Forum Index > News and Announcements > IMPORTANT: Account Security
Jadzhia
Level 74
Brosilla's Minion
Joined: 2/1/2013
Threads: 1
Posts: 43
Posted: 12/14/2020 at 2:47 AM Post #71
If the backup security option changes to something more secure than Date of Birth, either I'm not going to know it or Sylestia's not going to know it? D: What's more secure than Date of Birth? Isn't that the #3 most secure thing you're never supposed to give out?

Date of birth really isn't very secure. People inadvertently give it out on places like Facebook where there are phishing 'games' such as 'give the song that was number one the week you were born'. A lot of sites use date of birth in sign-up data; if they are hacked then those details can become available. Often details are sold on the Dark Web. For example, the Neopets hack, those details were sold on. These are ways prospective hackers can get hold of people's details. The purpose of most hacking is to gain access to account details so hackers can get money directly or sell things for money, or enable them to hack other sites for those things.

I'm glad Krin caught this early and no real damage was done.
Hmm
Level 56
Majestic Brewmaster
Joined: 11/18/2020
Threads: 0
Posts: 8
Posted: 12/14/2020 at 6:18 AM Post #72
Thank you so much for warning us Krin. I will probably change my password anyways just in case.
Racoonn
Level 39
Candy Dispenser
Joined: 10/6/2020
Threads: 17
Posts: 535
Posted: 12/14/2020 at 8:10 AM Post #73
Omg thank you for letting us know
Captharleyc
Level 75
Champion
Joined: 9/2/2015
Threads: 5
Posts: 788
Posted: 12/14/2020 at 8:42 AM Post #74
Thanks for the notice Krin, best go check which e-mail I selected.
Jemadar
Level 74
Grand Protector
Joined: 5/2/2019
Threads: 25
Posts: 689
Posted: 12/14/2020 at 9:40 AM Post #75
Link: https://www.sylestia.com/forums/?thread=95099&page=8#71
Author: Jadzhia
Time Posted: 12/14/2020 at 2:47 AM
If the backup security option changes to something more secure than Date of Birth, either I'm not going to know it or Sylestia's not going to know it? D: What's more secure than Date of Birth? Isn't that the #3 most secure thing you're never supposed to give out?

Date of birth really isn't very secure. People inadvertently give it out on places like Facebook where there are phishing 'games' such as 'give the song that was number one the week you were born'. A lot of sites use date of birth in sign-up data; if they are hacked then those details can become available. Often details are sold on the Dark Web. For example, the Neopets hack, those details were sold on. These are ways prospective hackers can get hold of people's details. The purpose of most hacking is to gain access to account details so hackers can get money directly or sell things for money, or enable them to hack other sites for those things.

I'm glad Krin caught this early and no real damage was done.


There's also the fact that DoB are also Finite. Yeah, there are a LOT of them, but for most pet sites you can fairly reasonably assume that many players are fairly young, as in 20s or younger. There are outliers, and sometimes it seems like a pet site has more, but in general, players on a petsite are fairly young.

That reduces the number of DoBs that a person has to 'guess'.

Then there is the fact that DoBs are generally 'frowned' upon being told to other people, but Ages generally tend to not be, and birthday threads.

I could tell you I am a certain age and that my Birthday is in a certain month. That would narrow down the choices by a LOOOT.

I believe I have seen a thread on Sylestia about birthdays and posting so people can wish you happy birthday. I know I have seen them on other sites. I have seen people put/tell general ages (I have as well) or even specific ages on various sites.

Birthdays are probably one of the *least* secure ways of securing an account, because people are often very 'loose' with that information, and it wouldn't take a lot of digging to uncover it for many players. Add in sites like Facebook that ask for Birthdays, then turn around and notify all your friends of your birthday, and it gets even easier, especially if the person uses FB for gaming purposes, and needs lots of friends. They might not be as hesitant to add a complete stranger, as they would assume it is for a game. Then you have many sites that want to 'link' to Facebook to make it easier to log in, or the people who want to connect on Facebook as ways to chat that aren't bound under various site rules and it can just get to be a mess.
Lunadove
Level 70
The Sweet Tooth
Joined: 9/7/2020
Threads: 174
Posts: 1,865
Posted: 12/14/2020 at 11:36 AM Post #76
That is very creepy!
Jackdawjames
Level 75
The Sweet Tooth
Joined: 12/23/2019
Threads: 4
Posts: 56
Posted: 12/14/2020 at 12:29 PM Post #77
Tysm Krin!
Krinadon
Level 75
Shadow of the Moon
Site Administrator
Joined: 12/17/2012
Threads: 1,194
Posts: 15,118
Posted: 12/14/2020 at 2:33 PM Post #78
Link: https://www.sylestia.com/forums/?thread=95099&page=7#70
Author: Varyntha
Time Posted: 12/14/2020 at 12:40 AM
Thank you for your constant vigilance, Krin! :D

My concerns for the projected changes are:


1. Can we use a unique log-in "name" that cannot match our username instead of our email addresses? One that we can create ourselves? I already have so much trouble signing in that it impedes my use of the site a significant amount and having to sign in using my email address would make it even more difficult and tedious (I have already almost completely stopped using all of the other sites that require email address sign-in because of this). I have seen some sites use a separate login account name that no one else ever sees, kind of like a second password, and it seems to have been very effective. :) -Or possibly even just requiring two passwords that can't be the same may be effective. :D

3. Do mobile devices have IP Addresses that would need to be whitelisted?

4. If the backup security option changes to something more secure than Date of Birth, either I'm not going to know it or Sylestia's not going to know it? D: What's more secure than Date of Birth? Isn't that the #3 most secure thing you're never supposed to give out? D.D (The irony that almost every site that has membership requires such intimate PII is not lost on me...)


All of these may be highly limited issues, but if they aren't voiced, they have no chance to be addressed, right? :D ^_^


For #1, that is a potential option. The problem though is I would bet the vast majority of people would just end up using the same Login ID as their Display Name. I would also have an issue of requiring unique Login IDs and I am sure a LOT of people will have very simple Login IDs - like "catlover". I really don't think allowing Login IDs and a separate Display Name would end up creating much of a security benefit for the vast, vast majority of accounts.

That's ultimately the issue here - this "breach" wasn't really anything on Sylestia's end. The breaching was happening because so many accounts utilize poor Username/Password use on their end allowing someone to pull data from actual breached Sites and just trying that same data against our database phishing for matches.

Email Addresses are already required to play Sylestia and I have no intention of changing that. An Email Address or a Phone Number are really the best ways to 'secure' an account while also providing proof of identity (on our end). And I would imagine 9/10 would-be Sylestia players would prefer to fork over an Email Address when registering an account for the first time over their personal Phone Number.

So I truly think Email Address-based security is the overall best fitting model for Sylestia. We aren't a bank. But we also aren't just simply a chat site. We are somewhere in between. So we need a little bit of security to ensure accounts are easily identified (on our end) and that players feel that their account is secured. However, we can't really become super burdensome on security because it will probably turn a lot of potential players away because they won't want to bother with it.

Security is always a balancing act. The more secure you make something, the more cumbersome it is to use.


I am still working my way through the details. The final systems will be a bit different than my original announcement as I come up with other ideas, run into potential complications, etc.

But I think Email Address makes it easy for players to remember. It's generally pretty unique and hard to guess. It's already required to create an account so it has to be a valid Email Address. It's not visible anywhere on the Site. And the Email Address will be required for players to have access to if they have trouble logging into their account. So, IMO, it checks all of the boxes.

Security is generally always about layers. Atm, Sylestia doesn't have hardly any layers. I am working on adding a few layers and I am confident that when I finish, it will make accounts secure in 99.999% of scenarios. So even if you don't think using your Email Address is totally secure, that is just simply one of the ultimate layers. You will also have your password. You will also have some new security checks that will require verification upon suspected intrusion. And you will probably also have an account PIN requirement. Each of these will be an added layer and the odds of a would-be intruder getting past every single layer will be exceptionally slim (assuming you aren't just sharing all of the information with someone else). And ultimately, that's the real goal.
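
The pattern described in the post above (credentials from other sites' breaches replayed against the login form) looks different in login logs from a player mistyping their own password: one source touches many distinct accounts in a short window. The sketch below is an added example, not part of the original thread or Sylestia's code; the log format, thresholds, function names and sample lines are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "timestamp ip account result".
# IPs are from documentation ranges; account names are made up.
SAMPLE_LOG = """\
2020-12-13T03:00:01 203.0.113.7 catlover FAIL
2020-12-13T03:00:02 203.0.113.7 dragonfan FAIL
2020-12-13T03:00:03 203.0.113.7 moonpetal FAIL
2020-12-13T03:00:04 203.0.113.7 starwolf OK
2020-12-13T03:00:05 203.0.113.7 riverfox FAIL
2020-12-13T09:15:00 198.51.100.20 catlover FAIL
2020-12-13T09:15:20 198.51.100.20 catlover FAIL
2020-12-13T09:15:45 198.51.100.20 catlover OK
"""

def parse(line):
    """Split one log line into (datetime, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=3):
    """Return (suspect_ips, accounts_to_verify).

    An IP is suspect once it has attempted logins on at least
    `min_accounts` distinct accounts within `window`. Any account that
    IP logged into successfully anywhere in this log is returned so it
    can be put through an extra verification step.
    """
    recent = defaultdict(deque)    # ip -> (ts, account) attempts inside the window
    successes = defaultdict(set)   # ip -> accounts with a successful login
    suspect_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse(line)
        attempts = recent[ip]
        attempts.append((ts, account))
        while ts - attempts[0][0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len({acct for _, acct in attempts}) >= min_accounts:
            suspect_ips.add(ip)
        if result == "OK":
            successes[ip].add(account)
    to_verify = set()
    for ip in suspect_ips:
        to_verify |= successes[ip]
    return suspect_ips, to_verify

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The second source in the sample fails twice and then succeeds on a single account, which is the ordinary forgotten-password shape and is not flagged.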
Sarikunezume
Level 64
Candy Dispenser
Joined: 1/10/2020
Threads: 1
Posts: 11
Posted: 12/14/2020 at 4:17 PM Post #79
What about custom security questions? Instead of having preset questions like 'What is your pet's name?' users could enter their own unique questions. It could lead to questions that are confusing to intruders, like 'How many [noun]s are there?' or 'What color is the 3rd [noun]?'. The correct answer would depend on the context that the user had in mind when they created the question.
Katelynn4545
Level 71
The Artistic
Joined: 5/24/2015
Threads: 348
Posts: 17,590
Posted: 12/14/2020 at 4:55 PM Post #80
I'm cool with the email address idea; it's long and lengthy, but you can always set it up to auto punch on personal devices, which is what most folks use. What I'm worried about is not knowing what I used XP. Is there a way to change that in settings? And if so, could other players that haven't lived in for a while and came back from hiatus have an option to use their UN for the first sign in before switching to email? Just fear it may cause a lot of unnecessary double accounts.