Guild Wars 2 Accounts Hacked Immediately After Launch
Hackers began breaking into Guild Wars 2 accounts just one day after the MMOG went live.
Me and my sidekick Weenie.

Guild Wars 2 is seemingly off to a great start, raking in positive reviews and pushing players into overflow shards due to the high volume of traffic. The latter is simply GW2 speak for the queuing system which tosses players into an overflow server when the primary map or world has reached its peak capacity.
In other words, Guild Wars 2 seems rather popular.
That said, that popularity rings like a dinner bell for hackers and scammers, drawing them in like flies to a picnic table. On a personal note, the account used for a hands-on evaluation of Guild Wars 2 saw a hacking attempt, so the latest report from Ars Technica isn't all that surprising. The site claims that several unknown websites – one of which is a Guild Wars 2 fan site – were recently hacked, thus spilling sensitive information leading to the compromise of more than 11,000 Guild Wars 2 accounts in mere days.
This is nothing new, however. Account hacking became something of a nuisance with the original Guild Wars, forcing NCsoft to take extra precautions like requiring long passwords and setting up multiple security questions. Even my own Guild Wars account was somehow broken into and used to sell virtual goods – proving my identity and regaining access to the account was a nightmare (putting it nicely).
According to the Ars Technica report, NCsoft officials said they had received around 8,500 support requests related to hacked accounts from Friday to Sunday, and the publisher then received an additional 2,574 related requests on Monday. Naturally, the company suggests that users not reuse the same password across multiple accounts.
"If you don't want your account hacked, don't use the same email address and password for Guild Wars 2 that you've used for another game or web site," officials wrote over the weekend. "Hackers have big lists of email addresses and passwords that they've harvested from malware and from security vulnerabilities in other games and web sites, and they're systematically testing Guild Wars 2 looking for matching accounts."
One of the newer security measures offered by Guild Wars 2 and developer ArenaNet is email-based login confirmation. Offered as an optional feature, it requires users to confirm by email when a login to their Guild Wars 2 account is attempted; if they don't respond to the email, access is denied. It's definitely an annoying procedure (like using Battle.net's authenticator or Google's 2-step phone-based confirmation method), but it seemingly prevents anyone from breaking into the account unless the user's email account is compromised as well.
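As an added illustration of the confirmation flow the paragraph describes (example code written for this page, not ArenaNet's implementation): a login with the correct password from a network the account has never used is withheld until a token delivered by e-mail is presented, and a wrong password never triggers an e-mail at all. The `/24` network key, the PBKDF2 parameters, the `Account` layout and the `demo` scenario are all assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed slow hash for the stored password (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    name: str
    email: str
    salt: bytes
    password_hash: bytes
    confirmation_enabled: bool = True                   # the opt-in feature from the article
    known_networks: set = field(default_factory=set)    # networks the user has approved
    pending: dict = field(default_factory=dict)         # token -> network awaiting approval


def create_account(name: str, email: str, password: str, confirmation_enabled: bool = True) -> Account:
    salt = os.urandom(16)
    return Account(name, email, salt, hash_password(password, salt), confirmation_enabled)


def network_of(ip: str) -> str:
    """Coarse location key: the /24 of an IPv4 source address (an assumption of this example)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def login(acct: Account, password: str, source_ip: str, outbox: list) -> str:
    """Returns "denied" (bad password), "ok", or "confirm" (e-mail queued, access withheld)."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied"                        # a wrong password never produces an e-mail
    net = network_of(source_ip)
    if not acct.confirmation_enabled or net in acct.known_networks:
        return "ok"
    token = secrets.token_urlsafe(16)          # unguessable, single-use
    acct.pending[token] = net
    outbox.append({"to": acct.email, "network": net, "token": token})
    return "confirm"


def confirm(acct: Account, token: str) -> bool:
    """Approve the network tied to `token`; constant-time comparison against each pending token."""
    for pending_token, net in list(acct.pending.items()):
        if hmac.compare_digest(pending_token, token):
            del acct.pending[pending_token]
            acct.known_networks.add(net)
            return True
    return False


def demo() -> tuple:
    """Constructed scenario: new-network login, a bogus token, the real token, a repeat login, a bad password."""
    outbox = []
    secret = "correct horse battery staple"
    acct = create_account("weenie", "player@example.com", secret)
    first = login(acct, secret, "203.0.113.7", outbox)               # new network -> "confirm"
    bogus = confirm(acct, "not-the-token")                            # False
    approved = confirm(acct, outbox[-1]["token"])                     # True; 203.0.113.0/24 now known
    second = login(acct, secret, "203.0.113.9", outbox)              # same /24 -> "ok"
    stolen = login(acct, "reused-elsewhere", "198.51.100.4", outbox)  # wrong password -> "denied"
    return first, bogus, approved, second, stolen, len(outbox)
```

Running `demo()` yields `("confirm", False, True, "ok", "denied", 1)`: exactly one e-mail is sent, and only after the password check has passed, which is why a harvested password on its own is not enough when the feature is enabled.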
ArenaNet's confirmation arrives after "a wealth of anecdotal evidence" surfaced in the MMOG's first week pointing to a possible Chinese group of hackers trying to gain unauthorized access to player accounts. Even one employee of Norway-based security firm Norman ASA said she received an e-mail warning that someone used her details to attempt to log in to her Guild Wars 2 account just one day after it was created.
"It's been just over a week since the game launched, and I’ve now had 10 e-mails detailing attempts to access my account from China," the unnamed Norman employee wrote. "I live in Europe. Thankfully, creators ArenaNet make players confirm login locations via e-mail, so all these hacking attempts have failed."
Guild Wars 2 players wanting to avoid the headaches of a hacked account should use a password that's exclusive to the service. Gamers should also use the email authentication method to help secure the account.
I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread
Was worth a try
These password tactics are very, very, very easy to implement... few lines of code in most cases....
Oh right, ID10T errors.
I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread
Was worth a try
Hahaha. He does use Angry Joe for everything.
I don't know how they handle things but I hope they tighten up security... I also made my account password over 12 chars just to be more secure but if companies can't secure their end, it makes everything I do pointless.
Everyone knew GW2 would be popular, and authenticators have been requested for well over a year and the devs have talked about adding them in. They should have been there for launch.
Short password is brute force safe if you allow only 3 failed attempts per 5 minutes, for example, and shut off the account after, say, 20 failed attempts.
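To make the policy in this comment concrete, here is an added Python sketch (written for this page, not taken from any product): a per-account throttle of at most 3 failures in any 5-minute window plus a lock after 20 failures in total, with a per-source counter alongside it, because a per-account limit alone never trips when one source tries a single stolen password against many different accounts, which is the pattern the ArenaNet statement quoted in the article describes. The class, the `source_burst` value and the replayed attempt log are constructed for the example.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Failure throttle keyed per account and per source address.

    burst/window:  at most `burst` failures per account in any `window` seconds
    lock_after:    lock the account once it has accumulated this many failures
    source_burst:  at most this many failures per source address per window
                   (assumed value, not on the page)
    """

    def __init__(self, burst=3, window=300, lock_after=20, source_burst=30):
        self.burst, self.window = burst, window
        self.lock_after, self.source_burst = lock_after, source_burst
        self.recent = defaultdict(deque)   # key -> timestamps of recent failures
        self.total = defaultdict(int)      # account -> lifetime failure count
        self.locked = set()

    def _recent(self, key, now):
        q = self.recent[key]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def status(self, account, source, now):
        if account in self.locked:
            return "locked"
        if self._recent("acct:" + account, now) >= self.burst:
            return "throttled"
        if self._recent("src:" + source, now) >= self.source_burst:
            return "throttled"
        return "allowed"

    def record_failure(self, account, source, now):
        self.recent["acct:" + account].append(now)
        self.recent["src:" + source].append(now)
        self.total[account] += 1
        if self.total[account] >= self.lock_after:
            self.locked.add(account)

    def record_success(self, account):
        self.recent["acct:" + account].clear()


def replay(throttle, attempts):
    """attempts: iterable of (timestamp, account, source, password_ok). Returns one outcome per attempt."""
    outcomes = []
    for now, account, source, ok in attempts:
        state = throttle.status(account, source, now)
        if state != "allowed":
            outcomes.append(state)
        elif ok:
            throttle.record_success(account)
            outcomes.append("ok")
        else:
            throttle.record_failure(account, source, now)
            outcomes.append("fail")
    return outcomes


def guesses_per_day(burst, window):
    """Upper bound on online guesses against one account under the per-account limit."""
    return burst * 86400 // window


def days_to_exhaust(keyspace, burst, window):
    return keyspace / guesses_per_day(burst, window)


# Constructed attempt log: one source tries a single password against 40 different accounts.
STUFFING_LOG = [(t, f"user{t:02d}", "198.51.100.4", False) for t in range(40)]
```

With the comment's numbers, `guesses_per_day(3, 300)` is 864, so even an 8-letter lowercase password (26^8 candidates) would take hundreds of millions of days to exhaust online. Replaying `STUFFING_LOG` shows the caveat: the first 30 attempts each count as one failure against a fresh account and sail past the per-account rule; only the per-source counter throttles the remaining ten. None of this helps once the hashes themselves have been stolen, which is the point the next comments make.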
Should have tried toastersdonttoastsoggybread123 :-)
Uhhh...what?
No one (sane) brute forces a password on a live website. What people do is hack websites and steal the information in their database.
If the site's owner is a complete and utter moron, these passwords will be plaintext or maybe encrypted (which isn't effective because you'd have to store the key, so the hackers will likely get it as well). Obviously, there's no brute forcing necessary with that, they simply know your password.
If the owner is just stupid, they'll have unsalted MD5 or one of the SHAs, which will take almost no time to brute force. That isn't to say SHA is bad (it's perfectly secure to use in many cases)... it's just that it doesn't help you much in the case of passwords.
Ideally, you use PBKDF2 with either bcrypt or scrypt as a function... with enough rounds/iterations, even a relatively weak password would befuddle those hackers.
In fact, this shows strong passwords aren't the answer. The answer is for website owners to use good practices on password storage/authentication. Since that's never going to happen, use keepass or lastpass to generate completely random 16-character passwords and just have your secure/strong password keeping your password database safe.
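An added example contrasting the storage choices this comment ranks (written for this page, not taken from it): an unsalted MD5 digest is identical for every user with the same password and can be matched against a precomputed table, while a per-user random salt with PBKDF2-HMAC-SHA256 (the standard-library option; bcrypt or scrypt are equivalent choices) gives every user a distinct record that must be recomputed for each guess. The iteration count, the record format and the tiny wordlist are assumptions of the example.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune so one verification costs roughly 100 ms on your servers.
ITERATIONS = 200_000


def store_weak(password: str) -> str:
    """The "just stupid" case from the comment: unsalted, fast MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as one self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed wordlist standing in for the "big lists" the article quotes.
WORDLIST = ["password", "guildwars2", "toastersdonttoastsoggybread", "dragon", "letmein"]
# One table serves every unsalted-MD5 user forever; with salts it would have to be rebuilt per user.
WEAK_TABLE = {store_weak(w): w for w in WORDLIST}


def lookup_weak(md5_hex: str):
    """Recover a password from an unsalted MD5 by table lookup, or None if it is not in the table."""
    return WEAK_TABLE.get(md5_hex)


def compare_storage(password: str) -> dict:
    """Two users share one password: what each scheme reveals."""
    weak_a, weak_b = store_weak(password), store_weak(password)
    strong_a, strong_b = store_strong(password), store_strong(password)
    return {
        "weak_records_identical": weak_a == weak_b,          # linkable and table-matchable
        "strong_records_identical": strong_a == strong_b,    # salt makes them differ
        "weak_recovered": lookup_weak(weak_a),
        "strong_verifies": verify_strong(password, strong_a),
        "strong_rejects_wrong": not verify_strong(password + "x", strong_a),
    }
```

`compare_storage("toastersdonttoastsoggybread")` reports identical weak records and a successful table lookup, while the two strong records differ and only the real password verifies. Because the iteration count travels inside the record, it can be raised later and old records re-hashed on the user's next successful login.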
I am afraid you are incorrect here, sir! A dictionary-only password, no matter what length, will be faster to "brute force hack" than a strong password using a combination of case, letters, numbers and symbols.
It will take less time going through 26 letters up to 28 characters than 26 letters x2 for upper and lower case + 10 numbers and 30 standard symbols using an 8 character password!
Now the password you have given would also be quite easy to compare to known hash files, as it is made up entirely of dictionary words, which is the biggest point of fail; a script kiddie will knock the hash file on the head with that in no time at all!
Had you used random letters that would have increased the strength. Hackers are also getting smart, and using heuristic principles to hack passwords.
They know we like to use strong passwords, so they already use rules of s=5, a=4, e=3, o=0, 1=l, and they know we mostly include a single symbol at the end of the password, such as !. They also know we still use dictionary words in these passwords, so part of the hash file will already match what they know, and the rest becomes much easier to solve as you have half the hash file figured out already.
I give you now an 8 character password that is way stronger than your massive letter password.
h^;X}4~l
Random, case-sensitive letters, numbers and symbols. This will take a far longer time to brute force or hash-compare than 100 dictionary words strung together!
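As an added example of the attacker heuristics this comment lists (constructed for this page, not the commenter's code): a strength estimator, of the kind a registration form would run, that undoes the s=5, a=4, e=3, o=0, 1=l substitutions, peels off a single trailing symbol or digit, and checks whether what remains splits into dictionary words; a password that does is charged per word against an assumed wordlist instead of per character, which is how much the dictionary model shrinks the estimate compared with treating the same string as random letters. The sample dictionary, the assumed wordlist size `DICT_SIZE`, the factor `VARIANTS_PER_WORD` for case and leet variants, the suffix set and the 33-character punctuation class are assumptions of the example.

```python
import math

# Reverse map of the substitution rules the comment lists (5->s, 4->a, 3->e, 0->o, 1->l).
UNLEET = str.maketrans({"5": "s", "4": "a", "3": "e", "0": "o", "1": "l"})

# Constructed sample dictionary; a real checker would load a full wordlist.
WORDS = {"toasters", "dont", "toast", "soggy", "bread", "password", "guild", "wars", "dragon"}
DICT_SIZE = 100_000                   # assumed size of the attacker's wordlist, for the estimate
VARIANTS_PER_WORD = 4                 # assumed allowance for capitalisation/leet variants per word
SUFFIX_CHARS = "!?.#$%&*0123456789"   # the "single symbol at the end" rule
PUNCT_CLASS = 33                      # printable ASCII punctuation: 95 - 26 - 26 - 10


def segment(text: str):
    """Fewest dictionary words that exactly cover `text`, or None if it cannot be split."""
    best = [None] * (len(text) + 1)
    best[0] = 0
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in WORDS:
                count = best[start] + 1
                if best[end] is None or count < best[end]:
                    best[end] = count
    return best[len(text)]


def charset_size(pw: str) -> int:
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += PUNCT_CLASS
    return size


def naive_guesses(pw: str) -> int:
    """Brute force over the character classes present, ignoring any structure."""
    return charset_size(pw) ** len(pw)


def estimate_guesses(pw: str):
    """(guesses, method): dictionary model when the password is words (+ optional suffix), else brute force."""
    core, suffix = pw, ""
    if len(pw) > 1 and pw[-1] in SUFFIX_CHARS:
        core, suffix = pw[:-1], pw[-1]
    words = segment(core.translate(UNLEET).lower())
    if words is not None:
        guesses = (DICT_SIZE * VARIANTS_PER_WORD) ** words
        if suffix:
            guesses *= len(SUFFIX_CHARS)
        return guesses, f"{words} dictionary word(s)" + (" + suffix" if suffix else "")
    return naive_guesses(pw), "brute force"


def bits(pw: str) -> float:
    """Estimated strength in bits under the model above."""
    return math.log2(estimate_guesses(pw)[0])
```

For `toastersdonttoastsoggybread` the segmenter finds five words, and the estimate drops from the 26^27 a letters-only brute force would suggest to (100,000 x 4)^5; `Passw0rd!` de-leets to one word plus a suffix. `h^;X}4~l` does not segment, so it is scored as brute force over all 95 printable characters. The absolute numbers depend entirely on `DICT_SIZE` and the variant factor, so treat the bit counts as a ranking of structure, not a measurement.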