Guild Wars 2 Status by ANet

[Modern Angel]

Remember that massive security breach NCSoft had several years ago, with special emphasis on hacking GW1 accounts? I have a theory they're just using that list of email addresses (which was a LOT, as I recall) to see what sticks.

[Amaron]

Remember that massive security breach NCSoft had several years ago, with special emphasis on hacking GW1 accounts? I have a theory they're just using that list of email addresses (which was a LOT, as I recall) to see what sticks.

They already said that's what's happening.   They're using that and breaches at Bethesda, Blizzard, etc.

[Venkman]

Status update noted in the launcher today but actually posted on the wiki yesterday:

[Chimpy]

It is simple, if you don't want to have a "list of emails from other games" be a vector for hacking to your game DON'T FUCKING USE EMAIL ADDRESSES AS ACCOUNT NAMES. It is really that fucking simple.

[Kageru]

It's been a bad idea since Blizzard started it.

[Sky]

It's been a bad idea since Blizzard started it.

As has so much.

I boggled when Trion Worlds changed over to email login; not having been a wowtard it was shockingly poor security. I should've known from whence it came.

[Chimpy]

Amazon was the first site I can remember that had your email be your account login, long before WoW came along.

Regardless of where it came from, it is a stupid idea and the inconvenience of how big a security hole it opens is much worse than the convenience gained for the consumer when they just use their email account.

[Quinton]

Amazon was the first site I can remember that had your email be your account login, long before WoW came along.

Regardless of where it came from, it is a stupid idea and the inconvenience of how big a security hole it opens is much worse than the convenience gained for the consumer when they just use their email account.

Unfortunately, forcing users to use a per-site login would not be a huge improvement.  The problem here is that many, many people will use the same credentials over and over again -- whether it be their email address or a username they like.  If one database of username+password is compromised (an online game, forum, whatever), using that set of credentials to attempt to login to similar things is a pretty obvious attack.

The biggest downside of using email addresses is that it gives you an immediate obvious target (the email provider -- gmail, hotmail, etc) which also happens to be the vector through which confirmation and verification flows.

[Nightblade]

The state of the game states that password resetting is disabled, yet I somehow received an unsolicited email from arena net stating "click here to reset password".

Guess I'd better change my password just to be safe >.>

[Sky]

The problem here is that many, many people will use the same credentials over and over again -- whether it be their email address or a username they like.  If one database of username+password is compromised (an online game, forum, whatever), using that set of credentials to attempt to login to similar things is a pretty obvious attack.

It would be an improvement without having to roll up a new email sub-account for every damned site, for fuck's sake.

And fuck lazy people, who cares about their security? I'm talking about at least making it better for somewhat responsible people.

And as you say, you're giving them the vector for backup avenues - at least with a simple user/pass database they wouldn't have the keys to verification. It's just a really dumb idea that has become mainstream and then IT people wonder why the experts are pulling out their hair over the state of security in the US.

[March]

Amazon was the first site I can remember that had your email be your account login, long before WoW came along.

Regardless of where it came from, it is a stupid idea and the inconvenience of how big a security hole it opens is much worse than the convenience gained for the consumer when they just use their email account.

Unfortunately, forcing users to use a per-site login would not be a huge improvement.  The problem here is that many, many people will use the same credentials over and over again -- whether it be their email address or a username they like.  If one database of username+password is compromised (an online game, forum, whatever), using that set of credentials to attempt to login to similar things is a pretty obvious attack.

The biggest downside of using email addresses is that it gives you an immediate obvious target (the email provider -- gmail, hotmail, etc) which also happens to be the vector through which confirmation and verification flows.

I take your point... but the bigger problem is that *everyone* is doing it... just looking at some of the many accounts I have, a Major Bank, a Major Pay hub, a Major Telephone Company, a major Entertainment provider, etc.  all use email for user name.  Like everyone else I have several "categories" of passwords... and the password +1 is a bitch over time.  I *used* to also have varying login credentials depending on the account type... but that is precisely the second variable that email takes away.

I've started using Lastpass to try to keep track of everything (until they get hacked)... but seriously between work, play, and financials, I want bio-security and to be done with it.

[KallDrexx]

Honestly, I saw no issue with emails as usernames until this.

[Quinton]

Check if your email provider maps username+something@example.com to username@example.com (gmail does this, and I believe a number of others do) -- use a unique "something" for each account you care about -- now you've made it much harder for somebody to guess your credentials elsewhere if they obtain them from one location.  Added bonus it makes it easier to filter mail from different entities and better track who is giving your address out to random mailing lists or whatnot.

[koro]

Check if your email provider maps username+something@example.com to username@example.com (gmail does this, and I believe a number of others do) -- use a unique "something" for each account you care about -- now you've made it much harder for somebody to guess your credentials elsewhere if they obtain them from one location.  Added bonus it makes it easier to filter mail from different entities and better track who is giving your address out to random mailing lists or whatnot.

I have no idea how you would even begin to do something like that with Gmail.

[Quinton]

You don't need to do anything.  If you have username@gmail.com, mail to username+blargh@gmail.com, etc will be delivered to your inbox.  No configuration required. 

[Lantyssa]

Wouldn't hackers know to just drop the +something for providers such as gmail?

[01101010]

You don't need to do anything.  If you have username@gmail.com, mail to username+blargh@gmail.com, etc will be delivered to your inbox.  No configuration required. 

I had no idea... Thanks for the tip. 

[DraconianOne]

Wouldn't hackers know to just drop the +something for providers such as gmail?

To email you, yes, but that wouldn't work to log in - provided GW2 let you use that format in the email field.

[Lantyssa]

I suppose it depends how they get your account info.  And if you're scrambling the +something with gibberish and using unique passwords, then it adds that much more protection.  If you're already going to those lengths, though, your password is probably already fairly safe due to good habits.

Still, I suppose that's easier than creating a unique e-mail address for each game and every little bit helps.

[Xuri]

Could you not run into customer support trouble if you're setting up your account to be "blah+something@gmail.com" while you're sending e-mails to customer support from "blah@gmail.com"? I.e. they would not match.

[DraconianOne]

Still, I suppose that's easier than creating a unique e-mail address for each game and every little bit helps.

Got home to a couple of emails from ArenaNet telling me that my password had been changed. Luckily they had gone to an email address that I don't use for games because I do exactly that - a unique email address for each game. It's surprising how little they get used or how little spam they receive.

[Sky]

Or you could just stop using fucking email addresses as usernames.

[Trippy]

Still, I suppose that's easier than creating a unique e-mail address for each game and every little bit helps.

Got home to a couple of emails from ArenaNet telling me that my password had been changed. Luckily they had gone to an email address that I don't use for games because I do exactly that - a unique email address for each game. It's surprising how little they get used or how little spam they receive.

And when they do get spammed you know which fuckers sold your email address to spammers (assuming you didn't make your address trivial to guess).

[Quinton]

Could you not run into customer support trouble if you're setting up your account to be "blah+something@gmail.com" while you're sending e-mails to customer support from "blah@gmail.com"? I.e. they would not match.

Settings / Accounts / Add another email address you own - then you can add blah+something@gmail.com and it'll be in the dropdown menu on the From: field when composing mail.  There's even a "Reply from same address" option there if you want to automatically make the From: address match (if possible) when replying.  You can use this to add addresses from other domains as well (provided you can receive email there to get the "is this really you?" confirmation from gmail).

[qoute author=Lantyssa]
Wouldn't hackers know to just drop the +something for providers such as gmail?
[/quote]

Yeah, it's easy enough to guess the gmail login from another account, but if you're going through the trouble to do this hopefully you're using a decent password and/or have setup two-factor authentication on your gmail account. 

[WayAbvPar]

In addition to the use of email addresses as user names- how did this game not launch with an authenticator system? That should have been part of the first infrastructure design meeting. It is so much easier now that smart phones are ubiquitous that not having one at launch is just 

[Venkman]

Press release: Re-opened direct sales and a new Our Time is Now* video commercial.

Kinda ok video. Was thinking I was watching a TSW spot by accident at first, but then got the WoW "I'm a Night Elf Mohawk" vibe by the middle of it.

* Videos on GW2 site not loading for me so this is to YouTube.

[Furiously]

I totally agree the first bit seems very secret worldy,

[Wasted]

That video is fucking horrible, there's two minutes of ludicrous crap before they even show the game.

[jlwilli5]

That video is fucking horrible, there's two minutes of ludicrous crap before they even show the game.

yep

[Modern Angel]

I hate those fucking commercials because they subtly rely on a pernicious stereotype, which is that you're equating your Self with your in-game character. From there, it just all gets gross.

[Genev]

Holy shit, that's one lousy video.
Cool dragon, though.

[Falconeer]

The guy girl with the gasmask is totally looking like an Illuminati kid in The Secret World. I wonder if they didn't do it on purpose. Which would be weird. But it's even weirder to think they didn't.

[Brogarn]

That was terrible.

[01101010]

I am sure it is fine for the target demographic. But yeah, my near-40 ass thought it cringe-worthy.

[Miasma]

That video is so terrible I find it hard to believe it is official.  That would have to have been shown to a roomful of senior people in the company before released and somehow those people would have had to say "Yeah that was good let's release it".  Maybe ncSoft made it and it's a cultural thing?

The guy girl with the gasmask is totally looking like an Illuminati kid in The Secret World. I wonder if they didn't do it on purpose. Which would be weird. But it's even weirder to think they didn't.

I think they were trying to go for some sort of weird connection to occupy wall street protestors not TSW.