What do you think of logging in XTH with your real GW account?

What do you think of logging in XTH with your real GW account?

"Players will now log in to the Xunlai Tournament House with their Guild Wars username and password."

Personally, I am very upset about this. Not only do I feel like it makes my account insecure, despite their claims of it being secure.

But, what about those of us that set up XTH accounts for friends and vote for them because they don't understand it, don't play PvP, can't be bothered or similar? Before we could do this, or let someone do this for us, with the security knowing that our account info was safe because different login information is used. This is no longer true.

I really don't like this part of the update....

Voting for friends... Doesn't that fall in the lines of account sharing? I thought account sharing was against the EULA. Ah well probably wrong.

I for one am happy for the change, less passwords to remember.

I think it is a half-baken solution.

I agree that using your account name and pw to log in the XTH in a web browser is an additional security risk. But the old solution with the extra pw was not the best either.

-> A better idea would be to do the whole betting process ingame.

I do not see this happen in GW1, unfortunately.
Maybe they will do this in GW2. They do not seem to be willing to make ANY effort to do this, everyone busy working on GW2 and so on, as usual. The usual excuse is that it would take as much time, effort and money as building all the pyramids in Gizeh. This would delay Guild Wars 2 until the sun has already burned out.


I also use the accounts of two WoW playing friends to get stuff from the XTH, but as I know their account passwords I can continue this practice (note that I do not recommend this practice, they just do not care at all about GW, to my disappointment).

I think it's fine, it's 100x easier than dealing with anet's support.

How would you like dealing with anet's support when everything on your account gets jacked (and they have a strict no replacement policy)? That's the entire point...

I don't feel safe anymore.

This, basically.

Oh crap!
MY Fifefox had the password saved and now I'll need to change it!?!??!
WTH!??!?!

Man one QQ thread after another every time something changes. Personally it doesn't really matter to me. Saves me from having to remember yet another id and password.

I liked the old XTH log-in system better.

^that for me too. I just don't like the feeling of having to spread/share my account name and PW on the interwebz.

I assume you people haven't heard of things like single sign-on's...

If you don't trust the website (that's using a secure connection with the game servers) than you should probably stop logging on the game as well, since the "vulnerabilities" are quite similar...

This^ , i agree , i dont feel safe using my ingame pass to log into the XTH ,atm im considering just not taking part in it for a couple of months , if there hasn't been any issues by then i will probably start doing it again .Personally i think that Longasc has the best idea in that it should be handled ingame by a NPC.

It is a very good thing, not in itself, but with the added security of the XTH. They're putting back the security of your account in your hands, rather than asking you to create a new account (I mean XTH account vs. GW account). Technically speaking, we call that "minimizing the security surface".

Your feeling of insecurity is unfounded, do not think emotionally but rationaly. So let's look at the various points:

Ok so you don't trust them. Explain.

This actually is not related to security, but "convenience", with even a feature that is your sole responsibility, Anet shouldn't have to deal with this situation at all, you should. It actually shows something important: security comes before convience for XTH. Or else wait for the (possible) next version of the automatic voter software.

Very true. But I think they've realised that around December (maybe before) and we now have a brand new, reshaped, more secure website.

(having it ingame is clearly possible, but maybe too much work for them? or they want to promote the website or move some of the load from GW server to webservers?)

This has absolutely nothing to do with XTH. The tales of GW being hacked are wrong, in the sense of this happening in the wider sense. GW is a very secure piece of software. Hacked accounts mostly happen via typical social engineering techniques, such as guessing passwords (say, from your Guru profile or posts for example...), and having XTH doesn't make one inch of difference here.

I resonally dont like this change, people could trust my XTH aid more in past (stolen account info for xth was worthless). Now they are more vulnurelable to my evil side (bwahaha) and to impostors that would tinker with code.

Regardless of that, this brings serious risk of exposing account info to XSS attacks; bigger sufrace exposed to attack attempts is not desirable.

I'll reply separately to this post because it's interesting:

It's a matter of trust, trust in pieces of software that we barely understand, because most of it is handled on a server to which we don't have access to. People distrust internet for XTH but trust it for buying stuff on amazon? The security misperception may come from stories read on Guru, and these stories may well be due to the old form of the XTH, while the new one fixes them.

It's quite rational to wait a few month until voting. But me, who's worked a lot in security, won't be doing that, UNTIL (and not BEFORE) I see evidence that it's insecure. I use Firefox with NoScript (an extension which by itself would require an entire discussion on the matter of trust, see their recent affair...), AV, firewall and antispys with fully update softwares, always checking the address of the websites.

What I see in this thread is "fear" because of change, not completely irrational, but not founded on actual solid pieces of evidence. This happens all the time in RL, I'm not blaming anyone for that (I could tell you how I was aggressed by a guy this morning who went totally berserk on me for touching his car with mine without any damage, the epitome of irrationality, but I wont ). Just trying to help here.

That xunlai house thing is a real pain in the ass, I did everything it said and I get no rewards and yes I have checked the faqs on it. It just seems like anet wants to make everything as difficult as possible and I can't be bothered with there crap anymore, they failed in this and then they failed at the free storage and now they want people to give out there real details?
I feel that it would definitely put people's accounts at risk because nothing is 100% secure and I don't see any reason whatsoever why anet should have our account names as well as our passwords, it's none of there business what our passwords are and they even say not to give them out so now there contradicting themselves.
I would avoid this at all costs, it's not worth getting your account hacked.

i wander what would happen if someone hijack/hack into GW webpage and get all the passwords...... or if that is even possible???

I always thought we are not suppose to use same passwords and name for different webpage/games/accounts... etc.

infact didn't the webpage ask us not to use the same passwords as our game account when we sign up for security purposes???????

You've a good point, i guess i'd probably just quit GW anyway.

I only really log on to help noobies, do the odd GvG at 4am anyways.

Considering NOBODY would make the effort to hack a single person through SSL and having to do it all over again (I'm talking about needing 30 PCs or a similar amount and probably about a week non-stop for one person) for another person, this is actually more safe. I think the old system didn't use SSL no?

This crying is understandable, but this new system doesn't make your game account more vulnerable than it was before.

So, stop not feeling safe. If you're being hacked it's probably your fault anyway for logging on to that odd porn website with your email and pass.

I had mine always bookmarked as https. So I guess it had? :S

Thats right, seems rather ironic huh?

I just hope anet have made the security in the XTH stronger than fort knox now, because if theres someone out there who can hack it. You can bet your ass they will.

how about just not using it if your worried about it?

Its always been the same login for me. QQ.

I don't care. Seriously this thread is just grasping at straws for something else to whine about.

All of this assumes that a., the people running the website are completely inept, b., that someone would care enough to actually steal accounts, and c., that yours would be one of the ones affected.

I can sort of see the problem that you want to help your friend enter picks, but he doesn't want to give you his private password. So use this as a trust-building exercise with your friends, or take a screenshot of your picks and have them enter them themselves, or let them think for themselves. It's pretty much a non-issue.

I understand your security concerns but the new XTH is really alot more secure than the old one. It uses the same authentication technology as Guild Wars uses ingame, that is, the client and server each chose a seed/token to initialize the key that changes between each packet, and on top of that the site uses a secure connection.
The old site used to have a few flaws so ArenaNet decided to completely revamp it which greatly improved the security for every player.

As for the person asking about logging in to their friends XTH account, you aren't supposed to share your friends account anyway, each player is supposed to vote on their own to get their XTH rewards.

Doesn't bother me more than that.

--> Hacked Accounts

I'm sure ANet know's what their doing and can "secure" their website, and wouldn't be making this change if they didn't. Besides, I'm pretty sure 99% of accounts are "hacked" because the user fails to secure their own computer and not download off of suspicious website, use a good password and keep it secret (not let people on their accout), buy accounts, etc...

Although I'm not sure if I'll keep using the reward points predictor.

Its just funny because when you sign up (prior to update) for the Xunlani house Anet said SPECIFICALLY "DO NOT use you're in-game account login/password" or however it was worded.

I guess its fine, but there was nothing wrong with the old login method, PERHAPS so many people forgot their pass that their automated password recovery system can now be retired or whatever I dont know how this would be beneficial.

So what happend to our old login email/pass for the xunlai house, disguarded?

If you don't visit the in-game store, you can change your email address login for GW. Once you've bought something from the store, you can't, it's fixed. Will using my login details for the new XTH work the same way - will my login address for GW be fixed if I use it?

As much as I like the game, I really don't think ArenaNet knows what they're doing in terms of security.

Maybe you haven't noticed/weren't around. But one of the updates to the game was that they added login timeouts. That is, the more times you get your password wrong, the longer it takes to verify. Does the website have something similar, or could someone take my email address and just hammer away at my XTH account? I don't know, the details aren't listed.

One of the other updates was changing the login error. If you mistyped your email, it said "oh hey, we don't know that email." If you mistyped your password, it said "password incorrect." This is really really basic in terms of logins. Don't give the person information that would help them narrow it down. If they try an email address and get a hit, then they can focus on password. If they try an email and it fails, no need to bother with the password. As I've said, this has since changed. But it changed after years of being just as I described.

As stand alone issues, these are pretty small. But they're big indicators that ArenaNet doesn't focus much on account security, until someone else pokes them and says "hey, this isn't a good idea."
How is logging into the XTH for a friend any different than saying just "vote for these guilds"? That's not account sharing, the only thing was that a step was being skipped where the actual account holder moved the names to the little boxes.

That said, I agree with pinguinius' second paragraph on the subject (in other words, I wouldn't call it account sharing, but I also wouldn't call it a significant problem).
Missed the point. My Guild Wars login details are now web accessible. Whether I use the Xunlai Tournament House or not, my login and password now have another way to be compromised.

Do I think that someone would target my account specifically? Probably not. But if someone can automate the process to break into random accounts, it's possible. Especially since the items I have in game can be sold for real world money.

This is just a game, so if my account was broken into and everything traded off to another account, I wouldn't lose anything tangible. But it'd still make me a very sad panda.

Yep, interesting that.
I don't use the same things for games, websites, etc. in any case. This will be easier to remember, but still it's weird they would say that then change it.

Damn, well just gave that a try and there doesn't seem to be a limit for password attempts, but at least it doesn't tell you whether it's the password or e-mail that's wrong.

Way too insecure to use it anymore. I won't be risking a few zaishen keys for my whole account anymore...

Erm, if it's secure thats fine. I'm worried about another 'hacking' incident where someone hacks 1 site and gets the pw, then brute forces them against gw to hack your account. That's what happened last time, and I'd prefer to keep all my pw different now.

i like this update to XTH.

This.
It isnt the first game to use account pw's on a website and it wont be the last.
Move along please.

Wow there is a lot of QQ conspiracy theory going on in here. ArenaNET provides a great layer of security for your account, just as much as any other game or bank provides, and anything above and beyond that is your own responsibility.

Of course all of your accounts are already compromised with the NCsoft account everyone got to get their free pane, so who cares?

http://www.guildwars.com/gameplay/pv...ment_house.php

"Using the Guild Wars authentication technology, we have increased the security on the site so that logging into the Xunlai Tournament House is now as fast and secure as logging into the game. At the login screen, simply enter your existing Guild Wars account name and password—no need to register separately. Remember, you should only enter your Guild Wars account name and password at a site that shows HTTPS://www.guildwars.com/ in your browser's address bar."

HTTPS:// is a plus. I wonder if this was in response to the double point thing or that hacked account issue from a few months back?


I do like XTH V2 though - Good Job ANET!