This is PokéFarm Q, a free online Pokémon collectables game.

Account Breach incident


selocon
For those who use Chrome: A recent update gave you the ability to have it auto-gen you a strong password and for it to auto-remember it (not good if you're using a public computer!!). This password has all the positives about a strong password: it's long (I think at least 16 characters), has a mix of upper and lowercase letters, numbers, and symbols. Also: pins are...for lack of a better word, dumb. The less numbers in a pin the easier it is to crack, and those randomly generated "ensure you aren't a bot, and answer this stupid math question" thing really only works for sign ups. If I have to go get a pin every time I log in from a new location/device I'd have to stop playing PFQ. I have so many different IPs I cross through while at work, it's no longer funny. Now assume I log in from 12 of those (2 stable) that's 12 pins on day one and 10 pins every other time until I finally log in enough that it's rarer to get a pin. Now imagine how frustrating that would be to have to get a new pin every time you log in? Most 2 step verifications don't require you have to go back and forth--it's usually something right there. Plus, security questions aren't all that secure. Let's say we need to add three questions, and my three are as follows: "What's your pet's name? What's your mother's maiden name? What city were you born in?" Anyone who knows me well enough (or has found my online family tree, which is semi-public), can have the answers to those in about 5 minutes. They only really work to ensure that you utterly give up, especially if you answered different to that first question than you would now. I'm all for 2FA but please, for the love of Sally, do not use pins or security questions, it's just too much hassle.
Avatar by the best lizard ever, Bananalizard #standwithEMS #ELM
Score: 0
Finally finished reading through the rest of this announcement and I'm glad the thief was named, even though I already knew who it was thanks to some other people who found out before I did. I'm beyond disgusted they could do something like this instead of saving up and earning their melans themselves, instead of resorting to the 'easy way out'. Guess they got their 'dream team', but at the cost of getting banned. I always thought "wow that user could afford to dish out such a huge amount on just ONE melan legend, I wish I could get a job that paid that well." I legit just thought it was some person with a high end job lmao.




Avatar is my sona, drawn by Saapricots!


Lovino

QUOTE originally posted by selocon

redacted
profile picture sprites created by https://pokefarm.com/user/sojussimblr
selocon

QUOTE originally posted by Lovino

QUOTE originally posted by selocon

there's no win for anyone with multi 2fa. i have multiple gmails with multiple step verifications just to get on to my account it goes from the system i'm on, having to get a text putting in that text going into my email searching through which folder the confirmation would be in then clicking it then logging out of my gmail. so it would be a pain for everyone. my school when i was in it had to memorize a few 12 digit numbers to get in most got it after a month so pins aren't that hard to memorize but i do see your point with the question part
Thing is, how secure would a static pin be? I guarantee you there are sophisticated enough RNGs out there that can generate hundreds--if not thousands--of random 12 digit combinations which a user could then just paste into the box. Even with the waiting, they could go do something else until the time is up--like watch a music video on YT. Pins are only secure if they're generated every time. Like Yahoo. If I forget my password, in order to change it, I have to get a code they send me and enter all 8 alpha-numeric characters into the box. But it's not static. And having to get a new code every X amount of time is about as memorable as sites that require you to use an entirely new password every 30 days, you finally just resort to storing them somewhere and trying all of them.
Mirzam
The 2FA I use for most of my accounts is the kind that generates a new 6 digit (numbers only) code in an app every 30 seconds or so. You enter that number every time you log in on a new device (it's typically cookie-based, not IP). Most people use an app on their phone like Google Authenticator to generate the codes, but these days there are a lot of options including some that run on desktop or sync your codes across devices (technically less secure, but very convenient). The purpose is that if someone guesses or tricks you into giving up your password, they won't have your app-generated code, and there's no way to effectively guess or collect it since it changes so often. It's still technically vulnerable to certain types of social engineering etc but that can get pretty tricky to pull off. Static PINs you have to memorize are no better than a password. Same with security questions.

Example

Niet [Adam]
The point is, it basically makes it so that you are required to have your phone on you (or whatever device has your registered authentication app) in order to log in successfully. Preliminary review of things looks like it should be possible to implement on PFQ as an option.
Clip from Pokémon anime, re-lined by me
-- OMNOMNOM!
Featured story: Injustice Feedback welcome!
x Arlecchinø
Oh my God, am I glad I am not too rare. Although I do remember some eggs being mysteriously hatched some time back while I was offline. I hope she didn't guess my password I definitely didn't procrastinate changing. I'd die if my bacon baby was stolen, and report it on the spot. Thank you everybody who helped
cy/fev. he/they pronouns. find me at @scorkaji on discord if you need me
avatar is official Honkai:Star Rail art, edited by me. pkmnpanel code
Duusu

QUOTE originally posted by Duusu

Was karenkhor IP locked as well? While she may have been account locked, what is stopping her from making another account?
I just want to bring this forward because I don't believe that there was an answer on this and it was skipped over?
Icon is from "Obey Me!", by NTT Solmare Corp.! || My Trade Shop! || Delta Hoarders United!
ICEBÜNN
Oh wow. I seriously expected not to recognize the user at ALL, but that is a name I have seen far too often. I don’t remember trading with them in the past few months, but I have most DEFINITELY traded with them over the past few years. Quite frankly I’m shocked, and it makes me wonder if they were pulling similar things back then as well.
Bunn, He/Him This is Frida
Avatar by me of my sona (full image), Signature by myself!
MochaFox

QUOTE originally posted by Duusu

QUOTE originally posted by Duusu

Was karenkhor IP locked as well? While she may have been account locked, what is stopping her from making another account?
I just want to bring this forward because I don't believe that there was an answer on this and it was skipped over?
I can answer that right quick. While I don't know the code behind it, ( halp, Niet ) if anyone tries to make an account on an IP with a locked account on it that will be blocked from creating another account onto that IP. Say there's an account ( PokemonFan1357 for example ) on your IP. Maybe it was your brother. You think "okay, I'm gonna make an account too!", but as you are creating your account a box pops up that says - in condensed terms - "oh no! We cannot complete your registration process because there is a locked account on this IP!" Turns out, PokemonFan1357 was locked because they broke a rule too many times. Darn.


© PokéFarm 2009-2024