Guild Wars 2

While I generally do not go overboard with my password security, after seeing the penny-arcade comic mentioning how Gabe’s account had been hacked (again), remembering my good friend’s hacked account experience in GW1 and then seeing this recent article about security, I decided to lock down this account with the strongest password I could possibly use: random 100 characters, upper, lower, numbers, symbols. I wasn’t even sure it would accept it, since it doesn’t say anwyhere exactly what is allowed or not, but it took it without a hitch. I’m very impressed by that.

But now I can’t log into GW2. Or GW1, for that matter. I can log into the forum, obviously, so clearly I’m not entering in the password wrong. I plan on logging a support ticket immediately, to make sure that this gets in front of the right people as soon as possible, but I figured I would post this as a cautionary tale to other people considering the same thing, and perhaps see if anybody else has suffered anything similar.

As a side note, this is all kind of ironic due to how I’ve been working on integrating web applications for the last couple weeks and seeing stuff like this. Work is just following me home, it seems.

At a guess, it’s probably accepting passwords of any length when you set them, but truncating passwords when it prompts you to enter one. For example, it accepted your 100-length password, but may only (I do not know; I’m guessing) process the first 64 characters when you subsequently use it to log in. Bingo, your saved password and the one the system thinks you entered don’t match.

I agree: It would be good for ArenaNet to make known the maximum acceptable password length, and limit the creation of passwords to that length.

(note: this is just supposition, based on similar behavior I’ve seen elsewhere in the past that matches what you describe).

Maybe the password is just too secure.

If you can login here, go to ‘My Account’ and change the password from there. Maybe something shorter but with equal complexity will suffice.

Well, I based the 100 character length on the update in GW1 a while back that said they now allowed characters up to 100 characters in length. I figured if it were too long or had invalid characters, it wouldn’t let me, and if it truncated the password upon creation, it would not be letting me into the forums with it now. Unless of course it’s truncating it every time I enter it into the forum…

Well, if it’s doing that it’s some number other than 64 characters, tried it, didn’t work. With the blacklisting policy in effect, it would seem like a waste of a perfectly good 100 random characters. Besides, I like having a password that could probably double as an RSA key. Good luck to any keylogger in picking that mess up.

It’s possible the game client is truncating the password, but the backend system handling the forums and official website, and their password forms, aren’t.

I was thinking something very similar to that as well. Another thought is that the combination username and password together is too long for the encoding method used to verify it (since they probably use a hash value or something similar to verify it), and there is some sort of overthrow exception that is causing it to halt early, causing it to not match up. We could come up with theories all day, but we can’t say for sure without looking at it. But the password is definitely in there, and definitely not readable by either game.

As mcl mentioned, using a password which is longer than allowed can cause such issues. You’ll likely need to contact customer support to rectify the situation.

Already had. Since I hadn’t heard from them for a while, I guessed that it was due to them using URL encoding extending the length beyond what the programs could handle for whatever reason. When I changed it to a version that had enough characters lobbed off the end to fit, it worked fine. Doesn’t mean that’s why it didn’t work, but it very well could be.

When they did send me a response, it looked like some canned email that they probably send everyone who got their account hacked or lost their password. And they changed the title to “Account Lost.” with the period and everything. So I replied with a message of what the problem actually is, what I did to solve my own issue, and what they could do to prevent this from happening.

I’ve worked as support previously, and I’m sure they’re completely swamped right now, so they have my sympathies. At the same time, it’s their job to read these things, and I don’t feel like mine really was. If I even get a further response back, I’ll be impressed.

Since hackers do not use brute force attempts with every letter combination a 100 character password is unnecessary – 8-10 characters would be just fine, ideally using a mix of case, numbers and a special character. That is over 5000 billion combinations so if it took then 10 ms per attempt it will still take over 2000 years to test every combination.

Just make sure you use a unique password not used before and you will be fine (unless you have keylogging software virus in which case your 100 character password would not help anyway).