Security?

in Account & Technical Support

Posted by: SwiftChocobo.3781

While on the whole this post was good and informative, there were a few things about it that really bothered me.
First of all, the ‘correct charged battery horse’ or whatever example he used to demonstrate what apparently Anet considers a ‘strong’ password. IT IS NOT.
Just set GW2 aside for a second and think generally. A password is a password. The only time you -should- use a weak password is for a website or forum you absolutely don’t care about. If there’s ANYthing important on an account though, especially anything that can be linked to another account of yours, you should use a truly strong password.

From a professional standpoint, there is only one way to keep a truly strong password.
1. do NOT use simple words or phrases that can be scanned, guessed, and/or found in a dictionary/database (such as in Anet’s example)
2. use different characters, not just letters and numbers. Caps and symbols.
3. a random string of these combined will always be the strongest.
4. change your password every so often.
5. DO NOT browse malicious websites or download torrents on the machine you access these accounts on. These can become infected with a keylogger, which even the strongest, longest, most random password in the world falls to immediately.

Other than the simple word example, Anet’s advice is sound. And I’m happy they’re rolling out a form of authentication. I just feel like the simple word example is ultimately giving the less learned player the wrong advice. Am I overthinking it? Yes, but I wouldn’t want someone to take this advice and, say, go make their bank/investment account just four simple words.

Posted by: Essarious Quw.8946

The only part I am unhappy with is that I have to change my password -again-.

I had a bit of a scare where someone tried to log in as me during the headstart access, so I changed and verified my email, enabled two step authentication -and- created a unique PW for GW2… and now I have to change it again? DX

I’ll treat it the way I treat Facebook and wait for them to force me to change it.

Posted by: Flower Lyssa.8012

@SwiftChocobo I actually checked that comic (and you should too!) and it does make some sense to me to use 4 common words as a (long) password instead of a (short) traditional password. If you want to see what other people are saying about the strip, you can also check the forums: http://forums.xkcd.com/viewtopic.php?f=7&t=73384

xkcd fans are usually pretty bright and do speak up when something like this makes sense (or not).

Posted by: Crise.9401

First of all, the ‘correct charged battery horse’ or whatever example he used to demonstrate what apparently Anet considers a ‘strong’ password. IT IS NOT.

It is a strong password; what matters most in the event of an automated attack is password length. Only if the attacker is targeting a single individual and knows something of said individual does the meaning (or lack thereof) of the password matter.

To a computer a character is a character; whether it is a fancy symbol or not doesn’t matter. Even if we assume everyone followed ANet’s advice and created their password from words from the English dictionary, and the attackers adjust their automated tool to check for it, the following basic math applies.

Without getting into the problems of counting words in certain languages, let’s assume that there are at the very least 250 000 distinct English words. Then (250 000 choose 4) = 1.6275651 * 10^20. (If we were to assume each letter can be a lower- or uppercase letter, then the number of actual combinations that need to be tested changes.)

Now let’s look at how regular passwords compare to the above; a regular password is assumed to be 8 or 12 characters in length. Before that, however, let’s look at how a typical brute force attacker would approach the example given in the blog.

  1. (63 choose 28) = 6.2930829 * 10^17 (ANet’s example password, when attacker knows what characters it can contain)
  2. (95 choose 28) = 9.28986927 * 10^23 (ANet’s example password in a more typical scenario, using ASCII table)
  3. (191 choose 8) = 3.78643234 * 10^13 (Typical, short, password, ISO-8859-1 charset)
  4. (191 choose 12) = 3.45849632 * 10^18 (Typical, long, password)

So yes, in the event that the attacker knows that a certain person’s password is composed only of English words and spaces and can thus limit the group of characters used for the search, then a 12 character password containing symbols is in theory stronger by comparison. However, keep in mind that if only “symbols” from the ASCII table are used or allowed then the above math changes because ASCII only has 95 printable characters total, thus (95 choose 12) = 5.46585073 * 10^14.

So it turns out that attackers working with words is actually counterproductive for them, unless they can significantly limit the number of words used in the search.

tl;dr: Only an attacker that knows what words a certain user is likely to choose for their password would benefit from actually doing a word based dictionary search; for a standard automated brute force attack, length is the deciding factor.

(edited by Crise.9401)

Posted by: MikeLewis

Lead Gameplay Programmer

I think Crise already did a great job covering the mathematics behind password strength, so I only have this to add: the problem is that it is far easier to remember “correct horse battery staple” than it is to remember “MA4n4%$&7854kkn4q32kl2$(24cb” (which is the same length).

What we would like is for our players to select comparatively strong passwords (versus “twilight” which is weak in about every sense of the word) which they can remember easily. Mnemonic passwords like the 4-word example are much easier to handle as a player than cryptic “strong” passwords.

Our experience shows that if it comes down to choosing a traditional, “strong” password, versus something easy to remember, people will elect for what they can remember virtually every time.

If we can help players increase the security factor of their passwords without compromising the memorability, then everyone wins. That is the motivation behind the blog post.

Posted by: LittleZoe.4970

(versus “twilight” which is weak in about every sense of the word)

I see what you did there :P

Anyway, I thought out a password unique to GW2 now… I wasn’t too happy about it, but I can see why they decided on this.

Zoe Clawstorm – Norn Necromancer

Posted by: mcl.9240

First of all, the ‘correct charged battery horse’ or whatever example he used to demonstrate what apparently Anet considers a ‘strong’ password. IT IS NOT.

It is a strong password; what matters most in the event of an automated attack is password length. Only if the attacker is targeting a single individual and knows something of said individual does the meaning (or lack thereof) of the password matter.

To a computer a character is a character; whether it is a fancy symbol or not doesn’t matter. Even if we assume everyone followed ANet’s advice and created their password from words from the English dictionary, and the attackers adjust their automated tool to check for it, the following basic math applies.

Without getting into the problems of counting words in certain languages, let’s assume that there are at the very least 250 000 distinct English words. Then (250 000 choose 4) = 1.6275651 * 10^20. (If we were to assume each letter can be a lower- or uppercase letter, then the number of actual combinations that need to be tested changes.)

Now let’s look at how regular passwords compare to the above; a regular password is assumed to be 8 or 12 characters in length. Before that, however, let’s look at how a typical brute force attacker would approach the example given in the blog.

  1. (63 choose 28) = 6.2930829 * 10^17 (ANet’s example password, when attacker knows what characters it can contain)
  2. (95 choose 28) = 9.28986927 * 10^23 (ANet’s example password in a more typical scenario, using ASCII table)
  3. (191 choose 8) = 3.78643234 * 10^13 (Typical, short, password, ISO-8859-1 charset)
  4. (191 choose 12) = 3.45849632 * 10^18 (Typical, long, password)

So yes, in the event that the attacker knows that a certain person’s password is composed only of English words and spaces and can thus limit the group of characters used for the search, then a 12 character password containing symbols is in theory stronger by comparison. However, keep in mind that if only “symbols” from the ASCII table are used or allowed then the above math changes because ASCII only has 95 printable characters total, thus (95 choose 12) = 5.46585073 * 10^14.

So it turns out that attackers working with words is actually counterproductive for them, unless they can significantly limit the number of words used in the search.

tl;dr: Only an attacker that knows what words a certain user is likely to choose for their password would benefit from actually doing a word based dictionary search; for a standard automated brute force attack, length is the deciding factor.

That isn’t true. Rather, it’s only trivially true. Let me describe three reasons why:

1) Modern password cracking software developers use an existing corpus of millions of existing passwords to determine common password generation techniques, including “string of unrelated but extant words in a given language”. This means that the software isn’t brute-forcing each character. It’s making much more sophisticated attempts than that, which invalidates the guesses per second metric, and modifies the impact of the entropy as calculated in the comic. Schneier wrote extensively on this in 2007.

2) Yes, the password example in the xkcd comic has roughly 44 bits of entropy, based on the assumptions present in the xkcd comic. However, his estimate of guesses/sec necessary to crack it is woefully low when using cracking software coded to today’s GPU APIs. It’s off by several orders of magnitude. To be blunt: he’s assuming the software being used is much slower than it actually is.

3) Furthermore, any linguist would be quick to point out that computing the bits of entropy based solely on the number of possible symbols in a given position (H = L[log N / log 2]) is naive, because of the decrease in entropy caused by symbol use frequency in isolation, and in various n-grams, in a given language (English, in this case). This invalidates the claim of roughly 44 bits of entropy in the “strong” password shown in the comic.

This is why the poster above you, myself, and others repeatedly point out that using common words in a password, regardless of length, doesn’t buy you the amount of security you think it buys you. The bits of entropy in the xkcd comic are miscalculated, as are the guesses per second necessary to find the password. It’s better than nothing, but it’s nowhere near as good as a long, truly random (i.e., generated by a properly-seeded PRNG, not by a human thinking they’re being random by picking symbols) password.

(edited by mcl.9240)

Posted by: Kaz.5430

I have a couple of questions relating to this recent article.

1. Will ALL passwords be required to be changed, even if they have not come up in the database of passwords being checked? This seems a little extreme to force people to get rid of passwords that are not compromised, and it means adding perfectly good passwords to a dataset of compromised passwords, ruining the usefulness of the dataset you have created.

2. My Guild Wars 2 username and password are the same as my Guild Wars 1 username and password due to account linking. Will changing my password affect both games, or are the accounts now fully separated?

3. When we are forced to change our password, could you create a form that automatically checks the password against the database of compromised passwords, ‘before’ submitting (AJAX-style). That way we could use the database you have collected to quickly cycle through weaker passwords we might use elsewhere and quickly see if they flag up as compromised.

Monarchy - 15 year old browser-based game and roleplay community
Table Warfare Miniatures - Armatures, Custom Miniatures, Moulds etc.

Posted by: Dace.3985

I understand the concern people raise because dictionary attacks are a very real threat and are becoming increasingly common. However, most dictionary attacks have previously known data to narrow the search down including the most common word for passwords (password, qwerty, dragon, football, etc.). As Anet pointed out in the article, most attempts try a specific password and then a variation or two before moving on. The metrics Anet has collected clearly show the attempts are backed up with other information.

Also, comparing a regular brute force versus a dictionary attack is a little bit more of an apples to oranges kind of deal, but we can pretty easily see that dictionary attacks would take longer as there are more words to choose from than characters (hundreds of thousands versus hundreds) even if the respective passwords have fewer words than characters (e.g. a 4 word password versus a 12 character password).

Does that make the password completely secure? No. If someone wants to hack your account, they’ll be able to do it. But I don’t think Anet ever said it would be completely secure or there wouldn’t be attempts. However, while the tech is available, it is easier and more worth the time of the people trying to compromise the accounts to just skip the multiple random word passwords and hit the targets that have an easy/common password, or try accounts for which they already have a likely password (usually mined from another site or from phishing).

Modern common-level security isn’t so much making it impossible for hackers, but instead to make you a less desirable target by making it not worth their time and I think Anet’s advice will help people with that.

(edited by Dace.3985)

Posted by: Kethryes.5712

Mcl is right, such a password is not as strong as it may seem, because the words came from the English dictionary. (You know, as in “dictionary attack”).
And even if hackers don’t use such efficient multiple dictionary attacks for now, that’s just because not many people use such passwords. But they can adapt very easily.

However, a minor trick will make it strong: replace some of the letters with symbols, like
corr3ct horse ba|tery 5taple

Now your password is really solid, and easy to remember. (It was actually discussed in the forum thread of XKCD)

Cheers

(edited by Kethryes.5712)

Posted by: mcl.9240

Mcl is right, such a password is not as strong as it may seem, because the words came from the English dictionary. (You know, as in “dictionary attack”).
And even if hackers don’t use such efficient multiple dictionary attacks for now, that’s just because not many people use such passwords. But they can adapt very easily.

However, a minor trick will make it strong: replace some of the letters with symbols, like
corr3ct horse ba|tery 5taple

Now your password is really solid, and easy to remember. (It was actually discussed in the forum thread of XKCD)

Cheers

No, simple substitutions like that are not any more secure, and are easily guessed at. Almost any pattern-substitution or symbol-substitution currently used for password creation has been discovered, analyzed, and incorporated into modern day password-cracking software. Again, Schneier wrote about this in 2007.

That means things like:

  • 1337-5p34|< substitutions
  • spatial pattern usage (e.g., !qAz@wSx#eDc)
  • any known substitution cypher (and there are many)
  • spatially-shifted symbol substitution (e.g., “yjododsyrdy” for “thisisatest”)
  • omission-based passwords (e.g., “thsstst” for “thisisatest”)
  • reordering-based passwords (e.g., “tsetasisiht”)
  • simple symbol appending or prepending (e.g., 123thisisatest123)
    …and so on, and so on.

If you can think of it, it’s almost certainly already been used ad nauseam, analyzed extensively, and incorporated into cracking software. Humans simply aren’t good at generating randomness, i.e., true, high Shannon entropy.
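
As an added example (not code from any poster in this thread), the Python below scores a password under the three attacker models argued over above: brute force over the 95 printable ASCII characters, an ordered search over a 250 000-word dictionary (Crise's figures), and that dictionary search with a leet-substitution rule of the kind mcl describes, applied to Kethryes's "corr3ct horse ba|tery 5taple" and to the random 28-character string from MikeLewis's post. It counts ordered sequences with repetition (N^L), so its numbers differ from the binomial "choose" values quoted above; the small word list, the substitution table and the expansion cap are constructed assumptions.

```python
import math
from itertools import product

# Constructed sample dictionary so the demo runs offline. A real checker would
# load a full word list; the size assumed for the estimate is a separate
# parameter (250,000 distinct English words, the figure used in Crise's post).
SAMPLE_WORDS = {
    "correct", "horse", "battery", "staple", "twilight",
    "this", "is", "a", "test", "password", "dragon",
}
DICTIONARY_SIZE = 250_000
PRINTABLE_ASCII = 95          # printable ASCII characters, as in the posts
MAX_EXPANSIONS = 10_000       # bound on leet expansions tried per token (assumption)

# Symbol -> letters it commonly stands in for (constructed table). This is the
# direction a cracking rule takes to undo the substitution.
LEET_CANDIDATES = {
    "3": ["e"], "0": ["o"], "5": ["s"], "$": ["s"], "4": ["a"], "@": ["a"],
    "7": ["t"], "+": ["t"], "1": ["l", "i"], "|": ["l", "i", "t"],
    "!": ["i"], "(": ["c"], "8": ["b"],
}
# Inverse map: letter -> symbols that can replace it.
LETTER_TO_LEET = {}
for symbol, letters in LEET_CANDIDATES.items():
    for letter in letters:
        LETTER_TO_LEET.setdefault(letter, []).append(symbol)


def brute_force_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Work for an attacker trying every ordered string: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def word_model_bits(num_words, dictionary_size=DICTIONARY_SIZE):
    """Work for an attacker trying every ordered sequence of dictionary words."""
    return num_words * math.log2(dictionary_size)


def leet_rule_bits(word):
    """Extra work a substitution rule costs the attacker for one word: a letter
    with k possible replacements has k + 1 spellings to try."""
    return sum(math.log2(1 + len(LETTER_TO_LEET[ch]))
               for ch in word if ch in LETTER_TO_LEET)


def normalize_token(token, words=SAMPLE_WORDS):
    """Undo leet substitutions; return (dictionary_word, substituted_count)
    if some expansion is a known word, else None."""
    options = [LEET_CANDIDATES.get(ch, [ch]) for ch in token.lower()]
    if math.prod(len(o) for o in options) > MAX_EXPANSIONS:
        return None  # too ambiguous to expand; treat as non-dictionary
    substituted = sum(1 for ch in token if ch in LEET_CANDIDATES)
    for combo in product(*options):
        candidate = "".join(combo)
        if candidate in words:
            return candidate, substituted
    return None


def estimate(password, words=SAMPLE_WORDS, dictionary_size=DICTIONARY_SIZE):
    """Bits of work under each attacker model. Word-based figures are reported
    only when every space-separated token normalizes to a dictionary word."""
    result = {"brute_force_bits": brute_force_bits(len(password))}
    tokens = password.split()
    matches = [normalize_token(t, words) for t in tokens]
    if tokens and all(m is not None for m in matches):
        base = word_model_bits(len(tokens), dictionary_size)
        result["word_model_bits"] = base
        # Upper bound: the attacker tries every spelling of every substitutable letter.
        result["word_model_with_leet_bits"] = base + sum(
            leet_rule_bits(word) for word, _ in matches)
        result["normalized"] = " ".join(word for word, _ in matches)
    return result


if __name__ == "__main__":
    for pw in ("twilight", "correct horse battery staple",
               "corr3ct horse ba|tery 5taple", "MA4n4%$&7854kkn4q32kl2$(24cb"):
        print(repr(pw))
        for key, value in estimate(pw).items():
            print(f"  {key}: {value:.1f}" if isinstance(value, float)
                  else f"  {key}: {value}")
```

The leet variant of the passphrase lands at roughly 97 bits under the rule-based model, about 25 bits above the plain passphrase and far below the 184 bits a per-character brute-force estimate would suggest.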

Posted by: Oddzball.4280

To be honest, I seriously doubt hackers are brute forcing accounts. It’s not worth the time investment per account. They use a list of common passwords, try a few variations then move on to the next account.

Or they got your login information from some other site that isn’t secure.

A password consisting of 4 random words would take a LONG time to brute force.

Even with the BEST brute force options available it would take YEARS to brute force a password that has roughly 16 characters in random word format.

Posted by: mcl.9240

Even with the BEST brute force options available it would take YEARS to brute force a password that has roughly 16 characters in random word format.

Yes, if it were simply brute-forcing.

The point I’m trying to make is that nobody with half an ounce of sense is going to use straight brute-force attacks these days. There’s just too much known about too many aspects of password selection, word choice, human memory, cryptography, and so on to resort to the caveman equivalent of password cracking.

Word-frequency analysis would narrow the search space considerably. Again, humans are horrible at randomness. You may pick a word that you think is random; it isn’t. Its n-gram occurrence frequency with surrounding words may be very low, but the occurrence frequency of the word itself is likely quite high. And given priming effects in human memory, the n-gram occurrence frequency of the adjacent words will be much higher than random.

Posted by: Kethryes.5712

No, simple substitutions like that are not any more secure, and are easily guessed at. Almost any pattern-substitution or symbol-substitution currently used for password creation has been discovered, analyzed, and incorporated into modern day password-cracking software. Again, Schneier wrote about this in 2007.

That means things like:

  • 1337-5p34|< substitutions
  • spatial pattern usage (e.g., !qAz@wSx#eDc)
  • any known substitution cypher (and there are many)
  • spatially-shifted symbol substitution (e.g., “yjododsyrdy” for “thisisatest”)
  • omission-based passwords (e.g., “thsstst” for “thisisatest”)
  • reordering-based passwords (e.g., “tsetasisiht”)
  • simple symbol appending or prepending (e.g., 123thisisatest123)
    …and so on, and so on.

If you can think of it, it’s almost certainly already been used ad nauseam, analyzed extensively, and incorporated into cracking software. Humans simply aren’t good at generating randomness, i.e., true, high Shannon entropy.

@Mcl: of course you are right, it is not as good as a true random password, but the point in doing this is that it basically transforms a “simple” dictionary attack into a “kind of” brute force attack, because for each word you have to try all the possible substitutions, omissions, reorderings etc…

And a brute force attack can’t succeed on a remote authentication with high latency, as is the case for GW2.

Posted by: mcl.9240

@Mcl: of course you are right, it is not as good as a true random password, but the point in doing this is that it basically transforms a “simple” dictionary attack into a “kind of” brute force attack, because for each word you have to try all the possible substitutions, omissions, reorderings etc…

And a brute force attack can’t succeed on a remote authentication with high latency, as is the case for GW2.

I agree with your last statement. I even agree with the intent behind trying to get people to use something akin to the xkcd example for password selection as an improvement to the general techniques people tend to use now.

My main quibble here is that many people will read that, and go about their lives thinking that since they’ve used the xkcd example here (and incorporated it into all their other passwords), they’re suddenly much more secure. Which is true, but only to a point.

They’re much more secure in the specific scenario that the current attacks against GW2 accounts present.

But they’re woefully insecure should the hashed or, as is sometimes the case, plaintext password database of some company the person in question has an account with get compromised. Once those hashes are in the wild, a “random”-string-of-words password will fall significantly faster than is stated by xkcd, for the reasons I’ve discussed above.

It leaves the average person with a sense of security that they’ll carry over into other situations where it mismatches the actual security risk significantly. This wouldn’t be the case if everyone studiously used truly unique (and by that, I mean the passwords aren’t simply variants of each other) passwords for each and every account they have everywhere, but you and I both know they don’t. So someone will use the random-string-of-words password here, and on some fansite somewhere. That fansite will get hacked, their password database stolen, quickly cracked, and then that random-string-of-words password is suddenly totally insecure, because the entropy wasn’t what the xkcd comic said it was, because they used a very naive and inappropriate entropy computation. Actual words are inherently low-entropy. Strings of them even lower still.

I just don’t want people thinking strings-of-words passwords are somehow inherently strong in all situations. They aren’t. They’re adequate in this case, but should that password be used somewhere else where the likelihood of their hashes being stolen is higher, it’ll quickly end up on the list of known passwords those hackers are using against GW2. And then people will feel betrayed, because they were told that strings-of-words passwords were supposed to be really, really impossible to guess.

They’re not.

Posted by: Rotha.1763

TBH in the end if it helps make hacking someone’s account that little bit harder or makes someone think that P@ssw0rd is not a very good password after all then it’s done its purpose. I think this issue is being far too overthought. No-one ever said in the article that making your password stronger would save the day, only that it would be less likely to end in doom.

Posted by: Crise.9401

@mcl

Well, we are not holding a security seminar, or suggesting people use it as their bank password model. Like you said yourself, an improvement to the general practices.

There was a reason why I kept my post trivial, and that’s the same reason why the blog post did the same: the comic strip can be understood by even a young kid. If they just put the blacklist in place, people would just start appending a few characters to their old password when forced to change it, a practice they probably have used on other sites on occasion.

There is no need to overwhelm people; no one here or at ANet is capable of fixing the world’s insecure passwords, no matter how much we educate, but they can improve it from the “twilight” level of bad. You start throwing words like entropy around and you lose people. Besides, the article reiterates many times that passwords should be unique on all sites, so if that person still starts throwing the same strings-of-words password at other sites then they do not know how to read. The whole article is about unique passwords more than it’s about hard to guess passwords.

Posted by: LeCreaux.3087

Reality check needed here. From a computer security perspective we can debate password complexity all day (and we really do) but in the end it’s a balancing act between what the user can handle and the threat.

1. The threat here is a list of known passwords and the usual easily guessed passwords. It’s not hackers with an offline copy of ArenaNet’s password files with endless time to crack them (if that ever happens the best defense is simply a mass forced password change).

2. The users are just gamers, of all ages, regular people just trying to have some fun. Yes, a small percentage have the ability and willingness to use high-complexity passwords (overkill for the threat). But for the threat, most probably just need to come up with something that’s NOT on the known list, not used anywhere else, and can’t easily be guessed.

Posted by: Crise.9401

Reality check needed here. From a computer security perspective we can debate password complexity all day (and we really do) but in the end it’s a balancing act between what the user can handle and the threat.

1. The threat here is a list of known passwords and the usual easily guessed passwords. It’s not hackers with an offline copy of ArenaNet’s password files with endless time to crack them (if that ever happens the best defense is simply a mass forced password change).

2. The users are just gamers, of all ages, regular people just trying to have some fun. Yes, a small percentage have the ability and willingness to use high-complexity passwords (overkill for the threat). But for the threat, most probably just need to come up with something that’s NOT on the known list, not used anywhere else, and can’t easily be guessed.

Couldn’t have said it better.

Don’t know what that +1 button does next to your post, but past experience says probably something positive.

Posted by: mcl.9240

@mcl

Well, we are not holding a security seminar, or suggesting people use it as their bank password model. Like you said yourself, an improvement to the general practices.

There was a reason why I kept my post trivial, and that’s the same reason why the blog post did the same: the comic strip can be understood by even a young kid. If they just put the blacklist in place, people would just start appending a few characters to their old password when forced to change it, a practice they probably have used on other sites on occasion.

There is no need to overwhelm people; no one here or at ANet is capable of fixing the world’s insecure passwords, no matter how much we educate, but they can improve it from the “twilight” level of bad. You start throwing words like entropy around and you lose people. Besides, the article reiterates many times that passwords should be unique on all sites, so if that person still starts throwing the same strings-of-words password at other sites then they do not know how to read. The whole article is about unique passwords more than it’s about hard to guess passwords.

I agree, and I would feel better about that sentiment had there not been a post in this forum just this morning, directly referencing the blog post, asking what to do about the fact that they use the password on other sites.

People are inherently lazy. From a security perspective, I work from the (realistic) assumption that people are going to use that password elsewhere. Given that, I’d rather not leave them with a false sense of security.

That’s all. I’m just trying to make plain the fact that what works in this specific instance is not secure in general, and it’s the general case that got us in this mess in the first place.

Posted by: Dead Parrot.1973

Another factor is the ability of folks to correctly type the password. I would guess the average person has a really poor chance of correctly typing MA4n4%$&7854kkn4q32kl2$(24cb into a blind password field. They will have a better chance with #blindhorsestompskittens! but many will still miss it a lot. Too high a frustration level and they will use an easy to type (and guess) phrase or just give up.

Posted by: mcl.9240

Another factor is the ability of folks to correctly type the password. I would guess the average person has a really poor chance of correctly typing MA4n4%$&7854kkn4q32kl2$(24cb into a blind password field. They will have a better chance with #blindhorsestompskittens! but many will still miss it a lot. Too high a frustration level and they will use an easy to type (and guess) phrase or just give up.

That’s why programs like LastPass and 1Password exist. You can simply cut and paste. Also defeats keyloggers, for those who worry about them.

Posted by: purrycat.9034

Cutting & pasting doesn’t always defeat keyloggers. Plenty of them can capture data from the clipboard, so it’s not completely safe to just cut & paste unfortunately.

Posted by: Juutas.7320

I use Kaspersky Internet Security 2013 http://www.kaspersky.com/
And I found a keylogger on my computer; it tried to take my GW2 password from me, but Kaspersky noticed it and deleted it instantly. Then I used the Kaspersky Virtual Keyboard to change my password so no logger etc. could take it from my keyboard presses. Then I used “remember the password” so it is secure all the time. I have trusted Kaspersky since 2006. I know it is expensive security, but it has always helped me greatly. So what do we learn from this? Don’t go to torrent sites. Use only original programs and pay for them. Then you stay secure and life is much easier.

Don’t worry, be Jormag! -Sons of Svanir Fan Club

Posted by: skysong.9053

I’m not fully convinced that the whole problem is to do with passwords. My son’s account was hacked (restored now). His account was taken because the email address on his account was changed. He didn’t change it and there was absolutely no communication from Arenanet prior to an email that arrived and said “A request to change your email address has been made – hopefully you! – …” That was it. He tried to log onto his account and couldn’t, presumably because someone was able to change the email address of his account without warning. How? Think about it. If a hacker is able to change the address associated with an account just like that the password is pretty useless as the next step is to reset the password to whatever they like and they can authenticate etc etc… Clearly there is something somewhere that is very wrong with the way security has been implemented in GW2 and Arenanet are not being entirely up front about this for the obvious reasons.

Posted by: Crise.9401

In your case the only feasible explanation is that the hacker got access to your son’s account and proceeded to change password and email from there.

The first thing to check is, was your son using the same password for the email account associated with the game account as he was for GW2 itself? That or the hacker was able to analytically generate the link that authorizes the email change (which I find unlikely).

Posted by: skysong.9053

I’m not the only one to see this happen.

His email is a different pw to the game.

I don’t know how it was done. But it clearly was done, and others have posted that this is how they knew that their account got hacked, because they received emails saying the email address associated with their account had been changed. The point is this: the security of the associated email address should be improved so that even if a hacker somehow logs into an account they can’t change the email address without 2-step authentication (txt a one time pass code to the account owner’s mobile), as being able to change the email address completely undermines the so called 2-step logon authentication… correct me if I’m wrong?

Posted by: Crise.9401

The point is this: the security of the associated email address should be improved so that even if a hacker somehow logs into an account they can’t change the email address without 2-step authentication (text a one-time passcode to the account owner’s mobile), as being able to change the email address completely undermines the so-called 2-step logon authentication… correct me if I’m wrong?

Yeah, I am with you on this one; somehow I assumed they already require email-based confirmation (from the old email) on email changes, but apparently that is not the case, and they think that their email authentication is enough to stop someone from even getting that far, and only require verification on the new email.

Posted by: harvard comma.5197

I’m not going to address security of English words vs symbols – I don’t have the programming savvy to feel comfortable doing so. However, I am a linguist and can point out that “four words that appear in an English dictionary” and “four words that a native English speaker feels comfortable using and remembering” are NOT the same thing. Some non-dictionary terms even come with symbols that are easy to remember as “attachments.” Consider a password such as (apologies for some borrowing) batterycorrectbangstaple – 4 words that can theoretically be found in an English dictionary – turned into batteryecorrectbiff!staple. The password is just as easy for a certain English speaker (in this case, probably a comics reader) to remember, but outside of the capacity of a simple dictionary attack.

Whether that is actually safer than four regular dictionary words, I will have to bow to others’ knowledge of the situation.

Posted by: Kingslayer.1784

Honestly the easiest solution to this whole thing is to allow users the ability to purchase a simple authenticator; this would mean their dictionary based password doesn’t matter much. It wouldn’t take much code to add the second phase to the login process as we have done this at work. This would make the account much more secure than creating larger passwords and requiring passwords to change on some frequency of lunar rotations.

I know I would feel much better having an authenticator on my account as a second level of security.

Posted by: Crise.9401

Whether that is actually safer than four regular dictionary words, I will have to bow to others’ knowledge of the situation.

An exclamation mark (or any common punctuation symbol) is not the best kind of symbol to add. If you want to add a symbol for security then it should be something like µ, û, ü, ä, ö, å, ™ or pretty much anything that is not commonly part of the language itself (i.e. not found so simply/universally on the QWERTY keyboard), because people tend to avoid these kinds of symbols in their passwords, so any tools will not check for ‘words’ containing them first… or at all, simply to save time.

Alternatively, using things like obsolete words, or old fashioned words would help to a degree, or use words like “gladium” (of course that is a bad example, because they could predict that someone may use that word as a part of their password for gw2).

Earlier posts in this topic cover several aspects of symbols, or the lack of them, in relation to passwords, and a lot of it goes way beyond what ArenaNet is trying to remedy with their article.

Honestly the easiest solution to this whole thing is to allow users the ability to purchase a simple authenticator; this would mean their dictionary based password doesn’t matter much. It wouldn’t take much code to add the second phase to the login process as we have done this at work. This would make the account much more secure than creating larger passwords and requiring passwords to change on some frequency of lunar rotations.

I know I would feel much better having an authenticator on my account as a second level of security.

The problem with an authenticator, especially a physical one that comes with an added cost, is that you cannot enforce the use of it unless it is provided with and included in the price of the original purchase. Even one like Google Auth has this problem, since not everyone has a smartphone (yeah, Gmail has the SMS thing, I know, but that is not the point).

Just as ANet has most likely not been able to get 100% of their users to use the email authentication system, you simply can’t enforce on everyone an added level of security that complicates users’ login or has other requirements. So the possibility of two-tier authentication does not make strong passwords any less relevant in the bigger picture.

(edited by Crise.9401)

Posted by: Kingslayer.1784

Actually, it does make strong passwords less relevant as it’s not the only point of failure.

I am fine with an optional solution not a required one. Also, I am willing to pay a small fee for an authenticator even if others are not. I do have a smart phone and a free app could be released for that which would also work.

You can do it with World of Warcraft already. I played the game for several years with my wife’s name as my password and an authenticator linked to my account. I never got hacked and never was worried I would.

Posted by: Crise.9401

Actually, it does make strong passwords less relevant as it’s not the only point of failure.

It does make a strong password less relevant for you, but that does not mean they should not still encourage users to use strong(er) passwords, because not everyone will be in the same situation as you.

Personally I would use an authenticator in a heartbeat, but when I have the option to use the one they are working on, I won’t be changing my password to “qwerty” just because I have an authenticator.

Posted by: Kingslayer.1784

If you want the most secure password you would use the maximum allowed number of characters in a very random order, using techniques from this site: https://www.grc.com/passwords.htm

I prefer something that is easy to remember with an authenticator as it is even more secure.

Posted by: Crise.9401

I prefer something that is easy to remember with an authenticator as it is even more secure.

And if they ever needed to take the authenticator offline for one reason or another, you would be a prime target for someone to get to during that time.

Two-tier authentication is two-tier for two reasons: not everybody uses it, and secondly because if one of those fails the second will prevent intrusion.

Your link btw is totally useless; passwords are intended to be memorized, not written down or stored in a browser, and most people will not memorize even one password of that kind, let alone multiple.

(edited by Crise.9401)

Posted by: Vanth.5304

Mcl is spot on. And people, do remember that stringing words together and substituting letters is not secure either.

But forcing a single account won’t take many attempts, maybe just a known password and several variants before moving on; pinging a single account won’t get you far, as I would assume ANet will throttle such attempts. As mentioned before, this kind of attack can only really be done at a local level. Thus most attacks on games like this are from first/second/third attempts before getting a hit.

My password and email address are unique to GW2; if they somehow got compromised then the problem is with me/a virus etc. Also I wouldn’t care, as I know ANet can just roll back the changes. This isn’t a bank where someone can just transfer all my savings out and screw me over.

On the other hand I would care if the GW2 database got dumped as I would likely lose personally identifiable data along with it, so I would hope and assume email addresses, addresses, credit card numbers and the like remain securely encrypted/hashed as required.

Because such a leak isn’t an if; in this day and age it’s a when. Just think of the value a list of all GW2 account email addresses would have to gold spammers, MMO advertisers etc.
Actually I haven’t read the privacy policy (not in memorable detail, if I did sign it..) but maybe ANet already have permission to sell that list.

(edited by Vanth.5304)

Posted by: Kingslayer.1784

And if they ever needed to take the authenticator offline for one reason or another, you would be prime target for someone to get to during that time.

The two tier authentication is two tier for two reasons, not everybody uses it and secondly because if one of those fails the second will prevent intrusion.

Since we do use this at work, I can say we have never had a failure in the second tier resulting in having to only use password authentication. So I don’t buy into your argument.

Your link btw is totally useless, passwords are intended to be memorized not written down or stored in a browser, most people will not memorize even one password of that length let alone multiple.

This is not accurate; we are discussing passwords that are the safest to use. If you use a different password for every site you log into, and they are not variations of a primary password, after a while you won’t remember all of them.

So you will need a password program to remember them, and then these passwords do make sense. Here is an example of this type of program: http://keepass.info/

Also, storing your password in a browser is the worst thing you could ever do.

Posted by: harvard comma.5197

Exclamation mark (or any common punctuation symbol) is not the best kind of symbol to add.

That wasn’t really the point of my post, but thank you for adding this to the overall input. I was simply considering symbol types that might be easily associated with a particular word in a four-word password, and therefore as easily remembered as the other words themselves. I doubt it can hurt to add these types of symbols, even if one shouldn’t count on them as a first line of defense. My main point, which we seem to be in agreement upon, is that obsolete, user-created, or “slang” terminology may slide past a hacking program that is scanning the English dictionary, while remaining far more easily-memorized by an individual user than the random collection of numbers, letters, and symbols that most sites recommend as a “strong” password.
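To put numbers on the question running through the thread, whether four dictionary words, four words with “attachment” symbols, or a random string gives an attacker more work, here is an added example that is not from any poster. It estimates guessing entropy under the attacker model the posts describe (a tool that enumerates a wordlist, optionally with mutation rules); the wordlist sizes and the number of attachment variants are constructed, illustrative values, not measurements.

```python
import math

# Constructed, illustrative parameters (not measurements): an attacker who
# knows the password *style* and enumerates that whole space.
COMMON_WORDS = 8_192        # small wordlist of everyday words (2**13)
LARGE_WORDS = 170_000       # roughly a full dictionary, obsolete/slang terms included
PRINTABLE_ASCII = 95        # alphabet for random-character passwords


def log2(x: float) -> float:
    return math.log(x, 2)


def passphrase_bits(words: int, wordlist: int, variants_per_word: int = 1) -> float:
    """Guessing entropy of `words` independent picks from `wordlist`, where the
    attacker also tries each word in `variants_per_word` mutated forms (a symbol
    or letter attached to it). variants_per_word=1 means plain dictionary words."""
    return words * log2(wordlist * variants_per_word)


def random_bits(length: int, alphabet: int) -> float:
    """Guessing entropy of a uniformly random string of `length` symbols."""
    return length * log2(alphabet)


def expected_guesses(bits: float) -> float:
    """Average guesses needed to hit a password of the given entropy: half the keyspace."""
    return 2 ** bits / 2


def compare() -> dict:
    """The scenarios debated in the thread, as bits of guessing entropy."""
    return {
        # four plain words from a small list: the attacker's easiest case
        "4 common words": passphrase_bits(4, COMMON_WORDS),
        # same words, but the attacker's rules must also try 32 attachment
        # variants per word; the whole gain is 4 * log2(32) = 20 bits
        "4 common words + 32 attachments each": passphrase_bits(4, COMMON_WORDS, 32),
        # four words from a full dictionary: a larger list beats symbol rules
        # only if the attacker's wordlist does not already cover those words
        "4 words, full dictionary": passphrase_bits(4, LARGE_WORDS),
        # random printable ASCII at lengths people can realistically type
        "8 random chars": random_bits(8, PRINTABLE_ASCII),
        "12 random chars": random_bits(12, PRINTABLE_ASCII),
    }
```

The attachments help exactly as long as they stay outside the attacker's rule set; once a rule models them, each one adds only log2(variants) bits per word, which is why a longer or less predictable word choice gains more than a punctuation mark.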

Posted by: Crise.9401

Since we do use this at work, I can say we have never had a failure in the second tier resulting in having to only use password authentication. So I don’t buy into your argument.

No offense, but considering ANet’s track record with things like the trading post or account security features, I am very much willing to buy into my own argument, even though I won’t necessarily think of it as a likely scenario.

This is not accurate; we are discussing passwords that are the safest to use. If you use a different password for every site you log into, and they are not variations of a primary password, after a while you won’t remember all of them.

The thing is, I and most users will not care about every site we log into or register on as much as we do about others. I do have several throwaway passwords myself, but for everything that matters I do have unique memorized ones (and if I have a problem remembering, I will simply reset those passwords and create new ones).

So you will need a password program to remember them, and then these passwords do make sense. Here is an example of this type of program: http://keepass.info/

Yes, and such programs are known, and thus their storage and operating mechanics are a constant target; even very high-level encryption can be broken, it is a constant race.. and people won’t stop trying even if it seems theoretically impossible or impractical, just as people have been trying to crack the human genetic code for ages.

Persistent password storage is not a solution; for example… a program that turns a humanly memorizable password into a strong password on input is much better (which is of course only as good as the algorithms it uses).
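The “turn a memorable password into a strong one on input” idea in the post above, as an added example that is not any poster's or any product's code: a master password and a site label are fed through PBKDF2 and expanded into a site-unique password, so nothing has to be stored. The alphabet, lengths, iteration count and the HMAC expansion step are this example's own choices; as the post says, the result is only as strong as the master password and the derivation function, and a compromised master exposes every derived password.

```python
import hashlib
import hmac
import string

# Output alphabet: letters, digits and a few widely accepted symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Derive a site-unique password from a memorable master password.

    Same inputs always give the same output, so nothing is stored; `counter`
    lets one site's password be rotated without changing the master."""
    # Site label plus counter is the salt, so every site gets unrelated output.
    # PBKDF2's iteration count slows down offline guessing of the master if a
    # derived password ever leaks.
    salt = f"{site.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # Expand the key with HMAC as a PRF so long passwords never run out of
    # bytes; rejection sampling keeps every alphabet character equally likely
    # (a plain modulo would bias the first few characters of the alphabet).
    limit = 256 - (256 % len(ALPHABET))
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo inputs, not real credentials.
    print(derive_site_password("correct horse battery staple", "example.com"))
```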