Concerns regarding password policy

in Account & Technical Support

Posted by: Felbryn.5462

The game has started refusing my login because I haven’t changed my password since you updated the blacklist. I think this is a questionable policy—the entire reason those blacklisted passwords are dangerous is that an attacker might use it to discover my password via guess-and-check, which means that ArenaNet should ALSO have been able to discover whether my password is on the list via guess-and-check sometime in the past 4 months (if it’s truly a practical attack), but that’s not why I’m posting.

Since I’m fairly confident that my password is NOT on the blacklist, and I have never used it for anything other than my Guild Wars 2 account, and I’ve already memorized it, I attempted to “change” my password to its current value. This produces the following error message:

“Unavailable password. You or someone else has used it before, or it’s on a known list of passwords stolen from other games or websites. Please use a new, unique password for your Guild Wars 2 account.” (emphasis added)

This concerns me for several reasons:

1) Refusing to let someone re-use a password generally does NOT improve security. Studies have shown that users either work around such restrictions (e.g. by rapidly changing their password to exhaust the buffer and return to the original), or they react to being forced to memorize more passwords by choosing easier-to-remember (and thus, usually less secure) passwords. So I think it is very unlikely that this restriction is doing your users any favors.

2) This message implies that I can find out whether someone else in your system has used a certain password by attempting to change my password to it. If true, then not only are you allowing me to guess the passwords for all your users simultaneously (probably a security weakness), but you must somehow be checking the new password I’ve entered against ALL the other passwords—which ought to be ridiculously expensive (computationally) if you are following good security practices and storing only expensive, uniquely-salted hashes of passwords. Which makes me pretty sure that either this message is inaccurate, or you’re storing the list of passwords “someone has used before” very insecurely.

3) You’re not even going to present different messages depending on whether the password is blacklisted or previously-used? The entire reason the blacklist is dangerous is because the bad guys already have it; if someone is trying to use a password off of that list, it would be courteous (and not meaningfully less secure) to inform them that it’s on the list, so that if they’re using the same password somewhere else (an unfortunate but common occurrence) they will realize that’s a problem and can do something about it.

So: why do password changes work this way?
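The cost argument in point 2 turns on what a password-history check actually compares against. Below is an added illustration (not ArenaNet's code, and not a description of their system) of the usual defender-side design: each account keeps a small, bounded list of its own past salted hashes, so a reuse check recomputes at most a handful of slow hashes for that one account, while the breach blacklist is a plain set lookup. The iteration count, history size and the three constructed blacklist entries are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample blacklist; a real breach corpus holds millions of entries.
# Entries are stored as SHA-1 digests, the form public breach lists are usually distributed in.
BREACHED = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456", "qwerty")}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: this is the expensive operation the post worries about."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """One user's credential record: a bounded history of (salt, hash) pairs, newest last."""

    def __init__(self, history_size: int = 5):
        self.history_size = history_size
        self.history: list[tuple[bytes, bytes]] = []
        self.hash_calls = 0  # counts slow hashes performed, to make the cost visible

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)  # fresh per-password salt
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-self.history_size:]  # keep only the last N

    def previously_used(self, candidate: str) -> bool:
        # Only this account's own salts are tried, so the cost is at most
        # history_size slow hashes, never one per user in the whole system.
        for salt, stored in self.history:
            self.hash_calls += 1
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                return True
        return False


def is_breached(candidate: str) -> bool:
    """Cheap set membership test against the breach list; no per-user work involved."""
    return hashlib.sha1(candidate.encode()).hexdigest() in BREACHED


def evaluate_change(account: Account, candidate: str) -> str:
    """Classify a proposed new password as 'breached', 'reused' or 'ok'.

    The two rejection reasons are kept distinct here; whether to show the user
    which one applied is a separate policy choice (the thread's point 3).
    """
    if is_breached(candidate):
        return "breached"
    if account.previously_used(candidate):
        return "reused"
    return "ok"


if __name__ == "__main__":
    acct = Account()
    acct.set_password("correct horse battery staple")
    print(evaluate_change(acct, "correct horse battery staple"))  # reused
    print(evaluate_change(acct, "qwerty"))                        # breached
    print(evaluate_change(acct, "a new unique passphrase"))       # ok
    print(acct.hash_calls)                                        # 2: one per reuse check
```

With this layout the "someone else has used it before" wording in the error message cannot literally be true of a salted-hash store: a check against every other account would cost one slow hash per account, whereas the per-account history above costs at most `history_size` hashes per change attempt. A breach-list hit, by contrast, costs nothing beyond a lookup, which is why the two checks are normally implemented separately.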

Posted by: LordArrgh.8073

It's been 3 hours since I updated my ticket on this same issue; it feels like they are saying pfff you no play no more ever!!

Posted by: Ellieanna.5027

To the comment about it's been used before: they are referring to when they originally put in the change. They don't keep checking it against all the new passwords. Considering how often people were getting hacked, it's pretty good that they are doing this. And your point for number 3: most people should be using different passwords everywhere and should be changing them often. Doesn't matter what list it's on.

I’m a Moose, a ginger moose even.

Posted by: Michael.4791

Ellieanna is right. Usually within security-alert companies you are forced to change to a new password at least every 90 days, and old passwords are off limits too.

If there are any questions about security with Anet, I recommend to read the relevant stickies and articles. It is a good read and it explains why they are doing what they are doing now.
Some may not need a mandatory change, but how will Anet know? Their blacklist is only part of the problem, because it only has the KNOWN hacked passwords. What about the recycled passwords that were not hacked yet? Anet has no chance to check against the list of unknown recycled passwords. THAT is why everybody is forced to take part.

Posted by: Moderator.9672

Hi,

The grace period for the password change ended last Friday.

Michael and Ellieanna’s posts gave proper clarification. If you wish to have an official statement about the mandatory password change, please read this article here.

The topic is now locked; thanks for your contribution.

Posted by: Gaile Gray

ArenaNet Communications Manager

For a detailed outline on the subject of security as it relates to Guild Wars and Guild Wars 2, please see Mike O’Brien’s article on account security.

Check out several tips on security.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet