  • Views: 3,443
  • Replies: 24

Account Security and password advice

SAI (Curadh de na Faolchu Donn)
Posted On: 08/31/2012 at 12:20 AM

Account security is important; getting your password guessed is terrible. So let's not have that happen.

First, make sure you have working antivirus and firewall. No matter how good your passwords are, it won't matter if you have a keylogger running. You will never notice a modern virus running on your computer.

I STRONGLY recommend disabling the Java plugin in all browsers. There is currently an exploit in the wild that allows arbitrary code, such as a keylogger, to infect your machine. The fix is not planned until October. If you don't need it for some reason, uninstall Java entirely. If you do need it, disable the plugin in your main browser, then install a second browser with the plugin enabled to use only on the website where you need Java.


Due to various evidence* I believe passwords are likely securely stored by ArenaNet. Even if they are hacked it should take a long time to guess any sufficiently secure password.

DO NOT MAKE UP A PASSWORD BY THINKING OF "RANDOM" WORDS/CHARACTERS. Humans are very, very bad at randomness, and passwords need randomness. Happily, almost everyone has a good secure source of randomness easily available: dice.

Step 1: Open http://world.std.com/~reinhold/diceware.wordlist.asc
Step 2: Roll 5 dice (or one die 5 times) and record the resulting number.
Step 3: Find the number from step 2 above in the wordlist. Record the corresponding word.
Step 4: Repeat steps 2-3 five (or more) times. The resulting five words are your passphrase. Write this down.**

This passphrase is your new password to log into GW2. Repeat the above for your e-mail, since if that password can be guessed the GW2 password can be reset. (Likely along with other more important passwords, such as online banking. Or did you think your mother's maiden name and favorite color were actually secret?)

You now have 2 secure, reasonably easy-to-remember passwords. But you likely have a lot more games/sites that are important, and memorizing tons of passphrases is still hard. After all, they all need to be different! KeePass Password Safe is a good way to store passwords. Choose a good, strong passphrase (5 or more words, I use ten but that's severe overkill) for the password safe, and store all your passwords in there. It even has a password generation function for secure short passwords on sites with a password length limit.*** I recommend at least 64 bits in the "quality" field.

Why 5 words?
Four words are breakable with a hundred or so PCs. Or by paying for about $10-15 of time on Amazon's EC2 service.
Five words are only breakable by an organization with a large budget.
Six words appear unbreakable for the near future, but may be within the range of large organizations by around 2014.
Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.
Eight words should be completely secure through 2050.
The NSA/CIA are not likely to be stealing GW2 accounts. It's thus long enough to be secure against the expected attackers, yet short enough to be memorable.

*Log-in sessions are SSL encrypted, passwords are likely stored hashed due to chroma-key indicating the ANet devs know about hashing. I'd like to confirm with the devs that a secure password hashing function was used, such as PBKDF2 or Bcrypt, instead of a non-password hashing algorithm, such as SHA.

**Contrary to what some people say writing down passwords is not always bad. In your home only people you trust to have physical access to your computer will be able to find the written-down password. Anyone with physical access to your computer can get the password anyway (by installing a keylogger, for example) so writing it down doesn't significantly decrease security.

***Any site with a short (under 1000 characters) password length limit should be considered to be publishing that password to the world. It's such an elementary security mistake that anyone who makes it should be considered incompetent, and so the bits that are harder to get right (secure storage, etc) are probably also done wrong.

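The five-step procedure in the post above, written out as a small program so the lookup and the entropy arithmetic can be checked. This is an added example, not code from the original post or from the Diceware project. It draws each die roll from the operating system's random generator in place of physical dice (the point of the post is only that the words must not be picked by a human), and the wordlist excerpt embedded below is constructed in the format of the real list (five dice digits, a tab, the word) with just a few entries so the script runs offline; the function names are this example's own.

```python
import math
import secrets

# Constructed excerpt in the Diceware list format ("<5 dice digits><TAB><word>").
# Only eight entries are included so this runs offline; the real list has 7776.
SAMPLE_WORDLIST = """\
11111\ta
11112\ta&p
11113\ta's
11114\taa
11115\taaa
11116\taaaa
66665\tzoom
66666\tzurich
"""

SIDES = 6
LIST_SIZE = SIDES ** 5  # 7776 words in the complete list


def parse_wordlist(text):
    """Map each 5-digit dice code (e.g. '11111') to its word. Lines that are not
    '<code><TAB><word>' (PGP signature armour, blanks) are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split("\t", 1)
        if len(parts) != 2:
            continue
        code, word = parts[0].strip(), parts[1].strip()
        if len(code) == 5 and all(c in "123456" for c in code):
            table[code] = word
    return table


def roll_die():
    """One roll of a fair six-sided die, from the OS CSPRNG (stands in for real dice)."""
    return secrets.randbelow(SIDES) + 1


def roll_code(roll=roll_die):
    """Steps 2-3: five rolls joined into the lookup key, e.g. 1,3,6,2,5 -> '13625'."""
    return "".join(str(roll()) for _ in range(5))


def generate_passphrase(table, n_words=5, roll=roll_die):
    """Step 4: repeat roll-and-lookup n_words times. `roll` is injectable so the
    same code can be fed rolls from physical dice, or a fixed sequence in a test."""
    words = []
    for _ in range(n_words):
        code = roll_code(roll)
        if code not in table:
            raise KeyError(f"dice code {code} is not in the wordlist (list incomplete?)")
        words.append(table[code])
    return words


def passphrase_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n words chosen uniformly: n * log2(list size). 5 words ~= 64.6 bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    # A fixed roll sequence so every lookup hits the tiny excerpt; with the full
    # list you would pass roll=roll_die (the default) or type in real dice rolls.
    fixed = iter([1, 1, 1, 1, 1, 6, 6, 6, 6, 6, 1, 1, 1, 1, 4, 6, 6, 6, 6, 5, 1, 1, 1, 1, 5])
    print(" ".join(generate_passphrase(table, 5, roll=lambda: next(fixed))))
    print(f"{passphrase_bits(5):.1f} bits of entropy for 5 words")
```

With the complete list downloaded from the URL in step 1, `parse_wordlist(open(path).read())` gives the full table and `generate_passphrase(table)` produces five words from fresh rolls; the `roll` parameter is there so a sceptic can type in real dice rolls and get exactly the lookup the post describes.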

Narco (Saighdiuir de na Capall)
Replied On: 08/31/2012 at 05:46 AM PDT

Excellent post, putting all the tips together in one place.

Pretend that something clever is being said here!
Drigr (Seaimpin de na Iomproidh Buí)
Replied On: 08/31/2012 at 07:01 AM PDT

Please follow this advice guys. You never know when something like what's happened with GW2 can happen, and for me it was a real eye opener that I've been lazy when it comes to keeping my gaming accounts safe.

Narco (Saighdiuir de na Capall)
Replied On: 08/31/2012 at 02:45 PM PDT

"Choose a good, strong passphrase (5 or more words, I use ten but that's severe overkill)"

You might think it's overkill, but (and I quote) "Only a few weeks ago a 16 character password was brute forced in only 18.12 hours using 10 GPU's."

» Edited on: 2012-08-31 14:45:57

Cyrexae (Ban Seaimpin de na Iolair)
Replied On: 08/31/2012 at 03:42 PM PDT

My husband uses lastpass for almost all of his passwords. Is this secure enough? Also if I were to do this, you are saying my literal password would "word1 word2 word3 word4 word5" and so on? Seems awfully long. Thanks for the info. It was really eye opening.

Drigr (Seaimpin de na Iomproidh Buí)
Replied On: 08/31/2012 at 09:42 PM PDT

Cyrexae, doing it like that does make a password long, which makes it harder to bruteforce. But if you are using an easy phrase, say "pleaseexcusemydearauntsally" or "nevereatsoggywheaties", it makes them easier to remember. I'm actually doing a mix of phrases and numbers now. Something along the lines of "never1eat2soggy3wheaties4"

Narco (Saighdiuir de na Capall)
Replied On: 08/31/2012 at 10:03 PM PDT

Although my passwords were OK, I've now installed KeePass on a USB stick and I have to say, after 5 minutes setting it up I think it rocks. You can generate lovely random hash passwords and just copy/paste the fields over.

SAI (Curadh de na Faolchu Donn)
Replied On: 09/01/2012 at 02:37 AM PDT

Lastpass should be secure enough. Your password would indeed be that long. EG "ElvenValetFuzzyAnvilMammal"

@Sylva What's the source on that? The current top end for GPU is about 5 billion guesses per second, but that's only with a permuting dictionary, not a brute force. Brute force is close to 1 billion guesses/second, mostly constrained by memory. Assuming the password was randomly chosen from all ASCII printable characters, there are 95 possible symbols * 16 characters = 16*(Log(95)/Log(2)) = 105.2 bits of entropy = 2^105 operations to exhaust the keyspace (average to brute force as well) = 4.4x10^31. Divide by 50 billion gives 8.8x10^20. Which would take an average of 3x10^13 (30,000,000,000,000) YEARS to brute force with such a setup. Brute force is very, very different from a modern dictionary attack.

An example of such a password is "AccCnWzzlM\{CE0W". That would be about equivalent to a 9 word Diceware passphrase. Adding a tenth word multiplies the time needed by 2^7776.

And that's ignoring the 5868800 round PBKDF2 cycle needed to generate the actual database key, which takes a modern CPU (Core i7 930 @ 3.3ghz) about 1 second. Thus turning from 5 billion guesses per second to 1 (possibly 2-3 for a GPU). But that aspect is more on the password-storage side, not password generation. Something for app/website authors to care about, not as much for end users.

SAI (Curadh de na Faolchu Donn)
Replied On: 09/01/2012 at 05:16 AM PDT

Drigr, picking a phrase is exactly what not to do. It's almost invariably going to have a low amount of randomness (such as every phrase you listed). People are really, REALLY bad at picking random sequences. The complexity/length of the password isn't what's important; it's the amount of randomness (technically this is called entropy) contained in the password. Longer passwords can simply contain more randomness than shorter passwords.

Kalizaar (Saighdiuir de na Capall)
Replied On: 09/01/2012 at 09:10 AM PDT

Keep in mind that a decent system should not allow brute force attempts like described (gajillion guesses/second). Proper security systems should only allow a small number of attempts per minute/hour/whatever before an account is locked. So if they're capable of doing 1 billion guesses/second they can only realistically make 10 guesses per minute or whatever the security system in place has. I would hope that GW2 is set up so that hackers can't use brute force attempts.

I'm not saying you SHOULDN'T have a secure password, of course. A five word passphrase is much easier to remember than kh38@Hk1(% that someone might use as a "secure" password, not to mention more secure. Unfortunately too many people use a single easily guessed word with a couple easily guessed numbers, if even that complex. Sorry, your dog's name and your year of birth aren't terribly secure.. hehe.

The dictionary attacks are what will get most people. Combined with the fact that people tend to use the same e-mail address for every forum and game, not to mention the same password. Remember that funny picture website you registered at 3 years ago? Or those 5 different gaming sites and sweepstakes entries you've put information into over the last couple months? Hackers grab all that info and sell it on the black market as big databases. A new game comes along (Diablo 3, GW2) and hackers know people are going to use the same e-mail and password. So even if they can only do 10 guesses an hour or whatever they will eventually nab accounts.

So you might want to add to the first post that it's also important to change emails for games. Even creating a separate e-mail for games and placing that game into the e-mail is better than using your 15 year old hotmail e-mail. kalizaarsgroovyGW2intermail@whatever.com, kalizaarsgroovyDiablointermail@whatever.com, etc. makes having multiple e-mails more secure and also easy to remember. You can also incorporate that into your 5 word passphrase: sillyrabbitsGW2oysterfluffs, sillyrabbitsDiablo3oysterfluffs, sillyrabbitsRiftoysterfluffs. So now you have separate e-mails, and separate passwords for every game AND they're all easy to remember.

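The two server-side points in Kalizaar's post, the per-account attempt limit and the leaked-list attack that a per-account limit alone does not catch, as an added example (not code from the thread or from any game's login service). The policy numbers are assumptions based on his "10 guesses per minute" figure, the attempt records are constructed, and the class and function names are this example's own.

```python
from collections import defaultdict, deque

# Assumed policy, following the "10 guesses per minute" figure in the post.
WINDOW_SECONDS = 60       # failures are counted within a sliding one-minute window
MAX_FAILURES = 10         # the tenth failure in a window locks the account
LOCKOUT_SECONDS = 900     # assumed 15-minute lockout


class LoginGuard:
    """Server-side throttle: counts failed logins per account in a sliding window and
    locks the account when the budget is spent. A successful login clears the window."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.window, self.max_failures, self.lockout = window, max_failures, lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time at which the lock expires

    def allow(self, account, now):
        """Check before verifying the password; False means reject without hashing."""
        return now >= self.locked_until.get(account, 0)

    def record(self, account, now, success):
        """Record the outcome of a login that was allowed. Returns 'ok', 'fail' or 'locked'."""
        q = self.failures[account]
        if success:
            q.clear()
            self.locked_until.pop(account, None)
            return "ok"
        while q and now - q[0] >= self.window:     # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return "locked"
        return "fail"


def replay(attempts, guard=None, stuffing_threshold=5):
    """Drive the guard with (timestamp, source_ip, account, success) records.
    Returns the decision for each attempt plus the source IPs that touched at least
    stuffing_threshold distinct accounts: the leaked-list pattern in the post, which
    never trips a per-account lockout because each account sees only a try or two."""
    guard = guard or LoginGuard()
    decisions = []
    accounts_per_ip = defaultdict(set)
    for ts, ip, account, success in attempts:
        accounts_per_ip[ip].add(account)
        if not guard.allow(account, ts):
            decisions.append("rejected")     # locked: password not even evaluated
            continue
        decisions.append(guard.record(account, ts, success))
    stuffing = sorted(ip for ip, accs in accounts_per_ip.items() if len(accs) >= stuffing_threshold)
    return decisions, stuffing


# Constructed attempt log: one source hammering one account, one source trying six
# accounts once each with leaked pairs, and one legitimate login.
SAMPLE_ATTEMPTS = (
    [(t, "198.51.100.7", "sai", False) for t in range(12)]
    + [(100 + i, "203.0.113.9", f"user{i}", False) for i in range(6)]
    + [(200, "192.0.2.5", "narco", True)]
)

if __name__ == "__main__":
    decisions, stuffing = replay(SAMPLE_ATTEMPTS)
    for (ts, ip, account, _), d in zip(SAMPLE_ATTEMPTS, decisions):
        print(f"t={ts:3d} {ip:14s} {account:8s} {d}")
    print("possible credential stuffing from:", stuffing)
```

The brute-force source is stopped after ten failures and everything it sends afterwards is rejected before the password is even checked, but the second source never exceeds one failure per account and is only visible when attempts are also counted per origin, which is why the replay reports both.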
Keegan (Seaimpin de na Aracos Oráiste)
Replied On: 09/01/2012 at 10:28 AM PDT

I would like to integrate Keepass with Chrome. Do you think the plugins are safe to use?

SAI (Curadh de na Faolchu Donn)
Replied On: 09/01/2012 at 03:16 PM PDT

@Kalizaar: True they shouldn't allow tons of guesses per second, but game companies (among others) are notoriously bad at password security. I'm reasonably sure Anet hashes passwords, I'm not certain about salt, and have no idea if they're using a password hashing function or a data hashing function (eg bCrypt vs SHA-256). This only really matters if the password database is leaked, but we should always assume the password database will be leaked.

And yes, having different e-mail addresses for different accounts is a good idea. In general, assume that whoever you're interacting with has the minimum security they can get away with. EG Banks need "2-factor" authentication, but the courts allow both factors to be passwords, so there's no security increase. Make sure both passwords are secure, even if one is called "Mother's Maiden Name" and not "Password".

@Baine, ChromeIPass looks fine, though I've not done a full audit or anything.

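What the "password hashing function vs data hashing function" distinction in the reply above (and in the first post's footnote) looks like in code, as an added example; this is not code from the thread, from ArenaNet or from KeePass. It uses PBKDF2 from Python's standard library because that needs no extra packages; bcrypt, scrypt or Argon2 are the usual choices in a real service. The record layout, iteration count and the user table are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption; tune so one verification costs tens of milliseconds
SALT_BYTES = 16


def store_sha256(password):
    """The data-hashing approach the thread warns about: one fast hash, no salt.
    Every user with the same password gets the same record, and one precomputed
    table of sha256(candidate) cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """A password-hashing function: a random per-user salt plus a deliberately slow KDF.
    Record layout (assumed for this example): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def identical_records(users, store):
    """Given {user: password}, return the groups of users whose stored records coincide.
    This is what someone reading a leaked table sees: with store_sha256 shared passwords
    stand out immediately; with store_pbkdf2 the salt makes every record unique."""
    by_record = {}
    for user, pw in users.items():
        by_record.setdefault(store(pw), []).append(user)
    return sorted(group for group in by_record.values() if len(group) > 1)


def seconds_per_guess(store, guesses=3):
    """Cost of one trial hash under each scheme: the price an attacker holding the
    leaked table pays per candidate password (and, with a salt, per user as well)."""
    t0 = time.perf_counter()
    for i in range(guesses):
        store(f"candidate{i}")
    return (time.perf_counter() - t0) / guesses


# Constructed user table; two users share a password on purpose.
SAMPLE_USERS = {
    "sai": "ElvenValetFuzzyAnvilMammal",
    "narco": "hunter2",
    "drigr": "hunter2",
    "cyrexae": "kh38@Hk1(%",
}

if __name__ == "__main__":
    print("duplicates visible with SHA-256:", identical_records(SAMPLE_USERS, store_sha256))
    print("duplicates visible with PBKDF2: ", identical_records(SAMPLE_USERS, store_pbkdf2))
    rec = store_pbkdf2("hunter2")
    print("verify correct:", verify_pbkdf2("hunter2", rec), " wrong:", verify_pbkdf2("Hunter2", rec))
    print(f"per-guess cost  sha256: {seconds_per_guess(store_sha256):.2e}s "
          f"pbkdf2: {seconds_per_guess(store_pbkdf2):.2e}s")
```

The iteration count is stored in the record so it can be raised later without invalidating old entries (verify with whatever count the record says, re-hash on next successful login), and the comparison uses `hmac.compare_digest` so a verification failure takes the same time whichever byte differs.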
Kilashandra (Curadh de na Capall Gorm)
Replied On: 09/01/2012 at 03:33 PM PDT

Thanks for the post, a little too late for me, as not only was I hacked earlier today, but I was online when it happened. I was kicked off of the server, and before I could send in a report, my inventory and money had been wiped out. Additionally, my email reported an unauthorized login attempt. Currently, I'm in the process of changing all of my passwords (after deciding between using either lastpass or keepass password software to try to prevent this from happening again). Please be wary of any emails you get from me today, or any posts - I am working to fix this problem as fast as I can, but I had a mountain of work to do before this problem started, and my deadline is today. Hope to be able to return to the game soon.

Narco (Saighdiuir de na Capall)
Replied On: 09/01/2012 at 04:06 PM PDT

Oh no, not another victim. This is terrible. I'm liking KeePass; having to have it on every device is a bit of a pain, but worth it for peace of mind.

Elsimer (Caomhnoir de na Aracos Gorm)
Replied On: 09/01/2012 at 09:22 PM PDT

On the other side of the coin, I generated a random password that included symbols (good). Unfortunately, either I wrote it down wrong and managed to mistype it incorrectly AND confirm it incorrectly or ANet didn't like either the period or the exclamation mark I had in there and now I can't log into my account to change it. The result? With the reset password feature down for the foreseeable future, I'm left with an effective ban (albeit self-imposed) longer than the ban given to those who exploited the game since Monday is a holiday and priority is given (rightfully so, let me hastily add) to hacked accounts. The lesson of the day? Stick to alphanumerics and type your password into Notepad or something then copy/paste it. *sigh* I'm going through withdrawals already.

SAI (Curadh de na Faolchu Donn)
Replied On: 09/02/2012 at 04:02 PM PDT

Yes, that's why I like KeePass. Store your passwords there, use copy/paste.

Narco (Saighdiuir de na Capall)
Replied On: 09/02/2012 at 06:11 PM PDT

Sai, has any research been done on the strength between a string of random dictionary words against things like random strings, hashes etc? Why is everyone suddenly pushing for a string of random words? Is it just because they are easier to remember? Surely a 50 char random string is more secure than a 50 char string made up of random words? Also does adding in the odd ascii character to a string of dictionary words make it any more secure?

» Edited on: 2012-09-02 18:11:45

SAI (Curadh de na Faolchu Donn)
Replied On: 09/02/2012 at 10:01 PM PDT

The research is actually really easy, but involves some math, so I skipped it above.

Password strength is measured by information entropy, measured in bits. A password with 16 bits of entropy has 2^16 = 65536 possible values, and so on average takes (2^16)/2 = 32768 guesses to find using a brute force search. Now, assuming we're randomly choosing symbols we can calculate the entropy of a password from its length and the number of possible symbols.

Entropy = log_2(N^L)

Where log_2 is the base 2 logarithm, N is the number of possible symbols, and L is the length of the password. To make that easier to calculate we can rewrite it as

Entropy = L*(ln(N)/ln(2))

via the change of base formula and properties of logarithms. ln is found on most pocket calculators, so should be easy to use.

There are 95 easily-typeable characters on a (non-international) keyboard. Thus there are (ln(95)/ln(2)) ~= 6.5699 bits of entropy per character. Your 50-character random string thus has 50*6.5699 = 328.5 bits of entropy. VERY secure, but VERY hard to remember.

There are 7776 words in the diceware list, with an average length of about 4.2 characters. 50/4.2 ~= 12 words for the passphrase. 12*(ln(7776)/ln(2)) = 155 bits of entropy. Not nearly as secure, but MUCH easier to remember. And still far, far more secure than needed for almost any realistic purpose. With the cost of current computational resources brute-forcing such a passphrase (even assuming the diceware list, and not any additional characters) would be less expensive than simply declaring war on whoever had the information and sending in troops to torture the password out of them. Or just carpet-bomb their city, it's still cheaper.

If you want to add another character, it's best to do so randomly. From the diceware page:

"For extra security without adding another word, insert one special character or digit chosen at random into your passphrase. Here is how to do this securely: Roll one die to choose a word in your passphrase, roll again to choose a letter in that word. Roll a third and fourth time to pick the added character from the following table:"

                 Third Roll
               1   2   3   4   5   6
Fourth    1    ~   !   #   $   %   ^
Roll      2    &   *   (   )   -   =
          3    +   [   ]   \   {   }
          4    :   ;   "   '   <   >
          5    ?   /   0   1   2   3
          6    4   5   6   7   8   9

Lots more info that isn't needed just to use this can be found at the diceware faq: http://world.std.com/~reinhold/dicewarefaq.html

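The entropy and time-to-crack arithmetic from this reply, from the earlier 16-character brute-force estimate and from the "Why 5 words?" list in the first post, together with the extra-character step from the table, as one added example (not code from the thread or from the Diceware page). The guess rates are the ones quoted in the thread and are inputs to the calculation, not measurements; the decision to insert the symbol immediately before the rolled letter, and the error raised for passphrases a single die cannot index, are this example's own.

```python
import math
import secrets

PRINTABLE_ASCII = 95            # typeable symbols on a US keyboard, as in the reply
DICEWARE_WORDS = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbols, length):
    """Entropy = log_2(N^L) = L * log_2(N) for L symbols drawn uniformly from N."""
    return length * math.log2(symbols)


def expected_guesses(bits):
    """Brute force finds the password after half the keyspace on average."""
    return 2 ** bits / 2


def years_to_crack(bits, guesses_per_second, seconds_per_guess_kdf=0.0):
    """Expected years at a given guess rate. If each verification runs a slow KDF
    costing seconds_per_guess_kdf (the PBKDF2 point in the earlier reply), the
    attacker's rate is bounded by that cost rather than by raw hashing speed."""
    if seconds_per_guess_kdf > 0:
        guesses_per_second = min(guesses_per_second, 1.0 / seconds_per_guess_kdf)
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


# The Diceware extra-character table: row = fourth roll, column = third roll.
CHAR_TABLE = [
    "~!#$%^",
    "&*()-=",
    "+[]\\{}",
    ":;\"'<>",
    "?/0123",
    "456789",
]


def roll_in_range(limit, roll):
    """Roll until the die shows at most `limit`, which is how a die picks uniformly
    among fewer than six words or letters (re-roll anything larger)."""
    while True:
        r = roll()
        if r <= limit:
            return r


def insert_random_char(words, roll):
    """Pick a word (roll 1), a letter in it (roll 2), and a symbol from CHAR_TABLE
    (rolls 3 and 4); insert the symbol before that letter. `roll` returns 1..6."""
    if len(words) > 6 or any(len(w) > 6 for w in words):
        raise ValueError("a single die can only pick among at most six words/letters")
    wi = roll_in_range(len(words), roll) - 1
    li = roll_in_range(len(words[wi]), roll) - 1
    third, fourth = roll(), roll()
    symbol = CHAR_TABLE[fourth - 1][third - 1]
    out = list(words)
    out[wi] = words[wi][:li] + symbol + words[wi][li:]
    return out


if __name__ == "__main__":
    for label, symbols, length in [("16 random printable chars", PRINTABLE_ASCII, 16),
                                   ("50 random printable chars", PRINTABLE_ASCII, 50),
                                   ("5 Diceware words", DICEWARE_WORDS, 5),
                                   ("12 Diceware words", DICEWARE_WORDS, 12)]:
        bits = entropy_bits(symbols, length)
        print(f"{label:26s} {bits:6.1f} bits  "
              f"{years_to_crack(bits, 5e10):.1e} years at 5e10/s  "
              f"{years_to_crack(bits, 5e10, 1.0):.1e} years behind a 1 s KDF")
    die = lambda: secrets.randbelow(6) + 1      # OS randomness standing in for a real die
    print(" ".join(insert_random_char(["elven", "valet", "fuzzy", "anvil", "mammal"], die)))
```

Two things the printed table makes visible: a five-word passphrase (about 64.6 bits) survives roughly ninety years of guessing at the 5 billion per second rate quoted for GPUs, but only because the attacker is guessing offline against a leaked hash; and once each guess has to pay for a one-second key derivation, as with the KeePass database key, the same passphrase is out of reach of anyone.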
Narco (Saighdiuir de na Capall)
Replied On: 09/02/2012 at 10:07 PM PDT

Thanks for clarifying. There has been a lot of conflicting information flying around the interwebs in the last few months!

SAI (Curadh de na Faolchu Donn)
Replied On: 09/03/2012 at 04:45 AM PDT

A lot of that is because of old info, and some because bad ideas got popularized early on, eg changing passwords often actually tends to decrease security, since it makes people choose easier-to-remember and weaker passwords. http://arstechnica.com/security/2012/08/passwords-under-assault/ is a pretty good article if you're interested in such things. It leaves out some things (such as "never use an e-mail address as a username, unless it's an e-mail account") that many people (including ArenaNet) get wrong, but is otherwise a good article.

WavesOfMonument (Caomhnoir de na Ulchabhan)
Replied On: 09/04/2012 at 01:13 PM PDT

Great Info, lol three days in and I get four emails informing me of login attempts, so I'm going with lastpass *sigh*

You can't treat everything like it's a Life or Death situation or you'll die a lot of times (Write that down).
Narco (Saighdiuir de na Capall)
Replied On: 09/04/2012 at 01:35 PM PDT

Thanks for the link Sai. I actually used to know quite a bit about this, but have fallen behind the times since leaving IT. I'm one of those freaky people that actually has a keypair. ;)

kiba (Curadh de na Capall)
Replied On: 09/06/2012 at 04:00 AM PDT

good post, I've always used hex codes for passwords lol

"I'm sick of following my dreams. I'm just going to ask where they're going and hook up with 'em later."
Yankee (Lorgaire de na Capall)
Replied On: 09/06/2012 at 11:03 AM PDT

While I am sure there are "brute force" attempts, I still believe the vast majority of compromises are from having an infected computer or more likely a web site that is compromised where a person then uses the same web site email/password for GW2. The bad guys collect thousands of these email/passwords from the compromised sites (especially if the site topic is related to a game) and then start trying them in the game after it launches. Still, better safe than sorry.

SAI (Curadh de na Faolchu Donn)
Replied On: 09/06/2012 at 02:47 PM PDT

You are correct that the vast majority of attacks are due to keylogging/other compromised sites. That said, if you use strong passwords having a website's password database compromised won't matter (unless it's plaintext). And, of course, use different passwords for each site/service.
