So Recently ArenaNet Posted an article about account security here. What a joke. The article in of itself isn’t a joke in what he is saying. What he is saying is something you should actually take into consideration. Plus, it has an XKCD comic as one of the examples. What’s not to love? No the joke is that this article is a punchline in my fight with NCSoft and Account Security.
A couple years ago I had one of the biggest shocks of my life. My first account hack ever. And it happened to be on an account I had through NCSoft. I believe the account was an Aion Account and I lost pretty much everything. Understandably, I was pissed, infuriated, and had in-fact added NCSoft to my Shit list. I was blaming NCSoft even though I should have taken most of the blame. Why was I blaming NCSoft? Let me explain.
When I first got on the internet as a young teen and started frequenting websites, I was already familiar with the Password routines that Companies employ here in Denver back around 2003. This was because I went to a High School that had a Corporate work study program, and roughly once a week I worked at an actual office, which helped to pay tuition.
Starting out on the internet I started using passwords that I had originally had at those companies because they were a pain in the ass to memorize and hey, I already them memorized right? As I ventured out into the internet I made blunders and missteps like other people. Because of those blunders I eventually decided on a password system that would allow me to have variable passwords for each website, while being able to memorize each password without it being really hard.
At this time (Several years later, around ’05) I had begun playing MMO’s and other various games. I ran across this nifty little game called Guild Wars. Awesome! They had a master account at NCSoft and you could group all your games together! I was digging the company except for one problem.
NCSoft had Password “restrictions”. Passwords not to exceed N length (I can’t remember the length at the time. I think it was something like 6 or 10 characters), Passwords MUST start with a letter, and no symbols allowed.
What. The. Fuck.
I mean, seriously? What were they trying to do, save disk space on their databases or processing power when hashing? Were they even hashing the passwords? Hell, I don’t know. And I’ll never know (Unless someone at NCSoft would care to explain?). Hell, I probably wouldn’t understand anyways. My password system required me to use a number at the beginning of the password and I was using symbols. I thought to myself, “Why should I have to go out of my way, to change how I create passwords on the fly for websites and services, just because NCSoft wants to restrict what kind of passwords were used?”. And so I didn’t. I used one of my old work passwords that I had already rotated out of service for fear of getting hacked with it. And thus, I made my first grave mistake.
Years later when I would first picked up Aion, NCSoft was still employing the same password requirements and I decided to use that old work password. Thus, my downfall was complete. Not even a month after I had stopped playing my account was hacked (The password was probably lifted from some phishing site years earlier) and used to sell gold in game.
After countless wasted hours (Both on NCSoft and my end) in recovering the account, I swore off any NCSoft title as long as it restricted me in the password department. I even wrote several tickets into the NCSoft TM’s complaining about how they handled passwords, in the vain hope they would change their security requirements. I wanted to blame NCSoft but the truth is I only have myself to blame. But I have to ask myself this question, would I have been in a position of even considering my old password if there hadn’t been any restrictions on passwords? And the answer is No, I wouldn’t have. And so I like to blame NCSoft.
Since then I’ve had my Windows Live account hacked (And subsequently my XboxLive account) and it still burns like when my Aion account got hacked, if only more so since I had roughly $250 stolen out of my checking account that was linked through my check card on XBL. But that’s an entirely different matter.
Since then, I’ve already started using Ultra unique passwords for each important account I own. I’ve manned up and realized the only person I really have to blame is myself for using passwords I consider insecure.
tl;dr
But the Punchline here is when ArenaNet talks about security, when their parent company obviously has no idea what it’s doing when it comes to the account security, I laugh. I laugh so hard I cry.
So, My hats off to you ArenaNet for understanding you can’t restrict passwords in length or characters used. Next time your in the development department at NCSoft, Give them a shout out for me about your article, will you?