plaync website takes a step backward in security

Black Metal

Desert Nomad

Join Date: Jan 2009

N/

Unless things like this get serious attention for GW2, this will be a big check in the 'reasons not to buy GW2' column.

Martin: as others have stated, if an account rollback option is not instated for GW2, you will be at a serious competitive disadvantage.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by Martin Kerstein View Post
-snip-
Holy crap! Someone from the CR department actually replied to us here on the lowly GW1Guru rather than GW2Guru? Shocking.

By the way, account support is terrifyingly bad. You guys should work on that.

Quote:
Originally Posted by Martin Kerstein View Post
We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever.
You sure 'bout that? Gaile's support page has been pretty goddamn busy the last two weeks for "no increase" in stolen accounts.

Oh, and the accidental fraud blocks are back. NCSoft should seriously be ashamed. These are disgustingly blatant security problems and you're getting a bad rep for them. Go to any other game and Guild Wars is known as "that game with all the hacks and bots". No joke.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

a rather large /FACEPALM is needed here.


WHY in the WORLD would you ever REMOVE a security feature??????????????? That is just plain asinine! You dont EVER downgrade security ....its one of the few places that its still really really....really needed!

oy (my reasons to not buy gw2 are quite a lot, but this would indeed add another to the list)

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Martin Kerstein View Post
After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately.
Please explain the following, then:

1) Why did the rash of hackings slow considerably after implementation of the character name security feature in the client?
2) Why did it stop entirely after the discovery on New Year's and the introduction of the feature you just removed?
3) What was the cause of the hackings? The explanation repeatedly advanced by CR's (social engineering) does not fully explain the observed pattern of hackings. Social engineering works on people that practice poor security habits. But people that practice good security habits also got hacked. Therefore, something else must also be at work.

I'm sorry to inform you that this is what the situation looks like from our side:

- You are experiencing a higher volume of Support cases due to the feature.
- This is costly, and you want it to stop.
- You also do not wish to assume responsibility for the hackings, because that would imply an obligation to correct the situation.
- Therefore, you are continuing to lie about the cause of the hackings in order to save money.

If this is not true, please provide the information that would conclusively demonstrate that you are being honest with us. If you continue to make assertions without evidence we can observe, as above, we will continue to infer that you are jerking us around. That is damaging your relationship with your players. We (OK, some of us) understand business decisions. We don't understand or accept being lied to.

billypowergamer

Frost Gate Guardian

Join Date: Aug 2006

The security of everyone's accounts should not be compromised because some find it inconvenient to protect themselves or because the company does not want to be bothered with it. Martin hit it on the head. This really makes me start to question Anet's reasoning.

Gill Halendt

Desert Nomad

Join Date: Mar 2008

This is absolutely absurd. Both NCSoft and ANet act like amateurs.

AuraofMana

Wilds Pathfinder

Join Date: Jun 2005

Georgia, US

Whoever thought of this, tell him he fails at the basic rule in software engineering: Nothing is 100% safe. Why do you think software and databases measure their services in terms of how many 9's they have? Because they know they'll never be 100% reliable and safe. The highest people get are 5 or so 9's: 99.999%. Whoever your lead programmer is, he should have come out and pointed this out. A freshman in college understands this, but a full-blown game development company doesn't?
So many games fail because of terrible support like this. Examples have been laid out in front of you and you still don't learn from it? What's the point of playing your game if botters kill the economy and hackers trash my account?
NCSoft is a Korean publisher, and Korean MMORPGs suck. They suck because all they offer are repetitive grindfests, security loopholes for botters and hackers, and terrible customer service. GW is turning into one of those.

coil

Krytan Explorer

Join Date: Aug 2007

are you serious??

Quote:
Originally Posted by http://wiki.guildwars.com/wiki/User_talk:Gaile_Gray/Support_Issues#Update:_Security_Issues
Now, if you think about it, no one has more of an incentive than the company to find a breach or any sort of security issue because it's in the company's best interest to address it pronto. And no one has more of an incentive and more of a reason than the company to keep their customers' accounts secure. It would be foolish to remove needed security if there was a risk. I confess my first thought was "Leave it in place," but as I mentioned, no one proved there was a risk and no account histories exposed a breach. The teams monitor account thefts carefully and if a situation calls for it, measures will be taken to boost the security requirements. But at this point, the extra step doesn't strengthen the system and it prevents players from working on their own accounts -- accounts they've accessed through security -- so the team decided it was reasonable to remove the extra requirement.
so because some moron can't remember his GW login password, you're going to DECREASE EVERYONE ELSE'S security levels??????

i used to think ncsoft was the source of all the bullshit...now i'm starting to wonder.

btw, whoever the "team" is that decided it was reasonable to remove a security feature should be fired.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Martin Kerstein View Post
After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system.
Which suggests two possibilities: Either the breaches didn't exist, or they exist(ed) but your security teams weren't good enough at their jobs to find them. Given that (1) the pattern of volume of reported account thefts was consistent with a security breach and no other theory (and certainly not the "it's just social engineering" theory you've put forth), and (2) numerous credible individuals on these forums reported various security flaws in detail, I really have to conclude that the flaws exist(ed) and the problem is with your security team.

Quote:
This means that the delays that customers were experiencing related to account resets added no value from a security standpoint.
1. There is very strong evidence that this particular security feature works directly to stop whatever method was being used to steal accounts during the peak theft period.

2. Even if you are correct that there is currently no known security flaw that necessitates this feature, this feature goes a long way to protect against most conceivable but currently unknown security flaws. Why on earth would you open yourself up to suffering maximum damage from the next vulnerability uncovered (not to mention the previous vulnerability which I doubt you've fixed) when you know exactly how to avoid it?

Quote:
We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever.
I do not keep track of the volume on Gaile's talk page, but several folks here seem to disbelieve that claim. Care to provide hard numbers to back that up?

I'm going to have to concur with Martin Alvito's assessment of the situation: The rationale you provide for this decision is not convincing, at all. It only serves to feed my worst suspicions about NCSoft and a-net's competence, motivations, and priorities, and to reinforce my highly negative opinion about NCSoft and a-net that was created by the way the original theft outbreak was mishandled. I'd say that this is the sort of thing that might lead me to decide not to buy GW2, but that wouldn't be true -- I already made that decision when I saw how badly the original outbreak was handled. This merely strengthens my resolve not to depart from that decision, no matter how fancy the preview screenshots may look.

Mangione

Lion's Arch Merchant

Join Date: May 2007

@Kerstein: Is this for real?

Wasn't there a security hole that allowed people to get into NCSoft Master Accounts of other users without knowing username and passwords?

It did not require any exceptional hacking skill. It required nothing at all: just accessing NCMA with your own credentials gave a small chance of ending up in someone else's Master Account.

Weren't there some RMTers who abused this security hole to take over some GW accounts just by "casually getting" into other people's NCMA and then simply changing the password?

How many people found their accounts hacked and, to add insult to injury, were then blamed for being stupid/lax in security/botters/RMTers?

Sorry for being bitter, but if some people have problems finding their old passwords it is THEIR problem. You can't solve it by putting at risk all other people's accounts. Removing a security feature for everyone because some people fail to keep their passwords is simply unbelievable.

Alesa

Ascalonian Squire

Join Date: Mar 2006

Quote:
Originally Posted by Martin Kerstein View Post
Gaile posted an update on her support page on this issue:

In December of 2009, players raised concerns about the security of NCsoft Master Accounts. While we investigated those concerns, we added a second layer of security that required players to input their game password before making a change, even though they already had logged into their NCMA and had passed its security measures.

After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system. This means that the delays that customers were experiencing related to account resets added no value from a security standpoint. We removed the second password requirement a few weeks ago. We have monitored daily for any upswing in stolen accounts and have seen no increase whatsoever. We will continue to monitor the situation and if we notice any adverse effects as a result of the change, we will address the issue immediately. Please see Gaile's Support Page for more detailed information.
I'm sorry but I don't understand this either. Who cares where the security breach was at this point? I mean yeah, good job for investigating, finding out it wasn't you. But the feature worked. If the increase in account thefts came from keyloggers, social engineering, websites, stupidity, it didn't matter. You had fixed the problem. A much bigger problem than just "I can't remember my password".

Gill Halendt

Desert Nomad

Join Date: Mar 2008

Quote:
Originally Posted by Alesa View Post
A much bigger problem than just "I can't remember my password".
Even more absurd is they need to drill a hole in their security system because they have no way to recover a password for the legitimate owner of an account.

refer

Jungle Guide

Join Date: Jan 2009

US

This is epic bullshit. Shut the website down then if it's not safe, or shut Guild Wars down!

And to the people who don't remember their password or name after a couple years: ... WHAT THE [censored>go red]!? I can understand not knowing your character name since it was just added* but your ID or password!? How can you be such an idiot? You should have written that information down on a flash drive or in a book... hell stick it under your bed/in a safe/somewhere where it won't get lost. This is common sense 101. And make sure to back it up after too. Maybe this incident will teach them. Even Windows 7 has a built in password vault/storage system with handy backup feature!

*Although to solve this problem, they should just not check for a character name the first time somebody logs in after it's been implemented and then have a popup telling them to remember it from now on.

ilr

Academy Page

Join Date: Mar 2010

[Abandoned acct]

Quote:
Originally Posted by Shanaeri Rynale View Post
Imagine a bank saying 'we've tested our security and since no one has hacked us yet and passwords are such a pain to the customer we've decided to remove them from our online banking system'
Banks are different; their profits are funded by the taxpayer now, so they can leave the vaults open all they want or even connected to a series of tubes that takes the money straight to Vegas.

azizul1975

Lion's Arch Merchant

Join Date: Jul 2007

GMT+8

The Elite Guard of Tyria (TEGO)

Mo/

I have to say that something is just not right at NCSoft right now. Since Wednesday last week, my account has been hacked twice.

On the first hack, all my gold was gone and all my gear was salvaged, totaling a loss of around 1 mil.

On the second hack, they removed my characters and replaced them with their own.

this is very serious indeed. i might put the "immediate purchase" of GW2 on hold if this goes on...

Yol

Wilds Pathfinder

Join Date: Feb 2007

GameAmp Guides [AMP]

E/

Removing any security feature is just beyond idiocy. If Anet think that NCsoft is acting in the interest of the players by doing this, they need to have a long hard think about the message that this is sending out, and how it may impact on GW2 sales.....even worse if ncsoft master account is needed for transferring achievements via the HoM.

However, one thing that did occur to me is that there appears to be a correlation between a new rise in hacked accounts and the rise in the use of bots in pvp. Admittedly, correlation doesn't always prove cause-effect, but I wonder how many of the hacked accounts have downloaded the pvp bot programmes? http://www.guildwarsguru.com/forum/p...t10436129.html

Killed u man

Forge Runner

Join Date: Feb 2006

Clearly Anet realizes GW is done for. They're now trying to rake in loads and loads of money by having everyone get hacked, hoping they would buy new accounts.

On a more serious note, is it me, or is the NCsoft support site down?

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

NCsoft/ANET presenting the removal of the security feature as helping the players is pretty bad. It sounds all nice, and like NCsoft/ANET cares about the players first, but be honest and say it: it costs less and is quicker to have players use the automated password reset feature.

The fact is that after the security features were implemented the rash of hacked accounts stopped. I cannot believe that this is being trumped by the extra inconvenience and extra time of going through support to reset a password.

Our security is being sacrificed because people are too stupid/lazy to remember their passwords, and their stupidity and laziness is costing NCsoft/ANET money to support these idiots.

Our security is more important than their inconvenience!!!!!!!!!!!!!

Now that support people have more time, why is it that we have not seen a direct reduction of bots in the game???

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

@ANet: These security decisions and explanations thereof are just ludicrous. When you took away that extra password layer, you left us hanging by a thread instead of two threads. You can point the finger around all you want, but the fact is that you totally dropped the ball by not providing the basic and minimally acceptable security measures that are fully within your capabilities and control (such as character locking to prevent deletion, or any of the dozens of other strategies covered in depth in these forums.) Any number of these would be sufficient all by themselves to keep our accounts safe, despite the antics of NCSoft and RMT hackers or whatnot.

Emily Diehl

Academy Page

Join Date: Apr 2010

ArenaNet Home Base

N/Me

Heya guys,

We see that a lot of you have concerns about our changes to how you log into NCsoft.com to manage your Guild Wars account, so here’s an explanation that may help you understand exactly what we did a little better.
  • To be clear (since I think some folks are mixing up a few different topics here), you still need to log into your NCsoft Master Account to manage your Guild Wars account. The change is that you now no longer need to enter your Guild Wars password after that to get into the game account management section. Here are some things to keep in mind:

    • The only things you can actually do from the Guild Wars account management screen on the NCsoft website are change your game password, add a serial key to your account, or download the client. So unless some nice hacker wants to buy you something and put it on your account for you, the main thing that people worry about here is the password angle.
  • Let’s go worst case scenario and say a hacker does somehow know your NCsoft Master Account name and your NCMA password. They manage to get onto your account management page and change your Guild Wars password. What now? Well, if you guys remember:

    • You still need to know a character on your account to log into the game! So not only would this hacker need to know your NCMA credentials, but he would also have to know a character that’s on your account.

    • There’s no good way for a hacker to have this information…especially not from anything NCsoft related, since we don’t list that information anywhere. And your Guild Wars account name is even different than your master account name, so that’s a lot of information for someone to get in order to piece together a way to get in and mess with your characters.

So, you can see here, that even though the second password requirement was removed, it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.

We are not removing the character name requirement functionality in game, and (as we’ve stated in the past), as SOON as we implemented that measure, we noticed a phenomenal drop in account hacks and thefts.

I know that some of you may doubt us on this, but I’ve personally talked to Gaile and other members of the support team and have heard them say definitively that there was not an increase of account thefts or hacks since we removed the second log-in barrier. What we HAVE seen, though, are more players being able to get back in the game quicker when they forget their passwords and need to reset them.

Let's face it. When you want to log in and check out a game you paid for (but may not have played for a while), there’s nothing more frustrating than being locked out of your own account. And when you try to log into the game’s website to fix that issue, but are then being asked for the password you already know you forgot in the first place, that’s just annoying. Then you have to fill out a ticket and wait for someone to answer it to get help. We’ve all played games long enough to know that’s not the place you want to be, because when you want to play something, you want to play it now. You don’t want to sit and wait on a support ticket.

Anyway, I hope this helps you guys understand a little more about our reasoning behind the changes. I hope you understand that security is taken very seriously here. We want people to play our games, so why wouldn’t we care about people getting hacked and quitting? That doesn't make any sense. We all know that the rash of stolen accounts last year was bad news, and no one wants to see that happen again. But we're not going to keep a change that isn't really improving security just because it makes it look like things are more secure. That doesn't help anyone.

I’d also like to mention that we’re more than willing to answer questions about the topic, but you should keep a few things in mind:
  • Security is a sensitive topic, so there may be things we can’t really go into detail about. For example, we didn't talk about requiring character names before we did it. If we'd said anything, that just would have tipped off account thieves about it.
  • Phrase your questions and concerns in a constructive way that can help everyone in the discussion. We come to the forums to share information with you, not for flame wars or to give attention to trolls. A thread that's on topic lets us focus on getting you the information you need. Having a differing opinion is completely cool, but being aggressive and attacking us over things you’d like explained isn’t. We’re not asking you to be carebears, but come on now. You all know the difference between raising concerns and trolling. Don't be that guy.

Hopefully this helps a bit! If you're still confused or worried about anything, let us know and we’ll try to help!

Alesa

Ascalonian Squire

Join Date: Mar 2006

Thanks Emily for that well-thought out and lengthy response. It alleviated my fears. I do have to mention though that an announcement like this beforehand would have done wonders rather than just waiting for the community to stumble across it. You can't fault us for being a bit up-in-arms when something like this is done with no explanation and it almost seems that the mentality of NCSoft/ArenaNet in this case was that they were hoping no one would notice. It could have prevented a lot of negativity. Regardless, I thought your explanation was top-notch so thanks again.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Emily, the NCsoft master account security is weak, to say the least. That's why we had such a rash of hacks.

It's also why the character name requirement worked - because that's the one thing a thief CAN'T get from the NCsoft master account, once they've glitched their way in.

Even better when the "enter old password" requirement was added, in order to change GW password using the NCsoft master account. We felt like we had something approaching decent security.

But now the "enter old password" requirement is gone... and our character names are our ONLY protection against attacks via the NCsoft master account. Character names are therefore to be guarded at all costs.

That sucks. Because now I do not dare to post my character name anywhere. I can't post screenshots without editing them. I can't arrange trades, parties etc on sites like this. I can't post in-game videos because it's too difficult to remove all trace of my character name. I even have to hide my RL identity, email etc from my own guild-mates... since they can easily see my character names.

I actually had to pay to re-name every character whose name I had posted on forums in the past - because I can't risk thieves getting into my NCsoft account, and then somehow figuring out my forum ID (eg. using the email addresses and/or ID's that were stolen from sites like guru)... and then finding old posts containing my character names... in locked threads that I can't edit.

How can anybody think this is an acceptable state of affairs?

You compromise EVERYONE'S security, just because a TINY MINORITY of morons can't remember their own password.

The requirement to enter the old password, before setting a new one via the master account... needs to be put back.
Or at least - have new passwords randomly generated and emailed to the account owner.
(Password resets for the master account itself work like that - it's one of the few good things about it).

And that's as a bare minimum - NCsoft security still sucks even with that added. Ideally, we should be allowed to completely unlink our GW accounts from NCsoft.

And for the love of God - DON'T MAKE US LINK TO NCSOFT MASTER ACCOUNTS WHEN GW2 COMES OUT.

insanethemadone

Ascalonian Squire

Join Date: Dec 2009

Quote:
Originally Posted by Emily Diehl View Post
So, you can see here, that even though the second password requirement was removed, it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.
I don't post a lot on this forum, but after reading that wall of text I couldn't resist posting....
From that wall of text the only thing worth quoting was a few lines, and even that is laughable....
Character name is a "HUGE WALL"??? Yeah..... NO

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

Quote:
Originally Posted by Emily Diehl View Post
Heya guys,
  • Phrase your questions and concerns in a constructive way that can help everyone in the discussion. We come to the forums to share information with you, not for flame wars or to give attention to trolls. A thread that's on topic lets us focus on getting you the information you need. Having a differing opinion is completely cool, but being aggressive and attacking us over things you’d like explained isn’t. We’re not asking you to be carebears, but come on now. You all know the difference between raising concerns and trolling. Don't be that guy.

Hopefully this helps a bit! If you're still confused or worried about anything, let us know and we’ll try to help!
Since it really looks like this is not going to be changed back, are there any other security measures being looked at to replace it which would not slow down the password reset process too much for the forgetful people?

Would it be possible to rework the email notification procedure? Getting the email from the NCMA site stating that your account password has been changed is not useful. Being informed after the fact that your password has been changed does not help at all, since the accounts have been stripped of all valuables within the hour.

An email with a verification link would not slow down the process much at all and would still provide security for people. This email should be sent any time a password change is requested at the NCMA site. The email would require the requesting person to click the link to certify that this is what they want to accomplish. This email must go to the account that the person uses to log into Guild Wars and not an email address changed at the NCMA site.

This would slow down the reset process by the amount of time it takes someone to get and reply to the email.
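The confirm-before-apply reset proposed in this post, written out as an added example (constructed here; it is not code from the thread or from NCsoft, and the account ids, e-mail addresses, server key and confirm URL are placeholders). The change is staged, a single-use, time-limited link is mailed to the login e-mail rather than the editable contact address, and nothing is applied until the link is used:

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the stored nor the staged secret is plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordChangeFlow:
    """A password change is staged and applied only after the owner follows
    a single-use, time-limited link mailed to the login e-mail (the address
    the game account is tied to), never to the editable contact address."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 900, clock=time.time):
        self.server_key = server_key
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be exercised offline
        self.accounts = {}      # account_id -> login_email, contact_email, salt, pw_hash
        self.pending = {}       # token_id -> staged change
        self.outbox = []        # constructed stand-in for the mail server

    def add_account(self, account_id, login_email, contact_email, password):
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = {"login_email": login_email,
                                     "contact_email": contact_email,
                                     "salt": salt,
                                     "pw_hash": hash_password(password, salt)}

    def _mac(self, token_id, account_id, email, expires):
        # Bind the token to the account, the destination address and the deadline.
        msg = f"{token_id}|{account_id}|{email}|{expires}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def request_change(self, account_id, new_password):
        """Stage the change and mail a confirmation link; returns the token."""
        acct = self.accounts[account_id]
        token_id = secrets.token_urlsafe(24)
        expires = int(self.clock()) + self.ttl
        email = acct["login_email"]         # not the contact address edited on the site
        salt = secrets.token_bytes(16)
        self.pending[token_id] = {"account_id": account_id, "email": email,
                                  "expires": expires, "salt": salt,
                                  "pw_hash": hash_password(new_password, salt),
                                  "used": False}
        token = f"{token_id}.{self._mac(token_id, account_id, email, expires)}"
        self.outbox.append({"to": email,
                            "link": "https://example.invalid/confirm?token=" + token})
        return token

    def confirm(self, token):
        """Apply the staged change only for a genuine, unused, unexpired token."""
        token_id, sep, mac = token.partition(".")
        rec = self.pending.get(token_id)
        if not sep or rec is None or rec["used"]:
            return False
        expected = self._mac(token_id, rec["account_id"], rec["email"], rec["expires"])
        if not hmac.compare_digest(mac, expected):
            return False
        if self.clock() > rec["expires"]:
            return False
        rec["used"] = True                  # single use: a replayed link does nothing
        acct = self.accounts[rec["account_id"]]
        acct["salt"], acct["pw_hash"] = rec["salt"], rec["pw_hash"]
        return True

    def verify_password(self, account_id, password):
        acct = self.accounts[account_id]
        return hmac.compare_digest(hash_password(password, acct["salt"]),
                                   acct["pw_hash"])


def demo():
    """Walk the flow once; the account, addresses and key are constructed."""
    flow = PasswordChangeFlow(server_key=b"constructed-server-key")
    flow.add_account("gw-player", "owner@example.invalid",
                     "contact@example.invalid", "old-pass")
    # Someone with site access edits the contact address, then requests a change:
    flow.accounts["gw-player"]["contact_email"] = "thief@example.invalid"
    token = flow.request_change("gw-player", "new-pass")
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "mailed_to": flow.outbox[-1]["to"],              # still the login e-mail
        "changed_before_confirm": flow.verify_password("gw-player", "new-pass"),
        "tampered_rejected": not flow.confirm(tampered),
        "confirmed": flow.confirm(token),
        "replay_rejected": not flow.confirm(token),
        "new_pass_works": flow.verify_password("gw-player", "new-pass"),
    }


if __name__ == "__main__":
    print(demo())
```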

jray14

Krytan Explorer

Join Date: May 2005

NC, USA

Ohm Mahnee Pedmay [Hoom]

Yes, this is another of my favorite should-have-done-long-ago items:

Quote:
Originally Posted by Tullzinski View Post
An email with a verification link
It just baffles me why you instead rely on a *character name* for security. Did it occur to you that we might want to actually publicize our character names from time to time, so that we could trade items, plan in-game gatherings, socialize, role-play and so forth? And $15 a pop for name changes, how convenient. Methinks the security team lost a bet to the marketing team.

I guess it's good that you're not seeing another account theft increase (yet) from this latest security lapse, but the theft rate is already way too high as it is. It's immature to argue that something's okay just because it's not getting worse. You could get the hacking down to practically zero with a few simple measures that have already been covered here many times, ya know.

Loralai_gw

Pre-Searing Cadet

Join Date: Mar 2007

Quote:
Originally Posted by Emily Diehl View Post
The only things you can actually do from the Guild Wars account management screen on the NCsoft website is change your game password, add a serial key to your account, or download the client. So unless some nice hacker wants to buy you something and put it on your account for you, the main thing that people worry about here is the password angle.
I would like to point out the convenient fact you left out: our personal information is visible, such as name, address, phone # and the other NCSoft games we play.

Quote:
Originally Posted by Emily
There’s no good way for a hacker to have this information…especially not from anything NCsoft related, since we don’t list that information anywhere. And your Guild Wars account name is even different than your master account name, so that’s a lot of information for someone to get in order to piece together a way to get in and mess with your characters
I think the previous poster summed this up nicely so I'll quote again.

Quote:
Originally Posted by jray14
It just baffles me why you instead rely on a *character name* for security. Did it occur to you that we might want to actually publicize our character names from time to time, so that we could trade items, plan in-game gatherings, socialize, role-play and so forth? And $15 a pop for name changes, how convenient . Methinks the security team lost a bet to the marketing team.
And this is the most baffling of all:
Quote:
Originally Posted by Emily
I know that some of you may doubt us on this, but I’ve personally talked to Gaile and other members of the support team and have heard them say definitively that there was not an increase of account thefts or hacks since we removed the second log-in barrier. What we HAVE seen, though, are more players being able to get back in the game quicker when they forget their passwords and need to reset them.
How long and how hard did the community have to fight just to get an extra level of security in here? ArenaNet certainly had no plans to do this on our behalf. Only after we kicked, yelled, publicized and screamed did you guys put in extra security to protect us. Not to mention that for a long while you guys refused to even acknowledge there was a significant increase in hackings going on. Excuse me for saying it, but your track record in this area is less than stellar. Now we are supposed to stand back and believe you, when you guys have continually shown you are not proactive but reactive? Even the announcements from Gaile and yourself show the players that nothing has changed; once again you are reactive. You will continually react and leave us in the dark and blind until we throw a temper tantrum before you lift a finger in terms of account security.

Quote:
Originally Posted by Emily
Let's face it. When you want to log in and check out a game you paid for (but may not have played for a while), there’s nothing more frustrating than being locked out of your own account.
Wrong again. Having your account stolen is more frustrating. Having your items stolen from your account is also more frustrating.

I apologize for doing the line dissection, as things frequently get taken out of context that way, but as seriously as you guys say you take our security, we take it just as seriously. It's frustrating that you would take a step backward. I appreciate that now you are being frank with the community, but there is no way you can argue that this is not a step back, that you haven't lifted an additional security measure. That is what is confusing most of us. You have traded our security for convenience. And I don't think there's any of us who are buying that it was done for the players. This was done to make support's job easier. To take a few more tickets off their hands is all.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

I am having difficulty reconciling these two statements:

Quote:
Originally Posted by Martin Kerstein View Post
After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system.
Quote:
Originally Posted by Emily Diehl View Post
We are not removing the character name requirement functionality in game, and (as we’ve stated in the past), as SOON as we implemented that measure, we noticed a phenomenal drop in account hacks and thefts.
given that social engineering would have yielded IGNs along with e-mails, PlayNC IDs and passwords at the time the security measure was implemented.

Also, I spent a little time in a PlayNC account earlier and I see you have made changes! You've replaced the easily hacked birthday security question on password resets with a security question requiring an e-mail address for accounts opened on the website, and you are indeed sending out e-mails rather than permitting direct password resets on the site. These are quality improvements that I pushed for back in December, and I am glad to see that you listened. However, implementing them does tend to give the lie to:

Quote:
Originally Posted by Martin Kerstein View Post
After extensive research, the Guild Wars and NCsoft teams were unable to identify any security breaches in the NCsoft Master Account system.
since there is no reason to expend effort to close nonexistent security holes.

You still need to implement proper security questions for PlayNC accounts originally set up through the client.

In short, I accept Emily's reasoning behind removing the protection on the reset mechanism given the update that e-mails passwords (good post, BTW), but some work remains and I still don't fully understand why ANet continues to stand behind a story that the evidence is not consistent with.

EDIT: Like the posters above, I would like the option to permanently hide personal information. Your site remains a treasure trove for identity thieves should someone use more advanced tactics to bypass authentication entirely.

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

I have another observation.

I am at the https://secure.ncsoft.com password reset portion for my guild wars account on the NMCA site and I am getting this notice:

Your password should be between 8 and 13 characters, beginning with a letter, and containing only numbers and letters. It must contain at least one number.

NMCA will not allow special characters, while the in-game Guild Wars login password reset allows special characters. This is another example of poor security on the NMCA site.

Can this be fixed please? We should not be limited to numbers and letters only on NMCA.


For users that do not want your name, address and phone open for the world to see, I recommend using fake addresses and phone numbers. I have had bogus info in there since 2007 and have not had any issues.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Special characters are nice, but alphanumeric will get the job done. Using a random string of numbers, caps and lower case, we get 62^13 = 2 * 10^23 possible combinations. Restricting the first item to a letter still makes it 52 * 62^13. That's plenty.

All special characters do is let you be lazier about your passwords and get away with it.

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

Quote:
Originally Posted by Martin Alvito View Post
Special characters are nice, but alphanumeric will get the job done. Using a random string of numbers, caps and lower case, we get 62^13 = 2 * 10^23 possible combinations. Restricting the first item to a letter still makes it 52 * 62^13. That's plenty.

All special characters do is let you be lazier about your passwords and get away with it.
Makes no sense having less options when it comes to security. ANET and NCsoft should be on the same page.

How many combos do you get adding in special characters? It is not fewer combinations. Right?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

The sufficiency of a password protection system (or any encryption system, for that matter) is a math problem. Nothing is 100% secure. The more complex the authentication/encryption, the longer it is likely to take to break the system by guessing. We can calculate the odds of cracking a password by brute force in any given period by dividing the number of attempts possible in that period of time by the total number of possible combinations.

Suppose that a computer system can randomly attempt one forced entry per second. There are 60*60*24*365.25 seconds in the average year, or 31,557,600 attempts in a year. At 52 * 62^12 possible alphanumeric combinations, it would take 5,316,179,672,874,071 years to guarantee cracking the account given that rate.

It follows that a computer system would have to be able to conduct a quadrillion attempts per second to have a 20% shot in a single year at cracking a single truly random, 13 character alphanumeric password where caps are permissible. That's a lot of PCs.

Special characters do increase the total number of alternatives, but brute forcing a secure alphanumeric password is already impossible. So all those special characters do is let you get away with non-random, easier to remember passwords and confer the illusion of additional security. They aren't really necessary.

Further, the above assumes that NCSoft security is sufficiently incompetent (and that the server is sufficiently powerful) that no one would notice and react to such an upsurge in traffic. Given the nightmare that was logging in during the free storage pane promotion, I conclude that there is no way the second proposition is true.

One problem that the site used to have was that you did not have to get in through password authentication. You could use the password reset function (which had weak security protocols due to the use of birthdays as the security question) to get in without ever having to know the password or access the associated e-mail account. This permitted brute force access in very reasonable time frames without the need for ridiculous numbers of access attempts that would be noticed.
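
The arithmetic in the post above, worked out in code for the NMCA policy Tullzinski quoted (8 to 13 characters, letter first, alphanumeric only, at least one digit). This is an added example, not NCsoft or ArenaNet code; the 32 "special" characters and the 100-year birthday window are assumptions used only for comparison.

```python
"""Brute-force cost of the NMCA password policy quoted in this thread.
Added example, not NCsoft or ArenaNet code; the 32 "special" characters and
the 100-year birthday window are assumptions used for comparison only."""
import string

LETTERS, DIGITS, SPECIALS = 52, 10, len(string.punctuation)  # 52, 10, 32
SECONDS_PER_YEAR = 60 * 60 * 24 * 365.25                   # 31,557,600 (as in the thread)


def keyspace(length, alphabet=LETTERS + DIGITS, first_letter=True, require_digit=False):
    """Count passwords of exactly `length` characters drawn from `alphabet` symbols.

    first_letter  : first character must be one of the 52 letters (NMCA rule).
    require_digit : at least one of the 10 digits must appear (NMCA rule);
                    counted by subtracting the digit-free passwords.
    """
    first = LETTERS if first_letter else alphabet
    total = first * alphabet ** (length - 1)
    if require_digit:
        no_digit = alphabet - DIGITS
        total -= (LETTERS if first_letter else no_digit) * no_digit ** (length - 1)
    return total


def policy_keyspace(min_len, max_len, **rules):
    """Total passwords the policy accepts, summed over every permitted length."""
    return sum(keyspace(n, **rules) for n in range(min_len, max_len + 1))


def years_to_exhaust(combos, attempts_per_second):
    """Whole years needed to try every combination at the given guess rate."""
    return combos // int(attempts_per_second * SECONDS_PER_YEAR)


def fraction_cracked(combos, attempts_per_second, years=1.0):
    """Share of the keyspace an attacker covers in `years` (capped at 1.0)."""
    return min(1.0, attempts_per_second * SECONDS_PER_YEAR * years / combos)


if __name__ == "__main__":
    alnum13 = keyspace(13)                        # 52 * 62**12, the thread's figure
    print(f"13-char alphanumeric, letter first : {alnum13:.3e}")
    print(f"  years to exhaust at 1 guess/s    : {years_to_exhaust(alnum13, 1):,}")
    print(f"  cracked in 1 year at 1e15/s      : {fraction_cracked(alnum13, 1e15):.1%}")
    with_specials = keyspace(13, alphabet=LETTERS + DIGITS + SPECIALS)
    print(f"13-char with {SPECIALS} specials added : {with_specials:.3e} "
          f"({with_specials / alnum13:.0f}x larger)")
    nmca = policy_keyspace(8, 13, require_digit=True)
    print(f"Full NMCA policy (8-13, digit req.) : {nmca:.3e}")
    # Why the figures above only protect a random password: a guessable secret
    # such as a birth date falls in hours, not years, at the same 1 guess/s.
    birthdays = 36525     # assumption: birth dates inside a 100-year window
    print(f"Birthday as reset question, 1/s    : {birthdays / 3600:.0f} hours to exhaust")
```

Run it to see that the 13-character figure reproduces the 5,316,179,672,874,071 years from the post, that 32 extra symbols enlarge the space by roughly 147 times, and that the required digit barely dents the count.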

ilr

Academy Page

Join Date: Mar 2010

[Abandoned acct]

Quote:
Originally Posted by azizul1975 View Post
I have to say that something is just not right at NCSoft right now. Since Wednesday last week, my account was hacked twice.

On the first hack, all my gold was gone, and all my gear was salvaged, totaling a loss of around 1 mil.

On the second hack, they removed my characters and replaced them with their own.

This is very serious indeed. I might put the "immediate purchase" of GW2 on hold if this goes on...
Here's a better idea: clean out the rootkit or keylogger trojan you obviously have and stop downloading bots (i.e. simply having 1,000 plat in items proves you were bot farming).

Jinkies

Krytan Explorer

Join Date: Nov 2008

Korea

Peace And Harmony [PnH] War Machine [WM]

Quote:
Originally Posted by Martin Alvito View Post
The sufficiency of a password protection system (or any encryption system, for that matter) is a math problem. Nothing is 100% secure. The more complex the authentication/encryption, the longer it is likely to take to break the system by guessing. We can calculate the odds of cracking a password by brute force in any given period by dividing the number of attempts possible in that period of time by the total number of possible combinations.

Suppose that a computer system can randomly attempt one forced entry per second. There are 60*60*24*365.25 seconds in the average year, or 31,557,600 attempts in a year. At 52 * 62^12 possible alphanumeric combinations, it would take 5,316,179,672,874,071 years to guarantee cracking the account given that rate.
That is assuming the password for any given account is purely random, which for most people it's not. As an example one might use the password "factions" on their spare accounts containing only the Factions expansion for either lack of creativity or for incomprehension of the vulnerability they leave their account in when doing so. This would lead experienced brute force hackers to try only the most likely choices of passwords on an account before moving to the next.

Even so, the time involved and the attention their IP would draw would make brute force hacking inefficient. Thus bringing many of us to the obvious conclusion that there was a security loophole in the NCSoft site whether or not NCSoft wants to admit it.

In the end I do agree that having the ability to change your GW PW from your PlayNC Master account is useful; heck, I've had to use it multiple times and was shocked when the feature was removed. At the same time, however, I understand the concern from those who feel NCSoft security is not reliable enough to entrust with this feature.

I think too many people are overlooking the alternative form of changing your PW that should be implemented. A direct reset option from the game client to your corresponding email address should be implemented for all accounts, not just ones unlinked to PlayNC Master accounts. By doing so only the owner of the email address directly associated with your GW account could reset your PW without having the original PW. Not only would this bypass the NCSoft security problem, but it would lower the amount of hackings based on my perception that few people try to hack emails, and those who do are either uninterested or unaware of the GW account they could retrieve as a result. (Of course with this Anet could also give us the option to change the email address linked with the account as well)

The truth is that Emily's explanation of why the extra prerequisite in changing the GW PW was removed is invalid under the assumption that someone coming back to GW after an extended break is equally likely to have forgotten the PW and/or account name of their GW account as that of their PlayNC Master account, which they logged onto once in 4 years to get their Extra Storage Pane.

Just my 2 cents

StormDragonZ

Desert Nomad

Join Date: Jan 2008

New York

W/R

You see, there hasn't been a lot of stolen accounts lately. Therefore, there is no need for extra security.

As asinine a statement as that is, it's true. Once a lot of people talk about having stolen accounts or hacked information again, then certain security measures will be taken.

coil

Krytan Explorer

Join Date: Aug 2007

Quote:
Originally Posted by ilr View Post
Here's a better idea: clean out the rootkit or keylogger trojan you obviously have and stop downloading bots (i.e. simply having 1,000 plat in items proves you were bot farming).
lol? 150 ectos worth? and he MUST be using bots to get 150 ectos (@ 7k a pop)

Quote:
Once a lot of people talk about having stolen accounts or hacked information again, then certain security measures will be taken.
preventative actions > reactive actions

just because there are morons out there (like the ones that can't remember their password) doesn't mean EVERYONE is a moron. nor does it mean EVERYONE should be treated like one.

therefore, 1 moron not remembering his password shouldn't translate to EVERYONE losing security.

if all hotels that used keycards & latches on their doors all of a sudden said "we've had no break-ins so we can safely remove the latches" and removed the latch on the inside of the room, would you feel as safe as before?

of course not.

especially given the "glitch" where a keycard could possibly randomly open up another person's door instead of your own.


Quote:
What we HAVE seen, though, are more players being able to get back in the game quicker when they forget their passwords and need to reset them.
but you have NO way of truly verifying that those people you're helping are actually the true original account owners.

don't you find it odd that players that "may not have played for a while" forget their passwords but NOT their character names?

Quote:
You don’t want to sit and wait on a support ticket.
we all know your general support is bad. i've also had to endure sitting and waiting on support tickets....

given the option between waiting on a password reset (which i brought upon myself for forgetting the password) while knowing everything on the account is still intact

OR

waiting to take back control after my account had been stolen (due to a "glitch" or hack) while wondering if everything had been deleted.....i dunno, that's tough.

Quote:
it doesn’t change the fact that there’s still a huge wall between you and any random hacker: the requirement to know a character name on your account.
you should check out some guild websites/forums, the wiki or, a quicker option, the screenshot section here on guildwarsguru. you'd quickly find this wall is scalable by even the minutest of midgets.

don't get me wrong, i love the wiki, and the other char databases are pretty neat as well. i would also love to see some sort of web-interfacing with guildwars2 so when you aren't actually able to play the game you can still be involved somehow. all these with the caveat that i don't have to worry about my account being stolen because your security is shit and i've put my in game name out there (for people to pm/trade/whatever).

to make it even simpler, look at all the personal information the War In Kryta @ Facebook endeavor puts out in the open.


---if what martin says is true (master resets requiring email validation) then that's not AS bad. but it's still quite silly.

azizul1975

Lion's Arch Merchant

Join Date: Jul 2007

GMT+8

The Elite Guard of Tyria (TEGO)

Mo/

Quote:
Originally Posted by ilr View Post
Here's a better idea: clean out the rootkit or keylogger trojan you obviously have and stop downloading bots (i.e. simply having 1,000 plat in items proves you were bot farming).
wowo.... stop making accusations and assumptions... having 1000 plat through power trading and offering services over the course of 3 years playing is considered botting....? huh... some people... duh !

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Jinkies View Post
That is assuming the password for any given account is purely random, which for most people it's not. As an example one might use the password "factions" on their spare accounts containing only the Factions expansion for either lack of creativity or for incomprehension of the vulnerability they leave their account in when doing so. This would lead experienced brute force hackers to try only the most likely choices of passwords on an account before moving to the next.
If you get owned by a dictionary attack, it's your own fault. Better passwords are better.

Quote:
Originally Posted by coil View Post
---if what martin says is true (master resets requiring email validation) then that's not AS bad. but its still quite silly.
It was true as of about eight hours ago. I wanted to see if Support tickets (and therefore character names) were in the NCMA, and I decided to test a few things out while I was there.

As for 1,000 plat and botting - there have been periods when you could consistently generate that amount in five to ten hours by dungeon running. Any idiot can generate 1,000 plat by grinding raptors with a wiki build for 20 hours during an event that drops quality goodies, then selling the proceeds. Don't sling accusations if you're uninformed about the topic.

Stuart444

Krytan Explorer

Join Date: Aug 2007

Alexandria, Scotland

The Charter Vanguard [CV]

W/

While people can talk about how people can see your in game character names, the thing some people seem to be forgetting is: the hacker would have to be able to associate that character's name to a person's e-mail address AND password, and it is very rare from what I've seen that someone publicizes their in game character's name and GW e-mail address in the same place along with having a weak password that can be brute forced, so it still makes it a rather hard to penetrate wall.

Not saying it's impossible, just saying it would be very rare for that all to happen ^

That said, while I accept and understand the reasoning behind Emily's post, I do feel there could be other things that could be done to increase security.

Erys Vasburg

[Domination Henchman]

Join Date: Feb 2007

Echovald Forest

House Vasburg

Me/

This is the most amazing thing NCSoft has ever done. And they have done some pretty fantastic things.

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Quote:
Originally Posted by martin kerstein View Post
This means that the delays that customers were experiencing related to account resets added no value from a security standpoint.
I CAN'T REMEMBER MY PASSWORD PLEASE REMOVE THE NEED FOR ME TO ENTER IT TO ACCESS MY ACCOUNT. SINCE I HAVE NEVER BEEN HACKED THERE IS NO REASON FOR ME TO NEED A PASSWORD IN THE FIRST PLACE. HAVING TO FIND OUT MY PASSWORD IS AN UNNECESSARY DELAY AND I SHOULD NOT HAVE TO SUFFER IT.

NO PASSWORDS.
NO CHARACTER NAMES.
EMAILS ONLY.
FINAL DESTINATION.

WE SHOULD USE OUR REAL NAMES TO LOG INTO GW/PLAYNC BECAUSE NOBODY HAS THO-- OH WAIT LOL