  1. #1

    WoW Account Maximum Security Guide

    The more gold, items, achievements and general progression you gain for your characters in your World of Warcraft account, the higher you will value it. There is also another value that increases - the value it has on the black market, whether it's the entire account or just the gold within it. Account hackers, phishers and scammers get more advanced and innovative each day and in turn we need to ensure that we have maximum security for our accounts.


    My name is Sinshroud and I'm going to share with you some of the best security practices to keep your account safe! I have been playing World of Warcraft non-stop since Pre-BC, I have 2 accounts on US and 2 accounts on EU servers. I have over 1.5 million gold that I guard very closely. I've never been hacked. EVER. I don't even have an authenticator (although I do recommend it).



    Before we get started, the most basic form of protection for your account will be a proper password. There are various ways that your password can be obtained and your account compromised. Some of the attacks are hit and miss random attacks sent to thousands of people, while others are more sinister and targeted attacks on your account specifically.


    • Guesswork / Common Sense Password Attacks - entering words or phrases that are directly related to you, or trying common password variations such as "sinshroudpassword", "ericwowpassword" or "password1234".
    • Bruteforce Password Attacks - this is when a computer runs an algorithm that tries every single possible number, letter or character combination until one works, such as "000", "001", "002" ... "009", "010", "011", "012" ... "019", "020", "021", "022" ... etc, or plain guesswork (such as entering your main character name or your real life credentials in various forms, or simply commonly used ones such as "sinshroudpassword", "ericwowpassword" or "password1234", etc).
    • Phishing Attacks - account thieves impersonate someone such as Blizzard and ask you to login on a fake site, which then gives them access to your account or installs a keylogger/virus on your computer. I will show you how to identify such attacks later on in this guide.
    • Keylogging or Virus Attacks - spyware, trojans, viruses and other malicious programs can install keyloggers on your computer which record your key strokes and capture your usernames and passwords. This is very dangerous because if they have access to your WoW account like this, there is a good chance they have access to your Facebook/Twitter/MySpace/Email/Work accounts for identity theft as well as your banking details. I will show you how to use a program such as KeePass to avoid needing to type in usernames and passwords ever again, making keyloggers ineffective against you.

    You can easily guard against both Guesswork / Common Sense Password Attacks and Bruteforce Password Attacks by having a password that follows good password practices and standards. Microsoft has a good example of How To Create Strong Passwords that the average computer user can apply and make use of without the inconvenience of needing to remember a 64 character hexadecimal password.


    • Always use a password that is eight characters or longer - the longer they are the longer a bruteforce attack will take to crack it.
    • Never use the same password for everything - if one of your passwords gets compromised you want to limit it to only that account. I will show you how to use KeePass to store and manage all of your different passwords.
    • Change your passwords often - this is something people always either forget to do, or purposely put off out of inconvenience. Just do it every couple of months.
    • Use a variety of characters in your passwords - letters, numbers, symbols, words, phrases.
    • Never include personal data in your passwords - don't include anything related to you such as your name, wife's name, school name, date of birth, ID/social security number, etc. Always keep it random and unrelated.


    You can use a site such as this to get a general idea of your Password Strength.


    For absolute maximum account security, as advised for WHM/cPanel/FTP/admin accounts or simply really paranoid individuals you can use a Random Password Generator to generate a decent but impossible to remember password. You could try combining a few of these randomly generated characters with the password created through Microsoft's method.




    Phishing is one of the most commonly used methods to steal WoW accounts. If you have been playing World of Warcraft for a significant length of time, chances are you have seen every phishing attempt in the book sent to you.


    The absolute best thing to do is to create a new email account with a trusted email host such as Google's Gmail.


    • Create the account using a username (also known as a "local-part") that is easy to remember, descriptive and unique. I usually include the word "wow" so that I can identify the account. E.G. "sinshroudwow@gmail.com".
    • Create the account using a password that is NOT THE SAME AS ANY OTHER PASSWORD OF YOURS. If you struggle to remember your passwords I will give you a few tips on this later on in this guide.
    • Change your Battle.net World of Warcraft login account username to this new email address that you have created.
    • Most importantly, NEVER use this email address for anything else. Not for MMO-Champion, not for The Consortium Forums, not for Elitist Jerks, not for Facebook, not for University or Work and definitely not for Buyquickgoldherewedontscamyou Gold Selling Sites.

    What you have effectively achieved with this is to make it impossible for you to receive phishing or spam email. The ONLY email you should ever get in this Email Account is from the real Blizzard Entertainment or from your Email Provider. If you ever receive email from somewhere else then you know you have been compromised. You might have a keylogger or virus on your computer that has provided spammers with your email address.



    Even if you follow my advice above, I highly recommend ALWAYS checking every email you ever receive for phishing attempts.

    Blizzard will ALWAYS greet you by your real name (or whatever name you made the account under). They will never just say "Hello" or "Dear Player", it will ALWAYS be "Dear Eric" or "Hello Eric" or just "Eric", etc. Account phishing is almost never a targeted attack, they won't be singling you out to attack, so scammers won't know any details about you.

    Blizzard will NEVER send you an email notifying you that they are "aware you are trying to sell/trade your personal World of Warcraft account" or anything similar. If there is a problem or suspected breach of their Terms of Service / End User License Agreement by you, they will simply lock, suspend or ban your account. If you receive an email about account disciplinary actions, simply try logging in in-game or visit Battle.net by manually typing it into your web browser.

    Scammers and Phishers will try to get you to follow a link to a fake website. They are impersonating the Blizzard website and when you login on that site they then have your login details. So ALWAYS check your links in the email. An easy way to do this is to hover over the link and look at your "Status bar" in your email client or web browser, usually found in the bottom left corner of the screen, and if it shows a different address or an address that isn't Blizzard's then it's a scam.


    As you can see when hovering over the email address "https://www.battle.net/account/support/password-verify.html" the scammers make use of Hyperlinking which allows a user to click on a text based link (which has been made to look like a URL). For example www.facebook.com will actually take you to Twitter because I hyperlinked it. The link they show you in the email wants to actually take you to a different place. Also note that they make the fake link look like it ends in "battle.net" but it actually ends in "-account.com".


    • Blizzard Entertainment will never ask you for your password (except at login screen harhar).
    • Phishing emails make urgent / high priority appeals to you about your account being under investigation. Real Blizzard will just notify you and move on.
    • Phishing emails that offer you stuff are usually too good to be true. If there is a giveaway or competition you will see it on the World of Warcraft homepage or announced on MMO-Champion and similar sites.
    • Check for spelling, typos and syntax errors, Blizzard very rarely make typos because they use a lot of macros and copy/paste answers and are also highly trained.
    • Here is an article for ensuring that your web browser's Phishing Filter is enabled.

    Here is Blizzard's guide to identifying Phishing Emails:








    Blizzard have an excellent analysis of real versus fake comparisons for both In-game Mail and In-game Whispers.






    With this step we are taking preparation for if you ever want to login to your World of Warcraft Battle.net Account online from someone else's computer. A scenario could be that you are out at a friend's and a guildy calls you to tell you that someone else is on your account who shouldn't be. You can quickly log onto your friend's computer to change your password - but how secure is their computer? You take one look at their browser and it looks like THIS - yikes!

    You should always be prepared and these days you can fit half your life on a flash drive attached to your keychain. Make sure a portable CLEAN web browser such as Firefox Portable Edition is one of them.



    Download the Portable KeePass Professional Edition ZIP Package found on the right; the reason for the portable version is that it does not require installation and you can put it on a flash drive. Same reason as above: you can login from elsewhere, but how secure is that computer?

    KeePass is actually very useful for managing all of your passwords (you should never use the same password for everything anyway). It stores all your passwords and can also auto-fill username/password fields in web browsers or allow you to copy and paste into in-game logins such as World of Warcraft.



    1. Extract the downloaded file onto a Flash Drive that you carry around everywhere on a keychain or something if possible.
    2. Run KeePass.exe Application and click File > New.
    3. Create the Password Database on the same Flash Drive (if you're not using a flash drive, put it in your C drive; you may need to close the program and run it as administrator to do this depending on your OS security settings) - you can name it something like "KeePass Database" or whatever you want.
    4. Enter a Master Password and click OK. You could have 20 different passwords but this is the ONLY one that you ever need to remember. It gives you access to all your other passwords. You can also use Key File / Provider or Windows User Account security (you can use all three), but for this guide I will only be using Master Password. Follow good password creation practices.
    5. Enter a Database Name. Call it KeePass Database or whatever you wish.

    You will now be taken back to the program and see 2 Sample Passwords already made which you can delete.


    1. Right click in the main window that has Title, User Name, Password and URL Columns in it and choose Add Entry.
    2. Enter a title to describe what the login details are for.
    3. Enter your username and password.
    4. If it's for a website then enter the URL for that website too.
    5. Add any notes that you want and click OK (perhaps a link to this guide for future reference? :P).


    You will now see your saved Entry in the main window. Now all you need to do is:

    Right click the entry and choose URL(s) > Open, or just hit CTRL + U while you have the entry selected and it will open the website, in this case the World of Warcraft Battle.net website.


    Once you have the website open, right click the entry again and choose Perform Auto-Type, or just hit CTRL + V while you have the entry selected and it will automatically fill and submit your details. NOTE: Some sites such as the Battle.net site will require you to open the Login Dialog Box first (KeePass is smart though and sometimes it automatically finds those login boxes and will open it for you, but you will need to click Perform Auto-Type a second time to fill it in).


    CTRL + B while you have the entry selected will copy the Username, while CTRL + C will copy the password - so you can just copy and paste into your World of Warcraft in-game login screen too.

    Using KeePass will allow you to practice proper password security by having a variety of passwords for different websites and logins and also protect you from keyloggers when logging into websites and games.


    • Some keyloggers have the ability to check your clipboard/copy and paste data which can to an extent render KeePass useless but keep in mind that isn't the only security that KeePass is providing.
    • KeePass promotes proper security practices by using a variety of unique login details for various websites or accounts.
    • If your email login details, wow login details, computer login details, facebook login details and any other site or account login details are all unique and different from each other, you immediately reduce the chance of account compromise drastically.
    • Instead of a hacker only needing to somehow obtain 1 of your many identical passwords (through identity theft, impersonation, guessing, bruteforce, etc) to gain access to all of your accounts, they are now limited to that specific account only. If they compromise your facebook account then they only have access to that account instead of access to everything else too.
    • Remember KeePass offers up to 3 different combinations of security access to your password vault, Password authentication, Key File authentication and Windows User Account authentication - meaning even if they obtain your master password they still won't have access without the other 2.

    KeePass also provides a feature called Two-Channel AutoType Obfuscation where it sends simulated keypresses to chosen programs at the same time and keyloggers cannot determine the difference between simulated keypresses and actual keypresses that contain your username and password.




    World of Warcraft is a game with an enormous amount of customization available in terms of addons and UI packages. We as gold makers make particularly good use of these resources to enhance our game play and get an edge over our competitors. I use Curse for all my Addon Download needs, and very occasionally WoWInterface. I've never had any problems with either of them; account compromise through addons is VERY rare and usually found and reported immediately.

    You can view my thread on How To Install An Addon if you are new to using them.

    The only real tips I can give you for account security via addons is always download only from a trusted source such as Curse, never download, install or run executable addon files, never pay money for addons (it's against Blizzard's ToS/EULA anyways) and always only use addons that you have downloaded yourself.

    I would highly recommend storing your addons on your Flash Drive too, or perhaps even using DropBox to store your addons so that you can access them any time from another computer. Come to think of it you could use DropBox to store KeePass databases and the program itself too. Here is a nice guide for using DropBox, otherwise just follow the tutorials on their site which are adequate too.




    • Don't open ANY attachments in emails (unless it's work related and you're 100% sure it's safe). Tell the person to send it over MSN or something, but an email address can always be faked.
    • Don't click any odd and/or unknown links sent per whisper, in trade, IRC, forums, or what ever. Don't know the person; don't trust the person.
    • You aren't banned (or being investigated) unless you get the "your account has been suspended" when trying to login. Don't trust any emails saying otherwise.
    • You aren't invited for <new game/new expansion> Alpha/BETA before the testing start has been announced on either MMO-Champion or another Blizzard fan site.
    • Use an up-to-date browser. I would recommend Firefox with AdBlockPlus (ads can be used to infiltrate usually safe websites, as happened with World of Raids a long time ago).
    • Update Windows and do a virus scan once every 5 weeks or so (more often is of course preferred).
    • Don't share your login information with anyone. A very common tip, but people still do it to get around the queue or something like that. My advice: just don't do it. To skip the queue you could use TeamViewer or LogMeIn yourself.
    • Don't buy power leveling services. Again: don't share your account information.
    • Don't buy gold, or rent your account to gold farmers. Same as above.
    • Don't install bots or other cheating applications. Keyloggers can be in anything.
    • Use your common sense - train yourself to detect bad links and emails so not opening them becomes a nobrainer.

    I don't know how many times we need to say this, but NEVER EVER SHARE YOUR ACCOUNT DETAILS. I don't care if it's your real life friend of 20 years, your uncle or your wife. People often scoff and say that that person will never do anything, but you know what? If they are going to be logging in on a computer that isn't yours, and they haven't followed this guide here accurately then your chance of account compromise has just been raised a huge amount. Key loggers, phishing attempts, viruses, malicious addons and malicious websites that someone else's computer may have been exposed to puts your account at risk.




    Lastly but certainly not least, the World of Warcraft Authenticator! A vital component to your maximum account security system. You can buy them from Blizzard, you can buy them from eBay, you can buy the mobile version on your iPhone and similar, and there are a few computer emulator ones floating around the net too.



    To finish off we will look at some of the procedures to regain control of your account and recover any lost items, gold and characters in case your account does indeed get compromised or you wish to assist a friend who has suffered such a fate.

    Blizzard have created an excellent series of Customer Support Videos on YouTube including a What to do after being hacked help video.


    The Chapters that it covers are:



    A wealth of information and links about Anti-Viruses, Account Security, How to Request In-Game Support, Contact Billing and Account Services and other Support Articles for both US and EU players can be found in the video information.

    Author: Sinshroud.
    Contributors: Zero and Blizzard Entertainment's Types of Account Thefts Security Page.


    This guide was originally written by me for The Consortium Forums but since it's the kind of guide that everyone can benefit from and we don't want to be selfish I figured I would post it here too. In the end we want to raise awareness and help combat the increasingly alarming rate of account compromise and theft that is taking place.

    The Consortium Forums main and initial focus is on legitimate gold making and wealth accumulation in World of Warcraft. We promote gold making as a fun, educational and constructive activity and highly disapprove of and discourage buying gold or cheating in any way in the game that we love so much.

    Also found on MMO-Champion is our:

    We also have a Quality Guides Section on our forums that contains other well-written and informative guides, mostly focusing on making gold.
    Last edited by Sinshroud; 2012-01-06 at 01:14 PM.

    Moderator and contributor for The Consortium, a legitimate gold making discussion community that is also the home base for the TradeSkillMaster addon, and The Undermine Journal and WoWuction Web Applications.
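The password rules in the guide above (eight characters or longer, no personal data, a mix of character classes, nothing off the common-password list) as a small audit script, with the brute-force time estimate the guide talks about. This is an added Python example written for this page, not a tool from the guide or from Blizzard; the personal-token list, the common-password list and the 10^10 guesses-per-second cracking rate are constructed assumptions, and the time estimate is a worst case against an exhaustive search only, so a dictionary word with numbers appended is far weaker than the number suggests.

```python
import re
import string

# Constructed sample data for this illustration; adjust the tokens to your own
# names and characters. The cracking rate is an assumed offline figure.
PERSONAL_TOKENS = ["sinshroud", "eric", "wow", "warcraft"]
COMMON_PASSWORDS = {"password", "password1234", "123456", "qwerty", "letmein"}
GUESSES_PER_SECOND = 10 ** 10


def character_classes(pw):
    """Count how many of lower / upper / digit / symbol the password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def keyspace(pw):
    """Size of the alphabet a brute-forcer must cover to reach this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_seconds(pw):
    """Worst-case seconds to enumerate every string of this length and alphabet."""
    return keyspace(pw) ** len(pw) / GUESSES_PER_SECOND


def audit(pw, personal=PERSONAL_TOKENS):
    """Apply the guide's rules; return (ok, list of problems found)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for token in personal:
        if token in lowered:
            problems.append(f"contains personal token {token!r}")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        problems.append("dictionary word followed by a short number")
    if re.search(r"(?:19|20)\d\d", pw):
        problems.append("contains a year")
    if character_classes(pw) < 3:
        problems.append("uses fewer than 3 character classes")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("password1234", "ericwowpassword", "k7#Qz!m2Wp$vL9",
                      "correcthorsebatterystaple"):
        ok, problems = audit(candidate)
        print(f"{candidate!r}: ok={ok} brute-force~{brute_force_seconds(candidate):.3g}s "
              f"{problems}")
```

Compare the estimate for the 25-character all-lowercase passphrase with the 14-character mixed one: length dominates, which is why "eight or longer" is a floor and not a target. The audit still flags the passphrase for using a single character class; treat that rule as a guard against short passwords, not a reason to shorten a long one.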
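The hover-over-the-link check from the phishing section above, done in code: compare the visible link text with the real href, check the registrable domain of the sender and of every link, and look for a generic greeting and urgent wording. This is an added Python example, not part of Sinshroud's guide and not from Blizzard; the trusted-domain set, the urgency keywords and both sample messages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of domains the guide treats as Blizzard's own.
TRUSTED_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}
# Assumed phrases typical of "your account is under investigation" mails.
URGENCY = re.compile(r"within \d+ hours|immediately|suspended|investigation|verify now", re.I)


def registrable_domain(host):
    """Last two labels: 'www.battle.net-account.com' -> 'net-account.com'.
    Approximation only; use the public suffix list for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_host(url):
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


class BodyParser(HTMLParser):
    """Collect the text chunks of an HTML body and (href, visible text) per <a>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(data.strip())
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(sender, body_html, real_name):
    """Return the phishing indicators found in one message ([] = nothing found)."""
    findings = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not trusted")
    parser = BodyParser()
    parser.feed(body_html)
    greeting = parser.chunks[0] if parser.chunks else ""
    if real_name.lower() not in greeting.lower():
        findings.append(f"generic greeting {greeting!r} instead of your name")
    if URGENCY.search(body_html):
        findings.append("urgent or threatening wording")
    for href, text in parser.links:
        target = url_host(href)
        if registrable_domain(target) not in TRUSTED_DOMAINS:
            findings.append(f"link goes to untrusted host {target}")
        # Visible text that looks like a URL but the href points elsewhere.
        if re.match(r"https?://|www\.", text, re.I):
            shown = url_host(text)
            if registrable_domain(shown) != registrable_domain(target):
                findings.append(f"link text shows {shown} but the href goes to {target}")
    return findings


# Constructed sample messages for this example; not real emails.
PHISH_HTML = (
    "<p>Dear Player,</p><p>We are aware you are trying to sell your account. "
    "Verify now within 48 hours or it will be suspended: "
    '<a href="https://www.battle.net-account.com/login">'
    "https://www.battle.net/account/support/password-verify.html</a></p>"
)
LEGIT_HTML = (
    "<p>Hello Eric,</p><p>Your password was changed. "
    '<a href="https://www.battle.net/account/management/">Manage your account</a></p>'
)

if __name__ == "__main__":
    print(triage("support@battle.net-account.com", PHISH_HTML, "Eric"))
    print(triage("noreply@blizzard.com", LEGIT_HTML, "Eric"))
```

registrable_domain takes the last two labels, which is enough to see that www.battle.net-account.com belongs to net-account.com, but it is wrong for domains such as example.co.uk; a real filter should use the public suffix list. The findings are indicators, not proof: a genuine notice can be urgent, and a phish can be polite and typo-free.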

  2. #2
    Lora
    Nicely done.

  3. #3
    Deleted
    Really nice and thorough guide. thanks

  4. #4
    I don't really see the point in that KeePass thing, assuming you don't log in anywhere else. I mean, you could just as easily write them down on a notepad without downloading a .exe for them all, and Copy/Pasting doesn't stop keyloggers either.

    Other than that, looks pretty nice. GJ.
    Last edited by Soisoisoi; 2012-01-05 at 01:12 PM.

  5. #5
    Bloodsail Admiral
    Nicely written. Combine this guide with Scott Hanselman's blog about computer security and you will never have to worry again.

    http://www.hanselman.com/blog/TenThi...rdashians.aspx

  7. #7
    Quote Originally Posted by Treelife View Post
    I don't really see the point in that KeePass thing, assuming you don't log in anywhere else. I mean, you could just as easily write them down on a notepad without downloading a .exe for them all, and Copy/Pasting doesn't stop keyloggers either.

    Other than that, looks pretty nice. GJ.
    KeePass is a very commonly used program and has a high reputation. KeePass has several advantages over using the old pen and paper method:
    • If you combine it with DropBox you can access your password vault while on the move and you always have a backup of it. Paper you would have to store in a wallet or somewhere which is an item highly targeted for theft.
    • KeePass has a 3 level security protection, whereas there isn't really any available form of protection for paper unless you carry around one of those personal diaries that teenage girls use to hide their personal love life crushes haha.
    • You can auto-fill or copy and paste logins which is much quicker than needing to type them in manually.

    While on the topic of copy and paste, it's true that some keyloggers are able to read clipboard or copy and paste data as I mentioned in my guide but it does protect your account from certain key loggers that can't read clipboard data.

    KeePass also provides a feature called Two-Channel AutoType Obfuscation where it sends simulated keypresses to other programs at the same time and keyloggers cannot determine the difference between simulated keypresses and actual keypresses that contain your username and password.

    Other than that thanks very much for the feedback so far everyone

    Moderator and contributor for The Consortium, a legitimate gold making discussion community that is also the home base for the TradeSkillMaster addon, and The Undermine Journal and WoWuction Web Applications.

  8. #8
    Nice guide, you should probably give credit to XKCD for that comic at the end though.

  9. #9
    Deleted
    Very nice!

  10. #10
    Deleted
    Quote Originally Posted by Sinshroud View Post
    KeePass is a very commonly used program and has a high reputation. KeePass has several advantages over using the old pen and paper method:
    • If you combine it with DropBox you can access your password vault while on the move and you always have a backup of it. Paper you would have to store in a wallet or somewhere which is an item highly targeted for theft.
    • KeePass has a 3 level security protection, whereas there isn't really any available form of protection for paper unless you carry around one of those personal diaries that teenage girls use to hide their personal love life crushes haha.
    • You can auto-fill or copy and paste logins which is much quicker than needing to type them in manually.

    While on the topic of copy and paste, it's true that some keyloggers are able to read clipboard or copy and paste data as I mentioned in my guide but it does protect your account from certain key loggers that can't read clipboard data.

    KeePass also provides a feature called Two-Channel AutoType Obfuscation where it sends simulated keypresses to other programs at the same time and keyloggers cannot determine the difference between simulated keypresses and actual keypresses that contain your username and password.

    Other than that thanks very much for the feedback so far everyone
    Also, hackers can get the "password of your passwords" but unless they have direct access to KeePass they have no use for it.
    Also, the fact that keyloggers (most of them at least) work by recording your "keyboard strokes" is defeated by KeePass because it does not use your keyboard when filling your password, so it will not be keylogged.

  11. #11
    Nice guide, but to make it more simple, skip everything and go to step 9.

  12. #12
    An awesome guide apart from one thing: the KeePass software trades one security risk (keylogger) for an even more basic security risk, a password in the clipboard.

    Been a while since I have looked into this but I don't think the clipboard has been made any more secure. Something that reads the clipboard is harder to detect than something with a keyboard hook.

    Not saying its bad but I would prefer to type. Otherwise a great guide, and if everyone followed it there would be significantly less hacked accounts.

    Edit: typing on the phone takes forever... Lol
    Last edited by Dietrik; 2012-01-05 at 01:43 PM.

  13. #13
    I didn't notice a script blocker for a web browser in this... am I just high or should that not be in there?

  14. #14
    Quote Originally Posted by Slanderize View Post
    I didn't notice a script blocker for a web browser in this... am I just high or should that not be in there?
    Agreed, it should be up there with AdBlockPlus as well; NoScript is awesome.
    Synit 110 - Orc Elemental Shaman [Active]

  15. #15
    Nice guide! May we have it stickied, pls?

    P.S. Please keep up the good work @ Consortium
    Quote Originally Posted by Aquamonkey View Post
    Hemet was behind Garrosh's escape and time travel just so he could hunt big game on old Draenor.

  16. #16
    Resentful
    This is well done OP, very nice Indeed. Someone sticky this!

  17. #17
    Quote Originally Posted by Friberg View Post
    Nice guide, but to make it more simple, skip everything and go to step 9.
    I wish people like you would stop spreading false information and make people feel absolutely safe when they really aren't.

    Authenticators are still vulnerable to Man in the Middle Attacks, Blizzard doesn't ship Authenticators to every country (e.g. I live in South Africa and they aren't sold here), not everyone has an iPhone or similar that allow for Authenticator Apps and some don't like to / don't know how to use the emulators.

    Besides most of this guide can also be applied to general computer security and numerous other online games.

    Believe it or not people DO still get hacked while using an Authenticator.
    Last edited by Sinshroud; 2012-01-05 at 01:52 PM.

    Moderator and contributor for The Consortium, a legitimate gold making discussion community that is also the home base for the TradeSkillMaster addon, and The Undermine Journal and WoWuction Web Applications.
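The man-in-the-middle point in this reply, shown with code. The Blizzard token's exact algorithm is not described on this page, so this added Python example (not from Sinshroud, Blizzard or any authenticator vendor) uses generic RFC 6238 TOTP with HMAC-SHA1, 30-second steps and the RFC's own test secret. It includes the used-code check a server should do and then shows why that check does not help against a phishing page that relays the live code.

```python
import hashlib
import hmac
import struct

# Assumption for this illustration: a standard RFC 6238 token (HMAC-SHA1,
# 30 s step). The RFC's published test secret is used so the vectors match.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """Code the token displays at Unix time `at`."""
    return hotp(secret, at // step, digits)


class Server:
    """Verifier that accepts the current step +/- `window` and never accepts a
    step at or below the last one that succeeded (the replay check RFC 6238
    section 5.2 asks for)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_used = -1

    def login(self, code, at):
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_used:
                continue  # already consumed: a straight replay is refused
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_used = candidate
                return True
        return False


def relay_attack(secret, victim_types_at, attacker_submits_at):
    """Phishing proxy: the victim types the live code into a fake login page at
    t1, the attacker forwards it to the real server at t2, and the victim then
    tries the same code on the real site. Returns (attacker_ok, victim_ok)."""
    server = Server(secret)
    code = totp(secret, victim_types_at)
    attacker_ok = server.login(code, attacker_submits_at)
    victim_ok = server.login(code, attacker_submits_at + 2)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))
    print("relay within the window:", relay_attack(RFC_TEST_SECRET, 59, 70))
    print("relay after the window: ", relay_attack(RFC_TEST_SECRET, 59, 130))
```

The server's last_used counter stops one code from being accepted twice, but in the relay the attacker's submission is the first use, so it is accepted and the victim's own attempt is the one that fails, which is exactly the "someone else is on your account" situation the guide describes. Narrowing the window only shrinks the attacker's time budget to the length of one step.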

  18. #18
    Deleted
    Step 2 doesn't work. I am under the belief that phishers somehow get access to Blizzard's user email database anyway. Step 5 is irrelevant if the computer you're using is not secure (bring a light linux distro on a usb drive if it's that important and you don't have a laptop/smartphone).
    Last edited by mmocca70d558a3; 2012-01-05 at 02:12 PM.

  19. #19
    kapowaz
    Great guide, and good advice to follow.

    I'll just add this: as an alternative to KeePass, there is also the excellent 1Password, which although not free is an excellent tool. In addition to having all the same features as KeePass (Dropbox-based sync, multi-platform clients) it also stores its encrypted password bundle as a local HTML web application. What this means is you open the folder up and load the index.html file within, you can use this as an interface to your encrypted passwords even when you don't have the client installed (the passwords are all still encrypted; it just uses JavaScript to interact with the file data).

    On top of that, you can use it to store all manner of other stuff securely (bank details, license keys for software, passport info) with arbitrary files attached (which also get scanned). For example I use it to keep a scan of my passport, which is peace of mind should I ever be unfortunate enough to lose it.

  20. #20
    Quote Originally Posted by emanresu View Post
    Step 2 doesn't work. Phishers somehow get access to Blizzard's user email database anyway, I am sure of it. Step 5 is irrelevant if the computer you're using is not secure (bring a light linux distro on a usb drive if it's that important and you don't have a laptop/smartphone).
    Would appreciate it if you could post some proof about phishers getting access to Blizzard's email DB before stating it. Besides, a phisher is someone who impersonates someone else, a company or an entity etc. to get a user to reveal their login details under a false sense of security. A hacker would be the one (if possible) gaining access to the DB.

    I've been using this method since Pre-BC and never received a spam/phishing email and never been hacked.

    I never claimed Step 5 to be foolproof. It's just an additional layer of security to try and reduce the chance of account compromise. Believe it or not, every bit helps. Using a portable web browser when logging in from someone else's PC removes the chance that their web browser has spyware, viruses or other security compromises in it. There is still a chance of the computer being at risk but the chance has just been lessened.
    Last edited by Sinshroud; 2012-01-05 at 02:00 PM.

    Moderator and contributor for The Consortium, a legitimate gold making discussion community that is also the home base for the TradeSkillMaster addon, and The Undermine Journal and WoWuction Web Applications.
