Curse

MoriaOrc · Mar 11, 2008, 06:28 AM // 06:28

Quote:

Originally Posted by Ekelon

This is pretty epic fail.

Do you realize how many valid password combinations there are? Obviously, if you have a generic password like "123" or "cheese", then of course you'll get hacked. But let's say you use 8 letters in your password and use alpha-numeric lettering... then that's 8 to the power of (36), there being 36 people combinations. Yup, that comes up to roughly 3.25 times ten to the 32nd. Ouch.

So yes, you can brute-force an account with an easy password (one that might take under a decent amount of tries), but that would be your own fault for such an easy password.

It's actually more then that. Passwords are case sensitive, and whats more GuildWars allows symbols (like periods and dashes). So you get the following total possible values for each character of the password for GW:
26 (all lowercase letters)
26 (all uppercase letters)
10 (all numerics, 0-9)
32 (all symbols on a standard keyboard)
--
94 (total possible values for any given character)

A password that is 8 characters and uses at least one of each of these 4 categories (assuming that's all we know about it) will have about 6e15 possible passwords. This improves by about 1e14 if you have to check all 7 character passwords first (don't know the length), but drops dramatically if you can eliminate one or more of the categories (for example, alpha-numeric passwords only have 2e14 possible 7 or 8 character passwords).

Unfortunately, your math was wrong earlier. It's 94^8, rather than 8^94, so I lied at the begging when I said it's actually more.

Shanaeri Rynale · Mar 11, 2008, 08:31 AM // 08:31

This has been an issue for years now, with zero sign of improvement. Tbh it's pretty shameful it's not been resolved since it requires such simple changes.

Cannot change Username(as mentioned above).
You might be able to use symbols for your GW password, but you cant if you link it to PLAYNC.
The max password length is limited to 13 chars, which is too low. 15 should be minimum
No wrong password lockout
Use of email as a user ID

These are BASIC security measures.

Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like

Being able to lock a character to prevent deletion
Marking some items in game as undroppable/untrashable/untradeable.

Computer security is TWO sided. We might have all the anti virus, firewalls, right behavour all we want, but if the server side security is weak then it does us no good at all.

I realise the PlayNC side is NCSoft and not Anet, but it should not take two years for such a basic system to be put into place. It's almost bordering on the negligent to have such things outstanding for so long.

As the game gets older and peoples time investment in their chars gets more and more, this issue becomes ever more serious for them.

Come on Anet/NCSoft, Sort it..

Iuris · Mar 11, 2008, 08:35 AM // 08:35

Um, a 5 letter password using 25 possible characters means:
25*25*25*25*25 combinations, or: 9765625.

So, 50% chance at 5 milion attempts.

Brute forcing like that would be noticed, simply because it would severely burden the server.

Now, 10 letters, 25 characters (guaranteed on all keyboards, so lacking čšž and similar ones) in lower and upper case (GW does distinguish case with passwords) + 10 letters, means:
604661760000000000 combinations.

Not a real thing to crack.

What one must avoid is using meaningful combinations. A brute force attacker will be smart enough not to start with 0000000000 and end with zzzzzzzzzz, but rather with 01010001 and working to 31122008, just to check for any people using birthdays. After all, checking the 365 birthday possibilites, "just in case", is a valuable time saver.

Also, note one thing:
If you limit "X failed attempts mean an Y hour lockout", this means that the brute force attacker won't be able to get your password before the sun burns out - but your account will be useless, as you won't be able to enter your own password

FrAnt1c² · Mar 11, 2008, 09:45 AM // 09:45

*Goes changing his password to something more complicated*

Rushin Roulette · Mar 11, 2008, 10:17 AM // 10:17

Making a secure Password shouldnt be too hard for people to remember.
Start off with a simple phrase like;

I am a Guild Wars PvP immortal god

Take the first letters from every word (makes the password slightly more secure)

IaaGWPvPig (lol at Player v Pig here

)

change a few letters to 1337speek

[email protected]\/Pi9

you have a pretty good length 9 password with smallcaps, largecaps, numbers and symbols.

Note; this isnt anything similar to my PW and was just meant as an example.

Remember, the longer a Password is the harder it is to crack.

Mangione · Mar 11, 2008, 11:29 AM // 11:29

Quote:

Originally Posted by Shanaeri Rynale

Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like

Being able to lock a character to prevent deletion
Marking some items in game as undroppable/untrashable/untradeable.

[...]
As the game gets older and peoples time investment in their chars gets more and more, this issue becomes ever more serious for them.

Come on Anet/NCSoft, Sort it..

There's a suggestion about this issue in Sardelac:
http://www.guildwarsguru.com/forum/s...php?t=10248665

Gaile Gray answered the thread, and the only point so far is that if we are willing to pay for such protection they might think to implement it.

azzer20 · Mar 11, 2008, 11:34 AM // 11:34

if you have 6+ letters or numbers it takes a password finder 30 years to find your password, i say it's pretty safe

fenix · Mar 11, 2008, 11:47 AM // 11:47

No no no, you guys have it slightly wrong. You don't brute force the GW account, you brute force the Play NC account. If you get that, you can change anything you want. Also, the Play NC account has almost NO security...so yeah, gg NC Soft.

Shanaeri Rynale · Mar 11, 2008, 12:54 PM // 12:54

Yup, the main issue is with and at PlayNC. Alas the only thing we can do is keep on at Anet to put pressure on NCSoft. As mentioned before these issues have been outstanding for 2 years or more and have not been resolved.

How hard is it on the plaync side to change the password checker to allow more characters or remove the code that refuses symbols in a password? Not something that takes a year to code thats for sure.

I also note on the plaync there's this annoucement. http://eu.plaync.com/eu/about/pressr...sana_security/

Anyone know what this is about?

If it's just another anti spyware program it's kinda meh. I would rather see the issues outlined above addressed as well as the anti malware stuff.

All the talk about permutations etc is kinda moot. Password hacks dont happen by systems starting at A and ending up at ZZZZZZZZZZZZ, they use intelligence in guessing, social factors and all sorts of tricks.

And yes i'd willingy pay something in the online store that protected my characters from deletion/trashing.

Numa Pompilius · Mar 11, 2008, 01:17 PM // 13:17

Quote:

Originally Posted by Shanaeri Rynale

I also note on the plaync there's this annoucement. http://eu.plaync.com/eu/about/pressr...sana_security/

Anyone know what this is about?

Sounds like a heuristic anti-virus suite to me, it's hard to see how it could do anything against keyloggers or even brute force password cracks. Also I've come to think of heuristic anti-virus software as "I like false positives" software. I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.

Quote:

All the talk about permutations etc is kinda moot. Password hacks dont happen by systems starting at A and ending up at ZZZZZZZZZZZZ, they use intelligence in guessing, social factors and all sorts of tricks.

I'm guessing pretty much all account hacks are done through social engineering (phishing mails, or by setting up sites where users have to register and then trying the same user emails & passwords at NCSoft), or by keyloggers. I doubt brute forcing is much of an issue.

Ctb · Mar 11, 2008, 01:34 PM // 13:34

Quote:

And if you want to be safe, by yourself a french keyboard, that way he won't be able to reproduce the accent (well it will take him a lot more time if you can input accents).

First off, you don't need a special keyboard to type those characters, it just makes it easier to do so. Secondly, if YOU can input the character, so can a dictionary attack tool. Finally, building and using a dictionary of French words (or any other language on Earth) is just as trivial as building and using a dictionary of English words.

Quote:

15 should be minimum

Fifteen characters is the old windows LANMAN limit and those passwords are trivially defeated these days. It's still a common problem in XP and 200x, in fact, since the stupid OSes store a LANMAN hash of your password for compatibility, by default, if the password is short enough to be valid for LANMAN.

Anyway, my password is a "not a word". It sounds like a real word when you speak it, and it contains the elements of real words, but it's not a real word and it contains the usual mix of letters, numbers, and punctuation characters. As a result, my password "word" will very probably not be in any dictionary, and it still has a few of the "tricks" to try and keep it safe even if it is. I expect, however, that as attack tools get more sophisticated and computers more powerful this trick may not work as effectively in the future.

Regarding the risk of brute forcing, brute forcing is not a significant threat at all so far as the process of tossing passwords at the GW login prompt goes. That would be trivially detected and stopped. The real risk is that people do stupid things with their login credentials like use them on forums:

1. Attacker finds a vuln in the GuildWarsguru.com/forum software

2. Attacker exploits the flaw and gains access to either the database prompt or the actual storage files on disk

3. Attacker loads all that data to his own machine

4. Since logins and emails are typically not stored encrypted, attacker now has a ton of potential logins for people on Guild Wars

5. Attacker also knows that it's common for people to reuse passwords and email addresses, so he breaks the vulnerable encrypted passwords in the forum database

6. Attacker then takes those stolen credentials and tests each one in the Guild Wars client, likely getting at least a few accounts

Note that the risk of a brute force exists because the attacker actually stole a file and was able to pound at it on his own systems where he didn't have to worry about detection.

Quote:

Sounds like a heuristic anti-virus suite to me, it's hard to see how it could do anything against keyloggers or even brute force password cracks. Also I've come to think of heuristic anti-virus software as "I like false positives" software. I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.

Sounds to me like they might be looking to embed heuristic software into the client to detect illegal access of the program's memory space. That would detect anything interacting with the gw.exe client or it's loaded DLLs that doesn't have an "approved" footprint. Blizzard has a similar program for WoW that, as of its last major revision, is horribly obtrusive and, frankly, raises serious security concerns of its own, imho.

Generally, however, that sort of thing is used to detect and stop botters, not protect players...

/ my speculation, let me show you it

FeroxC · Mar 11, 2008, 01:44 PM // 13:44

Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

Ive brute forced a .zip file id lost the 7 letter password to. It took a hours and this wasn't even across the net !

The guy who said brute force cant be stopped is plain wrong. I.P bans,locking the account, forcing a captcha after a certain amount of failed attemptsm, would all stop one.

Kattar · Mar 11, 2008, 01:45 PM // 13:45

Quote:

Originally Posted by FeroxC

Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

Ive brute forced a .zip file id lost the 7 letter password to. It took a hours and this wasn't even across the net !

The guy who said brute force cant be stopped is plain wrong. I.P bans,locking the account, forcing a captcha after a certain amount of failed attemptsm, would all stop one.

Herd of Zombie army netz?

Apparently not.

FeroxC · Mar 11, 2008, 01:47 PM // 13:47

I think you mean botnets.
CAPTCHA, account freezing. Read please.

Surena · Mar 11, 2008, 01:50 PM // 13:50

Quote:

Originally Posted by fenix

No no no, you guys have it slightly wrong. You don't brute force the GW account, you brute force the Play NC account. If you get that, you can change anything you want. Also, the Play NC account has almost NO security...so yeah, gg NC Soft.

PlayNC blocks you for a while after a few failed login tries.

zwei2stein · Mar 11, 2008, 01:52 PM // 13:52

Quote:

Originally Posted by Ctb

...

1. Attacker finds a vuln in the GuildWarsguru.com/forum software

2. Attacker exploits the flaw and gains access to either the database prompt or the actual storage files on disk

...

3. Attacked modifies log-in code to send raw password + username + email to him.

Its trivial to do and kiddies have lots of kits that do that for popular board software without any need to really know what is going on. All you need is exploitable vulnerability. And all that takes is to monitor security boards.

fenix · Mar 11, 2008, 01:54 PM // 13:54

Quote:

I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.

NOD32 does

So they added a block thing if you get it wrong? Must be only new, because I remember when Tsunami Rain got hacked through a brute force....and that wasn't too long ago.

Kattar · Mar 11, 2008, 01:59 PM // 13:59

Quote:

Originally Posted by FeroxC

I think you mean botnets.
CAPTCHA, account freezing. Read please.

Well done. Musta missed that one earlier.

Ctb · Mar 11, 2008, 02:24 PM // 14:24

Quote:

The guy who said brute force cant be stopped is plain wrong. I.P bans,locking the account, forcing a captcha after a certain amount of failed attemptsm, would all stop one.

Steal the list of encrypted passwords and you've defeated every one of those "protections". Very few systems are so insecure anymore that you can just hit them repeatedly with passwords and not get noticed, so dictionary attacks are mostly limited to files in the possession of the attacker (an especially dangerous risk is your own employees).

Quote:

Attacked modifies log-in code to send raw password + username + email to him.

There are plenty of other options as well, yes, but that one in particular would be dangerous.

First it requires you to have write access to the code, and one would hope that the GWG account, the webserver, and the db server are running as sufficiently unprivileged users that this would be prevented. Failing that basic security step, it would still require obviously funny looking SMTP calls that should be picked up in basic daily log monitoring. Simply stealing the DB outright could be covered up effectively for days, weeks, or even forver on a typical website security setup, and you don't have to worry about creating new footprints later.

It all depends on the sophistication of the attacker and particulars of the victim, in the end.

lakatz · Mar 11, 2008, 04:14 PM // 16:14

Quote:

Originally Posted by FeroxC

Brute force is totally not feasible, a real brute force will take thousands of attempts, a modified dictionary hundreds.

Ive brute forced a .zip file id lost the 7 letter password to. It took a hours and this wasn't even across the net !

The guy who said brute force cant be stopped is plain wrong. I.P bans,locking the account, forcing a captcha after a certain amount of failed attemptsm, would all stop one.

Password recovery programs abound for applications such as Word, Excel, Zip or anything else that can be password protected by the user. If you'd started with a google search, you would have had the file open within about five minutes. These programs are legal btw.