Guild Wars Forums - GW Guru
Old Mar 10, 2008, 07:24 PM // 19:24   #1
Furnace Stoker
Join Date: Mar 2006
Location: Europe
Guild: Country Roads [HOME]
Concerned: GW accounts can be cracked by simple Brute force attacks?

UPDATE: Youtube finally removed the video: "This video is no longer available due to a copyright claim by NCSoft"
------------------------------------------------------------------------------------------------------------------------

Ok, I just saw something on Youtube which made me quite concerned about the Security of GuildWars accounts.

I was just browsing Youtube for all GuildWars videos that have been added this week.
I found a video showing how to crack GW-accounts by simple brute force attack (= trying all password combinations).
He is also linking to a Download for his program.

The uploader also states that he gets the email addresses for the accounts from browsing forums like GW Guru.

If accounts are that simple to crack, Anet should really react and add something like
- a 1-hour wait period after 5 wrong passwords in a row
- a Message about how many failed login attempts there were etc.


NOTE: If this thread violates the guidelines, please remove it.
I will not post the youtube-link or answer to Private Messages unless they come from Mods.


Quote:
Originally Posted by zwei2stein
All he needs is someone to download his trojan with keylogger. Bingo, free account. The video is just an ad to get people to download it en masse.
Ok, this sounds more reasonable.
But then I'd like to know, how to report Videos like that from being deleted from Youtube.

Quote:
Originally Posted by DarkWasp
It really is impossible to browse through over 100 million combinations 1 by 1 in GW. At least within a few months.
I know that. He states that cracking the account may take up to 2 months, or 2 minutes. He says something about using a dictionary attack and using the most common phrases at first, which means he could crack easy passwords quite fast...

Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
Ye, I think so too now...... but those 500 Views of the Video might not know that.....
-----------------------------------------------------------------------------------------------------------------

Ok, it sounds a lot more reasonable that he is offering a program with a Trojan and a Keylogger.
But still... I'd like to know if Anet registers something like failed login attempts....

Last edited by take_me; Mar 10, 2008 at 10:42 PM // 22:42..
Posted by take_me
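The opening post asks for two server-side controls: a waiting period after five wrong passwords in a row, and a message telling the account owner how many failed attempts there were. The following is an added example of such a policy, written for this page; it is not ArenaNet's code and nothing in the thread describes how the real login service works. The threshold, the lockout length, the PBKDF2 stand-in for a password hash and the `attempt_login` interface are all assumptions.

```python
"""Added example, not from the thread or from ArenaNet: a failed-login policy of
the kind the opening post asks for.

Constructed rules:
  * after 5 consecutive wrong passwords the account is locked for 1 hour;
  * every response carries how many failed attempts happened since the last
    successful login, so the owner can see the account is being hammered.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5        # wrong passwords in a row before locking
LOCKOUT_SECONDS = 3600       # one hour, as suggested in the post


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_since_last_login: int = 0   # reported back to the owner
    consecutive_failures: int = 0      # drives the lockout
    locked_until: float = 0.0          # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only as a stand-in for whatever password hash a real
    # service uses; the point of the example is the attempt accounting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def attempt_login(acct: Account, password: str, now: float) -> dict:
    """Check one login attempt at time `now` and update the counters."""
    if now < acct.locked_until:
        return {"ok": False, "reason": "locked",
                "retry_after": int(acct.locked_until - now),
                "failed_attempts": acct.failed_since_last_login}

    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        report = acct.failed_since_last_login
        acct.failed_since_last_login = 0
        acct.consecutive_failures = 0
        # A successful login tells the owner how many bad guesses preceded it.
        return {"ok": True, "failed_attempts": report}

    acct.failed_since_last_login += 1
    acct.consecutive_failures += 1
    result = {"ok": False, "reason": "bad_password",
              "failed_attempts": acct.failed_since_last_login}
    if acct.consecutive_failures >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.consecutive_failures = 0
        result["reason"] = "locked"
        result["retry_after"] = LOCKOUT_SECONDS
    return result


if __name__ == "__main__":
    acct = make_account("correct horse")
    for t in range(5):
        print(attempt_login(acct, "wrong guess", float(t)))
    print(attempt_login(acct, "correct horse", 5.0))          # still locked
    print(attempt_login(acct, "correct horse", 5.0 + 3600))   # lock expired
```

Because the lock is keyed on the account, anyone who knows the e-mail address can keep its owner locked out simply by guessing wrong five times, which is the annoyance DarkWasp raises later in the thread; real services usually temper this with per-source throttling or a challenge rather than a hard account lock.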
Old Mar 10, 2008, 07:29 PM // 19:29   #2
Grotto Attendant
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/

Yes, he is breaking into accounts. But not by brute force.

All he needs is someone to download his trojan with keylogger. Bingo, free account. The video is just an ad to get people to download it en masse.
Posted by zwei2stein
Old Mar 10, 2008, 07:29 PM // 19:29   #3
Forge Runner
Join Date: Apr 2007
Location: Sardelec yelling at Tenshi
Guild: Angels Of Strife
Profession: E/

Interesting and scary. One of the reasons why I never use the same email for anything.
Posted by Sir Pandra Pierva
Old Mar 10, 2008, 07:30 PM // 19:30   #4
Banned
Join Date: Jan 2008

anet should add a way so that we can change pass without dealing with their bullshit support system, that way we can all add an alt code to our pass and render us safe.


þ¥~

however, that video is fake and the program it links to is trojan'd and keyloggered
Posted by Captain Miken
Old Mar 10, 2008, 07:31 PM // 19:31   #5
Desert Nomad
Join Date: Mar 2005
Location: Paradise
Guild: Agency Of Forbidden Fruits [Oot]
Profession: R/A

It really is impossible to browse through over 100 million combinations 1 by 1 in GW.

At least within a few months. I'm sure Arena.Net would notice the insane amount of login tries and block the IP or have you change your email.

So all a 5 minute block after so many password tries would do is annoy people who have quit for a few months, then come back trying all of their passwords to find out which one they used.
Posted by DarkWasp
Old Mar 10, 2008, 07:32 PM // 19:32   #6
Wilds Pathfinder
Join Date: Oct 2007
Location: Bellevue, WA (I know ... but I moved out of NZ)
Guild: Xen of Onslaught
Profession: D/

Brute-forcing passwords can easily take years if the internet is involved, and it's basically impossible not to get noticed by ArenaNet fast enough to be stopped. It is a good reason why you should use non-trivial passwords, though.
Posted by Sirius-NZ
Old Mar 10, 2008, 07:33 PM // 19:33   #7
Desert Nomad
Join Date: Sep 2007
Location: Northeastern Ohio
Guild: LaZy
Profession: P/W

Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
Posted by Axel Zinfandel
Old Mar 10, 2008, 07:33 PM // 19:33   #8
Banned
Join Date: Jan 2008

guys, my password is password~


Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
The program he is offering is keylogged and trojaned.
Posted by Captain Miken
Old Mar 10, 2008, 07:35 PM // 19:35   #9
Ctb
Desert Nomad
Join Date: Apr 2006
Profession: W/

Quote:
that way we can all add an alt code to our pass and render us safe.
NO
Quote:
Originally Posted by SecurityFocus
For example, a five-character password made up of high-ASCII characters will require 25 keystrokes to complete. With 255 possible codes for each character and five characters, the total possible combinations are 255^5 (or 1,078,203,909,375). However, a 25-character password made up of only lower-case letters has 26^25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. Clearly, you are better off just making longer passwords.
Good article, and very relevant to this topic.
Posted by Ctb
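The SecurityFocus paragraph quoted above compares two search spaces by hand: 255^5 for five high-ASCII characters and 26^25 for twenty-five lower-case letters. The script below is an added example written for this page (it is not from the article or the thread) that carries that arithmetic through for any alphabet size, length and guessing rate, and reduces the article's point to a single number: bits of strength bought per keystroke. The guessing rates `ONLINE_RATE` and `OFFLINE_RATE` are constructed for illustration.

```python
import math

# Added example, not from the thread or the SecurityFocus article: the
# search-space arithmetic of the quoted paragraph, generalised.

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed guessing rates: a remote login service answering a handful of
# guesses per second versus an offline attack on a leaked password hash.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e9


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: strength of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def bits_per_keystroke(alphabet_size: int, length: int, keystrokes_per_char: float) -> float:
    """Strength gained per key pressed; the article's argument in one number."""
    return entropy_bits(alphabet_size, length) / (length * keystrokes_per_char)


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time for an exhaustive search, which on average finds the password halfway through."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(alphabet_size: int, length: int, keystrokes_per_char: float) -> dict:
    return {
        "combinations": search_space(alphabet_size, length),
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "bits_per_keystroke": round(bits_per_keystroke(alphabet_size, length, keystrokes_per_char), 2),
        "years_online": expected_crack_years(alphabet_size, length, ONLINE_RATE),
        "years_offline": expected_crack_years(alphabet_size, length, OFFLINE_RATE),
    }


if __name__ == "__main__":
    # The article's two cases: five high-ASCII characters typed as Alt codes
    # (five keystrokes each) versus 25 plain lower-case letters, plus a short
    # lower-case password for contrast.
    for label, args in [("5 x high-ASCII via Alt codes", (255, 5, 5)),
                        ("25 x lower-case letters", (26, 25, 1)),
                        ("8 x lower-case letters", (26, 8, 1))]:
        print(label, compare(*args))
```

The numbers only describe an exhaustive search over random passwords; a dictionary attack of the kind the opening post mentions ignores the search space entirely and tests likely phrases first, which is why the length argument only helps when the long password is not itself a common phrase.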
Old Mar 10, 2008, 07:37 PM // 19:37   #10
Banned
Join Date: Jan 2008

http://www.securityfocus.com/infocus/1554

Quote:
A better approach is to be less predictable. Rather than replacing "o" with "0", try replacing "o" with two characters such as "()" as in "j()hn". And of course, making your password longer will make it even stronger.
Brute forces that the general public have do not even check for alt codes.

Quote:
Although they are useful in some situations, you should also consider the disadvantages. First of all, holding down the ALT key and typing on the numeric keypad is something that can easily be observed by others. Second, creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Note that all of the drawbacks can easily be overcome by: not being a damn retard.

Last edited by Captain Miken; Mar 10, 2008 at 07:41 PM // 19:41..
Posted by Captain Miken
Old Mar 10, 2008, 07:56 PM // 19:56   #11
are we there yet?
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/

We have been complaining about the lack of security on the password issue since, well, I joined Guru!! It simply does NOT make sense to allow unlimited password tries until you get it right. Granted, it would take a while to figure it out, but if you have the time you can do anything, I guess.
Posted by cosyfiep
Old Mar 10, 2008, 08:03 PM // 20:03   #12
Jungle Guide
Join Date: Oct 2007
Guild: Heroes of Elonia [HE]
Profession: W/Rt

Simple. Use personal passwords. Common phrases/words linked to something personal, so only you know it/them.

Anyone dumb enough to download something that says "Omfg luk 'ere 4 ul1mat hax" deserves everything they get.
Posted by [Morkai]
Old Mar 10, 2008, 08:22 PM // 20:22   #13
Ctb
Desert Nomad
Join Date: Apr 2006
Profession: W/

Quote:
Brute forces that the general public have do not even check for alt codes.
l0phtcrack certainly does check for "alt codes".

Quote:
Note that all of the drawbacks can easily be overcome by: not being a damn retard.
Making things more complicated does not equate to an increase in security. You can accomplish exactly the same thing - a non-dictionary password - by just doing what the article suggests: make the password a long phrase.

It's easy to remember, it is, in any practical sense, immune to a dictionary attack, and it's guaranteed to work in most applications that require a password.

Or, you could keep arguing with the successful author and security consultant who's made a good living out of knowing about this sort of thing. I mean, MAYBE he's full of crap, but if that's the case he's pretty damn good at tricking the people that have been paying him and publishing his books over the last few years....
Posted by Ctb
Old Mar 10, 2008, 09:03 PM // 21:03   #14
Grotto Attendant
Join Date: Apr 2007

1. My money's on his program being a trojan.

2. Yes, GW accounts are VERY susceptible to brute force attacks. Once an attacker obtains your login, there's no limit to how many tries they can make consecutively, no notification that someone's hammering on your password, and, if your account is linked to a PlayNC account, no way to change your login. To make matters worse, if your account is linked to a PlayNC account, you are forced to use a weak password.

3. I've posted these elsewhere, but I'm going to post them again for the heck of it. Best practices for keeping your GW account safe:
  • Create a new e-mail address for your GW login, and use it for nothing else. Ever.
    • Don't tell it to anybody.
    • Don't use it for anything. No e-mail. No signing up for forums. Nothing.
    • Make sure it's with an e-mail provider who is going to keep their domain indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure it's with an e-mail provider you're able to keep a relationship with indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure to write down the address and password and keep them with your GW key. You're likely to forget them since you never use the account for anything.
  • Use a strong password. That means that:
    • It must be at least 10 characters long (longer is better)
    • It must contain at least one capital letter (A, B, C,...), at least one lowercase letter (a, b, c,...), at least one numeral (1, 2, 3,...), and at least one symbol (!, @, #,...).
    • It must not be any English or foreign word or name found in any dictionary (including slang/urban dictionary) or other reference guide.
    • It must not be any simple cipher of the above. ("!33t" is only trivially harder to guess than "leet.")
  • If your account is not linked to a PlayNC account, then change passwords regularly. If your account is linked to a PlayNC account, and your current password is relatively strong, then do NOT change passwords ever. If your account is linked to a PlayNC account, but your current password is weak, then change passwords regularly.
  • Do NOT link your account to a PlayNC account.
    • If you absolutely must link it, then make sure to switch to a secure e-mail address and strong password BEFORE linking your account, then never change them again.
Posted by Chthon
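Chthon's strong-password rules (length, character classes, no dictionary word, no simple cipher of one) are concrete enough to check mechanically. The following is an added example written for this page, not Chthon's code and not anything ArenaNet runs: a checker that applies those four rules, with the "simple cipher" rule handled by expanding common letter substitutions back to plain letters, so that "!33t" is recognised as "leet". The word list, the substitution table and the `check_password` interface are all constructed for the example; a real deployment would load a large dictionary and breached-password list instead.

```python
import itertools
import string

# Added example, not Chthon's code or ArenaNet's: a checker for the four
# strong-password rules listed in the post above.

# Constructed stand-in for a real dictionary / leaked-password list.
WORDLIST = {"password", "leet", "guildwars", "dragon", "letmein", "monkey", "ascalon"}

# Substitutions a "simple cipher" uses. A symbol that can stand for more than
# one letter ("!" for "i" or "l") lists every letter it might mean.
LEET = {"!": "il", "1": "il", "|": "il", "3": "e", "0": "o", "@": "a",
        "4": "a", "$": "s", "5": "s", "7": "t", "+": "t"}
MAX_VARIANTS = 4096


def unleet_variants(text: str) -> set[str]:
    """Every plain-letter reading of `text` under the LEET table (capped)."""
    options = [LEET.get(ch, ch) for ch in text.lower()]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > MAX_VARIANTS:
        # Long, symbol-heavy input: keep only the first reading of each symbol
        # rather than enumerating thousands of variants.
        return {"".join(opt[0] for opt in options)}
    return {"".join(combo) for combo in itertools.product(*options)}


def is_dictionary_or_cipher(pw: str) -> bool:
    """True if the password is a listed word, or one with digits/symbols
    tacked on the ends, or a substitution cipher of either."""
    low = pw.lower()
    bases = {low, low.strip(string.digits + string.punctuation)}
    return any(base and unleet_variants(base) & WORDLIST for base in bases)


def check_password(pw: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if is_dictionary_or_cipher(pw):
        problems.append("dictionary word or a simple cipher of one")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own "!33t" example.
    for sample in ["!33t", "P@ssw0rd1!", "Dr4g0n!!2008", "kX7#rmQ2vz!p"]:
        print(repr(sample), "->", check_password(sample) or "passes all rules")
```

The class-count rules are cheap and exact; the dictionary rule is only as good as the word list behind it, so the interesting design question for a real service is how large a list to ship, not how to write the loop.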
Old Mar 10, 2008, 09:08 PM // 21:08   #15
Jungle Guide
Join Date: Aug 2005

This happened in the early days of GW when people had the same forum/game account email. The answer is pretty simple, don't ever use your game account email on a guild wars fan site.
Posted by IlikeGW
Old Mar 10, 2008, 09:11 PM // 21:11   #16
Desert Nomad
Join Date: Jul 2007
Location: Cuba

lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, it's a trap
Posted by slowerpoke
Old Mar 10, 2008, 09:20 PM // 21:20   #17
Ascalonian Squire
Join Date: Jan 2007
Location: Kansas USA
Guild: The Makavelli Lords [TML]
Profession: A/

Quote:
Originally Posted by slowerpoke
lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, it's a trap
Doesn't Youtube have a way to report this kind of malicious activity?
Posted by Ultimate Flash
Old Mar 10, 2008, 09:24 PM // 21:24   #18
Furnace Stoker
Join Date: Mar 2006
Location: Europe
Guild: Country Roads [HOME]

Quote:
Originally Posted by Ultimate Flash
Doesn't Youtube have a way to report this kind of malicious activity?
Yes, I used the "Flag" feature, but I suppose more than 1 flag is needed to report the video, and I don't want to post the link here.......
Posted by take_me
Old Mar 10, 2008, 09:37 PM // 21:37   #19
Frost Gate Guardian
Join Date: Feb 2008
Guild: Flying Gophers
Profession: W/

Just don't use words for your passwords. I recommend mashing your keyboard and seeing what comes up, then writing it down somewhere. It may take a few seconds more to type each time, but you are WAY safer, as dictionary attacks won't do shit, etc...
Posted by Buddhaofwar
Old Mar 10, 2008, 09:37 PM // 21:37   #20
Desert Nomad
Join Date: Feb 2005
Location: Ascalon
Profession: E/

Actually it was already posted here, likely by the same person who created the YouTube vid. The mods were rather quick in deleting it.

And like Chthon said, create an email account for GW and GW only. Change your forum account to something else, or just don't display it, if it's already the same as your game account. Also don't use that email for IM purposes; the Youtube vid also suggests gaining account names that way.
Posted by DarkFlame