Is it too easy to reset the password?

#1 - Oct. 31, 2012, 5:46 a.m.
Blizzard Post

My account was hacked and has just been recovered thanks to the rapid response of the support team. I suspect that my email account is also hacked, so that someone now knows quite a lot of information about my account, such as the serial code, the last four digits of my credit card, etc.

Now, even if I changed my email address and passwords, I still feel unsafe since resetting my GW2 password only requires my email account, serial code and the name of one of my characters. Certainly, I can’t change my serial code nor my characters’ names. So if the hackers can hack into my email account again then they can reset my GW2 password.

Maybe I am too afraid after being hacked once, but I think the system should ask more secure questions and allow users to set up some security questions. I think security questions are quite common in many games or websites. Or can someone provide me with some suggestions about this situation?

Anyway, once again thank you for the immediate help from the support team.

#10 - Oct. 31, 2012, 10:34 a.m.
Blizzard Post

I am going to ask our Security Coordinator about this. I understand your concerns, and I think things are more secure than you understand, but I’ll see if he can share some info on this and either he or I will post to get you up to date.

#11 - Oct. 31, 2012, 11:42 a.m.
Blizzard Post

Account recovery requires us to strike a difficult balance.

We need to ask for information that you know, but only you should know; the easier those questions are to answer, the less secure the recovery process. However, the harder those questions are to answer, the less likely that our players will be able to actually reclaim their own accounts through that mechanism.

Obviously we want to protect accounts as much as possible, but we also have another real concern to manage, which is helping players get back into the game as quickly as possible. Account recovery has been carefully designed to be generally secure (in terms of the questions it asks) while still being effective for as many players as we can help.

The combination of serial code and character name has proven to be a very effective balance for meeting these requirements. Keep in mind that unless you are being very selectively targeted by an attacker, the odds of them knowing your character names and serial code are extremely small. Account recovery is secure in the face of anonymous mass attacks based on stolen password databases and so on.

At some point we have to draw the line. There is no conceivable set of hoops to make you jump through in account recovery that could not be compromised by a suitably dedicated attacker. The fact is that protecting your account is a cooperative effort – we are happy to do everything we can, but there are also steps that individuals need to take to protect themselves.

Securing your email address with a unique password is a good first step. (And I don’t mean just “password123” instead of “password” – something totally unrelated to your other passwords is a good idea.)