GW2 Account Security

#1 - Oct. 26, 2012, 10:12 a.m.
Blizzard Post

I have some feedback on account security, after seeing the numerous hacks and account takeovers here, and seeing my husband’s account get an attempted login from Japan.

1) GW2 password requirements are lax. I had to dumb down my fairly secure password to match the password requirements. If anything, it should be the other way around. Complex, secure passwords with a minimum character length should be encouraged, not unsupported.
2) Using an email address as a login is clearly causing security issues. Many users seem to be using the same password for their email service as they do for GW2, making it a breeze for account hackers. The authentication login emails are pointless if hackers have access to those as well. If email addresses continue to be the required login username, there needs to be a user reminder to use completely different passwords for their email login. Ideally the email address login requirement would give way to using our GW2 account ID (i.e., ciannait.1945) to obfuscate the email address of the user if email continues to be used for approving new authentication attempts.
3) Mobile authenticator. At the moment, users are being actively discouraged from using the authenticator, due to bugginess and frequent disconnects. This makes me incredibly nervous.
4) Stored credit card info. With the ease of gaining access to accounts, given the above points, I believe credit cards should not be able to be stored for BLTP access. I’ve seen enough reports of unauthorized account access and then unauthorized gem purchases that I refuse to store my CC info (even with an authenticator) until I feel Arenanet steps up to do more to protect users’ info.
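Point 1 above describes a password policy that forces users to shorten and simplify a strong passphrase. The following is an added illustration, not code from the thread or from ArenaNet: two hypothetical policy checkers (a constructed "lax" one with a 12-character cap and a restricted symbol set, and a length-first one with a minimum of 12 characters and a small constructed deny-list standing in for a breached-password corpus) run over the same candidate passwords to show which inputs each one turns away. The policy limits and the deny-list are assumptions chosen for the demonstration.

```python
import re

# Hypothetical "lax" policy of the kind the post complains about: caps length at
# 12 and allows only a few symbols, so a long passphrase must be cut down to pass.
LAX_MIN_LEN = 6
LAX_MAX_LEN = 12
LAX_ALLOWED = re.compile(r"^[A-Za-z0-9!@#]*$")

def lax_policy_accepts(pw: str) -> bool:
    """True if the password fits the constructed lax policy."""
    return LAX_MIN_LEN <= len(pw) <= LAX_MAX_LEN and bool(LAX_ALLOWED.match(pw))

# Constructed deny-list; a real deployment would check against a breached-password
# corpus instead of a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "guildwars"}

def strong_policy_accepts(pw: str, *, min_len: int = 12, max_len: int = 128) -> bool:
    """Length-first policy: any printable character is allowed, there are no
    composition rules, and only too-short, too-long or known-common passwords
    are rejected. The bounds are assumptions for this example."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    return True

def compare(candidates):
    """Map each candidate to (lax_accepts, strong_accepts) so the two policies
    can be read side by side."""
    return {pw: (lax_policy_accepts(pw), strong_policy_accepts(pw)) for pw in candidates}

# Constructed sample inputs.
SAMPLE = [
    "correct horse battery staple!",  # 29-char passphrase: lax rejects (too long), strong accepts
    "Tr0ub4dor&3",                    # 11 chars with '&': lax rejects the symbol, strong rejects the length
    "guildwars",                      # lax accepts; strong rejects (too short, and on the deny-list)
    "Abc123!@",                       # fits the lax policy exactly; strong rejects as too short
]

if __name__ == "__main__":
    for pw, (lax_ok, strong_ok) in compare(SAMPLE).items():
        print(f"{pw!r:34} lax={lax_ok!s:5} strong={strong_ok}")
```

The contrast is the one the post is making: the lax checker admits short passwords that fit its character whitelist while turning away the long passphrase, whereas the length-first checker does the reverse.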

#2 - Oct. 26, 2012, 11:01 a.m.
Blizzard Post

Please read Mike O’Brien’s article on account security to answer many of the concerns that you have addressed.

Also, please know that players have the capacity to remove their CC details — retention is optional.