Quote:
And if you want to be safe, buy yourself a French keyboard, that way he won't be able to reproduce the accent (well it will take him a lot more time if you can input accents).
|
First off, you don't need a special keyboard to type those characters, it just makes it easier to do so. Secondly, if YOU can input the character, so can a dictionary attack tool. Finally, building and using a dictionary of French words (or any other language on Earth) is just as trivial as building and using a dictionary of English words.
Fifteen characters is the old Windows LANMAN limit and those passwords are trivially defeated these days. It's still a common problem in XP and 200x, in fact, since the stupid OSes store a LANMAN hash of your password for compatibility, by default, if the password is short enough to be valid for LANMAN.
Anyway, my password is a "not a word". It sounds like a real word when you speak it, and it contains the elements of real words, but it's not a real word and it contains the usual mix of letters, numbers, and punctuation characters. As a result, my password "word" will very probably not be in any dictionary, and it still has a few of the "tricks" to try and keep it safe even if it is. I expect, however, that as attack tools get more sophisticated and computers more powerful this trick may not work as effectively in the future.
Regarding the risk of brute forcing, brute forcing is not a significant threat at all so far as the process of tossing passwords at the GW login prompt goes. That would be trivially detected and stopped. The real risk is that people do stupid things with their login credentials like use them on forums:
1. Attacker finds a vuln in the GuildWarsguru.com/forum software
2. Attacker exploits the flaw and gains access to either the database prompt or the actual storage files on disk
3. Attacker loads all that data to his own machine
4. Since logins and emails are typically not stored encrypted, attacker now has a ton of potential logins for people on Guild Wars
5. Attacker also knows that it's common for people to reuse passwords and email addresses, so he breaks the vulnerable encrypted passwords in the forum database
6. Attacker then takes those stolen credentials and tests each one in the Guild Wars client, likely getting at least a few accounts
Note that the risk of a brute force exists because the attacker actually stole a file and was able to pound at it on his own systems where he didn't have to worry about detection.
Quote:
Sounds like a heuristic anti-virus suite to me, it's hard to see how it could do anything against keyloggers or even brute force password cracks. Also I've come to think of heuristic anti-virus software as "I like false positives" software. I don't know if anyone's ever detected an actual new threat with heuristic software, but everyone gets false positives.
|
Sounds to me like they might be looking to embed heuristic software into the client to detect illegal access of the program's memory space. That would detect anything interacting with the gw.exe client or its loaded DLLs that doesn't have an "approved" footprint. Blizzard has a similar program for WoW that, as of its last major revision, is horribly obtrusive and, frankly, raises serious security concerns of its own, imho.
Generally, however, that sort of thing is used to detect and stop botters, not protect players...
/ my speculation, let me show you it
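
Added example (not part of the original post): a sketch of how a login service could tell the easily detected guessing against one account apart from the testing of stolen credentials described in step 6, and list the accounts that need a forced reset. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, success). Not real data.
SAMPLE_EVENTS = (
    [("203.0.113.10", "alice", False)] * 6                      # one account hammered
    + [("198.51.100.7", f"user{i}", False) for i in range(5)]   # one try per account
    + [("198.51.100.7", "user5", True)]                         # a reused password works
    + [("192.0.2.44", "carol", False), ("192.0.2.44", "carol", True)]  # typo, then login
)

def classify_sources(events, guess_failures=5, stuffing_accounts=4, fail_ratio=0.5):
    """Label each source IP as password-guessing, credential-stuffing or normal."""
    per_src = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # ip -> account -> [tries, fails]
    for src, account, ok in events:
        stats = per_src[src][account]
        stats[0] += 1
        stats[1] += 0 if ok else 1
    verdicts = {}
    for src, accounts in per_src.items():
        tries = sum(t for t, _ in accounts.values())
        fails = sum(f for _, f in accounts.values())
        if max(f for _, f in accounts.values()) >= guess_failures:
            # Many failures against one account: what a per-account lockout catches.
            verdicts[src] = "password-guessing"
        elif len(accounts) >= stuffing_accounts and fails / tries >= fail_ratio:
            # Few tries each across many accounts: stolen pairs being tested.
            verdicts[src] = "credential-stuffing"
        else:
            verdicts[src] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    return sorted({acct for src, acct, ok in events
                   if ok and verdicts.get(src) == "credential-stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print(accounts_to_reset(SAMPLE_EVENTS, v))
```

Note that no single account in the stuffing source's traffic ever has more than one failure, so a per-account lockout alone would not trigger on it.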