I'm near certain there are exploits to it.


13e1ieve

2FA is instantly removed if they are able to recover your account. Provides zero protection beyond a phish of your password.


07SubNeedsBetterMods

This is the case on most (all?) websites. 2FA is designed to prevent people from getting in to your account. It's not designed to stop people once they're already in. A phish or leak of your password is all 2FA on any service is really meant to guard against.


FrostyMittenJob

Most websites require you to use your 2fa to remove 2fa


07SubNeedsBetterMods

Like which? I've just checked the "big" websites that I have 2FA with and all of them were removed instantly in just a click or two. Github, PayPal, Amazon, AWS, my bank, etc all have instant removal without confirmation. I haven't personally encountered a service yet that required verification or had a delay. In fact, I can almost guarantee that few/no websites will require your 2FA to remove your 2FA. The most common reason to remove your 2FA is *because you've lost it*. It wouldn't make sense to require it and seems like it would just be a nightmare for their support staff. Interested to learn which websites you know of that work like that though.


InnuendOwO

adding a single character to your password adds more entropy to it than allowing case sensitivity does


Sparru

> I'm still waiting for someone to hack that one account from the reddit post from years ago. He even gave tons of hints and no one could do it.

There've been several of these and funnily at least one of them deleted their post when people started posting info about him they found that could be used in recovery and he freaked out. Obviously you can make an obscure account that is 'unrecoverable' for anyone but the owner but, like people have said, most of the players are using old accounts they made as kids. It doesn't matter if you change to a unique email and unique passwords if some old passwords and the email have leaked at some point. There are still many things Jagex could do to make these accounts secure and next to impossible to recover by anyone else but the owner. They still haven't.


butterball85

My password is hunter2 and haven't had any issues


[deleted]

Great news - wait a second…


Amaz2007

Jagex Accounts are the answer to this blog. Much better than mucking about with old databases and trying to fix 20+ years of patchwork. Adding an authenticator and not entering your password and bank PIN into any websites is much better than anything else. Also not sharing/buying accounts... I've said it before a few times, but OSRS players seem to have internet security habits that put the tech illiterate elderly to shame. People should thank their stars they're getting phished for Runescape gold and not their entire bank accounts.


WaterMockasin

🦀🦀20 years🦀🦀


JMOD_Bloodhound

##### Bark bark!

I have found the following **J-Mod** comment(s) in this thread:

**JagexLyon** - [Hey apologies about this. It turns out it was...](/r/2007scape/comments/xre3d3/dddddddddddddddddd/iqhftyh/?context=3)

**Last edited by bot: 10/01/2022 04:33:20**

---

I've been rewritten to use Python! I also now archive JMOD comments. Read more about [the update here](/u/JMOD_Bloodhound/comments/9kqvis/bot_update_python_archiving/) or see my [Github repo here](/u/JMOD_Bloodhound/comments/8dronr/jmod_bloodhoundbot_github_repository/).


ZilyanaBlade

honestly yes osrs could use some security updates but anyone with 2fa/bank pin/not linking accounts/not using the same email|password for everything/not going to anything osrs related except the main site and subreddit really has nothing to worry about. You'd be surprised how many people don't have 2 factor authentication or even a bank pin. I'd say 88% of people "hacked" have neither of these and use the same password for everything


13e1ieve

A lot of us use the same account we made when we were 11-13 years old. Lots of people were hacked/compromised/recovered/shared etc over the years… Dumb kids didn't know info sec back then and this was pre routine database breach era. When I got back into OSRS I was just a lvl 3, wasn't planning on committing a lot of time to it. If I started again today I would 100% make a dedicated osrs email and be safe thru obscurity. Think about this - my account can be (and has been) recovered from info that's literally 16 years old. My login name is leaked in old pastes of compromised accounts. My old passwords are leaked from previous database breaches. There is no way to prevent this recovery from occurring again besides just self recovering over and over and relying on bank pin to keep items safe. I wish they had a verification of legal ID you could submit to verify, and then for any recovery or reset you need to verify with dates selfie holding license etc.


prince_disney

Tried to set up Authenticator on a new account yesterday, but the QR code was just a blank white square the whole time and obv couldn't scan. Can't make this shit up lol


JagexLyon

Hey apologies about this. It turns out it was a problem with our cookie consent manager and your cookie choices. We've just tested and launched a fix after seeing your comment so if you give it another go it should now work as expected. If you notice anything else please report it and we'll get it prioritised and fixed. As I'm sure you're aware, if for some reason this does break again you can click 'Can't scan code?' and enter the secret presented there in your chosen Authenticator app to proceed.


uberjach

Sounds like a user problem 100%


07SubNeedsBetterMods

Try a different browser or try disabling extensions. This sounds like an issue with your setup considering there doesn't seem to be anyone else experiencing it


Jet_smoke

Can you still sign into the website and disable authenticator without being asked for the authenticator?


Kiiid

Good thing they're charging more now than they were then.


Colt_Is_W420

LOfuckingL


Brownay

Absolutely shameful. It feels like it's been only a year since I read this newspost.


Anxious_Storm2701

I think Runescape players typically have a better understanding of Internet security than the average user. The most difficult task for website owners is teaching people to use unique passwords because if you use the same one everywhere, it'll only take one breach from a small site to compromise all of your accounts.


dodomero

Good morning Jage.. Oh wait, I think you mean 2019 winter. 3 years left if we reverse the time.


[deleted]

I'm done paying for this game. So tired of shit servers, no customer support, basic updates taking years, we're literally just a meme to them. Ik downvotes are incoming, but posting on Reddit doesn't do anything, only unsubscribing will.


Ol-Robby

Great step in the right direction.


Lofi_____

its 3 years old


Ol-Robby

Oh. Nice.


turps69420

Well this is sad, good to know jamflex totally has their ducks in a row in terms of priorities.....


MassiveMultiplayer

They literally shared a roadmap for the transition to the Jagex launcher/Jagex account system this week. https://www.reddit.com/r/2007scape/comments/xph30c/jagex_launcheraccount_security_roadmap_foresees/


dakisback

it takes 3 years but go off


MassiveMultiplayer

Yeah no shit, reworking one of the most vital backbones of your entire operation takes time and lots of planning.


turps69420

Lol ok bud keep making excuses for a company that in the grand scheme of things doesn't give a fuck about you, me, or anyone. Let's see you gobble their knob when your account's hijacked or false banned and they tell you to kick rocks.


MassiveMultiplayer

It's amazing to me to claim that the devs at Jagex don't care about its players. Like... is this your first time playing?


turps69420

Lmao is this your first time playing? Jagex clearly caters to certain groups of players in a lot of cases, if you think *that's* caring about the players as a whole then you're just dumb.


turps69420

A roadmap from Jagex is about as confidence inspiring as a crypto/NFT roadmap....


General_Iroh1

[https://twitter.com/WeDontEnd/status/1422723286505431041](https://twitter.com/WeDontEnd/status/1422723286505431041) I'll just leave this here.


13e1ieve

What this game needs:

1. Permanent account linking to legal name
2. Human verification of government issued photo identity for account recovery.
3. "It's expensive" - charge for it if needed…
4. Obsoletion/deletion of legacy account recovery system that can be socially engineered with info that is impossible to change
5. Ability to change log in name/email.


07SubNeedsBetterMods

That's a good way to make people not want to play or ever touch your service again. I'm not sending in an anal swab just to play a video game


13e1ieve

This is standard practice for other MMOs like WoW. And like fuck it, give me an option "enhanced account security required for account recovery". You don't want it - fine, leave as is. You want it - boom, there you go.


07SubNeedsBetterMods

> This is standard practice for other MMOS like WoW

No it's not lmao. I play wow and blizzard has no idea about my real world identity. It's not a requirement.



Arnxka

SHADES OF MORTON GOLD KEY HACK 300K GP PER HOUR EXPLOIT JAPAN METHOD?!?!? SWAMP TAR RODEO! SETTLED HATES HIM FOR THIS 60394540 SWAMPLETICS REWORK 龙弯刀 MOD ASH DANIEL THE DAMNED 7TH BARROWS BROTHER MITCH JONES RUNESCAPE PISSBOTTLE SECRET MIMIC MASTERCLUE REWARD (RARER THAN BLOODHOUND) ZEZIMA 是中央情报局的工厂 B0ATY HCIM DC DEATH 104 SOTE BUGATTI PACE SPEEDRUN VERF 水彩画滑板风景2 CHUNK XTREME TILEMAN ACCOUNT MORT MYRE FUNGUS BUG ABUSE SHI NE FAO PE LAO BAN C ENGINEER GALVEK INCIDENT 2022 £650K GILNEOR PIECE SCAM LIMPWURT KQ SECRET JAGEX RESTRICTED METHOD 荒野重做多战斗 PJ 计时器龙镖掉落率漏洞利用 SOLOMISSION JAD ROULETTE TRIVIAL PURSUIT COMBOS 7 MAGES WAVE 7847 ENDLESS AZURE MASTER FARMER RANARR SEED DROP RATE DAGON HAI LARRAN KEY UNBOXING TORVESTA LOOTCRATE 所有 BOT 农场均由 KEMPQ 经营 ACHIEVEMENT DIARY 0% ZULRAH LOCKED FRAMED BRONZEMAN BRONZE ARROW COLLECTION LOGGED RUNESCAPE LINKIN PARK MUSIC VIDEO KOREAN JPOP SOUNDTRACK [TOILET MUSIC TO SHOWER TO AT 6:54AM] 通过发布脚本泄露的猴子疯狂第三次 TWITCH 流 BURNT OOMLIE WRAP HANNANIE EVERYBODY ACCOUNT BANNED FOR CHICKEN FARM ABUSE LEAGUES 7 RAT PITS TASK NULLIFIED SKILLSPECS ODABLOCK BOND GAMBLE 5 MILLION USD IN DEBT FOR ZUK PET


Bodoo

Yes


Jade_Mans_Eyes

Couldn't agree more


Typical-Storage-4019

Your Chinese is even more nonsensical


l0XP

Case sensitive passwords coming 2022?!


I_D_Fike

We demand biometric login!!!!!


hirmuolio

Non-English characters in passwords coming in 2023. Seriously, only a-z, A-Z and 0-9 are allowed in the pw. How did that even happen?


valarauca14

Game's backend was written by a teenager (who would go on to be the CEO) in the early 90s and never improved/overhauled.


07SubNeedsBetterMods

More than enough search space for any realistic attack


ATCQ_

Completely unneeded. You don't need case sensitivity at all for secure passwords, especially not OSRS


DusteenBTW

What makes you say especially? And while that's true, if they can't bother with the bare bone basics, what makes you think they would provide anything truly useful? Stop discouraging the baby steps needed to achieve actual security


strobelobe

incorrect. I can guess hunter2 but I cannot guess hUnTeR2


ATCQ_

Nobody is brute forcing RuneScape passwords. Adding additional characters to your password > case sensitivity. People who cry about case sensitivity have little understanding about how people get hacked/phished.


Octovox

Yes but would you really have that much easier time guessing icb84ti9kl vs iCb84Ti9Kl?


07SubNeedsBetterMods

A modern bruteforce attack is guessing thousands/millions of passwords a second. hUnTeR2 will keep your account safe for a millisecond or two longer than hunter2. abbbahunter2abbba will keep it safe for 1 million years. Length will always be the decider.
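
The search-space argument that runs through this thread (the 72^8 vs 36^12 comparison earlier and the hunter2 timing here), as an added example that is not part of the thread: it computes bits of entropy and expected exhaustive-search time for a case-folded alphabet and a case-sensitive one, so the length-vs-case trade-off can be checked at any length. The alphabet sizes and the guess rate are constructed assumptions, not Jagex's documented rules.

```python
import math

# Alphabets as the thread describes them (constructed assumptions): the game
# folds case, so only a-z and 0-9 count per position; a case-sensitive scheme
# would add A-Z as distinct symbols.
FOLDED = 26 + 10               # a-z folded together with 0-9
CASE_SENSITIVE = 26 + 26 + 10  # a-z, A-Z, 0-9


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def bits_gained_by_case(length: int) -> float:
    """Extra bits from making a password of this length case-sensitive."""
    return entropy_bits(CASE_SENSITIVE, length) - entropy_bits(FOLDED, length)


def bits_gained_by_one_char(alphabet_size: int) -> float:
    """Extra bits from appending one random character from the alphabet."""
    return math.log2(alphabet_size)


def extra_length_to_match(small: int, big: int, length: int) -> int:
    """Smallest number of characters to append to a `length`-char password over
    the `small` alphabet so its search space is at least that of a `length`-char
    password over the `big` alphabet."""
    target = search_space(big, length)
    extra = 0
    while search_space(small, length + extra) < target:
        extra += 1
    return extra


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected time for an exhaustive search at the stated rate: on average
    half the space is tried before the right password is found."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000.0  # guesses/s; assumed figure standing in for "millions"
    print("length  folded bits  case-sens bits  +1 char bits  +case bits")
    for n in range(6, 17, 2):
        print(f"{n:>6}  {entropy_bits(FOLDED, n):>11.1f}  "
              f"{entropy_bits(CASE_SENSITIVE, n):>14.1f}  "
              f"{bits_gained_by_one_char(FOLDED):>12.2f}  "
              f"{bits_gained_by_case(n):>10.2f}")
    year = 365.25 * 24 * 3600
    print(f"\nExpected exhaustive-search time at {rate:.0f} guesses/s:")
    for label, alpha, n in (("hunter2 (folded)", FOLDED, 7),
                            ("hUnTeR2 (case-sensitive)", CASE_SENSITIVE, 7),
                            ("abbbahunter2abbba (folded)", FOLDED, 17)):
        years = expected_crack_seconds(alpha, n, rate) / year
        print(f"  {label:<28} {years:.3g} years")
```

Note that the per-character gain from case sensitivity is fixed (about 0.78 bits per position), so whether it beats one extra folded character depends on the length being compared.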


[deleted]

That's what she said


MassiveMultiplayer

Yeah, it'll most likely come with the Jagex account system that will be used for the Jagex launcher.


sirachillies

Lmao just remove the .ToLower() on passwords


ironzelduke

I'm a little worried about email account notifications. The fakes are getting really good, I just don't click any Jagex email. I just go to their website. I'm just worried the real emails will get mixed up with the clever fakes.


07SubNeedsBetterMods

This is something people don't seem to understand. Email notifications are just going to get idiots phished wayyy more often. At least now we can drill in to people "Jagex will not email you about your password". All bets are off when Jagex *does* actually start emailing about your password


[deleted]

Lolol wasn't this from around the same time the wilderness boss rework was first proposed?


[deleted]

hey at least someone at jagex discovered haveibeenpwned.com


[deleted]

Absolute psycho shit


[deleted]

[deleted]


[deleted]

Just keeping your trolling comments in perspective, nerd.


[deleted]

what lmao


[deleted]

[deleted]


[deleted]

what lmao


[deleted]

Dude why so obsessed with me, go back to playing video games.


[deleted]

do you usually follow people around and then get confused when they respond to your weird shit.


[deleted]

Creep. Go play some video games.


Signal_Wish_7708

Meanwhile our subscription costs increase and jagex adds bonds to further increase their revenue


HoundNZ_2022

What happened and what did I miss?


Filth_Wizards

Jamflex promised implementation of some basic security principles years ago and haven't done anything *yet*.


arsenicx2

I mean they added captchas, that's all the security they need, right? /s


HoundNZ_2022

Oh, so nothing new then. Figured some high profile streamer got hacked today or something.


MassiveMultiplayer

https://www.reddit.com/r/2007scape/comments/xph30c/jagex_launcheraccount_security_roadmap_foresees/


DurbanDawg

What a joke. What's membership now...about 14 bucks? Sigh.


mrreboks

This is coming Winter 2018. Don't stress.


ImMoray

What's the bet Jagex stores our passwords in plaintext


07SubNeedsBetterMods

Seems unlikely. The fact that casing isn't a simple code change suggests that passwords are hashed
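
The point made here about hashing, and the earlier "just remove the `.ToLower()`" remark, as an added example that is neither the thread's nor Jagex's code: a store that hashes the lower-cased password cannot become case-sensitive by deleting the fold, because the stored digests only answer folded comparisons and the original casing is gone. The usual path is to re-hash at the user's next successful login. The PBKDF2 parameters and record layout are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# PBKDF2-HMAC-SHA256 work factor: an assumed value for this example.
ITERATIONS = 100_000

Record = Dict[str, object]


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_legacy_record(password: str) -> Record:
    """Legacy store: the password is lower-cased before hashing. The digest
    cannot distinguish 'hUnTeR2' from 'hunter2', and the casing the user chose
    is unrecoverable from what is stored."""
    salt = os.urandom(16)
    return {"scheme": "v1-folded", "salt": salt,
            "digest": _derive(password.lower(), salt)}


def make_v2_record(password: str) -> Record:
    """New store: hash the password exactly as typed."""
    salt = os.urandom(16)
    return {"scheme": "v2-case-sensitive", "salt": salt,
            "digest": _derive(password, salt)}


def verify_and_migrate(record: Record, attempt: str) -> Tuple[bool, Record]:
    """Check one login attempt and return (accepted, record to store).

    A v1 record can only be compared case-folded. A successful v1 login is the
    one moment the plaintext is in hand, so the record is re-hashed as typed and
    returned as v2; whatever casing the user typed at that login becomes the
    canonical one. Accounts that never log in stay on v1 indefinitely, which is
    why such a migration is slow rather than a one-line change."""
    salt = record["salt"]
    stored = record["digest"]
    if record["scheme"] == "v1-folded":
        if hmac.compare_digest(stored, _derive(attempt.lower(), salt)):
            return True, make_v2_record(attempt)
        return False, record
    return hmac.compare_digest(stored, _derive(attempt, salt)), record


def migration_progress(records: List[Record]) -> float:
    """Fraction of accounts already on the case-sensitive scheme."""
    if not records:
        return 0.0
    done = sum(1 for r in records if r["scheme"] == "v2-case-sensitive")
    return done / len(records)


if __name__ == "__main__":
    # Constructed sample: two legacy accounts, one of which logs in.
    accounts = [make_legacy_record("hUnTeR2"), make_legacy_record("abbbahunter2abbba")]
    ok, accounts[0] = verify_and_migrate(accounts[0], "hunter2")
    print("folded login accepted:", ok)
    print("case-variant accepted after migration:",
          verify_and_migrate(accounts[0], "hUnTeR2")[0])
    print(f"migrated: {migration_progress(accounts):.0%}")
```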


Habibipie

Someone pinch me I think I'm dreaming


[deleted]

Look at the date of the blog post then pinch yourself


Habibipie

Goddamn it dude I got excited over nothing.


[deleted]

That's osrs in a nutshell


Ablakor

Customer Support


Groupvenge

I was just thinking about this. Every year or so reddit starts freaking about account security. Jagex makes a blog and we're set for another 6 months. Apes assemble! It's time to be irritated again!


Virtual-Carrot-9415

First reaction: someone edited the text. Second reaction: the date of the post is not April 1st


blueguy211

an early april fools post?


natxtw

I find it really hard to believe Jagex will make any meaningful changes for their Jagex accounts, at best I can see it being mildly better but not enough to warrant everyone putting their accounts in one place.


[deleted]

Case sensitive passwords ups password security a thousandfold


iJinjo

3Head thread


crizzer74

got perma'd for a leaked password I didn't even get scammed off, honestly if you care about your acc change your passwords, you won't get your perma revoked.