Forced password change [merged]
I’m sorry that you’re upset about the password change, but believe me, changing passwords, even just a bit, is worth doing and it definitely beats the alternative: a hacked account.
If you like your previous password, may I suggest you simply alter a small amount of components? For instance, if your password was d0gandCat, maybe you could use DoGandCat or something like that?
We’re sorry if you feel this is an inconvenience, but the passwords you’re trying are being refused, which means you’re trying ones that appear on “known/stolen password” lists. That puts you at quite a bit of risk of an account compromise. Being allowed to keep that password, or use the risky one, just isn’t worth it when you balance it against the pain and loss of an account theft!
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
They ‘Black Listed’ all the current/old passwords … so you’ll never be able to use the old one again … I think it was a ‘blanket blacklist’ so no one (without exception) can reuse their old password …
Although I understand the principle behind this particular case (they found a huge list of GW/GW2 passwords on the net, or something similar)
Sorta close, but I should probably explain: What we found was millions — I mean millions! — of stolen passwords out there on lists of exposed/ known/ exploited passwords. When we examined things closer to home we discovered that a lot of people use the same password for everything. This means if a hacker gets your Hotmail password, he also has access to your GW2 account, your bank account, and your account over at that comic book site.
We blacklisted any password that was “out there” as a known, stolen password, so that folks would not be able to simply fall back on the old tried-and-true (and hacker-known) password but would be required to make a new password that is more secure. This has been very effective in reducing account hacks, by the way.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
I think the blacklist was more expansive than you believe. My password was not used for any other game or site, was randomly generated and contains a mix of upper and lower case letters and numbers.
I have a second account that used a different password, with similar characteristics. With the mandatory password change coming up, I decided to swap the passwords for the two accounts, so I wouldn’t have to learn new, complex passwords.
Each password was blacklisted.
So, I generated a new password, intending to just use the same password for both accounts. The new password worked with the first account, but when trying to apply it as the new password for the second account, it came up as blacklisted.
Apparently, in addition to a blacklist of “hacker compromised” passwords obtained from online sources, you guys also blacklisted all existing GW2 passwords, whether they were on “hackers lists” or not, plus are also instantly adding new passwords to the black list, so that no two accounts can contain the same password.
To me, that’s going way too far and doesn’t make much sense unless someone at Arenanet was concerned that stored GW2 passwords had been compromised at some point in the past.
It could be the extra security measures kicking in. See this post for details. It’s referring to attempted password changes for a single account, but maybe (and I obviously don’t know, just guessing) there’s something triggering because you’re changing two passwords in a relatively short amount of time from the same location, much like a gold seller (read: account thief) would. No offense intended.
However, now that I read through your post again, I seem to recall something about old passwords going on the blacklist. I would recommend adding a word somewhere in the passwords. It could be a short word, like “the” or something, inserted where it wouldn’t be hard to remember. Maybe a number or two, whichever is easiest for you to remember. Or possibly some shift in capitalization (no pun intended).
and the stupidest grown-ups who are the most grown-up.”
- C. S. Lewis
They only know the passwords from sites that have been attacked. They DON’T know the passwords used on numerous other sites. By blacklisting ALL existing passwords, they attempt to get NEW and UNIQUE passwords for every GW2 player. If some of them recycled passwords on several sites, they are now forced to change to a new one. It IS a healthy movement, but it won’t help those that had unique passwords already.
So, I guess they will have to ask all new players to do the same too. Somewhere in the future. Maybe after they played it for 2 or 3 months.
To me, that’s going way too far and doesn’t make much sense unless someone at Arenanet was concerned that stored GW2 passwords had been compromised at some point in the past.
Here’s the reason for this behavior:
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
and specific quote:
Because this has been so successful at protecting new accounts, we want to extend it to protect existing accounts too. But it’s harder for us to know whether passwords of existing accounts are known to hackers: it’s difficult to distinguish between a login attempt by the real customer and a login attempt by a hacker. So we’ll take the safe approach and ask all existing customers to change their passwords, and blacklist everyone’s old password in the process.
Tiny Siege Turtles member
Blacktide player
My accounts security is my business, and I use specific passwords for specific things, now you’ve blocked about 5 of the ones I use and are forcing me to use passwords that I do not wish to use.
Stop it.
The force password change is broken.
I did exactly as you requested I do, and now I can’t log into the game. At all.
Apparently the new password I picked doesn’t work, and yes, to forestall being asked, I am 100% certain I’m typing it in correctly.
Come on Anet, this can’t be this hard. First you ruin dungeons, and now this?!
And to top it off I can’t even create a support ticket because that system is broken too.
facepalm
yup, i did it, tried one of my old passwords which it said i could no longer use.
then picked a different one, it accepted, tried to log in, and the accepted one did not work, but i can log in using the rejected one..
Account security is Anet’s business when you get hacked, and have to respond to your tickets. Unless you agree to not request help with any account recoveries, I think the current policy with password changes is ok.
I can’t even log in using the rejected one.
I created a new support profile and submitted a ticket, and I’m hoping for a quick resolution. As is, I’m fuming.
and I disagree.
I just wanted to reply to the post from Gaile to point out that the blacklist is actually more extensive than was outlined in her post.
(edited by Moderator)
And you may disagree, but you still must change your password.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
(edited by Gaile Gray.6029)
I just wanted to reply to the post from Gaile to point out that the blacklist is actually more extensive than was outlined in her post.
I understand, and that seems to be true. There are a nearly-infinite number of potential passwords, so hopefully everyone can choose one that suits him or her and all will be well — and more secure — in the future.
And to top it off I can’t even create a support ticket because that system is broken too.
The system is operating just fine. If anyone is having difficulty setting a new password, please Go here and submit a ticket through the “Ask a Question” tab on that linked page.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
(edited by Gaile Gray.6029)
I had to create an entirely different support account in order to submit a ticket, and I’ve gotten no response.
So instead of spending a few minutes playing GW2, I spent a half an hour getting progressively more upset.
Any chance that this issue can be resolved soon, because if I have to wait till Thursday to hear from someone I’m probably going to flip.
The system is not operating just fine. I’ve tried to change my password 15 to 20 times since they announced this change. My password doesn’t change and I am still using the old one to log into the game. Furthermore, I take exception to the fact you are treating your entire player base like children. It has been known for years that people use the same password on game, email, messenger, etc. You are “discovering” something that NCSoft/PlayNC has known for years and years. All my passwords are secure and I change them regularly. I can not change my password now. I haven’t been able to change it for a while. I can’t change my email, which was supposed to be another security feature. But according to Anet I do not understand how to secure my account and must be forced to do it their way. A way that doesn’t work for a number of people but “it works just fine”.
I understand, and that seems to be true. There are a nearly-infinite number of potential passwords, so hopefully everyone can choose one that suits him or her and all will be well — and more secure — in the future.
Near infinite you say?
I couldn’t find the exact password rules so I assumed the following:
- 100 characters max
- non-space printable ASCII characters only
Given these assumptions the number of potential passwords can be easily calculated as 94^100 – (blacklist size), or approximately
205487477052359885945235685067246572845424635839739738959838742603457313014037104010284943436279326671344387862112146511720036208770768568795279366314788216602099004251084292188536525947528204517376 possibilities.
However, near infinite is at least 3 times more than that. ;D
(edited by Crimsony.2514)
@Avani Silver: password and email change can be done using support if the normal ways don’t work. That it is not working, is not a general problem. I did my password change successfully several days ago.
If people put their valuable belongings behind a smoke screen of same passwords? IMHO that is really childish. All that Anet tries to do is to secure our lazy bottoms. Those persons who are shouting now “I don’t need it” will be the ones that are crying loudest “help me” when they are trapped. Nothing is 100% secure. Anybody should know that. Trying to improve security is never bad, but it is always additional work.
We are carefully monitoring the forced-password changes, and I promise you, we are seeing very few tickets. Having said that, if you do submit a ticket, I believe it will be handled very promptly, and we want to help you if you are having any difficulty at all.
Go to support.guildwars2.com, use “Ask a Question” or email support@guildwars2.com and the team will help you.
I’m very sorry for your unhappiness and do not mean to sound as if I am discounting a single person’s feelings of frustration, confusion, or helplessness. If you are having issues, please allow us to assist you; it will be best for all concerned if you have a new password and if we make it easy for you to do that!
Thank you for understanding.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
Uh I tried changing my password and it keeps saying next to my old password ‘You have not changed your password, it needs to be changed blah, blah, blah.’ And even if I put a new pass in to try and change it.. it still does it, yet doesn’t change my pass. I don’t understand what the hell is wrong with this new pass bullcrap. My password has been fine, nobody has hacked me EVER. And now I can’t even log on to GW2 because of it. :/
I have also changed my password, and now it just won’t let me log in. Works just fine on the website.
Okay mine’s working now. It must just take a little while.
… I decided to swap the passwords for the two accounts…
….
So, I generated a new password, intending to just use the same password for both accounts.
This is exactly what you should not do: use the same password for multiple accounts. This is exactly why ANet is forcing everyone to change passwords at least once.
- Use an easily remembered password, but include at least one number, one upper case, one lower case, and one symbol.
- Longer is better (all other things equal).
- Use a unique combination for every site, so that if one site is compromised, you will protect the others.
This won’t make it impossible to brute-force your password (there are better ways to do that), but it will make it much more difficult for people to guess or get in knowing your credentials elsewhere. And you can still use an easy-to-remember set of words.
Hey!
I wonder how exactly you made your blacklist, as it’s not completely clear to me.
Passwords are supposed to be coded in MD5 so you cannot see the actual password. Due to this fact the only thing you can do is forbid changing the password to one that converted to MD5 hash already exists in your database. Here comes my question.
How can the system recognise me changing only one letter if you can’t see the true password? You can’t check it via MD5 hash how much it changed because it doesn’t work this way and it’s supposed to be unable to unhash it (you can do it however using rainbow labels (not sure if it’s named the same in English)). I highly doubt my password was hacker-known, maybe because I’ve never ever been hacked and after changing that thing it’d be a password I’ve never ever used?
The only thing I can come up with is that passwords aren’t really hashed, but.. guys. I don’t believe you’d do something that stupid.
PS. I’ve changed my password tho, now I cannot login to my account using neither the password your system accepted nor the password that got rejected.
Deviantart page: narholt.deviantart.com
(edited by Narholt.9023)
@Narholt
It is not you who has been hacked (not in the real meaning of that term), it has been other websites that have been hacked and lots of emails and passwords have been harvested. As explained by Brian those looted details have been used to gain access to GW2 accounts – even if those never existed yet. When there have been numericals in it, they might have tried one number up and one number down, if that didn’t work, they tried the next email / password combination. No brute force attack. The attackers simply KNEW the necessary combination.
So, Anet blacklisted those combinations and maybe some small variants from it (just like I explained). But this approach only covers the spilled or harvested known websites and combinations. What this did show, was that too many people used email and passwords for almost anything they do in games or accounts. THIS is the group that Anet is targeting now. By forcing anybody to change their passwords they hope to unlink GW2 accounts from those combinations that have NOT been harvested from other websites yet.
That doesn’t change the situation for any NEW customer of GW2, but it improves security for most that are playing GW2 already. For some people – like me – it would not have been necessary, because I had a unique combination for GW2 already, but that is something that Anet cannot know. To be on the safe side, Anet could not do anything else.
Attention: But Anet will have to FORCE any new player to change the password at least once. Otherwise the new players may fall victim to the same “reuse mail and password” trap too.
(edited by Michael.4791)
@Michael
I understood the part of blocking passwords harvested from other sites. I also know what ANet is aiming for. When I said about “being hacked” I meant every website or game I’m in. I had never had any problems concerning my accounts’ security. So I can’t assume my password has been stolen.
My point is how they can blacklist my slightly changed old password while they SHOULDN’T have access to my old password in readable form (just hashed). Therefore they can’t ban its variations.
MD5 hash code doesn’t indicate what changed when you compare two passwords. It isn’t generated linearly. Let me give you some examples.
md5(“password1”) = “7c6a180b36896a0a8c02787eeafb0e4c”
md5(“password2”) = “6cb75f652a9b52798eb6cf2201057c73”
You can’t say these passwords are similar. Wait! You can’t even check how long they are as hash has always 32 chars (it’s 32 bit coding). Now, I ask ANet how they managed to do the impossible assuming they really hash our passwords. If they don’t it would be.. huge affair.
Deviantart page: narholt.deviantart.com
Do you really believe they would answer such a security-related question? If they would do that, they would open the door to any would-be attacker.
So, I guess that you won’t get a satisfying answer.
BTW I would think that the information is available in clear form. Believing that it might be stored in hash form is an idea that I have found nowhere. When it is about security, most sites using passwords don’t tell much. So, anything is possible.
For me it is insignificant how the passwords are saved or compared. There is only one thing that matters: is the procedure safe and is the stored information safe.
Narholt, you are making a lot of assumptions, and unfortunately, most of them are incorrect.
There are many ways to encrypt a password, MD5 is only one, and not even one of the best. It is common practice to check previously used passwords or partials of, and there is no reason to have access to the unencrypted password to do it, so what encryption method is used is irrelevant. It’s a very old process, almost as old as Windows itself, very common and easily implemented. It is not something I will discuss in any forum because, and please don’t take this the wrong way, you then have people like yourself who only partially understand security jumping to conclusions and creating more confusion.
Sure bet they aren’t using MD5 because it’s insecure (not considering HMACs). And a rainbow table (not label, it’s simply a table that contains all relevant password->hash combinations) isn’t relevant any more because all storage space existing on earth combined wouldn’t be sufficient to hold it. Simple example using the following assumptions:
- simple MD5 (16 bytes)
- 8 character password (8 bytes)
- password may contain all 77 printable ASCII-characters
This results in 1.24×10^15 (77^8) possible permutations; at the 24 bytes per row given, this requires ~29.7 petabytes of storage (29,700 terabytes).
Now good luck doing that for 50 character passwords and SHA-2 with 512 bit hashes, which results in a total data volume of 1.19×10^79 exabytes – estimated total storage capacity on earth was 500 exabytes in 2011 iirc.
Any brute forcing attempt with a HPC grid is far more likely to be successful. That would just be the “figuring out the password for a given hash” part though, which requires access to the password database in the first place. As ANet’s password database is safe (hopefully), all passwords used are not found in any password dictionary, and ANet locks you on too many authentication attempts, all accounts can be considered safe unless somebody gains access to their internal authentication systems – or your computer, intercepting the password in the first place. Which is very likely, and which is why you should always use two-factor authentication with an external component (like the authenticator, not mail).
PS: correct me if I miscalculated something, I sometimes mix up those SI prefixes.
/e: Narholt.9023 actually raised a valid question. If they’re actually checking for similar passwords (as opposed to previously used ones), this isn’t possible with a proper hash, no matter how insecure. Which would mean their blacklist contains all passwords in plain text form – which means that if ANet is ever hacked, that’s probably one of the largest password dictionaries in existence, containing both known weak passwords as well as unknown and safe (until then) passwords. That would freak me out too.
(edited by Iruwen.3164)
The question is not “what is in the blacklist” but more “is it sufficiently protected”?
If I would do a design of something like that, I would never put the blacklist or its access on the frontline – that is on a server that can be reached via the internet. I would put it behind any kind of security walls and the question would be passed from their own server to the blacklist system. That system would check and it would only give few possible answers:
- ok
- not ok – maybe with an error code
Even the question could be coded. So there would never be a password flowing forward and backward all the time. Only when a new password will be chosen is there any need to get access for writing the new password. There is no need to read the password AND send it to the public server. Just one way – getting a password in. Anything else for outward bound is either yes or no. No clear text necessary.
Guys don’t freak out… nobody from ANet said anything about similar passwords.
Check yourself…
Stop kitten gossiping!!!
Michael.4791 said
So, Anet blacklisted those combinations and maybe some small variants from it (just like I explained).
latter:
MD5 hash code doesn’t indicate what changed when you compare two passwords. It isn’t generated linearly. Let me give you some examples.
md5(“password1”) = “7c6a180b36896a0a8c02787eeafb0e4c”
md5(“password2”) = “6cb75f652a9b52798eb6cf2201057c73”You can’t say these passwords are similar. Wait! You can’t even check how long they are as hash has always 32 chars (it’s 32 bit coding). Now, I ask ANet how they managed to do the impossible assuming they really hash our passwords. If they don’t it would be.. huge affair.
Oh… so last couple of posts are… a big pile of gossiped bullkitten
Edit:
p.s.
Michael.4791 STOP
please stop….
Stop theorizing.
Tiny Siege Turtles member
Blacktide player
(edited by Qnopsik El Qox.1269)
The question is not “what is in the blacklist” but more “is it sufficiently protected”?
It boils down to what’s in it though, because if it’s secure in the first place, it can be stolen with no harm done. You can’t rule out human failure, like a database dump being stored in an insecure location.
/e: Narholt.9023 actually raised a valid question. If they’re actually checking for similar passwords (as opposed to previously used ones), this isn’t possible with a proper hash, no matter how insecure. Which would mean their blacklist contains all passwords in plain text form – which means that if ANet is ever hacked, that’s probably one of the largest password dictionaries in existence, containing both known weak passwords as well as unknown and safe (until then) passwords. That would freak me out too.
There is no reason to have a password list in plain text to compare it, maybe in something like phpbb or phpnuke, but those are not secure by any stretch of the imagination.
It is actually a moot point. If the passwords are not allowed, you could freely post them to all the world to see and give them to all of the hackers. If no one is allowed to use them, who has access to them is irrelevant. Think about it, a hacker has a password that no one is allowed to use, so it will not access any account, does it really make any difference? I deal with people complaining about changing their passwords all the time. We force a password change every 30 days. They are given 6 warnings that their password will expire soon, to change it. After the password expires, they are locked out and get a new password of my choosing. They will NOT like the passwords I will assign them and they know it. Do we force a password change to be nasty? No, we force a password change because we are required by law to do it. While anet may not be required to do it, it’s only good practice when you have so many accounts hacked.
There is no reason to have a password list in plain text to compare it
Read again. To compare for similar, not identical, passwords you need it. Because this cannot be done with hashes.
If the passwords are not allowed, you could freely post them to all the world to see and give them to all of the hackers.
No. Because users use the same passwords for various services, no matter how often you tell them that they shouldn’t. So a leak of a plain text password blacklist would actually reveal a huge list of valid passwords to the hacker. And saying “we told you to use a unique password” doesn’t make this legal. Maybe in the US, seems you can regulate anything in EULAs there, German data protection acts are stricter.
I understand some of you are concerned about security. I strongly believe that you need not have these concerns. I sent out an email to ask about this, but again, feel that you can be assured there is no view of secure information and absolutely no risk through this process.
It’s sort of like sausage. I don’t want to watch it being made, but I have confidence it’s made properly. More info if there is anything to share.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
There is no reason to have a password list in plain text to compare it
Read again. To compare for similar, not identical, passwords you need it. Because this cannot be done with hashes.
And who says they are hashed? Your making assumptions again. Until you can state for a fact that you know exactly how the passwords are or are not encrypted, all you are doing is speculating. I do security for a living, just what are your credentials?
Oh, FMPEvo, that did make me smile. I’d toss in favorite color, just for a Monty Python reference.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
Okay everyone. It seems that my post started a little storm that I didn’t really want.
But he who seeds wind shall harvest storm, isn’t it?
@ShiningSquirrel
I have to admit, I made a lot of assumptions. First of all was that they use MD5, which is the most used encrypting method (no data here, correct me if I’m wrong). I know it’s old etc. but still is in use.
As you claim being a security specialist I won’t argue with you at all. I’m not a security specialist, therefore I’ve got no knowledge to start a proper constructive discussion with you. I’d probably just make a fool of myself.
My general thought was that passwords are encrypted so that even the database owner cannot get to know the actual password. If so, there is no possibility to compare and find similar passwords. They would have to be stored as plain text, which would be pretty insecure, and I wouldn’t feel fine knowing that a database admin (or any third-party person that sees it) can see my password.
Password change system seems to work pretty random. At last 4th variation of my password got accepted so I’ve no idea how the system works.
I’m just curious now. What is another way of storing password than:
- plain text (insecure)
- hashed (pretty secure)
@Iruwen
Sure, I meant rainbow tables not labels, my fault
@ShiningSquirrel @Iruwen
I’d like to thank you both for constructive posts and not just raging at me.
@Gaile Gray
Thank you for your reply. I may seem like looking for an affair while there is none but I just wanted to know and it seemed odd that similar password got rejected by the system and felt like asking a question. There was no offence there, thank you for taking your time and being interested in this case.
Deviantart page: narholt.deviantart.com
@Qnopsik El Qox
A bit of theory which came out of years of practice. As Gaile said, I don’t need to know how the sausage is made, I just eat it. Although there are lot of ways to do things, I strongly believe, that a designer for security features will try his best to keep the data safe. And he will always check for improvements, because the bad guys are not sleeping either.
I signed into my account and it required me to change my password. I attempted to change my password and it would not allow me to do so and now I am locked out of my account. I would enjoy to play this fine game but I am not currently able to do so in my predicament. Please help me resolve this issue and I will be eternally grateful. Thank you for your time.
I suggest you contact Support by filing a ticket through the “Ask a Question” tab on that linked page. They will be able to assist you. For tips on what information to provide in a ticket, please read this post.
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet
Just a little humor to lighten everyone up… seriously
And who says they are hashed? Your making assumptions again. Until you can state for a fact that you know exactly how the passwords are or are not encrypted, all you are doing is speculating. I do security for a living, just what are your credentials?
I do security for a living. Any reversible encryption used in places where it doesn’t have to be used is insecure by definition because it can be – guess what – reversed. The security tradeoff in a password storage scenario would be unjustifiable.
PS: of course I’m making assumptions. Because we don’t have that information (and we shouldn’t). It’s just a response to the legitimate worries of another customer. If there was a check for similar passwords, I don’t know of a way to do this safely. But I’m always willing to learn, I’m not a developer.
PPS: “you’re”
(edited by Iruwen.3164)
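The exchange between Narholt, ShiningSquirrel and Iruwen above turns on what a server can and cannot check when it stores only hashes. The following is an added example, not code from this thread or from ArenaNet, and its hash parameters, variant rules and sample passwords are constructed for illustration: it shows that a breach blacklist needs only digests, that a "trivial variant of your own old password" check is possible because the old password is typed in the clear during the change request, and that similarity against other accounts' stored hashes is not derivable at all (the yes/no decision shape follows Michael's design sketch).

```python
"""Added example, not code from the thread or from ArenaNet.

  * membership in a breach blacklist needs only digests of the blacklisted
    passwords, never plaintext;
  * "is the new password a trivial variant of YOUR old one" is checkable at
    change time because the user supplies the old password in the clear for
    that request; nothing stored in plaintext is needed;
  * similarity against OTHER accounts' passwords cannot be derived from
    stored hashes; even an identical-match test across salted records costs
    one slow hash per record.
Hash parameters and variant rules are assumptions made for this demo.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # demo value; tune to your hardware in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored credentials (stdlib PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_record(password: str) -> dict:
    """Stored credential record: random per-user salt plus the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of a supplied password against the record."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def blacklist_from(plaintexts) -> set:
    """Build the breach blacklist as fast, unsalted digests (the form breach
    corpora are commonly distributed in); plaintexts can then be discarded."""
    return {hashlib.sha1(p.encode()).hexdigest() for p in plaintexts}


def on_blacklist(blacklist: set, password: str) -> bool:
    """Exact-match lookup: the only question a digest-only blacklist answers."""
    return hashlib.sha1(password.encode()).hexdigest() in blacklist


def trivial_variants(old: str) -> set:
    """Constructed variant rules: case changes, trailing number +/- 1, one
    appended common character. Only works on the plaintext old password."""
    variants = {old, old.lower(), old.upper(), old.capitalize(), old.swapcase()}
    m = re.match(r"^(.*?)(\d+)$", old)
    if m:
        stem, digits = m.groups()
        n = int(digits)
        for k in (n - 1, n + 1):
            if k >= 0:
                variants.add(f"{stem}{k:0{len(digits)}d}")
    variants |= {old + c for c in "!1.?0"}
    return variants


def is_trivial_variant(old: str, new: str) -> bool:
    return new in trivial_variants(old) or new.lower() == old.lower()


def change_password(record: dict, blacklist: set, old_supplied: str, new: str):
    """Password-change decision, returned as (ok, reason) in the yes/no shape
    a back-end check service would give. Updates the record in place on success.
    The old password is only ever held in memory for this request."""
    if not verify(record, old_supplied):
        return False, "old password incorrect"
    if on_blacklist(blacklist, new):
        return False, "new password is on the breach blacklist"
    if is_trivial_variant(old_supplied, new):
        return False, "new password is a trivial variant of the old one"
    record.update(new_record(new))
    return True, "changed"


def identical_to_any_record(records, candidate: str) -> bool:
    """Cross-account identical-match test over salted records: possible, but it
    costs one slow hash per record, which is why a global blacklist is kept as
    fast unsalted digests instead. A *similarity* test over these records is
    not possible: the stored hashes carry no information about nearby passwords."""
    return any(verify(r, candidate) for r in records)
```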
@Qnopsik El Qox
A bit of theory which came out of years of practice. As Gaile said, I don’t need to know how the sausage is made, I just eat it.
@Michael.4791:
Yep you don’t need to know, but when you start shouting:
“Maybe they add rats, nuclear and some other waste in our food” (your post about blacklisting similar passes)
And later others start:
“Oh Gosh, oh gosh, nuclear waste in my sausage is bad” (post about MD5 of similar passes)
Then i say: Stop bullkitten gossiping.
@Rajani Isa.6294
You could warn Us a week ago… ;-)
Tiny Siege Turtles member
Blacktide player
There is no reason to have a password list in plain text to compare it
Read again. To compare for similar, not identical, passwords you need it. Because this cannot be done with hashes.
If the passwords are not allowed, you could freely post them to all the world to see and give them to all of the hackers.
No. Because users use the same passwords for various services, no matter how often you tell them that they shouldn’t. So a leak of a plain text password blacklist would actually reveal a huge list of valid passwords to the hacker. And saying “we told you to use a unique password” doesn’t make this legal. Maybe in the US, seems you can regulate anything in EULAs there, German data protection acts are stricter.
I thought the whole point of the blacklist was that the hackers already have those passwords?