Guild Wars 2 Accounts Hacked Immediately After Launch

Status
Not open for further replies.

schnitter

Distinguished
Mar 9, 2010
Well, when tons of hacking attempts occur that means the product is worth their time... so I guess Guild Wars 2 is off to a great start.
 

memadmax

Distinguished
Mar 25, 2011
There's an easy way to stop list brute-force tactics: a 30-minute timeout with an email-enforced password change after 3 failed login attempts... also, a forced password change after first-time login, with previous passwords cached for non-use later (if the user attempts to use a previous password again, it fails)...

These password tactics are very, very, very easy to implement... a few lines of code in most cases....
 

samwelaye

Distinguished
Apr 24, 2010
These are ALL user errors. If the fansite gets hacked, and you use the SAME email and password for that and your GW2 account, that isn't GW2 accounts being hacked. That is you being stupid.
 

samwelaye

Distinguished
Apr 24, 2010
Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8-letter password no matter how complex you think it is.
 

cmcghee358

Distinguished
[citation][nom]samwelaye[/nom]Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8-letter password no matter how complex you think it is.[/citation]

I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread

Was worth a try
 

Kami3k

Distinguished
Jan 17, 2008
[citation][nom]master_chen[/nom]Hmmmm...I wonder if Angry Joe's account would get hacked? Probably not...[/citation]

Hahaha. He does use Angry Joe for everything.
 
My account was hacked; it took 5 days to get it back with all my items gone. It was not phishing, since I had just got the game and I did not visit any Guild Wars 2 fan sites. Although my password would have been easy to brute-force, the hacker bypassed email confirmation somehow. The fact that that was the case made me think ArenaNet is to blame. I did not have the same password for my email as for my Guild Wars 2 account. The email confirmations were also unread: just 2 emails saying "request password change" and the last one, "request email change". Someone would have to have fooled the authentication process.

I don't know how they handle things, but I hope they tighten up security... I also made my account password over 12 chars just to be more secure, but if companies can't secure their end, it makes everything I do pointless.
 

wildkitten

Distinguished
May 29, 2008
While I agree with these being user errors, such as using the same email and passwords on fan sites, as well as going to gold-selling sites (and yes, the spam is already rampant in chat and the game mail system), one of the few things Anet has not done properly was not having authenticators ready for launch.

Everyone knew GW2 would be popular, and authenticators have been asked for for well over a year, and the devs have talked about adding them in. They should have been there for launch.
 

freggo

Distinguished
Nov 22, 2008
[citation][nom]samwelaye[/nom]Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8-letter password no matter how complex you think it is.[/citation]

A short password is brute-force safe if you allow only 3 failed attempts per 5 minutes, for example, and shut off the account after, say, 20 failed attempts.
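The online lockout policy memadmax and freggo describe above, as an added example that is not code from the thread or from ArenaNet: a per-account throttle (hypothetical `LoginThrottle` class) that allows 3 failures per 5-minute window, applies a 30-minute timeout once that is exceeded, and hard-locks the account after 20 failures in total until a password reset clears it. The clock is injectable so the policy can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Parameters taken from the thread: 3 failures per 5 minutes (freggo),
# 30-minute timeout (memadmax), account shut off after 20 failures (freggo).
WINDOW_SECONDS = 5 * 60
WINDOW_LIMIT = 3
TIMEOUT_SECONDS = 30 * 60
HARD_LOCK_AFTER = 20


class LoginThrottle:
    """Per-account failed-login throttle (hypothetical helper, not ArenaNet code)."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.recent = defaultdict(deque)      # account -> timestamps of recent failures
        self.total = defaultdict(int)         # account -> failures since last reset
        self.blocked_until = {}               # account -> end of current timeout
        self.locked = set()                   # accounts that need a password reset

    def check(self, account):
        """Call before verifying a password. Returns (allowed, reason)."""
        if account in self.locked:
            return False, "locked"
        if self.blocked_until.get(account, 0) > self.now():
            return False, "timeout"
        return True, ""

    def record_failure(self, account):
        t = self.now()
        window = self.recent[account]
        window.append(t)
        while window and t - window[0] > WINDOW_SECONDS:   # drop stale failures
            window.popleft()
        self.total[account] += 1
        if self.total[account] >= HARD_LOCK_AFTER:
            self.locked.add(account)          # only a verified reset clears this
        elif len(window) >= WINDOW_LIMIT:
            self.blocked_until[account] = t + TIMEOUT_SECONDS
            window.clear()

    def record_success(self, account):
        self.recent[account].clear()
        self.total[account] = 0
        self.blocked_until.pop(account, None)

    def reset_after_password_change(self, account):
        """memadmax's e-mail enforced password change lifts the hard lock."""
        self.locked.discard(account)
        self.record_success(account)
```

Because this keys on the account name alone, anyone who knows a victim's login can keep that victim locked out, so production systems pair it with per-source rate limits and a second factor such as the authenticators wildkitten asks for below.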
 

freggo

Distinguished
Nov 22, 2008
[citation][nom]cmcghee358[/nom]I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread. Was worth a try[/citation]

Should have tried toastersdonttoastsoggybread123 :)
 

shahrooz

Distinguished
Jul 1, 2009
The title is misleading: it suggests the GW2 user/pass database has been hacked and hackers have the accounts, but that's not the case, and the ones we should blame are the users.
 

infernocy

Distinguished
Oct 1, 2010
This is not news - hackers are more advanced than the current state of tech in companies - every single one is hacked -- every single one --
 
Guest
Same here: not on any fansites / PW of GW2 and email are not the same... Just received 2 emails saying password change requested and after that email change requested.. Both emails were not read, so they have not even been in my email.. so, no, not just user faults here
 
Guest
toastersdonttoastsoggybread is good for brute force but not for dictionary attacks
 

zshazz

Distinguished
Oct 23, 2011
[citation][nom]freggo[/nom]A short password is brute-force safe if you allow only 3 failed attempts per 5 minutes, for example, and shut off the account after, say, 20 failed attempts.[/citation]

No one (sane) brute forces a password on a live website. What people do is hack websites and steal the information in their database.

If the site's owner is a complete and utter moron, these passwords will be plaintext or maybe encrypted (which isn't effective because you'd have to store the key, so the hackers will likely get it as well). Obviously, there's no brute forcing necessary with that, they simply know your password.

If the owner is just stupid, they'll have unsalted MD5 or one of the SHAs, which will take almost no time to brute force. That isn't to say SHA is bad (it's perfectly secure to use in many cases)... it's just that it doesn't help you much in the case of passwords.

Ideally, you use PBKDF2 with either bcrypt or scrypt as a function... with enough rounds/iterations, even a relatively weak password would befuddle those hackers.

In fact, this shows strong passwords aren't the answer. The answer is for website owners to use good practices on password storage/authentication. Since that's never going to happen, use keepass or lastpass to generate completely random 16-character passwords and just have your secure/strong password keeping your password database safe.
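The storage practice zshazz argues for above, as an added example that is not code from the thread or from any game vendor: a salted, iterated PBKDF2-HMAC-SHA256 record (Python's standard library carries that rather than bcrypt or scrypt) next to the unsalted MD5 he calls out, so the difference in behaviour is visible. The iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: cost chosen so one check takes tens of milliseconds; raise it over time.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The 'unsalted MD5' case: same password -> same digest for every user, so one
    precomputed table or GPU run cracks every account that shares it at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record carries its own parameters
    so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(16)                         # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


def needs_rehash(record: str) -> bool:
    """True when a record was made with fewer iterations than the current policy;
    re-store the password after a successful login to upgrade it."""
    return int(record.split("$")[1]) < PBKDF2_ITERATIONS
```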
 
Guest
GW2 is all it's hyped up to be.. Personally I find the two-step e-mail log-on quite easy to use and definitely more secure. Always use different strong passwords and change them regularly! Make sure you always run an AV on your PC and check your firewall is set up correctly. Also, every month before your password changes, make sure you scan with a secondary AV such as Malwarebytes and do a rootkit scan as well. Never been hacked, always followed this procedure!

[citation][nom]samwelaye[/nom]Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8-letter password no matter how complex you think it is.[/citation]

I am afraid you are incorrect here, sir! A dictionary-only password, no matter what length, will be faster to "brute force hack" than a strong password using a combination of case/letter/number and symbol.

It will take less time going through 26 letters up to 28 characters than 26 letters x2 for upper and lower case + 10 numbers and 30 standard symbols using an 8-character password!

Now, the password you have given as well would be quite easy to compare to known hash files, as it is made up entirely of dictionary words, which is the biggest point of fail; a script kiddie will knock the hash file on the head with that in no time at all!

Had you used random letters, that would have increased the strength. Hackers are also getting smart, and using heuristic principles to hack passwords.

They know we like to use strong passwords. So they already use rules of s=5, a=4, e=3, o=0, 1=l, and they know we mostly include a single symbol at the end of the password such as !. They also know we still use dictionary words in these passwords, so part of the hash file will already match what they know, and the rest becomes much easier to solve as you have half the hash file figured out already.

I give you now an 8-character password that is way stronger than your massive letter password.

h^;X}4~l

Random, case-sensitive letters, numbers and symbols. This will take a far longer time to brute force or hash compare than 100 dictionary words strung together!
 

nacos

Honorable
Mar 24, 2012
^I don't think so. In most cases brute-force attacks cover capital letters and symbols anyway. Even if it were the scenario you describe, I can guarantee you that 26^100 is much higher than x^8, with x = I don't know how many usable password symbols there are, and I don't feel like going to my computer to check.
 

zshazz

Distinguished
Oct 23, 2011
[citation][nom]moricon[/nom]This will take a far longer time to brute force or Hash compare than 100 dictionary words strung together![/citation]

Nope, sorry. The number of characters (including upper, lower, and "special" characters like you showed ... including space) is a little over 90 from what I remember. Let's be generous and say 100, though.

Let's also assume the attacker knows your password is 8 characters long, so he doesn't waste time trying 1, 2, 3, ... , and 7 character passwords.

That's 100^8 different choices. ... or 10,000,000,000,000,000. Not bad.

How about dictionary words? Well, let's just be simple and say that everyone picks from the top 1000 most common words (though, trust me, the dictionary I'm randomly selecting from isn't this small). And let's say the hacker again knows the user has selected a 100 dictionary word password.

That's a total of 1000^100 different possibilities. I hope you don't expect me to write that huge number out here.

In fact, choosing as few as 5 (truly at random) dictionary words gives you 1000^5 = 1,000,000,000,000,000 choices, which is pretty close to your 8-character nonsense password. But the hacker has to also store that dictionary, so with looking up the dictionary words, it'd probably take 10x+ longer to do each check, so it's actually just about as secure at that point.

If we start talking about pulling from more realistic dictionaries, the difference becomes significantly more extreme.
 
Guest
[citation][nom]nacos[/nom]^I don't think so. In most cases brute-force attacks cover capital letters and symbols anyway. Even if it were the scenario you describe, I can guarantee you that 26^100 is much higher than x^8, with x = I don't know how many usable password symbols there are, and I don't feel like going to my computer to check.[/citation]

Sir, you are totally correct, 26^100 is greater than 8^92, by several factors! What you fail to read is I mentioned DICTIONARY WORDS!

I also said "Had you used random letters, that would have increased the strength."

Using 100 dictionary words of 8 letters each will be faster to compare against a hash file than 8 random letters/symbols and passwords!

http://www.passwordmeter.com/ Go paste my 8-letter password into it and check the score, and then type 100 random letters into it and check the results!

Now paste the password toastersdonttoastsoggybread into it and check that.... Now paste that password 4 times into it and check again.. Surprised!
