Account security should be the number one concern for players in any MMO game, Guild Wars 2 is definitely no exclusion. Your account is your license to play the game and storage for your characters, loot, and achievements. If its security is breached then you’re going to lose playtime, possibly characters and items, and more. There is a lot to account security and we’re going to be going over methods to make your account secure the easy way.
Your account is like a car. If you leave the keys in it running then there is chance that someone will steal it. A common misconception when an account is compromised is that it’s ArenaNet’s fault and that they’re horrible people for letting someone steal your account. This could be true if ArenaNet’s systems have been compromised, but currently that isn’t the case. The recent spree of account intrusions are due to a lot of mainstream security breaches at Twitter and Yahoo combined with the reluctance of many to use different passwords for different services.
Ner’do’wells obtain password lists and try different email/password combinations to try to login. If a site was hacked and the information got out that your email was “gokutheultimatechef@supersaiyan.chefs” and your password was “planetnamek” then they’ll try this to login to the game. If it’s the same, then voila, they have access. If it’s different then access, of course, would be denied.
There are other ways for them to obtain access to your account, but we’ll go into the ways that you can lock up
There is an easy way to correct this of course.
Designing Secure Passwords
Password basics:
- It should NOT be used on ANY other website, game, or other login function.
- It should be UNIQUE to Guild Wars 2.
- It should be LONGER than 8 characters.
- It should NOT be a dictionary word, doubles of a dictionary word, any personally identifying information (social security number, driver’s license number, etc.) that you wouldn’t want published online, a dictionary word with a number on the end, or easily guessed by your roommates.
A common misnomer is that complicating your password makes it more secure. So a lot of people out there come up with a really good password like LokIisOdinNemiSiS49 and then call it a day. Of course, the difficulty of it creates a huge issue with remembering it, which means that they reuse it over and over again. Whenever a site is hacked and a list of passwords makes it to the net, well… everything they’ve ever used the password for is wide open for intrusion.
That’s why it’s better to make simpler, longer, safer passwords. ArenaNet allows up to 100 characters for a password. You may think that’s a lot, but let’s look at a good way to make a password. First, start with a sentence:
Remove the spaces:
Voila. You just created an insanely easy to remember password that is super secure. It would take 205 quattuorvigintillion years for a brute force attack (using an average desktop computer) to break the password with 25 trigintillion possible combinations. As a bonus, it’s already unique to GW2. Dictionary attacks would fail because it’s not just one or two common words, but a longer series. However:
This would take 15 hours for an average desktop computer to break this password and it would be hard as hades to remember. Is that an o or zero, where did I capitalize what? Huh?
Using something a bit simpler:
Remove the spaces:
Would take 493 quattuordecillion years to brute force and is a bit shorter. If you’re super concerned, throwing in a # and a 1 knocks it up to 174 septendecillion years. That’s a lot! Let’s do this again:
Into:
Would take 2 quadrillion years to brute force. It’s 23 characters long, takes a few seconds to type, and is easy to remember.
The key is to strike a balance between difficulty (length) and remembering it. If you want to go all super-secret spy, you can use password managers like LastPass to hold your super long super tough passwords, but ultimately I find just using simple easy to remember long passwords to work well enough for me. To this date, I have yet to have an account breached.
Bringing LastPass up, some argue the most secure method is to have an easy to remember password to access to LastPass or some other similar password manager, which would hold extremely long hard to break passwords. It's a viable method, for sure, although if your LastPass is hacked into then everything is open.
Just remember this simple fact: complexity is harder for us to remember than length. See this comic for more information.
The important thing to take away from this is that creating unique, easy to remember passwords is much better than creating a few hard to remember passwords. Brute force attacks aren't a super huge concern, having a password from another site listed in a database somewhere is. So unique passwords are the ultimate in security.
Guarding the Rear Entrance
Now that you have a secure password, it’s time to think about the backdoor. If you forget your password then you can reset it using your email. If your email password is password1 and/or already compromised, then an attacker just has to send a password reminder and be on their way. Again, use a super safe super secure password for your email, share with no one, and change it every now and then.
Phishing & Key Logging
These two are easy. First, anti-viral software is mostly free these days and running security scans isn’t tough. Don’t open anything strange offering you millions if you just run “notavirus.exe” and don’t enter your password into any site offering exclusive beta access that isn’t a site fully related to Guild Wars. If Goku San messages you in game informing you they’re ArenaNet and ask for your password, then well tell them to fly off to Namek.
The Thieves
This is how account trafficking works: the bad guys gather together as many accounts as they can, from using public password lists for major security breaches, passwords from phishing, keylogging, etc. and go through and try to gain access to your account. If they succeed, it’s thrown into a queue where the password is then changed, the account is stripped of its valuables and the money is either moved to a secure mule or kept on that account until its needed (trafficking large amounts of coin to a single character is one of the ways game companies catch them, so they often just keep it all on the different accounts until purchased). At this point, they measure the value of the account.
They will either sale the account (if it has high level characters that they think would make a profit), hand it off to their gold farming team to use it to farm gold, use it as a mule, or if it has no value (no high level characters, no money, etc.) then they will use it to advertise in capital cities.
Email Authentication
Turn it on, please, and the second you get an email about access from another country – please change your password. You don’t get the email unless someone types the password in correctly. If you play at a net café, some hipster dive bar with computers, or your best friends house then you can secure your account even further against their computer being compromised by checking your email on your smartphone and enabling access from there, to avoid your email being compromised also.
Last Words
Ultimately, we the gamers need to strive to keep our accounts secure against things that we can control. Using the same password across multiple sites that isn’t secure to begin with will never, ever, keep our accounts from being hacked. We have to be vigilant in creating passwords that the ner’do’wells can’t guess, can’t find in a database, and can’t have.
If your account is ever compromised, be sure to follow ArenaNet’s procedure for account recovery.