Major Security Boo-Boo

in Suggestions

Posted by: jmrathbun.7263

I think it’s a serious mistake to have the same password for the forums as for game accounts. Do a Google search for “gw2 forums” as I’m sure countless people a day do. You see several virtually identical listings with different URLs. Sometimes these differences are subtle: forum.guildwars2.com vs guildwars2forum.com, for example. I confused those two a few minutes ago and wound up entering three different usernames with my gw2 password. Suddenly I realized my mistake and hastened to change my password. Hopefully my account will still be there when I log in for WvW this evening. But that other site is ideally positioned to harvest account passwords, along with any site that might contain a similar URL or title, even taking advantage of typos and misspellings. How about Gildwars or Giuldwars, for example?

Solution is to insist on different passwords for the account and the forum.
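The lookalike hostnames described in the post above can be told apart mechanically. The following is an added example, not part of the original thread or any ArenaNet code: it classifies a hostname against the official domain named in the post. The function names, the two-label registrable-domain shortcut, the distance threshold and the sample hostnames built from the post's misspellings are all assumptions made for illustration.

```python
OFFICIAL = "guildwars2.com"      # the real domain named in the post
BRAND = OFFICIAL.split(".")[0]   # "guildwars2"

def registrable(host):
    # Assumption: the last two labels form the registrable domain
    # (a production check would consult the Public Suffix List).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def osa_distance(a, b):
    # Optimal string alignment distance: insertion, deletion, substitution
    # and adjacent transposition each cost 1.
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(host, max_typo_distance=2):
    reg = registrable(host)
    if reg == OFFICIAL:
        return "official"            # any subdomain of the real domain
    if BRAND in host.lower():
        return "embedded-brand"      # brand string inside a different domain
    if osa_distance(reg.split(".")[0], BRAND) <= max_typo_distance:
        return "typo"                # near-miss spelling of the brand
    return "unrelated"

# Constructed sample hostnames: two from the post, two built from its
# misspellings ("Gildwars", "Giuldwars"), two on reserved example domains.
SAMPLES = ["forum.guildwars2.com", "guildwars2forum.com", "gildwars2.com",
           "Giuldwars2.com", "guildwars2.com.example.net", "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:30} {classify(h)}")
```
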

Posted by: Fildydarie.1496

Personally, I’m a fan of content providers issuing PKI certs to users. A compromise of your public key doesn’t compromise your account unless they can get your private key, too. As long as we rely on username/password, the ability to harvest credentials through fraud will always exist.

That said, username/password is considered “good enough” for my bank; it is my responsibility to check the site to which I am connecting (a non-trivial task considering how often they merge and change their name).

-Fildydarie
Hutchmistress of the Fluffy Bunny Brigade [FBB]

Posted by: Zahld.4956

Sounds like a potential problem. Having separate login and account-access methods could add some security, maybe. One way would only allow playing of the game for example, and the other way would allow for everything else with the account. Food for thought.