Guild Wars 2

After downloading the latest patch, there is red message at the top of the launcher telling me to change my password. Have there been login attempts from a Chinese IP? Has ArenaNet determined that my password isn’t strong enough? If I keep the same password for too long, will a veteran destroyer troll rise from the depths to destroy my town?

I don’t know because ArenaNet has chosen not to provide any useful information with the message. Anyone know what the deal is?

Upon starting the launcher, I saw this: http://imageshack.us/a/img442/2166/91453144.png

Never had password problems in the past, and my computer is secure. Is this showing up because there were 2 other connections going on at the same time? I noticed under account management my IP is showing as having being connected 3 times… like it shows up 2 minutes ago, 1 minute, and then currently. When I click disconnect I get the generic browser 404 page but they are disconnected too. I really don’t want to have to change the password, as I already have so many I need to remember. I’m hoping this is just related to the disconnect issue and not really necessary.

Not sure why it says that but I would seriously consider doing so if I were you. I just found out my account was being logged in from Chengdu China…..however I myself can’t change the password because it’s bugged or something, so not sure how that works….But yeah it don’t let me change it and I definitely need to if someone in China already has the account and password….so I’d consider it if I were you and try changing the pass

Weird, cause I haven’t received a single authentication email besides the ones I’m responsible for (like resetting my router than logging in). Did you get an email alerting you to the china one though?

That’s a good thing, for you it’s just suggesting to update with a new password to keep it on the safe side. If I remember correctly, that’s always there on the log in. And yes I got an email authorization for that and immediately refused it and blocked but yeah trying to be safer…if they know the account they can always get the password….and eventually they’ll find a way to bypass security….usually do. That’s why I’m trying to change it asap to prevent that. Luckily for you it was just suggesting xD

Hm, I doubt that it’s remotely close to commonly used or used by hackers. I had just come up with it with this game and it’s far more complex than any I’ve ever used. Took 4 words, cut em in half to make one big word with really randomized lettering. It’s still a word just not one in a dictionary xP

And even if it was used by someone else, that don’t explain why I can’t change it =/

As for their password, that could be the case. But I think it was just a suggestion since they haven’t received an email for authorization elsewhere. I’ve had that on my log in before because it’s always there. But yeah, I’d still change it to be safe xD

I did some digging and found out my hunch was correct – my system is secure, it just wants me to choose a longer password for the sake of being a longer password. To me, this is coming off like the FOV excuses (not legitimage). I guess 8 characters with numbers too is not good enough? It’s not a common word or something either. Guess I’ll change it but not happy at all, why change passwords for no good reason? This was one of the easiest ones I had.

Unpredictability.4086:

I did some digging and found out my hunch was correct – my system is secure, it just wants me to choose a longer password for the sake of being a longer password. To me, this is coming off like the FOV excuses (not legitimage). I guess 8 characters with numbers too is not good enough? It’s not a common word or something either. Guess I’ll change it but not happy at all, why change passwords for no good reason? This was one of the easiest ones I had.

What “digging” did you do? I don’t think it’s anything about password length; I started getting the message after the latest “maintenance” patch (Monday, I think?), but my password is unique, >16 characters, and is complex enough to take several quadrillion years to crack by brute force.

Looks like the bit under “Password Blacklisting” under :

https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Gaile Gray.6028:

Actually, I believe you are mistaken about what prompted this request.

The actual verbiage that is displayed at the top, and the “Must be at least 8 character long” it below. Perhaps you missed the first message, but it reads:

Change Password

That password is not available. Either you’ve used it before, someone else has used it before, or it’s known to have been hacked from another game or web site. Please choose a new, unique password for your Guild Wars account.

It then goes in to suggest the use of four random, unrelated words.

I think this is what you’re running into, and not a glitch with a password that is or exceeds 8 characters, when that is exactly what is requested.

That’s exactly what I did several weeks ago, before the password blacklist came into effect (as far as I know). Four random, unrelated words. And then I added a number or two, just to be on the safe side. But after the patch on Monday, I started getting the message in the attached screenshot.

If this message is due to the password blacklisting system, does that mean my password can be flagged when another user randomly chooses the same (formerly secure) password? With millions of accounts (and more created every day), is this considered a practical means of password security? And is a password insecure simply because another user tries it on a different account? I’m very confused.

Awesome, thanks for the reply! It all makes sense now.

I had assumed as much when the message appeared, since it’s not a very forceful suggestion; still, it’s reassuring to know that there isn’t reason to suspect a more serious issue.

I changed my password BEFORE this “blacklist” thing to a very strong one, now I am getting the “change password” message even when I don’t have ANY plan of changing my password again. I suppose/hope the message will be removed someday.

NeHoMaR.9812:

I changed my password BEFORE this “blacklist” thing to a very strong one, now I am getting the “change password” message even when I don’t have ANY plan of changing my password again. I suppose/hope the message will be removed someday.

I also changed my password to a very strong one before the blacklist went into effect, as mentioned above; I’m considering adding an extra word or two, just to make the message go away…

LOL, ok, I got the same message and go right ahead and change it. My last password that I used before for GW2 was: “76O8z#T5$!nnaR3LnQ0e”, dunno why they told me to change it (thought it was pretty solid). But now I have new one also randomly generated and just to be more sure I added the mobile authenticator. =)

I’m an engineer in Aeronautics and they always taught us SAFETY FIRST !

Baldovin.1392:

LOL, ok, I got the same message and go right ahead and change it. My last password that I used before for GW2 was: “76O8z#T5$!nnaR3LnQ0e”, dunno why they told me to change it (thought it was pretty solid). But now I have new one also randomly generated and just to be more sure I added the mobile authenticator. =)

I’m an engineer in Aeronautics and they always taught us SAFETY FIRST !

I’m pretty sure it wasn’t about your password as much as it was about when you changed it last. From what I gather from this thread, the message was for people who hadn’t changed their passwords since the blacklist was put into effect, so they don’t know for sure whether your password is on it or not. They’re just playing it safe and suggesting the change anyway, since changing it to something more secure isn’t a bad idea regardless of its current level of security.

Hello there,

I saw a thread the other day similar to my problem, but wasn’t able to find an answer that I thought was satisfactory.

The other day, I get an email indicating that an individual from China tried to log into my account, and that I needed to validate the log in attempt. I go to click on whatever the button was to deny the log in attempt, and it brought me to a page, which brought me to a dead end.

Few days later, there’s a prompt on the game launcher saying “Please consider changing your password” or something to that effect. I click it, go to change my password, and it leads me to ANOTHER dead end.

Now, just being suspicious jerk by nature has me thinking that

-The original email wasn’t legitimate
-The spies have hacked into the game launcher

Not really, but what’s the deal here? Why is everything I click on a dead end? The email leads me to a page where I either deny or approve access, and when I click deny it says "Failure

An error occurred with your request."

The launcher leads me to a similar message. I don’t feel comfortable changing my password when I keep getting messages like that.

Why does it say this? is it just a advice or are someone doing something with my account? (its says this in the laucher)

Yeah, would be nice if they gave us a reason rather than just say that. I have a great pw.

I think everyone is getting this. I just added mobile auth, because I had wanted to anyways and I am still getting this.

I understand being proactive but making people jumpy is a bit much can we get some kinda answer for this?

I see more people have this ‘problem’. My guess is that they show you that message after a certain amount of time because changing your password regularly makes your account safer.

Well I hope they remove that message soon, it is already annoying me after seeing it 2 times.

Hello. I am having this problem too where it tells me “Please consider changing your password.”

However, I had no login attempts whatsoever from any other IPs, nor’ any emails or whatever. So should I be worried? Or is everyone else having this?

Please address this ANET. Thank you!

I just got this message too. It must just be a standard message going out to people. I’ve had the same pw for GW for years and yeah, I probably should change it.

Thanks. Have a good one.

That’s fine and all, but let us turn the warning off. My password is unique to my gw2 account, 20 characters long, and if it gets compromised, so will any password I change it to.

I run my own mail provider, and I do my own intrusion detection there. I have unique passwords for everything. The last thing I need is an application crying wolf at me.

If you want to improve security, change your website so that the password is never sent, even via https, but rather a javascript-generated response to a challenge/response is sent. And do the same thing in the game client. Then the only way it will be intercepted is if the local (user’s) system is hacked. After that the next thing to do would be to make the client avaialble on Linux where the local system isn’t so easily hacked.

Gaile Gray.6028:

I think that’s a great idea because it accomplishes two things: Stops the reminder messages and, more importantly, increases your account security.

To be honest, this is security theatre. Changing your password one single time does not increase account security. It might even reduce it. Telling people that changing their password one single time will increase their security is mis-training people about security, which decreases security.

Moreover, a warning that I know is wrong also decreases security, because I know that your warnings aren’t worth following, so it decreases your ablity to convey security issues accurately in the future.

This would be more acceptable if you let users set their password to the same value as before, while having it checked against the blacklist.

Of course, as Mike has claimed you have no access to passwords, you shouldn’t be able to even check it against a blacklist unless you provide the blacklist to us (in software running our our systems). Therefore, you could just provide the blacklist in plaintext, so we could evaluate if you are correct and then just clear the message.

Or you could provide a hashdb of the password blacklist.

Or you can retract the claim that you have no access to our passwords if you check them server-side.

Its a “nice” to attempt to suggest a precaution of changing your password.
But they failed on securing the unique aspect of the password criteria / entries.

If you are privileged to have access to two accounts with two different email addresses. You will not be able to use the same password from account A on account B. It will tell you basically. The password is not unique and you will have to choose a different password.

That is a very bad thing to suggest. they are telling me that password I want to enter on account “B” is not unique.

Basically, The shady people can now start entering there own passwords and get results on what is valid in the arena net network.

AreaNet, why should I change? Did someone broke into the database or just for my safety? Just wondering. :o

- Thank you for your time.

yea got the same message….wondering as well.

As the title said i was suddenly advised to change my password. There wasn’t given a reason for it, just before starting up the game there was this sentence in a red bar ‘’Please change your password’’. Ofcourse i changed my password but i would like to know why i had to change it.

Thanks

Maybe your password gonna die ! got the same message but I’m keeping my old one :P

i am also getting this, i wish the message would go away after the first log in after recieving it. great patch, but this kind of thing is a QOL issue and needs to be fixed

Gaile, you may not be aware of this, but unnecessarily changing your password actually marginally REDUCES your account security. I can explain why if you like but it would require quite a detailed step through of risks and mitigations.

I am currently being prompted by the launcher to change my password redundantly. Now, I understand network security well enough not to do so, but thousands of users won’t and will faithfully follow the advice unnecessarily and thus add to the risk to their accounts.

I would like to get rid of the message without changing my password please.

I have considered your advice and decided against it.

Gaile Gray

With all due respect, I trust our Security Team implicitly. If they are recommending this, I’ll take their advice, and I’ll encourage our players to do the same.

Very wise, given that I am just a random GW2 player and you have no reason to place any faith in my knowledge of security.

However, while I am sure your trust in your security advisors is well placed, noone is infallible. It might well be worth taking this question to them explicitly.

If it helps, here is the simplest exaplanation I can give as to why redundant password changing is a security risk.

Assumption – if my GW2 account has been compromised, the hacker will ransack it in such a way that I would know I had been hacked. I’m assuming therefore scenario in question relates to uncompromised accounts.

Risks to my security relating specifically to hackers getting my password:

1) Brute Force
An attacker tries all permutations of valid characters. Eventually the attack will find my password.

Mitigations:
- Most defences against brute force should be server side (i.e. not allow loads of failed log in attempts against my account consequetively in a short space of time.
- Password strength. The GW2 advice on password strength is solid and should be followed.
- Mobile authenticator. This should make brute force attacks so hard as to be effectively impossible.

Impact of changing my password from valid to valid:
- None. I have no way of knowing whether a given new password would be cracked sooner or not because I do not know what they have already tried or what order their algorithm works in.

2) Man in the Middle
A server routing my information from my computer to Anet has been compromised and sniffs my password data.

Impact of changing my password from valid to valid?
None. It is equally probable that they will sniff my new password as my old.

3) Local system infected with key logger
If my machine is infected with a key logger, everything I type can be logged and sent to the hacker, including my password (if I type it!)

Mitigations
- Type my password only when absolutely necessary. Use the “remember my password” option provided by GW2. I should point out that GW2 is one of the very few games offering this feature, making it a more secure game than most.
- Local virus checker and malware detection. Frequent scans.
- Mobile authenticator. This effectively makes key logged passwords useless and protects entirely against this form of attack (unless your phone is also infected by the same hacker).

Impact of changing my password from valid to valid?
WORSE security, because I will have typed my new password when setting it rather than using the “remember my password” option.

I’m going to finish by saying that obviously this is just my personal view and I recommend all players follow the advice from Anet rather than myself. I’m writing this just because it is relevant and perhaps when reviewing it, it can constructively contribute to Anet’s approach.