Glorious Alpha Two Testers!
Alpha Two Realms are now unlocked for Phase II testing!
For our initial launch, testing will begin on Friday, December 20, 2024, at 10 AM Pacific and continue uninterrupted until Monday, January 6, 2025, at 10 AM Pacific. After January 6th, we’ll transition to a schedule of five-day-per-week access for the remainder of Phase II.
You can download the game launcher here and we encourage you to join us on our for the most up to date testing news.
Error Message on Login
Xotix
Member
First off: I'm no expert
When logging in with, let's say, a wrong username, e.g. if someone uses the email, you get the following error message:
Username or password do not match the length or complexity requirements of our accounts system.
Which is a bit weird. The error is "Username can't be an email address" or, more generally, "If existing, the provided username and password don't match." but there's no reason to talk about the "complexity requirements". That only matters when registering.
Sidenote:
Also please note that having complexity requirements isn't necessarily good. An attacker usually receives the password encrypted (if he got it unencrypted, there's no security measure other than 2FA that works anyway). The attacker has to crack it. If you have complexity requirements like "Please have: At least one number, at least one upper case, at least one special character" the attacker can e.g. downsize the dictionary used for the attack.
Now the funny thing is that, as far as I can see, the only requirement for the password is "be at least 6 characters long", so the error above is even more weird.
Maybe just provide an entropy score? That doesn't give away information.
0
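A sketch of the separation the post argues for, as an added example that is not part of the original thread and not the game's account code: format rules are reported only at registration, while login returns one generic message for every kind of failure. The in-memory store, the function names and the PBKDF2 parameters are assumptions; the 6-character minimum is the rule the post reports.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LEN = 6  # the only rule the post reports seeing
GENERIC_LOGIN_ERROR = "If existing, the provided username and password don't match."

_users = {}  # username -> (salt, hash); hypothetical stand-in for an account store


def _hash(password, salt):
    # Iteration count is an assumed value for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Verified against when the username is unknown, so a failed login does the
# same amount of hashing whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def register(username, password):
    """Registration is the one place where format rules are spelled out."""
    errors = []
    if "@" in username:
        errors.append("Username can't be an email address.")
    if len(password) < MIN_PASSWORD_LEN:
        errors.append(f"Password must be at least {MIN_PASSWORD_LEN} characters long.")
    if username in _users:
        errors.append("Username is not available.")
    if not errors:
        salt = os.urandom(16)
        _users[username] = (salt, _hash(password, salt))
    return errors


def login(username, password):
    """Return (ok, message); malformed, unknown and wrong all look the same."""
    known = username in _users
    salt, stored = _users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if known and matches:
        return True, "Welcome back."
    return False, GENERIC_LOGIN_ERROR
```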
This discussion has been closed.
Comments
I can understand how that may be a bit confusing based on the error message it provides seeming like it may be talking about your password when it's likely referring to your username (in this case, the fact that you're trying to enter your email address vs. your username), so I'll be sure to share that feedback with the team!
I'm going to go ahead and close this thread out now, but please don't hesitate to reach back out if there's anything else we can assist with in the meantime!