Showing Posts For Narholt.9023:

Forced password change [merged]

in Account & Technical Support

Posted by: Narholt.9023

Okay, everyone. It seems that my post started a little storm that I didn’t really want.
But he who seeds wind shall harvest storm, isn’t it?

@ShiningSquirrel
I have to admit, I made a lot of assumptions. The first was that they use MD5, which is the most used encrypting method (no data here, correct me if I’m wrong). I know it’s old etc., but it is still in use.
As you claim to be a security specialist, I won’t argue with you at all. I’m not a security specialist, therefore I’ve got no knowledge to start a proper constructive discussion with you. I’d probably just make a fool of myself.
My general thought was that passwords are encrypted so that even the database owner cannot get to know the actual password. If so, there is no possibility to compare and find similar passwords. They would have to be stored as plain text, which would be pretty insecure, and I wouldn’t feel fine knowing that the database admin (or any third party who sees it) can see my password.
The password change system seems to work pretty randomly. At last the 4th variation of my password got accepted, so I’ve no idea how the system works.

I’m just curious now. What is another way of storing passwords than:
- plain text (insecure)
- hashed (pretty secure)

@Iruwen
Sure, I meant rainbow tables, not labels, my fault.

@ShiningSquirrel @Iruwen
I’d like to thank you both for constructive posts and not just raging at me.

@Gaile Gray
Thank you for your reply. I may seem to be looking for an affair where there is none, but I just wanted to know, and it seemed odd that a similar password got rejected by the system, so I felt like asking a question. There was no offence there; thank you for taking your time and being interested in this case.

Digital Art student
Deviantart page: narholt.deviantart.com

Forced password change [merged]

in Account & Technical Support

Posted by: Narholt.9023

@Michael
I understood the part about blocking passwords harvested from other sites. I also know what ANet is aiming for. When I talked about “being hacked” I meant every website or game I’m in. I have never had any problems concerning my accounts’ security. So I can’t assume my password has been stolen.

My point is how they can blacklist my slightly changed old password while they SHOULDN’T have access to my old password in readable form (just hashed). Therefore they can’t ban its variations.
An MD5 hash code doesn’t indicate what changed when you compare two passwords. It isn’t generated linearly. Let me give you some examples.

md5(“password1”) = “7c6a180b36896a0a8c02787eeafb0e4c”
md5(“password2”) = “6cb75f652a9b52798eb6cf2201057c73”

You can’t say these passwords are similar. Wait! You can’t even check how long they are, as a hash always has 32 chars (it’s 32 bit coding). Now, I ask ANet how they managed to do the impossible, assuming they really hash our passwords. If they don’t, it would be... a huge affair.

Digital Art student
Deviantart page: narholt.deviantart.com
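An added example (not part of the thread and not ArenaNet's code) of one way a similarity check can coexist with hash-only storage: at change time the server is handed the new password in plaintext, so it can hash that candidate's one-character variants and compare each against the stored digest of the old password. Assumptions: salted PBKDF2 stands in for whatever hash the real system uses, and the names `hash_password`, `near_variants` and `too_similar` are hypothetical.

```python
import hashlib
import hmac
import string

# Assumption: characters tried when substituting or appending one character.
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 1_000  # demo value so the example runs quickly; real systems use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash. Only (salt, digest) is stored, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def near_variants(candidate: str):
    """Yield strings one deletion, substitution or appended character away."""
    for i, original in enumerate(candidate):
        yield candidate[:i] + candidate[i + 1:]
        for ch in ALPHABET:
            if ch != original:
                yield candidate[:i] + ch + candidate[i + 1:]
    for ch in ALPHABET:
        yield candidate + ch


def too_similar(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """True if the candidate, or a one-character variant, hashes to the old digest."""
    for guess in (candidate, *near_variants(candidate)):
        if hmac.compare_digest(hash_password(guess, salt), stored_digest):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-demo-salt"                # constructed sample value
    old_digest = hash_password("password1", salt)  # what the database holds
    for new in ("password2", "password", "password12", "blue-Kettle-47"):
        print(new, "rejected" if too_similar(new, salt, old_digest) else "accepted")
```

The check never recovers the old password from its digest; it only learns whether one specific guess derived from the submitted candidate matches.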

Forced password change [merged]

in Account & Technical Support

Posted by: Narholt.9023

Hey!
I wonder how exactly you made your blacklist, as it’s not completely clear to me.
Passwords are supposed to be coded in MD5 so you cannot see the actual password. Due to this fact, the only thing you can do is forbid changing the password to one that, converted to an MD5 hash, already exists in your database. Here comes my question.
How can the system recognise me changing only one letter if you can’t see the true password? You can’t check via the MD5 hash how much it changed, because it doesn’t work this way, and it’s supposed to be impossible to unhash it (you can do it, however, using rainbow labels (not sure if it’s named the same in English)). I highly doubt my password was hacker-known, maybe because I’ve never ever been hacked and after changing that thing it’d be a password I’ve never ever used?
The only thing I can come up with is that passwords aren’t really hashed, but... guys. I don’t believe you’d do something that stupid.

PS. I’ve changed my password though; now I cannot log in to my account using either the password your system accepted or the password that got rejected.

Digital Art student
Deviantart page: narholt.deviantart.com

(edited by Narholt.9023)