Minecraft Blogs / Article

Account Security - It's important....

  • 2,642 views, 0 today
  • 32
  • 12
  • 15
Ralex avatar Ralex
Retired Moderator
Level 13 : Journeyman Network
Considering the recent compromises of different accounts on different sites, I believe that we all need a nice reminder about account security.

Thanks to citricsquid over at MinecraftForum for writing most of this article for their internal moderation team.


Password security is very important and a lot of common wisdom around passwords is incorrect. A password used for multiple accounts, regardless of complexity, is not a good password, a good password is a password that is only used to access a single service. Every account you use must have a **unique** password, when a password is used for multiple accounts the integrity of that password is compromised.

Database Leak

The most common way that you will be compromised is through a database leak, this is when an attacker obtains a copy of a database from a website (such as myspace.com). A database leak will usually be used to target high value accounts, like PayPal accounts and email accounts.

Leaked databases are often found available for sale and are eventually published online, meaning that it is only a matter of time before your account credentials become public knowledge, and shortly following that every account you hold will be targeted with those credentials. If the username "Lord_Ralex" appears in a leaked database, you can be confident that at some point someone will google "Lord_Ralex" and identify that the Minecraft Forum account Lord_Ralex is high value and attempt to compromise it with the leaked credentials.

The only protection against this sort of attack is a unique password for each service. A unique password for every service that you use is absolutely essential, as any password reuse greatly weakens the security of the password, as it takes just one compromised website to leak that password to the world, which can then be used by malicious third parties to takeover your accounts on other websites.

The website haveibeenpwned.com provides a tool that allows you to see if your email address has been included in any previous leaks, they also provide a service called NotifyMe that will notify you any time a new database leak contains your email address. This service is a great way to understand how much of a threat database leaks are, they are becoming more and more frequent and as time passes you are more and more likely to be included in one.

Targeted Attack

A targeted attack can involve a number of different attack methods, including phishing, social engineering and using publicly available information to take over accounts. Protecting yourself against targeted attack is important, and unfortunately not an exact science because social engineering attacks are constantly evolving, however there are some good steps you can take:

1. **Do not use real information in security questions**, when asked "what was the name of your first pet?" or "what is your mother's maiden name?" you should enter fake information because real information can be found through social media profiles, public records and social engineering.

2. **Always enable 2 Factor Authentication on your email account**, if your email address password is compromised then all of your online accounts become compromised because access to an email inbox is often all that is needed to reset an account's password, 2 Factor Authentication gives you a second line of defense against password compromises. Any reputable email provider will support 2 Factor Authentication, Google Account users can learn more here. If your email provider doesn't support 2 Factor Authentication: switch to one that does.

3. **Always verify that you are logging into the correct website**. After clicking on a link to a website you should verify that you are on the correct website if you are asked to login, targeted phishing via Private Messages and emails is common.

4. **Never run files from untrusted sources**. If you do not know where the file comes from, don't run it. Chances are, you will get some of your data stolen, and that will be enough to start compromising you.

Password Security Best Practices

**A password must be unique** to a service, you must never use the same email and password combination for more than one account. There a few ways to manage this, you can create your own password formula based on the name of the service your account is for, you can randomly generate passwords and write them down in a book (kept in a secure location) or you can use a password manager.

A password manager is an application that stores a database of your passwords for every service you use, these applications are available for a variety of platforms, they can be local only (you store the database on your computer) or they can be cloud hosted (your passwords are accessible from anywhere). A password manager is the recommended way to manage your passwords, they will generate secure unique passwords for each service you log in to, too.

A password manager should be protected by a unique password that you have memorised, and where possible you should also enable 2 Factor Authentication on your password manager. A password does not need to contain a jumble of random characters, a good password can be a sentence or a combination of random words, this online generator provides examples of passwords you could use.

Password Managers

Dashlane - A password manager and secure digital wallet with a free service that will allow you to use the password manager on one device, for $40 per year you can sync your passwords, payment details and secure information across any number of devices. Dashlane supports 2 Factor Authentication.

Keepass - A free desktop application that **does not** offer any syncing across devices, users can use a service like Dropbox to keep their password database synced across their devices.

1Password - A password manager and secure digital wallet available across any device with cloud sync for $36 a year. 1Password has native support for 2 Factor Authentication.

LastPass - A free password manager with a browser extension that syncs your passwords in *the cloud* and provides a premium service for $12 a year that will sync to your mobile devices too. LastPass supports 2 Factor Authentication. This is what I use, and even paid for premium.


You should always take your account security seriously. Make passwords as hard to guess, but simple for you to remember. Never re-use passwords on sites. Password managers help alleviate this, but are only as secure as the password you used to secure them.

Recent compromises

MinecraftForge accounts were compromised and reports are that data from that is being used to compromise accounts elsewhere - http://www.minecraftforge.net/forum/index.php?topic=39636.0

Create an account or sign in to comment.

11/05/2020 5:33 am
Level 9 : Apprentice Explorer
MysticMage avatar
The point is, we'll have to follow the Microsoft ToS after that. They could literally do anything. They even could make us pay for updates with Microsoft accounts and literally everything else is also possible... Let's hope that this turns in a good direction.
12/29/2017 11:31 am
Level 1 : New Explorer
Catsandwarriors avatar
I have a password that my fam uses but with diff numbers So its my fams lil password word
11/06/2017 8:07 am
Level 51 : Grandmaster Professor
Acier avatar
True that
10/29/2017 2:40 am
Level 28 : Expert Miner
D324784 avatar
Еи тапак защо мизе нивото а еи мърло шатиеба майката >:<
11/15/2016 7:11 pm
Level 1 : New Miner
Virtual Drink Mods
Virtual Drink Mods avatar
You got a lot of nerve doing that
01/08/2018 9:44 pm
Level 1 : New Miner
jinsuol avatar
You got a lot of nerve posting this.
11/10/2016 4:18 am
Level 61 : High Grandmaster Meme
Vincent _1987
Vincent _1987 avatar
I've been using my password since I was eight years old ;-; maybe I'm safe because it's a word my uncle invented xD

dun't yu dare steal my steam account hakers!
04/27/2019 2:07 pm
Level 30 : Artisan Geek
Cardinal System
Cardinal System avatar
10/29/2016 10:40 pm
Level 41 : Master Pixel Painter
JozyP avatar
I see what you're trying to say. I decided to work with all my friends in school and online to hekp me come up with new passwords for my emails, accts, etc. It's also comforting to know that all my trusting friends on Minecraft and at school can help me if I forget my passwords, because they know them too! This is really the most secure way to store passwords.
10/30/2016 10:33 am
Level 13 : Journeyman Network
Ralex avatar
So, you chose to ignore the advice of don't share passwords? The best password is one only you know. If someone else knows it, that password is now useless. DO NOT DO THAT.
Planet Minecraft


© 2010 - 2023