
[Security] RuneScape Account Security

Started by Vio, August 29, 2011, 03:05:57 PM


Vio

Last updated 12/05/2013

Have you ever been hacked? If not, take a moment to think about what it would be like for you. Imagine logging on and finding everything you own gone - your entire bank cleaned. How much would you lose? Now, ask yourself the following question: "Am I really taking all the steps necessary to prevent this from happening to me?" And I know, a lot of you have probably been hearing this question for years in various places, but this time it's coming from me - a clanmate and friend.

Ask yourself.

It's not hard to have good security practices. However, I'm quite proud to say that in almost nine years of RS, I have NEVER been hacked. Why? Because I don't just have good practice, I have the absolute best. You all know the usual "don't tell anyone your password blah blah blah", but there are MANY areas of security to cover. This guide covers all of them - everything from basics to best. It's a tl;dr, but if you don't want to take the risks, go ahead and read it. I know I would. It won't protect you 100% from being hacked, but you never know if you might learn something new that could save you.




CONTENTS

Your Password
Other Security Features
Hacking Methods
General Safety Practice
Final Notes





YOUR PASSWORD

What's in a password? Well, a RS password is not easy to brute-force (use a program to guess), but that does not mean it's impossible. So what's a good practice for password security?

  • At least 8 characters, or more. Longer is better.
  • Alphanumeric. This means a combination of both numbers and letters.
  • Hard to guess.
Let me touch on that last point. A person I knew was once hacked because he used his birthday (not the same, but an example: "September18th1995") as his password. That example is 17 characters, alphanumeric, and still pretty bad. Do NOT underestimate us when we say "hard to guess", because we mean it. I've known people to use passwords like "dragonkite#" and even as bad as a simple one or two words. It shocks me.

You may ask, "what's hard to guess?", in which case I reply with "meaningless."

My password is a 20+ jumble of characters in alphanumeric uppercase and lowercase. They were all randomly thrown in off the top of my head, and there is absolutely no meaning to them. Well, there you have it - I have just explained my password one step short of actually revealing it on a public forum. And I'm not insane, nor wanting to get hacked. I know I won't, because my password is SECURE.

To explain, I'll use some comparisons of password strength under a brute-force hack attempt. Thanks to Robbie for some of these stats. His backup PC is a dual-core 2.6 GHz Athlon, which can test 5,546,000 keys per second.

A 5-character password with just numbers would be cracked in less than ONE SECOND.
A 5-character password, alphanumeric, would be cracked in less than THREE MINUTES.
^ Take heed of that line. I know this doesn't account for RS's time limits, but it does make you wonder. How secure are you, really? Now, let's move on to more secure numbers.
A 10-character password, alphanumeric, would take more than 4,795 YEARS to crack at that speed. We can trust the hacker doesn't have a network of supercomputers, so you should be in the safe zone there. See, it's easy to be an idiot about security, but it's not exactly hard to be safe either.

Just for bragging rights, my password is obviously more, but let's call it 20 characters and alphanumeric. That's 62^20 possible variations. At Robbie's rate of over 5.5 million keys tested per second, it would take in the realm of 125,863 yottaseconds to try each one without restriction. One yottasecond is 32 quadrillion years, or 32,000,000,000,000,000 years. Bring it.
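To put numbers on the two points above (Robbie's brute-force timings, and why "September18th1995" is weak despite its 17 characters), here is an added Python example that is not from the guide. It reproduces the keyspace-over-rate arithmetic at 5,546,000 keys per second and estimates how few guesses a date-shaped password really needs; the month/day/suffix/year ranges and the 36-character case-insensitive alphabet are my assumptions, not figures from the guide.

```python
import re
from typing import Optional

# Guess rate quoted in the guide: Robbie's dual-core Athlon testing keys per second.
RATE = 5_546_000

# Alphabet sizes: digits only; letters+digits ignoring case; letters+digits with case.
DIGITS, ALNUM_NOCASE, ALNUM = 10, 36, 62

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def exhaust_seconds(guesses: int, rate: int = RATE) -> float:
    """Worst-case time to try every one of `guesses` candidates at `rate` per second."""
    return guesses / rate


def human(seconds: float) -> str:
    """Render a duration in the unit a reader would use (seconds, minutes, hours, years)."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.3f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < year:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / year:,.0f} years"


def date_shape_guesses(password: str) -> Optional[int]:
    """Guesses needed by someone who assumes the shape <Month><day><st/nd/rd/th><year>.

    Assumed ranges (mine, not the guide's): 12 months x 31 days x 5 suffix variants
    (four suffixes or none) x 150 years (1900-2049). None if the shape does not match.
    """
    m = re.fullmatch(r"([a-z]+)(\d{1,2})(st|nd|rd|th)?(\d{4})", password, re.IGNORECASE)
    if m is None or m.group(1).lower() not in MONTHS:
        return None
    return 12 * 31 * 5 * 150


def effective_guesses(password: str) -> int:
    """The smaller of the raw 62-character keyspace and any structural shortcut detected."""
    raw = keyspace(ALNUM, len(password))
    shortcut = date_shape_guesses(password)
    return raw if shortcut is None else min(raw, shortcut)


if __name__ == "__main__":
    for label, size, n in (("5 digits", DIGITS, 5), ("5 alnum", ALNUM, 5),
                           ("10 alnum", ALNUM, 10), ("20 alnum", ALNUM, 20),
                           ("20 alnum, case-insensitive", ALNUM_NOCASE, 20)):
        print(f"{label:>28}: {human(exhaust_seconds(keyspace(size, n)))}")
    # The guide's birthday example: 17 characters long, yet a tiny effective search.
    print("September18th1995:", human(exhaust_seconds(effective_guesses("September18th1995"))))
```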

However, having a theoretically impossible-to-guess password does NOT make you immune to hacks. The longer your password, in general the harder it is to remember. If you have it copied in a file on your computer and it gets compromised, which I've known some people to do, your hard work is all wasted. If you must, writing it down somewhere else is a much more feasible option. A certain page in a book I'd call the best - somewhere you can access easily, but not a location where people will think to look (or have an easy time looking for that matter), or if they do find it, they won't assume "RuneScape password!". No books? CD sleeves or DVD covers work just as well!

Final tip: NEVER use the same password for other things, such as multiple accounts (spares and pures - well, this isn't as bad: what I do is use one password for my main, a second for my secondary, and a third for all my other spares as they have no real value anyway), clan/fansite boards, and ESPECIALLY not your Email address. Let's move on to that.




OTHER SECURITY FEATURES

What's the first thing Jagex ask for when you try to recover an account? Your Email address. Your Email account needs to be JUST as secure as your password, and I cannot stress this enough. A close friend of mine once lost in the realm of 1.5b because one of the popular clan forums (DI) was hacked, and the password leaked there was not the one for his RS account, but the one for his email. It's suicide, and it's just as bad as reusing your RS password. Keep your Email account just as secure as you do your RS account.

Recovery questions. Well, I won't say it's as "bad" if you use them the way they're supposed to be used (you actually answer the questions they ask)... but I don't recommend it. The stuff Jagex ask, you can give away in a simple conversation with someone who's intent on finding out your information... and a lot of the time you won't even notice. How do you prevent this?

  • Decent: Make up your own questions - stuff you won't usually give away. Don't use something simple like "First clan?", something along the lines of "Number of pairs of socks you own?" (I personally know this off by heart, but most normal people don't... lol, well you get the idea).
  • Better: Randomize the answers. Make them completely different to the questions asked, for example, Q: "Colour of your first bedroom?" A: "A cat called Waffles". It's also a good idea to write these down as explained in the Passwords section, because they will be harder to remember.
  • Best: use the method explained in Passwords - an alphanumeric upper/lowercase jumble for each one. Questions become meaningless, and impossible to guess. Of course, you aren't likely to remember all 5 mixes (as you don't use your recoveries as often as your passwords), so I suppose writing them down is a must. Take the care you would in ensuring their security as described in the Passwords section.

Bank pin. Do you know how many people I run into who don't have a bank pin set? Too many. Two people in my last clan got hacked, and when I spoke to them about it, they said they both didn't have a bank pin set because it was "too much of an effort". And I was trying so hard to resist the urge to say "WELL IT'S YOUR OWN F***ING FAULT YOU F***ING IDIOTS". If you do not have a bank pin, then set one, or don't start crying if someone clears out your bank even though they never would have been able to otherwise. And of course, set the longer recovery time.

I did a test on pins. The stop-times for wrong guesses are 0 seconds, 10 seconds, 14 seconds, 10 minutes. The 10 minutes may seem off-putting, but you can still achieve roughly 24 attempts per hour. 24 possible pins that a hacker can test in a single hour is easily enough to cover the basics.

  • BAD: For god's sake, don't use your birthday or the year you were born. It's their first guess.
  • BAD: Actually, avoid using years at all. 19## and 20## will be top guesses.
  • BAD: Something stupid like 1111 or 1234. It's their second guess.
  • GOOD: Something meaningful to you personally e.g. Duration of your favourite song
  • GOOD: 4 random, meaningless numbers, higher and lower, e.g. 7162. Memorise it, it's not hard.

Antivirus Software. Reasons for this will be covered in the next section. You *can* get away with using free antivirus software - it's better than nothing. AVG is my preference. Keep it updated - there's no point in having antivirus software if it's out of date. Usually it will automatically update, but if not, DO IT RIGHT NOW. You can set it to update while you finish reading this.

If you can, purchase something better. My two recommendations are Norton or Kaspersky. This is strongly recommended. Basic knowledge applies: keep it updated, and two or more antiviruses running at the same time is just as bad as having none at all. Do constant scans - not daily, but weekly. Monthly at the very least. You never know when you could get an infection.




HACKING METHODS

It's not all about brute-forcing. Sometimes it's about phishing or keylogging. These are actually more common, so let's get straight into it.

Phishing sites, or "hack sites", or "scam sites". Whatever they are, the ultimate endgame is to get your password. So, before you EVER enter your password on a webpage, there are 2 things you should consider:

  • How did I get here? Did I follow a link someone gave me on the IRC? Did I click on a link from somewhere not on the original RuneScape website?
  • Am I on the actual RuneScape website?
If you're unsure about #1, ask #2. Then take a look at the web address you're currently on. Do NOT judge from the webpage itself - it is really not hard to make a replica of the RuneScape website which looks almost 100% legit at first glance. What you should look at is the WEB ADDRESS. The cheap scam sites will be blatantly obvious, something similar to "www.runescape.com.imafaggot.tk", but I have seen people go as far as to actually buy a domain - for example "www.runeescape.com". Did you notice the 2 e's? Because there are quite a few people who don't.

Don't fall for the obvious. Secure pages (https:// or with the lock symbol) are NOT a definite sign that you are on the true RuneScape website. If it looks too good to be true, it is (the "post on my forums topic for a free 100m!", I've seen it so many times). There is no RuneScape 3 beta testing (well, there is now, but you get the picture). But let's just assume you have entered your password on one of these sites by accident. More often than not, you will get SOME form of error - be it a "technical issues" page or whatever. If this happens and you realise you're on a phishing site, CHANGE YOUR PASSWORD RIGHT THE FUCK NOW. Then scan your entire computer, and then change it AGAIN.
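As an added example (not from the guide), here is a Python check that applies the "look at the WEB ADDRESS" advice above: it parses the host out of a URL, accepts only runescape.com and its subdomains, flags hosts that bury the real name inside a subdomain of some other site, and uses edit distance to catch one-letter lookalikes such as runeescape.com. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The genuine domain the guide tells readers to check for; anything else is suspect.
LEGIT_DOMAIN = "runescape.com"


def hostname_of(url: str) -> str:
    """Extract the lower-cased host, ignoring scheme, path, port and credentials."""
    if "://" not in url:
        url = "http://" + url          # bare hosts such as "www.runescape.com"
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only when the registrable domain is exactly runescape.com.

    Note that https and a padlock say nothing about this: the check is on the name.
    """
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion turns runescape into runeescape."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'impersonation' (real name buried in another site's subdomain),
    'lookalike' (registrable domain within 2 edits of the real one) or 'unrelated'."""
    host = hostname_of(url)
    if is_legit_host(host):
        return "legit"
    if LEGIT_DOMAIN in host:
        return "impersonation"        # e.g. www.runescape.com.<attacker-site>
    registrable = ".".join(host.split(".")[-2:])   # crude: last two labels
    if edit_distance(registrable, LEGIT_DOMAIN) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs: the genuine site, the two tricks the guide describes,
    # and an unrelated site.
    for url in ("https://www.runescape.com/", "www.runescape.com.attacker.example",
                "http://www.runeescape.com/login", "https://example.org/"):
        print(f"{url:40} -> {classify(url)}")
```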

Phishing emails. Back in the day, these weren't a big threat, but with the integration of Email addresses into account security, they've become a real bitch. In fact, some people have even managed to make it look like the Email came from Jagex Ltd legitimately - address and all. The majority of phishing emails will be something along the lines of "Your account has received a major infraction", which Jagex DO NOT EMAIL YOU ABOUT. If you want to check for yourself, go to the RuneScape homepage YOURSELF, and log in there. DO NOT CLICK THE LINK IN THE EMAIL.

Keyloggers. It is really not too hard to keep yourself safe from keyloggers. Frequent virus scans as well as being smart about what you download is enough. Too good to be true? It is. "HURR THIS PROGRAM LETS YOU DOUBLE YOUR MONEY HERP DERP" is really the extent of keylogging. You don't NEED to download anything to play RuneScape (except TeamSpeak for WG and maybe SwiftKit). If you think you have a keylogger, update your antivirus, scan your computer, and THEN change your password once you are sure you are clean.

IP Addresses. Can you get hacked if someone knows your IP address? Yes, you can. However, the level of skill required to actually do this (which involves accessing and modifying your router in order to infect your computer) is not something most hackers will waste on RuneScape accounts. If your IP is revealed, usually the worst that happens is you get a DDoS attack from the guy you camped in the last PKRI (If you have a dynamic IP, unplug your router for about a minute to reset your address). But I am NOT saying that IP hacks do not happen. The deterrents for this are a strong password on your router, a good firewall and antivirus, and of course not waving your IP address around for everyone to see.




GENERAL SAFETY PRACTICE

This section covers game-related security practice.

Check the Login Screen. It's there for a reason. Get into the habit of checking the "last login from" section EVERY time you log in. Get to know your IP address and hostname. Just a quick glance works - is this me? Yes - I'm ok! No - hit the panic button. There are also four boxes below that - Email Registration, Recovery Questions, Messages and Membership. They all should be green ticks, but you only need to worry about the first two. Did I request this Email change? Did I set these new recovery questions?

Bank your items when you log out. It's that simple. I don't care if you're only going for dinner for 10 minutes. Do you know when you're about to be hacked? NO, you don't. And if someone who doesn't know your pin logs into your account to find that 90% of your wealth is what you're wearing or in your inventory, they're going to be one happy hacker. Don't take chances.

Lend rares out at night. Make a noob happy. If you have a rare or really valuable lendable item, give it to someone on a 12 or so hour lend before you go to sleep. The two most common places a hacker goes for are bank and Grand Exchange, but usually they don't go for the returned items box. There's an epic video on RSFailBlog of a guy who gets hacked for around 600m, but the hacker misses the yellow partyhat he had lent out the previous day.

Consider hack-insurance. Hack-insurance is a way of hiding valuables around RuneScape, so that your accumulated wealth is not all in your bank. There are many ways to do this.

  • The Treasure Chest in a costume room of your house can hold various treasure trail rewards such as Third Age armour, worth millions.
  • The Artisans Workshop furnace in Falador can store around 50m worth of ores, and is protected by a bank pin.
  • For less rich players, the tool leprechauns can hold 255 compost and supercompost (at the time of writing these amounts are roughly worth 245k and 36k respectively).
  • The Miscellania kingdom (Quest: Throne of Miscellania) could also be used as a form of hack-insurance.
  • And of course, transferring some money/items onto spare or separate accounts always works nicely.

Account placement. This isn't general practice, but can be used if the risk of being hacked is higher - e.g. you're not going to be playing for a while, such as when going on holiday. If your account is at the GE, it makes things easy for hackers, but if it's somewhere awkward and hard to reach a bank from, it won't stop all hackers, but it will be off-putting. One of the best ways is to bank everything except a knife, go up to the Mage Arena entrance in deep wilderness (mage bank), cut one web, enter the room between both webs, and drop the knife. If a hacker logs in, it's impossible for them to escape without someone else coming to cut the webs. However, this will only work if you do not have a knife or hatchet in your toolbelt.




FINAL NOTES

I was considering adding in a "what to do if you get hacked" section, but considering the rest of the guide is about preventing yourself from getting hacked, it would be awkward. Basically just learn from your mistakes to ensure it doesn't happen again, don't ragequit - it's easy to rebuild, and PLEASE don't go around spamming "I got hacked pls donate".

If you've read through the entire guide, I congratulate you. But of course, you must be thinking, "It's impossible to do all this s*** without getting fed up." I can tell you, I've been doing it for 8 years and I'm perfectly fine with it. It's all about getting into a routine - once you do, it becomes a habit. And in some ways it's actually enjoyable - I love the feeling I get when I type my password in, because I know it's one of the most secure passwords out there, or when I walk past the furnace in Falador and know I have 50m worth of ores tucked away there. I'm weird like that.

In 2003 I was not exactly hacked, but scammed out of my account (around age 9, fell for the "change ur password and press alt+f4 for free stuff"). Since then I've taken whatever steps I deem necessary to ensure my account's safety. I don't call it being a security whore, it's more like being smart. I have not been hacked in the nine years I've played, and so I've shared my knowledge on how I help ensure that with you here. This guide will not prevent you 100% from being hacked - I know that it could happen to me at any time. But I'm sure as hell not going to make it easy.

Death_Outlaw

GJ Keanu, obviously took a lot of effort :D
I hope you make a 'How to rebuild' guide also, so if people do get hacked they can read it and learn from it instead of just automatically rage-quitting.

Redcharm hacked me once via IP Address from MSN :'(

Quikdrawjoe

64 character upper and lowercase letters, numbers, and symbols.

Hacker no hack
Former Tip.It Super Moderator, LND Legionnaire, WG Elite Guardian

Tip.It and WG Real Life Meeting Attendee

Vio

Quote from: Quikdrawjoe on August 29, 2011, 03:41:48 PM
64 character upper and lowercase letters, numbers, and symbols.

Hacker no hack

I tried working out how long it would take to brute-force that.
My calculator broke.

Zemus

Quote from: DG Keanu on August 29, 2011, 03:46:59 PM
Quote from: Quikdrawjoe on August 29, 2011, 03:41:48 PM
64 character upper and lowercase letters, numbers, and symbols.

Hacker no hack

I tried working out how long it would take to brute-force that.
My calculator broke.

I tried working out how long it would take to type that in all the time.
My face broke


But umm yh read the whole guide, good read. Didn't realise how big of a difference it makes for brute-forcing. Generally my passwords are pretty long with random numbers/letters like yours, but then sometimes I'm lazy with certain passwords.



Mark



I set the standard.

Sean

Unfortunately, RuneScape passwords don't take into account the upper/lower case letters. HeLlO is the same as hello - that is, unless they've changed it recently.

You might want to update your guide :p




~ Former Elite of The Sabre Clan :: RuneFest 2010 & 2011 Attendee ~
~ Original Descendant Guardian :: Ex-Wilderness Guardian (2005-2006) ~

Taibz

I got hacked a few days ago :'(

Logged onto RS after a few days of not playing and everything was normal. I had all my items in bank and such.
I stood AFK while looking at OUR forum.
When I was done reading on our forum I decided to do something on RS.
I saw that I was logged out, but since it had been a few minutes since I went AFK I didn't freak out.
When I tried to log in it was the wrong password. I tried several times but it didn't work.
Luke managed to get back the account (I bought it from Luke if you didn't know) and I logged on.
I found myself at GE without any items on just as before, but when I opened the bank I saw something different.
I had 1gp, my BGS was gone and so was my ZS and my whip.

Now I have around 3m bank altogether. I'm lucky the hacker didn't take all my pk supplies.

Sucks bad..