Security Update Discussion


Teensyy

Junior Member

08-21-2013

Wow, I changed my password earlier and it said it wouldn't work. Figured it was an error and sent League a ticket explaining it won't allow me to log in. I never got a reply and cannot play tonight? Really. Thanks.



MazerRackhem11

Member

08-21-2013

To RIOT,

Look, I'm all for account safety, but these password requirements are completely over the top. I won't say where I work or what I do, but the work requires very serious security. When my first 3 new passwords were rejected by RIOT I tried out my work password, which it is estimated a standard PC would take over 4,000 years to break; it was rejected as too weak. Look guys, I'm all for security but this is insane. If my work password is secure enough for what I do, it is more than sufficient for LoL. I get that you were just hacked and that sucks, but dial back the overreacting a bit please. If you're really that freaked out, move to dual authentication like Blizzard.

PS. I ran my software on the password RIOT finally accepted. The math says a standard PC would take 157 billion years to crack my new RIOT password. However, RIOT's new security measures only gave that password an "okay" rating. This is nonsense guys, dial it down about 4 notches eh?



Carazy

Junior Member

08-21-2013

Quote:
Originally Posted by Veruco
Now, "not easily guessable" is what seems to be tripping up a lot of people so I'll try to provide a bit more detail into what this means.

"Not easily guessable" is an excuse for a script that is based off patterns of running numbers and words but makes no sense and is extremely annoying.

Additional1 which is 11 characters long is not acceptable.
Additional12 <---- This is the one I can't figure out. This one is acceptable.
Additional123 not acceptable
To keep this shorter, that pattern continues to
Additional123456789
but it's not over, it then repeats!!
Additional1234567891 too weak!
Additional12345678912 <------ LOL once again acceptable.
Additional123456789123 to ..... Additional123456789123456 too weak!
Additional1234567891234567 <---- works?
Additional12345678912345678 27 characters but still TOO WEAK!
Additional123456789123456789 <--- WORKS!!

additional things that don't work and hit limit

God555555555555555555555555555
GodPassword5555555555555555555 (but GodPassword55 is okay. Apparently hackers hate things in 2's)
God111111111Password1111111111
No11111111111111111111111111Go (No1111111111111111111111111God works though)
1PasswordPasswordPasswordPassw
111111111PasswordPasswordPassw
1Nooooooooooooooooooooooooooo1
RunePage1111111111111111111111
123RunePage1111111111111111111 (123RunePage works though...)



Podok the Mad

Junior Member

08-21-2013

I have forgotten the password to my other account. When I click "forget your password", it takes me to a screen where it asks if I want to change my email and ASKS FOR MY PASSWORD........



Carazy

Junior Member

08-21-2013

Quote:
Originally Posted by Veruco
Example of a weak password:
sunshine1989

Example of a strong password:
correcthorsebatterystaple5

Another example of a weak password is:
123456789123456789sunshine1989 (no lie. this password is too weak)
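
The passwords quoted in the posts above, scored by a naive per-character estimate and by a simplified pattern-aware one. This is an added example, not Riot's checker and not part of any post; the word list, the 10,000-word dictionary size and the cost formulas are assumptions made for illustration.

```python
import math
import re

# Constructed word list for this example; real checkers use large ranked lists.
WORDS = sorted(["additional", "sunshine", "password", "correct", "battery",
                "staple", "horse", "god"], key=len, reverse=True)
ASSUMED_DICT_SIZE = 10_000  # assumption: size of the wordlist a guesser tries

def naive_bits(pw):
    """Brute-force view: each character drawn independently from its class pool."""
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                      (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))
               if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def char_bits(ch):
    """Cost of a single character that is not part of any recognised pattern."""
    if ch.isdigit():
        return math.log2(10)
    return math.log2(52) if ch.isalpha() else math.log2(33)

def is_run(s):
    """True for one repeated character (5555) or ascending digits (1234)."""
    same = len(set(s)) == 1
    asc = (s.isascii() and s.isdigit()
           and all(int(b) - int(a) == 1 for a, b in zip(s, s[1:])))
    return same or asc

def pattern_bits(pw):
    """Pattern-aware view: cost each token the way a guessing attack would."""
    bits, i, low = 0.0, 0, pw.lower()
    while i < len(pw):
        word = next((w for w in WORDS if low.startswith(w, i)), None)
        if word:  # dictionary word, plus 1 bit for a capitalised variant
            bits += math.log2(ASSUMED_DICT_SIZE) + 1
            i += len(word)
            continue
        j = i + 1  # extend the longest repeat or sequence starting at i
        while j < len(pw) and is_run(pw[i:j + 1]):
            j += 1
        run = j - i if j - i >= 3 else 1  # runs shorter than 3 are plain chars
        bits += char_bits(pw[i]) + math.log2(run)  # first char + run length
        i += run
    return bits

if __name__ == "__main__":
    for pw in ("sunshine1989", "correcthorsebatterystaple5",
               "God555555555555555555555555555", "Additional123456789"):
        print(f"{pw:32} naive={naive_bits(pw):6.1f}  pattern={pattern_bits(pw):5.1f}")
```

Under these assumptions the padded passwords score far lower than their length suggests, while four unrelated words score highest. The sketch does not reproduce the alternating accept/reject results listed in the post.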



ScholarUrf

Senior Member

08-21-2013

So cough cough

You know that 3.9 issue Riot has swept under the rug?

Well, is there any status update?

Are you guys even trying to fix it?



natterrs

Senior Member

08-21-2013

Last week I was unable to log into my account; the password that I had been using since I made my account was invalid. I was understandably a little concerned, and had to reset my password via email just to access my account.

I logged on today to learn Riot had been hacked - does this mean that the reason I couldn't access my account was because someone hacked my account? I haven't seen any purchases on my credit cards - yet.

Get your ****ing **** together Riot, and I think it's fair to expect compensation for this bull****. Sony did it, it's your turn to repay your player base for your ****ty security.



sornvru

Member

08-21-2013

As someone who works with account security, I have difficulties understanding many of these rules for passwords. I have never had to deal with writing software that deals with security, but I don't understand a lot of these arbitrary rules behind password creation. If someone could please explain it to me, that would be great.

Mainly, why do so many people not allow spaces? I understand certain characters have to be disabled, such as ` is common, but why space? I subscribe to the "pass phrase > password" idea, so when I create a password it looks something like "I drive my car really fast." According to my understanding, password length is far more important and creating a long, easy-to-remember password is both more secure, and simpler to use than "randomphrase456" would be.

In my Teamspeak password, I can use something like "I needed a good sentence." without difficulty, so what are the limitations on websites or in the League client that prevent me from using that?

I understand that a limit of characters must be set for the sake of space. A database can only be so large for a server to be able to handle all the necessary records, but in a world where proper security is such a high priority, especially in particular situations, why, as users, are we always so terribly limited in the types of passwords we are allowed to create when we can come up with far better passwords than the system claims to be strong?

Maybe I am incorrect on this, but it seems like the only reason spaces are prevented is some kind of anti-SQL-injection measure, which seems more like a "security through obscurity" type of method from my perspective.

This is by no means specific to League and pvp.net but I don't have a lot of confidence in today's security practices.



Dead x lMau5

Member

08-21-2013

What if I don't want my password to be more secure, because it's my account and I should be able to at least have the password be whatever I want?? What then? What if I don't want to change my password to some ridiculous **** because it requires it to be so? The forced password change was bs.



mrwachandgame

Junior Member

08-21-2013

I have been unable to reset my password, due to the changing procedure telling me my password is invalid. I am in fact inputting the correct password. I would love to actually be able to change my password and continue playing.
From, an aggravated summoner