Fed up with account "security"

Yol

Wilds Pathfinder

Join Date: Feb 2007

GameAmp Guides [AMP]

E/

To all the people here saying that you can't use symbols in your password, are you referring to the NCMA webpage, or the actual GW game log-in? You can use symbols in the game log-in password, and you can change your password in-game even if it's linked to the NCMA.

Xenex Xclame

Desert Nomad

Join Date: Mar 2006

DPX

R/

Quote:
Originally Posted by gremlin View Post
Always wondered why so many stand around trash talking for hours.
It does make you want to "hack" those people doesn't it.


@Yol: The issue is that you weren't able to change the pass in the past, that's where some of the confusion is coming from.

Swingline

Forge Runner

Join Date: Sep 2010

Somewhere far away from you

The Mirror of Reason[SNOW]

W/

If what some people claim is true then there may be potential security issues with NCsoft and I wouldn't put it past them to lie about it so they don't lose customers. Maybe they cannot fix these security issues, NCsoft already can't do a lot of things because of the way they built their systems. All I have to say is if it is true I better not hear anything about it because I will never buy another ArenaNet or NCsoft product. Not even GW2.

gremlin

Furnace Stoker

Join Date: Oct 2006

GWAR

Me/Mo

Quote:
Originally Posted by Xenex Xclame View Post
It does make you want to "hack" those people doesn't it.


@Yol: The issue is that you weren't able to change the pass in the past, that's where some of the confusion is coming from.
Well yes they do get a bit annoying at times but I was thinking more that they are cultivating players.

I reckon someone calling support with I cannot access my account and think it's been hacked.
Was last online yesterday my old email address is **** character name ***** live in this country bought the game 2 years ago etc.
Then they are on the way to convincing support to give them access to the account.

Seemingly innocent chat in the game could lead to someone gaining a surprising amount of information about you.
I hope I am wrong.

Kunder

Desert Nomad

Join Date: Nov 2010

95% of problems are because of the user. Absolutely no one is getting their password randomly guessed unless you used 12345/password/etc.

deluxe

Desert Nomad

Join Date: Feb 2006

Monkeyball Z

S.K.A.T. [Ban]

Mo/

Quote:
Originally Posted by Kunder View Post
95% of problems are because of the user. Absolutely no one is getting their password randomly guessed unless you used 12345/password/etc.
That's how everyone thinks UNTIL they get hacked themselves.
I always thought people just had bad security or terrible password too, it's not the case.

khezial tahr

Academy Page

Join Date: Oct 2008

Devil's Rejects [DR]

Mo/

Quote:
Originally Posted by Kunder View Post
95% of problems are because of the user. Absolutely no one is getting their password randomly guessed unless you used 12345/password/etc.
Very true. I actually work in IS and deal with password breaches on a regular basis. Most issues are PEBCAK (problem between chair and keyboard) or ID-10-T errors. Phishing emails, questionable applications with trojans and keyloggers, and very simple passwords (1234/password). While minimum requirements do help prevent some of this, nothing ANYONE does will stop them from breaking into your account if you GIVE THEM the password.

Reverend Dr

Forge Runner

Join Date: Dec 2005

Super Fans Of Gaile [ban]

W/

Quote:
Originally Posted by Kunder View Post
95% of problems are because of the user. Absolutely no one is getting their password randomly guessed unless you used 12345/password/etc.
However, when there is something where the inner workings aren't transparent, it's very easy for the people in charge to deny any responsibility.

Lishy

Forge Runner

Join Date: Jan 2008

Just a suggestion, but it would help boost your account securities if you created an exclusive email account just for your GW and NCSoft logins. That way they cannot brute force your password since they don't know your email OR ncsoft login!

Ximvotn

Banned

Join Date: Jun 2011

Quote:
Originally Posted by Del View Post
Actually, I just changed mine via gw to check, and it worked. So either you two are spreading misinformation, or the effects of linking accounts isn't consistent.
I tried two linked NC Soft accounts and the password was changeable, I could have sworn it used to not be changeable through any other means than NC Soft website.

An inconsistency could have very well been a possibility since there was someone in an alliance I was in before who had "Guild Wars" in their name. Now that has been blocked for years, but obviously at one point you could put that in your name. Though character name has nothing to do with changing your password, it's only an example.

Quote:
Originally Posted by Reverend Dr View Post
No. Learn something about account and internet security.
Yes, one numeral certainly makes brute-forcing easier versus adding symbols, numerals, umlauts, etc. However, without a character name and e-mail they certainly won't do too much. Learn something about odds of chance. I don't see the point in this thread. If your account hasn't been stolen, why are you complaining? I guarantee there are many trying to use a bot and someone that posted it said don't worry if the archive shows up as virus, it's a "false-positive" then wonder why their account was stolen. If you type your e-mail, password, and character name every time there is another good indication of jeopardizing security. If you really care about the account, never physically type the e-mail and character name, simple as that.


Quote:
Originally Posted by Lishy View Post
Just a suggestion, but it would help boost your account securities if you created an exclusive email account just for your GW and NCSoft logins. That way they cannot brute force your password since they don't know your email OR ncsoft login!
We have a winner

Lucci_Slevin

Frost Gate Guardian

Join Date: Nov 2008

Liars Cheats and Thieves

Nothing wrong with the OPs request but people need to understand that the GW hackers have not been brute forcing, ever.

They have been ripping website databases all these years, so the PW strength has been irrelevant to them.

Xenex Xclame

Desert Nomad

Join Date: Mar 2006

DPX

R/

Quote:
Originally Posted by gremlin View Post
Seemingly innocent chat in the game could lead to someone gaining a surprising amount of information about you.
I hope I am wrong.
Oh no you are completely right on this. I mean just to give you an example, my guild mates know which country I live in, that's already more info to help them if they ever wanted to hack me (not saying they would, just the example). They obviously know my character names, or if they didn't remember they could just look in guild roster for it and same with people I friended they could just look in their friendslist. Now it wouldn't be easy for them to breach my password, which is not my cat which they might have heard me talk about or my mother or siblings or my address. My login mails are only for GW and I don't MSN email with them. But still you are right every little innocent information can hurt you.

Quote:
Originally Posted by deluxe View Post
That's how everyone thinks UNTIL they get hacked themselves.
I always thought people just had bad security or terrible password too, it's not the case.
I was "hacked" a while ago, you know what? I didn't go say that someone brute forced my password, which I think is a pretty decent password, I contacted support and talked to them, it turned out that the way I got "hacked" was by downloading a "harmless" but convenient program from the community works section of this very forum. They didn't destroy or take anything, but still it happened and password breach was not my first thought.

Quote:
Originally Posted by Lishy View Post
Just a suggestion, but it would help boost your account securities if you created an exclusive email account just for your GW and NCSoft logins. That way they cannot brute force your password since they don't know your email OR ncsoft login!
Already done but thanks for the suggestions for others who haven't thought about that.

Kunder

Desert Nomad

Join Date: Nov 2010

Quote:
Originally Posted by deluxe View Post
That's how everyone thinks UNTIL they get hacked themselves.
I always thought people just had bad security or terrible password too, it's not the case.
It's flat out impossible to have your password randomly guessed. There is a delay between password attempts that grows the more you try. It would take years (potentially decades/centuries/till the heat death of the universe, I have no idea how high the delay grows) to try just the numbers 00000-99999 without any other characters at all.

Xenex Xclame

Desert Nomad

Join Date: Mar 2006

DPX

R/

Quote:
Originally Posted by Kunder View Post
It's flat out impossible to have your password guessed. There is a delay between password attempts that grows the more you try. It would take years (potentially decades/centuries, I have no idea how high the delay grows) to try just the numbers 00000-99999 without any other characters at all.
A thought just occurred to me, I know GW has that built in delay, but I don't think the site has or locks you out after X attempts I could be wrong but couldn't someone have an easier time using the website?

Ximvotn

Banned

Join Date: Jun 2011

Quote:
Originally Posted by Lucci_Slevin View Post
Nothing wrong with the OPs request but people need to understand that the GW hackers have not been brute forcing, ever.

They have been ripping website databases all these years, so the PW strength has been irrelevant to them.
Then it's really nobody's fault if that is true, I guess Anet could have followed suit like other MMOs and made an authenticator, but I would hate to have to type a code in every time I log in.

shadowfell

hamonite anur ruk

Join Date: Jan 2006

Echovald Forest

[PhD] Teh Academy

Me/A

Quote:
Originally Posted by deluxe View Post
I think all these account hacks have very little to do with brute force password cracking, but some kind of bug in the ncsoft website.
My account got hacked, my password got changed...
How in god's name is it possible to change a password without me getting a confirmation email about it?
This is a good question. I'd like the answer to it as well!

End

Forge Runner

Join Date: Jan 2008

Rubbing Potassium on water fountains.

LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)

N/A

Quote:
Originally Posted by Xenex Xclame View Post
A thought just occurred to me, I know GW has that built in delay, but I don't think the site has or locks you out after X attempts I could be wrong but couldn't someone have an easier time using the website?
If you mean the master account page it's after 5 or so tries and lasts I think 10 minutes but I'm not sure.

Xenex Xclame

Desert Nomad

Join Date: Mar 2006

DPX

R/

Ah if it's like that it's not much better for a potential hacker.
I'm not worried then.

gremlin

Furnace Stoker

Join Date: Oct 2006

GWAR

Me/Mo

It's probably not a serious security problem but the hom calculator could be used to judge a character's material wealth.
You can enter any character name not just your own and see how well they are doing.

Anyway I am doing the best I can to prevent being hacked, antivirus antispyware and firewall all in place.

Running on a user account so if I am hacked they do not get full control of my computer.
Internet browser is fairly secure with active x and javascript not automatically turned on for every site.
Popup and adware blocked.
Don't ever click on links from emails or on websites unless I am certain of their origin.

Password is random not a name or birthday etc and the login email hasn't been valid for years.

Hopefully potential hackers will look for easier targets, anything that could be added is in the hom anyway.

nologic

Frost Gate Guardian

Join Date: Jul 2006

Sweden

E/

When I play Aion they have added a pin code to the game, and it can only be clicked by using the mouse button. It seems way better than the current system that is out there. I don't know how secure it is but still a better solution than the current implementation they added.

NCMA still needs to be more secured, and NCSoft still needs to address their security flaws.

Xenex Xclame

Desert Nomad

Join Date: Mar 2006

DPX

R/

Unless the number changed position every time, then it was pretty pointless, the same way keyloggers work for keyboard the same way a different program can track the mouse.


Bad solutions for this "problem" aren't a good thing IMO and pincodes when you login and pincodes when you use storage and pin codes when you want to delete, if the person already hacked into your account what makes you so sure he isn't going to be able to hack the pin too. The types of extra security you find in most Asian games are annoying more than anything, at least to me.

I'm all for a USB authenticator though and don't mind paying extra as long as there is a non-authenticator and an authenticator-included box, the included one obviously priced ~$5 more. I don't want to go through extra steps to get it, like having to buy it from NCSoft or the in game store.

rb.widow

Lion's Arch Merchant

Join Date: Jul 2009

The easiest way to do it would have been if they had made it (like it was suggested a long time ago) a way to put a lock on the chars for say xx days at a time, when the char is locked, you cannot salvage the armor from it, delete it, etc etc etc.

It will not be done in GW, maybe better security in GW2 will allow for it. The main issue was around the NCMA website, there was a security issue with it, and they refused to admit it until it was too late. If the only way you could change your details was via the game itself, you would have a lot less issues; as soon as you give someone the ability to change details from 2 different sources, sooner or later something bad will happen.

But like it's been stated, hopefully for GW2 they will do away with the NCMA completely and everything will be done via the game client.

gremlin

Furnace Stoker

Join Date: Oct 2006

GWAR

Me/Mo

For there to be a change in GW or GW2 the company has to believe there to be a problem.

At the moment the majority view seems to say it's the players' fault so I doubt any change will be made and gw2 will probably use the "tried and trusted method".

I would encourage all players of the upcoming game to leave them no excuse whatever to say it's your fault.

Hobbs

Desert Nomad

Join Date: May 2006

Organised Spam [OS]

W/

Quote:
Originally Posted by Reverend Dr View Post
This is a terrible horrible thing. I laugh at every website that refuses to allow symbols in passwords.
My bank doesn't allow symbols in for my online banking account.

To Chicken To Die

Krytan Explorer

Join Date: Sep 2006

Mo/

4-13 characters are more than enough if you don't get involved with gold buyers or use the same combination on anything else or play on an open network.

So either farm your own gold or change your password combination to something unique or stop getting free internet from the people living next to you.

Hephaestus Ram

Lion's Arch Merchant

Join Date: Jun 2005

None

W/E

Quote:
Originally Posted by Hells Fury View Post
This is why I like login delay or lock after X times attempts, like on guru.
Is that hard to implement to game?


This would be blatantly unfair to us drunks, so I protest.

When I've been drinking (which is most of the time) it takes me as many as 10 tries to get
my password right.

BTW I DO have symbols in my PW, and I've changed it since linking my account.

gremlin

Furnace Stoker

Join Date: Oct 2006

GWAR

Me/Mo

Quote:
Originally Posted by Hephaestus Ram View Post
This would be blatantly unfair to us drunks, so I protest.

When I've been drinking (which is most of the time) it takes me as many as 10 tries to get
my password right.

BTW I DO have symbols in my PW, and I've changed it since linking my account.
Drunks, those with bad eyesight or badly controlled fingers like me could make a macro of their password.

Should make it less hit and miss to add the pw, unless you like the game of remember the pw of course

cataphract

Forge Runner

Join Date: Aug 2005

Ashford Abbey

Hey Mallyx [icU]

Mo/Me

Quote:
Originally Posted by To Chicken To Die View Post
4-13 characters are more than enough if you don't get involved with gold buyers or use the same combination on anything else or play on an open network.
Everything under 8 characters isn't really a password at all. Also, those 8+ character passwords have to be complex and different passwords have to be used for different accounts and/or services.

Quote:
Originally Posted by Hephaestus Ram View Post
This would be blatantly unfair to us drunks, so I protest.

When I've been drinking (which is most of the time) it takes me as many as 10 tries to get
my password right.
Use the on-screen keyboard with accessibility options turned on. Buttons should prove hard to miss.

BladeDVD

Wilds Pathfinder

Join Date: Jul 2006

Hawaii

Clan Of Elders

N/

Or add the -email -password -character switches to your GW shortcut and you don't have to worry about typing it in at all.

Be sure no one you don't trust can access your PC before doing this of course.

Silmar Alech

Lion's Arch Merchant

Join Date: Aug 2009

Europe

Tom Son [TS]

E/

Quote:
Originally Posted by cataphract View Post
Use the on-screen keyboard with accessibility options turned on. Buttons should prove hard to miss.
I know you didn't mean your post to be a security hint, but your point reminds me that keyloggers are able to record the Windows built-in on-screen keyboard just like a real keyboard, so that's no security enhancement.

I know this because I once tested a professional computer monitoring application - that was even able to record clipboard actions, i.e. the text strings that were pasted from the clipboard into a password prompt.

There are virus scanner applications that also provide an on-screen keyboard, but I haven't tested them with the logging software. They may or may not be safer, I don't know. The best damage prevention is to never catch a keylogger in the first place by always having up-to-date virus scanner software and not downloading/starting stuff from shady internet websites or given to you by other people.

bsoltan

Site Contributor

Join Date: Dec 2005

UK

[SoF]

I copy and paste mine from an encrypted database. I don't even know what that password is. Seems safe to me.
I'm sure I've seen someone mention 'keyloggers' that could take a screenshot on a mouse click.

As long as you're using a password of reasonable length with a mix of alphanumeric then making it longer and more complex really doesn't matter. As mentioned, no one is going to be brute forcing your GW account. They'd already need to know the email address and character name before they even started.

As is the case with any computer security, vigilant and sensible browsing and downloading is what keeps you safe more than the strength of a password or anti-virus software.

Don't go to dodgy sites or click on suspect links, don't enter your information from a link on an email, be absolutely sure about what files you're downloading. Oh and use individual passwords/login information for important things or things you care about.

Urcscumug

Krytan Explorer

Join Date: Jan 2011

UNO

W/

Quote:
Originally Posted by cataphract
Everything under 8 characters isn't really a password at all.
The length of the password is not the issue. The issue is (1) how many times and how fast you are allowed to try to guess them by brute force, or (2) how easy it is for the password to be guessed or found by others.

ATM cards have a very simple password (4 digits) because the ATMs have pretty harsh rules about wrong passwords, such as 3 consecutive mistakes and the card is blocked. As mentioned above, the GW client has a staggered penalty for mistaken passwords, so the minimum length of 6 characters is not that big a deal. Of course, if you use 123456 or aaaaaa or qwerty or 112233, that's pretty much asking for it...

For the second issue, it's about things you mentioned: using the same password in other places, writing it down (on a post-it on your desk or in a file on your computer), having malware sniff it off your keyboard or off the network etc.

While malware is harder to deal with, it's more likely that break-ins happen due to a very short or easily guessed password or using it on all the websites. And this is not just a problem with GW, when you use the same password everywhere bad people are likely to also be able to get into your online email accounts, Facebook etc. etc.
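
Added example, not part of any post in this thread and not NCsoft or ArenaNet code: a per-account login throttle with a delay that grows on each failure, as several posts above describe, plus the worst-case time an online guesser needs to walk a keyspace under it. The delay values (1 s, doubling, capped at 600 s) and all names are assumptions; the thread does not say how the real delay grows.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # All three values are assumptions for illustration, not the game's real settings.
    base_delay: float = 1.0    # seconds of wait after the first failure
    factor: float = 2.0        # multiplier applied for each further failure
    max_delay: float = 600.0   # cap, so a legitimate user is never shut out for good

    def delay_after(self, failures: int) -> float:
        """Wait imposed once `failures` consecutive wrong passwords have been seen."""
        if failures <= 0:
            return 0.0
        try:
            grown = self.base_delay * self.factor ** (failures - 1)
        except OverflowError:      # very long failure streaks: the cap applies anyway
            return self.max_delay
        return min(grown, self.max_delay)


class LoginThrottle:
    """Tracks failures per account, so the delay follows the account being guessed."""

    def __init__(self, policy, verify, clock=time.monotonic):
        self._policy = policy
        self._verify = verify      # callable(account, password) -> bool
        self._clock = clock
        self._state = {}           # account -> (consecutive failures, earliest next try)

    def attempt(self, account, password):
        now = self._clock()
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            # Refuse without checking the password: a guess made during the
            # wait must not reveal whether it was right.
            return "throttled"
        if self._verify(account, password):
            self._state.pop(account, None)   # success resets the streak
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self._policy.delay_after(failures))
        return "denied"


def seconds_to_exhaust(keyspace: int, policy: Policy) -> float:
    """Worst-case total wait for one account: every guess but the last is wrong."""
    wrong = keyspace - 1
    if policy.factor <= 1.0:                  # no growth: every wait is the same
        return wrong * min(policy.base_delay, policy.max_delay)
    total, k = 0.0, 1
    while k <= wrong:
        d = policy.delay_after(k)
        if d >= policy.max_delay:             # capped from here on: finish in one step
            total += (wrong - k + 1) * policy.max_delay
            break
        total += d
        k += 1
    return total


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for label, n in (("digits 00000-99999", 10 ** 5), ("6 lower-case letters", 26 ** 6)):
        print(f"{label}: {seconds_to_exhaust(n, Policy()) / year:,.1f} years worst case")
```
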

Voodoo Rage

Desert Nomad

Join Date: Mar 2008

Sacramento, CA

Geezers

R/

It's almost impossible to brute force a random password. I assure you that passwords are either taken off of other websites or via malware.

Kunder

Desert Nomad

Join Date: Nov 2010

Quote:
Originally Posted by Voodoo Rage View Post
It's almost impossible to brute force a random password. I assure you that passwords are either taken off of other websites or via malware.
Or, as we have learned from Sony, they can be left in plain text on a publicly accessible platform

Ximvotn

Banned

Join Date: Jun 2011

Quote:
Originally Posted by Kunder View Post
Or, as we have learned from Sony, they can be left in plain text on a publicly accessible platform
It wasn't exactly connect by FTP and there's everyone's information. The problem lies in the directory itself with the sensitive account information not being encrypted or secured at all.

To Chicken To Die

Krytan Explorer

Join Date: Sep 2006

Mo/

Quote:
Originally Posted by cataphract View Post
Everything under 8 characters isn't really a password at all.
Only if you have a hacker that tries to guess your password starting with AAAA going up to 9999. lol. With keyloggers or using the same combination on other sites it won't matter if you have a 1 or 64 character password with numbers or even symbols.

cataphract

Forge Runner

Join Date: Aug 2005

Ashford Abbey

Hey Mallyx [icU]

Mo/Me

If you keep your computer, firewall and antivirus software up-to-date and don't leave your username on the internet that brute-forcing attacker is the biggest threat you'll have. And he'll have a tough time breaking the password.

Ximvotn

Banned

Join Date: Jun 2011

Quote:
Originally Posted by cataphract View Post
If you keep your computer, firewall and antivirus software up-to-date and don't leave your username on the internet that brute-forcing attacker is the biggest threat you'll have. And he'll have a tough time breaking the password.
I agree with most of this. However, for a virus to be in an online database, it must be caught first. This is where there is room for error and scrutiny of security. There's a chance your or my antivirus could be slower at updating their virus definitions than other antivirus software.

Evil_Necro

Desert Nomad

Join Date: Nov 2005

Kawasaki-ku, Japan

currently guildless..

Rt/

Hi there.. I was just about to start playing after about 1 year hiatus (I logged for 3 hours during Halloween though), and was welcomed by a non-friendly incident.

My friend just got hacked by his guildmate. He logged in after a couple of months and found in the guild announcement that this one guy was swearing and claiming that he hacked many accounts of the users belonging to that particular guild. Me and my friend panicked because he "borrowed" my stuff like ectos, weapons, dyes, etc last year to play with his gf. I let him borrow because he's one of my best friends, even though I'm in Japan and he's in Mexico. Never met him in person, but in the past 5 years (we met through GW), our relationship has been very close.

After a while, he gave me the bad news.. all's gone, including my ectos.. (not much, around 80, but I got it through legit hard work.) I was upset because he didn't return my items when he stopped playing, but also more upset seeing my friend's items had been salvaged/taken. He's the type of player that is very dedicated (rank 11, almost max for luxon allegiance title), and just playing what he loves. He doesn't really have any money but never even asked for my money. Other than some titles, his other dedication that was ruined by the hacker was his vabbi armor. He saved up for months through drops/quests, and was very proud of it. It was salvaged by a hacker..

He could log in yesterday, and we even met and talked IG. Then after finding out about the incident, he got mad and emailed support. I don't know what triggered it, but today his account was blocked. The reply from Anet was:

"We appreciate your patience during our investigation. Your account was blocked because it was accessed by gold sellers in May of 2011. I recommend that you immediately scan your computer for viruses as this intrusion may have been caused by a keylogger being downloaded onto your computer. Make sure your anti-virus software is up to date before scanning, and then be sure to change the passwords to your NCsoft and Guild Wars accounts immediately after.

While I would like to replace your items, the Guild Wars Support Team does not have the capability to replace characters or items, whether they are lost through the actions of unfriendly players, deletion accidents, or through other means.

Here are some tips to help you protect your account and keep your computer secure."

So, we don't even know what happened here. Why is it that yesterday he could log in? Why today his account was blocked?
Anyway.. I don't mean to complain, I just want to share story here that has little relation with this topic.

Maybe Anet can do Apple-like-solution by giving number of authorized PC. Like 2 PCs or something..

Oh well..

Dami

Academy Page

Join Date: Aug 2007

The only thing that annoys me is this: if I'm on my lappy and then I log on with my main PC I get a code 007 on my lappy, nothing to say I'm logged on anywhere else, so I have no idea if code 007's are real d/c's or someone on my account. I'm no computer buff so I understand these things would have to be coded etc, but it would be nice to see a different message IF the account suddenly became logged in at a different terminal.