
  1. #1 (KisaiTenshi)
    Quote Originally Posted by Sigma-Astra View Post
    I want to add on that in this day and age, lots of people just don't make good passwords in general. Passwords should be longer than five characters with uppercase, lowercase, numbers, and symbols in them. My password for the game is at least 11 characters long with a combination of various things; it's also nothing that could be easily guessed, even by people who know me well enough, but, like above, what the OP said.

    I also use a One-Time-Password via my cellphone as well as an extra security measure, because it still is possible that hackers could crack my password with the tools that they have available.
    Don't bother with making an overly complex password, just make something you can remember unique to this game.


    The OTP is your insurance against someone being able to replay-attack/keylogging. Also do not use an Android emulator for your OTP on the same machine. Buy an authenticator if you're unwilling to put the authenticator software on your personal cell phone or tablet. OTP doesn't protect against session jacking.

    Now you might ask... wait, why can my account get jacked anyway?

    Yes. MMOs can be jacked several ways:

    1) Username and password jacked by brute force (which is usually not done) by emulating the launcher.
    2) Username and password jacked by password reuse.
    3) Username and password jacked by keylogging/malware hooking the keyboard API.
    4) Session jacked by unauthorized third-party software/mods (don't trust anything you cannot get the source code for and compile yourself).
    5) Session jacked by network replay attack (compromised browser plugins).
    6) Session jacked by shared proxy (players using VPNs).
    7) Account compromised by remote access tools (e.g. TeamViewer) on the system.

    Clearly the easiest is #2, and you shouldn't be reusing passwords in the first place.

    Of these, #4 is not that hard to pull off as it bypasses the username/password/OTP process by simulating the game launcher and passing along the session string while it's hooked into the process, while it secretly passes along that information to a third party. So you will probably find that people who report being hacked, were probably engaging in RMT, or modding, or used a third party tool for some reason and naively trusted a total stranger on the internet.

    Earlier on in V2.x a player reported to the forums that they couldn't log into the game, but I found them in the game, being an RMT spammer. So, people will deny they did anything wrong, even if they clearly did, and just want to save face.

    With #7, Teamviewer is often a vector by which accounts get stripped and deleted as well. If you used TeamViewer or other remote access tools to let someone "Borrow your account" or play remotely yourself, you are opening yourself up to a world of hurt if you don't uninstall the software immediately after you don't need it anymore.

    The only way to prevent all of the above is by requiring an OTP to log in/delete the character. If your game is idle and goes AFK, it should also request an OTP to come out of AFK mode. But it doesn't do that.


    Quote Originally Posted by wizisi2k View Post
    An OTP is good to have... until the day that you have to hand in your phone at the end of its 18-month lease. Then you HAVE to deactivate all 2-factor for any and all apps that use it on your phone. Once you have a new one, you gotta reset all your 2-factors. I got this coming up in September and my options are: do what I said (deactivate Steam's 2-factor, SE's, Uplay's) and risk compromise OR pay $216 to own the phone. Security token apps are only good if you have a smartphone too or want to spend more on them every few years. While it's possible to crack my account, I have proof of ownership to get it back.
    I actually use my iPad 3 for this. As it doesn't receive updates anymore from Apple, the only risk of "losing" the OTP generator is by losing the iPad or it being damaged. I didn't put it on my phone because SE's authenticator doesn't work through major OS updates, and the phone tends to update automatically.
    Last edited by KisaiTenshi; 05-10-2018 at 03:40 PM.

  2. #2 (Mhaeric)
    Quote Originally Posted by KisaiTenshi View Post
    Four random common words
    This is what I do, with the addition of using a different set of four for every password I have (as long as the password requirements let me.) Even with the multiple accounts it's quite easy to remember them, and more importantly, to type them out.

  3. #3 (Sigma-Astra)
    Quote Originally Posted by KisaiTenshi View Post
    Don't bother with making an overly complex password, just make something you can remember unique to this game.
    You and Mhaeric are both correct that four random words is a good strategy for a password, but it's also suggested that you should still use uppercase, lowercase, numbers, and/or symbols with the four random words.

    My fiance works in the IT field specifically; these are things that he himself suggested to me from his knowledge in the field that he's been working in for at least 10 years. I've heard horror stories of passwords he'd find for a business server that hosts all of their emails when he was called in to fix a problem with it, and their server password was "12345". I think he facepalmed so hard and immediately corrected them, because that's a huge security problem for a business. xD

  4. #4 (KisaiTenshi)
    Quote Originally Posted by Sigma-Astra View Post
    You and Mhaeric are both correct that four random words is a good strategy for a password, but it's also suggested that you should still use uppercase, lowercase, numbers, and/or symbols with the four random words.

    My fiance works in the IT field specifically; these are things that he himself suggested to me from his knowledge in the field that he's been working in for at least 10 years. I've heard horror stories of passwords he'd find for a business server that hosts all of their emails when he was called in to fix a problem with it, and their server password was "12345". I think he facepalmed so hard and immediately corrected them, because that's a huge security problem for a business. xD
    The length and the type of characters are two different practices.

    If you are trying to prevent brute-force password cracking (e.g. a site gets hacked and their password hashes are downloaded) then all the cracker needs is time to crack a password, and in the case of Unix crypt, most systems only generate the password from the first 8 characters. So if you create a 32 character password, the hash only needs the first 8 characters, because really, the password is only the first 8 characters. So if you only have 8 characters of entropy, adding symbols, numbers and mixed-case letters increases the entropy.

    However most websites make arbitrary requirements like upper and lower case, at least one number and symbol and in fact lower the entropy by doing so. So instead of someone having a 32 character password phrase, they are forced to remember where they put those numbers and symbols, so to make the password checker happy you put those at the beginning or end.

    Now, preventing password reuse is an easily solved problem: you keep the old hashes (but increase the data breach risk) so the user doesn't keep switching between two favored passwords. However password reuse between different sites is not easily solved, and in fact the bad actors made it easy to prevent these passwords from being used. https://haveibeenpwned.com/ will tell you which sites you have accounts with that have had data breaches. If a site has its user/password hashes stolen, there is another concept called "rainbow tables" that can be used against non-salted or poorly-salted password hashes. By current estimates ANY 9 character password can be cracked in 4 days. https://www.betterbuys.com/estimatin...racking-times/ . So by current times, you only need a 12 character password; regardless of symbols, letters or numbers, it would still take 200 years to crack with a single PC. However current botnets could reduce this time significantly if an important target (e.g. celebrities, politicians, billionaires) is the target.



    But it also needs to be said that tools like LastPass/KeePass are solutions created because of crappy password rules enforcement, thus instead of the user creating passwords they can remember, they're forced to create passwords they will never know. It would make more sense to require users to create passwords that are minimally 12 characters in length, and to which one could easily "pad" their favorite reused password out to hit the entropy requirement (e.g. say your password was "ffxiv"; 5 characters is way too low, but you can pad it to "ilovetoplayffxiv", which is 16 characters, rather than trying to make "ffXIV14*" to meet the requirements, where the entropy is too low). That 8 character password can be cracked in 5-10 hours, versus the 16 character password which would take 91 millennia.

    As an example using the Apple password manager, I created an account for my parents when they drove through a toll plaza, as we were going through it. The iPhone created a password at that time and I didn't write it down. So when my dad asked for it, I was able to pull it off... the iMac. Because the passwords on the device have to be decryptable, anyone who has access to the machine can see your passwords. So if you use password managers, don't share your computer; store the encrypted password file on a USB stick or on the cell phone memory that is only visible after being unlocked.

    The reason "cloud" password managers are bad, has more to do with relying on third parties to stay in business and not be blocked in certain countries. If you're crossing the border (eg into or out of the US as an example) you want to make sure that anyone who inspects the device can not simply turn on the WiFi and access your cloud services if you're forced to unlock it. Hence my comment about not saving banking or your email passwords on the device.
    Last edited by KisaiTenshi; 05-11-2018 at 04:28 PM.
