Retrograde

Forum downtime and security update

Hi Everyone,

 

We will be taking the forums down for an update and configuration change to address some performance issues you have all been experiencing. The downtime will occur at midnight server time on the 29th of June (00:00 UTC+1).

 

Additionally, we identified a potential security issue and as such will be performing some security changes. All accounts will have a forced password reset after the update, and we will be enabling HTTPS for the entire forum.

 

Password security is very important, and always make sure to change your passwords regularly and do not use them across multiple websites or have the same password as your in-game account. We also advise taking the time to change in-game passwords to any accounts shared with other people to maintain good security practices.

 

We expect this downtime to be only a short period and will provide an in-game alert when they are back up.

 

Regards,
The Wurm team.

  • Like 18


Turns out I don't know how midnight works and that dates go forward, correct time is midnight on the 29th.

 

Also HTTPS will be across the entire forum.

  • Like 3


Got worried, thought I'd have to redownload the client again :P

  • Like 1


hopefully you mean the forum password and not ingame accounts

2 minutes ago, RavenLure said:

both?

I was asking Retrograde, not responding to you. I'm concerned as well.

1 minute ago, Niki said:

I was asking Retrograde, not responding to you. I'm concerned as well.

Oops, sorry... how do you reset them both, or find the passwords?


Forum passwords will be forced to reset. You'll need to use the forgot password feature to set a new password after the downtime.

 

Account passwords will not be reset at this time, but it is good practice to change your passwords on occasion and to never share a password with more than one service. In today's day and age, this should be as instinctive as looking both ways before crossing a street seeing how hard people try to obtain your access.

 

I personally use a product called Lastpass to manage everything for me. My Lastpass password is not a single password but a phrase and I change it regularly. It's a phrase that's personal to me as well, complete with spaces. I then use Lastpass to generate all my passwords. That means I may not know a specific password, but I can always open Lastpass and copy it to use in the game client. I also use two-factor authentication whenever possible, and I'm looking forward to making that an option for forum users as well after this downtime is complete.

 

Security is no joke in an age when state-sponsored attacks regularly target civilians and small businesses. That's not even counting the bored folks out there simply looking for the 'lulz', as they say.

 

*tips hat*

  • Like 7


When I log in world there is no reset password or forgot password. I am glad it is just the forum one for now, but better change all passwords if I change one.


I also heavily encourage the use of a password manager and never ever using the same password at two "doors". I use KeePass as it works on all platforms I use and is also integrated with Firefox (although it takes some headache to set it up on Linux), so I don't need to copy/paste the credentials all the time.

1 hour ago, Keenan said:

Forum passwords will be forced to reset. You'll need to use the forgot password feature to set a new password after the downtime.

 

Account passwords will not be reset at this time, but it is good practice to change your passwords on occasion and to never share a password with more than one service. In today's day and age, this should be as instinctive as looking both ways before crossing a street seeing how hard people try to obtain your access.

 

I personally use a product called Lastpass to manage everything for me. My Lastpass password is not a single password but a phrase and I change it regularly. It's a phrase that's personal to me as well, complete with spaces. I then use Lastpass to generate all my passwords. That means I may not know a specific password, but I can always open Lastpass and copy it to use in the game client. I also use two-factor authentication whenever possible, and I'm looking forward to making that an option for forum users as well after this downtime is complete.

 

Security is no joke in an age when state-sponsored attacks regularly target civilians and small businesses. That's not even counting the bored folks out there simply looking for the 'lulz', as they say.

 

*tips hat*

Haven't heard of Lastpass particularly but the thing that always concerns me about that type of thing is you now have a single point of failure for all of your passwords... in theory.

 

There was recently news of a password storage-type service that was itself compromised.  Nightmare scenario.  I forget which one it was.

 

Also heard of a guy that successfully stole someone's identity, only to be arrested and sent to jail on an outstanding warrant out for the identity he stole.  Since then, I believe my best defense against identity theft is to become a debt-ridden criminal.

  • Like 3


When the single point of failure is a string that's impossible for a modern machine to brute force, it's fine. You just have to protect that information. Lastpass is great for that, although it syncs up online so that will always be a risk (and they have had at least one vulnerability in the past). Safest is to have a completely offline password safe, but being COMPLETELY offline isn't practical. 

 

The reality is that your personal information is never safe, there is no such thing as 100% safe, and you should assume your information has already been compromised (because it has). Using Lastpass just makes you better than the worst people, and that'll work out 99.99% of the time.

Edited by Chakron

8 hours ago, Keenan said:

Forum passwords will be forced to reset. You'll need to use the forgot password feature to set a new password after the downtime.

 

Account passwords will not be reset at this time, but it is good practice to change your passwords on occasion and to never share a password with more than one service. In today's day and age, this should be as instinctive as looking both ways before crossing a street seeing how hard people try to obtain your access.

 

I personally use a product called Lastpass to manage everything for me. My Lastpass password is not a single password but a phrase and I change it regularly. It's a phrase that's personal to me as well, complete with spaces. I then use Lastpass to generate all my passwords. That means I may not know a specific password, but I can always open Lastpass and copy it to use in the game client. I also use two-factor authentication whenever possible, and I'm looking forward to making that an option for forum users as well after this downtime is complete.

 

Security is no joke in an age when state-sponsored attacks regularly target civilians and small businesses. That's not even counting the bored folks out there simply looking for the 'lulz', as they say.

 

*tips hat*

 

While we are living in such dangerous times, how can you know LastPass is not just another tool of state (or other) agencies, collecting passwords connected personally to you? :P

I know, as browser app, its source code is more or less readable and you can check it. Did you check it already? :ph34r:

But there could be server side functions or .dll, out of your control. And that mobile app is even more secured, hard to check, what is hiding inside ...

 

Most secure safe-deposit box for passwords I know is a paper block hidden in my pocket, but it is rather impractical as there are no clipboard functions and a high chance of OCR fails :/

 

Edit:

Translated it means: All your passwords are synced with THEIR database, so THEY have fast access to all your passwords :D

 

 

Edited by Zakerak


If a state actor is after you, it's already over. No security will save you.


A quick update.

 

We had some people complaining that our forum emails were being blocked due to spam. We've since shifted all outgoing forum email to a service dedicated to that which should improve things quite a bit. If you have any missing email issues, please feel free to reach out to a forum lead or myself so we can check on it for you.

  • Like 2


I also use Lastpass. They did have a security breach a couple years ago, but no passwords were stolen. As for a single point of failure, browsers save passwords in lightly or unencrypted files, a high priority target for any malicious virus or malware. Apart from keeping the passwords in your head, no digital storage solutions are perfect.

 

17 hours ago, RavenLure said:

how do I find my current password I have it saved... UGH

 

If you go into your browser settings, there should be a list of saved passwords. Most browsers allow you to see the password if you choose to.

1 hour ago, Keenan said:

A quick update.

 

We had some people complaining that our forum emails were being blocked due to spam. We've since shifted all outgoing forum email to a service dedicated to that which should improve things quite a bit. If you have any missing email issues, please feel free to reach out to a forum lead or myself so we can check on it for you.

 

Was an official e-mail sent out notifying us of this forum password autoreset? I've not received any e-mails from Code Club regarding this issue and haven't found any diverted to the spam blocker folders either.

10 hours ago, Zakerak said:

 

While we are living in such dangerous times, how can you know LastPass is not just another tool of state (or other) agencies, collecting passwords connected personally to you? :P

I know, as browser app, its source code is more or less readable and you can check it. Did you check it already? :ph34r:

But there could be server side functions or .dll, out of your control. And that mobile app is even more secured, hard to check, what is hiding inside ...

 

Most secure safe-deposit box for passwords I know is a paper block hidden in my pocket, but it is rather impractical as there are no clipboard functions and a high chance of OCR fails :/

 

Edit:

 

Translated it means: All your passwords are synced with THEIR database, so THEY have fast access to all your passwords

 

If you're really that paranoid, use something like Enpass. You store the password repository wherever you want, and it is encrypted so even if someone steals it they would not be able to decrypt your passwords without your master password.

 

The real advantage of password managers is that if someone does break into one or more of your accounts, it is trivial to generate extremely strong new passwords for some or all of your accounts without having to try to remember them. Compare this to using a strong single shared password for all of your accounts without a password manager, where if someone breaks into an account you have to remember every site you used it on.

 

Like you say, these are dangerous times. A password manager is not perfect, but given the limits of human memory, it is far better than having a lot of weak passwords that you have to memorize, or using a strong single shared password for multiple accounts that you have to remember to change every time a company gets hacked.

2 hours ago, Keenan said:

A quick update.

 

We had some people complaining that our forum emails were being blocked due to spam. We've since shifted all outgoing forum email to a service dedicated to that which should improve things quite a bit. If you have any missing email issues, please feel free to reach out to a forum lead or myself so we can check on it for you.

I used to be leadership for another group which had at one point this issue. It seems people were marking forum messages as spam instead of changing communication preferences on the site. This led to having the issue of lowering some ratings somewhere and thus all mails getting caught by spam filters.

 

If you are one of those people who marks all unwanted mail as spam, you might want to check your blocked sender lists to ensure wurm's website is not added there. Email providers generally add a domain to your blocked senders list when you mark an email as spam. It's worth checking. On the alternative, adding wurmonline.com to your trusted senders or contact lists will help to prevent issues of this nature.

  • Like 1

5 hours ago, Keenan said:

A quick update.

 

We had some people complaining that our forum emails were being blocked due to spam. We've since shifted all outgoing forum email to a service dedicated to that which should improve things quite a bit. If you have any missing email issues, please feel free to reach out to a forum lead or myself so we can check on it for you.

 

2 hours ago, Angelklaine said:

I used to be leadership for another group which had at one point this issue. It seems people were marking forum messages as spam instead of changing communication preferences on the site. This led to having the issue of lowering some ratings somewhere and thus all mails getting caught by spam filters.

 

If you are one of those people who marks all unwanted mail as spam, you might want to check your blocked sender lists to ensure wurm's website is not added there. Email providers generally add a domain to your blocked senders list when you mark an email as spam. It's worth checking. On the alternative, adding wurmonline.com to your trusted senders or contact lists will help to prevent issues of this nature.

Happened to me recently, Gmail flagged it as spam; messages that are sent to you are emailed. Not sure why people tend to do this but you're correct.

 

I have a lot of emails forwarding so it took a lot of work to get it fixed, was wondering what was up. Nothing is really missing, can always check inbox here. Glad it's sorted nevertheless.

