Never before, on any online service or game has someone obtained and used one of my passwords. Until GW2. I cannot imagine how they got it - I definitely do not enter my account details on any site that isn't GuildWars2.com or their client, and I haven't given anyone my details.

Yet still, someone tried twice to log in to my account from Zhongyuan. This leaves me thinking, what do I put now as my password? Clearly, given by my experience and the countless, countless others who have had external log in attempts (or even their accounts stolen), ArenaNet's system is horribly unsecure. So it hardly matters what I use as my password, if someone is just gunna find it out again and I can never use it thereafter? I'm not going to go to the effort of thinking up a great password and learning it if it potentially will be compromised again.

What did you guys do, or what would you do, if your account was compromised? And how has the security been for GW2 as of late?

I imagine that if you did indeed not let your password get into the hands of anyone who isn't ArenaNet that they just brute-forced it.

If so, use stronger passwords. 1234 is not a good password.

12345, that's the combination for my luggage!

everyone knows the safest password is password or p4ssw0rrd

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

How is ArenaNet's system horribly unsecure if even if the person has your password they still could not even login to your account?

ArenaNet doesn't just give out people's passwords, either you have used that password for multiple websites and one of them has been comprised or you have a keystroke logger on your pc.

use numbers and letters along with upper case and lower case stuff, make it 20 characters long and write it down. Nobody in the world is ever going to steal your GW2 account because you wrote down the password on paper. Never use the password anywhere else either, the vast majority of GW2 account breaches are from people using the same details they used on a GW2 fansite like GW2 guru or any other mmo or guild wars related site that has ties to GW2. A ton of these sites are compromised so if you used the same password anywhere else, it's likely that someone somewhere has already stolen your password.

@Chavtheworld:

Get Lastpass and use it to remember complex passwords for you.

The best way to prevent against brute-forcing is to have a lengthy password with mixed case and special charcters. Lastpass has a password generator you can use to gin up your own. Something like this: uM7Z^GjbiAOruR4HN$eaz^JeQ#Ogh8m2

I have your password.

It was snausages.

If you are terribly worried I'm sure you can also give the mobile authenticator a shot. You seam to speak like you have one username and password combination. That's just a really bad idea. Make sure you mix them up. I had keypass for years and now I use lastpass because its just such a breeze. It figures out most forms (not all though).

Some Chinese dude tried to log into my account once. Changed pass.

Get the mobile authenticator. Also see @Benny 's post.

@Benny said:

use numbers and letters along with upper case and lower case stuff, make it 20 characters long and write it down. Nobody in the world is ever going to steal your GW2 account because you wrote down the password on paper. Never use the password anywhere else either, the vast majority of GW2 account breaches are from people using the same details they used on a GW2 fansite like GW2 guru or any other mmo or guild wars related site that has ties to GW2. A ton of these sites are compromised so if you used the same password anywhere else, it's likely that someone somewhere has already stolen your password.

I don't use any GW2 fansites or anything as such. I'm not a massive fan of writing passwords down but I guess it wouldn't be that harmful. Remembering complex passwords for every different service I use is just crazy.

@Ravenlight said:

@Chavtheworld:

Get Lastpass and use it to remember complex passwords for you.

The best way to prevent against brute-forcing is to have a lengthy password with mixed case and special charcters. Lastpass has a password generator you can use to gin up your own. Something like this: uM7Z^GjbiAOruR4HN$eaz^JeQ#Ogh8m2

I almost did check this out once, but it just seems like a target for people to aim for. If that thing is storing my passwords and autocompleting them, then they're in there and accessible for anyone who wants at them. And then they get all my passwords, and not just one. What's your thoughts on it?

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

@jesterroyal said:

If you are terribly worried I'm sure you can also give the mobile authenticator a shot. You seam to speak like you have one username and password combination. That's just a really bad idea. Make sure you mix them up. I had keypass for years and now I use lastpass because its just such a breeze. It figures out most forms (not all though).

Hmm that's an idea. I use the Blizz authenticator, but I guess I already have an authenticator for GW2 through the email stuff or else I wouldn't have caught this attempt, so what would another one achieve? And hell no, I obviously don't have one user/pass combo. I do share a password every so often between a couple of sites but that's just because I'm not a superhuman who can remember crazy passwords! I really hate that I now have to use a unique password for YouTube and Twitter (for example) when they are both such trivial crap - that really don't warrant me going out my way and spending time memorising another 2 awkward character/number/symbol strings - just because if I don't someone use a new password for everything someone might get into something I care about (my PayPal, my bank etc.)

@Chavtheworld:

Get Lastpass and use it to remember complex passwords for you.

The best way to prevent against brute-forcing is to have a lengthy password with mixed case and special charcters. Lastpass has a password generator you can use to gin up your own. Something like this: uM7Z^GjbiAOruR4HN$eaz^JeQ#Ogh8m2

Something that isn't a word. A series of numbers and letters that mean something to you. Mix in capital letters as well.

@Chavtheworld said:

I almost did check this out once, but it just seems like a target for people to aim for. If that thing is storing my passwords and autocompleting them, then they're in there and accessible for anyone who wants at them. And then they get all my passwords, and not just one. What's your thoughts on it?

Well, the only way for anyone to get into your Lastpass account is to break your Lastpass password. Being that you only need one password if you use Lastpass, you can devote your brainpower to remembering only one ultra-secure password, rather than 20 iffy ones. As always, your password is only safe as long as you remain smart about your security practices. If you share a computer with your mom who installs every toolbar and clicks on every advertisement, you're probably going to get pwned by malware eventually.

If you're still hella paranoid, you can go the extra mile and check out this article.

Yeah, I have to imagine something on their end isn't ultra secure. I've never had anything of mine hacked before, yet I got the email notification a while back (I actually made a thread about it) that some evil doer in China had attempted to log into my account with my password. My password isn't something simple like chinadontcare1234 either. I kind of wish there was a GW2 authenticator like the one Blizzard has, as in an actual physical authenticator. Even though I don't play any Blizzard games anymore, that thing gave me peace of mind.

In relation to adding random numbers/symbols for fixing brute force attacks, just going to link http://xkcd.com/936/

Also @Subjugation : They added the mobile authenticator beta, but it isn't the same as the physical one you prefer

@Chavtheworld said:

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

They don't know whether you have symbols at the start, they're going to use them in their attempts anyway.

Since this is going to be posted anyway, I might as well be the one to do it

@Pinworm45 said:

@Chavtheworld said:

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

They don't know whether you have symbols at the start, they're going to use them in their attempts anyway.

Since this is going to be posted anyway, I might as well be the one to do it

This. I love math!!! :D Facts that you can not say is not true! Cause...MATH!!!

@Subjugation said:

Yeah, I have to imagine something on their end isn't ultra secure. I've never had anything of mine hacked before, yet I got the email notification a while back (I actually made a thread about it) that some evil doer in China had attempted to log into my account with my password. My password isn't something simple like chinadontcare1234 either. I kind of wish there was a GW2 authenticator like the one Blizzard has, as in an actual physical authenticator. Even though I don't play any Blizzard games anymore, that thing gave me peace of mind.

What's wrong with the current authenticator system they have for GW2? Even if someone has your login username and password they still cannot gain access to your account, so what's the problem?

Self-plug. There's a link in there to MOB's way-too-extensive guide to account security, especially in relation to Guild Wars 2. Slightly out of date now, because - as has been mentioned - ArenaNet has recently released the first beta version of their mobile authenticator (which can be used with any phone that receives text messages).

IMPORTANT FOR EVERYONE: If you haven't since O'Brien's blog was first posted, change your GW account password. ArenaNet has no way to guarantee yours is safe until you bring it in line with their new security standards/practices.

How do you know when someone tries to log in to your GW2 account? Also, how do you find out? I'd like to know since I'm kind of paranoid myself (nothing's happened, but you can never be too craz-careful).

Just get a new password & then go into the account settings for GW2 to tell it to only let someone on your email/IP able to get into your account. That should help though best to use the random password generators or do better at making it unique as hell that's hard to let some China spammer to figure it out.

@insane_shadowblade85: Like fox says, there's an option in your account settings to seek verification whenever a non-associated IP tries to log in. Obviously, this system only works if your e-mail is also secure.

@Chavtheworld said:

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

No, that's not the case. Length is far more important than symbols. Try it out at http://howsecureismypassword.net/ . "thebigorangewaterofasia" would take a desktop PC 2 quadrillion years to bruteforce. "L8£x@D0p" would take just five years to crack on a desktop PC. The main issue with those are, many sites have character limits on passwords, and it may not be possible to use such a long password on every site.

Ultimately though, I started using Lastpass a while ago. Using the same password on multiple sites just leaves you open to attack. There are so many password database breaches that have come to light recently, and I wouldn't be surprised if significantly more had been covered up or kept secret to avoid bad publicity. If someone hacks one account, they'll have access to all your accounts. Of course, it is theoretically possible for lastpass to be hacked and all your passwords out there, but lastpass' servers are super secure. It would take a hell of a hack. Plus, as a backup, have a unique, memorized password for your email address, and don't store that in Lastpass. Then, if the worst does come to the worst, you can still use password reset emails to gain access to your accounts. Also, use an email provider with two tier authentication, so even if someone does somehow hack your password, they can't access it.

Ultimately, you're never going to be 100% safe. That's impossible. But you can make it as difficult as possible for unwanted people to access your accounts.

@Ravenlight said:

@Chavtheworld said:

I almost did check this out once, but it just seems like a target for people to aim for. If that thing is storing my passwords and autocompleting them, then they're in there and accessible for anyone who wants at them. And then they get all my passwords, and not just one. What's your thoughts on it?

Well, the only way for anyone to get into your Lastpass account is to break your Lastpass password. Being that you only need one password if you use Lastpass, you can devote your brainpower to remembering only one ultra-secure password, rather than 20 iffy ones. As always, your password is only safe as long as you remain smart about your security practices. If you share a computer with your mom who installs every toolbar and clicks on every advertisement, you're probably going to get pwned by malware eventually.

If you're still hella paranoid, you can go the extra mile and check out this article.

Cheers for that article.

@Subjugation said:

Yeah, I have to imagine something on their end isn't ultra secure. I've never had anything of mine hacked before, yet I got the email notification a while back (I actually made a thread about it) that some evil doer in China had attempted to log into my account with my password. My password isn't something simple like chinadontcare1234 either. I kind of wish there was a GW2 authenticator like the one Blizzard has, as in an actual physical authenticator. Even though I don't play any Blizzard games anymore, that thing gave me peace of mind.

Was fairly sure I couldn't be alone in thinking something was a bit iffy, security wise.

@MattyFTM said:

@Chavtheworld said:

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

No, that's not the case. Length is far more important than symbols. Try it out at http://howsecureismypassword.net/ . "thebigorangewaterofasia" would take a desktop PC 2 quadrillion years to bruteforce. "L8£x@D0p" would take just five years to crack on a desktop PC. The main issue with those are, many sites have character limits on passwords, and it may not be possible to use such a long password on every site.

Ultimately though, I started using Lastpass a while ago. Using the same password on multiple sites just leaves you open to attack. There are so many password database breaches that have come to light recently, and I wouldn't be surprised if significantly more had been covered up or kept secret to avoid bad publicity. If someone hacks one account, they'll have access to all your accounts. Of course, it is theoretically possible for lastpass to be hacked and all your passwords out there, but lastpass' servers are super secure. It would take a hell of a hack. Plus, as a backup, have a unique, memorized password for your email address, and don't store that in Lastpass. Then, if the worst does come to the worst, you can still use password reset emails to gain access to your accounts. Also, use an email provider with two tier authentication, so even if someone does somehow hack your password, they can't access it.

Ultimately, you're never going to be 100% safe. That's impossible. But you can make it as difficult as possible for unwanted people to access your accounts.

The general consensus seems to be check out LastPass. I think I'll have to get on that some time. It doesn't store bank passwords and stuff right?

@TaliciaDragonsong said:

@Ravenlight said:

@Chavtheworld:

Get Lastpass and use it to remember complex passwords for you.

The best way to prevent against brute-forcing is to have a lengthy password with mixed case and special charcters. Lastpass has a password generator you can use to gin up your own. Something like this: uM7Z^GjbiAOruR4HN$eaz^JeQ#Ogh8m2

This, Lastpass' random generator is awesome. Just be sure to never forget your master password and if you're skittish write down (as in paper and pen!) your important ones. I know I do. Never been hacked or had my account stolen in any game. (which can just be luck, but still).

I was in the same boat using my current passwording scheme... Until yesterday :P So yeah, could just be luck haha. Or maybe LastPass is great!

Shit, I just got back from a camping trip only to find out someone tried to log in from Beijing.

@fox01313 said:

Just get a new password & then go into the account settings for GW2 to tell it to only let someone on your email/IP able to get into your account. That should help though best to use the random password generators or do better at making it unique as hell that's hard to let some China spammer to figure it out.

I don't see this option in my account settings. All that I have under the security tab is a table that shows who logged on and when. Or have I already enabled it?

I had this happen to me last week as well. Apparently some asshole from Taiwan tried to log in but the authentication email was sent to me.

I was horrified. I've never had any account hacked before. I changed my password instantly.

@Gonmog said:

@Pinworm45 said:

@Chavtheworld said:

@akzo said:

use a nonsense phrase that you will remember. Something like thebigorangewaterofasia, or something like that. It's much much harder to crack than say an eight digit password with symbols, numbers and upper lower case. Easier to remember as well.

Not by brute force it isn't - adding symbols increases the number of possible combinations so much more!

They don't know whether you have symbols at the start, they're going to use them in their attempts anyway.

Since this is going to be posted anyway, I might as well be the one to do it

This. I love math!!! :D Facts that you can not say is not true! Cause...MATH!!!

Goddammit, I came in here to post exactly that.

That XKCD comic is partially invalidated by the fact that its very unlikely that someone is going to attempt to brute force your password. There are much easier fish to fry than trying to brute force one person's password. Often hacking comes from using repeat or common passwords.

Edit: Also don't use public wifi. Packet sniffing is easy.

http://strongpasswordgenerator.com/

Here you go bro, you're welcome. Just DON'T, DO NOT- EVER, DON'T EVER use the same password as your email that you do for your game.