On the Mandatory Password Change

in Guild Wars 2 Discussion

Posted by: Chessrook.8643

Rabbi Rick – Or just download a random password generator and click generate. Done.

His methods are more secure (As in less chance of going to a site that has spyware on it) and more funny.

Posted by: Rabbi Rick.3194

On a more serious note,

To all concerned -

Account security is never JUST the user’s problem. Rare is the user, especially a player in a game that demands a great deal of time, attention, and in some cases, capital, who does not demand that the company fix or restore their account after said account has been hacked, whether by brute force or user error.

I’ve been involved in the computer and Internet industry for more than two decades. Whenever the security of a user account relies solely on a password, it is not uncommon for the administrators to require a mandatory password change. Furthermore, it is also not uncommon for said change to have strict guidelines about the reuse of an already expired password. Kudos to Anet for taking it a step further and also banning the use of commonly known or tried passwords. (You would not believe the number of people who, over the years, actually use “password.”) Currently, I work at a major University that REQUIRES a password change every 90 days. There are many methods by which a person can make such changes effortlessly. While I myself do not use outside program generators, they do work for some. You can use the book method I describe above. You can use a Base password with some random additions (Kim Komando has an article on this method). Whatever your method, in my considerable experience, the effort to change a password and remember it is far less of an inconvenience than recovering an account, losing credit, or opening other accounts to possible hacks because your effort simply involved adding a “1,” “2,” or “3” to the end of the word you use on every site/game/account you’ve ever owned.

Just my two coppers worth,

Rabbi Rick
Proud member of the Ring of 1000

(edited by Rabbi Rick.3194)

Posted by: Shlamorel.8714

My only problem with the password change is that you can’t change it to passwords you’ve used in the past.

I’m now on variation c to the square root to the 23rd power of my original password… It’s just kinda frustrating.

Posted by: Dante.1508

Problem with your method, Rabbi Rick, is I lose said paper, and 3 weeks later I’ve forgotten my password, in which case I’m Kittened..

Posted by: Chessrook.8643

Problem with your method, Rabbi Rick, is I lose said paper, and 3 weeks later I’ve forgotten my password, in which case I’m Kittened..

Well that’s a problem with ANY password.

Posted by: Rabbi Rick.3194

Dante,

Which is why I said a “Handwritten Journal.” If you keep a little black book, you are far less likely to lose it (although I’ve misplaced mine in the clutter of my desk occasionally, it’s a book, so more readily found.)

Rabbi Rick
Proud member of the Ring of 1000

Posted by: gebrechen.5643

I have no problem with changing my password, but can you tell me why the account menu tells me that my new password was already in use by someone else instead of telling me that there are some characters not allowed?

I really don’t think that anybody used:

#Guildw4r$.2<3angewandt3phys1k@

before I did a few minutes ago.

Some people die on epidemic, other have skill.
- great warlord Waha of Sea 2981bc

Posted by: wildcode.5403

It is a good thing to change your password. Recently I had 2 email accounts hacked. Both used different “strong” passwords which were not used anywhere else. One email account was previously associated with my GW1 account, but was no longer at the time my emails were hacked.

Change your password, reduce the risk of getting hacked.

Posted by: gebrechen.5643

Nice, I can’t change it at all. Every time I change it to something else I get that message, no message or a page error.

Maybe you should fix that first, ANET.

Some people die on epidemic, other have skill.
- great warlord Waha of Sea 2981bc

Posted by: Karmic.5964

I changed my password after the blacklist was made, the first time you told us to change our passwords.

Now I am still being told that I have to change my password. Annoying.

Posted by: Sousui.1635

To everyone who didn’t bother reading the text, the mandatory password change is pretty much a one time only thing. Their password scheme has not changed since the beginning of Guild Wars 1 and the password requirements then were very loose.. didn’t even require a number. This is simply forcing a new password to be created under the new guidelines (which are not that much stricter).

Posted by: Cribbage.2056

http://howsecureismypassword.net/

let’s find out…
it would take 6 billion years for my GW2 account, 377 billion years for my e-mail and 345 quintillion years for my steam account for the brute force method of an average PC to hack me.
septillions can be easily achieved when adding symbols.

i should be safe for a while (yeah i know, that site isn’t that accurate about that)
btw…i didn’t get forced or suggested to change my password yet.

i assume, that a-net’s blacklist is created mostly by all the failed log-in attempts using popular phrases and names.

Yes, and by forcing you to change your password, Anet have just added a small risk of it being hacked during the change. Isn’t it great when people who don’t understand security get to mandate it to those of us who do?

Posted by: maddoctor.2738

I got one question about the password change:

If I understand correctly I will HAVE to change my password, what’s there to force me to keep the new one and not revert it back? From my understanding the whole purpose of this mandatory password change is for players to use passwords that are not on some kind of blacklist, so if you already have a very strong password, you can change it to a new one, then revert it. If your old password isn’t on the blacklist anyway, you should be able to change back to what you already had, right?

Posted by: Rabbi Rick.3194

Cribbage,
Please enlighten those of us who’ve only been dealing with computers and account security for two decades as to how forcing a password change increases the hack risk if users follow the guidelines?

Maddoctor,
Part of the new password change is that you will not be allowed to use any password that you have used previously (a common practice). Moreover, from what I understand, you will not even be able to use a password that another has previously used.

Rabbi Rick
Proud member of the Ring of 1000

Posted by: BrotherBelial.3094

Password changed. Simple as that.

i5 4690K @ 3.5Mhz|8GB HyperX Savage 1600mHz|MSI H81M-E34|MSI GTX 960 Gaming 2GB|
|Seasonic S12G 650W|Win10 Pro X64| Corsair Spec 03 Case|

Posted by: Death Reincarnated.3570

Those who have come here to complain have spent more time doing so than changing the password.

Proud member of Legion of Honour XIII

Do not click this link!

Posted by: Nenthil.4312

Honestly whole problem is not about “OMG! I have to change my password and I don’t want to!”. The whole problem is that ppl with good and great passwords have to change it because of some morons out there who couldn’t even think that one 8 letter word is not good enough for protection and got hacked because of their stupidity.
Let’s be honest, if they used a unique password for GW2 (according to the recommendation and common sense) the whole community wouldn’t be forced to change their passwords now.
And yes I’ve changed mine though I wasn’t pleased with the fact of creating new random letters/number configuration that I have to remember now :/

(edited by Nenthil.4312)

Posted by: Iruwen.3164

I have the two step authorization set up with my email account. A password on my account isn’t even needed as no one can access my account without access to my email. I don’t like mandatory password changes. My account security is my own business and my own problem.

What if somebody gains access to your mail? I guess you didn’t quite understand the purpose of a two factor authentication.

My only problem with the password change is that you can’t change it to passwords you’ve used in the past.

I’m now on variation c to the square root to the 23rd power of my original password… It’s just kinda frustrating.

That is common practice and default for corporate environments. Using the same password again would render a change useless.

by forcing you to change your password, Anet have just added a small risk of it being hacked during the change. Isn’t it great when people who don’t understand security get to mandate it to those of us who do?

Humbug.

Iruwen Evillan, Human Mesmer on Drakkar Lake

Posted by: Chamone.6890

Actually, random letter / number combinations are not great. They’re hard to remember, so you will tend to use the same one in many places, because your human brain can’t remember more than a couple of these silly passwords like R0ti4JfirH~3

You either end up using the same one everywhere, or getting something like KeePass, which to me just seems like an open invitation to a trojan…

Passwords which are far, far more easy to remember are ones like DogFaceHamsterFootball. These are easy to remember if you choose well (the human memory works on images, not words, so imagine a hamster with the face of a dog playing football) and can be customised to each individual thing you need to log into, so my Guild Wars password could be NornHoldingTwilightLaughing or something like that. If I do want to write it down as a reminder for myself, I can draw a cartoon, much more entertaining and secure than a list.

It’s actually much more difficult for a computer to crack a long password with only letters than a short one with a jumble of letters, symbols and numbers, and you’re much less likely to use it more than once, reducing the risk of that one site being hacked / compromised screwing up your whole life.

Don’t forget, big sites get hacked all the time. PSN, Hotmail and EA to name a few. How many of you used the same password for your PSN that you used for something else? The hackers downloaded every single username and password from PSN, and can sit there trying every single password on that list on every and any site they can think of.

You can buy the list of passwords and email addresses they stole pretty easily, and run bots which sit attempting every single one until you get a hit. I’ve seen a list of passwords which was circulating (over 300 million) and I was shocked to find a couple of my own logins on it, with my “unique” password which I used to use everywhere on it. If I can get 300 million passwords just through curiosity, imagine what a determined hacker can get hold of…

Anet have been seeing this on their end, people making millions of attempts to log in, cycling through lists of un/pw combinations and are taking some steps to help us avoid getting our stuff stolen, and avoid clogging up their support inbox with “Help I’ve been hacked” queries.

If Anet knows your password has been compromised, chances are any hacker knows it as well. It really takes 1 minute or less to come up with a good one for each site you visit, and you can make it fun too.

Posted by: Iruwen.3164

R0ti4JfirH~3 vs DogFaceHamsterFootball would be 1.74 centuries vs 1.83 hundred trillion centuries according to https://www.grc.com/haystack.htm (read the explanations for the given assumptions).

Iruwen Evillan, Human Mesmer on Drakkar Lake

Posted by: Horrorscope.7632

Question:

Let’s say my password is very simple like Home. That is one in 7.5 million combinations. That takes a very short time to break when you have free rein to attempt as many times as you like. However it is still 1 in 7.5 million.

So my question is this, how do outsiders get to bang that many attempts against something like GW’s before the game says “Ah no, we have locked your account, please contact us?”. I would think 10 chances every time you try before a successful should lock the person attempting out. Isn’t this a fair assumption that this would happen? So really the only way they can get in, is already knowing your password from using it somewhere else. Correct assumption?

So a unique password taking a trillion years to break, that is a crazy # of attempts and the server on the other end allowing someone to try so many fails and not raise a flag.

It seems simply having an uncommon unique password is really all that is needed. Length just past 4 even is 10’s of millions to 1.

(edited by Horrorscope.7632)
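The figures quoted in the two posts above (7.5 million for "Home", centuries for the two longer passwords) can be reproduced with a short calculation. This is an added example, not part of any post and not code from grc.com; the guess rate of 10^14 per second, the 7776-word list and the 10-attempt lockout are assumptions chosen for the demonstration.

```python
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
OFFLINE_RATE = 1e14   # assumed guesses/second for an offline cracking array
WORDLIST_SIZE = 7776  # assumed size of a Diceware-style word list

def alphabet_size(password):
    """Size of the ASCII character set a brute-force search has to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 punctuation marks plus the space
    return size

def haystack(password):
    """Number of strings of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def wordlist_space(word_count, list_size=WORDLIST_SIZE):
    """Search space when the guesser tries whole-word combinations instead."""
    return list_size ** word_count

def centuries(guesses, rate=OFFLINE_RATE):
    """Time to exhaust `guesses` at `rate` guesses per second."""
    return guesses / rate / SECONDS_PER_CENTURY

def online_hit_chance(space, attempts_before_lockout=10):
    """Chance that blind guessing succeeds before a lockout triggers."""
    return min(1.0, attempts_before_lockout / space)

if __name__ == "__main__":
    for pw in ("Home", "R0ti4JfirH~3", "DogFaceHamsterFootball"):
        print(f"{pw:24} haystack={haystack(pw):.3e} "
              f"centuries={centuries(haystack(pw)):.3e} "
              f"online={online_hit_chance(haystack(pw)):.1e}")
    words = wordlist_space(4)
    print(f"4 random list words: {words:.3e} guesses, "
          f"{words / OFFLINE_RATE:.0f} s at the offline rate")
```

The character-count figure treats a passphrase as random letters; the word-list figure is what remains if the guesser knows the scheme and the list, and it applies only to words picked at random. Neither number covers a password that already sits in a leaked credential list, which is tried first regardless of length.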

Posted by: Iruwen.3164

If somebody should ever gain access to the encrypted password or the whole database, there’s nothing said person could do with it because it would take insane amounts of time to find a collision. Even more without any knowledge of the exact cipher used.

Iruwen Evillan, Human Mesmer on Drakkar Lake

Posted by: Nenthil.4312

Chamone, that may be true. But I rather choose random letters/numbers and I never had an issue to remember them as long as they are 20 or fewer characters long. It’s just a matter of “visualisation”. Idk how to explain it better but all you have to do is imagine it and put some meaning behind them, i.e. in your password: R0ti4JfirH~3 it could go like this: R is the letter that stands for my 1st love name, 0 is the number of how many times he brought me bouquet of my favourite flowers that starts with the letter “t” and so on. That method of memorization works for me so I’ll use random password. And I don’t know how about you but I wouldn’t feel secure if my password was made entirely out of words with no numbers in it.

Posted by: WBL.6715

I remember coming from GW1 to GW2 and my password was greater than 17 characters, which caused an issue with me being able to log in to GW2, so I had to shorten my pw for GW2. Now they want long passwords… XD

Posted by: frans.8092

…So…fine, you are making me change the password. I change the first account from ‘incorrect’ to ‘incorrect1’. It works. Great.

I change the second account from ‘incorrect’ to ‘incorrect1’. It tells me it’s already in use. What? …

The what might be far worse than the what that you were thinking about.

They have built a feature that allows anyone to determine if any potential password is in actual use as a password.

In other words, their password-checker gives hackers a tool to generate a list of (valid) passwords…
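The difference between a reuse check that compares against every account and one scoped to the requesting user, as an added example that is not part of the post and not ArenaNet's code. `Account`, `change_global`, `change_scoped`, the blocklist entries and the iteration count are all hypothetical names and values; the global variant models only the behaviour reported in this thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value; production settings should be tuned higher
BLOCKLIST = {"password", "12345678", "guildwars"}  # constructed sample list

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    """Keeps this user's current and expired passwords as salted hashes."""
    def __init__(self, password):
        self.history = []
        self.store(password)

    def store(self, password):
        salt = os.urandom(16)  # fresh salt per stored password
        self.history.append((salt, _digest(password, salt)))

    def used_before(self, candidate):
        return any(hmac.compare_digest(_digest(candidate, salt), stored)
                   for salt, stored in self.history)

def change_global(accounts, user, new_password):
    """Models the reported behaviour: compares against every account."""
    if any(acct.used_before(new_password) for acct in accounts.values()):
        return "already in use"  # confirms somebody holds this password
    accounts[user].store(new_password)
    return "ok"

def change_scoped(accounts, user, new_password):
    """Checks only a public blocklist and the requesting user's own history."""
    if new_password.lower() in BLOCKLIST:
        return "too common"
    if accounts[user].used_before(new_password):
        return "you have used this password before"
    accounts[user].store(new_password)
    return "ok"

def demo(change):
    accounts = {"first": Account("old-one"), "second": Account("old-two")}
    return [change(accounts, "first", "incorrect1"),
            change(accounts, "second", "incorrect1"),
            change(accounts, "first", "incorrect1")]

if __name__ == "__main__":
    print("global:", demo(change_global))
    print("scoped:", demo(change_scoped))
```

In the scoped variant a rejection tells the requester something only about a public list or their own history, so two accounts can hold the same password without either learning it.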

Posted by: GrandmaFunk.3052

They have built a feature that allows anyone to determine if any potential password is in actual use as a password.

In other words, their password-checker gives hackers a tool to generate a list of (valid) passwords…

Except that this list would also contain all the black-listed passwords as well.

GamersWithJobs [GWJ]
Northern Shiverpeaks

Posted by: Spencer.1386

I have the two step authorization set up with my email account. A password on my account isn’t even needed as no one can access my account without access to my email. I don’t like mandatory password changes. My account security is my own business and my own problem.

What if somebody gains access to your mail? I guess you didn’t quite understand the purpose of a two factor authentication.

My only problem with the password change is that you can’t change it to passwords you’ve used in the past.

I’m now on variation c to the square root to the 23rd power of my original password… It’s just kinda frustrating.

That is common practice and default for corporate environments. Using the same password again would render a change useless.

by forcing you to change your password, Anet have just added a small risk of it being hacked during the change. Isn’t it great when people who don’t understand security get to mandate it to those of us who do?

Humbug.

You can’t access my email unless you have access to my phone. So unless you’ve mugged me of my phone and gained access to both my email and game passwords you still can’t get in. But thanks for being rude.

“Otherwise, your MMO becomes all about grinding to get the best gear. We don’t make grindy games.”
- Mike Obrien

Posted by: Guardian Of Tyria.6397

I liked my password that I had, it was unique to GW and I knew it…..now I had to make a new one. I am required to change my passwords for work every 6 months and can’t use the last 6 or 10 that I have used (can’t remember which)…there are only so many passwords I can remember between multiple different games, 3-5 email accounts, my voice mail, and many other things.

I would have much rather had an opt out option that had a warning attached to it that would go something like “By not changing your password you acknowledge that you are increasing the risk that you will have unauthorized access to your account which may result in its termination and also absolve Arena Net of all responsibility if this were to happen” and have to have us put our electronic signature on it.

I would have signed it, I have that much faith in my internet security.

Posted by: Yeisei.9358

What worries me, is that A-net is collecting/saving our old passwords when we change them. I for one will not give them the current password to add to a list! I question why they need this list of passwords.
If you doubt that they are collecting the old passwords, just try to reuse that old password later & see what you’re told.
I worked for the NSA for years & understand why they required password changes every 30 days. Most IT people have no clue as to why that is, & are mistaken why they think it makes the password more secure. Turnover of personnel is the only reason for the change every 30 days.
For those who think that random characters make for a safe password: think again.
The hacker only has to write multi-programs starting at set points & run them from the same computer, cutting the time way down. Using multi-computers running multi-programs cuts the time even more.
going to a web site to check your password is like giving it to the hackers outright q;