Why are you planning to add ALL existing user passwords to the blacklist?
in Account & Technical Support
Posted by: XDeuxEliah.5926
Because that in itself is a massive security risk.
Consider this: people are not security-conscious. Probably a lot more than 1.5% of your users right now use a password they share with something else.
Okay, you force them to change it (which could easily turn into a big PR CF, if the things I’ve read in my guild’s chat etc. are any indication), and add their old password to your blacklist. Now, you have a list of passwords that contains ones that are known to hackers, and ones that normal people use in other places.
WHAT IF THAT LIST LEAKS?
How many people will get screwed over on other sites because you had a perfectly fine password on a random list of passwords?
Yeah, it won’t affect your game or the game’s accounts. It will affect your customers. Seriously, you cannot enforce security in this manner – because if we consider the 1.5% hacking rate, then with this move, you are endangering the remaining 98.5%!
So please, reconsider the adding of old passwords to that blacklist. Have it store hacked passwords, sure. That makes sense. Do NOT, please, do NOT add valid passwords in there!
in Account & Technical Support
Posted by: Crise.9401
WHAT IF THAT LIST LEAKS?
How many people will get screwed over on other sites because you had a perfectly fine password on a random list of passwords?
Please read the blog more carefully: even if that list leaks, it is just a random list of passwords not tied to any kind of account name/info, ergo nearly useless unless they go through the trouble of matching every password on said leaked list to every registered gw2 account, but oh wait, they can’t verify the link (between account name and password) even by doing that because those passwords are not in use.
Edit: also, do you really think they would persistently store millions of passwords in plain text, used or not? Any self-respecting company that claims to care about security will not do that… and no signs indicate that ANet is doing that.
If you need a password reset by CS staff, they don’t give you your old password because they most likely can’t, they generate a new one for you.
(edited by Crise.9401)
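As an added example (not code from any poster, ArenaNet or the blog being discussed), this shows one way a list of retired and breached passwords can be stored so that the "what if the list leaks" worry above does not expose anyone's plaintext: the list holds only keyed fingerprints, and the key is kept apart from the list. The key, function names and sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed example key. In a real deployment this lives in a secrets store
# or HSM, never in the same table or file as the blacklist itself.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def normalize(password: str) -> str:
    """Apply the same Unicode normalization the login path uses, so a
    blacklisted password cannot slip through as an equivalent encoding."""
    return unicodedata.normalize("NFKC", password)


def keyed_tag(password: str, key: bytes) -> str:
    """HMAC-SHA256 fingerprint of a password. Without `key`, a leaked tag
    cannot be reversed or checked against a dictionary offline."""
    return hmac.new(key, normalize(password).encode("utf-8"), hashlib.sha256).hexdigest()


def build_blacklist(passwords, key: bytes = SERVER_KEY) -> frozenset:
    """Ingest passwords (breach dumps or retired credentials) and keep only
    their tags; the plaintext is discarded immediately."""
    return frozenset(keyed_tag(p, key) for p in passwords)


def is_blacklisted(candidate: str, blacklist: frozenset, key: bytes = SERVER_KEY) -> bool:
    """Check run at password-change time; a set lookup on the tag."""
    return keyed_tag(candidate, key) in blacklist


def offline_matches(leaked_tags: frozenset, wordlist, key: bytes) -> int:
    """Count how many wordlist entries someone holding a leaked copy of the
    tag list could confirm using `key`. With the wrong key the count is 0,
    which is the whole point of keying the tags."""
    return sum(1 for w in wordlist if keyed_tag(w, key) in leaked_tags)


# Constructed sample data: passwords being retired, and a small "common
# passwords" wordlist an outsider might try against a leaked list.
RETIRED = ["hunter2", "Password1", "letmein", "gw2rocks"]
COMMON_WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]
BLACKLIST = build_blacklist(RETIRED)

if __name__ == "__main__":
    print(is_blacklisted("hunter2", BLACKLIST))                      # True
    print(is_blacklisted("Hunter2!", BLACKLIST))                     # False
    print(offline_matches(BLACKLIST, COMMON_WORDLIST, SERVER_KEY))   # 2
    print(offline_matches(BLACKLIST, COMMON_WORDLIST, b"guess"))     # 0
```

The contrast between the last two calls is the defence: the same leaked list yields matches only to someone who also holds the server key.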
in Account & Technical Support
Posted by: serton.9670
The main thing that annoyed me (this is too strong a word – irked, maybe) about the post is simply that they want me to reset my password. After I’ve gone to the trouble of having an email account only linked with Guild Wars. A unique password for the email. Two-factor authentication. And a unique password of a silly length for Guild Wars.
I’d rather not have to go through the process of changing my password (an inconvenience at best, but still I hate being forced to do something after I’ve taken every precaution myself) because someone thinks that my password needs to be changed. I do agree that some people need to be prompted to change their password to something unique to the game, but for those of us who have already thought carefully about this it should be opt-in, not making me think up and remember yet another new password.
I know I’m mostly whining, and I know it’s a minor inconvenience at best, but it does really irk me.
in Account & Technical Support
Posted by: Femgame.6291
You know what would be an irritating but great fix to this situation (there are two actually)? Authenticator. ooooo I know of two games at least that have these and hey, they work! Change your password every other day using a personal list not kept on your machine; that way you aren’t giving away your account if you happen to have a keylogger. I guess you could always pull a sweep before and after you log on the game… that’s a last resort type of thing but would probably help with protecting ourselves.
in Account & Technical Support
Posted by: serton.9670
I think he mentions in the post they have been working to make their own authenticator but have decided to go with Google Authenticator.
in Account & Technical Support
Posted by: mcl.9240
Because that in itself is a massive security risk.
Consider this: people are not security-conscious. Probably a lot more than 1.5% of your users right now use a password they share with something else.
Okay, you force them to change it (which could easily turn into a big PR CF, if the things I’ve read in my guild’s chat etc. are any indication), and add their old password to your blacklist. Now, you have a list of passwords that contains ones that are known to hackers, and ones that normal people use in other places.
WHAT IF THAT LIST LEAKS?
How many people will get screwed over on other sites because you had a perfectly fine password on a random list of passwords?
Yeah, it won’t affect your game or the game’s accounts. It will affect your customers. Seriously, you cannot enforce security in this manner – because if we consider the 1.5% hacking rate, then with this move, you are endangering the remaining 98.5%!
So please, reconsider the adding of old passwords to that blacklist. Have it store hacked passwords, sure. That makes sense. Do NOT, please, do NOT add valid passwords in there!
Don’t use a password that you use on any other site or game or …well, anywhere.