Guild Wars Forums - GW Guru
 
 

Old Mar 11, 2008, 05:25 PM // 17:25   #61
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by Shanaeri Rynale
This has been an issue for years now, with zero sign of improvement. Tbh it's pretty shameful it's not been resolved since it requires such simple changes.
  • Cannot change Username (as mentioned above).
  • You might be able to use symbols for your GW password, but you can't if you link it to PLAYNC.
  • The max password length is limited to 13 chars, which is too low. 15 should be minimum
  • No wrong password lockout
  • Use of email as a user ID

These are BASIC security measures.

Other features people have been crying out for would be very simple to put in, and yet save people so much frustration and headache if they are hacked.
Things like
  • Being able to lock a character to prevent deletion
  • Marking some items in game as undroppable/untrashable/untradeable.

Computer security is TWO sided. We might have all the anti virus, firewalls, right behaviour all we want, but if the server side security is weak then it does us no good at all.

I realise the PlayNC side is NCSoft and not Anet, but it should not take two years for such a basic system to be put into place. It's almost bordering on the negligent to have such things outstanding for so long.

As the game gets older and people's time investment in their chars gets more and more, this issue becomes ever more serious for them.

Come on Anet/NCSoft, Sort it..
I could not agree more.
Chthon is offline   Reply With Quote
Old Mar 11, 2008, 08:21 PM // 20:21   #62
Underworld Spelunker
 
Join Date: Feb 2005

http://www.guildwarsguru.com/forum/s...3&postcount=40

there is the answer

your login email is your strongest security if done right

every account i have follows this form

1. only use is to create account and not used anywhere else.

2. how many people even KNOW how long an email addy can be?

find out the max characters allowed and set a good random password generator to that and you wind up with something like this.

dURufN3feHnBALZb!Jmr%f @ my ISP. COM which is just over 128 bit strength

auto login (make sure you have lots of safe copies of that) makes login a snap

3. max your password with the same random generator

4. do that for each account

5. if it is store locked so what there will be much easier nuts to crack than this

6. get the best anti spyware/keylogger and pay for it *spyware doctor was tested a bit higher than spysweeper and is much faster and update daily
Loviatar is offline   Reply With Quote
Old Mar 11, 2008, 09:02 PM // 21:02   #63
Grotto Attendant
 
Join Date: May 2005
Location: At an Insit.. Intis... a house.
Guild: Live Forever Or Die Trying [GLHF]
Profession: W/Me

That is IMO over the top for pretty much every account except perhaps credit card/bank access. It's bad enough having to remember 70+ passwords, having to remember 70+ random emails is even worse, and just results in people writing their PW and username on a post-it next to the computer screen - and where's your security then?

As long as you don't use an easily guessable password (username: MCHammer, password: MCHammer for example) and you don't give out your password to other people or other sites, you're extremely unlikely to get hacked, even if you've got a pretty normal password.

The exception is if you get infected with a keylogger, and then you're equally screwed no matter how complex your password is, and how secret your email.
Keyloggers, on the other hand, rarely materialize by themselves on your computer, they're pretty much always the result of downloading and running dodgy software (e.g. hacks is a classic when it comes to games).

My suggestion is instead to have a layered approach:
* a low security set with junk account and junk password for places like forums and Fileplanet. You use this everywhere where it doesn't really matter.
* a moderate security set with moderate security password for places where you care if people can access your account, e.g. Guild Wars account.
* a high-security set-up with unique and very random password for each site, for use where there's money on the line, e.g. banking, credit cards, paypal...
Numa Pompilius is offline   Reply With Quote
Old Mar 11, 2008, 09:15 PM // 21:15   #64
Underworld Spelunker
 
Join Date: Feb 2005
Quote:
Originally Posted by Numa Pompilius
That is IMO over the top for pretty much every account except perhaps credit card/bank access. It's bad enough having to remember 70+ passwords, having to remember 70+ random emails is even worse, and just results in people writing their PW and username on a post-it next to the computer screen - and where's your security then?
my bad on that.

every GW account has that.

and i have a use everywhere email with only 12-15 character random pass on the rest.

and i don't do the dodgy

bank and bill pay by phone with people i know at my local branch.

do that for everything and i might have it easier death leveling
Loviatar is offline   Reply With Quote
Old Mar 11, 2008, 09:17 PM // 21:17   #65
Lion's Arch Merchant
 
Join Date: Jan 2008
Location: inside a tanning bed
Guild: It's Raining Fame Hallelujah 【傘回傘】
Profession: Me/

Using Brute Force on a GW account would be stupid, the longer your password is, and the more numbers in it, makes it 100x harder to crack. If I remember correctly, a password of 8 characters could take millions/billions of years to figure it out.
Nude Nira is offline   Reply With Quote
Old Mar 11, 2008, 09:50 PM // 21:50   #66
Desert Nomad
 
Join Date: Feb 2005
Location: Ascalon
Profession: E/

Quote:
Originally Posted by Numa Pompilius
My suggestion is instead to have a layered approach:
* a low security set with junk account and junk password for places like forums and Fileplanet. You use this everywhere where it doesn't really matter.
* a moderate security set with moderate security password for places where you care if people can access your account, e.g. Guild Wars account.
* a high-security set-up with unique and very random password for each site, for use where there's money on the line, e.g. banking, credit cards, paypal...
Well, you did pay for GW and most of us have spent an inordinate amount of time in game, so in that sense there is money on the line. But I do agree with the layered approach.

*Low security spam account for anything you have to sign-up for but is of little importance, like forums, surveys, websites, etc.

*Medium security for your personal email with friends, family, co-workers, etc.

*High security for your game accounts, banking, important work stuff, etc. And no, you don't have to create a new email for each of the things mentioned, but be sure to not give it out or use it for anything that presents a security risk.
DarkFlame is offline   Reply With Quote
Old Mar 11, 2008, 11:13 PM // 23:13   #67
Krytan Explorer
 
Join Date: Mar 2006
Guild: EOA
Profession: P/W

Quote:
Originally Posted by Ctb
Steal the list of encrypted passwords and you've defeated every one of those "protections". Very few systems are so insecure anymore that you can just hit them repeatedly with passwords and not get noticed, so dictionary attacks are mostly limited to files in the possession of the attacker (an especially dangerous risk is your own employees).


There are plenty of other options as well, yes, but that one in particular would be dangerous.

First it requires you to have write access to the code, and one would hope that the GWG account, the webserver, and the db server are running as sufficiently unprivileged users that this would be prevented. Failing that basic security step, it would still require obviously funny looking SMTP calls that should be picked up in basic daily log monitoring. Simply stealing the DB outright could be covered up effectively for days, weeks, or even forever on a typical website security setup, and you don't have to worry about creating new footprints later.

It all depends on the sophistication of the attacker and particulars of the victim, in the end.
Very true but you're circumventing protection by finding another flaw. The point is: a standard brute force attack on the Guild Wars login prompt isn't going to be effective (unless your password's: abba or aardvark). The video by the OP is probably just a trojan.

Last edited by FeroxC; Mar 11, 2008 at 11:16 PM // 23:16..
FeroxC is offline   Reply With Quote
Old Mar 12, 2008, 12:57 AM // 00:57   #68
Krytan Explorer
 
Join Date: Sep 2007
Profession: Mo/N

Quote:
Originally Posted by FeroxC
Very true but you're circumventing protection by finding another flaw. The point is: a standard brute force attack on the Guild Wars login prompt isn't going to be effective (unless your password's: abba or aardvark). The video by the OP is probably just a trojan.
Haha the person whose password is aardvark is probably thinking no one would guess that. Unfortunately it's one of the first words in the dictionary lol.
freaky naughty is offline   Reply With Quote
All times are GMT.