Concerned: GW accounts can be cracked by simple Brute force attacks?

take_me
Furnace Stoker
#1
UPDATE: Youtube finally removed the video: "This video is no longer available due to a copyright claim by NCSoft"
------------------------------------------------------------------------------------------------------------------------

Ok, I just saw something on Youtube which made me quite concerned about the security of GuildWars accounts.

I was just browsing Youtube for all GuildWars videos that have been added this week.
I found a video showing how to crack GW accounts by a simple brute force attack (= trying all password combinations).
He is also linking to a download for his program.

The uploader also states that he gets the e-mail addresses for the accounts from browsing forums like GW Guru.

If accounts are that simple to crack, Anet should really react and add something like
- a 1-hour wait period after 5 wrong passwords in a row
- a Message about how many failed login attempts there were etc.


NOTE: If this thread violates the guidelines, please remove it.
I will not post the youtube-link or answer to Private Messages unless they come from Mods.


Quote:
Originally Posted by zwei2stein
All he needs is for someone to download his trojan with a keylogger. Bingo, free account. The video is just an ad to get people to download it en masse.
Ok, this sounds more reasonable.
But then I'd like to know how to report videos like that so they get deleted from Youtube.

Quote:
Originally Posted by DarkWasp
It really is impossible to browse through over 100 million combinations 1 by 1 in GW. At least within a few months.
I know that. He states that cracking the account may take up to 2 months, or 2 minutes. He says something about using a dictionary attack and using the most common phrases at first, which means he could crack easy passwords quite fast...

Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
Yeah, I think so too now... but the 500 people who viewed the video might not know that...
-----------------------------------------------------------------------------------------------------------------

Ok, it sounds a lot more reasonable that he is offering a program with a trojan and a keylogger.
But still... I'd like to know if Anet registers something like failed login attempts...
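As an added illustration (not from the thread and not ArenaNet's code), here is what the lockout policy proposed above could look like on the server side: a per-account counter, a wait period after 5 consecutive wrong passwords, and a report of the failed attempts at the next successful login. The account name, password and clock values are constructed sample data.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5          # consecutive wrong passwords before the account is locked
LOCKOUT_SECONDS = 3600    # the 1-hour wait period proposed in the thread

class LoginGuard:
    """Per-account failed-login tracking with a temporary lockout and a
    failed-attempt report on the next successful login. `credentials` is a
    constructed in-memory store (account -> password); a real server holds hashes."""

    def __init__(self, credentials, clock=time.time):
        self.credentials = credentials
        self.clock = clock                  # injectable so tests can fast-forward time
        self.failures = defaultdict(int)    # wrong passwords since the last good login
        self.locked_until = {}              # account -> unix time the lockout expires

    def attempt(self, account, password):
        now = self.clock()
        until = self.locked_until.get(account, 0)
        if now < until:
            # Locked: refuse without evaluating the password, so hammering gains nothing
            return {"ok": False, "locked": True, "retry_in": int(until - now)}
        stored = self.credentials.get(account, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            # Good login: tell the user how many failures preceded it, then reset
            failed = self.failures.pop(account, 0)
            self.locked_until.pop(account, None)
            return {"ok": True, "locked": False, "failed_since_last_login": failed}
        self.failures[account] += 1
        if self.failures[account] % MAX_FAILURES == 0:
            # Every 5th consecutive failure starts a fresh 1-hour lockout
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return {"ok": False, "locked": True, "retry_in": LOCKOUT_SECONDS}
        return {"ok": False, "locked": False, "failed_since_last_login": self.failures[account]}

def simulate():
    """Constructed scenario: five wrong guesses, one try during the lockout,
    then the right password once the hour has passed."""
    t = [1_000_000]                         # fake clock, advanced manually
    guard = LoginGuard({"player@example.invalid": "correct horse battery"}, clock=lambda: t[0])
    guesses = [guard.attempt("player@example.invalid", f"guess{i}") for i in range(5)]
    during_lock = guard.attempt("player@example.invalid", "correct horse battery")
    t[0] += LOCKOUT_SECONDS
    after_lock = guard.attempt("player@example.invalid", "correct horse battery")
    return guesses, during_lock, after_lock
```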
zwei2stein
Grotto Attendant
#2
Yes, he is breaking into accounts. But not by brute force.

All he needs is for someone to download his trojan with a keylogger. Bingo, free account. The video is just an ad to get people to download it en masse.
Sir Pandra Pierva
Forge Runner
#3
Interesting and scary. One of the reasons why I never use the same email for anything.
Captain Miken
Banned
#4
Anet should add a way for us to change our password without dealing with their bullshit support system; that way we can all add an alt code to our password and make ourselves safe.


þ¥~

however, that video is fake and the program it links to is trojan'd and keyloggered
DarkWasp
Desert Nomad
#5
It really is impossible to browse through over 100 million combinations 1 by 1 in GW.

At least within a few months. I'm sure Arena.Net would notice the insane amount of login tries and block the IP or have you change your email.

So all a 5 minute block after so many password tries would do is annoy people who have quit for a few months, then come back trying all of their passwords to find out which one they used.
Sirius-NZ
Wilds Pathfinder
#6
Brute-forcing passwords can easily take years if the internet is involved, and it's basically impossible not to get noticed by ArenaNet fast enough to be stopped. It is a good reason why you should use non-trivial passwords, though.
Axel Zinfandel
Desert Nomad
#7
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
Captain Miken
Banned
#8
guys, my password is password~


Quote:
Originally Posted by Axel Zinfandel
Any account anywhere can be cracked like that. My guess is that this program he is offering will just link him with the password, or even worse.
The program he is offering is keylogged and trojaned.
Ctb
Desert Nomad
#9
Quote:
that way we can all add an alt code to our pass and render us safe.
NO
Quote:
Originally Posted by SecurityFocus
For example, a five-character password made up of high-ASCII characters will require 25 keystrokes to complete. With 255 possible codes for each character and five characters, the total possible combinations are 255^5 (or 1,078,203,909,375). However, a 25-character password made up of only lower-case letters has 26^25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. Clearly, you are better off just making longer passwords.
Good article, and very relevant to this topic.
Captain Miken
Banned
#10
http://www.securityfocus.com/infocus/1554

Quote:
A better approach is to be less predictable. Rather than replacing "o" with "0", try replacing "o" with two characters such as "()" as in "j()hn". And of course, making your password longer will make it even stronger.
Brute forces that the general public have do not even check for alt codes.

Quote:
Although they are useful in some situations, you should also consider the disadvantages. First of all, holding down the ALT key and typing on the numeric keypad is something that can easily be observed by others. Second, creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Note that all of the drawbacks can easily be overcome by: not being a damn retard.
cosyfiep
are we there yet?
#11
We have been complaining about the lack of security on the password issue since, well, I joined Guru! It simply does NOT make sense to allow unlimited password tries until you get it right. Granted, it would take a while to figure it out, but if you have the time you can do anything, I guess.
[Morkai]
Jungle Guide
#12
Simple. Use personal passwords. Common phrases/words linked to something personal, so only you know it/them.

Anyone dumb enough to download something that says "Omfg luk 'ere 4 ul1mat hax" deserves everything they get.
Ctb
Desert Nomad
#13
Quote:
Brute forces that the general public have do not even check for alt codes.
l0phtcrack certainly does check for "alt codes".

Quote:
Note that all of the drawbacks can easily be overcome by: not being a damn retard.
Making things more complicated does not equate to an increase in security. You can accomplish exactly the same thing - a non-dictionary password - by just doing what the article suggests: make the password a long phrase.

It's easy to remember, it is, in any practical sense, immune to a dictionary attack, and it's guaranteed to work in most applications that require a password.

Or, you could keep arguing with the successful author and security consultant who's made a good living out of knowing about this sort of thing. I mean, MAYBE he's full of crap, but if that's the case he's pretty damn good at tricking the people that have been paying him and publishing his books over the last few years....
Chthon
Grotto Attendant
#14
1. My money's on his program being a trojan.

2. Yes, GW accounts are VERY susceptible to brute force attacks. Once an attacker obtains your login, there's no limit to how many tries they can make consecutively, no notification that someone's hammering on your password, and, if your account is linked to a PlayNC account, no way to change your login. To make matters worse, if your account is linked to a PlayNC account, you are forced to use a weak password.

3. I've posted these elsewhere, but I'm going to post them again for the heck of it. Best practices for keeping your GW account safe:
  • Create a new e-mail address for your GW login, and use it for nothing else. Ever.
    • Don't tell it to anybody.
    • Don't use it for anything. No e-mail. No signing up for forums. Nothing.
    • Make sure it's with an e-mail provider who is going to keep their domain indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure it's with an e-mail provider you're able to keep a relationship with indefinitely. ([email protected] is good; [email protected] is bad.)
    • Make sure to write down the address and password and keep them with your GW key. You're likely to forget them since you never use the account for anything.
  • Use a strong password. That means that:
    • It must be at least 10 characters long (longer is better)
    • It must contain at least one capital letter (A, B, C,...), at least one lowercase letter (a, b, c,...), at least one numeral (1, 2, 3,...), and at least one symbol (!, @, #,...).
    • It must not be any English or foreign word or name found in any dictionary (including slang/urban dictionary) or other reference guide.
    • It must not be any simple cipher of the above. ("!33t" is only trivially harder to guess than "leet.")
  • If your account is not linked to a PlayNC account, then change passwords regularly. If your account is linked to a PlayNC account, and your current password is relatively strong, then do NOT change passwords ever. If your account is linked to a PlayNC account, but your current password is weak, then change passwords regularly.
  • Do NOT link your account to a PlayNC account.
    • If you absolutely must link it, then make sure to switch to a secure e-mail address and strong password BEFORE linking your account, then never change them again.
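As an added example (not from the thread), the password rules in the list above as a checker, including the "!33t" versus "leet" point: a candidate is undone through common letter substitutions before being looked up, so a simple cipher of a dictionary word is rejected along with the word itself. The word list is a constructed stand-in for the real dictionaries.

```python
import string
from itertools import product

# Constructed mini word list standing in for the dictionaries an attacker would actually use.
DICTIONARY = {"leet", "password", "guildwars", "dragon", "monkey", "letmein", "ascalon"}

# Common one-character substitutions; "simple ciphers" like "!33t" undo to a dictionary word.
# Ambiguous symbols map to every letter they commonly stand for.
LEET_ALTERNATIVES = {"!": "il", "1": "il", "|": "il", "3": "e", "4": "a", "@": "a",
                     "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

def deleet_variants(pw):
    """Yield every plain-letter reading of pw obtained by undoing the substitutions
    above and dropping whatever is left that is not a letter."""
    choices = [LEET_ALTERNATIVES.get(c, c) for c in pw.lower()]
    if sum(len(alt) > 1 for alt in choices) > 16:
        return                              # bound the product for pathological input
    for combo in product(*choices):
        yield "".join(ch for ch in combo if ch.isalpha())

def check_password(pw):
    """Return the list of rules from the post above that pw fails (empty list = passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    elif any(v in DICTIONARY for v in deleet_variants(pw)):
        problems.append("simple cipher of a dictionary word")
    return problems
```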
IlikeGW
Jungle Guide
#15
This happened in the early days of GW when people had the same forum/game account email. The answer is pretty simple: don't ever use your game account email on a Guild Wars fan site.
slowerpoke
Desert Nomad
#16
lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, it's a trap
Ultimate Flash
Ascalonian Squire
#17
Quote:
Originally Posted by slowerpoke
lol what a scam

download the "account cracker", which steals your details and sends them to the douche

remember kids, it's a trap
Doesn't Youtube have a way to report this kind of malicious activity?
take_me
Furnace Stoker
#18
Quote:
Originally Posted by Ultimate Flash
Doesn't Youtube have a way to report this kind of malicious activity?
Yes, I used the "Flag" feature, but I suppose more than 1 flag is needed to report the video, and since I don't want to post the link here...
Buddhaofwar
Frost Gate Guardian
#19
Just don't use words for your passwords. I recommend mashing your keyboard and seeing what comes up, then writing it down somewhere. It may take a few seconds more to type each time, but you are WAY safer, as dictionary attacks won't do shit, etc...
DarkFlame
Desert Nomad
#20
Actually it was already posted here, likely by the same person who created the YouTube vid. The mods were rather quick in deleting it.

And like Chthon said, create an email account for GW and GW only. Change your forum account to something else or just don't display it, if it's already the same as your game account. Also don't use that email for IM purposes; the Youtube vid also suggests gaining account names that way.