(edited by Horrorscope.7632)
On the Mandatory Password Change
that makes me strongly suspect anet might have had their database accessed. this is both annoying and worrisome.
Agreed.
- Colin Johanson while spamming key 1 in GW2
I had to dig a bit, but did find the blog where they explained and already announced the password reset:
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
It looks like it will only be needed once.
can people stop being a bunch of [insert appropriate word]? how can changing a password be so kitten difficult? just changing your password instead of whining about it here will have it done before you’d have finished writing your post. if you have a super easy password to remember like “myhouseisred” and maybe even your address after. then change it to an equally easy password like “mybikeisblack”. (don’t use these passwords). it’s super easy to make a new password. and even if it won’t help you it will help in general. maybe they save 100-1000 accounts from getting hacked this way. and changing your password to help those people is the least you can do.
don’t use that “check my password” website as very few hackers are trying to get to your password via brute force.
as esya.3427 said. this blog gave a heads up. http://www.youtube.com/watch?feature=player_embedded&v=fhVTTQD8G7Q
it’s only those who didn’t change their password after the blacklist introduction in September. so if you bought the game after that date. you don’t need to change it. as the account name/password the hackers got already made it to the blacklist.
and there has been no breach in A-net’s database. if so, we would ALL get forced to change our password. use your common sense please.
I honestly can’t tell if the complaints here are trolling or not.
it’s a one time task that takes all of ten seconds to accomplish and helps protect your assets.
Northern Shiverpeaks
I always keep different and even random gibberish passwords everywhere I am on the internet. Here I’m doing four random words only unique to my personality and what I like that no one can guess unless they know me personally (only one person can do this and he wouldn’t even give a kitten). Even if one part is found (can happen in my password structure) They don’t know me personally and can’t get to any of the other parts by machine generation. I do follow the xkcd method. I decided to change my password today anyways as I want to be even better at what I do.
It’s not like they’re hassling everyone with the 30 day password change business.
They want people to change the password, once. I think those of us that changed it when they suggested it a while back (months ago) don’t even have to do it again.
You’ll be fine, I promise. It isn’t even worth thinking about. 6 months from now, maybe they’ll ask you to change it again. It’ll be fine then too.
Is a password change really that difficult? I welcome it as most users don’t change them enough.
Do what I do, use KeePass 2 to hold and encrypt all your passwords, then use the built in generator for your password. Once you put it into GW2 you don’t need it again unless you log in from a different IP, but there’s an app for iPhone and Android if you need it.
Every single one of my passwords is different and not repeated this way, never had an issue so far with any online account.
The first thing you learn in any computer security course is that people and the passwords they choose are the weak link. I love the fact that ANet is proactively mandating a change.
Because some people can’t keep their accounts safe – everybody has to suffer. Sucks but it is the way life is.
Has nothing to do with how ‘difficult’ it is to change a password. It has to do with the fact that some random guy over there (point) and his actions cause effect on me.
Since the launch of GW2 the ArenaNet we know and love from GW1 died a quick death, and this new draconian Anet was born. This is another example of them shoving stuff down people’s throats rather than working to better their own infrastructure.
Not as if they even have to invent their own security, it’s 2013 there is a litany of past mmos and security measures to learn from.
An ‘optional’ password change, or ‘recommended’ password change would suffice. ‘Mandatory’ is very Orwellian.
Judging by some of the comments, a lot of people have neither read the actual blog post nor have they read the one from Mike O’Brien back in September. So let me give you a TL;DR version that should hopefully clear up some concerns/questions:
- No, we have not been compromised.
- We announced in September that we will do this mandatory change at some point. This point is now.
- If you have changed your password after September 12, you are fine, no action required.
Judging by some of the comments, a lot of people have neither read the actual blog post nor have they read the one from Mike O’Brien back in September. So let me give you a TL;DR version that should hopefully clear up some concerns/questions:
- No, we have not been compromised.
- We announced in September that we will do this mandatory change at some point. This point is now.
- If you have changed your password after September 12, you are fine, no action required.
For added clarification, I was under the impression that this is in regards to anyone who used a blacklisted password. I’ve never received such a notification, hence I did not change it. Will I be required to change it now?
“Whose Charr is this?”- “Ted’s.”
“Who’s Ted?”- “Ted’s dead, baby. Ted’s dead.”
Judging by some of the comments, a lot of people have neither read the actual blog post nor have they read the one from Mike O’Brien back in September. So let me give you a TL;DR version that should hopefully clear up some concerns/questions:
- No, we have not been compromised.
- We announced in September that we will do this mandatory change at some point. This point is now.
- If you have changed your password after September 12, you are fine, no action required.
For added clarification, I was under the impression that this is in regards to anyone who used a blacklisted password. I’ve never received such a notification, hence I did not change it. Will I be required to change it now?
If you have changed your password after September 12, no. If you still use a password you created before September 13, you will have to change it. Pretty straightforward.
If you have changed your password after September 12, no. If you still use a password you created before September 13, you will have to change it. Pretty straightforward.
Okidoki, thanks.
“Whose Charr is this?”- “Ted’s.”
“Who’s Ted?”- “Ted’s dead, baby. Ted’s dead.”
I’m pretty sure my password was changed after September 12th, but is there any way for us to check short of just waiting to see if we’re forced to change it? I don’t want to change my password if I don’t have to, but will happily do so if I need to. I’d rather do it sooner than later so it doesn’t sneak up on me is why I ask.
I’m pretty sure my password was changed after September 12th, but is there any way for us to check short of just waiting to see if we’re forced to change it? I don’t want to change my password if I don’t have to, but will happily do so if I need to. I’d rather do it sooner than later so it doesn’t sneak up on me is why I ask.
After you log into the launcher, but before you launch the game, you will get a news screen. If you are going to be targeted by the password change, you’ll see a red bar up telling you that you REALLY should change your password.
If you don’t see it, you’re golden.
can people stop being a bunch of [insert appropriate word]? how can changing a password be so kitten difficult? just changing your password instead of whining about it here
You are correct. Here’s to you not being the one that for some reason has a problem with it when something happens and then you are locked out for days. You know this is RNG too.
I know several people have mentioned KeePass. There’s also RoboForm. You do have to buy RoboForm, it’s not freeware, but it comes with a lot of good features and is a bit more straightforward for those who may not be even remotely computer savvy. My father-in-law, an otherwise brilliant professor, had a lot of difficulty getting KeePass to work for him – he didn’t find it as intuitive as he’d like. RoboForm fit the bill for him – he particularly likes the “safe notes” feature and the fact that he can add additional information to each Passcard such as answers to security questions.
But again, RoboForm isn’t freeware (or open source) like KeePass is, so that’s certainly something to keep in mind if you’re looking for password software. Either way, both options definitely make it MUCH easier to have different logins for every site and game without having to try and remember them all.
LastPass is another. Then there are just apps that are loaded on your computer to generate and store passwords. The reason online ones are good, is you can be anywhere and get it. I don’t even know my email password anymore.
RoboForm fit the bill for him – he particularly likes the “safe notes” feature and the fact that he can add additional information to each Passcard such as answers to security questions.
You can also do this with Keepass as well. Keepass also keeps a history of your previously used passwords, and when set up right, can auto-enter the username/password with a single key combination, a feature I find pretty useful.
You can also do this with Keepass as well. Keepass also keeps a history of your previously used passwords, and when set up right, can auto-enter the username/password with a single key combination, a feature I find pretty useful.
That’s great to know, thank you!
When FIL was having such trouble with KeePass (and I didn’t have a lot of free time at the time to help him learn it), I switched us both to RoboForm… so that’s the only one I’m really familiar with at this point. I’ll be taking a much closer look at KeePass now – it may be that I’ll switch back when my RoboForm license expires. I was always very satisfied with it, it just seemed easier to have us using the same software so I could help him with any difficulties. I doubt Dad’ll be switching… “old dogs” & new tricks, not such a great combination apparently. LOL
My constant willingness to help him with his PC is probably why he’s been telling me for years that I am “the best daughter-in-law ever born.” LMAO
You can’t use the same password on multiple accounts?
I have three accounts. They have a pretty secure password (’incorrect’ is secure, right?) but I’m sharing that same password across all three accounts and I haven’t changed it since the game went live.
So...fine, you are making me change the password. I change the first account from ’incorrect’ to ’incorrect1’. It works. Great.
I change the second account from ’incorrect’ to ’incorrect1’. It tells me it’s already in use. What?
OK, fine. I change the second account from ’incorrect’ to ’incorrect2’. It works.
I change the third account from ’incorrect’ to ’incorrect2’ and it tells me it’s already in use.
All this is being done over the same IP, though the emails and account names are different, not linked. Is this game trying to tell me that I can only use a password once per IP?
Yes, I know it’s silly of me to be using a globalized password. That’s not the point. Does each account on a single IP have to have a different password and, if not, what is going on in my situation?
I mean, I’ll just go grab different IPs to have them all the same again but now I’m curious.
edit: Actual error
Unavailable password. You or someone else has used it before, or it’s on a known list of passwords stolen from other games or websites. Please use a new, unique password for your Guild Wars 2 account. We recommend a new one made with four random, unrelated words, as shown in this comic strip.
This leads me to believe that EVERYONE has to have a *unique* password. I can’t have the same as Jason’s who can’t have the same as John’s.
(edited by perfect.5198)
I highly doubt someone would hack the database, because if they did, my super secret password would have been found :P…
Anyways, most security people nowadays know better than to store passwords in plain text. Most likely, it was saved in SHA-1/2/etc, and then possibly encoded using AES.
It would take computers YEARS to just bruteforce one password.
Now, the easier way and most common way passwords are gotten are not from hacking the server, but installing keyloggers on the client.
This is especially the issue for people who use gold sites and happen to register with the same exact login info for their gw2 account.
The forced password change is just passwords on a blacklist. So change it… blacklist passwords aren’t something you want to use anyways.
can people stop being a bunch of [insert appropriate word]? how can changing a password be so kitten difficult? just changing your password instead of whining about it here
You are correct. Here’s to you not being the one that for some reason has a problem with it when something happens and then you are locked out for days. You know this is RNG too.
I’m not quite sure of what you meant with your post… but anyway. i saw your earlier post and that sounds like a horror movie. I’ve never had any problems with my passwords. I have however received a login attempt from china. (note; I live in sweden). so i realized that my password has been compromised and i have now changed passwords everywhere. Anet’s info and dedication have improved my internet security as a whole and that alone is worth the money I gave for this game. I didn’t know this info about the hackers until i read that blog post. +1 for Anet.
I was saved because of the authentication system. but other people might not be so lucky.
change a password, save an account
can people stop being a bunch of [insert appropriate word]? how can changing a password be so kitten difficult? just changing your password instead of whining about it here
You are correct. Here’s to you not being the one that for some reason has a problem with it when something happens and then you are locked out for days. You know this is RNG too.
I’m not quite sure of what you meant with your post…
For some this change will fail and they will be locked out and they’ll be kitten off. It will happen, basically it’s RNG. We will read this in the Tech Section the day it goes into effect. Hopefully it’s not you, because you will change your tune on the whole deal, it’s just a simple password change.
My company a couple weeks ago changed their password rules for login at the web site, the steps were clear, but boy did the phones blow up.
Until you have the problem, it really can’t be appreciated. That said, it is simple like you state and if it has to be done, then so be it.
People will complain about ANYTHING in these forums.
Just do it and move on, seriously what’s the problem? Maybe they are reworking something in their system and need to have people change their PWs.
Stop making it all about you.
People will complain about ANYTHING in these forums.
Just do it and move on, seriously what’s the problem? Maybe they are reworking something in their system and need to have people change their PWs.
Stop making it all about you.
wouldn’t be the first time they lied to us
I have a big red bar when I login but I have not changed my password because it is complex and unique to Guild Wars 2 as are all of my passwords on all sites I use. The only way my password is a problem is if Anet itself has been compromised.
A more reasonable policy would be for you to check to see if I am using a blacklisted password and force me to change it if I am. It is not reasonable to force me to change a password because I MIGHT be using one.
People complain for anything nowadays… sigh.
However, I must agree with previous comments of using email as username being an utter fail.
M: Bladedancer – N: Scourge – En: Occultist – Ra: Swampstalker
T: Sharpshooter – G: Sunspear – Re: Hierophant – W: Corsair
the “database” also consists of your password with caps lock on or off. Just FYI. In fact there is even more to it than that based on my analysis but seriously, choose a secure password, and don’t try and use xkcd’s suggestion as that 2000 word database is now in every autohack library available. In fact i question why anet would promote that specifically.
Not only that, they just opened up people to keyloggers who were perfectly safe before because they used autofill.
I have a big red bar when I login but I have not changed my password because it is complex and unique to Guild Wars 2 as are all of my passwords on all sites I use. The only way my password is a problem is if Anet itself has been compromised.
A more reasonable policy would be for you to check to see if I am using a blacklisted password and force me to change it if I am. It is not reasonable to force me to change a password because I MIGHT be using one.
unfortunately such a database, and the entire process of informing you to and making sure you do something about it, creates its own security breach.
Be assured that the “database” is more of an algorithm than a list. This whole exercise is one way to increase password strength across the board, although negative aspects affect those with already strong passwords and safer practices more than those who have no clue.
Why? Were you hacked Anet? Is someone out there sitting on my information or something?
Do you even lift, bro?
It has to do with password blacklisting.
You can read all about it here:
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
Warning: wall of text
I am yet another one who is using a ‘completely unique no way that my password could possibly be used by someone else’ in addition to being only used for this game. the numbers involved are actually relevant to the word pattern so incrementing would be just as bad as changing one of the words.
by requiring me to change my password you make it MORE likely for me to choose one i use for a different game (which i no longer play) that (was) technically unique, than it is for me to memorize a brand new one, compromising the security of both logins. assuming of course that account wasn’t compromised and someone didn’t get my account blacklisted from that password already.
i have several types of passwords, each with patterns. first the ‘i don’t care if this thing is hacked because quite frankly i think they will sell my email and spam me’ pass. email accounts themselves (all unique but woefully old passwords), real life involved stuff (banks etc.) true random gibberish passwords i just hit password reset on when i need in, junk game logins (similar to junk sites but different pattern). and then valued games (steam, anet, blizzard)
could i generate a brand new truly unique password? sure. is it the easiest path? no. human nature is to follow the path of least resistance. while ANET may feel they’re successfully improving security by using a password that’s never been seen before… most of the population will just randomly increment or re use passwords until it successfully goes through the system.
that try your password website (no i didn’t use a real one, just a modified pattern) is a joke btw. using an assumed 4 billion passwords per second. different password hashes have different calculation times. (and if the hashes were also encrypted with no clues on when you successfully decrypted the hashes and can now compare them, good luck). It’s quite easy to buy computational time or hooking multiple computers in parallel, driving 40 days down to 1 minute. Additional note: compared to hashing a password, looking up matches in a list of all known hashes is trivially fast. It may take 5 hours to brute force 1 password, it will also take 5 hours 2 minutes to brute force 100000 if they have the same allowed keys and length.
unless the password database is compromised, brute forcing just will not work. (number increment brute force is the only thing that has a shot before the account is disabled). most cases nowadays attack lazy reuse, phishing, or keyloggers. i am practically immune to the last 2 >=)
that makes me strongly suspect anet might have had their database accessed. this is both annoying and worrisome.
Then you haven’t been paying attention.
ANet began tracking the passwords being attempted during unauthorized account access attempts some months back after Blizzard’s database was compromised. From this, they’ve built a database of passwords they know are compromised and/or being tried by those who want to access someone else’s account.
This password change is forcing people to choose passwords that do NOT show up in the database of potentially compromised passwords that they’ve amassed.
Incidentally, in regards to other comments, this also means that if the individual seeking to compromise accounts is using software that varies the password by a character or a few characters, (password1, password2, etc.), the database will reject an attempt by a rightful owner to change their password in such an easily compromised manner.
Will this completely stop accounts from being compromised? Unlikely – people continue to be amazingly stupid about their choices when it comes to account security, and there will inevitably be someone who changes their password here… and promptly goes to every forum & game & social networking site they use and change all those passwords to the new one they selected for here. But that’s on them. They’ve chosen to essentially stick a big flashing neon sign out there that says “HERE’S MY PASSWORD!!!”
Nah, actually what i see is people blaming blizzard for anet failure. I change my password every once in a while, when i feel it is time to do so. now anet is forcing me to change my password. while anet fanbois will blame blizzard (like blizzard fanbois will blame anyone else), that “forced change” makes me think they probably had some kind of security issue. my main concern is: did anet’s database leak? and, if so, is my credit card info safe or it might have leaked too?
Serious things should be taken seriously. I want to know if Anet is failing to protect only my password or if it is failing to protect my credit card info as well.
It has to do with password blacklisting.
You can read all about it here:
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
This is what Anet says. But I don’t really trust them.
http://howsecureismypassword.net/
316 Octillion Years !
http://howsecureismypassword.net/
316 Octillion Years !
Mine only takes 6 billion years to crack!
Time to make a more secure one!
“A release is 7 days or less away or has just happened within the last 7 days…
These are the only two states you’ll find the world of Tyria.”
Well GJ Anet! Since I already had a unique password that was different from the others I have, now I’ll have to put one I use on another game/site. Great way to make me less secure!
I find it amusing that they’re telling me I need to change my password to pretty much what my password already is… just… not that password, because those existing before February are cursed or something.
EDIT: wait, the curse begins in September, it just manifests in February.
(edited by LameFox.6349)
http://howsecureismypassword.net/
316 Octillion Years !
Imagine making a site like that, which records the entered password + the site that person was linked there from.
That would be hilarious. I wonder if there would be a way to link it to their account, or if you’d just need to get a lot of passwords collected and cycle through emails/usernames until every so often one matches.
With all this emphasis on security, riddle me this:
Why do you force me to use the same password for GW and GW2?
If someone hacks one, they now have the other…
i did a quick check on the howsecure site, there is no followup communication with any server according to my web proxy and i didn’t see anything really fishy in the javascript. but of course it’s just stupid to use your actual password.
The new password system is horrible, and actually less secure than ever.
It looks like if you choose a password that someone else has already chosen, then the system tells you “the password has been used by you or someone else before, or is on the bad list”
So an ideal way for hackers to create a password list containing “currently used” and bad passwords. Then by removing the obvious bad and the ones from other password lists you get a list with a lot of currently used passwords.
The new password system is horrible, and actually less secure than ever.
It looks like if you choose a password that someone else has already chosen, then the system tells you “the password has been used by you or someone else before, or is on the bad list”
So an ideal way for hackers to create a password list containing “currently used” and bad passwords. Then by removing the obvious bad and the ones from other password lists you get a list with a lot of currently used passwords.
All I have to do now is make a script to change my password. For every ‘someone else is using this’ error, I know that someone, somewhere in game has this password. I cycle that list against the email addresses and I now have the usernames and passwords for people.
By telling us that someone is using the password already, you are giving account thieves information that they can use to compromise more accounts, not less.
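A server-side sketch of the password-change check discussed in the posts above (blacklist lookup, trivial variants such as password1/password2 or caps lock, and the concern that the rejection message can be probed by a script). This is an added example, not ArenaNet's code and not from any poster; the class, function names, key, limits and messages are hypothetical. It assumes variants are collapsed by case-folding and stripping a trailing digit run, that the list stores only keyed fingerprints, and that change attempts are throttled per account.

```python
import hashlib
import hmac
import re
import time

# Constructed values for this example only; a real service would load the key
# from a secret store and tune the limits to its own traffic.
BLOCKLIST_KEY = b"constructed-demo-key"
MAX_ATTEMPTS_PER_WINDOW = 5
WINDOW_SECONDS = 3600

# One message for every rejection reason, so a caller cannot tell "in use by
# another account" apart from "seen in a stolen list".
GENERIC_REJECTION = "Unavailable password. Please choose a new, unique password."
THROTTLED = "Too many password change attempts. Try again later."


def normalize(password: str) -> str:
    """Collapse trivial variants: letter case and a trailing run of digits."""
    folded = password.casefold()
    stripped = re.sub(r"\d+$", "", folded)
    return stripped or folded  # an all-digit password keeps its digits


def fingerprint(password: str) -> bytes:
    """Keyed digest used only for list lookup, never for credential storage."""
    data = normalize(password).encode("utf-8")
    return hmac.new(BLOCKLIST_KEY, data, hashlib.sha256).digest()


class PasswordChangePolicy:
    """Hypothetical policy object: blocklist plus per-account attempt throttle."""

    def __init__(self, clock=time.monotonic):
        self._blocked = set()   # fingerprints only, no plaintext
        self._attempts = {}     # account -> timestamps of recent attempts
        self._clock = clock

    def block(self, password: str) -> None:
        """Record a password seen in a stolen list or a failed login attempt."""
        self._blocked.add(fingerprint(password))

    def _throttled(self, account: str) -> bool:
        now = self._clock()
        recent = [t for t in self._attempts.get(account, [])
                  if now - t < WINDOW_SECONDS]
        self._attempts[account] = recent
        if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
            return True
        recent.append(now)
        return False

    def try_change(self, account: str, new_password: str):
        """Return (accepted, message) for a password change request."""
        if self._throttled(account):
            return False, THROTTLED
        fp = fingerprint(new_password)
        if fp in self._blocked:
            return False, GENERIC_REJECTION
        # An accepted password becomes unavailable to every other account.
        self._blocked.add(fp)
        return True, "Password changed."


if __name__ == "__main__":
    policy = PasswordChangePolicy()
    policy.block("incorrect")  # constructed sample entry
    print(policy.try_change("acct-a", "Incorrect2"))
    print(policy.try_change("acct-a", "four random unrelated words"))
```

The throttle counts every attempt, accepted or not, so a script cycling candidate passwords through one account gets at most five answers per hour in this configuration.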
i did a quick check on the howsecure site, there is no followup communication with any server according to my web proxy and i didn’t see anything really fishy in the javascript. but of course it’s just stupid to use your actual password.
lol, I don’t think it’s actually doing that, it just seemed like it would be a really funny way to get passwords.
Well GJ Anet! Since I already had a unique password that was different from the others I have, now I’ll have to put one I use on another game/site. Great way to make me less secure!
Well, after reading through this travesty of a thread, I feel I could help some of you who find it too difficult to create a new “unique” password. My wife made me promise to compose this in a way that is least likely to get me infracted. I’ll do my best. Whatever you do, do not reuse passwords.
Easy ways to create a new “Unique Password.”
Method 1.
a. Look around the room you are sitting in.
b. Find a thing that looks like a stack of paper that is surrounded by two thicker
pieces of paper (sometimes these are hard). Pick this up. It is called a “book.”
If you don’t see a book anywhere near you, get out of your chair and look
around. You may actually have to look in another room.
c. Open the book anywhere observing that the letters look like the language
you’ve been taught to read. If they don’t, you have the book upside down
(or you’ve picked up an instruction manual in multiple languages; in this event,
find the section in your language and reopen to a page in that section.)
d. Find the first word on the page – write it down.
e. Find the page number – write it down.
f. Find the last word on the page – write it down.
NOTE: for even more randomness, use the word that matches your birthday.
i.e. if you were born on the 5th, use the 5th word and the 5th word from the
end.
g. Make your password firstwordpage#lastword. Capitalize some of the letters.
h. You now have a random password. Keep a private HANDWRITTEN journal
somewhere that tracks your password. To be even more secretive just write
the site/game name and the name of the book and the page number.
If you are unable to locate a book in your entire house, go to a library. (I’ll avoid snarky comments about learning to read, getting off of your computer and out of your basement, etc.)
Method 2 – If Method 1 is too confusing or too complicated for you.
a. Place your right hand (or left hand, if left-handed) with the palm firmly against
the back of your head.
b. Lean in real close to your keyboard so that you can clearly see the keys.
c. With a rapid movement pull your head down until your face makes full contact with your keyboard. Hint: The more times you repeat this step, the more secure your password will be.
d. Write down the sequence you see on your screen once your vision has cleared.
e. See step h above.
I hope this helps some of you password-challenged individuals.
Just my two coppers worth,
Proud member of the Ring of 1000
(edited by Rabbi Rick.3194)
XD You, Rabbi Rick, win an internet.
I have the two step authorization set up with my email account. A password on my account isn’t even needed as no one can access my account without access to my email. I don’t like mandatory password changes. My account security is my own business and my own problem.
- Mike Obrien
Rabbi Rick – Or just download a random password generator and click generate. Done.