On the Mandatory Password Change
Change a number or letter or two in your password if it really is as strong as you believe. That way it’s still just as strong and it’s brand new. Sorted.
Changing a number or letter is irrelevant and is exactly what a hack script would do.
What also compromises password security is forcing people to change their password (usually on a regular basis), as they inevitably end up using a password that is easy to guess/compromise as a result.
Another way to compromise passwords is to be made to use the same account for the game as well as the game’s official forums.
So, we will have a mandatory password change in February. Is this because you had your database hacked or because you didn’t have enough tools to guarantee the safety of our passwords?
I change my password whenever I feel it is necessary and I keep it safe. A mandatory password change is both annoying and worrisome. Since everything is safe on my side, this makes me believe we might have major security problems on ANet’s side.
Can we have some official info about this topic? Or let’s just delete this post, infract me and send ninjas to my house?
That makes me strongly suspect ANet might have had their database accessed. This is both annoying and worrisome.
I’m looking forward to the people who just start trying passwords to brute-force ban all combinations.
The one thing I like about Anet and security is they’re astoundingly consistent. Present them with a problem, and they will come up with the worst possible solution. All this does is cause people to change ‘password1’ to ‘password2’. I’m not sure if this is worse than GW1’s “require a character name” change, but it’s pretty well up there.
We already have an ISA method for account security. 2-factor auth with password and rolling key code. It works plenty fine. You’ve even stickied it above.
Forcing password changes has never been shown to increase security. In fact, in most cases it’s been proven to degrade security, because it causes people to write it down and leave it in a position that’s easily compromised. Studies on SOX requirements have already proven this. Then again, this is coming from a company that had max-password length tagged at 14 characters for close to 8 years.
People’s accounts that get compromised get compromised for other reasons. All you’re doing is causing grief by changing the terms to try to protect people from their own poor choices.
(edited by Wraeththix.1429)
That makes me strongly suspect ANet might have had their database accessed. This is both annoying and worrisome.
Didn’t Blizzard get hacked a few months ago? This could lead to people’s GW2 account info getting out.
Why? ANet has their database on Blizzard’s servers?
People have a tendency to use the same password for multiple sources. In fact, many people just use a variation of one password for basically everything: Password1, password11, etc.
Usually if you know the password requirements and one of the user’s current passwords you can come up with the correct password in maybe 10 tries.
That’s where a lot of compromised accounts come from. People that have a guild forum, or curse or something like that, that use the same credentials on there that they do for the game.
That makes me strongly suspect ANet might have had their database accessed. This is both annoying and worrisome.
Then you haven’t been paying attention.
ANet began tracking the passwords being attempted during unauthorized account access attempts some months back after Blizzard’s database was compromised. From this, they’ve built a database of passwords they know are compromised and/or being tried by those who want to access someone else’s account.
This password change is forcing people to choose passwords that do NOT show up in the database of potentially compromised passwords that they’ve amassed.
Incidentally, in regards to other comments, this also means that if the individual seeking to compromise accounts is using software that varies the password by a character or a few characters, (password1, password2, etc.), the database will reject an attempt by a rightful owner to change their password in such an easily compromised manner.
Will this completely stop accounts from being compromised? Unlikely – people continue to be amazingly stupid about their choices when it comes to account security, and there will inevitably be someone who changes their password here… and promptly goes to every forum & game & social networking site they use and change all those passwords to the new one they selected for here. But that’s on them. They’ve chosen to essentially stick a big flashing neon sign out there that says “HERE’S MY PASSWORD!!!”
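The two posts above describe the same mechanism from both sides: attackers guess a user’s other passwords from one leaked password plus the site’s rules (Password1, password11, and so on), and the operator’s blacklist refuses a "new" password that is only a character or two away from a known-compromised one. The following is an added example of such a server-side check, written for this page; it is not ArenaNet’s code. The compromised list is a constructed sample, and the normalization rules (lowercase, strip trailing digits and symbols, undo common leetspeak) are this example’s own assumptions about what "a variation of one password" looks like.

```python
"""Server-side check for a password change: reject passwords on a
compromised list, reject trivial variants of them (password1 -> password2,
P@ssw0rd!), and reject a new password that is only a character or two away
from the old one.

Added illustration. Not ArenaNet's code; COMPROMISED is a constructed
sample and the normalization rules are this example's own assumptions."""
import re

# Constructed stand-in for a list of leaked / observed-in-attacks passwords.
COMPROMISED = {"password1", "letmein", "qwerty123", "guildwars2", "dragon"}

# Undo the most common leetspeak substitutions so P@ssw0rd and password collide.
_LEET = str.maketrans("@$10!3", "asloie")


def normalize(pw: str) -> str:
    """Canonical form so that trivial mutations of one password map to the
    same string: lowercase, drop trailing digits/symbols, undo leetspeak,
    keep letters only."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # password1, password2!, qwerty123 -> stem
    s = s.translate(_LEET)            # p@ssw0rd -> password
    return re.sub(r"[^a-z]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: str, blacklist=COMPROMISED,
                       min_len: int = 8, max_distance: int = 2):
    """Return (accepted, reason). Cheap exact tests run first, the
    similarity tests last."""
    if len(new) < min_len:
        return False, "too short"
    if new in blacklist:
        return False, "password appears on the compromised list"
    stems = {normalize(p) for p in blacklist}
    if normalize(new) in stems:
        return False, "trivial variant of a compromised password"
    if normalize(new) == normalize(old) or edit_distance(new, old) <= max_distance:
        return False, "too similar to the previous password"
    return True, "ok"


if __name__ == "__main__":
    for new, old in [("Password2", "password1"), ("Dragon2013!", "x"),
                     ("Tr0ub4dor&3", "Tr0ub4dor&2"),
                     ("correct horse battery staple", "Tr0ub4dor&3")]:
        print(new, "->", check_new_password(new, old))
```

The stem comparison is what makes "change a number or letter or two" fail: Password2 normalizes to the same stem as the blacklisted password1, so it is rejected even though the exact string was never seen. The edit-distance test covers the remaining case where the old password itself is not on the list but the user only bumped a digit.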
Changing it slightly sounds nice, but every time you change it the previous password is added to your blocks, so over time if they continue forcing password changes it will become a huge pain. For me it’s an issue with freedom. I don’t want to support companies that force these types of things on me. I have never been hacked or protected by one of these systems in the 12 years I’ve been playing online games, so I would say I know what I am doing. I guess I will not be playing this game anymore.
Changing it slightly sounds nice, but every time you change it the previous password is added to your blocks, so over time if they continue forcing password changes it will become a huge pain. For me it’s an issue with freedom. I don’t want to support companies that force these types of things on me. I have never been hacked or protected by one of these systems in the 12 years I’ve been playing online games, so I would say I know what I am doing. I guess I will not be playing this game anymore.
Let me get this straight:
You’re going to quit a game you love…
Because you are being ‘forced’ to change your password…
Which will literally take two seconds.
This isn’t an issue of freedom or anything, the entitled consumer argument only goes so far. I know that you’re probably just being a drama-queen but seriously, nobody would stop doing something they enjoy because (HEAVENS FORBID!) they must protect their account.
… I already have to jump through hoops for the email verification and now this? Are you kittening kidding me?
I’d rather take my chances on being hacked than have to deal with this. It’s like doing up your seatbelt on an airplane. It does nothing.
I like how the gestapos at anet think they can determine how I can play. Did I want to change my password?! No. This goes against their Manifesto, I want to play in the way that I deem fit.
… I already have to jump through hoops for the email verification and now this? Are you kittening kidding me?
I’d rather take my chances on being hacked than have to deal with this. It’s like doing up your seatbelt on an airplane. It does nothing.
It may not save you if the plane goes down, but you’re sure going to be glad it’s hooked properly if the plane hits severe turbulence and it saves you (or your child) from being thrown about the cabin.
http://howsecureismypassword.net/
Let’s find out…
It would take 6 billion years for my GW2 account, 377 billion years for my e-mail and 345 quintillion years for my Steam account for the brute force method of an average PC to hack me.
Septillions can be easily achieved when adding symbols.
I should be safe for a while (yeah, I know, that site isn’t that accurate about that).
BTW… I didn’t get forced or suggested to change my password yet.
I assume that ANet’s blacklist is created mostly from all the failed log-in attempts using popular phrases and names.
“Only the finest of potatoes in my zerkburgers.”
(edited by wauwi.9162)
Changing passwords every now and then is not more secure, and I really wished that so called “experts” would learn it’s bogus. If your password is secure, changing it often only leads most people to writing their passwords down in an area that is insecure (like sticky notes on a computer that anyone can see).
Plain and simple, forcing people to change their passwords is a foolish idea. I have NEVER had an account hacked because someone brute force (or even guessed) my password.
Passwords are generally not hacked, they are stolen by either finding sticky notes, giving the password out to “trusted friends”, or by a password stealing virus.
Guess what? None of those above situations can be remedied by forcing someone to change their passwords. Sticky notes are still there, “trusted friends” will still be trusted, and a password stealing virus (such as a keylogger) will still be on the persons machine stealing their passwords.
/facepalm
(edited by Retrospek.4583)
You only have to change it if you made this password BEFORE they first announced the password blacklisting.
I’d imagine we’ll only be forced to change passwords again if another major MMO or MMO community database gets their password database hacked. I doubt it’s anything they’ll do regularly.
It may not save you if the plane goes down, but you’re sure going to be glad it’s hooked properly if the plane hits severe turbulence and it saves you (or your child) from being thrown about the cabin.
Both are terrible analogies. A password is 100% secure, up until it’s not. A changed password is exactly as secure as the previous password. If the first password is compromised, there’s just as good a chance that the new password will also be compromised. All mandatory changes, combined with unusual password requirements (which ANet has NOT done), actually do is force people to generate new passwords that they haven’t previously used, thereby decreasing the chance it’s been compromised through a non-controlled but meta-linked source. Since they haven’t varied the requirements, they’re not even getting that right.
So, as the guy was saying, he hasn’t been compromised in the past. His password rules are probably working.
A seatbelt is a physical restraint. Not buckling it would be similar to not having a password at all. We can visually inspect physical restraints to (generally) see if they’re compromised in some way. It’s difficult to know if your password has been compromised, which is why a physical key (like a rolling code) works better.
… I already have to jump through hoops for the email verification and now this? Are you kittening kidding me?
I’d rather take my chances on being hacked than have to deal with this. It’s like doing up your seatbelt on an airplane. It does nothing.
It may not save you if the plane goes down, but you’re sure going to be glad it’s hooked properly if the plane hits severe turbulence and it saves you (or your child) from being thrown about the cabin.
My password is not going to be half hacked. It will either be taken completely or not at all, just like a plane will either fly or crash, in which case my seatbelt will not save me anyway.
http://howsecureismypassword.net/
Let’s find out…
It would take 6 billion years for my GW2 account, 377 billion years for my e-mail and 345 quintillion years for my Steam account for the brute force method of an average PC to hack me.
Septillions can be easily achieved when adding symbols. I should be safe for a while.
BTW… I didn’t get forced or suggested to change my password yet.
Except that you just gave your password to some random website. Seriously?
Security isn’t a thing, it’s a process. Doesn’t matter how strong your password is if you don’t know how to protect it.
Changing it slightly sounds nice, but every time you change it the previous password is added to your blocks, so over time if they continue forcing password changes it will become a huge pain. For me it’s an issue with freedom. I don’t want to support companies that force these types of things on me. I have never been hacked or protected by one of these systems in the 12 years I’ve been playing online games, so I would say I know what I am doing. I guess I will not be playing this game anymore.
Let me get this straight:
You’re going to quit a game you love…
Because you are being ‘forced’ to change your password…
Which will literally take two seconds. This isn’t an issue of freedom or anything, the entitled consumer argument only goes so far. I know that you’re probably just being a drama-queen but seriously, nobody would stop doing something they enjoy because (HEAVENS FORBID!) they must protect their account.
I can live with changing my password. I had to put up with that from Blizzard always detecting the school network as someone hacking me, and I had to change a password every time (after two weeks of this I just decided to quit for a couple of months until they fixed their crap, so yes, people actually do quit games they enjoy when the developers kitten them off). My issue is with how they made it so every time I change my password it gets added to a blacklist. I wasted 5 or so variations of my current password just testing it out. It’s more like the lunch ladies in some elementary school a while back that forced a kid to eat school lunch instead of the lunch she brought because they thought it wasn’t healthy enough, when in reality it was probably healthier than the school’s anyway.
What is truly idiotic about this is the numerous reams of research data that has proven that mandatory password changes are LESS secure given the fact that it forces people to write them down and keep them in unsecure places.
Bravo Anet, you’re dropping the ball.
No….
You’re not dropping the ball, as that implies making a mistake…
You’re spiking the ball and you’re doing so at the expense of the players.
North Alabama Guild Wars Players
http://tinyurl.com/y9hj2h4b
(edited by ShadowGryphon.6257)
Also makes me think Anets been compromised, bit of a worry..
Learn to use and enjoy http://keepass.info
Its really helpful…
http://howsecureismypassword.net/
Let’s find out…
It would take 6 billion years for my GW2 account, 377 billion years for my e-mail and 345 quintillion years for my Steam account for the brute force method of an average PC to hack me.
Septillions can be easily achieved when adding symbols. I should be safe for a while.
BTW… I didn’t get forced or suggested to change my password yet.
Except that you just gave your password to some random website. Seriously?
Security isn’t a thing, it’s a process. Doesn’t matter how strong your password is if you don’t know how to protect it.
What are the odds that they’ll find out which services and usernames those passwords belong to if they WOULD save it?
Not to mention that you don’t have to press “enter” when punching in any letters there…
BTW… why do people write down passwords in the first place?
If I ever have to choose and remember a REALLY lengthy password, like my router’s one (63 randomly mashed keys), I photoshop a randomly chosen *.mp3 file stored on any portable media device (USB stick, mp3 player, phone).
If this only happens like once a year, it might not be too annoying. But having to get rid of my good, secure password in favor of another that I must now memorize, likely every month or two knowing this silly game, is going to really get the hell on my nerves.
Keep in mind that the rule of thumb about internet and password security is: the more it annoys you, the stronger the security is.
But it still should be an option, not mandatory… of course after a flashy red warning screen which tells you about the risks of lower security.
So, we will have a mandatory password change in February. Is this because you had your database hacked or because you didn’t have enough tools to guarantee the safety of our passwords?
I change my password whenever I feel it is necessary and I keep it safe. A mandatory password change is both annoying and worrisome. Since everything is safe on my side, this makes me believe we might have major security problems on ANet’s side.
Can we have some official info about this topic? Or let’s just delete this post, infract me and send ninjas to my house?
Glad I’m not the only one who assumed ANet had their database hacked “again” (I believe they did so as well around last December, hence why we had so many account hacks then, and failed to mention it). =/
I’ll repeat it again:
NOTHING has been said that it’s going to be regular password changes. This is the forced password change they mentioned way back in September last year.
You only have to change it if you made this password BEFORE they first announced the password blacklisting.
I’d imagine we’ll only be forced to change passwords again if another major MMO or MMO community database gets their password database hacked. I doubt it’s anything they’ll do regularly.
What makes absolutely no sense is they are requiring everyone to change their passwords, regardless of whether or not those passwords are on the blacklist. If my password is not on the blist then it’s secure…I don’t want to come up with yet another unique password, this one is already original.
Regarding brute forcing, I’ve always thought those “time to crack” durations are bogus when dealing with online services that handle authentication. Last I checked you can’t attempt a log-in for GW2 thousands or hundreds of times a second. I’d assume after X failed tries the system would also lock you out.
I believe ANet get their password blacklist form the same places the hackers do. This is why they keep telling us to make a password unique to GW2.
My password is 29 characters long with multiple capitals and numbers. Why am I forced to change my password when nothing is wrong with it?
You only have to change it if you made this password BEFORE they first announced the password blacklisting.
I’d imagine we’ll only be forced to change passwords again if another major MMO or MMO community database gets their password database hacked. I doubt it’s anything they’ll do regularly.
What makes absolutely no sense is they are requiring everyone to change their passwords, regardless of whether or not those passwords are on the blacklist. If my password is not on the blist then it’s secure…I don’t want to come up with yet another unique password, this one is already original.
Regarding brute forcing, I’ve always thought those “time to crack” durations are bogus when dealing with online services that handle authentication. Last I checked you can’t attempt a log-in for GW2 thousands or hundreds of times a second. I’d assume after X failed tries the system would also lock you out.
And how is ANet supposed to know yours isn’t one of them? I’d imagine they’re trying username and passwords, one by one, with some variations on passwords until they run into the lock out. If they hit the lock out, move on to the next one in the list.
Yes, it stinks that they feel this is the best course of action. But I don’t blame them for doing it. Reduces number of tickets they’ll receive due to the hacked database causing stolen accounts. Which means CS can spend more time on more important matters.
And well there is this saying: one bad apple spoils the bunch. The bad apple here being the person who uses the same username and password combination.
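The post above describes exactly the behaviour a per-account lockout cannot catch: a few leaked passwords per account, stop before the lockout fires, move on to the next account in the list. The block below is an added example (not ArenaNet’s code or log format) showing the two views side by side: the per-account sliding-window counter that implements the lockout, and a per-source count of distinct accounts that catches the attacker who stays under it. The log lines, the 5-failure threshold and the 10-minute window are all constructed for this example.

```python
"""Spotting the lockout-aware attacker: a few passwords per account, never
enough failures to trip the per-account lockout, then on to the next one.
A per-account counter alone never fires; counting distinct accounts per
source does.

Added illustration. The log format, threshold, window and events are
constructed for this example; none of it is ArenaNet's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # 5th failure inside WINDOW locks the account
WINDOW = timedelta(minutes=10)

# Constructed sample, one event per line: "timestamp result account source_ip".
# 203.0.113.7 tries 3 passwords on each of 6 accounts (credential stuffing);
# 198.51.100.5 is one user mistyping grace's password 5 times (real lockout).
SAMPLE_LOG = "\n".join(
    [f"2013-02-01T10:00:{3 * i + k:02d}Z FAIL {acct}@example.com 203.0.113.7"
     for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
     for k in range(1, 4)]
    + [f"2013-02-01T10:05:{10 * k:02d}Z FAIL grace@example.com 198.51.100.5"
       for k in range(5)]
    + ["2013-02-01T10:10:00Z OK alice@example.com 192.0.2.10"]
)


def parse_log(text: str):
    """Return a list of (time, succeeded, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, result, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       result == "OK", account, ip))
    return events


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Per-account sliding-window failure count: the server-side lockout.
    Returns the accounts that would have been locked."""
    recent = defaultdict(deque)
    locked = set()
    for t, ok, account, _ip in sorted(events):
        if ok:
            continue
        q = recent[account]
        q.append(t)
        while q and t - q[0] >= window:   # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked.add(account)
    return locked


def stuffing_sources(events, min_accounts=5, lockout=LOCKOUT_THRESHOLD):
    """Source IPs that failed against many distinct accounts while staying
    under the lockout threshold on every one of them. Returns ip -> count."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> account -> failures
    for _t, ok, account, ip in events:
        if not ok:
            fails[ip][account] += 1
    return {ip: len(accts) for ip, accts in fails.items()
            if len(accts) >= min_accounts and max(accts.values()) < lockout}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked:", locked_accounts(ev))        # only grace
    print("stuffing:", stuffing_sources(ev))     # 203.0.113.7 -> 6 accounts
```

Note what each view misses: the lockout flags only the legitimate user who mistyped, while the attacker’s 18 failures spread over 6 accounts never trip it; the per-source view flags the attacker but says nothing about individual accounts, which is why the operator in the thread falls back to resetting everyone who has not changed their password since the leak.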
Not a fan of mandatory changes.
It’s the lazy way of administration.
But whatever, ill change my password, not because its mandatory but because its good practice.
I hate to change my passwords. If this happens I will invent one and afterwards change it back to the old one.
UNLESS there is a security issue for which we are getting forced to change the password.
Asura thing.
I fail to see why a forced password change is required on top of the already irritating ‘new IP wait 10 minutes for an email to log in’ thing I already had to put up with.
Suggesting we change it is one thing, but forcing us to do it? Seriously? Makes me wonder if I can even be bothered or I just won’t change it and not bother to log in anymore.
Weird how such a small and meaningless demand can be so infuriating.
This is frustrating. I came up with a very nice algorithm to make sure my password was 100% UNIQUE (exclusive to GW2) and the algorithm is also the means to remember it. Because of this, I’m going to have to come up with a new algorithm. Merely slapping on one new character would be more difficult to remember than sticking to the method I setup…
Unless Anet were to say this is because they were in fact breached, I find this very unreasonable.
I thought that this was only affecting the players with confirmed compromised passwords that hackers are attempting to use, who have to do this?
This thread is pure lolcat bait.
I has ur passwerdz?
I thought that this was only affecting the players with confirmed compromised passwords that hackers are attempting to use, who have to do this?
Reads to me that if you made your account before Sept 12th and you’ve ignored the ‘change your password plx’ message on the launcher, then you will be forced to change it if you want to continue playing.
The blacklisted passwords seem only relevant via the fact you may not choose one when forced to pick your new password.
And how is ANet supposed to know yours isn’t one of them? I’d imagine they’re trying username and passwords, one by one, with some variations on passwords until they run into the lock out. If they hit the lock out, move on to the next one in the list.
Yes, it stinks that they feel this is the best course of action. But I don’t blame them for doing it. Reduces number of tickets they’ll receive due to the hacked database causing stolen accounts. Which means CS can spend more time on more important matters.
First of all, I thought the problem was originally that there was a list of usernames + passwords that was floating around from compromised sites. It should be trivial to flag accounts based on this.
Secondly, they could compare our hashed passwords in their databases with the hashes of the blacklist passwords? Considering that this is from September such a comparison program would have finished long before now. Forcing us all to change passwords 4 months later isn’t the best way to protect our security or lighten CS’s workload. If that was their goal, they should have done it in October, or even September.
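The question in the post above, whether the operator can compare stored password hashes against the blacklist offline, turns on how the passwords are stored. The block below is an added example written for this page, not ArenaNet’s storage scheme; the users, salts and blacklist are constructed, and the PBKDF2 iteration count is kept low so the example runs quickly. It shows the cost with per-user salts and a slow hash (every blacklist entry re-derived under every user’s salt) next to the one-lookup shortcut an unsalted fast hash would allow, which is the same shortcut an attacker with a stolen table gets.

```python
"""Flagging existing accounts whose stored password is on a breach list,
without anyone logging in. With per-user salts there is no shortcut: each
blacklist entry must be re-derived under each user's salt.

Added illustration, not ArenaNet's storage scheme; users, salts, blacklist
and the low ITERATIONS value are constructed for this example."""
import hashlib
import hmac
import os

BLACKLIST = ["password1", "letmein", "qwerty123"]
ITERATIONS = 20_000   # example value; production PBKDF2 counts are much higher


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def sha256_of(password: str) -> bytes:
    """Unsalted fast hash, shown only as the storage scheme NOT to use."""
    return hashlib.sha256(password.encode()).digest()


def make_user(name: str, password: str) -> dict:
    """Constructed user record: random per-user salt plus salted slow hash."""
    salt = os.urandom(16)
    return {"user": name, "salt": salt, "hash": derive(password, salt)}


USERS = [make_user("alice", "password1"),
         make_user("bob", "correct horse battery staple"),
         make_user("carol", "letmein")]


def flag_salted(users, blacklist=BLACKLIST):
    """Cost is users x blacklist x iterations: the salt defeats the
    precomputed table for the operator exactly as it does for an attacker.
    Returns (flagged user names, number of derivations performed)."""
    flagged, work = set(), 0
    for u in users:
        for pw in blacklist:
            work += 1
            if hmac.compare_digest(derive(pw, u["salt"]), u["hash"]):
                flagged.add(u["user"])
                break               # first hit is enough for this user
    return flagged, work


def flag_unsalted(hashes_by_user: dict, blacklist=BLACKLIST):
    """Unsalted fast hash: one precomputed set, constant work per user.
    Whoever steals the table gets the same constant-time lookup, which is
    why this scheme makes the offline comparison cheap and the dump lethal."""
    bad = {sha256_of(p) for p in blacklist}
    return {user for user, h in hashes_by_user.items() if h in bad}


if __name__ == "__main__":
    print(flag_salted(USERS))                      # ({'alice', 'carol'}, 6)
    print(flag_unsalted({"dave": sha256_of("qwerty123"),
                         "erin": sha256_of("unique passphrase")}))
```

For a few million accounts and a blacklist of tens of thousands of entries the salted comparison is a batch job measured in CPU-days, not something that runs in the login path; that, rather than impossibility, is the trade-off behind a blanket "change it if you set it before date X" reset.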
I’ll repeat it again:
NOTHING has been said that it’s going to be regular password changes. This is the forced password change they mentioned way back in September last year.
This- if you changed your password after September back when you got the suggestion prompt you are fine- if you didn’t, you change it now.
This is exactly what they said they were going to do back then already.
Don’t buy gold and you will not get hacked.
I get it, A.Net hates casual players. I myself am a casual player and I am not a minority anymore! You have to listen to us casual players because we paid money for the game and we are entitled, yes ENTITLED, to play the game the way we want. I don’t have time all day long remembering complicated passwords like some unemployed nerd that plays games 24/7. I still want to use passwords like test123 or thisismysecretpassword. YOU HEAR ME A.NET?
Currently playing Heart of Thorns.
Or let’s just delete this post, infract me and send ninjas to my house?
This is the most probable result. Especially the ninjas part.
That makes me strongly suspect ANet might have had their database accessed. This is both annoying and worrisome.
In that case they would have made everyone change their passwords and not just people since September. Also, I think it’s by law that they have to tell customers if their database has been breached?
I’ve worked in IT since 1994, I know what a good password is (and why it’s a BAD idea to use e-mail addresses for user names, incidentally… giving away half the information required to hack an account pretty much for free).
My password is already strong. Changing it isn’t going to make it MORE secure. It’s a friggin long string of random characters already. So I consider the mandatory change to be a big pain in the behind.
On the other hand, 2 guildmates were confirmed as hacked. A third might be (toon seen on line, but not responding to guildmates). So I guess it may be better if we bear with it.
Also… dear male players: choosing words referring to the female anatomy for passwords… or car brands, or alcohol brands… is not smart. They’re ALL in the top 100 of most used (and most hacked) passwords. =p
Not a fan of mandatory changes.
It’s the lazy way of administration.
Mandatory changes every few weeks/months = lazy/bad idea anyway.
Mandatory changes when they have a list of weak passwords plus a list of accounts that weren’t protected by a security feature introduced after the game launched, as in this case = good idea.