Link: https://www.sylestia.com/forums/?thread=95099&page=8#79 Author: Sarikunezume Time Posted: 12/14/2020 at 4:17 PM What about custom security questions? Instead of having preset questions like 'What is your pet's name?' users could enter their own unique questions. It could lead to questions that are confusing to intruders, like 'How many [noun]s are there?' or 'What color is the 3rd [noun]?'. The correct answer would depend on the context that the user had in mind when they created question.

Unfortunately I could see this ending up like Krin mentioned with 'unique' logins. Most people would go for very simple questions/answers (I probably would because of my poor memory :P) and it would end up not adding much in the way of security.

For security questions in general, if Krin wanted to go that way, a way to go might be making security questions that players can choose, that are related to sylestia in some way.

Sort of like 'what is your favorite species' 'What is a festival activity for Fall Fest'.

I don't know if those would be better, but they would be guaranteed to not be something that can be guessed from a different site, and it would mean that whoever was trying to 'break' them had to have some knowledge of the site itself, which may or may not be the case.

Link: https://www.sylestia.com/forums/?thread=95099&page=8#80 Author: Katelynn4545 Time Posted: 12/14/2020 at 4:55 PM Im cool with the email address idea its long and lengthy but you can always set it up to auto punch on personal devices which is what most folks use. What Im worried about is not knowing what I used XP is there a way to change that in settings? And if so could other players that havent lived in for a while and came back from hiatus have an option to use their UN for the first sign in before switching to email? Just fear it may cause a lot of unnecessary double accounts.

You can view/change your account's registered email address under Account -> Settings. This can be done at any time. However, you have to verify your date of birth and have access to both the current and new email address.

In regards to players returning from hiatus post change, yes, that will be set up in a special way. Basically, the first that time they log in, it will prompt them and ask them to verify their identity via an email sent to their registered email address. If they do not have access to this email address anymore, they will have to contact our support to get it sorted out.

Cool just curious!!

thank you for letting us know, Krin

Thank you for alerting us, Krin!

Wouldn't an email be less secure against this sort of thing? I don't use the username Vin anywhere else, but I use the same email all over...

Link: https://www.sylestia.com/forums/?thread=95099&page=9#86 Author: Vin Time Posted: 12/15/2020 at 1:42 PM Wouldn't an email be less secure against this sort of thing? I don't use the username Vin anywhere else, but I use the same email all over...

The other protocols that I'm putting in place will prevent this style of intrusion moving forward.

Changing the login from your Username to Email will secure against direct 'in-house' intrusion attempts where anyone viewing Sylestia already knows half your login credentials.

Thanks for telling us this. I wonder if this is linked at all to that AJ security breach?

Alright - I have released the first pass of login/account security updates. Firstly, I have added the following Account Security Settings under Account -> Settings:



This new setting has replaced the existing IP Safeguard setting. The IP Safeguard is still active in the background with whatever settings you left it at, however, that will be phased out within a few weeks. It's just a matter of cleaning up the code and getting it out of the system.

This new setting has 4 options:

Safeguard Login Attempts Against: Unknown IP Addresses (Default Option)
Safeguard Login Attempts Against: Unknown Devices/Browsers
Safeguard Login Attempts Against: Every Login Attempt
Safeguard Login Attempts Against: None (Not Recommended)

When enabled for a selected option, any successful login attempt (meaning, someone logs in with the correct Username and Password) from an 'unknown' source will result in the following verification process:



This will also send an Email to your account's Registered Email address that will look something like this:



Simply follow the instructions from the prompts to authenticate your login attempt. Once successful, you will log into Sylestia like normal and the IP Address (if that safeguard is selected) or the Device/Browser (if that safeguard is selected) will be stored for 90 Days. After 90 Days, it will expire and you will need to re-authenticate from that location/device again. Please note, the Device/Browser safeguard relies on storing a cookie on that Browser. So if you don't save cookies, it will think you are logging in from a new Device every login attempt.

If you select the safeguard option for every login attempt, then, well, every login attempt will require the authentication verification. This is obviously the most secure option, but might not be suitable for everyone.

If you select no safeguard, there will never be a verification prompt and anyone who has your Username and Password can log in undeterred.


Additional Notes
So, just to reiterate, this is the first pass at improving account security. I have already started some additional security measures behind the scenes that will be fully implemented over the upcoming weeks/months.

At this point, everyone's account is automatically defaulted to the Safeguard against Unknown IP Addresses. Additionally, everyone's original registration IP Address as well as their last login IP Address were automatically saved as 'Known' IP Addresses for the next 90 days.

If you wish to change this Safeguard setting, just navigate to Account -> Settings and change to the desired setting.

When I have more time, I plan on expanding player customization for these security safeguards. This will include being able to see your currently saved 'Known' locations/devices as well as adjusting the expiration time (which at the moment is defaulted to 90 Days).


Overall, this was quite a chore to integrate into our existing login system. I tried to make sure everything is all synced up properly, but if I missed something and you do encounter any issues, please do not hesitate to let me know.

If you have any questions about anything regarding this update or future updates, please don't hesitate to ask.

thanks krin