I think Ncsoft compromises the security of accounts
luinks
I think that linking your GW account with a masters account compromises your account security by not allowing you to change your login screen name. I remember this being addressed before, and commented on by the RP employee that wanders around this forum, but never updated. I mean they should let us change the login and passwords from inside the NC master account; hackers have plenty of time to brute force passwords if they manage to get our e-mail address.
Another point I'd like to address is that when linking to master account I don't remember any visual confirmation or warning about what the process implied (i.e. not being able to change your screen name anymore).
Well what do you think?
Edit: I tried to change plaync account and they only allow up to 13 characters, alphabet and numbers only... that makes it an even easier target for hackers
Knightsaber Sith
I've seen a thread or two enumerating the ways it compromises security.
Here's a good one http://www.guildwarsguru.com/forum/s...2&referrerid=&
You can change the password from the plaync master account; but still not the account name.
When will everyone learn the difference between Public Relations and Community Relations >_<
Antheus
No game I can remember allows you to change your login/username. Actually, I can't even remember any online service that would allow you to do that.
Knightsaber Sith
^Well GW used to let you change it.
Ritualistic Spankin
Quote:
Originally Posted by Knightsaber Sith
When will everyone learn the difference between Public Relations and Community Relations >_<
|
Back on topic, I agree, it is a HUGE security risk to have everyone tied down to one login e-mail. All it takes is time for people to hack into the accounts, I used to work at a wireless internet company, we had two guys there that would spend a few minutes throwing together a really simple program that would just randomize possible passwords to try to get into our own servers. It is no laughing matter at how easy it can be to get into someone's, anyone's account.
I am the type of person that likes to change my password and account e-mail on all my games at least once every 2 months. With this PlayNC "account lockdown" all I can change is my password. Which isn't enough, once someone has figured out the account e-mail, it is just a matter of time.
This Needs To Be Changed!
lyra_song
I wish there was a way to UNLINK the accounts, after purchasing my extra slots....
MelechRic
It's true that you can't change your account name and I was thinking about why this is so...
I believe it's there to prevent or severely discourage people from selling/trading accounts. Since most account names were originally created with an email address it means that the email address has to go along with any account sold. That's fairly inconvenient for people that just want to re-sell their account after getting tired of the game.
So it locks in sales by preventing re-sale by the casual player. It also compromises security because if someone knows/guesses your e-mail then they are half way there to gaining access to your account. Now they have unlimited attempts at password guessing because as far as I can tell the client doesn't lock itself after any number of failed password attempts.
Hip Stroke
Quote:
Originally Posted by Ritualistic Spankin
once someone has figured out the account e-mail, it is just a matter of time.
This Needs To Be Changed! |
obviously having a user name other than the email account would be cooler
luinks
Quote:
Originally Posted by MelechRic
...Now they have unlimited attempts at password guessing because as far as I can tell the client doesn't lock itself after any number of failed password attempts.
|
Interesting link and thanks for diggin' it up knightsaber
lyra_song
Quote:
Originally Posted by luinks
And that is the main concern of this humble player. If this is client side, then it should be addressed by ANet, right? The client should be programmed to deny too many attempts, I mean how many of us fail to write the pass more than 4 times in a row?
Interesting link and thanks for diggin' it up knightsaber |
Heck, some forums I go to lock up after 5 failed tries. Some lock up at 3. Online banking locks up and logs your IP and requires reactivation.
.-.
Inde
From Gaile Gray about 2 months ago on the multiple logins that can be attempted. It sounded like they changed this but I haven't checked to be sure:
EDIT: Found something more relevant to this thread as well:
Quote:
Originally Posted by Gaile Gray
Quote:
Quote:
|
Quote:
Originally Posted by Gaile Gray
A few days ago, GWG forum members made us aware of a possible problem with PlayNC account security. It seems that a few accounts were stolen, and the concern was raised that the thefts may have resulted because of a shortfall in security through the PlayNC system.
I don't want to get into the mechanics or the details, but I want to thank the forum members who reported this problem, and I want to apologize if any of you felt that you weren't helped as immediately nor as thoroughly as you might have been in the initial stages. I want to express thanks to one member in particular (whom I won't name right now, but you know who you are!) who provided very helpful and detailed information which we used to track down the matter. And you will be interested to know that the appropriate action has been taken on more than one of the accounts of those responsible. I am not at liberty to reveal what that was, but knowing action was taken, and the accounts identified, is probably of some interest to you. As a matter of fact, these thefts were made possible through a combination of errors. I know that GWG has made a change that will prevent the acquisition of information. And you will be pleased to know that there is a major change in the PlayNC system coming within a matter of days. Protocols are being put in place that will greatly reduce--perhaps even make impossible--this particular kind of account theft. That is not to say that all account thefts will be rendered impossible--we could only wish! But the three or four that we know of which were a result of this recent situation will be far less likely to happen in the future. Here are some tips I'd like to share with you:
|
luinks
Thanks Inde, those were the lines I was referring to.
I tried to bad log-in twenty times and it seems no matter how many times I fail to log, it seems you can keep doing it forever...
Str0b0
Quote:
Originally Posted by luinks
I think that linking your GW account with a masters account compromises your account security by not allowing you to change your login screen name. I remember this being addressed before, and commented on by the RP employee that wanders around this forum, but never updated. I mean they should let us change the login and passwords from inside the NC master account; hackers have plenty of time to brute force passwords if they manage to get our e-mail address.
Another point I'd like to address is that when linking to master account I don't remember any visual confirmation or warning about what the process implied (i.e. not being able to change your screen name anymore). Well what do you think? Edit: I tried to change plaync account and they only allow up to 13 characters, alphabet and numbers only... that makes it an even easier target for hackers |
Major no-nos for passwords and for accounts on this game in general. Do not use the same email address you use on the forums for your account email. Forum databases are pretty easy to hack and your email once placed here is not inviolable. Do not use familiar objects or names for your password. Scarier than a brute forcer is social engineering. Yeah, remember that nice guy that you were talking to about your pet that one day? Pet names are commonly used as passwords and while you might have been enjoying the conversation about your dear cat Mr. Snugglebutt he was taking down information to try to hack your account. This applies to boyfriend names, girlfriend names, your type of car, just about anything that you would discuss in the course of a normal conversation.
The bottom line is when it comes to security you are the one upon whom the majority of the responsibility falls. Make use of good common sense and the tools available to you and you should never have a problem.
luinks
yes Str0b0 the thing is brute forcing a password could take even several weeks maybe months, but in the current state of the client, you can leave the brute force prog running wild every day and night until it would hit the nail, sure it will take a long time but is doable.
I'm just pointing out that this client-side flaw is still there, and nothing has been done to fix it. However your suggestions are pretty useful and everyone should take them into account next time they change their pass
Ailyrr Merlena
Quote:
Originally Posted by Hip Stroke
this usually happens when choosing passwords like "password" or "mypass" etc try adding complexity and casual "hackers" like your co-workers are SOL
obviously having a user name other than the email account would be cooler |
As an example, my brother works for a large company, he's the systems security designer. One day, for whatever reason, the finance dept decided to lock him out of the system. It's now gotten to be a matter of how fast he can break into their own system. I believe he said, most recently, that the longest it's taken him is about 12 minutes.
So to actually "hack" a password, it would only be a matter of time. No matter how complex you make it. Phishing, again, a matter of time.
~p.s.~ I have no clue how any of it's done. My brother wrote my basic programs for me when I was in college and had to "write" them for my psych computer program class. He was 13 yrs old at the time. I'm a "plug-n-play" kind of girl.
Matsumi
Kind of reminds me why I never started a plaync account. I think the most I gave them was an e-mail address once a long time ago. I remember hearing about how a lot of people had their accounts jacked from a different country after registering with plaync. Sure enough, from the e-mail address I gave them, somebody tried to reset the password on it, so that kind of confirmed it for me. Not sure if it's from their end or not really, but it just seemed like too much of a coincidence.
Clawdius_Talonious
My email address that is used for my account isn't used anywhere else, I barely log into the thing and have had it for many years. The email address I use online now is my cellphone email addy, so there's no way to make the connection between the two.
My password isn't composed of letters and numbers, I've been considering changing it to something along those lines though, but the bottom line is you could know the password and it would do you no good without the account's email addy.
I was once asked for my password by a guildie (jokingly) and I said sure, you can have the password, but you don't know the email address that the account is attached to. He sat there awhile and tried to spin ways to conceivably acquire the addy, but none of them had any merit considering that the only thing that account is used for now is my GW account and to occasionally send myself emails so that I can read/edit documents on my Sidekick II.
I agree that you should be able to both remove/unlink your PlayNC account and your GW account, and change your email address for your account as you desire. However, everything I've read here suggests that most of these stolen accounts are due to negligence on the part of the account holder (downloading and executing a file containing a virus without scanning it, or even after scanning it can be considered negligence since many keyloggers can be nigh undetectable as they aren't widespread, I personally don't download anything that doesn't come from a site I know to be reputable).
Gaile Gray
Quote:
Originally Posted by luinks
I tried to bad log-in twenty times and it seems no matter how many times I fail to log, it seems you can keep doing it forever...
|
To the others in this thread, using a unique PlayNC user name is more secure than having an email address as entry. The linking of Guild Wars account to PlayNC increases your account security. Coupled with a complex password and an obscure question, this protocol is considered one of the most secure in the security field. Now, if you use "How do you spell red?" as your question, and ABC123 as your password, obviously that's a user failure, not a system shortcoming.
I understand that PlayNC will be offering the option of changing that user name, but not for a while. In the meantime, I have asked about this, repeatedly, and our most knowledgeable programmer has stated, repeatedly, that any shortcomings in the system lie with the user, not the system. Stop and think about it -- changing user name matters not if you use your IGN for your user name! Please keep in mind, we cannot and should not be asked for a dozen different protocols to protect someone from his own failure to choose a password, user name, and security question that are well and truly secure. If he does that, all is well. If he does not do that, no multiple layers of "security" will work in any way, shape, or form.
LumpOfCole
But what about us users who don't know how to spell rehd?
Avatara
I think that it's a really really bad thing that you can't change your account name once you merged it. I'm going to lose my e-mail address on December 1st. And it's really scary that someone will be able to take my old address and do some kinky stuff with it.
luinks
Quote:
Originally Posted by Gaile Gray
...Both PlayNC and Guild Wars prevent brute force attempts with a "time out" with a small number of failed attempts.
|
Can anyone else test it? My client is up to date and should be the same as everyone's... so the behaviour should be the same.
Eviance
Linking to PlayNC from the get-go is a pretty safe bet if you do it right. As of right now because I didn't link from the start and only recently linked I run the risk of getting hacked...
Btw Gaile I feel sorry for the 5 different people who had to help me with my issue -_- 12 key codes, 3 different people, 5 different accounts, no clue who owns what x_x To boot I had given a false birthday from the start (always do it as a safety precaution) and up and forgot what I had entered. But for now it's been sorted and we are just hoping my email hasn't been compromised due to that stupid keylogger.
And yes I am also still waiting to see if plaync blocks because I keep trying a fake password on my account and it keeps attempting (6 times in a row) then I logged in as normal... not to mention I'm not getting any email warnings about failed attempts o_O
And I just tested the GW Client and it allowed me to do it about 20+ times and never once stopped me.
Clawdius_Talonious
Yeah, I tried 40+ times in the GW client and got no time out sort of message. However if I was really drunk and kept punching the wrong keys and accidentally turning on caps lock etc, and GW locked me out for failed password attempts I think I would be frustrated. However, to my own recollection, I have never successfully gotten that drunk (not that I would be able to recall if I had).
Eviance
*rolls eyes @ Clawdius* goober =P
Loviatar
OK
how many of you who have tried it have done what Gaile asked and sent in that information?
possibly even (Gaile forgive me) sent her a POLITE PM confirmation the lockout is not working
Xenex Xclame
Ok it either seems they misinformed you (Gaile) about the timeout issue since apparently it is not working, or it's broken and nobody at Anet and NCSoft knows about it, which makes you wonder how much they try to protect our privacy.
The option of changing your account name is a good one.
Gaile, it's not that we are asking for you guys to put 12 walls before you can get in, it's that you make the ones that are available now good.
-Allow you to change your user name
-Allow you to unlink your account.*
-Allow to use symbols in password**
-Lock down the account for either 2 hours or until you contact Anet with info to make sure it's you, as soon as you get 5 failed attempts***
-Allow us to use something else besides email addresses as account names****
*I know this is a way for you guys to track down people that have sold their account, but it also disallows us to take our own risk; if people think that NCSoft security is not good then let them choose not to handle with.
**The ability to use symbols also increases security so please point this out at plaync with a FDS in your hand.
***Same as my bank pass: I know the pin pretty well, sometimes I forget it, I try to use the ones I think it is, if I fail twice I stop trying and either ask my mom (she knows my pin) or go home and when I remember it try it again. The reason I do this? 'Cause I know the machine will swallow my card at try 3. If I do try 3 times and fail the machine will swallow my card and I will have to ID myself at the bank to get a new card.
****This is a simple one, especially for the people that have linked to plaync this one is good since the people that have linked to plaync can get breached through the plaync site.
If you have linked to plaync your main account will have the @plaync attached to it, which means the people trying to get into your account have less they have to fish out.
Eviance
*sighs* Loviatar you silly, her post didn't say to PM her =P But I did and gave her the results anyways and I directed her back to this thread - hopefully whatever the issue is, it gets resolved!
Lord Sojar
NCSoft's security is lacking. Without the ability to change passwords on the fly or login names, it puts up a nice red flag for brute force hackers to come on in.
Scutilla
Quote:
Originally Posted by Gaile Gray
I have asked about this, repeatedly, and our most knowledgeable programmer has stated, repeatedly, that any shortcomings in the system lie with the user, not the system.
|
(NOTE: That's not a snide remark at Gaile, the ANet devs, or their account security whatsoever, just a humorous off-topic anecdote - I have confidence that ANet's servers are extremely safe. We now return you to your regularly scheduled discussion)
Gaile Gray
Folks,
I need to know more information, from those of you reporting that you can try multiple times without a block on attempts to access the account. Is the account with which you are making this test linked, Guild Wars and PlayNC, or not? Are you putting in the correct user name and then using an incorrect password, or are you using an incorrect user name? If I can have the parameters of the testing, that will help, and thanks for that information.
Also, some time ago, there was a system whereby someone would receive an email if their account was being "pinged" for access beyond a reasonable number. Are any of you getting such an email with your testing?
WetWookie
I am also concerned about not being able to change the email address that I use to log on GW with. What happens if I change ISP and I no longer have access to that email address?
Eviance
No Gaile I did not get ANY emails this time when I tested the PlayNC account. It was the correct user name but the passwords I tried over and over again were random, I got no lock out and no warning emails.
As for the GW Client I was testing, it is linked to PlayNC but it's with an email addy and not the @plaync. It was the correct email address, but I kept punching in random letters and numbers for the password and it just kept letting me. No emails were sent about that either (not really sure if they would, but just throwing it out there in case it's supposed to be).
I have a GW client @plaync account if you would like me to test it as well? Meaning it was originally linked when created and not after the fact like the other one I tested.
(And for the record all tested accounts were indeed my own or my husband's, which yes he is well aware of.)
Wtf Its A Monk
why not just give us the option to unlink our account.....it is our account and in my personal opinion we should be able to have it linked/unlinked as we please....or at the very least give us the option to change the email address that we use to login to our account.
i think 5 attempts at a login is fair....then maybe a 5min cool down time for the user's IP address
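The lockout suggested above (5 failed logins, then a 5-minute cool-down for the source IP, together with the 2-hour account lock proposed earlier in the thread), enforced on the server side. This is an added example, not part of the thread and not ArenaNet or NCsoft code; the class, the 15-minute counting window and the sample account are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5             # failed attempts allowed, as suggested in the thread
IP_COOLDOWN = 5 * 60         # 5-minute cool-down for the source IP
ACCOUNT_LOCK = 2 * 60 * 60   # 2-hour lock for the targeted account
WINDOW = 15 * 60             # assumption: only failures this recent are counted


class LoginThrottle:
    """Server-side limiter: the game client is never trusted to count attempts."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify                  # callable(account, password) -> bool
        self._clock = clock
        self._failures = defaultdict(deque)    # key -> times of recent failures
        self._blocked_until = {}               # key -> time the block expires

    def _blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is not None and now >= until:
            del self._blocked_until[key]       # block has expired
            return False
        return until is not None

    def _record_failure(self, key, now, penalty):
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] > WINDOW:        # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[key] = now + penalty
            recent.clear()

    def attempt(self, account, ip, password):
        now = self._clock()
        acct_key, ip_key = ("acct", account.lower()), ("ip", ip)
        # Checked before the password, so a correct guess made while blocked
        # is rejected exactly like a wrong one.
        if self._blocked(acct_key, now) or self._blocked(ip_key, now):
            return "throttled"
        if self._verify(account, password):
            # Only the account counter resets; otherwise an attacker could clear
            # the IP counter by logging in to an account of their own.
            self._failures.pop(acct_key, None)
            return "ok"
        # Unknown account names are counted too, so the response does not
        # reveal which names exist.
        self._record_failure(acct_key, now, ACCOUNT_LOCK)
        self._record_failure(ip_key, now, IP_COOLDOWN)
        return "denied"


class FakeClock:
    """Constructed clock so the demo does not have to wait two hours."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    salt = b"constructed-salt"                 # constructed sample data

    def kdf(password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    stored = {"player@example.com": kdf("correct horse")}

    def verify(account, password):
        expected = stored.get(account.lower())
        same = hmac.compare_digest(kdf(password), expected or bytes(32))
        return same and expected is not None

    clock = FakeClock()
    throttle = LoginThrottle(verify, clock)
    acct, ip_a, ip_b = "player@example.com", "203.0.113.7", "198.51.100.9"
    out = {}
    out["guesses"] = [throttle.attempt(acct, ip_a, f"guess{i}") for i in range(5)]
    out["sixth_try_right_password"] = throttle.attempt(acct, ip_a, "correct horse")
    out["other_ip"] = throttle.attempt(acct, ip_b, "correct horse")
    clock.now = IP_COOLDOWN + 1
    out["ip_after_cooldown"] = throttle.attempt("other@example.com", ip_a, "x")
    out["account_still_locked"] = throttle.attempt(acct, ip_a, "correct horse")
    clock.now = ACCOUNT_LOCK + 1
    out["after_lock"] = throttle.attempt(acct, ip_a, "correct horse")
    return out


if __name__ == "__main__":
    print(demo())
```

The account lock has the cost raised earlier in the thread: anyone who knows the login name can keep its owner locked out, which is why the per-IP cool-down is tracked separately and is much shorter.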
Avarre
Quote:
Originally Posted by Wtf Its A Monk
it is our account and in my personal opinion we should be able to have it linked/unlinked as we please....
|
luinks
Quote:
Originally Posted by Eviance
No Gaile I did not get ANY emails this time when I tested the PlayNC account. It was the correct user name but the passwords I tried over and over again were random, I got no lock out and no warning emails.
As for the GW Client I was testing, it is linked to PlayNC but it's with an email addy and not the @plaync. It was the correct email address, but I kept punching in random letters and numbers for the password and it just kept letting me. No emails were sent about that either (not really sure if they would, but just throwing it out there in case it's supposed to be). |
9th Requiem
"The government put a chip in my brain to steal my GW password! They're after my ectos!"
Eviance
Quote:
Originally Posted by Wtf Its A Monk
why not just give us the option to unlink our account.....it is our account and in my personal opinion we should be able to have it linked/unlinked as we please....or at the very least give us the option to change the email address that we use to login to our account.
i think 5 attempts at a login is fair....then maybe a 5min cool down time for the user's IP address |
luinks did you check your bulk/junk mail just in case they got filtered? I only had emails in my inbox and none of them were from PlayNC or had any relevance at all to GW and PlayNC - just thought I would check before Gaile asks XD
Russell.Crowe
I agree that it compromises security. Another thing that compromises the security of accounts is the password recovery process. Has anyone actually checked it? I think it is ridiculous that all you have to do is type in your email account to get the password on the account reset. You should at least have to answer some sort of security question along with supplying the email (most other services do this, improves account security). Most other services make you choose a question and answer that only you would know. Under the current system, if your email account was hacked, this person could take over your GW account. IMO this needs to be changed. I have sent emails about this before, and I still see it hasn't been changed.
Loviatar
Quote:
Originally Posted by Russell.Crowe
Under the current system, if your email account was hacked, this person could take over your GW account. IMO this needs to be changed. I have sent emails about this before, and I still see it hasn't been changed.
|
if a hacker is reading your email he is probably reading everything else as well.
in which case.......
GW IS THE LEAST OF YOUR PROBLEMS
<this has been a reality check>
luinks
nope nothing in junk mail eviance :3