Security Update Discussion


airun

Junior Member

08-21-2013

I changed my password, and now neither my old nor new is working. I don't know if I typed it in wrong twice or what? But I can find it out cause I'm getting a 404 message on the "forgot your password" page.



CheckeredDeath

Junior Member

08-21-2013

About the password strength... Mixture of Capitals and Lowercase along with numbers makes it strong... Doesn't have to be long. What are we just getting to the internet? No one knows how it works?



mrwachandgame

Junior Member

08-21-2013

I have been unable to reset my password, due to the changing procedure telling me my password is invalid. I am in fact inputting the correct password. I would love to actually be able to change my password and continue playing.
From, an aggravated summoner



Thalandor46

Senior Member

08-21-2013

While password strength is still a hot topic, I'd like to share a little piece of software called KeePass. Changed my electronic life, and it's completely free. I highly recommend everyone check it out.



HybridDestroyer

Junior Member

08-21-2013

Well, I have a bit of a problem. When I try to change the password to my account it says it's good, then when I try to log in the new password doesn't work.



AileTheAlien

Senior Member

08-21-2013

Quote:
Originally Posted by Veruco
Example of a strong password:
correcthorsebatterystaple5

I'm astonished that you obviously saw that XKCD comic (and presumably read the relevant research papers), and LoL passwords still require numbers.
They add a small amount to the security of the password, but are hard to remember.
Full words, in whatever language you choose to type in, add a lot more to the un-guessability of the password, and are easy for humans to remember.
Is this because the password system in LoL is limited to 30 characters, or for some other reason?



Void2258

Senior Member

08-21-2013

Quote:
Originally Posted by Veruco
Passwords must be between 8 and 30 characters long, contain at least 1 number, contain no slashes or spaces, and must not be easily guessable. Now, "not easily guessable" is what seems to be tripping up a lot of people so I'll try to provide a bit more detail into what this means.

Account thieves are very good at guessing passwords because most people tend to use the same password for multiple websites and use predictable word and letter combinations (i.e. password1 or sunshine5). This means your account information can be stolen on one website, but then potentially used on another. For this reason, the password strength meter detects if a password is 'instantly crackable' by checking if you are using a word from a list which hackers have used in the past to steal other accounts. If a word in your password appears in this list, then it drastically reduces the strength. Strong passwords are unique to the person using them, but hard for someone else (or a machine) to guess.

Example of a weak password:
sunshine1989

Example of a strong password:
correcthorsebatterystaple5

XKCD steal
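
The rules quoted in the post above, written out as a checker. This is an added example, not part of the thread and not Riot's code; the short word list is a constructed stand-in for the list of previously cracked words, and treating both `/` and `\` as slashes and matching listed words as substrings are assumptions.

```python
# Constructed stand-in for the "list which hackers have used in the past";
# a real meter would load a large breached-password wordlist.
BREACHED_WORDS = {"password", "sunshine", "qwerty", "dragon", "letmein"}


def check_password(pw, breached=BREACHED_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(pw) <= 30:
        problems.append("length must be 8-30 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain at least 1 number")
    if any(c in "/\\ " for c in pw):
        problems.append("must not contain slashes or spaces")
    # A listed word anywhere in the password counts, so appending a year
    # or a digit to a common word ("sunshine1989") does not get past it.
    lowered = pw.lower()
    for word in sorted(breached):
        if word in lowered:
            problems.append(f"contains listed word '{word}'")
    return problems


if __name__ == "__main__":
    for sample in ("sunshine1989", "correcthorsebatterystaple5"):
        print(sample, "->", check_password(sample) or "passes")
```
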



Obrek

Senior Member

08-21-2013

I am glad Riot came forward with this information and, according to an email they sent me, are going to look into other forms of account verification. As much as I hated my damn Battlenet Authenticator, it worked. I'd like to see something similar available for summoners.



Chaossdeath

Junior Member

08-21-2013

What the heck, Riot, I can't change passwords at all. Plz help fix this.



halpmehplz

Junior Member

08-21-2013

Also question, I'm not the smartest on security so maybe someone can explain, but if only the salted password hashes were stolen, why would that require a more complex password on my part?

If you have the salted passwords and you assume that at least someone has the password "password" you would then try salt/hashing until you found the salt? Then you would guess common passwords + salt/hash to see if it's the actual password etc. Couldn't you just lock the account till the next time I log in and use a different salt to save the password again?

It would seem the only need for a more complex password would be if they were trying to brute force the login screen (which they weren't apparently), which obviously has an easy solution to limit the retries before an email or captcha requirement. Also, this wouldn't really require such an overly complex password either.

Maybe I'm missing something but it would seem that something is not being told to us?
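
An added illustration of the question above, not part of the thread and not Riot's code: in the usual design the salt is stored next to each hash, so a copied table can be checked against a wordlist offline, one account at a time, with no login screen involved. PBKDF2, the iteration count, the account names and the wordlist are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # kept low so the sketch runs quickly; real systems use far more


def make_record(password, salt=None):
    """Build what a server stores: a random per-user salt plus the salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    """Recompute the hash with the stored salt; this needs no secret."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def audit(records, wordlist):
    """Return {user: word} for every record whose password is on the wordlist."""
    found = {}
    for user, rec in records.items():
        for word in wordlist:
            if verify(rec, word):
                found[user] = word
                break
    return found


# Constructed records: two users share a weak password, one uses a long one.
RECORDS = {
    "alice": make_record("sunshine1989"),
    "bob": make_record("sunshine1989"),
    "carol": make_record("correcthorsebatterystaple5"),
}
WORDLIST = ["password1", "sunshine5", "sunshine1989"]  # constructed sample

if __name__ == "__main__":
    # The salt makes alice's and bob's hashes differ, yet both are still found.
    print(RECORDS["alice"]["hash"] != RECORDS["bob"]["hash"])
    print(audit(RECORDS, WORDLIST))
```

The salt forces the work to be repeated per account and defeats precomputed tables; it does nothing for a password that is itself on the list, which is why the strength requirement applies even when only salted hashes were taken.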