Guild Wars Forums - GW Guru

Nov 28, 2006, 06:24 PM // 18:24   #41
Wilds Pathfinder
Join Date: May 2005
Location: Pittsburgh

On a related note:

It's bad practice to have the client tell you whether the username or password specifically is wrong (as Guild Wars currently does). It's always better to have it say generically "bad user name and password combination".

That way, people randomly trying things can't find an active email address first and then permute passwords to it.
mqstout
Nov 28, 2006, 07:17 PM // 19:17   #42
Krytan Explorer
Join Date: Aug 2006
Location: Screwston, Tejas
Guild: KOS
Profession: N/Me

Quote:
Originally Posted by Gaile Gray
Folks,

I need to know more information, from those of you reporting that you can try multiple times without a block on attempts to access the account. Is the account with which you are making this test linked, Guild Wars and PlayNC, or not? Are you putting in the correct user name and then using an incorrect password, or are you using an incorrect user name? If I can have the parameters of the testing, that will help, and thanks for that information.

Also, some time ago, there was a system whereby someone would receive an email if their account was being "pinged" for access beyond a reasonable number. Are any of you getting such an email with your testing?

The account I used was linked via the GW store to my PlayNC account; putting in the correct user name and an invalid password (40+ times) never resulted in any sort of timeout, or any sort of email to either my GW account email or my PlayNC account's email.
Clawdius_Talonious
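Taken together, posts #41 and #42 describe the two server-side checks a login service needs: one generic failure message so a guesser cannot learn whether the user name exists, and a per-account failure counter that locks the account and notifies the owner once attempts pass a threshold (the poster above saw neither a timeout nor an email after 40+ tries). The sketch below is an added example, not Guild Wars or ArenaNet code; the threshold, lockout window, PBKDF2 work factor and notify callback are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Policy values below are constructed for this example, not ArenaNet's.
GENERIC_ERROR = "bad user name and password combination"
MAX_FAILURES = 5           # failures before the account locks and the owner is told
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts
ITERATIONS = 100_000       # PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: a stolen verifier table still has to be guessed offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    def __init__(self, notify):
        self.users = {}       # user name -> (salt, verifier)
        self.failures = {}    # user name -> (failure count, locked_until)
        self.notify = notify  # callback(user name, count), e.g. sends the warning email

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, now=None):
        """Return (success, message); the message is identical for every failure."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR      # locked: do not even check the password
        record = self.users.get(username)
        if record is None:
            # Unknown user: burn the same hashing time so response timing
            # does not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_ERROR
        salt, verifier = record
        if hmac.compare_digest(hash_password(password, salt), verifier):
            self.failures.pop(username, None)  # success clears the counter
            return True, "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        if count == MAX_FAILURES:
            self.notify(username, count)     # the "account is being pinged" email
        return False, GENERIC_ERROR
```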
Nov 28, 2006, 08:29 PM // 20:29   #43
Desert Nomad
Join Date: Feb 2006
Location: North Carolina
Profession: N/Me


Quote:
Originally Posted by luinks
Yes, Str0b0, the thing is that brute-forcing a password could take several weeks, maybe months, but in the current state of the client you can leave the brute-force program running wild day and night until it hits the nail. Sure, it will take a long time, but it is doable.

I'm just pointing out that this client-side flaw is still there, and nothing has been done to fix it. However, your suggestions are pretty useful and everyone should take them into account next time they change their password.

Actually, when I say astronomical I really mean astronomical. Even at current processing power a ten-character password comprised of numbers and at least one capital and one lowercase letter would take an ungodly amount of time. http://geodsoft.com/howto/password/c...ds.htm#howlong
The table in that article (you can jump to the "how long" section from the contents) demonstrates this. The table is based on 1.2 million tries/second using just alphanumerics and no special characters. As you can see, a ten-character password using both numbers and letters (not mixed-case letters though, and I'm not sure why) would take 1,160 years at current processing power levels to crack. That's longer than most hackers want to wait.

Those suggestions though apply to any password you make for any program or website. My only beef is that I can't link my biometrics to my Guild Wars client. That's the one and only 100% secure password protocol in existence, barring someone actually being able to lift and duplicate your fingerprints.
Str0b0
Nov 28, 2006, 09:25 PM // 21:25   #44
Krytan Explorer
Join Date: Aug 2006
Location: Screwston, Tejas
Guild: KOS
Profession: N/Me

Quote:
Originally Posted by Str0b0
I think that, after reading that article, I'm going to go ahead and add numbers to my password, as it will make it more than 30x harder to brute-force crack.
Clawdius_Talonious
Nov 28, 2006, 10:10 PM // 22:10   #45
Frost Gate Guardian
Join Date: May 2005
Location: Minnesota
Guild: Onslaught of Xen [XoO]
Profession: R/

Quote:
Originally Posted by Str0b0
Actually, when I say astronomical I really mean astronomical. Even at current processing power a ten-character password comprised of numbers and at least one capital and one lowercase letter would take an ungodly amount of time. http://geodsoft.com/howto/password/c...ds.htm#howlong
The table in that article (you can jump to the "how long" section from the contents) demonstrates this. The table is based on 1.2 million tries/second using just alphanumerics and no special characters. As you can see, a ten-character password using both numbers and letters (not mixed-case letters though, and I'm not sure why) would take 1,160 years at current processing power levels to crack. That's longer than most hackers want to wait.

Those suggestions though apply to any password you make for any program or website. My only beef is that I can't link my biometrics to my Guild Wars client. That's the one and only 100% secure password protocol in existence, barring someone actually being able to lift and duplicate your fingerprints.

A good hacker wouldn't use pure brute force to crack the password. Usually, the password would be just one word and letters. They could use a program like "John the Ripper" to attempt a dictionary scan, coupled with brute force. There have even been some suggestions that a completely random password might be less safe than something a human might come up with. Regardless, a good hacker will find SOME way in, so the best things to do are to keep changing your password often and never give out your email address. That said, I do think the account name should be able to be changed. I'm sure there is some (alpha)numeric string that is already in place to identify the accounts, so account name shouldn't be a problem.
topdragon147
Nov 28, 2006, 11:17 PM // 23:17   #46
Lion's Arch Merchant
Join Date: Aug 2005

Quote:
Originally Posted by Loviatar
REALITY CHECK HERE

if a hacker is reading your email he is probably reading everything else as well.

in which case.......

GW IS THE LEAST OF YOUR PROBLEMS

<this has been a reality check>

Which is exactly why my email accounts are all worthless, except for the private one I keep for Guild Wars. I am just stating the truth.

/kthx
Russell.Crowe
Nov 28, 2006, 11:30 PM // 23:30   #47
Wilds Pathfinder
Join Date: May 2005
Location: Pittsburgh

Quote:
Originally Posted by topdragon147
That said, I do think the account name should be able to be changed. I'm sure there is some (alpha)numeric string that is already in place to identify the accounts, so account name shouldn't be a problem.

Those of us with multiple GW accounts attached to one PlayNC account?
mqstout
Nov 29, 2006, 01:42 AM // 01:42   #48
Desert Nomad
Join Date: Feb 2006
Location: North Carolina
Profession: N/Me

Quote:
Originally Posted by topdragon147
A good hacker wouldn't use pure brute force to crack the password. Usually, the password would be just one word and letters. They could use a program like "John the Ripper" to attempt a dictionary scan, coupled with brute force. There have even been some suggestions that a completely random password might be less safe than something a human might come up with. Regardless, a good hacker will find SOME way in, so the best things to do are to keep changing your password often and never give out your email address. That said, I do think the account name should be able to be changed. I'm sure there is some (alpha)numeric string that is already in place to identify the accounts, so account name shouldn't be a problem.

Dictionary scans are useless in the face of alphanumerics. You can't list a random number string with letters thrown in. The only thing you can do is try every possible permutation of the 62 possible characters in every single grouping from the minimum required password length to the maximum required password length. If you throw in the ASCII characters to make a total of 95 possible characters, you begin to see the monumental undertaking that a hacker would have to go through just for an account. Couple that with the fact that all the hash information is server-side and not client-side and John the Ripper is useless, well, provided you don't do something dumb like have the client remember your ID and password. I refuse to believe that ANet doesn't encrypt their hash info with, at the very least, Blowfish or better, and I'm positive they have a full suite of NIDS and behavioral monitoring software. Most modern networks encrypt their hash info with at least 128 Blowfish-comparable encryption; large companies, or companies that depend on their networks heavily, like ANet, likely use a 256 or better encryption scheme.

One thing that amazes me though is how much credit people give hackers. Hackers prey upon stupidity. Common sense defeats them in most instances. It is a fallacy to think that you cannot create a secure system because a good hacker will always find a way in. I have been responsible for security management on five-nines networks, and with the proper software you can create an airtight security layer around any network or system. It all depends on the software you choose to use and the password scheme you enforce on your network. My personal network is all based on biometrics, with a hardware NAT firewall, a software firewall, NIDS, and an inward-facing software firewall for behavioral monitoring purposes. Now this is just me, a slightly above average user. Imagine what a company with an actual IT budget worth mentioning has on theirs. I think the worst we can expect from any hacker trying to crack your GW password is brute-force techniques or pre-made dictionary lists. If you follow an alphanumeric scheme with a minimum of 10 characters, then you should be more than fine.
Str0b0
Nov 29, 2006, 03:08 AM // 03:08   #49
Foe
Banned
Join Date: Mar 2006

Quote:
Originally Posted by Str0b0
Dictionary scans are useless in the face of alphanumerics. You can't list a random number string with letters thrown in. The only thing you can do is try every possible permutation of the 62 possible characters in every single grouping from the minimum required password length to the maximum required password length. If you throw in the ASCII characters to make a total of 95 possible characters, you begin to see the monumental undertaking that a hacker would have to go through just for an account. Couple that with the fact that all the hash information is server-side and not client-side and John the Ripper is useless, well, provided you don't do something dumb like have the client remember your ID and password. I refuse to believe that ANet doesn't encrypt their hash info with, at the very least, Blowfish or better, and I'm positive they have a full suite of NIDS and behavioral monitoring software. Most modern networks encrypt their hash info with at least 128 Blowfish-comparable encryption; large companies, or companies that depend on their networks heavily, like ANet, likely use a 256 or better encryption scheme.

One thing that amazes me though is how much credit people give hackers. Hackers prey upon stupidity. Common sense defeats them in most instances. It is a fallacy to think that you cannot create a secure system because a good hacker will always find a way in. I have been responsible for security management on five-nines networks, and with the proper software you can create an airtight security layer around any network or system. It all depends on the software you choose to use and the password scheme you enforce on your network. My personal network is all based on biometrics, with a hardware NAT firewall, a software firewall, NIDS, and an inward-facing software firewall for behavioral monitoring purposes. Now this is just me, a slightly above average user. Imagine what a company with an actual IT budget worth mentioning has on theirs. I think the worst we can expect from any hacker trying to crack your GW password is brute-force techniques or pre-made dictionary lists. If you follow an alphanumeric scheme with a minimum of 10 characters, then you should be more than fine.

/signed
The mythic army of crackers doesn't exist... never has... no one's "hacking" your account. If someone made off with your account, it's of your own doing. As for those who are in possession of the tools needed to attack a modern net... well, it's unlikely all of your sub-par GW accounts are worth the risk regardless of the number stolen... With that said, the army of bored quasi-capable 14-year-olds does exist, and if you hand over enough info... don't complain about the locks when you gave the thief a key to the front door, eh?
Foe
Nov 29, 2006, 02:32 PM // 14:32   #50
Frost Gate Guardian
Join Date: May 2006
Guild: Purple Ravens
Profession: Mo/E

Foe, this is not a sign/unsign thread; the main purpose is to address this security flaw in the client, not to flame users with insecure passwords, nor to blame users.

Keep it informative and flame-free please. I know many players have changed their passwords to something harder to hack (and to memorize) after reading these posts.
luinks
Nov 30, 2006, 03:24 PM // 15:24   #51
Desert Nomad
Join Date: Nov 2005
Location: Eh I forget... o_O
Guild: Biscuit of Dewm [MEEP]
Profession: R/

Indeed, luinks...
Besides, it really does help for some people to "know" that they have that added security even if their account is virtually hack-proof. It's not as if these measures shouldn't be in place by a company anyway.

Those of you who have tested it, please PM your results (respectfully) to Gaile, since she seems to be caught up at the moment with the recent update and other such things.
Eviance
Dec 06, 2006, 04:45 PM // 16:45   #52
Frost Gate Guardian
Join Date: May 2006
Guild: Purple Ravens
Profession: Mo/E

I guess we are too busy to pay attention to a minor issue like this, right?
luinks
Dec 17, 2006, 06:36 AM // 06:36   #53
Desert Nomad
Join Date: Nov 2005
Profession: N/

The biggest problem with not being able to change the log-in name is the fact that the log-in name is an email address. One account has the email from my ISP; what happens when I change ISPs? I no longer have access to that email address, and therefore I can't get access to some of the services like "forgot password".
Markaedw
Dec 17, 2006, 12:46 PM // 12:46   #54
Ascalonian Squire
Join Date: Nov 2006
Guild: Dominus Mysteri
Profession: Me/N

I agree with the person above me. I'm not so much concerned about getting hacked as I am that I will eventually have to move on to a different email address.
Lucien Beaumont

All times are GMT.