No Limit On Login Attempts
I couldn’t agree more. I actually wondered the same thing.
I’d second this. I find it incredulous that in this day and age after watching so many MMOs and other services compromised, that security wasn’t taken seriously at launch.
This might even be a way to farm GW2 accounts by simply trying if the password they keylogged works.
Proud Medic of the Splinter Warband. PM me to know more.
Our team already made some changes last week that should address your concern. Are you still seeing this issue?
Content Marketing Lead
Twitter: @ArenaNet, @GuildWars2
In-Game Name: Cm Regina Buenaobra
Twitter: @ArenaNet, @GuildWars2
In-Game Name: Cm Regina Buenaobra
Also, there’s not ‘’Forgot password’’ button.
Fedd
Luxon [Lux]
Jade Quarry
Luxon [Lux]
Jade Quarry
The “Forgot password” button has been temporarily disabled for additional security. If you need your password reset, please contact our support team for assistance (http://en.support.guildwars2.com/). Thank you!
Our team already made some changes last week that should address your concern. Are you still seeing this issue?
Yes, just before making this post I tested it. I didn’t want to ask the question only to have had it already been fixed. I purposely entered the wrong password more than 10 times, then entered the correct password and made this post.
Also, I wanted to say that I received an infraction for asking my question. I did not mean, nor do I think anything I said was rude. I simply want to know why this security vulnerability exists because my account is important to me. I apologize if someone has taken offense, but I honestly don’t understand how anyone could be offended by what I asked.
(edited by Oxe.6142)
I just tested myself and it has not been fixed. I typed in the wrong password 15 times.
Thanks for not only bringing this to our attention but also taking the time to ensure it had not been corrected yet. This issue has been escalated to our security team for further investigation. Thanks again!
Hi all,
I’d like to clarify our position on this particular question.
First and foremost – there is a rate limiting mechanism in place, which severely impairs the ability of automated attackers to brute-force account logins. We have carefully balanced this mechanism so as not to inconvenience legitimate users, while still presenting a substantial impediment to unauthorized account access.
Second, it is correct that we do not currently lock out accounts for failed login attempts. The reasoning for this is that if an attacker knows your email address, he can basically deny you access to the forums/game indefinitely by just logging in with bogus passwords every few seconds – something trivial to automate. This form of attack would be much more difficult to stop and create a much larger burden on customer support for resolving “locked account” issues.
Last but not least – we take security very seriously and are making every effort to ensure that our game and associated services are as trustworthy and safe as possible. We appreciate your feedback on these issues and welcome further suggestions regarding how to improve our collective safety.
Thanks!
Thank you for your reply Mike. I have noticed the pause after a few attempts, but it is extremely short. It doesn’t seem like much of a deterrent to me. I feel there are better ways to handle this particular security matter out there. Some sites I’ve used bring up one of those squiggly line things that computers can’t read after so many attempts. This avoids your second point while still allowing the legitimate owner of the account access and thwarts bots running endless login attempts. Perhaps a system like that would be better served here.
The pause is deliberately short because we don’t want to interfere with people who legitimately need a minute to remember (or correctly type) their password. As I mentioned, we wanted to make sure that it doesn’t inconvenience people. So the rate at which you can “humanly” hit the login page won’t cause issues until you’re doing a substantial number of attempts.
Automated attempts generally have to be done at very high volume to be effective, though, and the rate limiting will hit those attackers much harder than it will ever hit someone who just retypes their password a few times on the login screen.
Obviously I can’t get too specific, but suffice it to say we are monitoring the rate of login attempts from various sources, and we have strong evidence that this system is hampering attackers precisely as we intended.
CAPTCHAs on logins are certainly an option, but creating one that is still human readable while being immune to computer cracking is extremely difficult. Even the best known methods are mostly broken, such as reCAPTCHA (which has an 80% crack rate at this point using a variety of attacks). Since we don’t have any experts to help create a strong CAPTCHA system internally, our general feeling is that we can do other things which have better bang for the buck so to speak.