"Please consider changing your password" ???

in Account & Technical Support

Posted by: Ramooh.3286

After downloading the latest patch, there is a red message at the top of the launcher telling me to change my password. Have there been login attempts from a Chinese IP? Has ArenaNet determined that my password isn’t strong enough? If I keep the same password for too long, will a veteran destroyer troll rise from the depths to destroy my town?

I don’t know because ArenaNet has chosen not to provide any useful information with the message. Anyone know what the deal is?

(edited by Moderator)

Posted by: Unpredictability.4086

Upon starting the launcher, I saw this: http://imageshack.us/a/img442/2166/91453144.png

Never had password problems in the past, and my computer is secure. Is this showing up because there were 2 other connections going on at the same time? I noticed under account management my IP is showing as having been connected 3 times… like it shows up 2 minutes ago, 1 minute, and then currently. When I click disconnect I get the generic browser 404 page but they are disconnected too. I really don’t want to have to change the password, as I already have so many I need to remember. I’m hoping this is just related to the disconnect issue and not really necessary.

(edited by Unpredictability.4086)

Posted by: Kadyn.4510

Not sure why it says that but I would seriously consider doing so if I were you. I just found out my account was being logged in from Chengdu China…..however I myself can’t change the password because it’s bugged or something, so not sure how that works….But yeah it don’t let me change it and I definitely need to if someone in China already has the account and password….so I’d consider it if I were you and try changing the pass

Posted by: Unpredictability.4086

Weird, cause I haven’t received a single authentication email besides the ones I’m responsible for (like resetting my router then logging in). Did you get an email alerting you to the China one though?

Posted by: Kadyn.4510

That’s a good thing, for you it’s just suggesting to update with a new password to keep it on the safe side. If I remember correctly, that’s always there on the log in. And yes I got an email authorization for that and immediately refused it and blocked but yeah trying to be safer…if they know the account they can always get the password….and eventually they’ll find a way to bypass security….usually do. That’s why I’m trying to change it asap to prevent that. Luckily for you it was just suggesting xD

Posted by: Kadyn.4510

Hm, I doubt that it’s remotely close to commonly used or used by hackers. I had just come up with it with this game and it’s far more complex than any I’ve ever used. Took 4 words, cut em in half to make one big word with really randomized lettering. It’s still a word just not one in a dictionary xP

And even if it was used by someone else, that don’t explain why I can’t change it =/

Posted by: Kadyn.4510

As for their password, that could be the case. But I think it was just a suggestion since they haven’t received an email for authorization elsewhere. I’ve had that on my log in before because it’s always there. But yeah, I’d still change it to be safe xD

Posted by: Unpredictability.4086

I did some digging and found out my hunch was correct – my system is secure, it just wants me to choose a longer password for the sake of being a longer password. To me, this is coming off like the FOV excuses (not legitimate). I guess 8 characters with numbers too is not good enough? It’s not a common word or something either. Guess I’ll change it but not happy at all, why change passwords for no good reason? This was one of the easiest ones I had.

(edited by Unpredictability.4086)

Posted by: RoyHarmon.5398

I did some digging and found out my hunch was correct – my system is secure, it just wants me to choose a longer password for the sake of being a longer password. To me, this is coming off like the FOV excuses (not legitimate). I guess 8 characters with numbers too is not good enough? It’s not a common word or something either. Guess I’ll change it but not happy at all, why change passwords for no good reason? This was one of the easiest ones I had.

What “digging” did you do? I don’t think it’s anything about password length; I started getting the message after the latest “maintenance” patch (Monday, I think?), but my password is unique, >16 characters, and is complex enough to take several quadrillion years to crack by brute force.

“It is the stupidest children who are the most childish
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis

Posted by: Gaile Gray

ArenaNet Communications Manager

Actually, I believe you are mistaken about what prompted this request.

The actual verbiage that is displayed at the top, and the “Must be at least 8 character long” is below. Perhaps you missed the first message, but it reads:

Change Password

That password is not available. Either you’ve used it before, someone else has used it before, or it’s known to have been hacked from another game or web site. Please choose a new, unique password for your Guild Wars account.

It then goes on to suggest the use of four random, unrelated words.

I think this is what you’re running into, and not a glitch with a password that is or exceeds 8 characters, when that is exactly what is requested.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Rajani Isa.6294

Looks like the bit under “Password Blacklisting” under:

https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Posted by: RoyHarmon.5398

Actually, I believe you are mistaken about what prompted this request.

The actual verbiage that is displayed at the top, and the “Must be at least 8 character long” is below. Perhaps you missed the first message, but it reads:

Change Password

That password is not available. Either you’ve used it before, someone else has used it before, or it’s known to have been hacked from another game or web site. Please choose a new, unique password for your Guild Wars account.

It then goes on to suggest the use of four random, unrelated words.

I think this is what you’re running into, and not a glitch with a password that is or exceeds 8 characters, when that is exactly what is requested.

That’s exactly what I did several weeks ago, before the password blacklist came into effect (as far as I know). Four random, unrelated words. And then I added a number or two, just to be on the safe side. But after the patch on Monday, I started getting the message in the attached screenshot.

If this message is due to the password blacklisting system, does that mean my password can be flagged when another user randomly chooses the same (formerly secure) password? With millions of accounts (and more created every day), is this considered a practical means of password security? And is a password insecure simply because another user tries it on a different account? I’m very confused.

“It is the stupidest children who are the most childish
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis

Posted by: MikeLewis

Lead Gameplay Programmer

This is simply a precautionary measure; since, as you stated, you changed your password before the blacklist came into effect, there is a chance that it is already on the blacklist as a known vulnerable password. In this particular case, that sounds exceedingly unlikely, since you used what seems like a strong password selection method.

Here’s the wrinkle: we can’t see your password (which is good for everyone). We have no way to find out how long it is, how complex it is, or anything else about it. All we know is the last date and time at which you changed your password.

This message simply checks that date/time, and compares it to the effective date of the password blacklist. If your last password change was prior to blacklisting coming into effect, you might see this message.

It’s only a suggestion, but if you have any concerns whatsoever about your password, we recommend changing it to be safe. The blacklist will ensure that nobody else knows that password (assuming you don’t use it anywhere else on the internet/etc.).

Posted by: RoyHarmon.5398

Awesome, thanks for the reply! It all makes sense now.

I had assumed as much when the message appeared, since it’s not a very forceful suggestion; still, it’s reassuring to know that there isn’t reason to suspect a more serious issue.

“It is the stupidest children who are the most childish
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis

Posted by: NeHoMaR.9812

I changed my password BEFORE this “blacklist” thing to a very strong one, now I am getting the “change password” message even when I don’t have ANY plan of changing my password again. I suppose/hope the message will be removed someday.

Posted by: RoyHarmon.5398

I changed my password BEFORE this “blacklist” thing to a very strong one, now I am getting the “change password” message even when I don’t have ANY plan of changing my password again. I suppose/hope the message will be removed someday.

I also changed my password to a very strong one before the blacklist went into effect, as mentioned above; I’m considering adding an extra word or two, just to make the message go away…

“It is the stupidest children who are the most childish
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis

Posted by: Gaile Gray

I changed my password BEFORE this “blacklist” thing to a very strong one, now I am getting the “change password” message even when I don’t have ANY plan of changing my password again. I suppose/hope the message will be removed someday.

I also changed my password to a very strong one before the blacklist went into effect, as mentioned above; I’m considering adding an extra word or two, just to make the message go away…

I think that’s a great idea because it accomplishes two things: Stops the reminder messages and, more importantly, increases your account security.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Baldovin.1392

LOL, ok, I got the same message and go right ahead and change it. My last password that I used before for GW2 was: “76O8z#T5$!nnaR3LnQ0e”, dunno why they told me to change it (thought it was pretty solid). But now I have new one also randomly generated and just to be more sure I added the mobile authenticator. =)

I’m an engineer in Aeronautics and they always taught us SAFETY FIRST !

Posted by: RoyHarmon.5398

LOL, ok, I got the same message and go right ahead and change it. My last password that I used before for GW2 was: “76O8z#T5$!nnaR3LnQ0e”, dunno why they told me to change it (thought it was pretty solid). But now I have new one also randomly generated and just to be more sure I added the mobile authenticator. =)

I’m an engineer in Aeronautics and they always taught us SAFETY FIRST !

I’m pretty sure it wasn’t about your password as much as it was about when you changed it last. From what I gather from this thread, the message was for people who hadn’t changed their passwords since the blacklist was put into effect, so they don’t know for sure whether your password is on it or not. They’re just playing it safe and suggesting the change anyway, since changing it to something more secure isn’t a bad idea regardless of its current level of security.

“It is the stupidest children who are the most childish
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis

Posted by: Mighteous.9281

Hello there,

I saw a thread the other day similar to my problem, but wasn’t able to find an answer that I thought was satisfactory.

The other day, I get an email indicating that an individual from China tried to log into my account, and that I needed to validate the log in attempt. I go to click on whatever the button was to deny the log in attempt, and it brought me to a page, which brought me to a dead end.

Few days later, there’s a prompt on the game launcher saying “Please consider changing your password” or something to that effect. I click it, go to change my password, and it leads me to ANOTHER dead end.

Now, just being a suspicious jerk by nature has me thinking that

-The original email wasn’t legitimate
-The spies have hacked into the game launcher

Not really, but what’s the deal here? Why is everything I click on a dead end? The email leads me to a page where I either deny or approve access, and when I click deny it says "Failure

An error occurred with your request."

The launcher leads me to a similar message. I don’t feel comfortable changing my password when I keep getting messages like that.

I look forward to killing you soon.

Posted by: MrYgve.4629

Why does it say this? Is it just advice or is someone doing something with my account? (It says this in the launcher.)

Posted by: DarkShadow.1308

Yeah, would be nice if they gave us a reason rather than just say that. I have a great pw.

Posted by: Twinlanceblack.1450

I think everyone is getting this. I just added mobile auth, because I had wanted to anyways and I am still getting this.

I understand being proactive but making people jumpy is a bit much can we get some kinda answer for this?

Posted by: Tweek.3190

I see more people have this ‘problem’. My guess is that they show you that message after a certain amount of time because changing your password regularly makes your account safer.

Well I hope they remove that message soon, it is already annoying me after seeing it 2 times.

Posted by: Kain Francois.4328

Hello. I am having this problem too where it tells me “Please consider changing your password.”

However, I had no login attempts whatsoever from any other IPs, nor any emails or whatever. So should I be worried? Or is everyone else having this?

Please address this ANET. Thank you!

Posted by: Witch of Doom.5739

I just got this message too. It must just be a standard message going out to people. I’ve had the same pw for GW for years and yeah, I probably should change it.

Posted by: Gaile Gray

I am sorry that you are having these difficulties. I suggest that you contact Support — support.guildwars2.com — using “Ask a Question” to submit a ticket. An agent will help you figure this out.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Gaile Gray

This is a standard message that a random 40% of our players are shown on launching the game. This number will rise to 100% soon. This means if you haven’t changed your password since we added a “blacklist” of known/stolen credentials in mid-September, you’ll be asked to change not because you’re necessarily at risk, but because changing is a good thing in case your password was on the blacklist. (To say that a different way, it’s a proactive security measure and not a sign that you’ve been hacked.)

Please read this article about account security for more information and valuable insight into good account security.

Also note that this is not a sign that your account is at risk and not an indication that the Guild Wars 2 servers are being attacked. (Getting emails from us listing suspicious access attempts is of greater concern.)

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

(edited by Gaile Gray.6029)
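
A minimal sketch of the mechanism described in MikeLewis's and Gaile Gray's posts above: a candidate password is checked against the blacklist only at the moment it is set, the server keeps just a salted hash and the change timestamp, and the launcher notice is decided from that timestamp plus a rollout percentage. This is an added example, not ArenaNet's code; the effective date, the sample blacklist entries, the PBKDF2 storage, the hash-bucket rollout and every name in it are assumptions, and it models only the "known leaked password" part of the blacklist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed placeholder: the thread only says the blacklist began "mid-September".
BLACKLIST_EFFECTIVE = datetime(2012, 9, 15, tzinfo=timezone.utc)

# Constructed sample entries, held as unsalted SHA-256 digests so a candidate
# can be matched without the list itself containing plaintext.
BLACKLIST = frozenset(
    hashlib.sha256(p.encode()).digest()
    for p in ("password1", "letmein2012", "dragon123")
)

NEVER = datetime.min.replace(tzinfo=timezone.utc)


class PasswordRejected(ValueError):
    """Raised when a candidate password fails policy at change time."""


@dataclass
class Account:
    name: str
    salt: bytes = b""
    pw_hash: bytes = b""
    changed_at: datetime = NEVER  # the only password metadata kept at rest


def derive_key(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the stored value reveals neither length nor content.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(acct: Account, candidate: str, now: datetime) -> None:
    """Blacklist check happens here, while the plaintext is in memory."""
    if len(candidate) < 8:
        raise PasswordRejected("must be at least 8 characters long")
    if hashlib.sha256(candidate.encode()).digest() in BLACKLIST:
        raise PasswordRejected("that password is not available")
    salt = os.urandom(16)
    acct.salt, acct.pw_hash, acct.changed_at = salt, derive_key(candidate, salt), now


def verify(acct: Account, attempt: str) -> bool:
    return hmac.compare_digest(derive_key(attempt, acct.salt), acct.pw_hash)


def in_rollout(account_name: str, percent: int) -> bool:
    # Assumed rollout method: a stable 0-99 bucket per account, so raising
    # the percentage only ever adds accounts to the notified group.
    digest = hashlib.sha256(account_name.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < percent


def should_show_notice(acct: Account, rollout_percent: int) -> bool:
    # The stored hash cannot be re-checked against the blacklist, so the
    # decision rests on the timestamp alone, whatever the password's strength.
    predates_blacklist = acct.changed_at < BLACKLIST_EFFECTIVE
    return predates_blacklist and in_rollout(acct.name, rollout_percent)


if __name__ == "__main__":
    utc = timezone.utc
    acct = Account("Example.1234")  # constructed account name
    set_password(acct, "four random unrelated words", datetime(2012, 8, 1, tzinfo=utc))
    print("strong password set before blacklist:", should_show_notice(acct, 100))
    try:
        set_password(acct, "dragon123", datetime(2012, 10, 1, tzinfo=utc))
    except PasswordRejected as exc:
        print("rejected at change time:", exc)
    set_password(acct, "another four random words", datetime(2012, 10, 1, tzinfo=utc))
    print("after a post-blacklist change:", should_show_notice(acct, 100))
```
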

Posted by: Mighteous.9281

Thanks. Have a good one.

I look forward to killing you soon.

Posted by: Okomi.8693

That’s fine and all, but let us turn the warning off. My password is unique to my gw2 account, 20 characters long, and if it gets compromised, so will any password I change it to.

I run my own mail provider, and I do my own intrusion detection there. I have unique passwords for everything. The last thing I need is an application crying wolf at me.

If you want to improve security, change your website so that the password is never sent, even via https, but rather a javascript-generated response to a challenge/response is sent. And do the same thing in the game client. Then the only way it will be intercepted is if the local (user’s) system is hacked. After that the next thing to do would be to make the client available on Linux where the local system isn’t so easily hacked.

Posted by: Okomi.8693

I think that’s a great idea because it accomplishes two things: Stops the reminder messages and, more importantly, increases your account security.

To be honest, this is security theatre. Changing your password one single time does not increase account security. It might even reduce it. Telling people that changing their password one single time will increase their security is mis-training people about security, which decreases security.

Moreover, a warning that I know is wrong also decreases security, because I know that your warnings aren’t worth following, so it decreases your ability to convey security issues accurately in the future.

Posted by: Okomi.8693

This would be more acceptable if you let users set their password to the same value as before, while having it checked against the blacklist.

Of course, as Mike has claimed you have no access to passwords, you shouldn’t be able to even check it against a blacklist unless you provide the blacklist to us (in software running on our systems). Therefore, you could just provide the blacklist in plaintext, so we could evaluate if you are correct and then just clear the message.

Or you could provide a hashdb of the password blacklist.

Or you can retract the claim that you have no access to our passwords if you check them server-side.

Posted by: Kieser Soze.4716

It’s “nice” to attempt to suggest a precaution of changing your password.
But they failed on securing the unique aspect of the password criteria / entries.

If you are privileged to have access to two accounts with two different email addresses, you will not be able to use the same password from account A on account B. It will tell you, basically, the password is not unique and you will have to choose a different password.

That is a very bad thing to suggest. They are telling me that the password I want to enter on account “B” is not unique.

Basically, the shady people can now start entering their own passwords and get results on what is valid in the ArenaNet network.

Posted by: Detective Rawr Rawr.3951

ArenaNet, why should I change? Did someone break into the database or just for my safety? Just wondering. :o

- Thank you for your time.

Posted by: FACE.6792

yea got the same message….wondering as well.

Posted by: Jurrien.2617

As the title said, I was suddenly advised to change my password. There wasn’t a reason given for it, just before starting up the game there was this sentence in a red bar: “Please change your password”. Of course I changed my password but I would like to know why I had to change it.

Thanks

Desolation

Posted by: dani.1956

Maybe your password gonna die ! got the same message but I’m keeping my old one :P

Posted by: Psychrome.9281

I am also getting this, I wish the message would go away after the first log in after receiving it. Great patch, but this kind of thing is a QOL issue and needs to be fixed.

Posted by: Gaile Gray

No need for alarm. We’re just asking folks to change their password if they haven’t done it since the big Password Blacklist went into effect in September. This will help increase your account security, so why not?

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Cribbage.2056

Gaile, you may not be aware of this, but unnecessarily changing your password actually marginally REDUCES your account security. I can explain why if you like but it would require quite a detailed step through of risks and mitigations.

I am currently being prompted by the launcher to change my password redundantly. Now, I understand network security well enough not to do so, but thousands of users won’t and will faithfully follow the advice unnecessarily and thus add to the risk to their accounts.

Posted by: Gaile Gray

Gaile, you may not be aware of this, but unnecessarily changing your password actually marginally REDUCES your account security. I can explain why if you like but it would require quite a detailed step through of risks and mitigations.

I am currently being prompted by the launcher to change my password redundantly. Now, I understand network security well enough not to do so, but thousands of users won’t and will faithfully follow the advice unnecessarily and thus add to the risk to their accounts.

With all due respect, I trust our Security Team implicitly. If they are recommending this, I’ll take their advice, and I’ll encourage our players to do the same.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Khristophoros.7194

I would like to get rid of the message without changing my password please.

I have considered your advice and decided against it.

Posted by: Gaile Gray

I would like to get rid of the message without changing my password please.

I have considered your advice and decided against it.

Simply click “cancel” and you’ll be fine.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Cribbage.2056

Gaile Gray

With all due respect, I trust our Security Team implicitly. If they are recommending this, I’ll take their advice, and I’ll encourage our players to do the same.

Very wise, given that I am just a random GW2 player and you have no reason to place any faith in my knowledge of security.

However, while I am sure your trust in your security advisors is well placed, no one is infallible. It might well be worth taking this question to them explicitly.

If it helps, here is the simplest explanation I can give as to why redundant password changing is a security risk.

Assumption – if my GW2 account has been compromised, the hacker will ransack it in such a way that I would know I had been hacked. I’m assuming therefore the scenario in question relates to uncompromised accounts.

Risks to my security relating specifically to hackers getting my password:

1) Brute Force
An attacker tries all permutations of valid characters. Eventually the attack will find my password.

Mitigations:
- Most defences against brute force should be server side (i.e. not allow loads of failed log in attempts against my account consecutively in a short space of time).
- Password strength. The GW2 advice on password strength is solid and should be followed.
- Mobile authenticator. This should make brute force attacks so hard as to be effectively impossible.

Impact of changing my password from valid to valid:
- None. I have no way of knowing whether a given new password would be cracked sooner or not because I do not know what they have already tried or what order their algorithm works in.

2) Man in the Middle
A server routing my information from my computer to Anet has been compromised and sniffs my password data.

Impact of changing my password from valid to valid?
None. It is equally probable that they will sniff my new password as my old.

3) Local system infected with key logger
If my machine is infected with a key logger, everything I type can be logged and sent to the hacker, including my password (if I type it!)

Mitigations
- Type my password only when absolutely necessary. Use the “remember my password” option provided by GW2. I should point out that GW2 is one of the very few games offering this feature, making it a more secure game than most.
- Local virus checker and malware detection. Frequent scans.
- Mobile authenticator. This effectively makes key logged passwords useless and protects entirely against this form of attack (unless your phone is also infected by the same hacker).

Impact of changing my password from valid to valid?
WORSE security, because I will have typed my new password when setting it rather than using the “remember my password” option.

I’m going to finish by saying that obviously this is just my personal view and I recommend all players follow the advice from Anet rather than myself. I’m writing this just because it is relevant and perhaps when reviewing it, it can constructively contribute to Anet’s approach.

Posted by: Gaile Gray

We’ve just posted a more-detailed forum post about why we’re asking that players reset their passwords.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet