What do you think of logging in XTH with your real GW account?
DoomFrost
I have a program that stores my passwords, so it's just a simple copy + paste with my passwords and I'm in. Nothing to worry about for me.
I like this update anyways, makes it much easier to log in now.
Rift
Wow.. so much mis-information about internet security in this thread.
At first glance this is a huge improvement on the security front. The old way had severe security issues, and it seems they've dealt with them nicely.
Having a single sign-on and better integration with the game is definitely the way to go. I'm hoping they'll build on this vision for the future so we see more web integration and more Web 2.0 features in GW2.
Empress Amarox
Shadowfox1125
What was Anet's reasoning in changing this? Was there a problem with the previous method? I share your sentiments, Amarox.
BenjZee
At least I don't need to remember passwords for my:
- NCSoft
- GW
- XTH
I honestly don't mind... but what kinda worries me was I believe you could view the source and see the details clearly visible.
Fril Estelin
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. The webpage you see is only sent from the server to your computer, no one else normally can see it.
Anyway, this is no longer the case when I checked.
nkuvu
If this is the limit of security at your bank, that's pretty sad.
I'm not saying that the XTH needs to be as secure as a bank account, but there are a whole lot of things that a bank should be doing to ensure security (things like two stage logins, security questions, whitelisting specific computers for login, and so on).
Such as?
deyond driven
I'm not worried about this one bit.
Longasc
Quote:
It is a very good thing, not in itself, but with the added security of the XTH. They're putting back the security of your account in your hands, rather than asking you to create a new account (I mean XTH account vs. GW account). Technically speaking, we call that "minimizing the security surface".
|
How did this "minimize" or reduce the security surface, people now can attack your account over the browser, too.
Empress Amarox
Quote:
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. the webpage you see is only sent from the server to your computer, no one else normally can see it.
Anyway, this is no longer the case when I checked. |
My understanding is it's something a bit like this:
The way the internet works isn't your computer and the server directly connected, but when you send information it has to jump through several hubs before it gets to the server and back (that's the entire reason it works in the first place) and what I'm worried about isn't so much something from MY PC -> GW SERVER, it's the "->" and "<-" that I'm worried about.
Someone intercepting the packets during the trip from one destination to the other.
I know similar is possible because the devs for a project called L2J rip packets from Lineage II, crack them and then do whatever it is they do to copy their work without technically "copying" it. Really underhanded and shady, but technically legal in my understanding? Anywho, beyond the point...
The point is, the website has proved to be less secure than the GW client in the past, and I don't see why we should now suddenly have a profound trust for it when after all of this time it has not only been a potential danger, but even recommended against by the company itself.
To illustrate the jumps, here's a traceroute to the GW server I'm connected to right now:
Code:
TraceRoute to 216.107.245.97 [216-107-245-97.plaync.com]
Hop  (ms)  (ms)  (ms)  IP Address      Host name
1    11    6     9     72.249.0.65     -
2    8     6     14    8.9.232.73      xe-5-3-0.edge3.dallas1.level3.net
3    18    15    26    4.68.19.76      ae-2-79.edge2.dallas3.level3.net
4    23    13    14    4.68.111.174    -
5    9     17    14    152.63.96.182   0.ge-2-0-0.xl3.dfw7.alter.net
6    50    53    61    152.63.57.73    0.so-4-0-0.xl1.lax1.alter.net
7    73    67    54    152.63.53.57    pos6-0.gw4.lax1.alter.net
Code:
TraceRoute to 206.127.153.151 [www.guildwars.com]
Hop  (ms)  (ms)  (ms)  IP Address      Host name
1    17    14    13    72.249.0.65     -
2    10    7     7     8.9.232.73      xe-5-3-0.edge3.dallas1.level3.net
3    12    16    10    4.68.19.204     ae-4-99.edge2.dallas3.level3.net
4    10    13    20    4.68.111.174    -
5    20    19    13    152.63.96.86    0.ge-1-1-0.xl4.dfw7.alter.net
6    55    47    50    152.63.32.66    0.so-5-0-0.xl2.tco4.alter.net
7    51    49    46    152.63.35.69    pos7-0.gw3.tco4.alter.net
Anyways, that's just my understanding. I'm by no means an expert.
It doesn't so much worry me that there are jumps in between, because there are of course the same amount of jumps in between for both. What worries me is that whereas originally we were only entering our information on GW, now we are entering it on a web browser as well and thus subjecting ourselves to possible web vulnerabilities, and you'd have to just be naive to think those don't exist. I mean, just look at Firefox's security updates, that alone should prove my point. We may not know of them, but they're definitely there. It's an added risk that makes me feel my account is now less secure than it was before.
The Little Viking
Always from day one we have been told to not use the same password for all log in crap. Always saying never give your password for the game. Even have a "be safe" warning on the log in screen sometimes. NOW all of a sudden they want us to use our log in name and password for just about everything... Well maybe not everything... but it's beginning to seem like it. I don't like it at all. So much for account safety. I don't care how secure the site is supposed to be, things happen that are unexpected. I don't believe it's a good thing they did here.
zwei2stein
Quote:
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. The webpage you see is only sent from the server to your computer, no one else normally can see it.
Anyway, this is no longer the case when I checked. |
And impostors - if before "log in here to get gw2 beta" or "give here your login details for 100k" was a clear scam that caught the stupid and greedy, modifying the xth wiki article to link to a rip-off version of XTH is not easily detected and can have much worse impact. People could check https cert info or url, but that's not how the real world works.
We were solving similar issues at my job. We ended up separating employee accounts into "critical business" (financial operations, only) and "everything else" (email, intranet, computer, anything that we can afford to give access to a random stranger for 10 minutes without causing too much trouble).
Hyaon
Would like to have the option to do it the old way tbh... name and pw on that is totally different to account, I didn't feel worried at all but now I do :/
Ġ ō Đ??
If you're worried about your web security just set up a virtual PC with some AV Firewall and only go to GuildWars.com (google chrome of course) lol, would probably be safe
Rift
- That the old authentication system was safer than this one
- That using credentials linked to your game account will make it easier (than it used to be) for hackers to gain access to your account
- That people will sniff out your packets and obtain your credentials over SSL
People need to understand that these are not how hackers gain access to your account through the web. What people should be worried about are things like Cross-Site Scripting flaws, Cross-Site Forgery flaws, Virus/Trojans/Keyloggers, Phishing, and Password sharing. And as others have mentioned, this update does address some critical flaws the old XTH used to expose, which in turn improved the overall security of the site.
Inde
Quote:
Always from day one we have been told to not use the same password for all log in crap. Always saying never give your password for the game. Even have a "be safe" warning on the log in screen sometimes. NOW all of a sudden they want us to use our log in name and password for just about everything... Well maybe not everything... but it's beginning to seem like it. I don't like it at all. So much for account safety. I don't care how secure the site is supposed to be, things happen that are unexpected. I don't believe it's a good thing they did here.
|
I do have to say though that it is nice. I like this format a lot better. Props to the people who revamped it.
Chico
It sure feels less secure. People could brute-force game accounts in the website. Validate accounts without logging into the game. Site is susceptible to phishing attacks, etc. It *felt* more secure having individual accounts (maybe just an illusion anyway).
nkuvu
With the old system, you log into the XTH with an email address that can be changed. I could set my XTH login to [email protected] provided that I could get email there. Even if my actual game login is [email protected]. I could also set it to use any password I like. I could have the password to my XTH account as "topsecret" without having any potential compromise of my actual game account.
Disassociating the XTH account from the actual game account does seem safer to me. Are you saying it isn't? Do you use one login/password pair for every site you visit? If not, why not?
How many tools are there to attempt to break into a web page, and how many are geared specifically to logging into Guild Wars?
I agree that this is unlikely.
How does this update address any of those things?
Quote:
- That using credentials linked to your game account will make it easier (than it used to be) for hackers to gain access to your account |
Quote:
- That people will sniff out your packets and obtain your credentials over SSL |
Quote:
People need to understand that these are not how hackers gain access to your account through the web. What people should be worried about are things like Cross-Site Scripting flaws, Cross-Site Forgery flaws, Virus/Trojans/Keyloggers, Phishing, and Password sharing. And as others have mentioned, this update does address some critical flaws the old XTH used to expose, which in turn improved the overall security of the site. |
Fril Estelin
Quote:
We were solving similar issues at my job. We ended up separating employee accounts into "critical business" (financial operations, only) and "everything else" (email, intranet, computer, anything that we can afford to give access to a random stranger for 10 minutes without causing too much trouble).
|
I'm convinced that the attack surface was higher before, not because of application exposure, but because of exposure to social engineering via complexity. Add an account and you're pushing people to reuse passwords, which is apparently what happened (cf. Regina).
I can perfectly understand that people are worried, as I said it's not completely irrational. Some will not do anything by default here and wait to hear people saying it's ok. I'll do the contrary and continue using it, with caution, until I hear otherwise. I don't believe Anet would make such a move and not think of the holistic security. (but I can't understand that Regina and Martin are not all over the place on this)
Alleji
I like it. It's convenient.
I also like the interface improvements.
However, on the importance scale this is very, very low. I don't understand why anet manages their manpower the way they do... it probably took a designer and a programmer at least a whole day to redo the thing. Couldn't they have done something about fixing the game instead?
Martin Kerstein
There is a very simple thing that can be done personally to be safe:
Only visit the XTH via the link on the official website. Or you might want to talk to Kun Shao ingame, he can take you there as well.
Never Never Ever blindly click on a link someone sends you.
Fril Estelin
Quote:
Anyways, that's just my understanding. I'm by no means an expert.
|
Quote:
me is that whereas originally we were only entering our information on GW, now we are entering it on a web browser as well and thus subjecting ourselves to possible web vulnerabilities, and you'd have to just be naive to think those don't exist. |
http://www.owasp.org/index.php/Top_10_2007
Security is never, ever an absolute, it's a constant arms race. As we say, it's not a product, it's a process. You can't be secure by just the property of your software (actually not true in a few cases, the costly EAL7 for critical applications). As illustrated by:
Quote:
I mean, just look at Firefox's security updates, that alone should prove my point. We may not know of them, but they're definitely there. It's an added risk that makes me feel my account is now less secure than it was before. |
Apollo Smile
Hey guys, look out. If somebody hacks your email they have your Guild Wars login information as well.
Empress Amarox
Which is why you don't use your GW e-mail for anything else whatsoever (until now apparently?)...
fusa
Quote:
There is a very simple thing that can be done personally to be safe:
Only visit the XTH via the link on the official website. Or you might want to talk to Kun Shao ingame, he can take you there as well. Never Never Ever blindly click on a link someone sends you. |
What about people who are unable to access your web sites without using a proxy? It's bad enough you ban whole ISPs from accessing your site, but now you force them to login using your game account information over a proxy. Anet/NCSoft has made some really RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOing stupid decisions over the past year, and this is one of the worst.
Miss Puddles
I'd be more concerned about making my password secure/hard to guess than worrying about someone hacking into the XTH site and retrieving my login information. It's way more likely that you have a bad password that is frequently used than anything else. Just to be extra safe if you feel threatened, go and change your GW password to something new.
I'm not terribly concerned.
pumpkin pie
I actually wanted to ask something and forgot after seeing the not so perfect webpage, sorry.
My questions are:
1) Will this change of using our account name and password correct the problem of some of my accounts not getting any tournament rewards for 4 months in a row?
2) Why is it, although I've made sure I use the exact same prediction for all of my accounts, somehow the reward points come out different every time?
Security aside, you think Arena Net could use better rendered pictures/screenshots/whatever on the new XTH page? They are all blurry and pixelated and the XTH logo on the top of the page ..... no comment lol.
eeeeps
see for yourself. https://www.guildwars.com/competitiv...se/default.php
Longasc
They should copy some ideas for account security from the upcoming Champions Online.
It is not my kind of game, but just create a user account for the game, and you will see how the game is much more advanced at least in regards to account security.
E.g. the game encourages you to choose a different user/account name than your char name and also does not use your email address as account name.
The ways how you can recover your account data are also much better than the often rather easy to solve preset "secret" questions and more customer friendly than having to contact the dreaded NCSoft support.
KrisNaga
Quote:
The amount of paranoid people in this thread is hilarious. I wonder how many of you even get by on the internet.
|
The internet is not for people who don't know what they're doing and your attitude will eventually get you in trouble.
1337 H4X
After forgetting my passwords (yeah I manage) and losing access to the email accounts my accounts are linked to, the remodel on guildwars.com lets me do my predictions hassle free, and after 6 months I can finally get some zkeys ><
Anyone who had trouble should check out the site,
kudos to anet and the remodel
thank you ^^
Wish Swiftdeath
People send you spam mail anyway, either get a decent filter or spend five minutes a day deleting it.
It's not like the game has your credit card info on it, who is going to go through all that effort to get into ONE person's account which may not even have anything in it.
I sometimes wonder how you guys step out of the front door knowing that you could get killed anytime.
Fril Estelin
Quote:
It's not like the game has your credit card info on it, who is going to go through all that effort to get into ONE person's account which may not even have anything in it.
|
What annoys me is that people present the case of "your 4-year-old account being hacked" as the reason why you'd get angry, BUT they don't say that for 4 years their account wasn't hacked and that this makes them happy. Security works when nothing happens, so no need to say it?
And, again, security is never, ever, perfect. There's been GW accounts hacked before and there'll be in the future, what really matters is Anet/NCsoft's swift response to these acts. And people trusting them (at the same time, I guess some Guru trolls make this more difficult).
riktw
My little bro did /dance too,
so if you see a female rit dancing it's my little bro, with his z-keys next month.
I don't care, site is secure enough, password is secure enough.
refer
Quote:
But, what about those of us that set up XTH accounts for friends and vote for them because they don't understand it, don't play PvP, can't be bothered or similar.
|
Quote:
Voting for friends... Doesn't that fall in the lines of account sharing? I thought account sharing was against the EULA. Ah well probably wrong.
|
Now define "fixing" for them. To them it's not broken.
Anyways back on topic. If your account wasn't hacked by now I think you're safe. If you don't trust the new site then don't ever shop online either. You'll probably have a heart attack.
Professor K
Quote:
Let's see you say that when you get your account of 4 years hacked and lose everything you have worked for and then have your details spread over the net and your email sold to unknown companies who then send you spam mail.
The internet is not for people who don't know what they're doing and your attitude will eventually get you in trouble. |
I'm well educated on the dangers and precautions to be used on the internet.
Not everyone is stupid enough to fall for a phishing site or not change their passwords regularly. Do you even realize Guild Wars.com uses encryption, Secure Socket Layers, off-site backup, security testing, and password protection? At least know your facts before trying to scare everyone.
Also, fire off an email here if this truly concerns you so much: [email protected]
Toxic OnyX
Apollo Smile
eht123
Quote:
There is a very simple thing that can be done personally to be safe:
Only visit the XTH via the link on the official website. Or you might want to talk to Kun Shao ingame, he can take you there as well. Never Never Ever blindly click on a link someone sends you. |
Fril Estelin
Quote:
The fact that we now have to take extra precautions of this nature pretty well shouts that the new scheme is less secure than before...
|
Internet technologies are seen as an incredibly huge convenience, to the point where most people won't check where they're clicking. It's very difficult to put back some sense into this because it's difficult to explain what is right and what is wrong, without ending up describing the strict habit of checking everything we do. It is seen as a bigger inconvenience than the perceived risk of ending up on a phishing website.
(it's actually more complicated than it seems: most emails nowadays are html and the text of the link you see in an email may have nothing to do with the actual destination of the link, which you may discover by hovering over the link on most clients; so even looking at this text is not enough, once you've clicked you have to look at the address bar)
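The mismatch described in the post above (the visible text of a link in an HTML e-mail versus its real destination) can be checked mechanically. This is an added example, not part of the original thread; the trusted-host list, the `.example` domains and the sample e-mail are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts the reader trusts for XTH logins.
TRUSTED_HOSTS = {"www.guildwars.com", "guildwars.com"}


def host_of(text):
    """Return the lowercase hostname if text looks like a URL or bare domain."""
    text = text.strip()
    if not text or " " in text:
        return None
    if "://" not in text:
        if "." not in text.split("/")[0]:
            return None          # relative path or plain word, not a host
        text = "http://" + text  # bare domain such as "www.guildwars.com/xth"
    try:
        return (urlsplit(text).hostname or "").lower() or None
    except ValueError:
        return None


class LinkAuditor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return (text, href, reason) for every link a reader should not trust."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for href, text in auditor.links:
        dest, shown = host_of(href), host_of(text)
        if shown and dest and shown != dest:
            findings.append((text, href, "text shows a different host than the target"))
        elif dest and dest not in TRUSTED_HOSTS:
            findings.append((text, href, "target is not the official site"))
    return findings


# Constructed sample message body (not a real e-mail).
SAMPLE_EMAIL = """
<p>Your predictions are ready:
<a href="http://xth-login.example/default.php">https://www.guildwars.com/xth</a></p>
<p><a href="https://www.guildwars.com/">Official site</a></p>
<p><a href="http://xth-rewards.example/">Claim your keys</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

A clean result only means the link text and target agree; as the post says, the address bar after clicking is still the final check.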
eht123
Quote:
After forgetting my passwords (yeah I manage) and losing access to the email accounts my accounts are linked to, the remodel on guildwars.com lets me do my predictions hassle free, and after 6 months I can finally get some zkeys ><
Anyone who had trouble should check out the site, kudos to anet and the remodel thank you ^^ |