Guild Wars 2

This has bothered me for a long time, and I’ve mentioned it to many, many people in positions of high authority at software development only to be ignored. Why are we trying to create and remember horribly long, complex passwords that, with today’s technology, are really meaningless?

I write this now after I read the recently posted article on Account Security by Michael O’Brien. Why have a single password? Why not a passphrase? It is incredibly easy to memorize a random series of four, simple words, and that will be a much more effective password than an 18-character long, archaic password, no matter how many letters you switch to numerals. Honestly, this has bothered me for a long time. The strength of a passphrase, even one using simple common words, would be much greater than any current hacking software could reasonable break or solve. It would be a simple, easy fix and protect your gaming population. Also, it would be innovative and trend-setting (I hope).

Just a suggestion, but I see no reason why this would not want to be done. Thank you for your time. :-)

Because modern keyloggers can still get that text.

Gold sellers dont use “hacking software”. They simply use a keylogger which relays all info back to the host computer and inputs it into a database.

That database will probably have: Account name, Password, email. There can be multiple entries for password, email etc.

With your idea, they would simply have to add another field that says “random phrase”. When you click on the launcher, the keylogger activates and records everything entered into the login window. Even if you start hitting delete, to try and confuse it, it will simply record your keystrokes and give them to the gold seller.

The only reasonable ways to thwart an account compromisers attempts is to invest in better user system security, and have an authenticator.

Take wow for example. People though an authenticator made tehm immune to compromises, yet still blamed Blizzard when their credit cards and bank accounts were being fraudulently used. This was due to the keyloggers being set to record financial details as well as game details.

Keyloggers are incredibly easy to eliminate and bypass. Also, your theory of adding an extra field ignores the degrees of entropy a passphrase would have over a password. Having four separate fields, with four, random, simple words would defeat any brute force decrypting software for the next two decades, if not beyond…at least until quantum computers are available. Additionally, as the passphrase would be made of easily memorizable, simple words, it could easily be unique, even self-referencing, thus eliminating the possibility of password cross-pollination, so to speak.

Authenticators are nice, but ultimately unnecessary, wasteful and only serve to hamper easy access. They can be lost, or buggy. Apps are unable to be transferred to new devices sometimes. I appreciate having a Devil’s advocate, but “random phrase” ignores the depth of a passphrases strength. :-)

You overlook one thing. Nobody compromises video game accounts using a brute force algorithm.

They ALL use keyloggers which record anything at all that is entered into the game client or launcher.

My bank for instance uses 2 passphrases, and asks you for 3 random letters out of both in order to access your account. Even at the physical branch.

They’ve acknowledged recently that passphrases are not secure enough that they are issuing every account holder of a standard account and above with a handheld device. To access your account, you need the physical debit card, slot it into the device, and enter the number generated from it into the online window.

This is simply another form of token keyfob, and another reason why most companies dont use passphrases any more.

While I concede that keyloggers are the typical method of acquiring passwords, I still argue that they are easily defeatable/removed/bypassed and that password strength is still the end goal which we strive to achieve. The two- or more factor account authentication is an unimaginative, wasteful and hasty fix to the problem, and that it not only takes the power of privacy out of the user’s hands, it too readily becomes a nuisance and a hindrance to accessibility, and will soon be circumvented by the “clever hacker”.

The example of your bank leads me to think that the system was overly-complex, poorly implemented, and not easy grasped by their clientele, and it was not a factor of security. Hence, they went the easy route and simple added an additional, electronic factor for account access. I feel that rather than dumb down the user and distribute electronic toys that get lost or broken, we make the password system more amenable to the human thought processes and less amenable to brute-force cracking algorithms by using passphrases. Two birds, meet one stone. :-) Of course, you will still have keyloggers, and that will always be a threat, though a minimal one in my opinion. Then again, accounts will always be compromised in one fashion or another. It is my belief that a proper implementation of a passphrase system will much reduce these instances of account hacking…and vigilance against keloggers and other malware will only get better. How could this be a bad thing?

MikeLewis.7496:

The reality is that attackers are not using brute-force methods to obtain credentials. They already know the credentials, because they have them from other leaks and breaches from around the internet.

Can you explain this a little bit more? Are you saying people got keylogged on Mustang forums and a hacker is thinking, “Maybe he plays GW2”, and tries the username/pw?

Drakken.3427:

MikeLewis.7496:

The reality is that attackers are not using brute-force methods to obtain credentials. They already know the credentials, because they have them from other leaks and breaches from around the internet.

Can you explain this a little bit more? Are you saying people got keylogged on Mustang forums and a hacker is thinking, “Maybe he plays GW2”, and tries the username/pw?

They would be from related sites. For example, as embarrassing as this is, I almost had my account hacked for GW2 . In a complete lapse of judgement I used the same email and password for gw2guilds.org as I have for GW2. Because of that, I had someone try to sign into my GW2 account from China.Thankfully I had my email authorized so I got the email warning from ANet.

MikeLewis.7496:

Usually it goes something like this:

- Joe Example signs up for SketchyWebsite.com and uses his “standard” password
– SketchyWebsite gets hacked or otherwise leaks their password data
– Hackers take this and recover Joe’s “standard” password
– They then may sell this data to any number of additional parties
– Someone decides to attack GW2, and acquires a large number of stolen account passwords
– They then proceed to use every single one of them to see if any line up with a valid account

The thing to realize is that there is a very active black market for stolen account information. The original leak may have nothing to do with video games at all; but the accounts are valuable, and the data can change hands any number of times before it finds its way to someone who wants to specifically hit GW2 (or any other online service).

Simple fix: Don’t let them try more than X amount of logins within Y amount of time from 1 IP

I read through the article and saw where a two-factor authentication may come into play, while I like this idea I don’t know about the whole Google thing as my Gmail acct was getting flagged as having people trying to log in to it to use for spam mailing. This leads me to question just how safe google authentication really is, anyone have any ideas or opinions on this?

Hi Mike,
I’m sure this outrageous hacking has all been a frustrating experience for your side of the fence as well as the users that got hacked, and I’d like to make a suggestion.

No pointing fingers, this is strictly in the interest of better security, every time I make this suggestion the thread gets deleted (not locked out right deleted )

I really feel there is a flaw in using a person’s email as there account name, my email is the one gateway to my online presence I make (many make) public, and often is not encrypted in web site data bases.

So once I have a hacked data base from a game forum or Sony or Blizzard, all I have to do is get my own GW2 account and start changing my email address over and over again checking each one of the emails on my list until I get a hit telling me that the email is already in use.

Now I have a confirmed GW2 user name because I know it’s the same as the persons email address, half my work is done. Now if I’m a good hacker I have data bases from multiple sources and I have several passwords commonly used and associated with this email address now I just have to try them one by one until I get in.

So why not help users protect themselves by making sure there account can not be associated with any other game, fan site, or account they may have signed up to in the past.

When a user creates an account let them pick a user name as an example “Gw2Logun” now just like you did for the forum names randomly generate the rest for them as an example “Rv42” so now my User Name is Gw2Logun.Rv42.

Since the User Name “Gw2Logun.Rv42” never existed until “right now” it renders any data a hacker may have from other sources useless because neither the email nor the password from any of their lists can be associated to this new account name. You can still ask the user to authenticate the account with a valid email address but this does not associate the account name to previously used passwords unless ArenaNet themselves get hacked.

This would effectively reduce these attacks using stolen hack data to be as ineffective as brute force attack.

That’s a good idea, however I have seen cases where people with innapproriate names are suddenly changed to something random. You would never be able to login again cause you’d have no idea what your name was.

Also, Mike. Are you guys permanently black listing those IPs as you see them or waiting til they try all their passwords to add to your new password blacklist? I think taking out their botnets would be more effective than building a library of passwords that I hope to god you arent saving in plain text or that any of your employees can ever read

Renegadeimp.8439:

You overlook one thing. Nobody compromises video game accounts using a brute force algorithm.

They ALL use keyloggers which record anything at all that is entered into the game client or launcher.

snip

Just want to point out this isn’t entirely accurate, they do brute force still its just that better passwords stop it most of the time. My husbands WoW account was brute forced this was a cpl yrs ago because he used a ridiculously easy password. Luckily for him insomnia was alive and well for me and I changed his password fast and I dont think he lost anything but gold on one character which Blizzard fixed upon account rollback.

Masterpyro.4310:

I think taking out their botnets would be more effective than building a library of passwords that I hope to god you arent saving in plain text or that any of your employees can ever read

I’m sure it’s heavily protected, but even if it was posted on the front page of Google, what does it matter? It’s a list of passwords, not password-username combinations. It would be no more useful than a dictionary.

Masterpyro.4310:

That’s a good idea, however I have seen cases where people with innapproriate names are suddenly changed to something random. You would never be able to login again cause you’d have no idea what your name was.

Also, Mike. Are you guys permanently black listing those IPs as you see them or waiting til they try all their passwords to add to your new password blacklist? I think taking out their botnets would be more effective than building a library of passwords that I hope to god you arent saving in plain text or that any of your employees can ever read

I’m not suggesting your displayed forum name become your account name only the method for creating a unique forum name should be adopted for ensuring the user also creates a never before used account name.

@Logun: +1, our login should be our Account Name (What is their purpose otherwise?), not our mail address.
Edit: well actally it should be our Account Name… if it was not advertised to every one like on this forum. Or at least the 4 random number should be hidden on the forum.

@VooDooU: I highly doubt your husband password was “brute forced”. Much more likely it was a dictionnary attack: trying a list of “common” and other easy passwords, like 123456, password01, qwerty, including variations etc…

A pure brute force attack is way too slow. Suppose a trial takes 1 second, trying all combinations of numbers only from 0 to 999999 would take 11 days. And I didn’t included letters. A brute force attack is only viable on a local authentication, where you can perform thousands or millions of trials per seconds. With a remote authentication the latency before obtaining the result basically kills this technique.

Masterpyro.4310:

Also, Mike. Are you guys permanently black listing those IPs as you see them or waiting til they try all their passwords to add to your new password blacklist? I think taking out their botnets would be more effective than building a library of passwords that I hope to god you arent saving in plain text or that any of your employees can ever read

Infinite IP’s pretty much means infinite (though not literally) IP’s, one day it is an slave node for gold sellers or account hackers, the next it is someone completely unrelated.

IP’s are not infinite quite limited in fact, compared to the number of devices capable of connecting to the internet, which directly means that IP’s are anything but unique (right now, IP’s are kinda like the oil of internet. IPv6, call it the biofuel, is coming but it is ways away from replacing the predecessor completely). So right now the IP’s change a lot, depending on the particular network setup of the ISP.

If they block public facing IP’s they often risk blocking more than they want to. Besides there are myriad of ways to hide the IP’s that matter. The botnets you mention is one of those, you can’t track the person who commandeers a botnet that easily, and a well established botnet is like bacteria, you can fight it but it is not easy to wipe completely.

Though, in case of gold sellers (if we go by the stereotypical image, which is not smart) regional block on China could be a strong deterrent, but that is the nuclear option and hurts lot of potential future customers. Point being, generally every time you make a security related decision the first thing to consider is the benefit vs the cost to a legit user. Blacklist is a cost effective solution because it has hardly any impact on regular user after they choose their unique password, while hard IP blocking could have so it is probably not something they do very lightly, because that list of blocked IP’s would keep on inflating (at the very least if they do it, these blocks probably expire over time).

As for password storage, all things considered storing passwords in plain text is a fossil, there should be no compelling reasons for anyone to do so. For one using one way algorithm to store a ‘checksum’ of the actual password not only makes it harder to salvage data, in case of breaches, but also normalizes storage since each checksum has the same properties (f.ex. length) with each other.

Regarding brute forcing, is practical in a situation where a hacker has a database with password checksums and can identify the algorithm used (f.ex. hacked forum database of a popular forum software such as IPB for example), because it can be done in a local environment.

I think a lot of the problem is the use of email addresses as logins. All the hackers have to do is spam the top 10 email providers with a phishing email crafted to look like a GW2 authentication email request. Anet has already trained GW2 users to click on this link in the email. Once someone clicks on the link, the hackers have an email address that has a high probability of being a valid GW2 account name. (there would be some false positives, some folks will click on anything). Now all they have to do is what the blog posting said, try a set of common passwords. Years ago, a security study found that in a sufficiently large organization(~1000 IIRC), someone would have the password NCC1701. If the hackers get a large list of likely GW2 accounts, they only have to try a few passwords per account in order to successfully crack several. After all, they don’t care WHICH accounts they hack.

The login name should be something other than email address and also something that is NOT shown either in game or on the forums. This would minimize the chance that a breach of a 3rd party site would produce valid GW2 account names.

They could also do what they did in GW1 and force the use of one of the in game character names as an additional verification check.

The smartphone authenticator thing is fine for those that have smartphones but not everyone wants the monthly expense.

Renegadeimp.8439:

You overlook one thing. Nobody compromises video game accounts using a brute force algorithm.

They ALL use keyloggers which record anything at all that is entered into the game client or launcher.

I’m lazy. I don’t want to do any more work than I have to do. If I was going to look for login credentials to try at various sites, including gaming sites, I’d do one or 2 google searches, at most, and get myself lists of emails and passwords that both work at the site from which they were obtained and also at other sites. If someone else has gone to the effort of hacking into an account database and posting login credentials in plaintext files online, there’s no reason for me to try either brute force attacks (not practical for an online service) or keyloggers. Security programs will pick up most keyloggers, and even if I managed to get some installed, the chances that I’d get mmo account data is probably not that great. Besides, if I was going to try to use keyloggers, I’d be going for bigger data such as banking credentials.

Just to clarify, I’m NOT the kind of person who would try to get and use someone else’s credentials. Never have, never would. But I have seen many many many lists of login IDs and passwords posted online for various online services. They’re rather easy to get, and with people so reluctant to use different passwords, there isn’t much need for brute force attacks or keyloggers any more, at least not as much as there used to be.

Just my 2 cents.

You just have to go on pastebin to see that email→password associations are circulating, sometimes even with no money involved (twitter, facebook, etc.).

As Mike stated, if you use a unique password for your GW2 account you are basically safe. Even so if someone hacks your account no lasting damage can be done and ANet can fix you up.

The concern people should be having is much the other way around. Should your credentials be taken from the ANet servers and successfully used elsewhere, you could be in deep trouble. Again using a unique password protects you from this but hopefully ALL identifiable information is strongly encrypted/hashed and salted as required so no user identifiable information can be extracted from a database dump.

I’m talking email addresses, date of births, addresses, credit card numbers and obviously passwords. There is more value in the non-password data than people think – and it will go walkies; only takes a misgruntled admin or virus worm and it’s out in the wild.

Edit: for example should bill.gates@microsoft.com exist in a dump, I somehow doubt this will be the last credit card/password/expiry date they try to force.

Can we have an authenticator service then?

dotMCL.2165:

Can we have an authenticator service then?

You can and you will, if you read the recent article, they are working on one.

You could use SSH to authenticate with guild wars 2 login server and people would still find a way to get hacked.
Most people would find it too hard to generate a keypair, and would not do so if it’s not mandatory.
Some people are lazy and wouldn’t do it because of that
Some are just not that intelligent.

MikeLewis.7496:

We of course have such limitations in place. The difficulty with that is that hackers have access to a virtually unlimited supply of new IPs to try from.

I dont know if this has been mentioned.
But why not add a “Coin Lock” system like Rift did.

It works like this.

When you log into your account it will be locked.
With locked I mean that the only thing you can do is kill mobs and collect loot.
You cannot sell, delete or mail items in any way as long as the account is locked.
You cannot delete characters either when the account is locked.

In order to unlock your account, you have to enter a password which has been sent to the mail address that are registered to the account.
When you do that, the location(IP) that you are logging in from will be Whitelisted and you will not have to unlock it again unless you or someone else tries to access it from a different location(IP)

If you or anyone else tries to log in to your account from a different location, the account will immediately locked, and the “Hacker” cannot do anything harmful.

When rift added this system it seemed to be very effective, the number of compromised account was significantly reduced.

@Dragonlord

They already have email authentication… which when someone logs into your account from new IP sends an email with a link you have to use to authorize that log in attempt before it is completed.

In GW1 we had to type our account name + password + character name.

Wouldn’t it be viable for gw2 too (the character name field, unless the account has no characters created)

Well here’s another thought. Since most players log in from the same ISP 90% + of the time, can we atleast get some sort of ISP lock option? For instance I only want to be able to log in from this exact station + internet provider + country code. If I would want to change all this, simply allow me to log on the website and input my CD-Key in order to add a location.