Alright. First off, I know I was previously banned on my "404" account and then I got an IP ban for ban evasion and that's what I'm doing right now. I'm sorry. But you may have seen the thread in General Discussion about how some idiot got into my Facebook account and my in-game account and was scamming people for most of today while I was at work.
Because of this, I've closed down my Facebook account (I rarely used it as it wasn't my "real life" Facebook account), enabled 2-step verification on my Gmail and changed my in-game password.
Here's my suggestion(s):
When you log in, have the game check your IP address. It should also store that IP address and a count of how many times you've logged in from it to determine the most commonly used IP address. This way, if someone else logs into your account, like what happened to mine, and their IP address is noticeably different, the game should kick the person back out to the login screen or even lock the account (not a ban, a new function idea called a "lock").
The lock would last for a day and would prevent the account from being logged into (even by the actual owner). The lock would give the actual account owner time to change the password to it. If you want to get extreme, may I suggest IP banning the hacker if they fail the IP check? It would result in people coming here to the forums to appeal a ban and everyone would find out why they were banned and that person would be laughed off of Helmet Heroes.
Alternate method: Hacker attempts to log in, game detects different IP address. Game sends email or text message (2-step verification system I've outlined below would be needed for this) with a confirmation code that the player needs to enter to verify that yes, it is their account and their IP address just changed. Obviously the hacker would not be able to get access to a text message on someone's phone and thus they'd fail the confirmation code check and get IP banned.
Downsides to the IP check system: Country-based would be bad, what with the large concentration of Filipino players. I would personally stick to checking the most commonly used IP address.
As for the password reset setup... Yahoo? Really? I'd honestly like to see a proper account system in place allowing players to link a cellphone or alternate email address to their in-game account so when they request a password reset, they would also have to check their phone/alternate email to get a confirmation code and enter that into the site before being allowed to reset their password.
If anyone reading this has any ideas for better account security, toss 'em up. I had to deal with ~100 people PMing me in-game a few minutes ago because of the idiot who hacked my FB and scammed them all while using my account in-game. I don't wish that on my worst enemies.
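A sketch of the IP-familiarity check, the one-day lock and the out-of-band confirmation code described in the post above, added here as a Python example (it is not code from Helmet Heroes or from the poster). The `LoginGuard` name, the sample account and IP addresses are made up, and the caller is assumed to deliver the code by SMS or email; it generalises the post's "most common IP" rule to any IP the account has previously used or confirmed, since a home connection on a dynamic IP would otherwise be challenged every time the address changes.

```python
import hmac
import secrets
import time
from collections import Counter, defaultdict

LOCK_SECONDS = 24 * 3600      # the post's one-day lock
CHALLENGE_SECONDS = 600       # how long a confirmation code stays valid


class LoginGuard:
    """Tracks login source IPs per account and challenges unfamiliar ones.

    Caveat: players behind a shared carrier or campus NAT all present the
    same IP, so the check alone cannot tell them apart; the confirmation
    code, not the IP, is what actually proves ownership.
    """

    def __init__(self, now=time.time):
        self.now = now                           # injectable clock for testing
        self.ip_counts = defaultdict(Counter)    # account -> Counter of IPs
        self.locked_until = {}                   # account -> unix time
        self.pending = {}                        # account -> (ip, code, expires)

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.now()

    def most_common_ip(self, account):
        seen = self.ip_counts[account]
        return seen.most_common(1)[0][0] if seen else None

    def attempt(self, account, ip):
        """Return 'locked', 'ok' or 'challenge' for a login from `ip`."""
        if self.is_locked(account):
            return "locked"
        seen = self.ip_counts[account]
        if not seen or ip in seen:               # first login or a known address
            seen[ip] += 1
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit out-of-band code
        self.pending[account] = (ip, code, self.now() + CHALLENGE_SECONDS)
        return "challenge"                       # caller sends `code` via SMS/email

    def confirm(self, account, ip, code):
        """Check the out-of-band code; a wrong or expired code locks the account."""
        entry = self.pending.pop(account, None)
        if entry is None:
            return False
        p_ip, p_code, expires = entry
        if p_ip == ip and self.now() < expires and hmac.compare_digest(p_code, code):
            self.ip_counts[account][ip] += 1     # address is now trusted
            return True
        self.locked_until[account] = self.now() + LOCK_SECONDS
        return False
```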