What do you think of logging in XTH with your real GW account?

eht123

Ascalonian Squire

Join Date: Nov 2005

Quote:
Originally Posted by Fril Estelin View Post
It's not a "precaution", it's a healthy security habit to have.

Internet technologies are seen as an incredibly huge convenience, to the point where most people won't check where they're clicking. It's very difficult to put back some sense into this because it's difficult to explain what is right and what is wrong, without ending up describing the strict habit of checking everything we do. It is seen as a bigger inconvenience than the perceived risk of ending up on a phishing website.

(it's actually more complicated than it seems: most emails nowadays are html and the text of the link you see in an email may have nothing to do with the actual destination of the link, which you may discover by hovering over the link on most clients; so even looking at this text is not enough, once you've clicked you have to look at the address bar)
I didn't say it wasn't good common sense. It is. But the mere fact that they have to emphasize it now says, in not too subtle a fashion, that they themselves recognize the additional exposure to the game accounts.

Sjeng

Desert Nomad

Join Date: Aug 2005

in my GH

Limburgse Jagers [LJ]

W/

I'm not happy with the change.
"I feel like it makes my account insecure, despite their claims of it being secure."
Same here. More risk. Why on earth did they change something that was fine?

If it ain't broke, don't fix it!

Div

I like yumy food!

Join Date: Jan 2006

Where I can eat yumy food

Dead Alley [dR]

Mo/R

Good way for hackers to get into unsuspecting users' accounts. Simply send a "reminder email" a week before the mAT linking them to the fake site, and a good portion of people will click it and enter their info.

Sure the smart ones will just go to the website directly, but from keen observation, I have concluded over half of the computer users, and even more of GW users are not that intelligent.

Apollo Smile

Wilds Pathfinder

Join Date: Jan 2008

[LORE]

E/Mo

Quote:
Originally Posted by Wish Swiftdeath View Post
Well it's going to suck when 19238912 phishing threads pop up on guru
Which has nothing to do with the game. The update to the Xunlai House was to benefit the game, not this website.

I do have a question for the people against using your Guild Wars information to log on. Do you play any other online games? The SSL Encryption that Guild Wars.com uses is the industry standard. How is that any less safe than logging onto World of Warcraft.com or EVEOnline.com?

eht123

Ascalonian Squire

Join Date: Nov 2005

Quote:
Originally Posted by Apollo Smile View Post
I do have a question for the people against using your Guild Wars information to log on. Do you play any other online games? The SSL Encryption that Guild Wars.com uses is the industry standard. How is that any less safe than logging onto World of Warcraft.com or EVEOnline.com?
Because previously, any attack on a game account was pretty much limited to using the GW client itself. While there are certainly ways to automate that, it's not even in the same ballpark as far as exposure as having those login credentials available on a public website. A whole new array of attacks is now available, ranging from simple brute force to phishing, xss, dns poisoning, sql injection, and whatever else, none of which have anything to do with the effectiveness of SSL or Anet's backend servers. Everyone's account is now exposed to a myriad of new attacks, whether you use the XTH or not. It doesn't matter what precautions they've put in place, or think they've put in place - they have substantially increased the options available for compromising game accounts.

It's a question of risk mitigation, plain and simple. Do you use the same login for your bank that you use for guru? No, that'd be pretty stupid, right? Do you use the same login for GW as you do for your gmail account? No, that's pretty dumb too. Same principle here...

I'm a big fan of GW and Anet, but this is just Grade A stupid.

Apollo Smile

Wilds Pathfinder

Join Date: Jan 2008

[LORE]

E/Mo

Quote:
Originally Posted by eht123 View Post
Because previously, any attack on a game account was pretty much limited to using the GW client itself. While there are certainly ways to automate that, it's not even in the same ballpark as far as exposure as having those login credentials available on a public website. A whole new array of attacks is now available, ranging from simple brute force to phishing, xss, dns poisoning, sql injection, and whatever else, none of which have anything to do with the effectiveness of SSL or Anet's backend servers. Everyone's account is now exposed to a myriad of new attacks, whether you use the XTH or not. It doesn't matter what precautions they've put in place, or think they've put in place - they have substantially increased the options available for compromising game accounts.

It's a question of risk mitigation, plain and simple. Do you use the same login for your bank that you use for guru? No, that'd be pretty stupid, right? Do you use the same login for GW as you do for your gmail account? No, that's pretty dumb too. Same principle here...

I'm a big fan of GW and Anet, but this is just Grade A stupid.
That's a very poor example.
When I log on to GuildWars.com or Warcraft.com as I used in my example, it directly ties in with my in game account.

Of course my online banking account and eBay account passwords are completely different. They don't relate at all. (Both also use SSL encryption as well, go figure.) ArenaNet isn't telling you to use your Guild Wars information for various unrelated sites, they expect you to use it on THEIR site.

eht123

Ascalonian Squire

Join Date: Nov 2005

Quote:
Originally Posted by Apollo Smile View Post
That's a very poor example.
When I log on to GuildWars.com or Warcraft.com as I used in my example, it directly ties in with my in game account.

Of course my online banking account and ebay account passwords are completely different. They don't relate at all. (Both also use SSL encryption as well, go figure.) ArenaNet isn't telling you to use your Guild Wars information for various unrelated sites, they expect you to use it on THEIR site.
You're either not reading, or you're being intentionally obtuse. None of those attacks have anything to do with SSL, I don't know why you're hung up on that. It also doesn't matter that it's their server - the number and type of possible attacks on game accounts is now significantly larger than before. The simple fact that we have an Anet rep on this board saying "don't go to that page from anywhere other than our home page" testifies to that. Interesting, isn't it, that they never felt the need to issue such warnings before, when the logins were different?

Seems a simple solution would be to allow the option of either separate or linked logins. That way, those that prefer security can be happy and safe, and those that prefer convenience can post phishing threads on guru in a few weeks... ;-)

Professor K

Frost Gate Guardian

Join Date: Jan 2009

Mo/A

This thread sounds more like a complaint against internet security than Guild Wars itself. Folks, NOTHING you do on the internet will be 100% secure. To single out Guild Wars, but use online banking, email, shopping, play other games, or do your taxes, is incredibly hypocritical.

eht123, you make a few good points, but it sounds like you are refusing to acknowledge that security is just as much your responsibility as a company's.

eht123

Ascalonian Squire

Join Date: Nov 2005

Quote:
Originally Posted by Professor K View Post
This thread sounds more like a complaint against internet security than Guild Wars itself. Folks, NOTHING you do on the internet will be 100% secure. To single out Guild Wars, but use online banking, email, shopping, play other games, or do your taxes, is incredibly hypocritical.

eht123, you make a few good points, but it sounds like you are refusing to acknowledge that security is just as much your responsibility as a company's.
No, I'm more than happy to look out for myself online, thank you, don't assume otherwise. I'm simply trying to point out that they have, with this change, increased the exposure to everyone's account. I mean really, just count the attack options with the GW client only, and compare that to the options you have with GW client plus a website using the same credentials.

Again, it's a question of risk mitigation. Of course anything done online is subject to some risk. But why increase it if you don't have to? Just because some people can't remember two different logins? That's not really a good reason.

nkuvu

Lion's Arch Merchant

Join Date: Dec 2005

Quote:
Originally Posted by eht123 View Post
Seems a simple solution would be to allow the option of either separate or linked logins.
I'm really surprised that more people don't seem to be able to understand this.
Quote:
Originally Posted by Professor K View Post
eht123, you make a few good points, but it sounds like you are refusing to acknowledge that security is just as much your responsibility as a company's.
No actually, the problem is that my added security (of having separate passwords) has been reduced by a company decision. It wasn't my choice to reduce the security, it was theirs.

fusa

Krytan Explorer

Join Date: Mar 2007

The most dangerous part of them using same login information is browsers will store the login and password for sites if someone allows them to. Recovering those passwords either remotely or by directly accessing the computer is extremely easy. A lot of people are just going to allow the browser to remember the login information probably just from being lazy, out of habit, or just not believing that it would be easy to retrieve. All it would have taken is for them to add ' autocomplete="off" ' to the form for password...
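A site owner can audit a login page for the attribute named in the post above. This is an added example, not part of the original thread; the sample markup, form actions and field names are constructed.

```python
from html.parser import HTMLParser

class PasswordFieldAudit(HTMLParser):
    """Record each password input and the autocomplete value that applies to it."""
    def __init__(self):
        super().__init__()
        self.fields = []        # list of (field name, effective autocomplete or None)
        self._in_form = False
        self._form_ac = None    # autocomplete value set on the enclosing <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
            self._form_ac = a.get("autocomplete")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = a.get("autocomplete")
            # The input's own attribute wins; otherwise it inherits from the form.
            effective = own if own is not None else (
                self._form_ac if self._in_form else None)
            self.fields.append((a.get("name") or "", effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
            self._form_ac = None

def password_fields_not_off(html):
    """Return names of password inputs that do not request autocomplete="off"."""
    audit = PasswordFieldAudit()
    audit.feed(html)
    audit.close()
    return [name for name, ac in audit.fields
            if (ac or "").strip().lower() != "off"]

# Constructed sample page with four login forms.
SAMPLE_PAGE = """
<form action="/login-a"><input type="text" name="user">
  <input type="password" name="pw_plain"></form>
<form action="/login-b">
  <input type="password" name="pw_field_off" autocomplete="off"></form>
<form action="/login-c" autocomplete="off">
  <input type="Password" name="pw_form_off" /></form>
<form action="/login-d" autocomplete="off">
  <input type="password" name="pw_override_on" autocomplete="on"></form>
"""

if __name__ == "__main__":
    print(password_fields_not_off(SAMPLE_PAGE))
```

Current browsers' password managers commonly ignore `autocomplete="off"` on login fields, so the result shows what the page requests, not what a browser will actually store.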

1337 H4X

Academy Page

Join Date: Apr 2009

SNOW

I love the update, my accounts weren't accessible but now I can predict again.

gogo anet

Nanood

Wilds Pathfinder

Join Date: Aug 2005

Supermans Crystal Palace

Legion Of The Dark Sun

Just tried it and I like the new look page.

faraaz

Banned

Join Date: Feb 2008

India

Hey Mallyx [icU]

A/

I like the new one better...I'd forgotten the log in for one of my accounts on the XTH site earlier and anet support is ghey. This solves my problem nicely.

Raccoon

Frost Gate Guardian

Join Date: Sep 2007

Me/A

I'm not an idiot when it comes to computer safety, but then again, I wouldn't take a chance on a three year old account for some zaishen keys.

So far the only people I see in this thread who think this is a positive move are the people who forgot their login information.

faraaz

Banned

Join Date: Feb 2008

India

Hey Mallyx [icU]

A/

You would think that.

Refer earlier posts regd how basic common sense = not getting hacked.

AresInferno

Ascalonian Squire

Join Date: Jul 2007

GROG

R/

Using your account was a great idea. If you think it means your account is less safe then use a better password and a more secure browser as well as set up security measures on your router / computer.

I could never use it before. I forgot the account name and password for whatever account I created. It was the account that my actual in-game account was tied to so I could not just make a new account. I could not retrieve my original account as I didn't know the username and password and the e-mail it used was inactive so I couldn't exactly request my username / a new pass. Now I can. Great.

Chthon

Grotto Attendant

Join Date: Apr 2007

I think it's a bloody terrible idea.

1. Makes Phishing for GW accounts easier.

2. Assurances of security aside, NCSoft has shown in the past that they have problems writing a secure site. Anyone remember the cross-site scripting vulnerability that Pablo had to beat them over the head with in order to get fixed?

3. SSL is itself broken. Even if the NCSoft site itself is perfectly secure, we're still at risk. To respond to an earlier post, no, no one is going to go through the effort of breaking SSL to get one single person's GW login info; but they sure as hell are going to think about creating a fake SSL Cert to collect thousands of logins.

I would much, much, much rather have a totally separate login for XHL.

Apollo Smile

Wilds Pathfinder

Join Date: Jan 2008

[LORE]

E/Mo

Quote:
Originally Posted by Chthon View Post
I think it's a bloody terrible idea.

1. Makes Phishing for GW accounts easier.

2. Assurances of security aside, NCSoft has shown in the past that they have problems writing a secure site. Anyone remember the cross-site scripting vulnerability that Pablo had to beat them over the head with in order to get fixed?

3. SSL is itself broken. Even if the NCSoft site itself is perfectly secure, we're still at risk. To respond to an earlier post, no, no one is going to go through the effort of breaking SSL to get one single person's GW login info; but they sure as hell are going to think about creating a fake SSL Cert to collect thousands of logins.

I would much, much, much rather have a totally separate login for XHL.
NCSoft doesn't equal ArenaNet.

Also if SSL is broken why is it the industry standard for websites?
If it's safe enough for online banking (which is much more important), it is fine for a freakin' video game.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Apollo Smile View Post
NCSoft doesn't equal ArenaNet.
NCSoft runs the site.

Quote:
Also if SSL is broken why is it the industry standard for websites?
Because no one can be assed to fix it. Creating a new cryptographical standard is not exactly easy. Neither is convincing the entire farquing internet to upgrade to the new standard. Especially when upgrading costs money, it's just sooo much easier to do nothing, pretend it's not a problem, and hope the well-organized, well-funded attack that's eventually coming hits someone else. Moreover, since it's so easy to convince people (such as yourself) that SSL is "good enough," it's easy to place all the blame on the hacker when something does happen.

Quote:
If it's safe enough for online banking (which is much more important), it is fine for a freakin' video game.
Newsflash: Internet banking is not safe.

jon0592

Wilds Pathfinder

Join Date: Jan 2006

N/

All these claims of insecurity...lol.

Well for me, I like it a LOT because I forgot the ID and pass that was linked to my main account. I forgot pretty much all the details and now I can use it again.

Professor K

Frost Gate Guardian

Join Date: Jan 2009

Mo/A

Quote:
Originally Posted by Chthon View Post
NCSoft runs the site.



Because no one can be assed to fix it. Creating a new cryptographical standard is not exactly easy. Neither is convincing the entire farquing internet to upgrade to the new standard. Especially when upgrading costs money, it's just sooo much easier to do nothing, pretend it's not a problem, and hope the well-organized, well-funded attack that's eventually coming hits someone else. Moreover, since it's so easy to convince people (such as yourself) that SSL is "good enough," it's easy to place all the blame on the hacker when something does happen.



Newsflash: Internet banking is not safe.
http://www.guildwars.com - ArenaNet
http://us.ncsoft.com/en/guild-wars/ - NCSoft

Now which one features the Xunlai House?

Again, if you are paranoid of everything internet related you have no place to complain.

Apollo Smile

Wilds Pathfinder

Join Date: Jan 2008

[LORE]

E/Mo

Quote:
Originally Posted by jon0592 View Post
All these claims of insecurity...lol.

Well for me, I like it a LOT because I forgot the ID and pass that was linked to my main account. I forgot pretty much all the details and now I can use it again.
Yeah. It's a wonder how some of these people even manage to check their email without hyperventilating.

1337 H4X

Academy Page

Join Date: Apr 2009

SNOW

I reckon there should be an option, just simply two log in boxes side by side, your choice which one you use. Straight info for me for convenience, ncsoft account for those with security issues

refer

Jungle Guide

Join Date: Jan 2009

US

I'm coming after all of your accounts! Not really but if it's so insecure and you all have ideas of exploits, why haven't any accounts here been stolen yet? Or for that matter, on any other sites?

Arlan

Frost Gate Guardian

Join Date: Jun 2005

FaT

Mo/

Just been onto XTH after a while away - noticed the completely redesigned site (which I really liked - I can now select a player/team from the top of the list and place them in position 8!!!) then noticed that you now log in with your GW account details.

Checked it was encrypted (padlock sign) and carried on.

Thought - bound to be a thread in Riverside (I hate it / I love it / why they take so long ) - and look what I found.!!

Quote:
Originally Posted by tigros View Post
I assume you people haven't heard of things like single sign-on's...

This has nothing to do with 'single sign on' - (something I am very familiar with). If you signed onto your GW account - then was able to go to XTH without logging in again it would be single sign on - but you can't - so it's not.

Quote:
Originally Posted by eht123 View Post
The fact that we now have to take extra precautions of this nature pretty well shouts that the new scheme is less secure than before...
This is standard internet security - it's not 'extra precautions' - it's what you should be doing anyway!!!!

ANY scheme that asks you for the same profile and password you use for something else is less secure. Stands to reason.

A public website, simply because it is a website, is more prone to attacks and various skullduggery (technical term!!) to get profiles and passwords.
That they have 'upgraded' the site security (hopefully to minimum basic 128 bit SSL encryption) IS good enough.
Your log on credentials are more likely to be stolen from a website as opposed from your client side log in to the game itself.

It is 'unlikely' a secure website will allow xss or any of the other nasties out there. Obviously the black hats are always working on ways to break any security on any website. It's always the new stuff that causes problems.

These points stop over 90% of internet related hacks:

A 'strong' password - include a number/character/capital(s) - should stop any brute force attempts.
Don't tell anyone your account details - ever.
Don't click on a link in an email or unknown website page - go to XTH from the main website or type in the url yourself.

Before this change - if you did get hacked - you would lose your armour and Ninja blind fold.
After this change - you would lose your armour etc and then they might do some really really bad predictions for you so you don't get ANY points!!!!
'OUTRAGEOUS!!!!!'

OK - I agree - it is less secure to have the same log in credentials as there are now more ways for those credentials to be mined.
If the website is as secure as they say then I can't see the problem. - it all depends on what your perception is on internet security.
Internet Banking, amazon, ebay, etc - all far more likely to be a concern - and these sites, to a large degree, don't have problems - so why be concerned about XTH?

Change your password and make your predictions.

Enjoy!!!!

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

I don't know if this has anything to do with the change of logging in xth with the real gw accounts users name and passwords but my account which I have been very careful with for 4 years, I even use the onscreen keyboard to login, and I do not save my account info on the web browser but I cannot access 3 of my accounts anymore today. For 4 years I never have a problem and now this. This is very distressing.


Do you know what is the most idiotic thing that comes with the merge? Since now you need to use the same info to login to access the ncsoft support page, something like this happens you cannot login to the ncsoft support page to open a ticket.

Hence I use the email support to send the support ticket, and the email reply directs me to update my support ticket on the ncsoft support page which I cannot access in the first place.

How about that. Moronic. Huh.