Ryzom

Our forum names are our account logins why? That's an easy way for a hacker to bypass the biggest part of hacking an account, without our login they can not try and guess the password. Now all they have to do is browse the forum, pick an account and start guessing.

I didn't even want to post here because of it, I've seen it happen with other game's that did this, people on the forums being hacked all the time so they would have to change the system, but I had a tech problem so took a chance.

Just change it ASAP, set up an alias system like what Anarchy Online has for their forums, very easy to do. It's not too big of an issue as you actually required people to come up with good passwords that wont easily be guessed, but better safe then sorry. Hopefully you also have a system in place that stops IPs from accessing the game if they enter too many wrong passwords in a short ammount of time.

I've complained about this a few times already, these boards really are a very amateuristic setup and I too am thinking about no longer to visit these boards for that very reason.

Why use secure https for the game registration when one a few minutes later needs to enter the same username and password into a completely insecure forum. Username and password get transferred to the forum software unencrypted and thus could get picked up at every Internet hop, easily reveiling real name and address via the user profile.

This forum setup is an invitation to hackers to screw up a number of accounts.

Login information on a non HTTPS (no ssl certificate here on forums) does pass your information across in plain text, also, this is a PHP module.

Although I doubt you will see a change in how they do the forums, maybe they will use a verisign certificate and atleast secure the login itself, which is possible, and not have to SSL the entire forum site.

BUT it would take a hacker to put s niffer against the ryzom.com IP and then make sense of the packets.

Its easily fixed, if they decide to spend the $200 for the ssl certificate.

They don't need SSL sertificates - gremlins are protecting the user information 24/7...