65 replies to this topic

[Khalija]

Martin Kerstein has written a new blog article stating that there will be a mandatory password change coming soon. As mentioned in a previous article by Mike O'Brien, ArenaNet has created a blacklist of passwords that have been previously used by hackers for new accounts. Since the system has been rather successful for newly created accounts, they will be forcing existing account owners to change their old passwords.

If you still have the red banner at the top of your launcher, it means your password precedes the blacklist and you will eventually be forced to change it. You can go ahead and change your password at your leisure, but if you wait, you will be forced to change it on February 7th.

[Azure Skye]

I think a few people are going to get mad over this but i think its a good idea with people that are using crummy passwords. >.<

[Bohya]

This is *ing retarded. I'm not the type of person who's password is ''1234'', but I have to fall victim to this. I've never been hacked nor will I ever be, but because of those idiots that essentially let themselves get hacked, I have to pay the price. I like to have a constant password for everything, because I can remember it. I don't want to have five different passwords floating around in my head and more forgotten because of ArenaNet thinking that we are all twelve year olds. I've been a devoted fan since Prophecies, but they have lost my respect by forcing this change.

[Raagar Deathclaw]

[quote name='Bohya' timestamp='1359676272' post='2155634']
This is *ing retarded. I'm not the type of person who's password is ''1234'', but I have to fall victim to this. I've never been hacked nor will I ever be, but because of those idiots that essentially let themselves get hacked, I have to pay the price. I like to have a constant password for everything, because I can remember it. I don't want to have five different passwords floating around in my head and more forgotten because of ArenaNet thinking that we are all twelve year olds. I've been a devoted fan since Prophecies, but they have lost my respect by forcing this change.
[/quote]

if this is all it takes for anet to lose your respect than it obviously isn't worth much to begin with, having said that i agree with the rest of your post i just think this is a bit of an overreaction

[beadnbutter32]

Wait are is the series of slickly produced videos with paid 'spokes people' portraying themselves as young hip developers hyperventilating about the new "Living Security Adventure" to be released February 7th?

I can hear their melodious voices now waxing ecstatic over how you will be able to choose any combination of characters for a list of over 256 and arrange them in any order before you test them against the super boss known as "Password Validity Checker."

Oh I can't wait, Anet knocks another one out of the sandlot.

[Dosearius]

[quote name='Bohya' timestamp='1359676272' post='2155634']I like to have a constant password for everything[/quote]


Wait...wut?  Are you basically saying that you would use the same password you use for your guild wars account with say, your email account and your guru account??


If so then THAT is exactly why Anet feels the need to do this.

[Omega X]

This is a very good idea. You get 'hacked' often because of weak passwords. Criminals are very good at using common terms to get into accounts.

The great service hackfest that went on in the past couple of years forced me to use a new method for passwords at every site I used.

[Featherman]

I think there's something to be said about how ANet has to enforce this. I mean, how hard is it to change passwords every now and then?

[Bohya]

[quote name='Dosearius' timestamp='1359676804' post='2155640']
Wait...wut?  Are you basically saying that you would use the same password you use for your guild wars account with say, your email account and your guru account??


If so then THAT is exactly why Anet feels the need to do this.
[/quote]

Are you implying that I am careless with my password? Having used my particular password for over a decade, I have not once been hacked. I have always been overly cautious. Also, who ever said that I use my password for those programmes? I have many of my accounts set up to never require a password anyway, as there are far more security options which work even better than just a simple catchphrase. The people who are being hacked in Guild Wars 2 are those who have never heard of authentication. This is an authentication issue, not nessisarily the fact that people are careless with their passwords. ArenaNet should force authentication, not a password change which just becomes inconvenient to everyone else.

[whodini]

[quote name='Bohya' timestamp='1359676272' post='2155634']
This is *ing retarded. I'm not the type of person who's password is ''1234'', but I have to fall victim to this. I've never been hacked nor will I ever be, but because of those idiots that essentially let themselves get hacked, I have to pay the price. I like to have a constant password for everything, because I can remember it. I don't want to have five different passwords floating around in my head and more forgotten because of ArenaNet thinking that we are all twelve year olds. I've been a devoted fan since Prophecies, but they have lost my respect by forcing this change.
[/quote]agreed to some respect unfortunately there seems to be 13 year old players out there

[Darkobra]

[quote name='Bohya' timestamp='1359676272' post='2155634']
This is *ing retarded. I'm not the type of person who's password is ''1234'', but I have to fall victim to this. I've never been hacked nor will I ever be, but because of those idiots that essentially let themselves get hacked, I have to pay the price. I like to have a constant password for everything, because I can remember it. I don't want to have five different passwords floating around in my head and more forgotten because of ArenaNet thinking that we are all twelve year olds. I've been a devoted fan since Prophecies, but they have lost my respect by forcing this change.
[/quote]

Number 1. Using the same password for everything? THAT ALONE will mean when you get hacked, you will lose every single thing that one password is connected to. That's a rookie mistake. Especially with fansites being hacked and passwords being stripped from those. They essentially already have your password now.

Number 2. In the time it took you to type that entire post, I've managed to change my password and read your reply. It's not a time-consuming task.

Number 3. How fickle is your respect that when they look out for their player base and their product, you suddenly "lose respect" for them?

You have made a LOT of mistakes. You've been lucky. It was a matter of time before you DID get hacked. You should have MORE respect for them protecting your account.

[Bohya]

[quote name='Darkobra' timestamp='1359678527' post='2155662']
Number 1. Using the same password for everything? THAT ALONE will mean when you get hacked, you will lose every single thing that one password is connected to. That's a rookie mistake. Especially with fansites being hacked and passwords being stripped from those. They essentially already have your password now.

Number 2. In the time it took you to type that entire post, I've managed to change my password and read your reply. It's not a time-consuming task.

Number 3. How fickle is your respect that when they look out for their player base and their product, you suddenly "lose respect" for them?

You have made a LOT of mistakes. You've been lucky. It was a matter of time before you DID get hacked. You should have MORE respect for them protecting your account.
[/quote]

1) All my programmes can only be accessed under certain circumstances, password or not.
2) It's not about how easy it is to change your password. It's about the fact that I find it convenient to carry around only one password.
3) Because they are pushing account protection the wrong way and just meddling around with that which does not matter, making it inconvenient for the reasons stated in ''2)''.

Don't call me lucky. I have never been hacked and I never will, because I will it. Don't go around thinking that I am not actively protecting my information. That's insulting...

[Darkobra]

You have ONE password. You're not. And the fact that you've done it for "over a decade" at the age of 22 means nothing. How good was your password when you were 10 years old?

[whodini]

Yes. It is always a good idea to use different pw's but if your confident enough and strictly should be the right to the player to know that there same pw won't be hacked.  All mine never have been for over 20 yrs now

[Digilodger]

[quote name='Bohya' timestamp='1359678411' post='2155659']
Are you implying that I am careless with my password? Having used my particular password for over a decade, I have not once been hacked. I have always been overly cautious.
[/quote]

To add to what [url="http://www.guildwars2guru.com/topic/79969-mandatory-password-change-is-coming/#entry2155662"]Darkobra has said[/url], sometimes it isn't your carelessness; it's the webmaster's carelessness . . . that happens to affect you.  


For example, let's say that you use the same password for your email, Guild wars2 Guru, Xbox Live, and some other sites.  Then suddenly, one of these sites' database got hacked by someone.  If the site doesn't salt and encrypt your password but instead transfers and stores it in plain text, then the cracker now has access to everyone of your accounts.

Also, besides other people's carelessness, you could also be unlucky.  For example, if you're on a non-secure WiFi  such as a public library or coffee shop, someone could "sidejack" you and steal your cookie session.

Edited by Digilodger, 01 February 2013 - 12:43 AM.

[whodini]

[quote name='Darkobra' timestamp='1359678978' post='2155665']
You have ONE password. You're not. And the fact that you've done it for "over a decade" at the age of 22 means nothing. How good was your password when you were 10 years old?
[/quote]LOL they didn't even have atari, commadore 64 out when I was 10

[Auenwing]

Thanks for the heads up.

Nothing is hackable-safe, however, I know my password (unique to this game) is strong enough.

I'll change it. Then change it back.


PS: Dear ANet, it would help if you would allow at least spaces, if not non-alphabetic, non-numeric characters in the passwords (e.g. special characters.) Unless that has changed since release?

Edited by Auenwing, 01 February 2013 - 12:57 AM.

[whodini]

All I'm saying if the Guy or gale  feels strong about it let them do it there way. Thy didn't ask for help and was clear there not taking advice.  That situation just let it go

[Danael]

They also wrote that you [b]have [/b]to change the password [b]if[/b] yours is blacklisted. Which you see by a notice in the launcher. If it's not there I think it's safe to assume that you won't be [b]forced [/b]to change it.

[quote name='Auenwing' timestamp='1359679624' post='2155677']
I'll change it. Then change it back.
PS: Dear ANet, it would help if you would allow at least spaces, if not non-alphabetic, non-numeric characters in the passwords.
[/quote]

Please read the blog post again: they wrote quite deliberately that you can't use old passwords. Also, mine has non-alphabetic and non-numeric characters. It should therefore be possible for you as well.

[jazzbrownie]

Fantastic.  I have a 16 character password (uppercase, lowercase, numbers, special characters) that I only use for GW2, which is tied to an email address used only for GW2 (and requires an authenticated log in) . . . and they're telling me that my password made a blacklist?

I call bullshit.

I've ignored their insistence that I create a new password for a reason: my account is not in jeopardy.

I know this is a silly thing to get upset over, and I still generally feel that people complain about anet and the game way too much, but it's annoying that I'm going to have to learn yet another password after all of my precautions.

[NuclearDonut]

I just changed my password and I quite like it, do I still have to change again?

[Tellia]

i dont get why everyone should be punished for SOME players bad luck, carelessness or stupidity. and yes it is a punishment, i dont WANT to change my damn password. i like the one i am using now, i invented it for gw2 specifically and it took me a while to memorize it, and it is secure, so its only being changed for changes sake and not because it is a bad password or compromised password.

well now i got what, 6 days to make yet another password for no frigging reason.

Edited by Tellia, 01 February 2013 - 02:43 AM.

[pumpkin pie]

The thing is , if ArenaNet is going to force me to change password, ArenaNet better have a secure enough way to do it, because mass amount of players doing the same thing is field trips for hackers, otherwise DO NOT  force me to do it. because the last time i do something you ask me to - linking account, I got hacked!!!!!!!!

Beside your click here to update email address function isn't even working properly,!! i did it twice and I am still being asked to update it. because you never provided a working link, how am i suppose to trust you with this email update? HUH? how?

[Beale]

Bohya, on 01 February 2013 - 12:26 AM, said:

Are you implying that I am careless with my password? Having used my particular password for over a decade, I have not once been hacked. I have always been overly cautious. Also, who ever said that I use my password for those programmes? I have many of my accounts set up to never require a password anyway, as there are far more security options which work even better than just a simple catchphrase. The people who are being hacked in Guild Wars 2 are those who have never heard of authentication. This is an authentication issue, not nessisarily the fact that people are careless with their passwords. ArenaNet should force authentication, not a password change which just becomes inconvenient to everyone else.

You are very trusting.

There was at least one security incident in the last year where the password file was stored in plaintext on the server, and a hacker was able to obtain a copy.  That would be bad, because they would then have your userid and password combination.

Further, the normal way of storing password files on Unix servers for the longest time was a file with the userid and then a one way hash of the password.  I suspect there is a lot of this still out in the world.  In this case a hacker who gets this file can attempt a dictionary crack of every ID-password pair in the file, and then for the passwords which are cracked use that same id-password pair on all the high value sites they can find (PayPal and Amazon come to mind).  This is actually the attack which ArenaNet is trying to defend against by enforcing password strength (minimize the chances of the dictionary attack getting anywhere).

So it's fine if you have an authenticator on your GW2 account.  But if you've used the same userid password pair anywhere else, which doesn't use an authenticator type device, you're quite exposed.  Good luck.

[Reverse Ghost]

KeePass

Use a program to generate and "remember" very complex and secure passwords. It has auto-type!

Edited by Reverse Ghost, 01 February 2013 - 04:40 AM.

[Kaiarra]

I'm not using my GW2 password anywhere else and I really see no reason why I should be forced to change it... especially not on top of the inconvenience of them locking me out of my account every time my IP changes (aka, every time my router is reset).

Seems like they're forcing everyone to change if you made an account before Sept 12th, regardless of if your password is even on their blacklist... I don't get why unless they know they got compromised? If our passwords aren't on the black list why on earth do we need to change them? Because it was just easier to just force everyone to do it?

Seriously not amused...

[typographie]

NuclearDonut, on 01 February 2013 - 01:32 AM, said:

I just changed my password and I quite like it, do I still have to change again?

Read the article..

"Thus, if you are still using a password that was chosen before the introduction of password blacklisting on September 12, 2012, you will need to choose a new password."

[caballo_oscuro]

While periodically changing your passwords for every account you have and not using the same password for everything is good password practice, what surprises me is how anet has a list of passwords at all...

does anet not use a hashed password and simply store the hash? if they're storing and sending passwords for the game in clear text no effing wonder so many accounts are being hacked...

[Enchanted Krystal]

Darkobra, on 01 February 2013 - 12:28 AM, said:

..Number 2. In the time it took you to type that entire post, I've managed to change my password and read your reply. It's not a time-consuming task..

The problem is not the "time it takes", but the annoyance of having to remember yet another changed password, when my old one was elite already.  With a wife & 3 young kids, I have much more important things to remember than "Oh snap, now what did I change that password to?"

I can see how this can be a problem, but why do I have to pay for other people's lack of "Commor Sence"?  I have had the same password for about 6 years now & I have never been hacked, obviously it worked just fine & it is unique to my GW account's only.

Not happy jan.....

Spoiler

[Strawberry Nubcake]

I don't understand why the people that used what they consider the most awesome password ever for 5-10 years don't just add an additional letter or number to it instead of getting pissed off.  How hard could that possibly be to remember?

Edited by Khalija, 01 February 2013 - 04:56 PM.
removed the insult