Concerned: GW accounts can be cracked by simple Brute force attacks?

take_me

take_me

Furnace Stoker

Join Date: Mar 2006

Europe

Country Roads [HOME]

10 Mar 2008 at 19:24 - 1
UPDATE: Youtube finally removed the video: "This video is no longer available due to a copyright claim by NCSoft"
------------------------------------------------------------------------------------------------------------------------

Ok, I just saw something on Youtube which made me quite concerned about the Security of GuildWars accounts.

I was just browsing Youtube for all GuildWars videos that have been added this week.
I found a video showing how to crack GW-accounts by simple brute force attack (= trying all password combinations).
He is also linking to a Download for his program.

The uploader also states, that he get's the Email-adresses for the account from browsing Forums like GW Guru.

If accounts are that simple to crack, Anet should really react and add something like
- a 1-hour wait period after 5 wrong passwords in a row
- a Message about how many failed login attempts there were etc.


NOTE: If this thread violates the guidlines, please remove it.
I will not post the youtube-link or answer to Private Messages unless they come from Mods.

Quote:
Originally Posted by zwei2stein
All he needs is someone download his trojan with keyloger. Bingo, free account. Video is just ad to get people download it en masse
Ok, this sounds more reasonable.
But then I'd like to know, how to report Videos like that from being deleted from Youtube.

Quote:
Originally Posted by DarkWasp
It really is impossible to browse through over 100 million combinations 1 by 1 in GW. Atleast within a few months.
I know that. He states that cracking the account may take up to 2 months, or 2 minutes. He says something about using a dictionary attack and using the most common phrases at first, which means he could crack easy passwords quite fast...

Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
Ye, I think so too now...... but those 500 Views of the Video might not know that.....
-----------------------------------------------------------------------------------------------------------------

Ok, it sounds a lot more reasonable, that he is offering a programm with a Trojan and a Keylogger.
But still... I'd like to know if Anet registers something like failed login attempts....

zwei2stein

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

10 Mar 2008 at 19:29 - 2
Yes, he is breaking into accounts. But not by brute force.

All he needs is someone download his trojan with keyloger. Bingo, free account. Video is just ad to get people download it en masse

Sir Pandra Pierva

Sir Pandra Pierva

Forge Runner

Join Date: Apr 2007

Sardelec yelling at Tenshi

Angels Of Strife

E/

10 Mar 2008 at 19:29 - 3
interesting and scary. one of the reasons why i never use the same email for anything.

Captain Miken

Captain Miken

Banned

Join Date: Jan 2008

10 Mar 2008 at 19:30 - 4
anet should add a way so that we can change pass without dealing with their bullshit support system, that way we can all add an alt code to our pass and render us safe.


þ¥~

however, that video is fake and the program it links to is trojan'd and keyloggered

DarkWasp

DarkWasp

Desert Nomad

Join Date: Mar 2005

Paradise

Agency Of Forbidden Fruits [Oot]

R/A

10 Mar 2008 at 19:31 - 5
It really is impossible to browse through over 100 million combinations 1 by 1 in GW.

Atleast within a few months. I'm sure Arena.Net would notice the insane amount of login tries and block the IP or have you change your email.

So all a 5 minute block after so many password tries would do is annoy people who have quit for a few months, then come back trying all of their passwords to find out which one they used.

Sirius-NZ

Sirius-NZ

Wilds Pathfinder

Join Date: Oct 2007

Bellevue, WA (I know ... but I moved out of NZ)

Xen of Onslaught

D/

10 Mar 2008 at 19:32 - 6
Brute-forcing passwords can easily take years if the internet is involved, and it's basically impossible not to get noticed by ArenaNet fast enough to be stopped. It is a good reason why you should use non-trivial passwords, though.

Axel Zinfandel

Axel Zinfandel

Desert Nomad

Join Date: Sep 2007

Northeastern Ohio

LaZy

P/W

10 Mar 2008 at 19:33 - 7
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.

Captain Miken

Captain Miken

Banned

Join Date: Jan 2008

10 Mar 2008 at 19:33 - 8
guys, my password is password~


Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
the program he is offering is keylogged and trojand.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

10 Mar 2008 at 19:35 - 9
Quote:
that way we can all add an alt code to our pass and render us safe.
NO
Quote:
Originally Posted by SecurityFocus
For example, a five-character password made up of high-ASCII characters will require 25 keystrokes to complete. With 255 possible codes for each character and five characters, the total possible combinations are 255^5 (or 1,078,203,909,375). However, a 25-character password made up of only lower-case letters has 26^25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. Clearly, you are better off just making longer passwords.
Good article, and very relevant to this topic.

Captain Miken

Captain Miken

Banned

Join Date: Jan 2008

10 Mar 2008 at 19:37 - 10
http://www.securityfocus.com/infocus/1554

Quote:
A better approach is to be less predictable. Rather than replacing "o" with "0", try replacing "o" with two characters such as "()" as in "j()hn". And of course, making your password longer will make it even stronger.
Brute forces that the general public have do not even check for alt codes.

Quote:
Although they are useful in some situations, you should also consider the disadvantages. First of all, holding down the ALT key and typing on the numeric keypad is something that can easily be observed by others. Second, creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Note that all of the drawbacks can easily be overcome by: not being a damn retard.

cosyfiep

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

10 Mar 2008 at 19:56 - 11
we have been complaining about the lack of security on the password issue since well, I joined guru!! It simply does NOT make sense to allow unlimited password tries until you get it right---granted it would take a while to figure it out, but you have the time you can do anything I guess.

[Morkai]

[Morkai]

Jungle Guide

Join Date: Oct 2007

Heroes of Elonia [HE]

W/Rt

10 Mar 2008 at 20:03 - 12
Simple. Use personal passwords. Common phrases/words linked to something personal, so only you know it/them.

Anyone dumb enough to download something that says "Omfg luk 'ere 4 ul1mat hax" deserves everything they get.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

10 Mar 2008 at 20:22 - 13
Quote:
Brute forces that the general public have do not even check for alt codes.
l0phtcrack certainly does check for "alt codes".

Quote:
Note that all of the drawbacks can easily be overcome by: not being a damn retard.
Making things more complicated does not equate to an increase in security. You can accomplish exactly the same thing - a non-dictionary password - by just doing what the article suggests: make the password a long phrase.

It's easy to remember, it is, in any practical sense, immune to a dictionary attack, and it's guaranteed to work in most applications that require a password.

Or, you could keep arguing with the successful author and security consultant who's made a good living out of knowing about this sort of thing. I mean, MAYBE he's full of crap, but if that's the case he's pretty damn good at tricking the people that have been paying him and publishing his books over the last few years....

Chthon

Grotto Attendant

Join Date: Apr 2007

10 Mar 2008 at 21:03 - 14
1. My money's on his program being a trojan.

2. Yes, GW accounts are VERY susceptible to brute force attacks. Once an attacker obtains your login, there's no limit to how many tries they can make consecutively, no notification that someone's hammering on your password, and, if your account is linkd to a PlayNC account, no way to change your login. To make matters worse, if your account is linked to a PlayNC account, you are forced to use a weak password.

3. I've posted these elsewhere, but I'm going to post them again for the heck of it. Best practices for keeping your GW account safe:
  • Create a new e-mail address for your GW login, and use it for nothing else. Ever.
    • Don't tell it to anybody.
    • Don't use it for anything. No e-mail. No signing up for forums. Nothing.
    • Make sure it's with an e-mail provider who is going to keep their domain indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure it's with an e-mail provider you're able to keep a relationship with indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure to write down the address and password and keep them with your GW key. You're likely to forget them since you never use the account for anything.
  • Use a strong password. That mean that:
    • It must be at least 10 char long (long is better)
    • It must contain at least one capital letter (A, B, C,...), at least one lowercase letter (a, b, c,...), at least one numeral (1, 2, 3,...), and at least one symbol (!, @, #,...).
    • It must not be any English or foreign word or name found in any dictionary (including slang/urban dictionary) or other reference guide.
    • It must not be any simple cipher of the above. ("!33t" is only trivially harder to guess than "leet.")
  • If your account is not linked to a PlayNC account, then change passwords regularly. If your account is linked to a PlayNC account, and your current password is relatively strong, then do NOT change passwords ever. If your account is linked to a PlayNC account, but your current password is weak, then change passwords regularly.
  • Do NOT link your account to a PlayNC account.
    • If you absolutely must link it, then make sure to switch to a secure e-mail address and strong password BEFORE linking your account, then never change them again.

IlikeGW

Jungle Guide

Join Date: Aug 2005

10 Mar 2008 at 21:08 - 15
This happened in the early days of GW when people had the same forum/game account email. The answer is pretty simple, don't ever use your game account email on a guild wars fan site.

slowerpoke

slowerpoke

Desert Nomad

Join Date: Jul 2007

Cuba

10 Mar 2008 at 21:11 - 16
lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, its a trap

Ultimate Flash

Ultimate Flash

Ascalonian Squire

Join Date: Jan 2007

Kansas USA

The Makavelli Lords [TML]

A/

10 Mar 2008 at 21:20 - 17
Quote:
Originally Posted by slowerpoke
lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, its a trap
Doesn't Youtube have a way to report this kind of malicious activity?

take_me

take_me

Furnace Stoker

Join Date: Mar 2006

Europe

Country Roads [HOME]

10 Mar 2008 at 21:24 - 18
Quote:
Originally Posted by Ultimate Flash
Doesn't Youtube have a way to report this kind of malicious activity?
Yes, I used the "Flag"-Feature, but I suppose there is more that 1 Flag needed to report the video and since I don't want to post the link here.......

Buddhaofwar

Buddhaofwar

Frost Gate Guardian

Join Date: Feb 2008

Flying Gophers

W/

10 Mar 2008 at 21:37 - 19
just don't use words for your passwords. I recommend mashing your keyboard and seeing what comes up, then write it down somewhere. it may take a few second more to type each time, but you are WAY safer, as dictionary attacks won't do shit, etc...

DarkFlame

Desert Nomad

Join Date: Feb 2005

Ascalon

E/

10 Mar 2008 at 21:37 - 20
Actually it was already posted here, likely by the same person who created the YouTube vid. The mods were rather quick in deleting it.

And like Chthon said, create an email account for GW and GW only. Change your forum account to something else or just don't display it, if its already the same as your game account. Also don't use that email for IM purposes, the Youtube vid also suggests gaining account names that way.

warcrap

Krytan Explorer

Join Date: Sep 2007

somewhere on earth!

E/Me

10 Mar 2008 at 22:14 - 21
he has to figure the account name also.

Dylananimus

Dylananimus

Lion's Arch Merchant

Join Date: Mar 2007

The Eternal Champions

W/Mo

10 Mar 2008 at 22:30 - 22
Try reporting it by more than flagging. YouTube basically don't really care if something offends you, but something like this should warrant investigation. The following is a link to report the user for breaching privacy (which is what he'll be doing by stealing your passwords with his keylogger)...

http://www.google.com/support/youtube/bin/answer.py?answer=78346&hl=en_US%3EHelp%20Center%3C/a%3E.%3C/li%3E%3Cli%3E%3Cb%3EInappropriate%20Content:%3C/b%3E%20To%20report%20an%20inappropriate%20video%20 on%20YouTube,%20please%20click%20the%20%22Flag%22% 20link%20under%20the%20video.%20For%20details,%20p lease%20%3Ca%20href=

Thats one hell of a long link I know, but YouTube doesn't want you complaining unless you're a big business, with lotsa money, and have copyright claims.

Scroll down to where it says "continue" (as a link), so you can tell them details about the video.

Master Knightfall

Banned

Join Date: Dec 2007

10 Mar 2008 at 22:39 - 23
my password is supercalifragilisticexpeialedocous spelled backwards.

take_me

take_me

Furnace Stoker

Join Date: Mar 2006

Europe

Country Roads [HOME]

10 Mar 2008 at 22:43 - 24
Ok, the video has been removed, but it had about 600 views in 2 days and I hope no one was stupid enough to try the program......

Two April Mornings

Two April Mornings

No Luck No Time No Money

Join Date: Nov 2005

Amherst College, MA

Scars Meadows [SMS]

Me/

10 Mar 2008 at 22:47 - 25
Quote:
Originally Posted by zwei2stein
Yes, he is breaking into accounts. But not by brute force.

All he needs is someone download his trojan with keyloger. Bingo, free account. Video is just ad to get people download it en masse

Totally true.

Numa Pompilius

Numa Pompilius

Grotto Attendant

Join Date: May 2005

At an Insit.. Intis... a house.

Live Forever Or Die Trying [GLHF]

W/Me

10 Mar 2008 at 22:57 - 26
I take it our resident ?chinese? "click this link for free Wii" keylogger-spammer has come up with a new way to get people to run his keylogger.

FeroxC

Krytan Explorer

Join Date: Mar 2006

EOA

P/W

10 Mar 2008 at 23:44 - 27
Dont underestimate Anet. If they can design the self updating system for GW, they can stop a brute force attack.

If this hacking program is legitimate(and not a trojan) The odds are anybody who uses that program is going to have their IP logged and the victims account frozen for 15 minutes. E.G. get nowhere

Ctb

Desert Nomad

Join Date: Apr 2006

W/

11 Mar 2008 at 00:04 - 28
Quote:
Ok, the video has been removed, but it had about 600 views in 2 days and I hope no one was stupid enough to try the program......
Trust me, they were.

Bluefeather

Bluefeather

Lion's Arch Merchant

Join Date: Dec 2005

Philippines

[PNOY]

W/R

11 Mar 2008 at 00:15 - 29
im noob but brute-forcing is not a possibility. most likely trojan and/or keylogger.

freaky naughty

Krytan Explorer

Join Date: Sep 2007

Mo/N

11 Mar 2008 at 00:57 - 30
Brute-forcing is simply not worth it, how could people be stupid enough to make their passwords four easy to guess characters? Like "leet" "rape" "sick". Once again shows that only complete retards can be brute-forced.

freaky naughty

Krytan Explorer

Join Date: Sep 2007

Mo/N

11 Mar 2008 at 00:57 - 31
Brute-forcing is simply not worth it, how could people be stupid enough to make their passwords four easy to guess characters? Like "leet" "rape" "sick". Once again shows that only complete retards can be brute-forced.

Ekelon

Ekelon

Jungle Guide

Join Date: Dec 2005

Rebel Rising [rawr]

A/W

11 Mar 2008 at 02:31 - 32
This is pretty epic fail.

Do you realize how many valid password combinations there are? Obviously, if you have a generic password like "123" or "cheese", then of course you'll get hacked. But let's say you use 8 letters in your password and use alpha-numeric lettering... then that's 8 to the power of (36), there being 36 people combinations. Yup, that comes up to roughly 3.25 times ten to the 32nd. Ouch.

So yes, you can brute-force an account with an easy password (one that might take under a decent amount of tries), but that would be your own fault for such an easy password.

RedStar

RedStar

Wilds Pathfinder

Join Date: Jul 2007

_____________________ (\__/) (\__/) (\__/)Help (='.'=)(='.'=)(='.'=)Bunny (")_(")(")_(")(")_(")

[Bomb]

E/

11 Mar 2008 at 02:37 - 33
There is 3125 possible combination if you use a 5 letter password and correct me I am wrong, the guild wars password is case sensitive.
And if you want to be safe, by yourself a french keyboard, that way he won't be able to reproduce the accent (well it will take him a lot more time if you can input accents).

Chthon

Grotto Attendant

Join Date: Apr 2007

11 Mar 2008 at 03:06 - 34
Quote:
Originally Posted by FeroxC
Dont underestimate Anet. If they can design the self updating system for GW, they can stop a brute force attack.
Nothing can stop a brute force attack. All you can ever hope to do is slow it down enough that the payoff isn't worth the effort.

enishicz

Pre-Searing Cadet

Join Date: Feb 2008

11 Mar 2008 at 03:13 - 35
Quote:
Originally Posted by Numa Pompilius
I take it our resident ?chinese? "click this link for free Wii" keylogger-spammer has come up with a new way to get people to run his keylogger.
not all bot runner/hacker/bad people are Chinese....

pamelf

pamelf

Forge Runner

Join Date: Aug 2006

Australia

Lost Templars [LoTe]

Me/Mo

11 Mar 2008 at 03:26 - 36
That's another reason we should be able to change our emails in the login screen...

Numa Pompilius

Numa Pompilius

Grotto Attendant

Join Date: May 2005

At an Insit.. Intis... a house.

Live Forever Or Die Trying [GLHF]

W/Me

11 Mar 2008 at 03:40 - 37
Quote:
Originally Posted by enishicz
not all bot runner/hacker/bad people are Chinese....
No, but this guy has his site hosted on a chinese site. That, of course, doesn't necessarily mean he's chinese himself, hence the "?".

Sirius-NZ

Sirius-NZ

Wilds Pathfinder

Join Date: Oct 2007

Bellevue, WA (I know ... but I moved out of NZ)

Xen of Onslaught

D/

11 Mar 2008 at 04:08 - 38
I suspect by far the best bang-for-buck method to break into accounts is to use modified dictionary attacks, rather than pure brute force; this being that quite a lot of people will use simple words, or sequences of words, possibly with some trivial character replacement, and think they're OK. While this gives only a modest probability of breaking into any one person's account, if you try enough you probably will get a few.

Chances are the number of tries will be large enough ArenaNet will still notice though. You're having to send requests to a server, so it'll still be a slow process, even if an order of magnitude faster than raw brute-force.

Saraphim

Saraphim

Jungle Guide

Join Date: Mar 2006

The Hand of Omega [WHO]

E/

11 Mar 2008 at 04:36 - 39
Quote:
Originally Posted by pamelf
That's another reason we should be able to change our emails in the login screen...
Agree, I find it bonkers that you can't change your game account login name but you can change your PlayNC account name.

For passwords I generally headbutt my keyboard and save it as a .txt file with a stupid unrelated name. Works for me !

Ace2001

Frost Gate Guardian

Join Date: Apr 2007

D/W

11 Mar 2008 at 05:49 - 40
Quote:
Originally Posted by Chthon
3.[*]Make sure it's with an e-mail provider you're able to keep a relationship with indefinitely. ([email protected] is good; [email protected] is bad.)
I'm going to be a real nit-picker here, but, a school's e-mail address is always .edu, not .com. (Well, every school me and my 'net friends have ever been to was.)

All you really have to do is put numbers in your password, and you're semi-safe. D:

Hell, my password uses both letters and numbers, AND the word(s) involved are not in the english dictionary.(Hell, it/they may not be in any dictionary.) I'm pretty frickin' secure, lol.