
GW2 Account Security

Rhia Aryx
I'm sure that many of you know these already, but with the influx of hacking issues and Gaile Grey's post stating that they do not have the capacity at this time to roll back or restore accounts (https://forum-en.guildwars2.com/forum/support/account/CHARACTERS-DELETED), I thought I'd post a few security tips that I know of. I'd be interested to hear any others or alternate ways to do these.
  • Don't use the same e-mail address for login as you do for everything else. There're a few ways to accomplish this without having a bunch of different inboxes to check (I'm sure there are more than these two, but they're the ones I thought of for now):
    1. If you use gmail: if your current address is [email protected], any e-mail address of the form [email protected] will be redirected to [email protected]. So what that means is that you can set your gw2 account e-mail address to [email protected]. As normal, e-mails from ArenaNet will appear in your regular inbox (and you can even filter by to:[email protected] if you do stuff with filters).

      The benefit of this is that if someone has your e-mail address from a different site whose security was compromised, etc., they can't log into your Guild Wars account.

      More info on the gmail stuff here: https://support.google.com/mail/bin/answer.py?hl=en&answer=12096
    2. Another option would be to create an e-mail address that is specifically for your guild wars 2 account and have mail from that forward to your regular e-mail (this is also easy to set up in gmail and should be easy to set up with other e-mail addresses as well).

  • Use a distinct password for guild wars 2 (i.e. a password that isn't used for anything else).
Obviously these sorts of things may become less useful over time (such as if they require a character name at log in like they did in GW1), but for any account that's linked to my credit card information I'm super careful. Yes, my credit card company might be able to do something about it. But that's annoying.
Hopefully they get the ability to roll back/restore accounts SOON. -bruceno-
 
If you use gmail: if your current address is [email protected], any e-mail address of the form [email protected] will be redirected to [email protected]. So what that means is that you can set your gw2 account e-mail address to [email protected]. As normal, e-mails from ArenaNet will appear in your regular inbox (and you can even filter by to:[email protected] if you do stuff with filters).
Some good points, I just really hope they get some sort of two-factor auth going soon (phone or keyfob thing), just for my peace of mind.

As for the gmail+something, that's pretty cool, I didn't know you could do that so thanks for sharing! However, if hackers/keyloggers got addresses with the [email protected], they'd probably try something like [email protected] for your GW2 logon, so be sure to use something very unique if you use this for your login. :)
 
Some good points, I just really hope they get some sort of two-factor auth going soon (phone or keyfob thing), just for my peace of mind.

Agreed! Even just character name would be better.

As for the gmail+something, that's pretty cool, I didn't know you could do that so thanks for sharing! However, if hackers/keyloggers got addresses with the [email protected], they'd probably try something like [email protected] for your GW2 logon, so be sure to use something very unique if you use this for your login. :)

Yeah, the more unique you make it the better. For instance, you could use the 4 numbers they append to your account (that'd be a bad option in my case, because my account name is my email address). I think for the moment I'm going to use a variation of +guildwars2 until I think of something better.
 
Test your password to see how long a brute-force hack would take to crack it.

http://howsecureismypassword.net/
Purely numeric/symbolic; it doesn't take into account human stupidity and repetition. "thisismypassword" would be cracked in 345 thousand years according to them... no. Also, I'm paranoid to feed my real password into ANY site that's not even encrypted, so I recommend against testing your "real" passwords there...... :D
 
Microsoft's "how to make strong passwords" is cute.

http://www.microsoft.com/security/online-privacy/passwords-create.aspx

They actually do something bad: the only numbers are at the end of the password and almost all of the words are dictionary words or misspellings of dictionary words.

I would probably do something more like this (starting with Nahku because he was the last post lol)

Nahku Ranger -> NahkuRanger -> Nahku_Ranger -> NahkU_RangeR -> N4hkU_R4n93R

Or mix languages. So I'll grab a random german word ("sprechen" which means speak) and a japanese word ("hanaseru" - I can speak):
sprechen hanaseru -> SpreCheN HanaSerU -> SpreCheN*HanaSerU& -> Spr3Ch3N*H4n4SerU&

Another password making guide that's a bit better: http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/

And another good way (I like this one, but it's more effort) http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
 
Actually, part of the problem right now is ANet's website. Go to their website and put in an invalid e-mail (say an e-mail of yours that you didn't use for GW2). It will tell you that there is not an e-mail associated with that account.

So what the hackers are doing right now is spamming that login on the website to find valid e-mail addresses. Once they have a valid e-mail address, they're trying to log into that e-mail.

So, we have two lines of defense against this:
1) Use a unique e-mail. It can even be forwarded to your regular e-mail, as long as the login is unique.
2) Use a strong, unique password.

Why a unique password? Because hackers might have password lists from other websites. Such as Zappos--they had their db cracked and the crackers may have gotten some passwords (that was a few months ago). That's why I particularly like the last guide I linked: it encourages unique passwords for each website.
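The enumeration described in this post comes from the login handler answering differently for unknown e-mails. The following is an added example (not ArenaNet's code) that shows that leaky shape beside a hardened handler which returns one generic message and does the same hashing work whether or not the e-mail is registered; the user store, the addresses, the passwords and the PBKDF2 iteration count are all constructed.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; the iteration count is a constructed, moderate value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store (e-mail -> (salt, hash)); the address is a placeholder.
_salt = os.urandom(16)
USERS = {"player@example.com": (_salt, hash_password("correct horse", _salt))}

# Fixed dummy credential so an unknown e-mail costs the same work as a wrong
# password: no early return, no timing difference, no different message.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "The e-mail address or password is incorrect."


def login_leaky(email: str, password: str) -> str:
    """Behaviour the post describes: the reply says whether the e-mail exists."""
    if email not in USERS:
        return "There is no account associated with that e-mail address."
    salt, stored = USERS[email]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password."


def login_hardened(email: str, password: str) -> str:
    """Same reply and same hash work for unknown e-mails and wrong passwords."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # The membership check comes after the hash so the work is always done.
    if matched and email in USERS:
        return "OK"
    return GENERIC_FAILURE


def reveals_registered_emails(login) -> bool:
    """True if the handler's failure text differs for unknown vs registered e-mails."""
    unknown = login("nobody@example.com", "wrong-password")
    known = login("player@example.com", "wrong-password")
    return unknown != known
```

The password-reset and registration flows need the same uniform response, and throttling repeated attempts per account is a separate layer not shown here.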
 
According to http://howsecureismypassword.net/ it would take 493 quattuordecillion years to crack one of my passwords, yet someone cracked it a few months back...

As Nahku said, that's not a good test. It says it would take 9 hours to crack "pittsburgh" and 13 thousand years for "californication".

Microsoft's is better simply because it doesn't try to tell you how long it would take to crack. But it says "californication" and "thisismypassword" are strong passwords (all lowercase letters, popular "term", no numbers or symbols...).

I recall a BlackHat video where they cracked a list of passwords. I need to find it...
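To show why a charset-only crack-time calculator overrates dictionary passwords such as "californication" and "thisismypassword", here is an added example (not from anyone in this thread) that scores a password by the cheaper of brute force and a rank-based dictionary attack, after undoing the case, digit-for-letter and separator tricks discussed earlier. The wordlist, the ranks, the hash rate and the mangling multiplier are all constructed assumptions, not measured values.

```python
import math

# Constructed stand-in for a frequency-ranked cracking wordlist (rank ~= guesses to reach it).
WORD_RANK = {"password": 1, "is": 5, "this": 20, "my": 30, "ranger": 300, "nahku": 800,
             "pittsburgh": 2_000, "californication": 5_000, "sprechen": 9_000, "hanaseru": 40_000}
LEET = str.maketrans("43901", "aegol")  # undo common digit-for-letter swaps
GUESSES_PER_SECOND = 1e9  # assumed offline hash rate (constructed figure)
RULE_VARIANTS = 100       # assumed case/leet/separator mangling tries per candidate


def charset_size(pw: str) -> int:
    """Alphabet size a charset-only calculator assumes for pw."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size


def naive_guesses(pw: str) -> int:
    """What a charset-only crack-time tool computes: charset ** length."""
    return charset_size(pw) ** len(pw)


def normalise(pw: str) -> str:
    """Lower-case, undo leet digits and drop separators before word lookup."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalnum())


def split_words(s: str):
    """Return one segmentation of s into wordlist entries, or None."""
    best = {0: []}
    for end in range(1, len(s) + 1):
        for start in range(end):
            if start in best and s[start:end] in WORD_RANK:
                best[end] = best[start] + [s[start:end]]
                break
    return best.get(len(s))


def dictionary_guesses(pw: str):
    """Guesses for a word-based attack, or None if pw is not made of words."""
    words = split_words(normalise(pw))
    return None if words is None else RULE_VARIANTS * math.prod(WORD_RANK[w] for w in words)


def crack_seconds(pw: str) -> float:
    """The attacker picks the cheaper strategy, so report the minimum."""
    d = dictionary_guesses(pw)
    guesses = naive_guesses(pw) if d is None else min(naive_guesses(pw), d)
    return guesses / GUESSES_PER_SECOND
```

The rank-based scoring is the idea behind zxcvbn-style estimators; a real deployment would load a full frequency-ranked wordlist instead of the ten entries above.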
 
I recall a BlackHat video where they cracked a list of passwords. I need to find it...

This might be what I was thinking of: http://contest-2011.korelogic.com/ But that's from DEFCON and I remember there being a video showing how they did it. I'll see if I can find it...

What I did find was this. Which gives an idea of how password cracking is done (note, it's legal because they have permission to crack that password. It is NOT legal to try to crack passwords on, say, ANet's website).
 
Microsoft's "how to make strong passwords" is cute.

http://www.microsoft.com/security/online-privacy/passwords-create.aspx

They actually do something bad: the only numbers are at the end of the password and almost all of the words are dictionary words or misspellings of dictionary words.

I would probably do something more like this (starting with Nahku because he was the last post lol)

Nahku Ranger -> NahkuRanger -> Nahku_Ranger -> NahkU_RangeR -> N4hkU_R4n93R

Or mix languages. So I'll grab a random german word ("sprechen" which means speak) and a japanese word ("hanaseru" - I can speak):
sprechen hanaseru -> SpreCheN HanaSerU -> SpreCheN*HanaSerU& -> Spr3Ch3N*H4n4SerU&

Another password making guide that's a bit better: http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/

And another good way (I like this one, but it's more effort) http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/


I just... I'll just....... You know... ZmokU0x3/24^a1|- (Not an actual Password)

Random letters and numbers.
 
Yeah, but most scammers will be masking/spoofing their IPs, so that process the OP did likely shut down some random innocent person's account. :(
Unfortunately that's probably true. But there's a chance they were using their own account or the random innocent person now knows that their VPN was compromised.
 
We know customers also want a native implementation of two-factor authentication, and we want it too. This is an area where we should act faster as a company, and we’re going to. We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we’re going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks.

we’ll take the safe approach and ask all existing customers to change their passwords, and blacklist everyone’s old password in the process.


https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Check out the rest of the post too, it's very useful. But YAY! We're getting authenticators soon!
 
-brucethumbsup- Another good post by them, I love ArenaNet.

p.s. - whoever buys gold from those botters/farmers should be punched in the face... with a hammer... a big hammer. Hopefully they're tracking all the massive wealth transfers and banning those idiots that propagate the problem by buying gold online thus creating the demand for it.
 
Well when someone is trying to log into your account from a new IP address, AN asks you to confirm that you're the owner by email. And since gmail already has phone authentication (a code gets texted to you when you're trying to log in from another PC) you won't even need an iPhone/BlackBerry/Android phone to log into Guild Wars 2. And it's completely free!
 
Well when someone is trying to log into your account from a new IP address, AN asks you to confirm that you're the owner by email. And since gmail already has phone authentication (a code gets texted to you when you're trying to log in from another PC) you won't even need an iPhone/BlackBerry/Android phone to log into Guild Wars 2. And it's completely free!
But people who get access to an email account that is the same as the person's GW2 login, with the same password shared (I'm willing to wager there are WAY too many people that fall into this category), cut out that part of the auth chain. Not many people have txt authentication on their mail either, most likely. They need some sort of standalone (even google authenticator on a smartphone), IMO, which it looks like they're doing.

I'm not worried about my account too much, since it's pretty much locked down, I just want them to implement more security globally so the gold farmers get starved out of easy gold to steal. It pisses me off when the economy spirals out of control due to gold selling/buying.
 
Not many people have txt authentication on their mail either, most likely. They need some sort of standalone (even google authenticator on a smartphone), IMO, which it looks like they're doing.

That's my take on it as well. Those of us who are paying attention, using gmail, etc aren't going to be as easy to hack. But not everyone uses gmail and not everyone who uses gmail knows that there's an authentication feature (there is one problem with Google: they don't tend to advertise things. That's good and bad!) and not everyone who knows it's there has it enabled.

Having an authenticator app is a great additional security option and even though I use gmail with authentication, I'll use the app as well. But really it's great for everyone who doesn't spend as much time thinking about account security ;)
 