Curse

shinta_himura · Jun 24, 2011, 09:37 PM // 21:37

Ok, you know what, I've had it!

If Arena Net cared about account security don't you think we'd have something a bit better than "8-13 Alpha Numeric Only" passwords? I mean what is the issue with these people?

I would love to have a secure password but your primitive password system DOESN'T ALLOW IT.

Plenty of other places allow MUCH MORE than 13 freaking characters, AND they allow symbols. WHAT is your problem?? All of that money you're raking in from your cash shop and you still can't afford to host passwords longer than 13 characters?

I'm tired of seeing these weekly security warnings, logging in to see if they've done anything legitimate to help the problem, and seeing NOTHING.

13 Characters, alpha-numeric only, give me a damn break.

Fay Vert · Jun 24, 2011, 09:48 PM // 21:48

13 character alpha numeric is not a problem compared to the real weaknesses in the system. Unfortunatley, the biggest weakness doesn't lie with ANet. What use is stonger passwords when many people choose 1234?

Having said that, ANet should do a lot more for account protection. Thye can start by allowing you to specify non-deletable (time locked) characters and items.

makosi · Jun 24, 2011, 09:51 PM // 21:51

A method of 'locking' your GW account to your own particular computer would be great. Also, a temporary account lock for frequent wrong password attempts would prevent brute forcing.

Aycee · Jun 24, 2011, 09:54 PM // 21:54

Oh gosh rager in the building. There is literally probably over a million different pass combinations you can make using 13 alpha numeric. Passwords aren't the problem.

subman247 · Jun 24, 2011, 10:23 PM // 22:23

Really?! Your crying because of password length? Dont use the same password for multiple things and be smart with what you do online. If your not stupid or terribly unlucky you have a much better chance of not being a target. Iv played 6 years and never had a single scare. In this day and age of major hacking if the right person really wanted you acRED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GO they would get it. If the FBI, CIA and Sony can be hacked there is nothing A-net can do to provide 100% security. Cross your fingers and hope for the best

lol I have no idea why that was RED ENGINED.

Del · Jun 24, 2011, 10:43 PM // 22:43

OP, you can make a strong password with alphanumeric and limited chars, the weekness generally comes from people using actual words in their passwords, which makes them easier for bruteforce programs. Randomizing lowercase and capital letters, aw well as mixing it all up with numbers alone is very strong. the problem is security breaches here and in ncsoft's sites. Many people use the same password for everything, so stealing info for this site generally helps hackers steal accounts more effectively than bruteforcing.

Quote:

Originally Posted by subman247

lol I have no idea why that was RED ENGINED.

You probably accidentally typed "acc unt"

LifeInfusion · Jun 24, 2011, 10:47 PM // 22:47

biggest problem always has been NCSoft Master accounts, fake account emails claiming to be from NCsoft, and people using crappy passwords (or ones they use EVERYWHERE).

It's not a bank you know, you don't need more than 13 alphanumeric with capitals and lowercase.

Not like you need something more than
SvCN2iTYeIN5Y
shOSN8HO85mpV
T36d84Rso51N6
ddL5djPoS7aC1
To6bHdQdGQ9eK
pj7kG1PIY24p9

I'd like ! or $ to be usable too, but that's wishful thinking.

Ironically a strong password is supposed to be 15+ characters and has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /

End · Jun 24, 2011, 11:09 PM // 23:09

Quote:

Originally Posted by Aycee

There is literally probably over a million different pass combinations you can make using 13 alpha numeric.

62^13 or 200,028,539,268,669,788,905,472

now take into account that after a few password attempts it starts taking longer and longer (assumed purposely) to check the password this last attempt took like 10 seconds...

Sooo because of this lets take 5 seconds and be nice... say that after the first few they can only make one attempt every 5 seconds that means it will take
277817415650930262368.7 hours or 11575725652122094265.4 days orrrr 31714316855129025.4 years

(just a thought I'd have better luck with a 4 number pin number that most debit/credit cards are bound to with only 10,000 possibilities)

feel free to correct me if my math was wrong I have a horribad headache atm.

Anet actually does a great job preventing this type of attack and I like the way the time keeps adding up each time you try to log in (btw this last fake attempt=30 seconds...all while my other account on the same pc is doing fine

.

Sooo yes while their allowed passwords may be limited. They have implemented shit to keep it from getting hit with a brute force attack.
There is ofc course the possibility of using a botnet for it...but that still won't be very efficient i dont believe.

The main issue is the ncmaster accounts.

deluxe · Jun 24, 2011, 11:26 PM // 23:26

I think all these account hacks have very little to do with brute force password cracking, but some kind of bug in the ncsoft website.
My account got hacked, my password got changed...
How in gods name is it possible to change a password without me getting a confirmation email about it?

Chrisworld · Jun 24, 2011, 11:30 PM // 23:30

I've rules out keyloggers too.

Lishy · Jun 24, 2011, 11:35 PM // 23:35

How can you even get hacked if you change your account to use a fresh email? Definitely a flaw with NCSoft, perhaps?

If not, then it must be keyloggers. But for those with protected systems, linux, and who don't use suspicious programs...????

Xenex Xclame · Jun 24, 2011, 11:41 PM // 23:41

So what's with all this whining, did OP use a simple password like "password" and got hacked?

Account security on the login side is good enough.Not only do you need the 13 digit password, which like end has posted is going to take along time to guess.

You also need the login name, so as long as your not stupid enough to use the same email for msn/forums will add another amazingly long time to guess.

You also need the character name, which in reality isn't hard to find, but you still have to find a login and password to fit with the character name.

So let's say I wanted to ai and attack one person, I might be able to find out his email since he uses it for MSN too and his character name because I played with him, or seen screens of his character,I would still need to break his password.

Yes having symbols added to possible character allowed in password would increase password security, but its not like the way it is now is a simple 1-2-3 step thing.

And all this is forgetting that the way most people get "hacked" is by giving the "hacker" info unknowingly or knowingly, thinking that person is trustworthy.No amount of character and symbols will help against people just being dumb.

Porkchop Sandwhiches · Jun 24, 2011, 11:48 PM // 23:48

I just want a different method than using my email address as my login, is that so hard to ask?

Xenex Xclame · Jun 24, 2011, 11:59 PM // 23:59

Quote:

Originally Posted by Porkchop Sandwhiches

I just want a different method than using my email address as my login, is that so hard to ask?

Ugh so do I.It seemed convenient when GW came out since I wouldn't have to remember another login, I dunno why, but even so I didn't use a email address that I used for something else.

Reverend Dr · Jun 25, 2011, 12:07 AM // 00:07

Quote:

Originally Posted by shinta_himura

"Alpha Numeric Only" passwords?

This is a terrible horrible thing. I laugh at every website that refuses to allow symbols in passwords.

Alpha Numeric for names is understandable but not allowing it for passwords only reduces security. There is a reason that strong password generators default to giving passwords with symbols included.

Now none of this is really seems like it is going to really affect the largest GW security issues (this is speculation), but there is still no reason for alpha numeric only passwords ever.

Reformed · Jun 25, 2011, 12:43 AM // 00:43

Quote:

Originally Posted by Lishy

How can you even get hacked if you change your account to use a fresh email? Definitely a flaw with NCSoft, perhaps?

If not, then it must be keyloggers. But for those with protected systems, linux, and who don't use suspicious programs...????

If I was selling gold through a website the very first thing I'd check to potentially compromise an account would be to throw in the same credentials they used during registration. In other words...a valid email address, a password (both of which may or may not have been reused) and a character name which they would need for delivery.

While I don't rule out NCSoft liability the simplest explanation is that the victim gave out the info to 'friends' and forgot or unwittingly revealed it to others by being careless.

Skyy High · Jun 25, 2011, 12:51 AM // 00:51

Quote:

Originally Posted by shinta_himura

Ok, you know what, I've had it!

If Arena Net cared about account security don't you think we'd have something a bit better than "8-13 Alpha Numeric Only" passwords? I mean what is the issue with these people?

lolwut?

My password isn't alpha numeric.

Quality thread.

Chthon · Jun 25, 2011, 02:25 AM // 02:25

Quote:

Originally Posted by Skyy High

lolwut?

My password isn't alpha numeric.

Quality thread.

Once bonded to a damned NCMA account, your GW password can only be changed through the NCMA account. While GW supports symbols in passwords, the NCMA feature to set the GW password only allows alpha-numeric. Just one more example of needlessly shitty "security" forced on GW by NCSoft.

Ximvotn · Jun 25, 2011, 02:34 AM // 02:34

I like a password I can actually remember, 1 numeral is fine, if you're that nervous about your account then use a virtual keyboard.

Verene · Jun 25, 2011, 02:36 AM // 02:36

Quote:

Originally Posted by Chthon

Once bonded to a damned NCMA account, your GW password can only be changed through the NCMA account. While GW supports symbols in passwords, the NCMA feature to set the GW password only allows alpha-numeric. Just one more example of needlessly shitty "security" forced on GW by NCSoft.

Really?

Cos my account is linked to a NCMA, and I've changed my password in the game itself before...

(and yes, it was after they were linked)