Well, how much time to spend on it is for me to decide, and that's why I asked to see if many people had experienced trouble with it.
What I do is attempt to acquire information before making decisions.
EDIT:
Also I put questions out there in case people come up with good ideas. I don't just leave things in a (possibly) broken state (or hard to use) when a small improvement will make a world of difference (and maybe avoid a thousand tech support emails).
EDIT2:
Also I can see a live stream of the master server and I see a lot of "Your unlock code does not match" (which is different from "You need to set an unlock code") so I do wonder if they are really just typing in the wrong thing (e.g. a WEB password or old GAME password) or they are getting a sort of copy and paste error.
It should auto clear if you paste straight in when the dialog is open (without clicking within the text). When you see all the text highlighted (like CTRL+A) that will be replaced when you paste the new value. You can confirm this with the number of characters which will be 20 if it's a valid key.
I wonder if the way that specific dialog works should be improved to make it easier and avoid any errors.
By the way, has anyone had a problem like they really think they copied and pasted the unlock code correctly, but it just says "Your unlock code does not match" after you click the unlock button?
That seemed to happen to me after setting a new code. Maybe I didn't copy it properly? But it's hard to know what can be the problem as it looks like a load of dots. I've heard a couple of reports like "the code didn't work" that could be like this.
Eventually I copied again (without getting another new code) and it did work.
I think maybe the update needs an 'eye' icon beside the unlock code field so you can see the unlock code.
To be clear, the new system does not 'consume' one of your unlocks, if your LFS was already unlocked with your old password. The consumption of an unlock could only happen if you clicked "Lock LFS - return to Demo" by mistake (which is not needed).
You are supposed to do simply this:
1) Visit details page
2) Click: send email with a new unlock code
3) Get email.
4) Paste code from email into LFS "GAME password"
5) Click unlock.
That's all there is to it. It's really not a big deal. I have added one unlock to your account so it will let you try again now.
Sorry but your report doesn't make that much sense.
The system is well tested and has already worked for hundreds of people.
You'll have to be very specific about exactly what you do, step by step, and the exact error messages you see, so we can try to see where it goes wrong for you.
As Flame pointed out, email verification has always been required to create an account.
No personal details are required, other than your email address.
This is all about protecting the accounts of our users, so "grotesque" is a bizarre description of our increased security measures. If you find it grotesque to provide an email address, you'd better not join in the first place.
That is correct but you do need to click the link "send email to set new address" to start the 7 day timer, which you should clearly see on your details page.
1) Visit details page
2) Click "send email to set new address"
If you can't access your existing email address then you need to wait a week after clicking that link, then you can proceed without access to your old email, to set a new email address.
3) Wait one week and come back to your details page, you will see a link to proceed.
It's the only way we can prevent license thefts. It is very important to make sure your LFS email is up to date.
Please do not ask technical support for help. Geraldine cannot help with this, she would have to email the old address to make sure the existing owner hasn't had their account stolen, then give them a week to reply. We have an automated process in place to do that. She doesn't have the time for this. It is your responsibility to keep your email address up to date.
In case you get one of these messages and you don't know what it is:
A change has been made to improve security.
You now have only one password, that you use for the website.
In game, you use an "unlock code" instead of the old "GAME password".
How to use your unlock code:
Please install the test patch with better support for the new unlock code. Test patch: [EDIT: official version is now available]
Then...
1) Visit details page
2) Click: send email with a new unlock code
3) Get email
4) Paste code from email into LFS "GAME password" (or "Unlock code" in the new test patch)
5) Click unlock
The "GAME password" or "Unlock code" field is in the LFS unlock screen, accessible by a button at the bottom right of the entry screen.
If you do not have access to your registered email account:
You will need to register a current email address to receive your unlock code. But with our improved security, to change email instantly you need to confirm the change by receiving an email on your old address. Alternatively you can wait 7 days to proceed without confirming the email on your old address.
To do this, visit your details page and click the link "send email to set new address" even though you know you won't receive the email. Now you can see the time, 7 days ahead, when you will be able to set a new email address without the instant confirmation. This time remains visible on your details page.
Why do we need confirmation on the old email address or force you to wait 7 days?
This is to prevent license theft by anyone who manages to log into your account by somehow obtaining your password. Some people may have had passwords that were easy to guess. Others entered their LFS user name and password into at least one site run by hackers. This really happened and we had to rescue hundreds of accounts and return them to their original owners.
Before recent changes it was possible to change password and emails instantly, enabling theft of licenses. Now we send an email to the old email address and we give the recipient seven days to respond.
There was a 20 minute break when I zeroed the old passwords on the master server. Testing in a test environment only resulted in a few seconds pause, but the main master server took a lot longer than expected. Maybe that's what you are talking about?
I think it may be a good idea to release a compatible patch for this and the other updates in the current Test Patch with the new translation texts that you mention.
As part of the ongoing security updates, we have made a change which is significant in a way while not technically a big change.
The WEB password is now called simply "password" and you can no longer manually set a GAME password.
The GAME password is now called "unlock code" and is set automatically and sent to you in an email when you click a link on your details page.
In the next few days we will start passing through and zeroing any old GAME passwords that have not been updated for the new system.
EDIT: Now that we have already zeroed the old GAME passwords...
How to use your unlock code:
Please install the test patch with better support for the new unlock code. Test patch: [EDIT: official version is now available]
Then...
1) Visit details page
2) Click: send email with a new unlock code
3) Get email
4) Paste code from email into LFS "GAME password" (or "Unlock code" in the new test patch)
5) Click unlock
The "GAME password" or "Unlock code" field is in the LFS unlock screen, accessible by a button at the bottom right of the entry screen.
If you do not have access to your registered email account:
You will need to register a current email address to receive your unlock code. But with our improved security, to change email instantly you need to confirm the change by receiving an email on your old address. Alternatively you can wait 7 days to proceed without confirming the email on your old address.
To do this, visit your details page and click the link "send email to set new address" even though you know you won't receive the email. Now you can see the time, 7 days ahead, when you will be able to set a new email address without the instant confirmation. This time remains visible on your details page.
Why do we need confirmation on the old email address or force you to wait 7 days?
This is to prevent license theft by anyone who manages to log into your account by somehow obtaining your password. Some people may have had passwords that were easy to guess. Others entered their LFS user name and password into at least one site run by hackers. This really happened and we had to rescue hundreds of accounts and return them to their original owners.
Before recent changes it was possible to change password and emails instantly, enabling theft of licenses. Now we send an email to the old email address and we give the recipient seven days to respond.
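The email-change rule explained above (confirm on the old address to proceed instantly, or wait 7 days from the click, then confirm the new address) can be modelled as a small state machine. This is an added example, not LFS code; the `EmailChange` class, the function names and the token format are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOL_OFF = timedelta(days=7)  # waiting period stated in the post


@dataclass
class EmailChange:
    """One pending change request (hypothetical model, not LFS code)."""
    requested_at: datetime            # the click that starts the 7-day timer
    old_token: str                    # mailed to the currently registered address
    old_confirmed: bool = False
    new_email: Optional[str] = None
    new_token: Optional[str] = None   # mailed to the new address


def start_change(now: datetime) -> EmailChange:
    """User clicked 'send email to set new address'."""
    return EmailChange(requested_at=now, old_token=secrets.token_urlsafe(16))


def confirm_old(req: EmailChange, token: str) -> bool:
    """Link followed from the old mailbox: opens the instant path."""
    if hmac.compare_digest(req.old_token.encode(), token.encode()):
        req.old_confirmed = True
    return req.old_confirmed


def may_set_new(req: EmailChange, now: datetime) -> bool:
    """Either the old address confirmed, or the full week has passed."""
    return req.old_confirmed or now >= req.requested_at + COOL_OFF


def set_new(req: EmailChange, new_email: str, now: datetime) -> str:
    if not may_set_new(req, now):
        raise PermissionError("old address not confirmed and 7 days not elapsed")
    req.new_email, req.new_token = new_email, secrets.token_urlsafe(16)
    return req.new_token              # sent to new_email; nothing changes yet


def confirm_new(req: EmailChange, token: str, account: dict) -> bool:
    """The account's address changes only once the new mailbox confirms."""
    if req.new_token and hmac.compare_digest(req.new_token.encode(), token.encode()):
        account["email"] = req.new_email
        return True
    return False
```

Someone who has only the account password can start the timer but cannot finish the change for a week, during which the owner still receives mail on the old address.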
I did repeat the operation for demo racers as well. So, just like licensed racers, all demo racers on the hacker list got an email and their passwords were removed if a match was found. It seemed the right thing to do for their security.
On the continuing security improvements:
- email address can now be changed by two possible methods
1) receive a confirmation email on your old email address and proceed instantly
2) wait 7 days to proceed if you cannot access your old email
[after each of these, the new email address must also be confirmed, as before]
- immediate logout on all browsers when WEB password is reset
- must wait half an hour after 3 failed unlock attempts
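A sketch of how an emailed 20-character unlock code could be checked with the three-failures, half-hour wait listed above, while tolerating whitespace picked up by copy and paste. This is an added example, not LFS code; the character set, the SHA-256 storage, the `WRONG_LENGTH` and `WAIT_MSG` texts and the choice not to count wrong-length input as a failed attempt are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

CODE_LEN = 20                     # a valid key is 20 characters (from the thread)
MAX_FAILS, WAIT = 3, 30 * 60      # three failed attempts, then half an hour
ALPHABET = string.ascii_letters + string.digits   # assumption: set not given on the page

NOT_SET = "You need to set an unlock code"        # message quoted in the thread
NO_MATCH = "Your unlock code does not match"      # message quoted in the thread
WRONG_LENGTH = "Unlock code must be 20 characters"  # hypothetical message
WAIT_MSG = "Too many failed attempts, try later"    # hypothetical message
UNLOCKED = "Unlocked"


def digest(code: str) -> bytes:
    # A fast hash is acceptable here only because the code is long and random.
    return hashlib.sha256(code.encode()).digest()


def issue_code(account: dict) -> str:
    """Generate a fresh code; store only its hash, return the text to email."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    account.update(code_hash=digest(code), fails=0, locked_until=0.0)
    return code


def try_unlock(account: dict, pasted: str, now: float = None) -> str:
    now = time.time() if now is None else now
    if account.get("code_hash") is None:
        return NOT_SET
    if now < account["locked_until"]:
        return WAIT_MSG
    code = "".join(pasted.split())        # drop spaces and newlines from the paste
    if len(code) != CODE_LEN:
        return WRONG_LENGTH               # cannot match, so not counted as a failure
    if hmac.compare_digest(digest(code), account["code_hash"]):
        account["fails"] = 0
        return UNLOCKED
    account["fails"] += 1
    if account["fails"] >= MAX_FAILS:     # third miss starts the half-hour wait
        account["fails"], account["locked_until"] = 0, now + WAIT
    return NO_MATCH
```

Returning a separate wrong-length message separates paste errors from genuine mismatches in the server log without revealing anything about the stored code.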
Another update, I've worked all day and evening and finally could take action after enough data processing and testing.
Using an automated script, I have sent an email to all licensed users whose usernames appear in the file.
If they don't have matching passwords, the email is just an advisory and suggestion to check they can still log in and possibly update their passwords. If matching passwords were found, the real passwords have been removed. The emails are adjusted for the action taken.
This drastic action was necessary for all the accounts in the file, with passwords that match real LFS passwords. Unfortunately in some cases we will just be sending an email to someone who has already stolen the account. I hope we will prevent a lot of accounts being taken over and used online.
Maybe I will repeat this action for the Demo accounts tomorrow.
This morning I've been detecting which of the listed user names have a password that matches an LFS WEB or GAME password.
Many of the users on the hacked database aren't really LFS users. We know this as around 40% don't have a user name that matches an LFS user name. Around 60% do match an LFS user name, but even then, it's not necessarily an LFS user.
The only way to be fairly certain it really is an LFS user, is if the hacker list username+password matches an LFS username+password (WEB or GAME password). Password matches are a significant minority that we have to deal with because of the security implications. In those cases (password match) we intend to change the password and notify the user (via email) using an automated process.
But I've done a quick test to find out which countries the matching user names come from. This is from the full list of hacker list usernames that match an LFS username, including DEMO accounts.
To be clear, these numbers are too high, because they include some user names that are not really an LFS user (e.g. someone just happened to choose the same username as an LFS user). Also to be clear these are mainly DEMO accounts. I've only shown countries that have more than 100 users listed.
Looking at the numbers below, it seems most likely to me that the source is "LFS Pro" which was a pirate community and master server system based in Brazil.
I'm thinking this because Brazil itself is 2nd on the list and Portugal is 4th, which is higher than expected given the size of Portugal. In my opinion it's because of the language connection to Brazil. Also 3rd on the list is Argentina, probably due to the South American connection.
I'm not really sure why Turkey is on top. Maybe it's because LFS has always been popular in Turkey and LFS seemed expensive there, so a lot of Turks went for LFS Pro. Or possibly the list has come from two separate sources?
TR 7523
BR 3745
AR 1250
PT 1167
BG 737
LT 727
ES 693
US 677
RO 488
PL 438
IN 428
ZA 399
GB 371
HU 337
FR 323
IT 309
DE 275
SA 264
GE 262
PK 245
CZ 236
RS 224
LV 221
CL 213
CO 187
FI 181
UY 167
SE 162
NL 162
GR 150
AE 148
DZ 144
PH 142
EG 141
AU 137
CA 130
ID 125
MX 124
EE 113
DO 110
BA 108
SK 107
MA 106
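The triage described in the posts above (look up each leaked user name, test the leaked password against the stored WEB and GAME passwords, then either send an advisory or remove the password and notify the owner) can be sketched as follows. This is an added example, not the script that was actually run; the salted PBKDF2 storage, the name-length bounds, the action labels and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

NAME_MIN, NAME_MAX = 3, 24   # assumption: the page gives no actual length limits
RESET, ADVISORY = "remove password + email", "advisory email"
UNKNOWN, INVALID = "not an LFS user name", "invalid name"


def hash_pw(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme; the page does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(web: str, game: str = None) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "web": hash_pw(web, salt),
            "game": hash_pw(game, salt) if game else None}


def triage(leak, users) -> dict:
    """Map each leaked user name to the action taken for it."""
    actions = {}
    for name, leaked_pw in leak:
        if not NAME_MIN <= len(name) <= NAME_MAX:
            actions[name] = INVALID       # too short or too long to be a real name
            continue
        user = users.get(name)
        if user is None:
            actions[name] = UNKNOWN       # name not found in the database
            continue
        candidate = hash_pw(leaked_pw, user["salt"])
        hit = False
        for field in ("web", "game"):     # either password counts as a match
            if user[field] and hmac.compare_digest(candidate, user[field]):
                user[field] = None        # exposed password removed; reset is by email
                hit = True
        if hit or actions.get(name) != RESET:   # a later miss never downgrades a reset
            actions[name] = RESET if hit else ADVISORY
    return actions


# Constructed sample data, not taken from the leak discussed on this page.
USERS = {"alice_r": make_user("correct horse", "pit-lane-42"),
         "bob": make_user("s3cret!")}
LEAK = [("alice_r", "pit-lane-42"), ("bob", "guess"),
        ("nobody_here", "x"), ("zz", "pw")]
```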
An update on the recent thread about a leak of LFS passwords from an unknown source.
After an LFS user admitted having a list of tens of thousands of username + password combinations, after some heated discussion on a thread that has now been removed, the user admitted he shouldn't have done this and decided to send the information, to start to put right the situation.
We are grateful for this action; after the initial disruption, this was the right thing to do.
I have started to analyse the data. I don't want to give exact figures but the user names are in the 10s of thousands.
Of these, roughly 5% are invalid (too short or too long, can't possibly be an LFS user name).
Of the possibly valid names, around 40% are not found in our database.
The other 60% are valid user names. Of these, more than 90% are DEMO and under 10% are LICENSED.
So many user names are invalid, proving that if these names come from a single source, it's not an official LFS source. I believe that people may have used their username somewhere else. Maybe in a pirate community or in some other app that required their user name.
I will do further checks on this data, but wanted to give you an update on the progress so far. Many of the licensed users will need to be contacted in some way, probably by an automated email.
I'll leave the thread closed for now as I don't really think I need more info at this point.
Changes I have made in the past few days regarding security:
- You now get a notification email if anyone logs in using your account.
- WEBpassword can only be changed via an email (like the "Forgot your password" system).
- GAMEpassword can also only be changed via an email.
So now it should be impossible for you to lose control of your account if you haven't already. Although for all the accounts we have not yet protected, if your password is known to any hackers with this data, they can obviously log in to your account and change various settings. At least you will receive an email if they do log in.
A note on security, even if it may sound repetitive:
- Please, DO NOT use a GAMEpassword that is the same as your WEBpassword
- Please, DO NOT use passwords that are the same as the passwords on any other accounts you care about
- NEVER ENTER YOUR LFS USERNAME AND PASSWORD INTO ANOTHER WEBSITE OR PROGRAM
- IF YOU HAVE EVER ENTERED YOUR USERNAME AND PASSWORD SOMEWHERE ELSE - CHANGE YOUR PASSWORDS NOW!