New Password rules = far too extreme
Except that, unless they’ve read this comic, chances are no program will assume your password is four random words, because that’s not how the vast majority of people create theirs.
Back before people cared about security, a random word or sentence was commonly used as a password.
I went to change my password and apparently, they blacklist all passwords that have already been used, meaning if you change your password, you can’t go back to the one you just had. If someone actually brute forced the password creation, they could lock out all passwords of whatever length they desired. But what I noticed is that they recommended that comic on how to create your password. So actually, if I was going to brute force a password, I would start with 4 random words, then go on to full brute forcing.
But people generally don’t brute force from scratch anymore since it takes too long and is too easily detectable. They try to get a variation of your password, either by phishing or hacking some old site you used to be on and work with that. The only time people really brute force is when they have a copy of your password, which for online services means they managed to break in and steal the database, obtaining the password hashes.
With other security systems in place, it truly doesn’t matter what your password is. Your password could be password and it wouldn’t matter as long as you have both IP verification and an authenticator. The only time a password needs to be strong is when the place storing your password gets compromised. But the problem is, the people who do get hacked don’t bother with these additional measures, since they’re not required.
I bet Anet loves these posts. You know that the state of the game is pretty good when players are arguing about passwords.
passw4rd.. lol yea.. like I’m that stupid.
If you really wanted to you could make THAT your password
(edited by Adine.2184)
I find it interesting that Anet feels it’s ok to tell people that one of their users is already using a given password.
This is interesting. They need to let us know that a password can’t be used though.
What are the chances of getting this message and then tying that up with the account’s email address? Small I guess, but it still seems like it’s giving away too much information. Not that I have any suggestions how to avoid this though.
Obligatory xkcd comic.
For the record, you definitely would not use this method alone, since it would fall quickly to a dictionary-based method. You still have to mix it with some other methods like substituting letters and random punctuation. Just throwing that out there.
Though I’ve already answered this issue, I’ll go ahead and make another point that came up in the xkcd forum’s thread about this comic. Using four random words pulled from a dictionary is actually vastly more complex than you may be imagining. To quote from that thread: "I found a dictionary containing 118620 words quite easily. Assuming you use at least one unique word in there your password would be closer to log2(118620) * 4 =~ 64 bits of entropy.
To have only 28 bits of entropy with that solution your password would have to be findable by a dictionary containing only 128 words. That seems quite unlikely."
In essence, there are a lot more words than letters…
This means that, depending on the length of the chosen words, it would actually have a better shot guessing letter combinations rather than word combinations and simply hoping it’s not too long.
The mistake you’re making is thinking of a dictionary attack as needing to guess only one word. That’s how they usually work, and that’s why they can be effective. 118000 words isn’t that much to guess, but each additional random word increases the difficulty exponentially, such that by the time you hit four it’s basically unbreakable via brute force.
(edited by Grendel.7918)
Again, I am going to suggest this program.
Not only will you have to remember just one password (to access the program), it will come up with far, far more complex passwords for individual applications than you could probably hope to remember. Also works portable (just put program/associated protected file on a USB stick and you can access your stuff anywhere and everywhere).
So, better passwords for individual sites/apps, more secure as it randomizes the passwords at creation according to parameters you set, you only have to remember one password ever again, and it’s completely portable. And since you only have to remember the one password, you can make it as long as you want. I think the limit is something like 120 characters (could be entirely off on that one).
I suggest you give it a go, it’s one of the best pieces of software I have ever encountered. Just make sure you back up the files externally.
06-04-13
NEVER FORGET
are people really having problems with a password?? The first thing I typed in was fine, and they had this rule in place. I can’t think of a reason why it would be so hard for some people unless they’re using passwords that other people have used, and if that is the case why would you want to use it?
1. Word +4 digit number + different word = good, easy to memorize password that is resistant to dictionary attack
2. 36 character randomized string + password vault = all the security you need, and you don’t have to memorize anything
Sigurd Greymane, guardian
~ Piken
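An added worked example (not code posted by anyone in this thread) that puts numbers on Grendel’s entropy calculation above and on Sigurd’s "Word + 4 digit number + different word" scheme. The 118,620-word dictionary and the 28-bit figure come from the thread; the offline cracking rate of 1e10 guesses per second is an assumption.

```python
import math

# Constructed inputs for this added example (not from the thread's own code): the
# 118,620-word dictionary and the 28-bit figure are quoted in the thread; the
# offline cracking rate of 1e10 guesses per second is an ASSUMPTION.
DICTIONARY_WORDS = 118_620
SINGLE_WORD_BITS = 28
ASSUMED_GUESSES_PER_SECOND = 1e10

def passphrase_bits(words_in_dictionary, word_count):
    """Entropy of word_count words drawn uniformly at random from the dictionary.
    Each word adds log2(dictionary size), so the search space grows exponentially
    with every extra word (the thread's log2(118620) * 4 calculation)."""
    return word_count * math.log2(words_in_dictionary)

def dictionary_size_for_bits(bits, word_count):
    """Inverse: how small the dictionary would have to be for word_count random
    words to carry only `bits` of entropy (28 bits over four words -> 128 words)."""
    return 2 ** (bits / word_count)

def charset_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def attacker_bits(words_in_dictionary, word_lengths, alphabet_size=26):
    """Cost to an attacker who takes the cheaper of two searches: whole words from
    the dictionary, or letters directly. Very short words make the letter-by-letter
    search cheaper, which is the 'depending on the length of the words' point."""
    by_words = passphrase_bits(words_in_dictionary, len(word_lengths))
    by_letters = charset_bits(alphabet_size, sum(word_lengths))
    return min(by_words, by_letters)

def word_digits_word_bits(words_in_dictionary, digit_count=4):
    """'Word + 4-digit number + different word': two random dictionary words plus
    digit_count truly random decimal digits (3.32 bits each). A birth year or a
    PIN reused elsewhere contributes far less than that."""
    return 2 * math.log2(words_in_dictionary) + digit_count * math.log2(10)

def seconds_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed offline rate (stolen
    hash database); an online login form with lockouts allows far fewer guesses."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    four = passphrase_bits(DICTIONARY_WORDS, 4)
    print(f"four random words: {four:.1f} bits, "
          f"{seconds_to_exhaust(four) / 3.156e7:.0f} years to exhaust offline")
    print(f"28-bit single word: {seconds_to_exhaust(SINGLE_WORD_BITS):.2f} s to exhaust")
    print(f"word+4digits+word: {word_digits_word_bits(DICTIONARY_WORDS):.1f} bits")
```

Note that the four-word figure comes out nearer 67 bits than the "=~ 64" quoted in the thread; the 128-word dictionary for 28 bits is exact.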
Or your system is compromised…. Didn’t think of that, did you? Much easier to blame the company rather than your own ignorance; that’s understandable.
I mean, hello, 2 times you have been hacked? It’s likely on your end…
Yes, because networking technicians don’t know about trojans, key loggers, script vulnerabilities and viruses and wouldn’t think to check their own PC.
The problem with arenanet and its fanboys is they’re far too fast to blame the user and unwilling to stand back and evaluate the actual source of compromise.
Now, the only people who know the e-mail addy are me, gmail and anet. The only people who know the password are me and anet. Someone in America had authenticated themselves to access my account – which would require them having access to my e-mail. This means someone at g-mail or anet had dropped the ball, or I have some kind of keylogger or virus not known to Avast! or MS Windows Defender that does not have a software profile likely to flag an alert on Windows 7 UAC.
The latter is not impossible, but highly improbable considering I have performed extensive scans and come up clean.
If gmail is compromised, it’s rather odd the intruder then bothered to match that up with GW2, recover the password, and then authenticate himself, and THEN clean up the evidence – instead of using that time to, say, steal someone’s bank details.
The final possibility is that the problem is on Arenanet’s end – which is a cleaner answer than the problem being on gmail’s end, and I’m not in a position to examine more closely (despite their assurances, companies are not hack-proof).
Garnished Toast
(edited by Ryuujin.8236)
Or your system is compromised…. Didn’t think of that, did you? Much easier to blame the company rather than your own ignorance; that’s understandable.
I mean, hello, 2 times you have been hacked? It’s likely on your end…
Yes, because networking technicians don’t know about trojans, key loggers, script vulnerabilities and viruses and wouldn’t think to check their own PC.
The problem with arenanet and its fanboys is they’re far too fast to blame the user and unwilling to look at themselves. Everyone who’s ever had a security issue in GW2 is the one at fault, it couldn’t possibly be on arenanet’s end; big companies never get hacked, right? /sarcasm
Then you should also know that the likelihood of you being hacked twice using a new email and password and all that out of millions is very unlikely…. and a bit foolhardy to claim their database is compromised…. If that was the case then many many more people would be being hacked, to the point where it would become public. However that is not the case.
For a network technician you sure are discounting the obvious.
if that was the case then many many more people would be being hacked to the point where it would become public.
I know at least 4 people who’ve had their accounts compromised* in our guild alone – and they all got the same response I’m getting. “It’s obviously your fault, if this was really a problem surely more people’d be getting hacked.” Just what percentage of players need to be hacked before it becomes public? It’s public right now and you’re dismissing it.
*All of them had the same thing I have – their account was essentially untouched; but someone besides them had been added to their authentication list, usually with a foreign IP. In my case it was an IP originating in California; I live in Europe. It’s not impossible that there is an authentication issue and the system is erroneously authorising people to the wrong accounts, and no ACTUAL security issue exists; it would explain why nothing was taken.
Garnished Toast
(edited by Ryuujin.8236)
I got my account hacked. Somehow we managed to get it back, while I lost all stuff in the process. Really painful experience. Now I’m really paranoid about this, so I reset my password every month and it’s always 30-32 letters long. Account security is the number one priority and should be treated as such.
Multifactor is the only viable approach to security at the level we are talking about.
From many years of experience I can state 99% of “hacking” of passwords/accounts is the user at fault, but many years of user training and awareness has done no good either.
Hands up if you’ve been “well informed enough” to have used that LFG site but “know for a fact” that Anet is at fault for all account woes?
It may just be that your original statement was wrong.
Please try again.