Forced password change [merged]
As far as I understand it, the blacklist contains both known (publicly-exposed) passwords and previously-used passwords. The point is to get something altogether fresh and new.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
I’m sorry that you’re upset about the password change, but believe me, changing passwords, even just a bit, is worth doing and it definitely beats the alternative: a hacked account.
If you like your previous password, may I suggest you simply alter a small number of components? For instance, if your password was d0gandCat, maybe you could use DoGandCat or something like that?
We’re sorry if you feel this is an inconvenience, but the passwords you’re trying are being refused, which means you’re trying ones that appear on “known/stolen password” lists. That puts you at quite a bit of risk of an account compromise. Being allowed to keep that password, or use the risky one, just isn’t worth it when you balance it against the pain and loss of an account theft!
Oops, I messed up and split my post.
The unfortunate nature of your post is the fundamental misunderstanding of how to provide better customer-focused service, rather than an overzealous security policy.
A known password list is almost entirely useless, as it is unlikely you have any context for pairing it to users/emails that are members of your audience. A known password list is only good against brute-force-style attacks, and frankly that is a very unlikely way in which hackers operate. In fact, if/when a hacker gets access to the database of blacklist passwords you store, there is an increase in the risk to all user accounts. Long term, your strategy is flawed.
Given what I understood from the launcher you cannot use anything in your blacklist, any password you have used, nor any password used by others at any time in the past. This sounds horrible and incredibly painful to work with as a customer.
I’ve played many games with online accounts over the years and not ever had a hack happen (knock on wood). However, I take means to separate forum and other third parties from my other common credentials. This is a great idea to suggest to your players, but taking overbearing measures to force some policy that is not very well set up is poor customer service.
I’ve had a hard time trying to overcome dislike of many of the externalized processes your company has put in place in GW2. It continuously drives me away from your product, even though I enjoy much of the other gameplay-centered aspects. Oh well, back onto other games for me.
I am sorry you feel that way, Dracius. The intentions are not manipulative, I assure you, or intentionally disruptive. It’s not a matter of our attempting to be “security police.” The motivation is purely to contribute to a player’s security, which will help players prevent what can be a devastating incident. Changing a password is a tiny thing that takes just a couple of minutes, at most, and it can make all the difference.
If you haven’t had a chance to read Mike O’Brien’s article on account security from a few months ago, I believe it will explain things very clearly and that it will help you understand our position better. It presents a detailed outline on the subject of security as it relates to Guild Wars and Guild Wars 2.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
(edited by Gaile Gray.6029)
Changing a password is a tiny thing that takes just a couple of minutes, at most, and it can make all the difference.
Actually, it’s only trivial like that for those who don’t take their password security seriously; for those of us who do, it’s a PITA.
I have a way of deriving a site’s password based on the name of the site and a small pool of 4-digit numbers which I combine with a special character in a deterministic way so I don’t have to remember it; I can derive it from first principles.
I have two GW2 accounts so I have now to have two different passwords: a pain.
This means I need to derive two passwords using these rules and the remember which I attached to which account: a pain.
So I have to use a password manager, because otherwise I’ll likely get locked out of an account if I use the ‘wrong’ password more than a couple of times: a pain.
If you really must pander to those too inept to secure themselves, at least provide an option to those of us who DO know what they’re doing and provide an opt-out.
That article by O’Brien is long on waffle, light on real content and well-argued security aspects: as Bruce Schneier says (and if you don’t know who he is perhaps it’d be worth researching him) about many things in the security world, it’s largely “security theater”.
Oh, BTW, a company that uses e-mail addresses as login names to web forums and on-line games really shouldn’t be lecturing others on the subject of account security.
Given an e-mail address is the key to account security, forcing users to enter it every time they log in (thus providing keyloggers and wire sniffers more opportunities to grab them) isn’t a great idea, is it?
Just saying.
(edited by Kraggy.4169)
What about having unique emails AND unique passwords? There are many email providers that offer to produce many alias email addresses.
BTW That email account has a unique password as well.
If you have problems remembering all that data (I have too), I’ll show you my perfect password manager: a piece of paper and a pencil.
That should not be left on the table, if you are not living alone (but that is a different kind of security).
I have a way of deriving a site’s password based on the name of the site and a small pool of 4-digit numbers which I combine with a special character in a deterministic way so I don’t have to remember it; I can derive it from first principles.
That is probably the easiest way to create passwords that are completely insecure. Many of the passwords discovered during the LinkedIn hack were discovered that way, tools like Hashcat offer simple mechanisms to do that automatically (not to mention advanced pattern recognition algorithms).
If you really want to be secure (as far as this is possible) use KeePass and passwords with more than 30 characters, you also don’t have to remember the passphrases that way.
PS: the only way to make GW2 really secure would be a requirement of at least 30 characters (the longest LinkedIn password hacked was a 29 character bible quote, the last.fm hack revealed over 30 variations of “supercalifragilisticexpialidocious”) and any form of two-factor authentication not based on e-mail.
With dictionaries of more than 500 million entries and our limited vocabulary, it gets increasingly unlikely that you’ll invent a shorter password which hasn’t been used before or can’t be created by an algorithm.
(edited by Iruwen.3164)
I understand where companies come from making us change our PW, but it’s tiring. I now cannot log in to play, nor can I change it because I don’t know my old one and/or can’t think of one that “fits the requirements”. Now my account is locked and I can’t contact customer service… faaaaantastic. Gaming has become harder and harder these days.
You can contact customer service via “support” at the top of this page and then continue with “ask a question”. And as the answers are sent via email, you can update and answer the same way.
Game account and support account are not the same!
I personally find this whole thing a joke. Due to ArenaNet’s poor security we have to make changes, and getting support’s help is a joke in and of itself, not to mention I had to drop my unique password but it let me use a very famous movie’s catchphrase. You guys at ArenaNet better learn about security before trying to release any expansion or you’re gonna go down the tubes like all the other MMOs with no support.