OSRS Account Security: How to Protect Your Account After Purchase

OSRS Account Security: How to Protect Your Account After Buying
Old School RuneScape accounts represent serious investments. Whether it's thousands of hours of grinding, billions in gold, or rare items and achievements, losing an OSRS account means losing something that took real effort (or real money) to build.
If you've bought an OSRS account, securing it properly is not optional: it's the most important thing you will do. This guide covers every security feature Jagex offers, how to set each one up, and best practices that go beyond the basics.
Why OSRS Account Security Matters More Than You Think
OSRS accounts are high-value targets for hackers and scammers. Here's why:
- Real-world value — OSRS gold and accounts have established real-money value, making them attractive targets
- Irreversible trades — If someone logs into your account and trades away your items, Jagex generally does not restore them
- Recovery system exploits — OSRS uses a recovery system that relies heavily on historical account information, which previous owners may still have access to
- No item binding — Unlike some MMOs, OSRS items aren't bound to your character. Anyone who logs in can trade everything away in minutes
Step 1: Secure the Email First
Before touching anything in-game, lock down the email associated with the OSRS account. The email is the master key to everything.
Change the Registered Email
- Log into the RuneScape website (not the game client)
- Navigate to Account Settings
- Change the registered email to one you own and control
- Verify the new email by clicking the confirmation link
Your Email Should Have
- A unique, strong password — Different from everything else, at least 16 characters
- Two-factor authentication — Google Authenticator, Authy, or your email provider's 2FA
- No forwarding rules — Check that no email forwarding has been set up to send copies elsewhere
- Recovery options you control — Make sure the email's recovery phone number and backup email are yours
Best Email Practices
Use a dedicated email address for your OSRS account — one that isn't used for social media, shopping, or anything else. This reduces the attack surface significantly. If your gaming email is never used publicly, it's much harder for someone to target it.
Gmail is a solid choice because of its strong security features, but any major email provider with 2FA support works.
Step 2: Set Up the Authenticator
The Authenticator is Jagex's two-factor authentication system. It requires a time-based code from your phone every time you log in from an unrecognized device.
How to Enable It
- Go to the RuneScape website and log in
- Navigate to Account Settings > Security
- Click "Enable Authenticator"
- Download an authenticator app if you don't have one (Google Authenticator, Authy, or Microsoft Authenticator)
- Scan the QR code with your authenticator app
- Enter the 6-digit code to confirm setup
Important Notes
- Save your backup codes — Jagex provides backup codes when you set up the authenticator. Store these securely (password manager, printed paper in a safe place). If you lose your phone, these codes are how you regain access.
- Use Authy over Google Authenticator if possible — Authy offers encrypted cloud backup of your authenticator codes, so losing your phone doesn't mean losing access. Google Authenticator stores codes only on the device.
- Don't trust "remember this device" on shared computers — Only use the trusted device feature on your personal computer.
Why the Authenticator Isn't Bulletproof
Here's the uncomfortable truth: the OSRS authenticator can be removed by anyone with access to the registered email. That's why Step 1 (email security) is so critical. If someone compromises your email, they can disable your authenticator and log in without it.
This is a known weakness in Jagex's security system, and it's why the community has long requested an authenticator removal delay. As of now, authenticator removal is instant once confirmed via email.
The takeaway: your email security IS your authenticator security.
Step 3: Set a Bank PIN
The bank PIN is your last line of defense. Even if someone logs into your account, they cannot access your bank, Grand Exchange, or certain other storage without entering the correct PIN.
Setting Up Your Bank PIN
- Log into OSRS
- Visit any bank and speak to a banker
- Choose "I'd like to set a PIN"
- Enter a 4-digit PIN of your choice
- Confirm the PIN
- Choose a delay setting — Jagex offers 0, 3, 7, or 30 days before the PIN can be changed or removed. Longer delays mean more protection against someone who gains access and tries to wipe your PIN.
Bank PIN Best Practices
- Don't use obvious PINs — Avoid 1234, 0000, your birth year, or any easily guessable number
- Don't share it with anyone — There is no legitimate reason for anyone to need your bank PIN
- Remember it — There is no instant "forgot PIN" recovery. If you forget your PIN, you have to wait out the delay you configured (up to 30 days) before it resets, and your bank is inaccessible during that time
- Never enter your PIN on a third-party site — Jagex will never ask for your bank PIN outside the game client
What the Bank PIN Protects
- Bank access (items and gold stored in bank)
- Grand Exchange offers
- Managing Miscellania
- Player-owned house storage
- Seed vault
- Certain other storage interfaces
What the Bank PIN Doesn't Protect
- Items currently in your inventory or equipped
- Items in a looting bag
- Coins pouch (partially)
Step 4: Change the Password
Set a strong, unique password for the RuneScape account itself.
Password Requirements
- OSRS passwords are limited to 5-20 characters — use the full 20
- Since passwords are case-insensitive and have historically had limited special-character support, focus on length (always use all 20 characters) and uniqueness rather than relying on character-class variety
- Never reuse this password on any other service
- Use a password manager to generate and store it — a manager easily handles the 20-character cap and keeps the password unique across sites
Password Tips Specific to OSRS
- OSRS passwords are case-insensitive — This is a known limitation of Jagex's system. Because capitalization provides no extra entropy, length and uniqueness (not mixing case) are what actually protect you. Max out the 20-character length.
- Don't use in-game names in your password — Character names, clan names, or server names are easy guesses
- Change it periodically — Especially in the first few months after purchasing an account
Step 5: Review Login and Account History
After changing all credentials, review the account's settings and history.
Check For
- Linked accounts — Remove any linked social media or third-party accounts you don't recognize
- Active sessions — Log out of all active sessions, then log back in fresh
- Communication preferences — Update email preferences so account-related notifications come to your new email
- Display name history — Review past display names; consider changing the current display name if desired
Step 6: Understand the Recovery System
This is crucial for anyone who bought an account. Jagex's account recovery system allows someone to submit information about an account to prove they're the original owner. This can include:
- Previous passwords
- Creation date and ISP
- Transaction IDs from membership purchases
- Previous registered emails
- Previous recovery questions
Building Your Own Recovery History
The best defense against recovery attempts is building your own provable history of account ownership:
- Pay for membership yourself — Use your own payment method to add membership. This creates transaction records tied to your identity.
- Play consistently — Regular play from your IP address builds a pattern that Jagex can see
- Contact Jagex support — If there's ever a billing or account issue, interacting with support builds your history as the account owner
- Keep records — Save payment confirmations, screenshots of account settings changes, and any communication with Jagex
Step 7: Additional Security Measures
Beyond Jagex's built-in features, these additional steps strengthen your security:
Secure Your Computer
- Keep your operating system and browser updated
- Use antivirus/anti-malware software
- Don't download OSRS "cheat clients" or "bots" — these are frequently malware that steal credentials
- Use only the official OSRS client or well-known approved clients (RuneLite)
- Be cautious with browser extensions that might capture keyboard input
Secure Your Network
- Use a VPN if you play on public WiFi (though home networks are generally fine)
- Ensure your home router firmware is updated
- Use WPA3 or WPA2 encryption on your WiFi network
Beware of Social Engineering
The most common way accounts are compromised isn't through hacking — it's through social engineering:
- Phishing emails — Fake emails claiming to be from Jagex asking you to "verify your account." Always check the sender domain carefully.
- Fake login pages — Links that look like the RuneScape website but aren't. Always type the URL manually or use bookmarks.
- In-game scams — Players claiming to be Jagex moderators, offering to "double your money," or asking for your password. Jagex will never ask for your password in-game.
- Discord and social media scams — Fake giveaways, fake support channels, or direct messages pretending to be official
Use RuneLite Safely
RuneLite is the most popular third-party client and is endorsed by Jagex. But make sure you:
- Download it only from runelite.net (the official site)
- Never download RuneLite from YouTube links, Discord messages, or other sources
- Keep it updated
- Be cautious with third-party plugins from unknown developers
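The advice above to check sender domains, avoid fake login pages and download RuneLite only from runelite.net comes down to reading a link's real hostname. The following is an added example, not part of the original guide or any Jagex or RuneLite tool, that classifies a link that way. The allowlist is an assumption: runelite.net is named in this guide, while runescape.com and jagex.com are assumed here to be the official domains.

```python
from urllib.parse import urlsplit

# Assumed allowlist: runelite.net is named in this guide; runescape.com and
# jagex.com are assumptions. Replace with the domains you have verified.
OFFICIAL = {"runescape.com", "jagex.com", "runelite.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' based on the link's real host."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown"
    # Text before '@' is login info, not the site: a trusted name there is a disguise.
    if "@" in parts.netloc:
        return "lookalike"
    # Official only if the host IS an allowlisted domain or a true subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    labels = host.split(".")
    # Punycode labels can render as look-alike characters in a browser or mail client.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    brands = {d.split(".")[0] for d in OFFICIAL}
    for label in labels:
        for brand in brands:
            # Brand name embedded in a foreign domain, or within len(brand)//4 edits of it.
            if brand in label or edit_distance(label, brand) <= len(brand) // 4:
                return "lookalike"
    return "unknown"
```

A result of "unknown" only means the host does not imitate an allowlisted name; it is not a statement that the site is safe.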
What to Do If Your Account Is Compromised
If you suspect unauthorized access to your account:
- Change your email password immediately — This is the priority because it controls everything else
- Change your RuneScape password — Do this from the website, not the game client
- Check your authenticator — Verify it's still enabled. If it was removed, re-enable it
- Check your bank PIN — If it was changed or removed, set a new one (there will be a delay)
- Contact Jagex support — Submit a support ticket explaining the situation. Include any evidence you have.
- Review your email for suspicious activity — Check for password reset emails, forwarding rules, or unfamiliar login alerts
Important: Jagex's Item Recovery Policy
Jagex generally does not restore items lost due to account compromise. This is their stated policy. The reasoning is that they cannot reliably distinguish between legitimate compromises and players trying to duplicate items.
This makes prevention vastly more important than cure. If an attacker gains access and cleans out your bank, those items are likely gone forever.
Security Checklist
Use this checklist to confirm you've covered everything:
- Email changed to one you own
- Email has 2FA enabled
- Email has no forwarding rules
- Authenticator enabled on RuneScape account
- Authenticator backup codes saved securely
- Bank PIN set to something non-obvious
- Password changed to a strong, unique passphrase
- Password stored in a password manager
- Linked accounts reviewed and cleaned up
- All sessions logged out and refreshed
- Membership purchased with your own payment method
- Computer is clean and updated
- Only using official or RuneLite client
- Aware of phishing and social engineering tactics
The Bottom Line
OSRS account security is only as strong as its weakest link. The authenticator means nothing if your email is compromised. The bank PIN means nothing if someone has your account for days. Every layer of security you add makes it harder for someone to take what's yours.
If you've purchased an account, the first 48 hours are the most important. Complete every step in this guide before you do anything else in-game. Your future self — and your bank tab — will thank you.
---
*This guide is current as of 2025. Jagex occasionally updates their security systems, so check the official RuneScape support pages for the latest information on available security features.*
