1. #1

    NCSoft - Soft on Security?

    Hey All!

    Getting excited about GW2, I decided to try out GW1. I noticed something that has caused me to pause and think about the security that NCSoft will provide/provides.

    When creating my account, the password field would only allow a password of 8 to 13. While I fully understand the need for a minimum, the maximum has me concerned.

    Why are they limiting my password length? This is usually an indication that the password is not being hashed and stored.
    Anyone who has had an account care to offer some insight into any problems they have encountered?
    Last edited by Arcuss; 2011-09-27 at 12:11 PM.

  2. #2
    No issues what-so-ever with account security on my NCSoft account. CoX and GW1 accounts with no issues.

  3. #3
    Mif
    http://www.guildmag.com/gamescom-interview-series
    After having discovered the NCsoft and ArenaNet logos at the Vasco booth (a company offering secure login services) I grabbed my chance to get some confirmation. Randy confirmed that they have ‘lined up’ with Vasco to explore the various security options they have to offer. If and what kind of security measures they will eventually implement though are not yet determined.
    Vasco is the company that makes the Digipass, also known as the Blizzard authenticator.

  4. #4
    To be honest, I've played GW1 without any problems regarding support, security or the likes.
    However, when I played Aion, I have to admit they had the crappiest team ever on the support section.
    Nothing was done properly, tickets could take up to 2 weeks (not exaggerating). Sad story. They better have their sh** straight for GW2.

  5. #5
    Quote Originally Posted by Mif View Post
    http://www.guildmag.com/gamescom-interview-series
    Vasco is the company that makes the Digipass, also known as the Blizzard authenticator.
    The Digipass is also used by several banks for their account management. It's about as safe as you're gonna get.

    You ask for more? Then come, traveler, to the Whispering Deep, where only the mad walk.
    Raid Idea: The Whispering Deep and Ny'alotha

    Quote Originally Posted by Ihnasir View Post
    Umbra - you are a god.

  6. #6
    the limit isn't the problem i have...it's the fact that u can't use any special letters like "!" or "@" for your password...so pretty much u can only do crappy pw's like "SuPer1337lol" ><

  7. #7
    I thought GW1 had good security, same with Aion.

  8. #8
    Quote Originally Posted by Sundreamer View Post
    the limit isn't the problem i have...it's the fact that u can't use any special letters like "!" or "@" for your password...so pretty much u can only do crappy pw's like "SuPer1337lol" ><
    Assuming they're going alphanumeric, and strictly going by the English alphabet, you have 36 possibilities for each letter. With a password length of 8 to 13, that's 36^13 + 36^12 + 36^11 + 36^10 + 36^9 + 36^8 = 1.75 * 10^20 passwords.

    That's one-hundred trillion million passwords.

    You're not limited.

    EDIT: Corrected the magnitude of the number. Twice.
    Last edited by Umbra; 2011-09-28 at 02:02 PM.

  9. #9
    Quote Originally Posted by Umbra View Post
    Assuming they're going alphanumeric, and strictly going by the English alphabet, you have 36 possibilities for each letter. With a password length of 8 to 13, that's 36^13 + 36^12 + 36^11 + 36^10 + 36^9 + 36^8 = 1.75 * 10^20 passwords.

    That's one-hundred trillion million passwords.

    You're not limited.

    EDIT: Corrected the magnitude of the number. Twice.
    The problem with that analysis is that no one will create a purely random password (outside my sysadmin). Which means that dictionary attacks are a very valid approach against such a system. Also note that when talking about password strength you need to talk about its entropy (Wikipedia has a fairly decent article on it).

    At the same time, most people do not use special chars anyway unless forced for passwords.

  10. #10
    jvbastel
    Quote Originally Posted by Tutorial View Post
    To be honest, I've played GW1 without any problems regarding support, security or the likes.
    However, when I played Aion, I have to admit they had the crappiest team ever on the support section.
    Nothing was done properly, tickets could take up to 2 weeks (not exaggerating). Sad story. They better have their sh** straight for GW2.
    I've played GW for about 5 years myself, and never had any problems with support either; however, I never once had to contact support.
    Monk, I need a monk!!!

  11. #11
    Deleted
    Played GW1 since it came out, I've never had any problem with my account, I've never had a problem with my NCSoft master account either.

    You can use different passwords on your GW account and NCSoft account, so even if your GW2 account got hacked, they can't get your master account.

    I've very rarely heard of GW accounts being hacked, compared to WoW.

  12. #12
    Quote Originally Posted by Onos View Post
    The problem with that analysis is that no one will create a purely random password (outside my sysadmin). Which means that dictionary attacks are a very valid approach against such a system. Also note that when talking about password strength you need to talk about its entropy (Wikipedia has a fairly decent article on it).
    Then that's the person limiting themselves - not the system. My problem was that the person blamed the game for "limiting" them to alphanumeric characters.

  13. #13
    Quote Originally Posted by Sundreamer View Post
    the limit isn't the problem i have...it's the fact that u can't use any special letters like "!" or "@" for your password...so pretty much u can only do crappy pw's like "SuPer1337lol" ><

    Well, that pw's pretty crappy just due to using words. Even with numbers replacing letters that's not very safe. A jumbled mixture of nonsensical numbers and letters in alternating caps is fine.

  14. #14
    Mif
    Quote Originally Posted by Onos View Post
    dictionary attacks are a very valid approach
    As someone who has stolen many a neighbour's wifi with dictionary attacks, the best way to defend yourself is to put a Z at the start of your password.

  15. #15
    When my GW1 account was hacked a month ago (not blaming ANet, my own fault), I emailed the customer support for restoration of my items. The GM who contacted me didn't say "no, we cannot restore your items" but instead said "no, we are not capable of restoring your items". That scares me.

  16. #16
    Deleted
    Quote Originally Posted by zaoly View Post
    When my GW1 account was hacked a month ago (not blaming ANet, my own fault), I emailed the customer support for restoration of my items. The GM who contacted me didn't say "no, we cannot restore your items" but instead said "no, we are not capable of restoring your items". That scares me.
    Why exactly? What has items not getting restored got to do with being scared about security?

  17. #17
    Quote Originally Posted by Onos View Post
    The problem with that analysis is that no one will create a purely random password (outside my sysadmin). Which means that dictionary attacks are a very valid approach against such a system. Also note that when talking about password strength you need to talk about its entropy (Wikipedia has a fairly decent article on it).
    That's a personal problem that many people have, but not all. For my secure passwords I have the computer generate large random strings, normally on the order of 200 characters long, limited to the available valid characters for the desired password system. I then grab a random chunk of whatever length I need for the password somewhere out of that string. Frequently a bitch to type, but they are as secure as you can get with a password of N length. Also, maximum entropy is not strictly an indicator of password strength. It makes it harder to type and remember for sure, but if you're looking at a brute force attack, ensuring you have at least one of every character type (upper/lower case, numbers, symbols) and password total length is just as if not more important. If you want a really good article and a practical demonstration of how difficult a password is to crack, I'd recommend the following site.
    https://www.grc.com/haystack.htm

    For the lazy: with just a password limited to 13 characters and only upper and lower case letters and numbers, you're looking at billions of years to brute force the password on any reasonable online style attack. Trying to crack the password offline at a hundred trillion guesses a second is still on the order of 64 years. This is with a brute force attack only; if you make a password vulnerable to a dictionary attack you're screwed either way.

    Who is John Galt?
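
Added example (not part of any post above): the search-space figures quoted in posts #8 and #17, recomputed, next to the effective space of a word-digits-word password of the kind post #9 warns about. The word-list size and the number of capitalisation variants are assumptions chosen for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, min_len, max_len):
    """Count every string over the alphabet with min_len..max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def pattern_space(slot_sizes):
    """Candidates for a structured password: product of the choices per slot."""
    return math.prod(slot_sizes)

def bits(space):
    """Size of a search space expressed as bits of entropy."""
    return math.log2(space)

# Post #8: 36 symbols (case-insensitive letters plus digits), length 8 to 13.
ALNUM_NOCASE = keyspace(36, 8, 13)
# Post #17: 62 symbols (upper, lower, digits), up to 13 characters,
# attacked offline at a hundred trillion guesses per second.
ALNUM_CASE = keyspace(62, 8, 13)
OFFLINE_RATE = 1e14

# Assumed model of a "SuPer1337lol"-style password: one dictionary word with
# a few capitalisation variants, four digits, then a second dictionary word.
WORDLIST_SIZE = 100_000   # assumption
CASE_VARIANTS = 4         # assumption
WORD_DIGITS_WORD = pattern_space(
    [WORDLIST_SIZE * CASE_VARIANTS, 10 ** 4, WORDLIST_SIZE]
)

if __name__ == "__main__":
    print(f"36-symbol, 8-13 chars : {ALNUM_NOCASE:.3e} passwords")
    print(f"62-symbol, 8-13 chars : "
          f"{years_to_exhaust(ALNUM_CASE, OFFLINE_RATE):.1f} years at 1e14/s")
    print(f"random 12 chars (62)  : {bits(62 ** 12):.1f} bits")
    print(f"word+digits+word      : {bits(WORD_DIGITS_WORD):.1f} bits, "
          f"{WORD_DIGITS_WORD / OFFLINE_RATE:.0f} s at 1e14/s")
```

Under these assumptions the 12-character patterned password carries about 48.5 bits against about 71.5 bits for 12 random alphanumerics, which is the gap between a policy's nominal keyspace and what users actually pick.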

  18. #18
    Quote Originally Posted by Pyre Fierceshot View Post
    Why exactly? What has items not getting restored got to do with being scared about security?
    They should expect that people will have their accounts compromised. Is it not reasonable to expect that they have some level of measure in place to better handle account compromise?
    Last edited by zaoly; 2011-09-28 at 06:16 PM.

  19. #19
    Blznsmri
    Quote Originally Posted by zaoly View Post
    When my GW1 account was hacked a month ago (not blaming ANet, my own fault), I emailed the customer support for restoration of my items. The GM who contacted me didn't say "no, we cannot restore your items" but instead said "no, we are not capable of restoring your items". That scares me.
    It's a database thing. In order to restore your items they'd have to roll back the entire database to before your items were merched/ destroyed.

  20. #20
    Deleted
    Quote Originally Posted by zaoly View Post
    They should expect that people will have their accounts compromised. Is it not reasonable to expect that they have some level of measure in place to better handle account compromise?
    Not really, Blizzard didn't use to do it, then they had it so you could only have 6 single items back, and only once. Now they're rolling in money so can afford any means necessary.

    Anet aren't as large a company and had very little resources for GW1.

    I've got more faith in account security with Anet than Blizzard.