I raided a couple weeks ago but you weren't in my group! So basically, it's all your fault Haha, seriously though time is freeing up now, and I should be hella more active in a week or two.
The patcher skip login needs to accept pasted text from windows. Having a typable password is bad security. And I'm not sure why DBG limits passwords to so few characters. If you're hashing PWs, it doesn't really matter if my PW is 8, 15, or 255 characters. Transfer amount is trivial, and they all hash to the same length.
The method I use is posted here on reddit. It still requires bypassing the patcher, but I've been doing that for as long as I've been playing.
Hmm. My password is unique to EQ, it's a reasonable combination of characters, and since my login name is stored in the shortcut (and therefore automatically entered without the use of a keyboard or mouse event), any sort of keyboard or clipboard logging is only ever going to have half the puzzle. If you wanted to be a little bit more robust against any attackers, you could subtract come characters from the /login: field, and manually enter the missing characters on the login screen I guess. I also suspect the weakest link is always going to be the login request packets sent to the servers ... how easy are they to reverse engineer? Honestly though, I'm not going to go to much more effort just to secure an EQ account As for limiting the length of passwords, and not accepting pasted text in the login window ... they seem like reasonable things to change. Has it been brought up in the past?
It was less about security, and more about my quality of life. I use a max length PW of random characters, it's not meant to be easy to type or remember. So it's a pain in the halfling to type when I log in by skipping the patcher. Connections to the login server are through https, so they're secure against man-in-the-middle attacks for most users.
