17 replies to this topic

[RAD]

https://www.guildwar...count-security/

Looks like they are doing something about this despite what the vocal minority have been saying.

The blacklist system seems to be particularly effective and I suggest we all heed to Mr. O'Brien and do what he says about changing passwords.

Edited by RAD, 21 September 2012 - 02:06 AM.

[Ritualist]

So, where are character/items restorations?

[Eon Lilu]

Thats a pretty awesome announcement they made, shows there taking security seriously and tackling the problem.

3 things they really need to sort out fast though.

In game admins to insta ban spammers and sellers in the chats and towns. Its taking them too long to do this.

Replacing lost items due to bugs and hacked accounts. They promised this as a feature, they need to get it working.

Mail blocking system in game that filters out spam mails that are gold selling.

Edited by Eon Lilu, 21 September 2012 - 08:27 AM.

[viespea]

Very nice attitude from a company, that is how you respect your customers. I`m curious about authenticator.

[Neato]

Hopefully they actually get key fob authenticators for those of us that either don't have cell phones, or don't want our account linked to our cell / home phones.

[Senatic]

This is all great and all, but two things.

• My brother got hacked, he had set up a completely brand new email address for Guild Wars 2, with a unique password he had never used before, he then created his guild wars 2 account with a brand new nickname and password combination also unique, never used anywhere before.
  
  
• I worked really hard to come up with a new secure password for Guild Wars 2 that I had never used anywhere, now you're gonna force me to change it?

Edited by Senatic, 21 September 2012 - 09:16 AM.

[Sevens]

Senatic, on 21 September 2012 - 09:14 AM, said:

This is all great and all, but two things.

• My brother got hacked, he had set up a completely brand new email address for Guild Wars 2, with a unique password he had never used before, he then created his guild wars 2 account with a brand new nickname and password combination also unique, never used anywhere before.
  
  
• I worked really hard to come up with a new secure password for Guild Wars 2 that I had never used anywhere, now you're gonna force me to change it?

Sounds like your brother might have a key logger?

[Senatic]

Sevens, on 21 September 2012 - 09:45 AM, said:

Sounds like your brother might have a key logger?

Shouldn't have mattered even if that was the case, he was also using the email authentication protection.

[Sevens]

So are you saying that it was obtained from Anet? that their database was compromised?
if that were the case then by law they would be required to inform the public, its not something they can keep secret
And if (this is just an if) they got it from a key logger then they could have easily got his email addy too?
I dont know, Im not a hacker or really that up on computers....I was able to load and run GW2 and thats about my extent of computer savvy tbh. And its funny, i have been on MMOs since the launch of Everquest 1 in 1999 and have played most major MMOs with the exception of WoW and I have never once got hacked Thank the six!

[Righteous]

RAD, on 21 September 2012 - 02:05 AM, said:

The blacklist system seems to be particularly effective and I suggest we all heed to Mr. O'Brien and do what he says about changing passwords.

Oh boy! *waits for threads about how all the good names passwords are taken*

And are they really saying that ONLY PEOPLE WITH SMARTPHONES will get two-factor authentication?!

I wouldn't mind paying one-time for a hardware authenticator... but a smartphone that costs orders of magnitude more? That I have no other use for? Plus the monthly bills for it? No way.

I seriously hope A-net has more in the pipeline than Google Authenticator.

Edited by Righteous, 21 September 2012 - 01:02 PM.

[BrettM]

I would be impressed with their passion for security except for two things:

1. When I created my GW2 account, it forced me to use a real email address as a user ID, replacing the fake one (an "@ncsoft" address that wasn't even real email) I used for GW1. Even worse, it forced me to change it for GW1 at the same time. Forcing the use of real email addresses for IDs is just plain idiotic. Anyone who can get your email address has a head start on hacking your account. At the very least they should have given us clear advanced warning so that we would know to create a new email address somewhere just for GW2.

2. The random-words idea is great. Too bad the only instructions on the screen to change your password are "minimum of eight characters", which would make most users assume that it will only accept the type of password still in common use everywhere on the net. Eight characters, no spaces, etc. How much effort would it take to add a few lines of text to that screen to make people aware of a better method for creating a long, strong password?

Edited by BrettM, 21 September 2012 - 01:15 PM.

[MisterB]

This is a good reason to change my password and take advantage of the new 100 character limit.

Righteous, on 21 September 2012 - 12:59 PM, said:

Oh boy! *waits for threads about how all the good names passwords are taken*

And are they really saying that ONLY PEOPLE WITH SMARTPHONES will get two-factor authentication?!

I wouldn't mind paying one-time for a hardware authenticator... but a smartphone that costs orders of magnitude more? That I have no other use for? Plus the monthly bills for it? No way.

I seriously hope A-net has more in the pipeline than Google Authenticator.

Quote

Several third party implementations are available.

http://en.wikipedia....#Implementation

My mobile was US $40, but it is now $30, and it can run one of those(the J2ME version). I also have no contract or monthly fee at all (Net10).

[Senatic]

Sevens, on 21 September 2012 - 10:42 AM, said:

So are you saying that it was obtained from Anet? that their database was compromised?
if that were the case then by law they would be required to inform the public, its not something they can keep secret
And if (this is just an if) they got it from a key logger then they could have easily got his email addy too?
I dont know, Im not a hacker or really that up on computers....I was able to load and run GW2 and thats about my extent of computer savvy tbh. And its funny, i have been on MMOs since the launch of Everquest 1 in 1999 and have played most major MMOs with the exception of WoW and I have never once got hacked Thank the six!

No that's not what I'm saying, I'm not quite sure how my brother got hacked quite frankly, but what I'm saying is that it's not always as simple as "You were being an idiot and used the same PW/username on multiple sites".

[Aveneo]

All I want is a physical authenticator like this:

[Righteous]

MisterB, on 21 September 2012 - 03:41 PM, said:

My mobile was US $40, but it is now $30, and it can run one of those(the J2ME version). I also have no contract or monthly fee at all (Net10).

Good for you :-P

But I already have a mobile phone. It's simple, and does everything I need (just phone calls, text messages - and being so simple, it has long battery life). It was free from my service provider, who give me more free airtime and text messages than I can ever use, for peanuts - because it's part of a cheap bundle deal for mobile, landline, cable TV and cable internet.

If I switch to a new (smart)phone my bundle is messed up and I will pay more. If I buy a smartphone separately instead - I will have an extra phone that is useless to me except for one purpose: GW2 authentication, and likely cost monthly too.

I live in the UK, so whatever cheap deals you get in America are unfortunately no use to me.

What I really want is a hardware authenticator like Aveneo posted above - simple, cheap, you only pay one time, and they work.

[Righteous]

There may be hope for people who do not have (or want) smartphones or Apple products!
It seems there is Google Authenticator for Windows PCs: https://code.google.com/p/gauth4win/

I would still rather have a hardware authenticator though :-P

[Doctor Overlord]

Great post from Mike O.   This is the kind of thing that makes me glad to be a customer of a company like ArenaNet.   The comic about passwords was very amusing too.

Aveneo, on 21 September 2012 - 04:09 PM, said:

All I want is a physical authenticator like this:

That would be kind of cool.

[Kendil]

This was a really well written post, and is one of the many reasons why I really like Anet (and the fact that they make amazing games). *goes to change my password, even though it's unique and have never been used anywhere else, just because Mike asked me to do it*