Passwords: The first, critical step in securing your account
In the past, many accounts were stolen due to the use of weak passwords. Today’s hackers usually steal game accounts by acquiring account credentials through security breaches at other games or websites, or through malicious software such as key-loggers or Trojans.
Choosing a single complicated password, memorizing it, and then using it everywhere is exactly the wrong practice in today’s security environment. To keep accounts secure today, you need to use a unique password for each account.
We’ve seen hackers use tens of thousands of different IP addresses to try millions of account name and password combinations looking for matches, almost all of which don’t exist in our database. They’re not guessing or brute-forcing passwords; they’re trying a specific account name and password pair for each attempt, taken from a list stolen elsewhere (an attack commonly called credential stuffing). For example, account name “joe.user@example.com”, password “alligator101%”. If they don’t get a match immediately, they may try a variant like “alligator100%” or “alligator102%”, then they quickly move on to the next entry on their list.
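The pattern just described is what a defender sees in the authentication log, and it differs from a brute-force attack in shape rather than in volume. The following is an added example, not ArenaNet’s code; the log format, the sample events and the thresholds are constructed for illustration. It profiles a batch of failed log-ins and labels it as credential stuffing, brute force, or normal. Note that the “variant” attempts (alligator100%, alligator102%) show up only as two or three failures for one account name, well under any per-account lockout threshold, which is why per-account counters alone miss this kind of attack.

```python
from collections import Counter

# Constructed sample auth logs (not real ArenaNet data), one event per line:
# "<source ip> <account name> <result>".  Passwords are never logged, so the
# only signals available are who tried which account name, and what happened.

# Credential stuffing: many source IPs, each account name tried once or
# twice, and most names belong to nobody here because the list was stolen
# from some other site.
STUFFING_LOG = """
203.0.113.10 joe.user@example.com bad_password
203.0.113.10 joe.user@example.com bad_password
203.0.113.11 alice@example.net no_such_account
203.0.113.12 bob@example.org no_such_account
203.0.113.13 carol@example.com no_such_account
203.0.113.14 dave@example.net no_such_account
203.0.113.15 erin@example.org no_such_account
203.0.113.16 frank@example.com no_such_account
203.0.113.17 grace@example.net ok
203.0.113.18 heidi@example.org no_such_account
"""

# Classic brute force: one account hammered from one source.
BRUTEFORCE_LOG = "\n".join(
    "198.51.100.7 joe.user@example.com bad_password" for _ in range(12)
)

# Ordinary traffic: a mistyped password and a mistyped account name.
NORMAL_LOG = """
192.0.2.5 joe.user@example.com bad_password
192.0.2.5 joe.user@example.com ok
192.0.2.9 jo.user@example.com no_such_account
"""


def parse_log(text):
    """Turn the constructed log text into (ip, account, result) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines() if line.strip()]


def profile(events):
    """Summarise the failed attempts in a batch of events."""
    failures = [e for e in events if e[2] != "ok"]
    per_account = Counter(account for _, account, _ in failures)
    unknown = sum(1 for _, _, result in failures if result == "no_such_account")
    return {
        "failures": len(failures),
        "source_ips": len({ip for ip, _, _ in failures}),
        "accounts_targeted": len(per_account),
        "max_attempts_per_account": max(per_account.values(), default=0),
        "unknown_account_ratio": unknown / len(failures) if failures else 0.0,
    }


def classify(events, min_accounts=5, min_ips=5, unknown_ratio=0.5, bruteforce_attempts=10):
    """Label a batch as credential stuffing, brute force, or normal.

    Thresholds are illustrative; in production they would be tuned per
    time window and per population size.  Stuffing is recognised by breadth
    (many accounts, many sources, mostly names we have never seen), brute
    force by depth (many attempts against one account).
    """
    p = profile(events)
    if (p["accounts_targeted"] >= min_accounts
            and p["source_ips"] >= min_ips
            and p["unknown_account_ratio"] >= unknown_ratio):
        return "credential_stuffing"
    if p["max_attempts_per_account"] >= bruteforce_attempts:
        return "brute_force"
    return "normal"


if __name__ == "__main__":
    for name, log in [("stuffing", STUFFING_LOG), ("bruteforce", BRUTEFORCE_LOG), ("normal", NORMAL_LOG)]:
        events = parse_log(log)
        print(name, classify(events), profile(events))
```

The useful signal is the ratio of “no such account” failures across many sources: a stolen list from another site is mostly names that do not exist here, whereas a brute-force tool knows its target exists. A real deployment would compute the same profile per sliding time window rather than over a whole file.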
Quick Tip: Use a separate, unique, strong password for each on-line account.
E-mail authentication is designed to help keep your account secure even if a hacker does learn your account name and password. It works by asking you to validate your e-mail address the first time you log in to the game. After that, whenever you attempt to log in from a new location, we send an e-mail asking you to approve or deny the log-in attempt. Of course, this only provides protection if your game account and e-mail account have different passwords – if they have the same password, the hacker can simply log in to your e-mail account and approve their own access.
If you ever see an unexpected e-mail asking you to validate a log-in attempt from anywhere other than your present location, or a log-in attempt when you are not actively trying to log in to the game, that means a hacker already knows your account name and password! The only thing that’s keeping the hacker from logging into your account is the e-mail authentication system. If you get one of these e-mails, change your game password immediately.
Unfortunately, even with the e-mail authentication system in place, people still get their accounts hacked. Here’s how:
- First, a significant number of players who turn on the e-mail authentication system never verify their e-mail address. We can’t enforce e-mail authentication for an unverified address, so you get none of its benefits until you verify. Please verify that address right away.
- Second, in many—even most—cases, hackers also have access to the player’s e-mail account. This means they can access the authentication e-mail message and approve their own log-in attempt. This is very common when people use the same password for their e-mail account and their Guild Wars 2 account.
- Use E-mail Authentication if Mobile Authentication isn't an option for you.
- Verify your e-mail address to activate e-mail authentication.
- Use a different, unique password for your e-mail account and your game account.
- If you suspect your e-mail account may be compromised, contact Customer Support from a different, secure e-mail address, providing account details within your ticket.
- If you believe your computer may be compromised, download and install security software and run a full scan of your system before contacting Customer Support or use a different, secure computer to contact us.
Two-Factor (Mobile) Authentication
With e-mail authentication in place, you can further protect your account by setting up two-factor authentication on your game account. This system will challenge any game log-in attempt from a new location, and you’ll be required to approve access using a code provided through your mobile device before you can get into the game.
If your e-mail provider offers two-factor authentication, you might consider adding it to your e-mail account, as well.
You can enable two-factor authentication for Guild Wars 2 on the official website at My Account > Security.
Quick Tip: Add Two-Factor Authentication for an extra layer of security.
For our players’ protection we maintain a blacklist of passwords that hackers have attempted to use in Guild Wars 2 and we’re preventing new players from choosing any of those passwords. The list of “known passwords” already exceeds 20 million passwords! (Please note that our blacklist contains passwords only, not account names.) This system reduced hacks of newly-created accounts from about 1.5% to approximately 0.1%.
To extend this protection to existing accounts, when you change your password, the system won’t allow you to use your previous password or any password that we’ve seen hackers test against our system. This means you can be confident that your new password is not one that attackers have already tried against Guild Wars 2. Keep in mind, however, that it stays that way only if you don’t use it anywhere else: a password reused on another site can be stolen from that site and tried here.
Quick Tip: Don’t use your new, secure password on any other accounts in the future. Keep it secure – keep it unique.
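As an added example of the two checks this section describes (not ArenaNet’s system; the denylist contents, the hashing choices and the variant heuristic are assumptions made for illustration), here is a password-change policy that rejects the previous password and any password on a denylist of attacker-tried values. It goes one step past the page by also rejecting trivial variants of a denylisted password, of the kind shown earlier (alligator100%, alligator101%, alligator102%).

```python
import hashlib
import hmac
import re
import secrets

# Constructed denylist of passwords "seen in attacks" against the service.
# A real list runs to millions of entries; these few stand in for it.
ATTACKER_TRIED = [
    "alligator101%", "alligator100%", "alligator102%",
    "password123", "Password1!", "qwerty2014",
]

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware budget


def fingerprint(value: str) -> str:
    """Unsalted SHA-256, used only for the denylist.  Its entries are already
    attacker-known, so the aim is merely not to ship a plaintext wordlist with
    the server.  Never use an unsalted fast hash for a user's own password."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def stem(password: str) -> str:
    """Drop case and the trailing digits/symbols people bolt on to make
    'variants' (alligator101% -> alligator).  Assumed heuristic, not the page's."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def hash_password(password: str, salt=None):
    """Salted, slow hash for storing the user's current password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class PasswordPolicy:
    def __init__(self, attacker_tried, min_length=10):
        self.min_length = min_length
        self.exact = {fingerprint(p) for p in attacker_tried}
        # Stems of denylisted passwords; an empty stem (all digits/symbols) is skipped.
        self.stems = {fingerprint(s) for s in map(stem, attacker_tried) if s}

    def check(self, candidate: str, current_salt: bytes, current_digest: bytes):
        """Return the reasons a proposed password is rejected; [] means accept."""
        reasons = []
        if len(candidate) < self.min_length:
            reasons.append("too_short")
        if fingerprint(candidate) in self.exact:
            reasons.append("seen_in_attacks")
        else:
            s = stem(candidate)
            if s and fingerprint(s) in self.stems:
                reasons.append("variant_of_attacked")
        # The previous password is only ever available as its salted hash.
        if verify_password(candidate, current_salt, current_digest):
            reasons.append("same_as_current")
        return reasons


if __name__ == "__main__":
    policy = PasswordPolicy(ATTACKER_TRIED)
    salt, digest = hash_password("OldPassw0rd!xyz")  # constructed current password
    for proposal in ["alligator101%", "Alligator103%", "OldPassw0rd!xyz", "correct horse battery staple 42"]:
        print(repr(proposal), "->", policy.check(proposal, salt, digest) or "accepted")
```

The denylist lookup is a set membership test on a hash, so a list of tens of millions of entries costs one hash per check regardless of size. The stem check is deliberately crude; it catches the digit-and-symbol suffix shuffling the page shows, not every transformation an attacker’s rule set might apply.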
Occasionally, players theorize that accounts have been hacked as the result of a breach of a Guild Wars or ArenaNet database. We have very strict blocks in place to keep network attacks from reaching our customer databases, and a team constantly monitors for any signs of intrusion. We’re confident that there has been no such breach and we are diligent about preventing one in the future.
If we were to experience a security incident, we’d be up-front with you about it and we’d take immediate steps to ensure that it didn’t lead to widespread account hacking. Using a unique password for each account you care about is the best way to protect yourself, not only from being hacked today, but also from being hacked as the result of any future security breach of any company you deal with.
Quick Tip: GW2 accounts are compromised through lapses in individual security, so personal measures such as unique passwords and authentication are what prevent such incidents.
Compromised E-mail Accounts
As mentioned above, we have discovered that nearly every time a game account is compromised, the e-mail account also is compromised. Many times, hackers mask their activities so the legitimate account owner doesn’t realize the hacker has access to the e-mail account.
The hacker may intercept authentication approval requests and accept them in order to get onto the game account. The hacker may also delete e-mailed receipts and retain the serial code in hopes of “proving” ownership of the account.
- Make certain your e-mail account is secure.
- If in doubt, contact our Customer Support Team through a different e-mail account.
- Our team will be happy to help you change to a new, secure Account Name (e-mail address) upon verification of account ownership.
- Don’t store your serial code in your e-mail archives. Instead, write it down and store it somewhere secure.
Selecting a Password: Choose a unique password for each account. Do not use variations of a password; make sure that each one is separate and individual. Never use the same password for the game and for the e-mail address used as your Account Name.
Phishing: If an e-mail links you to a site that asks you to type in your password, do not type in your password. It could be a fake site. Go to the real account management site by typing “account.guildwars2.com” into your browser’s address bar, or use a bookmark. This forum thread contains several samples of English-language phishing attempts.
Social engineering: If someone claims to work for ArenaNet or NCSOFT and asks you for your password, do not tell them your password. Our Customer Support Team doesn’t need your password and an employee will never ask you for your password.
Trojan horses and Spyware: Don’t download software, open files, or open e-mail attachments from a source you aren’t 100% sure about. Malicious software can install a key-logger on your system to record and transmit your passwords.
E-mail security: Keep the e-mail address associated with your Guild Wars 2 account secure, just as you keep your Guild Wars 2 game account secure. Use a strong, unique password there too, one that you’ve never used and will never use anywhere else.
For more information about Account Security, including interesting insights into the root cause of account hacking incidents, please see Mike O’Brien’s blog post on account security.
For English-language samples of phishing e-mails, see this forum post.
For information on E-mail Authentication, please see this article.
For details of the Two-Factor (Mobile) Authentication system, please see this article.