Old School Runescape

Old School Runescape Dev Tracker

27 Jun


Originally posted by CogMonocle

I'm impressed that managed to pray range on exactly the tick that mattered, and at no other time

Old man panic tbh.


Originally posted by tbow_is_op

this isnt their post, its from the osrs facebook

Ah. Thanks for letting me know - think I've found the post, and will follow up there.

Apparently I need more caffeine.


This absolutely brightened my morning.

Would love to send you both some concept art (perhaps your son will appreciate it when he's a little older) - please DM me and I'll sort that out for you.

26 Jun


They stole the rugs and dyed them. Truly the most evil thing they could do!


Originally posted by DixonCidarMouth

when can we expect the Arceuus Spellbook teleports implemented into the Portal Nexus?

Not you again.


Originally posted by [deleted]


Behave yourself mum.


Originally posted by PiggyPepper

You’re breathtaking

No, you're breathtaking!


Originally posted by MelbCentralIsLeaking

Don't ignore my comment cause im 18 hrs late!

example scam email pic

RE: Sending players emails .I get one of these scam emails 3 times a week. I know its a scam becausea) it doesn't use my player nameb) Jagex only contacts us thru the player inbox aside from password resets.c) hovering over the link reveals it to be a phishing website.

You can also see the email address has been spoofed to be IDENTICAL to the jagex one.

If Jagex start sending emails to players which may include actions, how will anyone be able to tell what is and isn't fake anymore? And I'll admit, the first time I saw this one, I panicked and almost submitted my details.

That phishing email is widely known about, in fact it is the very first example we provide in our suspicious emails advice article.

You are spot on that not having a personalised greeting and the link pointing to a phishing site are clear giveaways that it is not from us, but I also accept we could do more to educate people about phishing so they are not deceived. It's also true that genuine notifications from us could be confused with phishing attempts, that isn't a reason to not do it, but it does also mean we need to carefully consider our messaging and raise awareness of how to spot phishing.

I'll make sure you...

Read more

Originally posted by Velluu

Allow us to scan our personal ID card / driver's license to our account info page (unable for us to see after it's uploaded). If we ever lose access to our account because of a forgotten password then ASK US TO SEND A PICTURE OF OUR ID CARD / DRIVER'S LICENSE. Don't let anyone recover accounts without it. Or allow us to authenticate ourselves with a real-life bank credentials.

People spend thousands of hours playing this game. To me my account is worth thousands of hours that I can't get back if it ever gets hacked (a BTW). Allow us to take this seriously.

Thanks for your feedback, we have discussed real life ID options and we are open to looking at all solutions. It does present a couple of significant challenges. Firstly obtaining, processing and storing that volume of personal data does have huge data privacy implications and secondly many of our users may not have ID they can provide. It's a sensible suggestion of course, and is used by other companies - but is certainly not a straight forward solution that would work for everyone all of the time.


Originally posted by DroolingLiver

I just found an email from sunday in my spam folder saying it changed my email address. I have an authenticator and a PIN on my bank account. I never check my spam. And yes it was from @a.runescape.
How the hell did this happen? I cancelled the email change but I still can't log in anymore?!?!

That sounds like a phishing email, the way you have described it is exactly like the first example we provide in our suspicious emails article. Please set a new password for your acc ASAP

25 Jun


Originally posted by Sanctitty

What about a 60days recovery master password that i can set? It wiuld take 60days for master password to set in place. Only time u enter it is to recover your account. Itll give legit account owners access to their account on demand. Warning u 60days counting down on logon that it is gonna be placed incase u did get hijacked. Itll also take 60days to remove it if u forgot the password with recoveries while giving u an ingame notification about it being removed. U can add this to different increment of time from 60days to 90,120 plus. Less then 60 is too easy for hackers to own the account.

Thanks for the feedback, my initial thought is that if people forget their current password, they would also forget their 'master password'- and in that scenario you would still need a route round it. Your feedback has been noted though, as we said in the blog 'we haven’t ruled anything out just yet' - so do keep the suggestions coming!


Originally posted by BasicFail

I also think that re-introducing security questions could be a good thing. Granted, it isn't perfect, but does it have to be?

A lot of people seem to get hijacked through their email. Jagex doesn't ask anything other than having access to it. Jagex could ask to answer a security question before sending the email.
Many services still use recovery questions. There has to be a reason why. Most seem to use them in the way I described, but I could be wrong.

As for the previously mentioned problems, there has to be a way to mitigate most of that, right? Jagex could allow us to change them when our account has been in "good standing" for 12+ months. Or when Jagex determined that an account has been hijacked.

Just a thought...

All good points, feedback will really help us make informed decisions moving forwards so thanks for your comments.


Originally posted by [deleted]


There are no plans to charge for any additional security, we want accounts to be secure, there won't be a 'paid security feature'. In terms of smart phones, although you don't have one, many people do - 2fa really does make a lot of sense and is widely accepted as a 'norm' for online security. Our Auth is also available to people who don't have a smart phone, I'll admit it is a slightly more clunky set up than with a smart phone, but it does at least allow everyone access to the benefits of 2fa.


Originally posted by DuneHburst

Adding authentication to the website is a HUGE step forward in account security. All of these upcoming changes seem great. Keep up the good and hard work Jagex.

Thanks for your comments, I'll make sure the team working on web auth know their efforts are appreciated.


Originally posted by naringsliv

Thank god for 2FA on the website "coming soon." My main support of authenticator delay was because there was no support for 2FA on the website (potentially explicitly against? I don't remember).

Considering you can access account settings (including change password and authentication -- I know these require interacting with an email), and through the website you can access subscription information, which is a recovery detail, this should have been a no-brainer when implementing 2FA.

Thanks for your response. Any subscription info you can obtain through account settings would be of very very little use in a recovery attempt (for example the password you used to actually access the account settings in the first place would carry more weight), but I don't wish to detract from your key point of support for auth on web log in - which you rightly identify as a necessary security measure.


Originally posted by ChaoMing

Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please setup 2FA as soon as possible!

I'm curious how much of that "50% without 2FA" statistic are bots and how badly the number is skewed because of it.

I'll check that out - we've used the word 'active' so that usually means playing regularly over a set period, which wouldn't include bots as most are removed within their first session - I'll double check though. That said, even if it includes bots, it won't skew the figures that much, I would estimate single digits at most


Originally posted by Who_is_pancakez

What's the email address from a jagex email? I know people can modify what their email looks like, it's easy to spot the fakes, but I just honestly never open emails from anything jagex related because you guys used to say "we'll never email you"

This article has all our official contact emails and a few tips on how to spot phishing emails.


Originally posted by [deleted]


We can't share the details, but all the required security procedures are in place.

Other sites