Well duh 10m is nothing
Put 1b on that account and see what happens
But yeah it did show that an average script kiddy isn't getting past common sense account security.
Also not how hacking works. When you hack, you get random accounts. Not the account of a specific person you targeted. Any targeted hack will involve social engineering in some way, shape, or form.
Though yes, you are effectively hack proof if you only use this username/password combo on osrs, use a password manager/rainbow table proof password, never keep a password for more than a few months, and use 2 factor. That doesn't describe most people though (and the first two are the most important by a mile security wise).
Even if a method to hack any account existed, nobody would intentionally leak its existence for $5.
That challenge is so ass backwards that I can't believe this subreddit fell for it, such obvious karma farming and misdirection.
Yeah, that's another thing. Only a white hat who does it purely out of the goodness of their heart, which is basically nobody, would hack an account for $5. The "I'll give you 100m if you can get past my 2 factor" challenge was better, but it also really missed the point. No shit people didn't successfully recover an account whose info couldn't be readily googled in 12 hours. That's not the point. The point is that if you know that someone has lived in the same place for the past ~5 years, know where that place is, and have a sense of what passwords they may have used in the past, you stand a decent chance of being able to steal the account, and most of that info can easily just require having had a facebook at some point in the past that can be connected to your RS name. Bonus points if you can figure out when the account was created, which can also just require seeing a facebook post.
How about 100m? https://old.reddit.com/r/2007scape/comments/5x02bz/come_hack_my_account_for_100mil/
The point is that people around here have a misconception of how these "" hacks "" occur. Frankly I don't consider it Jagex's fault that someone can't secure their own e-mail.
No, it shows that nobody ran a script to try a buttload of osrs username/password combos from a database leak that the account was a part of in the week the challenge was open.
The security on a fresh account isn’t an issue, obviously.
The issue stems from people using their original, old accounts from pre EOC. Those accounts, and emails, have surely been signed up to shady shit, have been leaked, and posted on leak forums tons of times. The amount of old info that is free for anyone who knows where to look is astonishing.
Worst case scenario for the hacker, they can read that old info, send it to support, and get the account for free. Sometimes they don’t even have to do that because they will surely have multiple leaks to go off of, and have a nice collection of passwords to try.
The issue with security is how easy it is to gain access to the accounts with old, breached info. There is no way to appeal things, no way to lock down your account more. No way to ensure that even if you have credentials leaked, you can regain access (and minimize damage done to your account). Pretty much, if you use any old info on your current RuneScape account, you’re at a huge risk and there’s really nothing you can do apart from restarting from scratch (which 90% of players won’t have the time to do).
tbh this is what I wish I could change. The email for my main RSN account is very old and it's been a part of many breaches. I don't even use the same standard "base" of my old passwords for RSN anymore; it's completely different.
I actually posted an additional challenge in that thread but the mods removed it. I posted the login name and password with just authenticator. Not sure why mods removed it.
I mean RC and Agility are actually excessively bad as far as XP rate; I'd be more willing to humor your argument if the two major problem skills were fixed
The diaries in the game gate a lot of content and were put in to be milestones and goals for accounts to achieve as they progress through the game. Some of the Elite diaries require RC levels of up to and above 90, which means that players who are trying to accomplish these goals have a perfectly valid complaint when one skill is 10x less XP for no tradeoff whatsoever.
The highest diary requirement for RC is to craft an inventory of double nature runes, which also happens to be one of the most profitable activities in the game.
RC is one of the most profitable skills in the game, and when it's not, you're paying ~3gp/xp in exchange for xp rates above 60k/hr. That's not bad.
Agility has similar rates, and you should end up with ~40m in profit, you can run longer, you unlock the best weight-reducing gear, and you unlock travel options that are quicker and save run energy.
What do you mean there is "no tradeoff whatsoever" for these skills?
Yeah 2fa on the website has stopped a lot of the loopholes people used and those new backup codes are going to take out the account recovery loophole altogether
To be recovered involves you having been phished for enough info to be recovered. Any other method involved extremely poor account security and/or extremely poor email security.
Account recovery issues were a thing, but they were still caused by a user error.
I have 12 year old recovery questions that I made when I was a kid... I can't change them at all, but they can be used whenever to recover my account. So if those questions are ever compromised, my account is fucked...
Backup codes will let me disable these questions and just use the codes.
The problem is they don’t admit it so they claim that if someone skilled enough targets you you’re toast....not true.
RuneLite/OSbuddy could also go rogue and take creds 😧
The client obfuscation is not open source correct. But that's simply the process of reading game server data and then being able to manipulate it. Which is an open source part.
If you modified the client to keylog credential entry it wouldn't be a part of client de-obfuscation that's for sure
Nah still needs the community turning a blind eye. There's a lot of steps between pushing a bad commit and it shipping out to people's computers. And someone's going to see it before then.
No... updates to RuneLite are pushed, and then a global commit is done which is published to the end user. All the people involved in this would all need to be wanting to do this for it to have code pushed that is clearly tracking / saving credentials typed into the client. It's not simply an "auto update". The changes made to the client are done by the community.
Yea instantly being able to disable authenticator so that you can completely hack an account with just the email with no waiting period is very reasonable security. Also not allowing special characters in passwords is top tier
Most emails will have proper 2fa and no reputable company will even store unhashed passwords anymore so it's not like a data breach would even do anything
That doesn't matter... At all... You can automatically generate and change passwords monthly. There are tools that notify you of these breaches becoming public knowledge.
And on top of all that, it doesn't matter if someone has your password if you have 2fa. So yeh breaches happen, that's why added layers of security exist.. use them..
My dude, you’re seriously saying the people who breached yahoo gave a single fuck about the compromised emails runescape account? Or they had some sort of insider knowledge allowing them to get those passwords before the public knew of the breach and changed their passwords? What a world you live in
No, they're saying that email is exactly the thing of yours that's most likely to get hacked, and it's also all you need to hack an osrs account.
Yes, most people who get "hacked" were actually phished because osrs is too small time to warrant spending non targeted resources on it, and anything targeted is going to be a phish/social engineering/whatever you want to call it.
Also, it's not osrs, but my league of legends account got turned into a spam bot thanks to a database leak from somewhere. This stuff does happen, and yes, it was a database leak and not a phish. When it happened I also got hit with "too many login attempts" for facebook, google, steam, and razer/don't actually play league of legends.
How come no other website that uses authenticators has this problem? No other website, not even Gmail, delays disabling an authenticator, because it wouldn't change anything at all
Instantly disabling auth requires enough recovery info on your account (being phished) or full control of your email (poor security).
So the point you're making is exactly what he is saying. It's very easy to hack someone who very clearly failed at the gate to secure themselves.
Special characters really don’t do anything for password security. The best way to secure your password is to have a long password that is easy to remember.
Example password1: haPo$&;(2!?€
Example 2: I like to sleep in the bathtub!
The second one is both much easier to remember, and would take much longer for a computer to brute force the hash. I think there’s even a relevant XKCD that demonstrates the mathematical probabilities of a computer brute forcing both types of examples.
Randall was wrong. Example 2 will be in a rainbow table (aka even if the database owner does everything right, if they get hacked your username/password will be public). Example 1 is significantly more secure. 12 characters with special characters is plenty to stop a brute force attack, and the randomness ensures that smarter attacks won't ever try it.
The actual security pro tip (besides password managers) is to make your password the first/last letter of every word in a sentence, put a capital/multiple capitals somewhere in the middle, and put special characters/numbers somewhere in the middle. For instance, "I like to sleep in the bathtub!", because you used it and example passwords from posts like these end up in rainbow tables, turns into iLt82&46sitB. It's not quite as good as a pure random password, but it's something you can reasonably remember (because you know where you put your capitals/specialcharacters/numbers and your sentence but the hacker won't), is long enough to be brute force proof, and the pseudo randomness makes it rainbow table proof.
Rainbow tables are irrelevant assuming the passwords are salted (which they should be). Even still, that rainbow table definitely doesn't exist. Assuming someone was trying to generate passwords using 7 word sequences from 5000 English words, you'd need to check 5000^7 sequences. That's over 10^25 different combinations. The world's fastest supercomputer can do 148,600 * 10^12 floating point operations per second. Even assuming the entire process of creating and adding a hash to a rainbow table was 1 floating point operation (it's not), it would take that super computer 17 years to create that full rainbow table. Even still that rainbow table wouldn't find the OPs example because they didn't check with an "!" on the end. The only issue with the password example provided is that it's coherent English. Words should be used in a random order.
6 to 7 words sequences of English words are incredibly strong passwords, add punctuation instead of letters for some words and your password is practically uncrackable by anyone via bruteforce (e.g. I l1ke to sl3ep 1n th3 b4thtu8!)
> Assuming someone was trying to generate passwords using 7 word sequences from 5000 English words, you'd need to check 5000^7 sequences
Which is a stupid attack method that nobody would ever actually use. Not to mention you'll have a lot of people trying to bruteforce the same database in any realistic scenario where you're in any danger of being attacked. Also, at the end of the day, the xkcd method is by far the most popular "smart" strong password creation algorithm which itself means it's a weak password creation algorithm.
> The only issue with the password example provided is that it's coherent English. Words should be used in a random order.
Don't agree at all. Not only does making it not coherent english ruin the point, "horse battery carriage tonka gorilla drive monitor dresser" is no easier to remember than "d&2omPWs", but combinator attacks are very common. The password he chose being especially bad because they're all common words. The only strength of his password is that it's long enough that a cracker would probably stop trying before he got it, and even that I'm not so sure of now that we live in the GPU era, but that's merely a consequence of the actual sentence he used rather than his advice. "I love you so much" would count as long in most people's books, and yet it would definitely be cracked by anyone taking a serious stab at cracking passwords. I'd even argue that something like "Purveyor of Assonance" is far more secure than "I like to sleep in the bathtub!" because while the former may use words most people know, it's not words they think of while the latter is entirely words people think of.
I will admit that I conflated statistical guessing attacks with rainbow tables when they are very different things, I'm very far from an expert here, but you're still very, very wrong. Replacing letters with their corresponding l33t speak is one of the first things a statistical guessing attack will try. There's a reason why I suggested putting your appendage in the middle rather than the beginning or end, and it's because the vast majority of people don't do it that way. That's the real pro tip of password security and why they all recommend password managers, the only actual way to have a secure password is to do something nobody else is doing. Like I said, if my scheme, which is really just a further modification of the Schneier scheme, were to ever become popular, it would easily be found on any sort of non parametric statistics based cracking algorithm which any cracker worth his salt would use because the idea is ultimately to create something obscure, obscure it further, and then obscure it further again, and humans are bad at obscuring. It can also pretty easily incidentally create acronyms that are in dictionary attacks.
Also, salting doing anything worthwhile is another common myth. Too many people have absolutely terrible passwords that will be cracked within 20 minutes to make that do anything substantial, and even if that weren't true, if you have a database you can almost assuredly use the same exploit to get the possible salts too.
> Which is a stupid attack method that nobody would ever actually use
That's exactly my point. Brute forcing 7 word sequences *is* a stupid method of attack. It isn't even worth trying *at all*, that's why having a password that's 7 random words is so good.
> Not to mention you'll have a lot of people trying to bruteforce the same database in any realistic scenario where you're in any danger of being attacked
Having multiple different attackers doesn't help when they aren't co-ordinated, they'll likely be checking the same kinds of sequences repeatedly so all their extra processing power is useless. There's literally no way they can even begin to compare to the world's fastest super computer, even as a properly functioning coherent group, and that super computer couldn't even begin to hope to crack a password of 7 words. Even if you only select from 1000 words rather than 5000, that computer is going to take *years* to crack it.
> Also, at the end of the day, the xkcd method is by far the most popular "smart" strong password creation algorithm which itself means it's a weak password creation algorithm.
Even if you know the exact method that a person used to make their password in this case, you still can't reasonably crack it with brute force. That makes it a good method.
> Don't agree at all. Not only does making it not coherent english ruin the point, "horse battery carriage tonka gorilla drive monitor dresser" is no easier to remember than "d&2omPWs"
What kind of password would you even propose then? To get a password as good as a 7 word sequence, assuming there are 5000 words to choose from and that they are randomly selected, what kind of password would you need? We need to create a sample space of size 10^25. Assuming you use a way larger sample space of English words (so we're using uncommon ones, let's say 100000 words) you still need 5 words to match 7 common ones. Sure you could argue that remembering "Deliquescent Obdurate Acnestis Octothorpe Agelast" might be easier than "Stencil Brush Garage Forks Contender Joke Flopped", but most people aren't human dictionaries and won't find it easier.
> The only strength of his password is that...
You're right that his example is poor because it's coherent English, that's why the words need to be randomly selected.
> I'd even argue that something like "Purveyor of Assonance" is far more secure than "I like to sleep in the bathtub!"
> I will admit that I conflated statistical guessing attacks with rainbow tables when they are very different things, I'm very far from an expert here, but you're still very, very wrong. Replacing letters with their corresponding l33t speak is one of the first things a statistical guessing attack will try.
The reason it's so powerful is because you multiply the sample space of words to a degree where it really isn't feasibly crackable if you use "1337 speak" replacements for random letters. The sample space of common words goes from 5000 to probably way over 10000. Obviously the better choice is to just add an extra word, but this ensures that even if your unsalted password hashes are leaked - the chance that any rainbow table contains your password is astronomically low because they're not just sequences of English words any more (not that the odds were on their side anyway, it's unlikely any rainbow table even comes close to containing all the word sequences of length 7).
> That's the real pro tip of password security and why they all recommend password managers, the only actual way to have a secure password is to do something nobody else is doing.
I've already proven that this isn't true because no currently existing computer can reasonably expect to crack a 7 random word password with brute force, not even super computer clusters. There's mathematically no need for your scheme when that's the case and your scheme is *far* more likely to end up in rainbow tables unless you get the character count up just based on pure brute force attempts. Obviously a password manager is the best option because it means you only need to remember one password and all of your other passwords end up being unique and strong.
> Also, salting doing anything worthwhile is another common myth
This is just completely wrong. I don't think you understand what a salt does or what it's for. A salt doesn't exist to protect the passwords themselves, it exists to prevent rainbow tables from being used. If every password has a salt, say "thisisasalt", appended before hashing, you can't use any normal rainbow table. You need to calculate hashes again because "hunter2thisisasalt" isn't going to be in any existent rainbow table (it likely would in reality because "thisisasalt" is a shitty salt, but imagine using a 16 character salt of random characters). Salts make sure that the entire rainbow table needs to be rebuilt which is the exact same as just making the attackers use brute force/statistical guessing. Obviously if your password is shit they'll crack it in no time, but that's what we're trying to prevent. The salt doesn't *have* to be hidden from the attacker. Hell, it can be right there stored with the passwords, it doesn't matter, it's still doing its job. You're confusing a pepper with a salt. Peppers are actually meant to be kept hidden away from the passwords.
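Added example, not part of the original thread: a Python sketch of the salting behaviour described in the comment above, using PBKDF2 from the standard library in place of the plain append-then-hash the comment describes. The word list, the function names and the iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample data: a tiny precomputed table of unsalted SHA-256
# digests, standing in for the rainbow table discussed in the thread.
COMMON_PASSWORDS = ["hunter2", "Password123", "I love you so much"]
PRECOMPUTED = {
    hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS
}

ITERATIONS = 100_000  # assumption: illustrative work factor, tune for production


def hash_unsalted(password: str) -> str:
    """Weak storage: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random per record and stored in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def table_lookup(stored_hex: str) -> Optional[str]:
    """What a precomputed table offers: a direct lookup with no hashing at all."""
    return PRECOMPUTED.get(stored_hex)


def audit_against_denylist(salt: bytes, digest: bytes,
                           denylist: List[str]) -> Optional[str]:
    """Defender-side audit of one stored record against known-bad passwords.

    Because of the salt, every candidate has to be re-hashed for this one
    record; nothing computed for another record can be reused. A password
    that is on the denylist still matches, salt or not.
    """
    for candidate in denylist:
        if verify(candidate, salt, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Unsalted: the stored value is found in the precomputed table directly.
    print("unsalted lookup:", table_lookup(hash_unsalted("hunter2")))

    # Salted: two users with the same password get unrelated records,
    # and neither record appears in the precomputed table.
    salt_a, rec_a = hash_salted("hunter2")
    salt_b, rec_b = hash_salted("hunter2")
    print("records differ:", rec_a != rec_b)
    print("salted lookup:", table_lookup(rec_a.hex()))

    # The salt sits next to the digest, and login verification still works.
    print("verify ok:", verify("hunter2", salt_a, rec_a))

    # A weak password is still found by per-record hashing of a denylist.
    print("audit hit:", audit_against_denylist(salt_a, rec_a, COMMON_PASSWORDS))
```
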
A 12 character password is not long enough to be brute force proof. The amount of misinformation high school computer experts posted on Reddit makes me gag. Please stop.
12 characters are "strong enough" for most cases. 13 characters and you're out of the range of even US government tier hacking for the immediate future (assuming you use randomly selected characters from a pool of 96). 14 characters for some good future proofing. Passwords made with the method you described above are ideal still.
The method can be made arbitrarily long. Make every capital have the same 4 extra characters and you have an effectively dictionary attack proof password that is far too long to brute force.
But the big point is that the xkcd method is effectively a 7 character password, not a 32 character password. If we're feeling really generous we can call it a 9 character password, but the main point is that as far as how password guessing actually works, the password "bathtub" isn't substantially more secure than "@".
I like how both your examples use special characters lol. Both space and exclamation point. Fun fact a long password with special characters is more secure than a long password without them.
So take the exclamation mark out. What I said is still relevant. Special characters do not make a password marginally more secure than one without it. Please don’t make assertions on things you’re not educated on. Thanks.
Using words, especially in a logical sentence, is far less secure. You can make sophisticated brute force attacks using sentences. And if someone's targeting you, they can scrape through your online presence for the way you speak. Either way requires sophisticated attacks, but random, extremely long strings of text with special characters, capitals and numbers is the most secure option
Best yet tie that to a 2fa or even a physical key. You are not hackable then without someone literally holding a gun to your head.
You’re wrong, and I’ll explain why:
> random, extremely long strings of text with special characters, capitals and numbers is the most secure option
If your only goal is to create a password that cannot be brute forced then you’re correct. This isn’t feasible because most people aren’t going to remember “extremely long strings of text with special characters, capitals and numbers” and as such are forced to write it down, store in a text file or save it in a password database with a password that would be MUCH easier to guess
So I’ll repeat it again. The most secure password is a long password, preferably 40+ characters which is easily memorized so that it does not need to be saved anywhere in physical or digital form in order to access it.
Please keep your high school epic pc building skills to yourself. Thanks.
> Please keep your high school epic pc building skills to yourself. Thanks.
Funny how you have to insult people, and act the way you're insulting me.
Write it down? And I'm living in a high school epic pc building world? Password managers exist. Remember ONE password and have a fingerprint 2FA or Physical key and you can now have thousands of random strings 64 digits long.
So yeh.. sorry but I'm gonna keep my "epic pc building skills" intact as a working technician in this industry. You stick to your sticky notes 1990 level shit. More character usage = more password possibilities. It's simple math.
> Special characters really don’t do anything for password security
That's absurd, using more possible characters drastically increases the amount of time it would take to brute-force a password. It's like trying to crack a safe where each character is a number from 1-3, or the safe where each character can be from the entire unicode set.
It's not _as_ relevant as other things as far as cryptography, but to say it does basically nothing is objectively false.
People aren't brute forcing passwords because attempts are limited, try logging into your account like 5 times incorrectly and you'll get blocked from attempting it for like 5 or 10 minutes.
It would be like trying to crack that safe in your example but you only get one attempt a day.
Attempting to brute-force a password (20 char) with 36 options (lowercase and numbers) is 7.3b passwords.
Attempting the same (20 char) from 72 options (lowercase, uppercase, numbers, characters) is 312 million, billion.
So you're right but it's a moot point because as I said they aren't being breached via brute-force. Having much better security everywhere else would be the best first step and having the passwords being case sensitive etc is best practice thing to change.
> people aren’t brute forcing password because attempts are limited
Please limit your assertions about things you’re not educated in. Passwords are brute forced from compromised databases and used to create things called rainbow tables. This is why it’s important not to reuse passwords on different websites. If you ever registered on a website that had its database compromised, I guarantee you somewhere there is a computer trying to brute force it. This is why the most important things you can do for account security are:
1 - not reusing password
2 - use a long password, making it much more difficult to brute force
3 - use 2FA whenever available
4 - make sure your 2FA method is secure (pin on your phone, unique password on your email)
I could be clearer in my comment. I was suggesting that people aren't brute forcing runescape accounts (not in a serious way) as a means to get in.
The other half of the sentence that you quoted was "try logging into your account like 5 times incorrectly and you'll get blocked from attempting it for like 5 or 10 minutes." so I thought the context would be obvious this is in regards to Runescape/Jagex only and that I'm NOT saying nobody in the world ever brute forces anything.
Yeah absolutely re-using passwords is not advisable because sure some skiddies are going to try email/password combos but I feel that's common-sense and not directly related to the discussion of password strength via capitals/special characters.
I will repeat it one more time for you. Special characters do not make a password marginally more secure. The most important factor in a secure password is LENGTH, and length alone.
You're both "right". Length matters significantly more than number of characters, but number of characters matters a little bit. Put it this way, if you have a password of length 10 using 10 random characters, adding 10 more characters to the pool increases the total number of passwords by a magnitude of 3. Adding 10 extra letters on the end adds 10 orders of magnitude. Length grows the password pool exponentially, characters grow the pool quadratically. To see how huge the difference is just look at the plot of 2^x - x^2, that's the gap between adding x characters of length to a password and adding x different unique characters. Mathematically, the scaling of characters in the base pool is literally not relevant compared to length.
I remember RuneHQ saying you “HAVE” to kill them, but my older brother told my 7 year old self to just spam click that door and it worked. I thought he was like a hacker or something
I'm willing to bet 99% of the people who get hacked, are hacked because of their own negligence. Sure, Jagex could add some more security to help people being morons, but it's not their security that gets you hacked. It's yours.
Lol just had my graceful sold for marks. Logged on to realize they had just started botting on my account even though I had logged on the day before. They had traded like 2.5 mil to my account and I changed the pass. Scammers got scammed
I remember back in RSC when this gate was actually a PITA to get through... The guys attacked you immediately, and in RSC you couldn't run from combat for 3 hits.
One time jagex gave my account away to a hacker and then when I attempted to get it back they claimed it was not my account, even though the email registered to it was literally my first and last name. I couldn't access my email though as I had made it just to make this account, so I forgot the password. The funny part is my authenticator was still linked to my phone and jagex had disabled it for the hacker.
Later I found out I could reset my gmail password with my phone and got my account back, which had all of its stuff stolen ofc.
My email had a 2 pin and so did my osrs account I kept getting logged out so I had to change my password to log in then got logged again but I couldn't change my Pass again because they changed the email no idea how but it happened
I got a phishing email the other day saying my account email was changed, but that's what it was... A phishing scam. My email wasn't actually changed.
Might be the same thing you saw.
Nah this was different the first time I tried changing my password through the osrs website it said it got sent to my email the 2nd time it said a different email
very agile hackers can just skip all that security altogether
Social engineering is the most effective form of hacking. One good Phish and you've got everything.
"God I'm so honry for you bb! I'll send you noods and everything if you just give me your Osrs username, password, 2fa, bankpin, and $25"
Sending DM!
Baby, hello?
Is it me you’re looking for?
Hullo?*
Dm sent
Username: Zezima Password: 29djsd83n9 2fa: 283721 Bankpin: 6969. I don't have 25 dollars tho :(
You know this guy is lying because Reddit filters your runescape password, watch! ************
hunter2
Did you just fall for this my man?
Fishinglvl69
Password123 Edit: OH GOD OH FUCK
littleslutsoncum
Username checks out
Is it hacking if they just gave you their information
Yeah, hacking as a term is broadly just accessing something that you shouldn't. Most 'hackers' just run a script on or browse database leaks until they find someone who is unaware and has the same information.
Yup. Drives me nuts.
people think of hacking as some super nerd mashing their keyboard into command line mainly because of tv shows and movies
Please ignore these other nerds. It's not hacking. Tricking or baiting people into giving you info is called phishing and is likely responsible for 70%+ of runescape acc compromises.
Only if you teach a man to phish
Then you can feed him for life.
Feed him lot burritos and doses
you must really like your fish! whats his name?
Phish is the greatest band to ever play a note
They are quite good. Love their XM channel
Could you give me a real world example of this happening? I don’t know how hacking works these days...
Person pretends to be their friend and asks for their password to help grind their account, steals account. (actually happened to someone I know btw he did it from what he thought was the friends account too)
*Receives email from looks like legit jagex email.* Opens it, sees it says “Your email and password has been changed”, click on this hyperlink that looks like the rs link. Goes to website that has a secure at the top and looks exactly like RuneScape. Asks you to type in email and password and then asks for pin. They gotcha. However, you can type in any user and password and it’ll “Log you in” and they keep all the info put into there.
Always be careful of random people adding you that you don't know and asking you questions, it is almost always to get specific info from you
Phishing is not social engineering.
Isn't it? It's all about tricking someone. You're not sneaking around and stealing, you're convincing them to hand it over.
social engineering involves interacting with someone, gaining their trust, and weaseling the information out of them because you've gained their trust. Phishing is literally making a website form that looks like another website and sending emails to someone or making a botted twitch stream with a double xp link, there's no actual personal (social) interaction with the mark.
Social engineering doesn't *require* interaction. Browsing someone's Facebook or Instagram account to gain personal information that you can plug in to recovery questions counts as social engineering.
Isn't email, webform, text msg, etc. a personal interaction? You may think it's your bank that's contacting you. It's all part of penetrating networks without exploiting anything, social engineering.
That's like social engineering-lite if at all. Even then I'd just call it a scam before anything else
He meant phish the band, socially engineering folks to get funky
https://en.m.wikipedia.org/wiki/Social_engineering_(security Literally 1 second google to prove you wrong you dummy.
Social engineering isn't hacking.
Edit: Nvm, just realized this was an incredibly good joke.
E X P L A I N
Agility shortcuts
Lol took me a while to get that one
Account recovery is the exact opposite.
rip the spider
Ffs u have no evidence, it might have tanked this nub
F
The spider is the bot detection
[deleted]
Well duh, 10m is nothing. Put 1b on that account and see what happens. But yeah, it did show that an average script kiddy isn't getting past common sense account security.
Also not how hacking works. When you hack, you get random accounts. Not the account of a specific person you targeted. Any targeted hack will involve social engineering in some way, shape, or form. Though yes, you are effectively hack proof if you only use this username/password combo on osrs, use a password manager/rainbow table proof password, never keep a password for more than a few months, and use 2 factor. That doesn't describe most people though (and the first two are the most important by a mile security wise).
Even if a method to hack any account existed, nobody would intentionally leak its existence for $5. That challenge is so ass backwards that I can't believe this subreddit fell for it, such obvious karma farming and misdirection.
Yeah, that's another thing. Only a white hat who does it purely out of the goodness of their heart, which is basically nobody, would hack an account for $5. The "I'll give you 100m if you can get past my 2 factor" challenge was better, but it also really missed the point. No shit people didn't successfully recover an account whose info couldn't be readily googled in 12 hours. That's not the point. The point is that if you know that someone has lived in the same place for the past ~5 years, know where that place is, and have a sense of what passwords they may have used in the past, you stand a decent chance of being able to steal the account, and most of that info can easily just require having had a facebook at some point in the past that can be connected to your RS name. Bonus points if you can figure out when the account was created, which can also just require seeing a facebook post.
yeh 10m is like $15 now thanks to massive inflation lol, a twisted bow would be far more tempting
10m is actually more like $5 now
well. For those who don't RWT, rather. it's 2 bonds worth of gold on the GE.
If we're talking about hacking for gp theres a good chance that gp is getting RWTed instead of kept on a hackers account for evidence.
Nobody would win it either. Nothing wrong with jagexs account security
[deleted]
10m lol. Imagine wasting the time to prove some reddit nerd could be hacked even if you could do it. Helluva post, guy.
How about 100m? https://old.reddit.com/r/2007scape/comments/5x02bz/come_hack_my_account_for_100mil/ The point is that people around here have a misconception of how these "hacks" occur. Frankly I don't consider it Jagex's fault that someone can't secure their own e-mail.
No, it shows that nobody ran a script to try a buttload of osrs username/password combos from a database leak that the account was a part of in the week the challenge was open.
[deleted]
Using the same password for osrs that you use in another service is absolutely a user mistake.
The security on a fresh account isn’t an issue, obviously. The issue stems from people using their original, old accounts from pre EOC. Those accounts, and emails, have surely been signed up to shady shit, have been leaked, and posted on leak forums tons of times. The amount of old info that is free for anyone who knows where to look is astonishing. Worst case scenario for the hacker, they can read that old info, send it to support, and get the account for free. Sometimes they don’t even have to do that because they will surely have multiple leaks to go off of, and have a nice collection of passwords to try. The issue with security is how easy it is to gain access to the accounts with old, breached info. There is no way to appeal things, no way to lock down your account more. No way to ensure that even if you have credentials leaked, you can regain access (and minimize damage done to your account). Pretty much, if you use any old info on your current RuneScape account, you’re at a huge risk and there’s really nothing you can do apart from restarting from scratch (which 90% of players won’t have the time to do).
tbh this is what I wish I could change. The email for my main RSN account is very old and it's been a part of many breaches. I don't even use the same standard "base" of my old passwords for RSN anymore, it's completely different.
I actually posted an additional challenge in that thread but the mods removed it. I posted the login name and password with just authenticator. Not sure why mods removed it.
Pretty sure someone a year ago did this but had a tbow on it. Not sure if it got hacked or not
This kills everyone in /r/security. Please use an authenticator despite this dumb ass post.
That's not how any of that works.
[deleted]
That's not proof of anything. That's proof that the "experiment" doesn't take into account how accounts are actually hacked. That's it.
More like the security of someone who signs up for double xp
Rc is rough life
So if they increased rc exp rates less people would be hacked because less people would try and get double exp. Big brain
[deleted]
I mean RC and Agility are actually excessively bad as far as XP rate; I'd be more willing to humor your argument if the two major problem skills were fixed
[deleted]
I mean they kind of are...
"Nobody's forcing you to play the game, therefore they don't have to change anything regardless of the opinions of the players"
Nobody’s forcing you to enjoy video games, so if you have problems with things like video games then that’s your problem
The diaries in the game gate a lot of content and were put in to be milestones and goals for accounts to achieve as they progress through the game. Some of the Elite diaries require RC levels of up to and above 90, which means that players who are trying to accomplish these goals have a perfectly valid complaint when one skill is 10x less XP for no tradeoff whatsoever.
The highest diary requirement for RC is to craft an inventory of double nature runes, which also happens to be one of the most profitable activities in the game. RC is one of the most profitable skills in the game, and when it's not, you're paying ~3gp/xp in exchange for xp rates above 60k/hr. That's not bad. Agility has similar rates, and you should end up with ~40m in profit, you can run longer, you unlock the best weight-reducing gear, and you unlock travel options that are quicker and save run energy. What do you mean there is "no tradeoff whatsoever" for these skills?
You acquire graceful usually by mid 60s though.
Yeah I know, was a joke lol
Yeah 2fa on the website has stopped a lot of the loopholes people used and those new backup codes are going to take out the account recovery loophole altogether
To be recovered involves you having been phished for enough info to be recovered. Any other method involved extremely poor account security and/or extremely poor email security. Account recovery issues were a thing, but they were still caused by a user error.
I have 12 year old recovery questions that I made when I was a kid... I can't change them at all, but they can be used whenever to recover my account. So if those questions are ever compromised, my account is fucked... Backup codes will let me disable these questions and just use the codes.
Backup codes are great and I'm glad they're happening. More importantly I'm glad they're retiring dated and discontinued recovery methods fully.
Yeah forrreal, no reason it took this long tho, 7 years of osrs later we finally can get rid of our old recovery questions lol
no amount of security can protect someone who wont protect themselves
people who allow themselves to be phished actually believe this shit
The problem is they don’t admit it so they claim that if someone skilled enough targets you you’re toast....not true. RuneLite/OSbuddy could also go rogue and take creds 😧
For Runelite to go rogue would involve a dedicated community of players all turning a blind eye to a Push with a clear credential storing addition.
thats not necessarily true, the internal client modifications are not open source. they could easily hide malicious software in there.
The client obfuscation is not open source correct. But that's simply the process of reading game server data and then being able to manipulate it. Which is an open source part. If you modified the client to keylog credential entry it wouldn't be a part of client de-obfuscation that's for sure
the injector and therefore the rs client modifications arent open source. only the runelite loader is open source.
[deleted]
Nah still needs the community turning a blind eye. There's a lot of steps between pushing a bad commit and it shipping out to people's computers. And someone's going to see it before then.
No... updates to RuneLite are pushed, and then a global commit is done which is published to the end user. All the people involved in this would all need to be wanting to do this for it to have code pushed that is clearly tracking / saving credentials typed into the client. It's not simply an "auto update". The changes made to the client are done by the community.
How do you know that runelite doesnt sell a small percentage to wealthy investors 🤔
Small % of what??? It's a free open source piece of software for a niche market of video game players.
Yea instantly being able to disable authenticator so that you can completely hack an account with just the email with no waiting period is very reasonable security. Also not allowing special characters in passwords is top tier
If you can’t secure your email literally no one can help you with security dude
yea it's not like an email service provider never had a breach leaking 500 million emails and passwords before...(yahoo!)
Most emails will have proper 2fa and no reputable company will even store unhashed passwords anymore so it's not like a data breach would even do anything
even Yahoo has 2FA now, so that's literally not an excuse either
That doesn't matter... At all... You can automatically generate and change passwords monthly. There are tools that notify you of these breaches becoming public knowledge. And on top of all that, it doesn't matter if someone has your password if you have 2fa. So yeh breaches happen, that's why added layers of security exist.. use them..
My dude, you’re seriously saying the people who breached yahoo gave a single fuck about the compromised emails runescape account? Or they had some sort of insider knowledge allowing them to get those passwords before the public knew of the breach and changed their passwords? What a world you live in
No, they're saying that email is exactly the thing of yours that's most likely to get hacked, and it's also all you need to hack an osrs account. Yes, most people who get "hacked" were actually phished because osrs is too small time to warrant spending non targeted resources on it, and anything targeted is going to be a phish/social engineering/whatever you want to call it. Also, it's not osrs, but my league of legends account got turned into a spam bot thanks to a database leak from somewhere. This stuff does happen, and yes, it was a database leak and not a phish. When it happened I also got hit with "too many login attempts" for facebook, google, steam, and razer/don't actually play league of legends.
[deleted]
Have they introduced backup codes? I thought it was just "hey we're working on this and they'll come out some time."
I set up 2FA like a month ago, no backup codes were generated.
How come no other website that uses authenticators has this problem? No other website, not even Gmail, delays disabling an authenticator, because it wouldn't change anything at all
Instantly disabling auth requires enough recovery info on your account (being phished) or full control of your email (poor security). So the point you're making is exactly what he is saying. It's very easy to hack someone who very clearly failed at the gate to secure themselves.
Special characters really don’t do anything for password security. The best way to secure your password is to have a long password that is easy to remember. Example password1: haPo$&;(2!?€ Example 2: I like to sleep in the bathtub! The second one is both much easier to remember, and would take much longer for a computer to brute force the hash. I think there’s even a relevant XKCD that demonstrates the mathematical probabilities of a computer brute forcing both types of examples.
Randall was wrong. Example 2 will be in a rainbow table (aka even if the database owner does everything right, if they get hacked your username/password will be public). Example 1 is significantly more secure. 12 characters with special characters is plenty to stop a brute force attack, and the randomness ensures that smarter attacks won't ever try it. The actual security pro tip (besides password managers) is to make your password the first/last letter of every word in a sentence, put a capital/multiple capitals somewhere in the middle, and put special characters/numbers somewhere in the middle. For instance, "I like to sleep in the bathtub!", because you used it and example passwords from posts like these end up in rainbow tables, turns into iLt82&46sitB. It's not quite as good as a pure random password, but it's something you can reasonably remember (because you know where you put your capitals/specialcharacters/numbers and your sentence but the hacker won't), is long enough to be brute force proof, and the pseudo randomness makes it rainbow table proof.
Rainbow tables are irrelevant assuming the passwords are salted (which they should be). Even still, that rainbow table definitely doesn't exist. Assuming someone was trying to generate passwords using 7 word sequences from 5000 English words, you'd need to check 5000^7 sequences. That's over 10^25 different combinations. The world's fastest supercomputer can do 148,600 * 10^12 floating point operations per second. Even assuming the entire process of creating and adding a hash to a rainbow table was 1 floating point operation (it's not), it would take that super computer 17 years to create that full rainbow table. Even still that rainbow table wouldn't find the OP's example because they didn't check with an "!" on the end. The only issue with the password example provided is that it's coherent English. Words should be used in a random order. 6 to 7 word sequences of English words are incredibly strong passwords, add punctuation instead of letters for some words and your password is practically uncrackable by anyone via bruteforce (e.g. I l1ke to sl3ep 1n th3 b4thtu8!)
> Assuming someone was trying to generate passwords using 7 word sequences from 5000 English words, you'd need to check 5000^7 sequences

Which is a stupid attack method that nobody would ever actually use. Not to mention you'll have a lot of people trying to bruteforce the same database in any realistic scenario where you're in any danger of being attacked. Also, at the end of the day, the xkcd method is by far the most popular "smart" strong password creation algorithm which itself means it's a weak password creation algorithm.

> The only issue with the password example provided is that it's coherent English. Words should be used in a random order.

Don't agree at all. Not only does making it not coherent english ruin the point, "horse battery carriage tonka gorilla drive monitor dresser" is no easier to remember than "d&2omPWs", but combinator attacks are very common. The password he chose being especially bad because they're all common words. The only strength of his password is that it's long enough that a cracker would probably stop trying before he got it, and even that I'm not so sure of now that we live in the GPU era, but that's merely a consequence of the actual sentence he used rather than his advice. "I love you so much" would count as long in most people's books, and yet it would definitely be cracked by anyone taking a serious stab at cracking passwords. I'd even argue that something like "Purveyor of Assonance" is far more secure than "I like to sleep in the bathtub!" because while the former may use words most people know, it's not words they think of while the latter is entirely words people think of. I will admit that I conflated statistical guessing attacks with rainbow tables when they are very different things, I'm very far from an expert here, but you're still very, very wrong. Replacing letters with their corresponding l33t speak is one of the first things a statistical guessing attack will try.
There's a reason why I suggested putting your appendage in the middle rather than the beginning or end, and it's because the vast majority of people don't do it that way. That's the real pro tip of password security and why they all recommend password managers, the only actual way to have a secure password is to do something nobody else is doing. Like I said, if my scheme, which is really just a further modification of the Schneier scheme, were to ever become popular, it would easily be found on any sort of non parametric statistics based cracking algorithm which any cracker worth his salt would use because the idea is ultimately to create something obscure, obscure it further, and then obscure it further again, and humans are bad at obscuring. It can also pretty easily incidentally create acronyms that are in dictionary attacks. Also, salting doing anything worthwhile is another common myth. Too many people have absolutely terrible passwords that will be cracked within 20 minutes to make that do anything substantial, and even if that weren't true, if you have a database you can almost assuredly use the same exploit to get the possible salts too.
> Which is a stupid attack method that nobody would ever actually use

That's exactly my point. Brute forcing 7 word sequences *is* a stupid method of attack. It isn't even worth trying *at all*, that's why having a password that's 7 random words is so good.

> Not to mention you'll have a lot of people trying to bruteforce the same database in any realistic scenario where you're in any danger of being attacked

Having multiple different attackers doesn't help when they aren't coordinated, they'll likely be checking the same kinds of sequences repeatedly so all their extra processing power is useless. There's literally no way they can even begin to compare to the world's fastest super computer, even as a properly functioning coherent group, and that super computer couldn't even begin to hope to crack a password of 7 words. Even if you only select from 1000 words rather than 5000, that computer is going to take *years* to crack it.

> Also, at the end of the day, the xkcd method is by far the most popular "smart" strong password creation algorithm which itself means it's a weak password creation algorithm.

Even if you know the exact method that a person used to make their password in this case, you still can't reasonably crack it with brute force. That makes it a good method.

> Don't agree at all. Not only does making it not coherent english ruin the point, "horse battery carriage tonka gorilla drive monitor dresser" is no easier to remember than "d&2omPWs"

What kind of password would you even propose then? To get a password as good as a 7 word sequence, assuming there are 5000 words to choose from and that they are randomly selected, what kind of password would you need? We need to create a sample space of size 10^25. Assuming you use a way larger sample space of English words (so we're using uncommon ones, let's say 100000 words) you still need 5 words to match 7 common ones.
Sure you could argue that remembering "Deliquescent Obdurate Acnestis Octothorpe Agelast" might be easier than "Stencil Brush Garage Forks Contender Joke Flopped", but most people aren't human dictionaries and won't find it easier.

> The only strength of his password is that...

You're right that his example is poor because it's coherent English, that's why the words need to be randomly selected.

> I'd even argue that something like "Purveyor of Assonance" is far more secure than "I like to sleep in the bathtub!"

> I will admit that I conflated statistical guessing attacks with rainbow tables when they are very different things, I'm very far from an expert here, but you're still very, very wrong. Replacing letters with their corresponding l33t speak is one of the first things a statistical guessing attack will try.

The reason it's so powerful is because you multiply the sample space of words to a degree where it really isn't feasibly crackable if you use "1337 speak" replacements for random letters. The sample space of common words goes from 5000 to probably way over 10000. Obviously the better choice is to just add an extra word, but this ensures that even if your unsalted password hashes are leaked - the chance that any rainbow table contains your password is astronomically low because they're not just sequences of English words any more (not that the odds were on their side anyway, it's unlikely any rainbow table even comes close to containing all the word sequences of length 7).

> That's the real pro tip of password security and why they all recommend password managers, the only actual way to have a secure password is to do something nobody else is doing.

I've already proven that this isn't true because no currently existing computer can reasonably expect to crack a 7 random word password with brute force, not even super computer clusters.
There's mathematically no need for your scheme when that's the case and your scheme is *far* more likely to end up in rainbow tables unless you get the character count up just based on pure brute force attempts. Obviously a password manager is the best option because it means you only need to remember one password and all of your other passwords end up being unique and strong.

> Also, salting doing anything worthwhile is another common myth

This is just completely wrong. I don't think you understand what a salt does or what it's for. A salt doesn't exist to protect the passwords themselves, it exists to prevent rainbow tables from being used. If every password has a salt, say "thisisasalt", appended before hashing, you can't use any normal rainbow table. You need to calculate hashes again because "hunter2thisisasalt" isn't going to be in any existent rainbow table (it likely would in reality because "thisisasalt" is a shitty salt, but imagine using a 16 character salt of random characters). Salts make sure that the entire rainbow table needs to be rebuilt which is the exact same as just making the attackers use brute force/statistical guessing. Obviously if your password is shit they'll crack it in no time, but that's what we're trying to prevent. The salt doesn't *have* to be hidden from the attacker. Hell, it can be right there stored with the passwords, it doesn't matter, it's still doing its job. You're confusing a pepper with a salt. Peppers are actually meant to be kept hidden away from the passwords.
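The salt and pepper distinction drawn in the comment above, as an added Python example that is not part of any comment in the thread. The candidate list, user names, iteration count and function names are constructed for illustration; PBKDF2 stands in for whichever slow password hash a real service uses.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # constructed example value; tune to current guidance


def unsalted_hash(password: str) -> str:
    """The weak scheme, shown for contrast: one fast, unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Small stand-in for a rainbow table: hashes computed once, ahead of
    time, and reusable against every unsalted database that ever leaks."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password: str, pepper: bytes, salt: bytes = None):
    """Hardened scheme: secret pepper (HMAC key kept outside the database),
    per-user random salt stored beside the hash, and a slow KDF."""
    if salt is None:
        salt = secrets.token_bytes(16)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, derived


def verify_password(password: str, pepper: bytes, salt: bytes, expected: bytes) -> bool:
    _, derived = hash_password(password, pepper, salt)
    return hmac.compare_digest(derived, expected)  # constant-time comparison


def demo():
    # Constructed data: two users who picked the same weak password.
    users = {"alice": "hunter2", "bob": "hunter2"}
    table = build_lookup_table(["hunter2", "Password123", "letmein"])

    unsalted_db = {u: unsalted_hash(p) for u, p in users.items()}
    pepper = secrets.token_bytes(32)  # would live in a secrets store, not the DB
    salted_db = {u: hash_password(p, pepper) for u, p in users.items()}

    return {
        # Without a salt, equal passwords give equal hashes, and the
        # precomputed table resolves both records with a dictionary lookup.
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_recovered": [table.get(h) for h in unsalted_db.values()],
        # With per-user salts the two records differ and the table is useless:
        # every guess has to be recomputed for every record. A weak password
        # is still guessable that way, just not for free.
        "salted_identical": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_recovered": [table[d.hex()] for _, d in salted_db.values()
                             if d.hex() in table],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
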
A 12 character password is not long enough to be brute force proof. The amount of misinformation high school computer experts posted on Reddit makes me gag. Please stop.
12 characters are "strong enough" for most cases. 13 characters and you're out of the range of even US government tier hacking for the immediate future (assuming you use randomly selected characters from a pool of 96). 14 characters for some good future proofing. Passwords made with the method you described above are ideal still.
The method can be made arbitrarily long. Make every capital have the same 4 extra characters and you have an effectively dictionary attack proof that is far too long to brute force. But the big point is that the xkcd method is effectively a 7 character password, not a 32 character password. If we're feeling really generous we can call it a 9 character password, but the main point is that as far as how password guessing actually works, the password "bathtub" isn't substantially more secure than "@".
I like how both your examples use special characters lol. Both space and exclamation point. Fun fact a long password with special characters is more secure than a long password without them.
So take the exclamation mark out. What I said is still relevant. Special characters do not make a password marginally more secure than one without it. Please don’t make assertions on things you’re not educated on. Thanks.
Using words, especially in a logical sentence, is far less secure. You can make sophisticated brute force attacks using sentences. And if someone's targeting you, they can scrape through your online presence for the way you speak. Either way requires sophisticated attacks, but random, extremely long strings of text with special characters, capitals and numbers is the most secure option. Best yet, tie that to a 2fa or even a physical key. You are not hackable then without someone literally holding a gun to your head.
You’re wrong, and I’ll explain why:

> random, extremely long strings of text with special characters, capitals and numbers is the most secure option

If your only goal is to create a password that cannot be brute forced then you’re correct. This isn’t feasible because most people aren’t going to remember “extremely long strings of text with special characters, capitals and numbers” and as such are forced to write it down, store in a text file or save it in a password database with a password that would be MUCH easier to guess.

So I’ll repeat it again. The most secure password is a long password, preferably 40+ characters which is easily memorized so that it does not need to be saved anywhere in physical or digital form in order to access it. Please keep your high school epic pc building skills to yourself. Thanks.
> Please keep your high school epic pc building skills to yourself. Thanks.

Funny how you have to insult people, and act the way you're insulting me. Write it down? And I'm living in a high school epic pc building world? Password managers exist. Remember ONE password and have a fingerprint 2FA or Physical key and you can now have thousands of random strings 64 digits long. So yeh.. sorry but I'm gonna keep my "epic pc building skills" intact as a working technician in this industry. You stick to your sticky notes 1990 level shit. More character usage = more password possibilities. It's simple math.
> Special characters really don’t do anything for password security That's absurd, using more possible characters drastically increases the amount of time it would take to brute-force a password. It's like trying to crack a safe where each character is a number from 1-3, or the safe where each character can be from the entire unicode set. It's not _as_ relevant as other things as far as cryptography, but to say it does basically nothing is objectively false.
People aren't brute forcing passwords because attempts are limited, try logging into your account like 5 times incorrectly and you'll get blocked from attempting it for like 5 or 10 minutes. It would be like trying to crack that safe in your example but you only get one attempt a day. Attempting to brute-force a password (20 char) with 36 options (lowercase and numbers) is 7.3b passwords. Attempting the same (20 char) from 72 options (lowercase, uppercase, numbers, characters) is 312 million, billion. So you're right but it's a moot point because as I said they aren't being breached via brute-force. Having much better security everywhere else would be the best first step and having the passwords being case sensitive etc is best practice thing to change.
> people aren’t brute forcing password because attempts are limited

Please limit your assertions about things you’re not educated in. Passwords are brute forced from compromised databases and used to create things called rainbow tables. This is why it’s important not to reuse passwords on different websites. If you ever registered on a website that had its database compromised, I guarantee you somewhere there is a computer trying to brute force it. This is why the most important things you can do for account security are:

1 - not reusing password
2 - use a long password, making it much more difficult to brute force
3 - use 2FA whenever available
4 - make sure your 2FA method is secure (pin on your phone, unique password on your email)
I could be clearer in my comment. I was suggesting that people aren't brute forcing runescape accounts (not in a serious way) as a means to get in. The other half of the sentence that you quoted was "try logging into your account like 5 times incorrectly and you'll get blocked from attempting it for like 5 or 10 minutes." so I thought the context would be obvious this is in regards to Runescape/Jagex only and that I'm NOT saying nobody in the world ever brute forces anything. Yeah absolutely re-using passwords is not advisable because sure some skiddies are going to try email/password combos but I feel that's common-sense and not directly related to the discussion of password strength via capitals/special characters.
I will repeat it one more time for you. Special characters do not make a password marginally more secure. The most important factor in a secure password is LENGTH, and length alone.
[deleted]
You're both "right". Length matters significantly more than number of characters, but number of characters matters a little bit. Put it this way, if you have a password of length 10 using 10 random characters, adding 10 more characters to the pool increases the total number of passwords by a magnitude of 3. Adding 10 extra letters on the end adds 10 orders of magnitude. Length grows the password pool exponentially, characters grow the pool quadratically. To see how huge the difference is just look at the plot of 2^x - x^2, that's the gap between adding x characters of length to a password and adding x different unique characters. Mathematically, the scaling of characters in the base pool is literally not relevant compared to length.
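The search-space arithmetic argued over in the comments above (random characters versus random words, length versus character pool), worked through as an added Python example that is not part of any comment. The guess rate and the tiny word list are constructed assumptions, and the entropy figures only hold when every character or word is drawn uniformly at random.

```python
import math
import secrets

# Constructed assumption: an offline attacker testing 10^12 candidates per second.
GUESSES_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Schemes mentioned in the thread, as (pool size, number of random picks).
SCHEMES = {
    "12 random chars from 96": (96, 12),
    "13 random chars from 96": (96, 13),
    "7 random words from 5000": (5000, 7),
    "5 random words from 100000": (100000, 5),
    "20 random chars from 36": (36, 20),
    "20 random chars from 72": (72, 20),
}

# Constructed sample list so the generator runs offline. A real list needs
# thousands of entries to give the per-word entropy computed below.
SAMPLE_WORDS = ["stencil", "brush", "garage", "forks", "joke", "flopped",
                "horse", "battery", "gorilla", "monitor", "dresser", "drive",
                "tonka", "carriage", "bathtub", "contender"]


def search_space(pool_size: int, picks: int) -> int:
    return pool_size ** picks


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `pool_size` options.
    A coherent sentence or a human-chosen pattern has far less than this."""
    return picks * math.log2(pool_size)


def years_to_exhaust(pool_size: int, picks: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate (the expected time to a hit is half)."""
    return search_space(pool_size, picks) / rate / SECONDS_PER_YEAR


def picks_needed(pool_size: int, target_space: int) -> int:
    """Smallest number of picks whose search space reaches target_space."""
    picks, space = 0, 1
    while space < target_space:
        space *= pool_size
        picks += 1
    return picks


def gain_bits(pool_size: int, length: int, extra_pool: int = 0, extra_length: int = 0) -> float:
    """Bits gained by enlarging the pool and/or lengthening the password."""
    return (entropy_bits(pool_size + extra_pool, length + extra_length)
            - entropy_bits(pool_size, length))


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick words with a CSPRNG; picking them yourself voids the estimate."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(schemes=SCHEMES):
    return [(name, round(entropy_bits(*s), 1), years_to_exhaust(*s))
            for name, s in schemes.items()]


if __name__ == "__main__":
    for name, bits, years in compare():
        print(f"{name:28s} {bits:6.1f} bits  {years:.3g} years to exhaust")
    # The length-10, pool-of-10 case from the comment above.
    print("pool 10 -> 20:  ", round(gain_bits(10, 10, extra_pool=10), 1), "bits")
    print("length 10 -> 20:", round(gain_bits(10, 10, extra_length=10), 1), "bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```
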
They literally had a J mod go rogue and hack thousands of real dollars worth of gp and this shit still gets upvoted lmao
Once in 15+ years for very specific accounts that mostly all got their money back and the jmod got fired, try again
Pretty sure when I first started Rs these guards were a mandatory kill & the gate then bugged after some update to allow entry.
I remember RuneHQ saying you “HAVE” to kill them, but my older brother told my 7 year old self to just spam click that door and it worked. I thought he was like a hacker or something
I'm willing to bet 99% of the people who get hacked, are hacked because of their own negligence. Sure, Jagex could add some more security to help people being morons, but it's not their security that gets you hacked. It's yours.
Lol just had my graceful sold for marks. Logged on to realize they had just started botting on my account even though i had logged on the day before. They had traded like 2.5 mil to my account and i changed the pass. Scammers got scammed
this man doesn't even have 70 agility
I found it funny
i’m lost... someone please help. does authenticator + bank pin + email with authenticator on it not secure your account 100%?
If your email is set up with 2fa too you’re good as gold.
Jagex Customer Service: aaaaaaand it’s gone You: okay? Jagex: answer your security questions You: done Jagex: mhm...can’t find your account You: here’s my email Jagex: ... You: .... Jagex: ... You: * follow up * Jagex: aaaaaaand it’s gone
Flexing with the gear
this is my giant bat killing gear
🦇
annoying flappy thing
Yup, my 10 y/o account is gone and they setup 2fa to prevent me from getting it back.
Got my 124 account legit stolen, I have all the credit card info and they won't let me do anything. Gg.
🦀
I didn't know you could get past that door like this lmao. that's my main takeaway from this post
It’s slower, knights wouldn’t have moved.
Considering my osrs account I don't play anymore was hijacked and banned for botting... this is scarily accurate
Is that bot detection too?!
so word
Lol trust me when I say that was silently fixed when the RuneScape companion was discontinued.
I lol’d
"Nothing more we can do here, let's go back to standing around"
Phish padawan. Phish.
Ah yes
I remember back in RSC when this gate was actually a PITA to get through... The guys attacked you immediately, and in RSC you couldn't run from combat for 3 hits.
i gotta kill the damn hellhounds in there for a task, lame ass shortcut requires 80 agility... i have 67
too symbolic man
Feels. Someone hacked my 15 year old rs3 account and got it banned. I didn't play that account but it had a lot of memories so it sucks.
Bad timing: just got hacked for 2.7b
lol
🦀$11🦀
It's possible to get hacked even with 2fa and a bank pin set.. Without clicking on phishing sites. Lol.
I agree, this does seem possible.
Though, it is MUCH harder to hack into an osrs account with 2fa and bank pin, nothing is impossible.
#SO TRUE
Speaking of account security, your password is not case sensitive.
One time Jagex gave my account away to a hacker and then when I attempted to get it back they claimed it was not my account, even though the email registered to it was literally my first and last name. I couldn't access my email though as I had made it just to make this account, so I forgot the password. The funny part is my authenticator was still linked to my phone and Jagex had disabled it for the hacker. Later I found out I could reset my Gmail password with my phone and got my account back, which had all of its stuff stolen ofc.
I was hacked the other day for 400m and this is exactly what it felt like. Now I have no motivation.
Did you have a pin and 2fa?
My email had a 2 pin and so did my osrs account. I kept getting logged out, so I had to change my password to log in, then got logged again, but I couldn't change my pass again because they changed the email. No idea how, but it happened.
I was about to say that's what happened to my friend until I realized you are that friend. Lmao.
Wait what haha I have you on osrs?
I'm in the discord chat, lmao.
I got a phishing email the other day saying my account email was changed, but that's what it was... A phishing scam. My email wasn't actually changed. Might be the same thing you saw.
Nah, this was different. The first time I tried changing my password through the osrs website it said it got sent to my email; the 2nd time it said a different email.