Curse

Ctb · May 12, 2008, 05:43 PM // 17:43

Quote:

I am confident enough in my password.

Quote:

Typically, on a site like this I use a simple password, but in game and on my email and other important accounts my passwords are longer and more complex.

This isn't about YOU though, it's about people who were attacked and lost their accounts. Sadly, many people still use "password" as a password. Most people don't think about the danger inherent in using the same email address for multiple logins.

In fact, ANET didn't, and they're supposed to be professionals.

Quote:

True, but most sites have such a high level of encryption that it becomes a full time job if you want to hack site accounts.

There's no reason someone couldn't set up a "fan site" or something similar and claim to be encrypting passwords, but really just be collecting the plain text copies.

Inde · May 12, 2008, 05:58 PM // 17:58

Quote:

Originally Posted by Zahr Dalsk

Go to website control panel (not forum admin control panel; the site itself) go to databases, find the forum's database, (default is vbulletin for this forum software, I believe) look around, find encrypted passwords in table, record them, decrypt them (requires knowing what format they're in and finding an online or downloaded decryption tool). Voila, you have passwords. Compare to user ID to find out which is which.

So, yeah, if you enter a password when making an account on most forums, the site admins (NOT forum admins) can get it if they really want it.

I addressed this all ready in the other thread, but vb encryption is only 1 way Zahr.

bamm bamm bamm · May 12, 2008, 06:19 PM // 18:19

It was my understanding that only password hashes are ever stored on any system that requires authentication. It would literally take an extra layer written by the admins to catch passwords on signup, if that's even possible.

**cosyfiep** · May 12, 2008, 06:24 PM // 18:24

my 2cents.
guildwars has been out for 3 years.
In those three years many people have come and gone.
Many of those people have gotten BORED with the game.
Some of them have moved on while others are finding 'new' ways to 'play' the game......anything that has been around for some time will start to get attacked from hackers. Now that the rmt thing is closed up, this will also lead those people to find new avenues of making money---not saying its those people doing the hacking, but geez, they are already doing one illegal thing to make money, why not another???

So we have a lot of bored people with time on their hands and a security system that allows unlimited password attempts to get logged in.....sounds like a recipe for disaster if you ask me.

and that queezy feeling returns to my stomach.....thanks.

Ctb · May 12, 2008, 07:05 PM // 19:05

Quote:

It would literally take an extra layer written by the admins to catch passwords on signup, if that's even possible.

Eh? No, they just wouldn't implement any encryption at all and say they did.

1. Use open source board software
2. Replace signup code with your own code and don't tell anybody
3. Steal logins
4. Profit!!!

/ missing has been found

Fril Estelin · May 12, 2008, 08:37 PM // 20:37

Quote:

Originally Posted by Malice Black

Fansite admins/mods have no access to such information. They can only see what information you provide when you sign up.

You can access the mysql database behind vBulletin, thus you can have everything (but the password is hashed, thus unreadable; it's not encrypted because there's no need to, a hash function is one-way, you can't get the input from the output). You only need an account on the hosting server and the forum privileges, which are usually given only to the very few trustworthy people (and generally those accountable for the site).

Bruteforce attack on hashed password is extremely improbable, unless you control a large cluster of computer dedicated to the task, in other words you're a professional hacker. But then you wouldn't be cracking a GW account for the few bucks that it could give you...

Yeah, I agree Ctb, Anet like 100% of IT companies should pass-crack their pwddb, but they don't because this is not common practice and there are legal consequences. And this is bad.

DarkFlame · May 12, 2008, 09:55 PM // 21:55

Quote:

Originally Posted by Bryant Again

How come so many of the scams involve a person simply asking for your e-mail address? See what Lyra mentioned up above, being that passwords aren't locked after failed entries. Getting the e-mail is the hard(er) part.

Quote:

Originally Posted by Gaile Gray

There is brute force protection, it's just subtle. Rather than locking out an account, the system slows the login rate so that it would be difficult to brute force the password. Try logging into your account over and over with a bad password; after about half a dozen attempts, you'll start being "throttled" and login attempts will take an increasingly long time.

http://guildwars.incgamers.com/showp...&postcount=123

Brute force isn't feasible. And like toast said, the word hacked is thrown around far too much. Its far more likely something else(keyloggers, trojans, phishing, easy to guess pws that too many people know about) then a hacking issue.

Age · May 12, 2008, 10:03 PM // 22:03

Quote:

Originally Posted by TheRaven

There have been numerous threads here recently with tales of hacked accounts. Why is this? Well here are a few possibilities.

1. You downloaded a program from a disreputable site. This happens all the time. Kids see advertisements for free gold farming bots and other instant cheats and think Wow!! Cool!!! I can have more gold than anyone else in my guild and instantly beat all campaigns with this cheat!!!!! Such programs are just scams to get your account. If you were "hacked" this way then personally I feel that you got what you deserved.

2. You gave your account e-mail and password to the hacker. This happens when you let your cousin use your account. Your little brother. Your girlfriend. Maybe your cousin has a keylogger on his computer or maybe he got mad at you and this is his way of getting even.

3. You aren't careful with your e-mail and password. You use the same password on every site. The admins on most forums can see the password you used for the forum. If it's the same as your guildwars password then you better be darn sure that you trust your forum admins. If you've been hacked and others in your guild have also been hacked then I'd start looking at your guild forum for possible suspects or possibly a new guildie that you've been overly friendly with on TS or Vent. Someone that has asked for your e-mail address a few times.

4. Here is a possibility that has not yet been brought up on this forum (as far as I know anyways). There was a recent article about The Geek Squad being sued for stealing personal info. The Geek Squad is in most Best Buy stores and they basically are techies that can help you with computer problems. They can troubleshoot and repair most computer issues and also install new hardware/software for you. Most major electronic stores have some techies on hand that can do this. You drop off your computer at the store and they fix it up for you. However while they have your computer they also have free unlimited access to your hard drive and personal information. I'm sure most are honest, but there is also the possibility that they can steal your account info. Especially if you have your GW password stored with the shortcut. A lot of these "geeks" are gamers themselves and might take the opportunity to grab an unprotected account.

If you've been hacked, ask yourself this: Has your computer been out of your possession recently? Did a Geek Squad member or other techie use it or come to your house to troubleshoot a problem?

5. How tough is your password? A guildie of mine was recently hacked. It turns out that her password was "guildwars". Not the best choice. She learned her lesson the hard way and now has a stronger password.

No#3 is wrong maybe for TS and Vent but Board Admins can't see passwords as they are encrypted(sp).There is no way this can happen don't and with TS it is the server admin who gives you the password.

Turbobusa · May 12, 2008, 10:17 PM // 22:17

I'll throw a bone, you're free to discuss.

I was "hacked". Or as this word seems to be misused lets just say someone entered my account. Money gone, some valuable weapons gone, inventory messed up. That was not me not remembering that I did, I did not.

My ex password contained signs SUCH AS +. It contains both upper case and lower case characters, not only at the beginning. It was unique, meaning that I only used it for Guild Wars. It was not a word. It is rated very high security on most website which the feature that test your password (note: I only tested AFTER "someone entered my account").

Noone knows it. I never told anyone, and you can still try remembering it, it took me 2 weeks.

Now that you know that you can't guess it:

After "someone entered my account", I checked for viruses and keyloggers and such. Both MC Afee and Ad-Aware did not detect anything, and they are up to date, none cracked version. They were running all the time. Ho and I changed my computer in January.
When I told that on GWG, people went into an antivirus comparison flamefest. So I checked with other free and cracked antiviruses. Nothing was found.

So what stays:

- Unknown trojan/keylogger whatever that can be removed at will without any protection noticing.
- Vista failure somewhere.
- Mystery.

Discuss.

Alex the Great · May 12, 2008, 10:21 PM // 22:21

why do i care? I'm not stupid enough to get hacked, so when others are hacked it makes me comparably better.

jkjkjkjkjkjk

i know how it feels to be hacked (my runescape account got hacked 6 years ago when i was in 5th grade, and i cried, it was level 90). Please take all precations to keep your account safe