I think that linking your gw account with a masters account compromises your security account by not allowing you to change your login screen name, I remember this being addressed before, and commented by the RP employee that wanders around this forum, but never updated. I mean they should let us change the login and passwords from inside the nc master account, hackers have plenty of time to brute force passwords if they manage to get our e-mail address.
Another point I'd like to address is that when linking to master account I don't remember any visual confirmation or warning about what the process implied (ie not being able to change your screen name anymore)
Well what do you think?
Edit: I tried to change plaync account and they only allow up to 13 characters, alphabet and numbers only... that makes it an even easier target for hackers
I think Ncsoft compromises the security of accounts
I've seen a thread or two enumerating the ways it compromises security.
Here's a good one http://www.guildwarsguru.com/forum/s...2&referrerid=&
You can change the password from the plaync master account; but still not the accountname.
When will everyone learn the difference between Public Relations and Community Relations >_<
Quote:
|
Originally Posted by Knightsaber Sith
When will everyone learn the difference between Public Relations and Community Relations >_<
|
Back on topic, I agree, it is a HUGE security risk to have everyone tied down to one login e-mail. All it takes is time for people to hack into the accounts, I used to work at a wireless internet company, we had two guys there that would spend a few minutes throwing together a really simple program that would just randomize possible passwords to try to get into our own servers. It is no laughing matter at how easy it can be to get into someone's, anyone's account.
I am the type of person that likes to change my password and account e-mail on all my games at least once every 2 months. With this PlayNC "account lockdown" all I can change is my password. Which isn't enough, once someone has figured out the account e-mail, it is just a matter of time.
This Needs To Be Changed!
It's true that you can't change your account name and I was thinking about why this is so...
I believe it's there to prevent or severely discourage people from selling/trading accounts. Since most account names were originally created with an email address it means that the email address has to go along with any account sold. That's fairly inconvenient for people that just want to re-sell their account after getting tired of the game.
So it locks in sales by preventing re-sale by the casual player. It also compromises security because if someone knows/guesses your e-mail then they are half way there to gaining access to your account. Now they have unlimited attempts at password guessing because as far as I can tell the client doesn't lock itself after any number of failed password attempts.
Quote:
|
Originally Posted by Ritualistic Spankin
once someone has figured out the account e-mail, it is just a matter of time.
This Needs To Be Changed! |
obviously having a user name other than the email account would be cooler
Quote:
|
Originally Posted by MelechRic
...Now they have unlimited attempts at password guessing because as far as I can tell the client doesn't lock itself after any number of failed password attempts.
|
Interesting link and thanks for diggin' it up knightsaber

Quote:
|
Originally Posted by luinks
And that is the main concern of this humble player. If this is client side, then should be addressed by anet right?, client should be programmed to deny too many attempts, I mean how many of us fail to write the pass more than 4 times in a row?
Interesting link and thanks for diggin' it up knightsaber |
Heck, some forums I go to lock up after 5 failed tries. Some lock up at 3. Online banking locks up and logs your IP and requires reactivation.
.-.
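Added example, not part of any post in this thread: a minimal server-side version of the lockout behaviour described above (lock after a fixed number of failed tries, log the source IP, require reactivation). The class name, the 15-minute counting window and the sample account and addresses are assumptions made for illustration.

```python
import time
MAX_FAILURES = 5          # threshold; the post above mentions sites that use 5 or 3
WINDOW_SECONDS = 15 * 60  # assumption: older failures stop counting

class LoginThrottle:
    """Server-side lockout: count failures, log the source IP, require reactivation."""
    def __init__(self, verify, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.verify = verify          # callable(account, password) -> bool
        self.max_failures = max_failures
        self.window = window
        self.failures = {}            # account -> [(timestamp, source_ip), ...]
        self.locked = set()
        self.audit_log = []           # (timestamp, account, source_ip, event)

    def attempt(self, account, password, source_ip, now=None):
        now = time.time() if now is None else now
        if account in self.locked:
            # Refuse before checking the password: no feedback on guesses while locked.
            self.audit_log.append((now, account, source_ip, "rejected_locked"))
            return "locked"
        if self.verify(account, password):
            self.failures.pop(account, None)
            self.audit_log.append((now, account, source_ip, "success"))
            return "ok"
        recent = [(t, ip) for t, ip in self.failures.get(account, [])
                  if now - t < self.window]
        recent.append((now, source_ip))
        self.failures[account] = recent
        self.audit_log.append((now, account, source_ip, "failure"))
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            self.audit_log.append((now, account, source_ip, "locked"))
            return "locked"
        return "denied"

    def reactivate(self, account):
        """Call only after out-of-band verification, e.g. an e-mailed link."""
        self.locked.discard(account)
        self.failures.pop(account, None)

def demo():
    # Constructed sample data; a real verifier compares against a salted hash.
    throttle = LoginThrottle(lambda acct, pw: (acct, pw) == ("player1", "correct-pw"))
    results = [throttle.attempt("player1", f"guess{i}", "203.0.113.7", now=100.0 + i)
               for i in range(6)]
    results.append(throttle.attempt("player1", "correct-pw", "198.51.100.2", now=200.0))
    throttle.reactivate("player1")
    results.append(throttle.attempt("player1", "correct-pw", "198.51.100.2", now=300.0))
    return results, throttle.audit_log
```

The check has to live on the server, because a limit enforced only in the game client does nothing against a program that talks to the login service directly. A lock keyed on the account name alone also lets anyone who knows that name lock the owner out, which is why many services use growing delays between attempts instead of a hard lock.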
From Gaile Gray about 2 months ago on the multiple login's that can be attempted. It sounded like they changed this but I haven't checked to be sure:
EDIT: Found something more relevant to this thread as well:
Quote:
|
Originally Posted by Gaile Gray
Quote:
-- the instances really cannot be totally or fairly laid at our feet.
|
Quote:
|
Originally Posted by Gaile Gray
A few days ago, GWG forum members made us aware of a possible problem with PlayNC account security. It seems that a few accounts were stolen, and the concern was raised that the thefts may have resulted because of a shortfall in security through the PlayNC system.
I don't want to get into the mechanics or the details, but I want to thank the forum members who reported this problem, and I want to apologize if any of you felt that you weren't helped as immediately nor as thoroughly as you might have been in the initial stages. I want to express thanks to one member in particular (whom I won't name right now, but you know who you are!) who provided very helpful and detailed information which we used to track down the matter. And you will be interested to know that the appropriate action has been taken on more than one of the accounts of those responsible. I am not at liberty to reveal what that was, but knowing action was taken, and the accounts identified, is probably of some interest to you.
As a matter of fact, these thefts were made possible through a combination of errors. I know that GWG has made a change that will prevent the acquisition of information. And you will be pleased to know that there is a major change in the PlayNC system coming within a matter of days. Protocols are being put in place that will greatly reduce--perhaps even make impossible--this particular kind of account theft. That is not to say that all account thefts will be rendered impossible--we could only wish! But the three or four that we know of which were a result of this recent situation will be far less likely to happen in the future.
Here are some tips I'd like to share with you:
|
Quote:
|
Originally Posted by luinks
I think that linking your gw account with a masters account compromises your security account by not allowing you to change your login screen name, I remember this being addressed before, and commented by the RP employee that wanders around this forum, but never updated. I mean they should let us change the login and passwords from inside the nc master account, hackers have plenty of time to brute force passwords if they manage to get our e-mail address.
Another point I'd like to address is that when linking to master account I don't remember any visual confirmation or warning about what the process implied (ie not being able to change your screen name anymore)
Well what do you think?
Edit: I tried to change plaync account and they only allow up to 13 characters, alphabet and numbers only... that makes it an even easier target for hackers |
Major no nos for passwords and for accounts on this game in general. Do not use the same email address you use on the forums for your account email. Forum databases are pretty easy to hack and your email once placed here is not inviolable. Do not use familiar objects or names for your password. Scarier than a brute forcer is social engineering. Yeah remember that nice guy that you were talking to about your pet that one day? Pet names are commonly used as passwords and while you might have been enjoying the conversation about your dear cat Mr. Snugglebutt he was taking down information to try to hack your account. This applies to boyfriend names, girlfriend names, your type of car, just about anything that you would discuss in the course of a normal conversation.
The bottom line is when it comes to security you are the one upon whom the majority of the responsibility falls. Make use of good common sense and the tools available to you and you should never have a problem.
yes Str0b0 the thing is brute forcing a password could take even several weeks maybe months, but in the current state of the client, you can leave the brute force prog running wild every day and night until it would hit the nail, sure it will take a long time but is doable.
I'm just pointing out that this client side flaw is still there, and nothing has been done to fix it. However your suggestions are pretty useful and everyone should take them into account next time they change their pass

Quote:
|
Originally Posted by Hip Stroke
this usually happens when choosing passwords like "password" or "mypass" etc try adding complexity and casual "hackers" like your co-workers are SOL
obviously having a user name other than the email account would be cooler |
As an example, my brother works for a large company, he's the systems security designer. One day, for whatever reason, the finance dept decided to lock him out of the system. It's now gotten to be a matter of how fast he can break into their own system. I believe he said, most recently, that the longest it's taken him is about 12 minutes.
So to actually "hack" a password, it would only be a matter of time. No matter how complex you make it. Phishing, again, a matter of time.
~p.s.~ I have no clue how any of it's done. My brother wrote my basic programs for me when I was in college and had to "write" them for my psych computer program class. He was 13 yrs old at the time. I'm a "plug-n-play" kind of girl.
Kind of reminds me why I never started a plaync account. I think the most I gave them was an e-mail address once a long time ago. I remember hearing about how a lot of people had their accounts jacked from a different country after registering with plaync. Sure enough, from the e-mail address I gave them, somebody tried to reset the password on it, so that kind of confirmed it for me. Not sure if it's from their end or not really, but it just seemed like too much of a coincidence.
My email address that is used for my account isn't used anywhere else, I barely log into the thing and have had it for many years. The email address I use online now is my cellphone email addy, so there's no way to make the connection between the two.
My password isn't composed of letters and numbers, I've been considering changing it to something along those lines though, but the bottom line is you could know the Password and it would do you no good without the account's email addy.
I was once asked for my password by a guildie (jokingly) and I said sure, you can have the password, but you don't know the email address that the account is attached to. He sat there awhile and tried to spin ways to conceivably acquire the addy, but none of them had any merit considering that the only thing that account is used for now is my GW account and to occasionally send myself emails so that I can read/edit documents on my Sidekick II.
I agree that you should be able to both remove/unlink your PlayNC account and your GW account, and change your email address for your account as you desire. However, everything I've read here suggests that most of these stolen accounts are due to negligence on the part of the account holder (downloading and executing a file containing a virus without scanning it, or even after scanning it can be considered negligence since many keyloggers can be nigh undetectable as they aren't widespread, I personally don't download anything that doesn't come from a site I know to be reputable).
Quote:
|
Originally Posted by luinks
I tried to bad log-in twenty times and it seems no matter how many times I fail to log, it seems you can keep doing it forever...
|
To the others in this thread, using a unique PlayNC user name is more secure than having an email address as entry. The linking of Guild Wars account to PlayNC increases your account security. Coupled with a complex password and an obscure question, this protocol is considered one of the most secure in the security field. Now, if you use "How do you spell red?" as your question, and ABC123 as your password, obviously that's a user failure, not a system shortcoming.
I understand that PlayNC will be offering the option of changing that user name, but not for a while. In the meantime, I have asked about this, repeatedly, and our most knowledgeable programmer has stated, repeatedly, that any shortcomings in the system lie with the user, not the system. Stop and think about it -- changing user name matters not if you use your IGN for your user name! Please keep in mind, we cannot and should not be asked for a dozen different protocols to protect someone from his own failure to choose a password, user name, and security question that are well and truly secure. If he does that, all is well. If he does not do that, no multiple layers of "security" will work in any way, shape, or form.

The truth is, there are usually only 6 or 8 answers to that colour question, so someone could "hack" that one pretty simply by just going through the Red-Orange-Yellow song. For your security question, come up with something obscure and something hard to guess.