(edited by bibbis.7041)
Yet another complicated password...
Make a txt file and write your password down??
The reason for the first password being unable is most likely due to it being on the black-list. Either for being used by yourself earlier or from being known as leaked from other sites (there have been a bunch of MMO-sites that have had user-information leaked).
Or it simply wasn’t as complicated and unique as you want to think.
And yes, writing it down is a rather good solution.
Krall Peterson – Warrior
Piken Square
Passwords that are easy to remember and pass the complexity test (at least for GW2) http://xkcd.com/936/
Asura on patrol in defense of Gandara and Bessie!
Administrator of http://thisisgandara.com
Huh…? I’ve been using the same 10 digit alphanumeric password for my gw1/2 account for the last 10 years. No symbols or anything. Also, you may find this link useful: http://wiki.guildwars2.com/wiki/Command_line_arguments#-password_.5Bstring.5D
Make a txt file and write your password down??
That’s my whole kittening point!
The reason for the first password being unable is most likely due to it being on the black-list. Either for being used by yourself earlier or from being known as leaked from other sites (there have been a bunch of MMO-sites that have had user-information leaked).
Or it simply wasn’t as complicated and unique as you want to think.
And yes, writing it down is a rather good solution.
Yes security like that is good. If they are collaborating with 3rd party services to keep “compromised” passwords blacklisted, that’s a good thing.
I don’t know, to me, writing your password down is like a first class violation to “keeping your password safe – 101”.
Writing your password down is bad IF others have access to the place where you write it down.
Writing it down on a text-file called Passwords here!!!! in the middle of your computer desktop might not be the best idea, especially not if you are not 100% sure said computer is clean or someone else is using it.
You could however write it on your phone or on a simple piece of paper (without referring to it as a password or at least not as a password to a specific place.).
Krall Peterson – Warrior
Piken Square
The reason for the first password being unable is most likely due to it being on the black-list. Either for being used by yourself earlier or from being known as leaked from other sites (there have been a bunch of MMO-sites that have had user-information leaked).
Or it simply wasn’t as complicated and unique as you want to think.
And yes, writing it down is a rather good solution.
Yes security like that is good. If they are collaborating with 3rd party services to keep “compromised” passwords blacklisted, that’s a good thing.
I don’t know, to me, writing your password down is like a first class violation to “keeping your password safe – 101”.
Put your passwords in a notebook. I can’t imagine there’s a gang of housebreakers doing the rounds looking for gamers’ passwords.
Would you like some hard cheeze with your sad whine?
I actually hate the blacklist system, if they really are concerned about leaking then don’t keep old passwords in the system……SERIOUSLY!!!
I have one password in several different ways (and there are a lot), there is no way that I am ever gonna change my password ever again with this crap system.
I actually hate the blacklist system, if they really are concerned about leaking then don’t keep old passwords in the system……SERIOUSLY!!!
I have one password in several different ways (and there are a lot), there is no way that I am ever gonna change my password ever again with this crap system.
The reason for the blacklisting is other people leaking their password list and way too many people having the tendency to use either the same password or the same password with minor changes for multiple things.
Just make up a sentence you can easily remember… like “this is commander shepards favorite password on the citadel” or such nonsense. Super easy to remember without writing it down and a lot more secure.
Just make up a sentence you can easily remember… like “this is commander shepards favorite password on the citadel” or such nonsense. Super easy to remember without writing it down and a lot more secure.
I have a password that I have evolved massively over the years, and I have several different variations of at ATM.
For me it IS super easy to remember, while still being very secure.
I was unable to use ANY of my variations here, so I had to create yet ANOTHER one…
There are some times when security really just crosses the line to where it just isn’t at all convenient anymore, and just creates extra difficulties.
I understand what you mean and yes it can be (ok..it is) irritating having so many passwords but believe me….the potential alternative (ie being hacked) creates considerably more difficulties.
If your password is being blocked, there is in all probability a very good reason for it. It’s not always about being as complex as possible though (there are some very good articles about debunking myths behind password creations out there).
Just make up a sentence you can easily remember… like “this is commander shepards favorite password on the citadel” or such nonsense. Super easy to remember without writing it down and a lot more secure.
I have a password that I have evolved massively over the years, and I have several different variations of at ATM.
For me it IS super easy to remember, while still being very secure.
I was unable to use ANY of my variations here, so I had to create yet ANOTHER one…
There are some times when security really just crosses the line to where it just isn’t at all convenient anymore, and just creates extra difficulties.
You’re saying it yourself: you are already using variations of it. Thus it’s not secure.
Yea… pretty sure this means they’re not salting the passwords, which is bad for security. I doubt that they have some master black list of compromised passwords.
https://crackstation.net/hashing-security.htm
I’m not 100% this is the case… but it probably is. If this is the case, IT IS BAD. By saying you require a unique password, they’re saying someone else has that password. Makes it a lot easier for a potential hacker to just search for that password and gain entry. They might have some security idk about, maybe even some master blacklist. But unsalted passwords are definitely a bad thing.
(edited by Photonman.6241)
Using the same password, even variations of it, is not secure. You get one compromised and it’s really easy to guess the others. You’re also specifically instructed not to use a password for this account that you use anywhere else, and here you’re complaining that you can’t use a password that’s identical to one that you have on another site, but that you have to make a new variation of it.
You need to rethink your strategy for online security and start taking it more seriously.
Asura on patrol in defense of Gandara and Bessie!
Administrator of http://thisisgandara.com
Yea… pretty sure this means they’re not salting the passwords, which is bad for security. I doubt that they have some master black list of compromised passwords. It’s all pretty technical.
https://crackstation.net/hashing-security.htm
I’m not 100% this is the case… but it probably is. If this is the case, IT IS BAD.
Actually:
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
and
https://www.guildwars2.com/en/news/mandatory-password-change-is-coming/
That’s freaking hilarious. They’re still not salting their passwords, they require a unique password for each user. Which still means that i can get someone’s password from just failing to make an account. But it is kinda funny that they’re actually making a blacklist.
They are salting, but you can still compare the hashed and salted string with the ones on the list.
When have they said they’re salting? Legitimate question, have seen no evidence and would really like to believe it for personal peace of mind. I see almost no reason to require a unique password other than they’re not salting.
They give you ample reason, which still holds true when salting.
When have they said they’re salting? Legitimate question, have seen no evidence and would really like to believe it for personal peace of mind. I see almost no reason to require a unique password other than they’re not salting.
When have they said they are not salting? I have seen no evidence that they do not. You do seem to keep claiming it as a fact though, so the burden of proof lies with you.
Krall Peterson – Warrior
Piken Square
If they are doing password salting correctly, the password hashes for each user would be different, regardless of what password they actually use. This means they would have no way of determining if one person’s password is the same as another’s, since they would hash differently every time.
Since they tell the user that their password has been used before by a different account, two possibilities exist: either they are not doing password salting at all, or they are doing it, and storing the passwords in some less secure form (like unsalted, or in plain text). Clearly not secure either.
Unique passwords solve this problem
http://xkcd.com/792/
It does not solve this one
http://xkcd.com/1286/
Since I can basically just ask the system, ‘is someone using this password’ and it’ll tell me yes or no. I can then just randomly plug that password to my heart’s content.
Salting would make it impossible to cross reference passwords making it pointless to require a unique password, and impossible for people to compare the hash and cross reference it with other sites. I’d have to go in and manually enter the password, which I can do, but it makes my day a lot harder. Basically it’s never a good idea to say “someone else is using this password” which is what they’re doing.
For the record, I could be 100% wrong. I want to be wrong. Hey admins come tell me I’m wrong and that you’re salting!
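Added example, not written by any poster in this thread and not ArenaNet's code: it shows how a service can store per-account salted hashes and still reject blacklisted or previously used passwords, because the plaintext candidate is in hand at the moment of the change. The blacklist entries, the `PEPPER` key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: a server-side secret kept outside the account database.
PEPPER = b"constructed-demo-key"

def blacklist_tag(password):
    """Deterministic keyed digest, used only for blacklist membership tests."""
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()

# Constructed sample blacklist (e.g. passwords seen in leaks or failed logins).
BLACKLIST = {blacklist_tag(p) for p in ("hunter2", "dragon123", "letmein!")}

def hash_password(password, salt=None):
    """Per-account salted hash: a fresh random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify(password, salt, digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def change_password(accounts, user, new_password):
    """Apply the blacklist and previous-password checks, then store a salted hash."""
    # The candidate is plaintext here, so salting does not block this check.
    if blacklist_tag(new_password) in BLACKLIST:
        return "rejected: blacklisted"
    # Previous-password check: re-hash with this account's own salt.
    record = accounts.get(user)
    if record is not None and verify(new_password, *record):
        return "rejected: same as previous password"
    accounts[user] = hash_password(new_password)
    return "ok"

if __name__ == "__main__":
    accounts = {}
    attempts = [("alice", "hunter2"),
                ("alice", "purple-otter-staple-42"),
                ("bob", "purple-otter-staple-42"),
                ("alice", "purple-otter-staple-42")]
    for user, pw in attempts:
        print(user, "->", change_password(accounts, user, pw))
    # Same password, different salts: the stored digests do not match.
    print("digests equal:", accounts["alice"][1] == accounts["bob"][1])
```

Nothing here compares one account's stored hash with another's; a cross-account uniqueness check would require re-hashing the candidate with every account's salt.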
When have they said they are not salting? I have seen no evidence that they do not. You do seem to keep claiming it as a fact though, so the burden of proof lies with you.
Lol you so funny with your logical fallacies. (For the record I never stated it as fact, simply a theory based on logic)
Lol you so funny with your logical fallacies. (For the record I never stated it as fact, simply a theory based on logic)
One theory could be that they have a separate database of pre-salted passwords to check if a user has a unique password. But I’m not a security specialist and I have no clue if that wouldn’t decrease security.
I actually hate the blacklist system, if they really are concerned about leaking then don’t keep old passwords in the system……SERIOUSLY!!!
I have one password in several different ways (and there are a lot), there is no way that I am ever gonna change my password ever again with this crap system.
The reason for the blacklisting is other people leaking their password list and way too many people having the tendency to use either the same password or the same password with minor changes for multiple things.
And whose problem is that, exactly…..
If you can’t shut up about your own pass then it’s not for Anet to fix things, I have never been hacked even once ever but I really don’t like this blacklisting at all.
What if I have no choice in the matter and Anet forces everyone to change the pass, if that happens I am screwed.
Remove the blacklist part, I hate the whole system, I had to change my pass to something completely unknown because of that piece of crap system.
I actually hate the blacklist system, if they really are concerned about leaking then don’t keep old passwords in the system……SERIOUSLY!!!
I have one password in several different ways (and there are a lot), there is no way that I am ever gonna change my password ever again with this crap system.
The reason for the blacklisting is other people leaking their password list and way too many people having the tendency to use either the same password or the same password with minor changes for multiple things.
And whose problem is that, exactly…..
If you can’t shut up about your own pass then it’s not for Anet to fix things, I have never been hacked even once ever but I really don’t like this blacklisting at all.
What if I have no choice in the matter and Anet forces everyone to change the pass, if that happens I am screwed.
Remove the blacklist part, I hate the whole system, I had to change my pass to something completely unknown because of that piece of crap system.
This is not about someone leaking their own passwords, this is about someone leaking your password on a site that you use. If any service that you use gets hacked, and you use the same or similar password everywhere with the same or similar account name, then every account you have with every other service is now compromised. It doesn’t matter how secure those other services are.
Let’s say you have an account name and password on a service like Facebook or Amazon, if they get hacked then someone out there now has your account name and password from that service. If your account information for Guild Wars 2 is too similar, then it doesn’t matter if ArenaNet never gets hacked, the person who has taken your information from another site can use that information to figure out or guess your password for Guild Wars 2.
Asura on patrol in defense of Gandara and Bessie!
Administrator of http://thisisgandara.com
(edited by Bertrand.3057)
When have they said they’re salting? Legitimate question, have seen no evidence and would really like to believe it for personal peace of mind. I see almost no reason to require a unique password other than they’re not salting.
Not that kind of unique password.
Where did you even get the idea that individual players are forbidden from using the same password as other players? That’s completely absurd and it’s not what either article says. They’re talking about ‘requiring’ (and for obvious reasons, they do little more than ask politely) players not to use passwords for GW2 that they already use elsewhere.
You are not allowed to use passwords that would result in you having log-in credentials that match what ANet have seen tried by a hacker. That is all. And no, it’s not a measure that would be useless with password hashing and salting in place. Where do you get that idea from?
When you change your password, the system won’t allow you to pick your previous password, or any password that we’ve seen tested against any existing or non-existent account. Thus, after changing your password, you’ll be confident that your new password is unique within Guild Wars 2.
To be honest, that second sentence does suggest the conclusion Photonman has drawn here, although I’m not sure that’s actually the case. It would imply that the pool of blacklisted passwords was “Every password ever attempted including the legitimate ones.” I do think it makes more sense the way that you described it.
Asura on patrol in defense of Gandara and Bessie!
Administrator of http://thisisgandara.com
Each password works only once in GW2. If any other player used the password before it won’t work. You need a unique password no other GW2 account is using or used before.
Not that kind of unique password.
Where did you even get the idea that individual players are forbidden from using the same password as other players? That’s completely absurd and it’s not what either article says. They’re talking about ‘requiring’ (and for obvious reasons, they do little more than ask politely) players not to use passwords for GW2 that they already use elsewhere.
You are not allowed to use passwords that would result in you having log-in credentials that match what ANet have seen tried by a hacker. That is all. And no, it’s not a measure that would be useless with password hashing and salting in place. Where do you get that idea from?
Have you seriously not tried making an account… It says all of that when you try to make an account.
You’re more likely to get your password stolen virtually than someone breaking into your house and stealing it, if they even knew what to apply it to. The reason for using a complex password is to prevent brute forcing the password. That’s when a computer keeps trying to log in with an email addy it has, using every variation of a password. Simple passwords are found quicker and those people lose accounts.
The odds are probably smaller that someone will break into your house, find your password and know what to apply it to, than someone brute forcing a simpler password.
Though I don’t believe brute forcing is the most common or effective way of stealing passwords these days anyway. Most of the password theft we’ve seen has to do with people reusing passwords on multiple sites and then one of those sites gets hacked.
This turned into a very interesting discussion about password security with several links to some very interesting reading regarding hacking/encrypting.
I have definitely learned a lot about passwords tonight.
I still want an admin to just come here and say “we’re salting our passwords”
I still want an admin to just come here and say “we’re salting our passwords”
And if they did people could simply claim that they lied.
It is also rather unlikely that they would tell us anything about their account-security system.
Krall Peterson – Warrior
Piken Square
And if they did people could simply claim that they lied.
It is also rather unlikely that they would tell us anything about their account-security system.
They’ve been pretty straight up until now, and honestly a lie would still make me feel better. They’ve already told us a ton about their security system, and telling us they’re salting passwords doesn’t really compromise security.