Zips' Guide to Account Security - Old School Runescape
*This guide's purpose is to outline recommended practices and briefly delve into the purpose of each.* *This guide's format was definitely not stolen from Cow.*
Table of Contents
I. The RuneScape Account
  i. Password
  ii. Two Factor Authentication
II. The Email Account
  i. Password
  ii. Two Factor Authentication
Let me start by stating that security is flawed and there is no such thing as a perfectly secured account. Your account will be under threat by everything from database leaks to human error. This guide is only an outline of what is considered best practice given the options available.
I. The RuneScape Account
If you're on this forum you likely have an account with some gold on it. Likewise, if you've read that last sentence you care about account security more than the average user. Congratulations, prep yourself for torture. Security is inconvenient and annoying.
Depending on how badly addicted you are to this game, you may want to have a secure password. There are many recommendations for password security across the Internet but most share points in common. I'll defer to a well-respected expert:
- Use a unique password that uses a combo of words, numbers, letter-casing, and symbols. At least 8 characters.
- Do not use easily guessed passwords such as 'DragonClaws' or 'FishingLevelNice'.
- Do not use details of your life that can be gathered from places such as Facebook or Reddit.
- Avoid using simple combos like 'qwerty' or 'asdfghjkl'.
- Some of the most memorable and secure passwords are a string of words. They can have special meaning, but see point 3.
- NEVER use the same password you've used on another site. This includes small additions to the password like a 1.
- Don't keep the password in plaintext on your computer. Services like LastPass work well, but are subject to leaks.
- Don't save your passwords in your browser. These can be recovered.
The above should be applied to all passwords used, not just RuneScape. There are a few details about RuneScape that conflict with the above:
- RuneScape does not allow symbols in passwords.
- Passwords on RuneScape are case-insensitive.
- Passwords are limited to 20 characters (boo-hoo, right?).
At this point you're likely thinking, 'My password is already secure'. To you I say, 'go back to the statement in the preface.' A majority of us reuse passwords, or include things like our pet's name or our birth town. Those passwords can be replaced with a secure, yet easy to remember password. Phrases like 'Miami10pineappleCake' are much more easily remembered than a password like 'B32^laN9-', especially when you recite it every day on login.
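To make the RuneScape-specific constraints concrete, here is an added example (not from the original post) that checks a candidate password against the rules above as RuneScape would actually see it: symbols rejected, 20-character cap, and case folded away before anything else. The leaked-password set is a constructed stand-in for a breach dump, and the 36-symbol entropy bound assumes only a-z and 0-9 survive case folding.

```python
import math
import re

# RuneScape constraints as stated in the guide (assumed still current).
RS_MAX_LEN = 20
RS_ALLOWED = re.compile(r"^[A-Za-z0-9]+$")

# Constructed sample of a leaked/common-guess list, already lower-cased
# the way RuneScape would treat it. Not real breach data.
LEAKED = {"dragonclaws", "fishinglevelnice", "qwerty", "asdfghjkl"}


def rs_normalize(password):
    """RuneScape ignores case, so this is the password the server effectively stores."""
    return password.lower()


def rs_effective_bits(password):
    """Upper bound on entropy under RS rules: 36 possible symbols per character.
    Mixed case adds nothing, which is why length is the lever that matters here."""
    return len(password) * math.log2(36)


def check_rs_password(password):
    """Apply the guide's rules under RS constraints. Returns (ok, list_of_problems)."""
    problems = []
    if not RS_ALLOWED.match(password):
        problems.append("contains symbols, which RuneScape does not accept")
    if len(password) > RS_MAX_LEN:
        problems.append("longer than RuneScape's 20-character limit")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    norm = rs_normalize(password)
    if norm in LEAKED:
        problems.append("appears in a leak or common-guess list")
    # The guide's point about 'small additions like a 1': strip trailing digits
    # and see whether the base word is itself a known-leaked password.
    elif re.sub(r"\d+$", "", norm) in LEAKED:
        problems.append("is a variation of a leaked password (digits appended)")
    if re.fullmatch(r"[a-z]+", norm) or re.fullmatch(r"[0-9]+", norm):
        problems.append("only letters or only digits; mix words and numbers")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("Miami10pineappleCake", "B32^laN9-", "DragonClaws1"):
        ok, why = check_rs_password(candidate)
        print(candidate, "->", "ok" if ok else "; ".join(why),
              f"(~{rs_effective_bits(candidate):.0f} bits max)")
```

Note that 'B32^laN9-', the 'strong-looking' example from the text, fails outright because of the symbols, while the passphrase passes and sits near the 20-character ceiling of roughly 103 bits.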
Now that we've discussed your account password, let's talk about bank PINs. Use a bank PIN. Period.
Congratulations, your account's password level is now 98. The only thing you're missing at this point is...
ii. Two Factor Authentication
Two-Factor Authentication is essentially a second password to verify you are you. Think of the movie with the nuclear launch and the two guys with the keys. That's 2FA.
2FA for RuneScape comes in the form of the 'Authenticator'. This can be set up on either your phone or desktop (don't) and generates a One-Time Password each time you log in. This is a must-have add-on for the security of your account, but it does come with flaws:
- When recovery is successfully used to get access to the account, your Authenticator is disabled.
- Having the 2FA set up on your PC makes it useless if your PC gets compromised.
- If you lose your phone, you have to recover your account.
- It can be disabled with access to your email (I believe).
That's really it for 2FA. Technology has made it mostly painless.
So you've got your account security tightened up and 2FA enabled. Good on you. Now you need to be aware of the threats to your account: you.
The weakest link in security is always the person using it, and we are all susceptible to this. Even the guy writing this post and ranting about passwords. Some threats you may see against your account are:
- Phishing - Phishing is any technique used on a human to trick or coerce information out of them. You'll commonly see 'Visit my YouTube video to earn 50m'. The comments contain a link to a fake RuneScape login page. They will take any credentials entered there and wipe the account clean. Use common sense and you'll never have an issue.
- Viruses/Keyloggers - These are programs or unauthorized code that run in the background and steal information. This can be anything from the gold duping program you downloaded when you were 12 to background code installed on your computer by a malicious advertisement. The best way to avoid these is to use an AV, an adblocker (uBlock Origin shoutout), and avoid shady RS sites like those that sell accounts.
- Database leaks - Websites that have been hacked or compromised will often have the database containing user credentials leaked, or sold, online. These passwords are not always stored securely (I'm sure James hashes with MD5 at least) and the plaintext passwords are available to try anywhere. This is why it is BAD to reuse passwords, or to use variations of used passwords. You'll be compromised, lose everything, and never know why. This is also why 2FA is important, as it makes the password somewhat useless on its own.
I'm sure I've missed some other threats, so let me know if you think of anything.
Account recovery is a double-edged sword: it can be used by you to recover your account in case of a lost password or email, but it can also be used by someone who has enough information to look like you. Account recovery relies on the following info to recover your account:
- Payment email, zip, type, duration and date of setup
- Any passwords you can remember
- Date and country of creation
- Whether or not you've moved in the past
I won't get much into account recovery as this guide is about security. The reason that recovery is brought up is because several of these items can be found online if your accounts are not secured well.
- Payment details: Payment details can be found in leaks online and can be tied to your email. If this is the same email that you use for RS (hopefully it's not), then they've just tied a payment method to your account. You've also got bigger problems if your payment details are in a leak online.
- Passwords: Passwords can be found in online leaks. If any of the passwords in these leaks have been used on your account then they may help an attacker recover your account.
- ISP: If an attacker knows where you live, which can sometimes be found through leaks, it is sometimes possible to guess your ISP. This is much more of a threat to people in the US as we oftentimes have one ISP with exclusive rights to an area.
A good resource to see if your email has been in a leak is https://haveibeenpwned.com/ . The best defense against all of the above is to keep a separate, secured email for the sole purpose of managing your RS account. That, my friend, brings us to...
II. The Email Account
Arguably the most painful of accounts to secure, and the most essential, your email is the one account that controls access to your other accounts. Locking this account down and giving it a unique password is absolutely essential in securing other accounts, in this case RuneScape.
For password recommendations, I refer you to the same section located under 'The RuneScape Account'.
ii. Two Factor Authentication
2FA is essential to this account and is for the most part painless (see the first 2FA section for specifics). Once you have a 2FA app installed and set up, adding new accounts is pretty painless. Also, just like RuneScape, many services will give an option to remember the device instead of entering a key every time. There isn't really any reason to not be using this, and that's coming from someone who took two months to write this post.
2FA is supported by all major email providers, EVEN AOL. No excuse, go set it up.
For those who want to isolate their email from the sites they use, or who are as paranoid as I am, consider setting up proxy accounts. Proxy emails are essentially emails set up that serve one purpose: receive mail from a website or group of websites, and forward it to your main account. This not only adds a second layer of defense and obscurity, but it also gives you notice of attack attempts if you set it up right. I can personally attest to this on Gmail.
Phishing, viruses, and data leaks are still the largest threats when it comes to your email account. That being said, the accounts you create with your email are another threat. When an account is compromised, those who have its info will likely try to get into your email as it is tied to every account you make. Unique passwords will help protect you, and god forbid you reuse/leak a password, your 2FA will save you.
I'm not going to give the spiel on this one. Account recovery is less of an issue on your email unless you have an account hijacked. In that case there really isn't too much you can do. Your email likely has your real, personal info attached to the account and that can be pretty easy to find. Although it's pretty stupid, setting non-stupid account questions could end up saving your account and is suggested.
That's a 'brief' OCD guide to account security. In the end, I'd argue that a little bit of OCD will cause a tiny bit of inconvenience (negligible) and a lot of security when it comes to your accounts. It really comes down to how much you care about your online identity.
If you want to know more, nitpick my grammar, or get more info, feel free to message me on the Discord (same name).
In light of the recent breach, I again extend an offer of discussion on Discord. Feel free to DM me directly or post your questions in the #Support channel.