Mod_Stevew


26 Jul

Comment

Originally posted by Adwaam

Out of interest, how come it can't be chosen at account creation?

The name has been used in the past, and then sat on a dormant account; it was then freed up in a large name release. To reduce the chances of bots and mass-created accounts 'sniping' these freed-up names for hoarding or sale, they were restricted to name change only and not account creation.

Comment

Originally posted by elempiar

Hey, quick question.

I wanted to use the name "Coole Pinda", for an Ironman, which is the Dutch translation for "Goofy Goober" from the Spongebob Movie, but it says the name is rejected.

I can't see anything offensive in it? The literal translation from Dutch would be "Cool Peanut". Is there any chance I could get that name? Or at least a reasoning as to why this isn't allowed?

That name is fine, you can change your current name to it, but it can't be chosen for a new account at creation

Comment

Can you private message me your acc details, the name has been on so many accounts and moved about so much it's hard to clearly identify who you are - thanks.


19 Jul

Comment

Originally posted by Shatterzzz

Hey mod steven I sent the report to a [email protected] but I will send you the in game info. I haven't seen him on in the past few days so it's worrisome.

OK thanks for the good intent, that email address is for the Police to contact us, to put your mind at rest we have already dealt with this though. For future reference you can report incidents in game to flag it to us, or if you feel there is a very real and imminent danger then obviously just phone your local Police (who in turn can contact us 24/7 if they need to).


18 Jul

Comment

This incident wasn't reported in game and we have not been contacted by the Police about it - we do think we have identified the account so we will carry out a due diligence check and will arrange intervention if appropriate.


27 Jun

Comment

Originally posted by KosmosxD

Isn't having email notifications about account changes just going to give phishing scammers a new base for getting people's information?

That is true, it's not a reason to not do it ... but it does appear under the 'cons' list for this approach.

Comment

Originally posted by jenniferflowercat

What is being done about RWT, gold farming, and gold selling? The reason why people are getting hacked/scammed/recovered so often is because their in game items have real life value that can currently be relatively easily transferred or sold... Are there plans on making stricter rules/bans for people who buy gold from shady websites? I know of several people who have bought/sold gold in the past but never had any consequences to their accounts

We share your frustration, it's hard to see how we could be 'stricter' than permanently banning people though? RWT is a complex problem; what I can say is that although it is not directly related to this blog, our team do ban about 6 million accounts a year for this sort of rule breaking, and they are continually looking at ways to deal with RWT.

Comment

Originally posted by taken_the_easy_way

So does this mean we will now have Case Sensitive passwords and passwords longer than 20 characters?

Jagex mods won’t see this but a suggestion. For every new login from a new IP or device maybe make us require the usual 2FA code and then like confirm it through email for example; if you get email saying “you attempted to log into a new IP(show location and device) if this is you please confirm by clicking this link” and if it’s not you just say you can ignore the email and secure your account. You only have to confirm the IP once and we can go into our account settings to remove any device/IP so we can 2FA/confirm by link in email again. The email authorizing link should also have a set time where it expires like in an hour or 24 hours.

Basically authorizing our login through email even with the 2FA code. So even if email is compromised they would still need the 2FA code (Google Auth and hopefully Phone Number SMS) as well as get notifications of login attempt...

Thanks for the feedback, it does sound like you would introduce a lot of friction into the log in flow, especially as IP changes regularly, especially for VPN users. Your process does also rely on Auth set in the first place, which we know currently only covers about half of all accounts. That said, it's not my intention to dismiss your suggestion, in fact the complete opposite, it has been captured in our feedback - thanks!


26 Jun

Comment

Originally posted by MelbCentralIsLeaking

Don't ignore my comment 'cause I'm 18 hrs late!

example scam email pic

RE: Sending players emails. I get one of these scam emails 3 times a week. I know it's a scam because:

a) it doesn't use my player name
b) Jagex only contacts us thru the player inbox aside from password resets.
c) hovering over the link reveals it to be a phishing website.

You can also see the email address has been spoofed to be IDENTICAL to the jagex one.

If Jagex start sending emails to players which may include actions, how will anyone be able to tell what is and isn't fake anymore? And I'll admit, the first time I saw this one, I panicked and almost submitted my details.

That phishing email is widely known about, in fact it is the very first example we provide in our suspicious emails advice article.

You are spot on that not having a personalised greeting and the link pointing to a phishing site are clear giveaways that it is not from us, but I also accept we could do more to educate people about phishing so they are not deceived. It's also true that genuine notifications from us could be confused with phishing attempts, that isn't a reason to not do it, but it does also mean we need to carefully consider our messaging and raise awareness of how to spot phishing.

I'll make sure you...
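
The giveaways discussed in this exchange (no personalised greeting, a link whose real target is not an official site, and a sender address that looks identical to the genuine one), written as an automated check. This is an added example, not part of the thread and not Jagex's code; the domain allowlist, the player name and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this sketch: domains treated as official (not taken from the thread).
OFFICIAL_DOMAINS = ("jagex.com", "runescape.com")

class _Hrefs(HTMLParser):
    """Collect the real link targets, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_official(host):
    # Exact or dot-boundary suffix match; a substring test would wrongly
    # accept "runescape.com.account-check.example".
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def phishing_signals(raw_email, player_name):
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    parser = _Hrefs()
    parser.feed(body)
    signals = set()
    if player_name.lower() not in body.lower():
        signals.add("no_personal_greeting")
    web = [h for h in parser.hrefs if urlsplit(h).scheme in ("http", "https")]
    if any(not is_official(urlsplit(h).hostname) for h in web):
        signals.add("link_off_domain")
        sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
        if is_official(sender):  # the From header is display text and can be forged
            signals.add("official_sender_but_foreign_link")
    return sorted(signals)

# Constructed sample messages (not real emails).
PHISH = ("From: Jagex <noreply@jagex.com>\n"
         "Subject: Your email address has been changed\n"
         "Content-Type: text/html\n\n"
         '<p>Dear player,</p><p><a href="http://secure.runescape.com.'
         'account-check.example/cancel">Cancel this change</a></p>\n')
GENUINE = ("From: Jagex <noreply@jagex.com>\n"
           "Content-Type: text/html\n\n"
           '<p>Hello ExamplePlayer,</p>'
           '<p><a href="https://www.runescape.com/account_settings">Settings</a></p>\n')
```

An empty result only means none of these three giveaways fired; the sender check shows why an official-looking From address on its own proves nothing.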

Comment

Originally posted by Velluu

Allow us to scan our personal ID card / driver's license to our account info page (unable for us to see after it's uploaded). If we ever lose access to our account because of a forgotten password then ASK US TO SEND A PICTURE OF OUR ID CARD / DRIVER'S LICENSE. Don't let anyone recover accounts without it. Or allow us to authenticate ourselves with a real-life bank credentials.

People spend thousands of hours playing this game. To me my account is worth thousands of hours that I can't get back if it ever gets hacked (a BTW). Allow us to take this seriously.

Thanks for your feedback, we have discussed real life ID options and we are open to looking at all solutions. It does present a couple of significant challenges. Firstly, obtaining, processing and storing that volume of personal data does have huge data privacy implications, and secondly, many of our users may not have ID they can provide. It's a sensible suggestion of course, and is used by other companies - but is certainly not a straightforward solution that would work for everyone all of the time.

Comment

Originally posted by DroolingLiver

I just found an email from sunday in my spam folder saying it changed my email address. I have an authenticator and a PIN on my bank account. I never check my spam. And yes it was from @a.runescape.
How the hell did this happen? I cancelled the email change but I still can't log in anymore?!?!

That sounds like a phishing email, the way you have described it is exactly like the first example we provide in our suspicious emails article. Please set a new password for your acc ASAP


25 Jun

Comment

Originally posted by CodyNorthrup

Thank you so much for the response Stew, I sent you my RSN in a chat message! I will preach Jagex Support from the mountain tops if you are able to recover my account!

OK got it, your account has been hijacked in the past and banned, we've reviewed that appeal and removed the ban so you could play on. Since then, you've been hijacked and banned AGAIN - I've asked a security specialist to review your account, there's a good chance they will help you out and get you back in game, but if they do you really do need to up your account security to stop this happening over and over. Make sure your email is secure and apply 2fa to it, set a new pass and enable Auth!

Comment

Originally posted by ravenous_badgers

My big question about passwords that’s not answered here:

Will it be able to tell the difference between lower and upper case letters? The fact that I can type my password with either and it works both ways terrifies me, possibly more than it should, but it’s always struck me as weird. I’m sure there’s some reason why it’s there (there’s always old code that’s hard to fix), but it’s still troubling.

Although it is still work in progress, one aim is for case differentiation to be an element of the changes which will then allow more complex passwords to be set.

Comment

Originally posted by Sanctitty

What about a 60 days recovery master password that I can set? It would take 60 days for master password to set in place. Only time u enter it is to recover your account. It'll give legit account owners access to their account on demand. Warning u 60 days counting down on logon that it is gonna be placed in case u did get hijacked. It'll also take 60 days to remove it if u forgot the password with recoveries while giving u an ingame notification about it being removed. U can add this to different increment of time from 60 days to 90, 120 plus. Less than 60 is too easy for hackers to own the account.

Thanks for the feedback, my initial thought is that if people forget their current password, they would also forget their 'master password' - and in that scenario you would still need a route round it. Your feedback has been noted though, as we said in the blog 'we haven’t ruled anything out just yet' - so do keep the suggestions coming!

Comment

Originally posted by BasicFail

I also think that re-introducing security questions could be a good thing. Granted, it isn't perfect, but does it have to be?

A lot of people seem to get hijacked through their email. Jagex doesn't ask anything other than having access to it. Jagex could ask to answer a security question before sending the email.
Many services still use recovery questions. There has to be a reason why. Most seem to use them in the way I described, but I could be wrong.

As for the previously mentioned problems, there has to be a way to mitigate most of that, right? Jagex could allow us to change them when our account has been in "good standing" for 12+ months. Or when Jagex determined that an account has been hijacked.

Just a thought...

All good points, feedback will really help us make informed decisions moving forwards so thanks for your comments.

Comment

Originally posted by [deleted]

[deleted]

There are no plans to charge for any additional security, we want accounts to be secure, there won't be a 'paid security feature'. In terms of smart phones, although you don't have one, many people do - 2fa really does make a lot of sense and is widely accepted as a 'norm' for online security. Our Auth is also available to people who don't have a smart phone, I'll admit it is a slightly more clunky set up than with a smart phone, but it does at least allow everyone access to the benefits of 2fa.

Comment

Originally posted by DuneHburst

Adding authentication to the website is a HUGE step forward in account security. All of these upcoming changes seem great. Keep up the good and hard work Jagex.

Thanks for your comments, I'll make sure the team working on web auth know their efforts are appreciated.

Comment

Originally posted by naringsliv

Thank god for 2FA on the website "coming soon." My main support of authenticator delay was because there was no support for 2FA on the website (potentially explicitly against? I don't remember).

Considering you can access account settings (including change password and authentication -- I know these require interacting with an email), and through the website you can access subscription information, which is a recovery detail, this should have been a no-brainer when implementing 2FA.

Thanks for your response. Any subscription info you can obtain through account settings would be of very very little use in a recovery attempt (for example the password you used to actually access the account settings in the first place would carry more weight), but I don't wish to detract from your key point of support for auth on web log in - which you rightly identify as a necessary security measure.

Comment

Originally posted by ChaoMing

Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please setup 2FA as soon as possible!

I'm curious how much of that "50% without 2FA" statistic are bots and how badly the number is skewed because of it.

I'll check that out - we've used the word 'active' so that usually means playing regularly over a set period, which wouldn't include bots as most are removed within their first session - I'll double check though. That said, even if it includes bots, it won't skew the figures that much, I would estimate single digits at most

Comment

Originally posted by Who_is_pancakez

What's the email address from a jagex email? I know people can modify what their email looks like, it's easy to spot the fakes, but I just honestly never open emails from anything jagex related because you guys used to say "we'll never email you"

This article has all our official contact emails and a few tips on how to spot phishing emails.