No Limit On Login Attempts

in Forum and Website Bugs

Posted by: Oxe.6142

Currently, the website will not lock out an account if an incorrect password is entered multiple times. I have personally tested this multiple times since launch and have yet to have login stopped after 10-15 failed attempts. This is a basic security measure to prevent bots spamming your login servers attempting to break into accounts. Why is this not implemented?

Posted by: Neuroticmic.3412

I couldn’t agree more. I actually wondered the same thing.

Posted by: Zeldain.5710

I’d second this. I find it incredulous that in this day and age after watching so many MMOs and other services compromised, that security wasn’t taken seriously at launch.

Posted by: DBZVelena.5186

This might even be a way to farm GW2 accounts by simply trying if the password they keylogged works.

Proud Medic of the Splinter Warband. PM me to know more.

Posted by: Regina Buenaobra
Content Marketing Lead

Our team already made some changes last week that should address your concern. Are you still seeing this issue?

Content Marketing Lead
Twitter: @ArenaNet, @GuildWars2
In-Game Name: Cm Regina Buenaobra

Posted by: LittleBigAsura.6071

Also, there’s no “Forgot password” button.

Fedd
Luxon [Lux]
Jade Quarry

Posted by: CC Dalmarus.8397
Community Coordinator

The “Forgot password” button has been temporarily disabled for additional security. If you need your password reset, please contact our support team for assistance (http://en.support.guildwars2.com/). Thank you!

Posted by: Oxe.6142

Our team already made some changes last week that should address your concern. Are you still seeing this issue?

Yes, just before making this post I tested it. I didn’t want to ask the question only to find it had already been fixed. I purposely entered the wrong password more than 10 times, then entered the correct password and made this post.

Also, I wanted to say that I received an infraction for asking my question. I did not mean, nor do I think anything I said was rude. I simply want to know why this security vulnerability exists because my account is important to me. I apologize if someone has taken offense, but I honestly don’t understand how anyone could be offended by what I asked.

(edited by Oxe.6142)

Posted by: slax.4357

I just tested myself and it has not been fixed. I typed in the wrong password 15 times.

Posted by: CC Dalmarus.8397
Community Coordinator

Thanks for not only bringing this to our attention but also taking the time to ensure it had not been corrected yet. This issue has been escalated to our security team for further investigation. Thanks again!

Posted by: MikeLewis
Lead Gameplay Programmer

Hi all,

I’d like to clarify our position on this particular question.

First and foremost – there is a rate limiting mechanism in place, which severely impairs the ability of automated attackers to brute-force account logins. We have carefully balanced this mechanism so as not to inconvenience legitimate users, while still presenting a substantial impediment to unauthorized account access.

Second, it is correct that we do not currently lock out accounts for failed login attempts. The reasoning for this is that if an attacker knows your email address, he can basically deny you access to the forums/game indefinitely by just logging in with bogus passwords every few seconds – something trivial to automate. This form of attack would be much more difficult to stop and create a much larger burden on customer support for resolving “locked account” issues.

Last but not least – we take security very seriously and are making every effort to ensure that our game and associated services are as trustworthy and safe as possible. We appreciate your feedback on these issues and welcome further suggestions regarding how to improve our collective safety.

Thanks!

Posted by: Oxe.6142

Thank you for your reply Mike. I have noticed the pause after a few attempts, but it is extremely short. It doesn’t seem like much of a deterrent to me. I feel there are better ways to handle this particular security matter out there. Some sites I’ve used bring up one of those squiggly line things that computers can’t read after so many attempts. This avoids your second point while still allowing the legitimate owner of the account access and thwarts bots running endless login attempts. Perhaps a system like that would be better served here.

Posted by: MikeLewis
Lead Gameplay Programmer

The pause is deliberately short because we don’t want to interfere with people who legitimately need a minute to remember (or correctly type) their password. As I mentioned, we wanted to make sure that it doesn’t inconvenience people. So the rate at which you can “humanly” hit the login page won’t cause issues until you’re doing a substantial number of attempts.

Automated attempts generally have to be done at very high volume to be effective, though, and the rate limiting will hit those attackers much harder than it will ever hit someone who just retypes their password a few times on the login screen.

Obviously I can’t get too specific, but suffice it to say we are monitoring the rate of login attempts from various sources, and we have strong evidence that this system is hampering attackers precisely as we intended.

CAPTCHAs on logins are certainly an option, but creating one that is still human readable while being immune to computer cracking is extremely difficult. Even the best known methods are mostly broken, such as reCAPTCHA (which has an 80% crack rate at this point using a variety of attacks). Since we don’t have any experts to help create a strong CAPTCHA system internally, our general feeling is that we can do other things which have better bang for the buck so to speak.
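The two approaches argued over in this thread, written out as an added example (this is not code from the original page, from ArenaNet, or from Guild Wars 2): the per-account lockout the opening post asks for, beside per-source rate limiting with a short, capped pause of the kind MikeLewis describes in his two replies. The shape of ArenaNet's real mechanism is not public, so the class names, thresholds, pause table, credential store and IP addresses below are all assumptions; the demo pushes the same attacker and account-owner traffic through both policies so the difference is visible in the verdicts.

```python
"""Login throttling without account lockout. Added example, not ArenaNet's code: it contrasts
the per-account lockout the thread asks for (anyone who knows an account name can keep its
owner out) with per-source rate limiting plus a short, capped pause that never locks the
account. Every name, threshold, address and credential below is an assumption for the demo."""
import hashlib
import hmac
from collections import defaultdict, deque


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)  # stdlib; prefer argon2 etc.


# Constructed store: user -> (salt, hash); unknown users hash against a dummy so timing matches
_USERS = {"alice": (b"salt-alice", _kdf("correct horse", b"salt-alice"))}
_DUMMY = (b"salt-dummy", _kdf("dummy", b"salt-dummy"))


def check_password(user, password):
    salt, expected = _USERS.get(user, _DUMMY)
    return hmac.compare_digest(expected, _kdf(password, salt)) and user in _USERS


class FakeClock:
    """Deterministic millisecond clock so the demo does not depend on wall time."""
    def __init__(self): self.ms = 0
    def __call__(self): return self.ms
    def advance(self, ms): self.ms += ms


class AccountLockout:
    """What the thread asks for: max_failures wrong passwords shut the account for lock_ms,
    correct password included, so whoever knows the name can hold it shut indefinitely."""
    def __init__(self, clock, max_failures=5, lock_ms=900_000):
        self.clock, self.max_failures, self.lock_ms = clock, max_failures, lock_ms
        self.failures, self.locked_until = defaultdict(int), defaultdict(int)

    def attempt(self, user, password, source):
        now = self.clock()
        if now < self.locked_until[user]:
            return "locked"
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user], self.locked_until[user] = 0, now + self.lock_ms
            return "locked"
        return "fail"


class SourceThrottle:
    """Rate limiting in the spirit of the ArenaNet reply (its real shape is not public): a
    sliding-window failure budget per source address plus a capped pause per (source, account)
    that grows with consecutive failures. The right password is accepted once the pause has
    passed, so guessing from elsewhere cannot deny the owner access."""
    def __init__(self, clock, source_budget=20, window_ms=60_000, pauses_ms=(0, 0, 0, 2000, 2000, 5000)):
        self.clock, self.source_budget, self.window_ms, self.pauses_ms = clock, source_budget, window_ms, pauses_ms
        self.source_fails = defaultdict(deque)        # source -> timestamps of failures
        self.pair = defaultdict(lambda: (0, None))    # (source, user) -> (consecutive fails, last fail)

    def attempt(self, user, password, source):
        now = self.clock()
        fails = self.source_fails[source]
        while fails and now - fails[0] >= self.window_ms:
            fails.popleft()
        if len(fails) >= self.source_budget:
            return "throttled_source"   # bot-volume guessing from this address: skip the KDF entirely
        count, last = self.pair[(source, user)]
        pause = self.pauses_ms[min(count, len(self.pauses_ms) - 1)]
        if last is not None and now - last < pause:
            return "throttled_pause"    # retry in a moment; not counted as a failure
        if check_password(user, password):
            self.pair[(source, user)] = (0, None)
            return "ok"
        self.pair[(source, user)] = (count + 1, now)
        fails.append(now)
        return "fail"


def demo():
    """Run both policies against the same constructed traffic and return each verdict."""
    clock, out, attacker, owner = FakeClock(), {}, "203.0.113.9", "198.51.100.4"
    lock = AccountLockout(clock)
    for _ in range(5):
        lock.attempt("alice", "wrong", attacker)
    out["lockout_owner"] = lock.attempt("alice", "correct horse", owner)  # "locked": trivial DoS

    thr, checked = SourceThrottle(clock), 0
    for i in range(200):                                   # 20 guesses/s at one account for 10 s
        r = thr.attempt("alice", f"guess{i}", attacker)
        checked += r == "fail"
        clock.advance(50)
    out["single_account_checked"], out["single_account_last"] = checked, r  # 6, "throttled_pause"
    out["owner_during_attack"] = thr.attempt("alice", "correct horse", owner)  # "ok"
    for _ in range(3):                                     # owner mistypes three times in a row
        thr.attempt("alice", "typo", owner)
    out["owner_retry_instant"] = thr.attempt("alice", "correct horse", owner)  # "throttled_pause"
    clock.advance(2000)
    out["owner_retry_after_pause"] = thr.attempt("alice", "correct horse", owner)  # "ok"

    spray, checked = SourceThrottle(clock), 0
    for i in range(200):                                   # one address spraying 200 different accounts
        r = spray.attempt(f"user{i}", "Password1", attacker)
        checked += r == "fail"
        clock.advance(10)
    out["spray_checked"], out["spray_last"] = checked, r   # 20 (the budget), "throttled_source"
    return out
```

Running `demo()` shows the asymmetry the reply describes: the human who retypes a password three times sees only a two-second pause, while the bot's 200 guesses at one account get through to the password check six times and its 200-account spray is cut off at the per-source budget, and in neither case can the attacker stop the owner from logging in. The deliberate gap is the one the thread's trade-off turns on: per-source limits are what a distributed attacker (many addresses, a guess or two each) evades, and adding a low global per-account ceiling would close that gap at the cost of reintroducing a sliver of the denial-of-service the lockout policy has in full.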