---

Current talk page!

Archive #1
Archive #2

Generic announcements

Is it just me, or are we not getting them anymore? When there's no weekly event announcement, the right-hand announcement box doesn't even show up at all for me, only the login box on the left. RoseOfKali 16:28, 12 August 2009 (UTC)

I haven't been getting them anymore either, for a while now actually. 72.220.143.224 07:20, 17 August 2009 (UTC)

I haven't seen any for at least a month now. If they are gone indeed, then the whole section should be put into a separate archive. RoseOfKali 18:45, 17 August 2009 (UTC)

Hmmm I am still getting them,atm I have the "I have a new key" Generic announcement and I am quite sure they never dissappeared for me. ***EAGLEMUT*** TALK 02:13, 18 August 2009 (UTC)Contributions

i'm with the rose, haven't gotten it in quite a while, but if he's still getting them... hmm...Akbaroth 22:37, 26 August 2009 (UTC)

Most of them are gone, but the only one that is special is "I have a new key", some people get it some don't. — Balistic

double faction

Did anyone else notice that the faction was doubled for MQK HM runs?

So were the DSC ones average of 28k total per run (Talk to me) 20:14, October 6, 2009 (UTC)

November 19, 2009: Game Updated!

Anyone know why this was announced? It's not even a major update...or are they going to start announcing every time they update? Any ideas? The El33t 06:20, November 20, 2009 (UTC)

All releases are supposed to be announced on the official website. Sometimes, the text isn't updated until a few days afterwards. The first release today deserved special attention: The Waiting Game finally ended the wait. And later in the day, the second release fixed some widespread and noticeable bugs with the Friends server and disconnects.   — Tennessee Ernie Ford (TEF) 07:10, November 20, 2009 (UTC)

Please change your password today!

Today's login announcement is in red with the following text:

We are seeing hackers try to log into Guild Wars accounts using passwords stolen from other games and web sites. For your security, you should never use the same or a similar password for Guild Wars that you use for any other purpose. We strongly recommend that all Guild Wars players change their passwords immediately.

Not sure if this should be added to generic login announcements or an entry made somewhere else.Thorn17 15:48, December 16, 2009 (UTC)

Got it, thanks. It is pretty important, so we should probably let it go to the main page for now, at least until the Wintersday announcement starts. —Dr Ishmael 15:54, December 16, 2009 (UTC)

I hope Anet's happy. It'll take me weeks to memorize this new one. --Macros 18:24, December 16, 2009 (UTC)

Good call to highlight it.   — Tennessee Ernie Ford (TEF) 18:31, December 16, 2009 (UTC)

I got lamer'd because of that (using same password on GWG, here and ANet site). I changed all my important passwords now but yeah, GW is pretty much over for me because of it. Well, it was already pretty much done for me (nothing is new after 2200 hours) but this was the final nail. 173.177.49.49 04:46, December 17, 2009 (UTC)

Stay classy, 100 bit password generator. —Noman (talk | contribs) 23:02, December 17, 2009 (UTC)

Ty for heads up, but what caused this to start happening? I thought passwords were supposed to be secure? ShoganKiller 15:26, December 18, 2009 (UTC)

They still have to be. They just aren't that secure, and using the same password everywhere makes it easy for a hacker to access everything. Hack one weak spot, get the password and go freely. KeepAss KeePass is a useful tool to prevent this, but I don't think I can remember passwords that long :P --- -- (contribs) (talk) 15:32, December 18, 2009 (UTC)

That's the whole point of using KeePass, you don't have to remember them - just copy/paste from KeePass, or even better, use the AutoType feature. —Dr Ishmael 15:42, December 18, 2009 (UTC)

I just have a quick question, how are passwords stored on a website or a game server, w/e? are they actually there to be looked at (obviously protected) or what? ShoganKiller 15:52, December 18, 2009 (UTC)

They're usually stored as a value in a column in a database, most likely encrypted beyond our knowledge but now I'm not so sure how they maintain security on their database. 198.163.212.17 16:01, December 18, 2009 (UTC)

I don't know the specifics, but doesn't that require you to install KeePass everywhere just to access GW? --- -- (contribs) (talk) 16:12, December 18, 2009 (UTC)

Just save your KeePass database on a USB drive and take that with you. —Dr Ishmael 17:17, December 18, 2009 (UTC)

(Reset indent) I think it was Gaile who said that Anet staff cannot see the passwords stored for our accounts. She didn't go into details. RoseOfKali 18:49, December 18, 2009 (UTC)

A typical password storage system uses at least one level of encryption, so that the "password" stored on the database is unreadable. Some systems use two levels of encryption, some "salt" the password by prepending/appending (sometimes both) a string of random characters before encrypting it, etc. You have to know the exact encryption algorithm that was used in order to decrypt the password. Typical systems, though, never decrypt stored passwords — instead, to verify a submitted password, they encrypt it using the same algorithm and then check that against the stored, encrypted password. —Dr Ishmael 19:37, December 18, 2009 (UTC)

Recently some hacker broke into the site RockYou and stole their password database. This gave them user names with corresponding e-mail addresses and passwords for more than 30 million people. This would give them very good guesses to try if they wanted to get into accounts elsewhere, as if someone uses the same password on an account with the same user name or e-mail address on another site, the hacker has it sitting there and can guess it and get into your account. I'm guessing that this or a similar attack on another site is what precipitated the warning.

Normally stealing the password database wouldn't really be that bad. Standard practice is that stored passwords are hashed, so that only the hash of a password is stored, and not the original password. When you enter a password to log in, the game doesn't check your password against a database. Rather, it hashes your password and sees if it matches the stored hash, and if so, it lets you log in.

The point of this is that if someone steals the database, they only get the hashes, which don't do them much good. For example, if your password is "guildwars" (which I hope it isn't, as that's incredibly insecure) and it hashes to "#km#8CSgQ", then if someone stole the Guild Wars database, they'd see your account information together with the hash "#km#8CSgQ". If they tried to enter that to log in to the game and use your account, it would hash to something else, and be rejected by the system. Knowing the hash wouldn't give the hacker the original password.

For example, if passwords were integers, a system could take the password you enter, multiply by 3, subtract 7, and store the result of that. So if your password was 28, the system wouldn't store 28, but only the hash of it, which is 77. If a hacker got the hash and tried entering 77 as your password, it would hash to 224, which doesn't match the 77 stored in the database, and so it would be rejected by the system.

This would be a bad hash function, of course, as if someone knows the hash function and has your hash of 77, it's easy to add 7, divide by 3, and get back your original password of 28. Good hash functions are essentially impossible to reverse like that. For example, with passwords as numbers again, if you take the original password to the 48234943543rd power, divide by some large prime number, and store the remainder of the division operation as the hash, getting the hashes wouldn't quickly give access to the password, unless there were few enough possibilities that the hacker could get the password by brute force, i.e., trying things at random until he hits the right one.

The problem is that whoever designed the password system at RockYou was an idiot and didn't hash passwords. Rather, the site's database stored plaintext passwords, so the hacker who got the password file has the password of everyone who used the site. So basically, if you use (or have ever used) the site RockYou, you should assume that your password for that site is known to hackers--and the same password is still known to hackers on every other site you use it for. For a site like Wikia, that might not be such a big deal, but for sites like PayPal, with real money on the line (and real incentives for hackers to steal stuff), it could be a big problem, so you should change passwords immediately. Quizzical 20:27, December 18, 2009 (UTC)

I learned something today lol. Last question before I quit being the annoying talk page guy, how secure is something like KeePass? By that I mean, would it be possible for someone to extract passwords from the program, or how do I know the passwords I enter arn't being sent somewhere (I know you can look at the script, but I don't understand that stuff ShoganKiller 20:45, December 18, 2009 (UTC)

Even if you can't understand the code, other people can, and if there were anything suspicious in there it would've been discovered by now. KeePass doesn't send anything anywhere (there are programs for monitoring network activity you could use to verify that), it doesn't even install itself into Windows (yes, you can download an "installer" package, but all it does is extract the program files - no registry keys or system files or anything like that), and it creates a single key database file (.kdbx) where it keeps all your passwords. It uses a very strong 256-bit one-way hash encryption algorithm, and it can only be unlocked with the master password or keyfile that you provide when creating the database. If you use a strong enough master password, the sun will go nova before anyone could crack that encryption.

Summary: it's very secure. Just don't forget your master password. :P —Dr Ishmael 21:35, December 18, 2009 (UTC)

After reading that, I tried it out. I've been wary of such things in the past (I have the same fears as Shogan), but when it comes to stuff like this, I know Ishy knows what he's talking about. But I have one question: since it's open source, could the source code be used against it in any way? If so, I would think it would have happened by now, so I'm reasonably certain I already know the answer. --Macros 05:51, December 20, 2009 (UTC)

SHA-256 is a one-way hash algorithm, meaning it is, for all practical time frames, impossible to reverse-hash anything that's been hashed with it. It also uses a number of randomly-generated seeds/salts at different points of the encryption process, themselves seeded by a number of different system parameters (not just the commonly used system time). So even though it's open-source and a hacker can see exactly how everything was encrypted, it would still take somewhere in the billions of years of computer time to decrypt it without knowing the master password. They've got more info here, of course. —Dr Ishmael 15:31, December 20, 2009 (UTC)

Depending on the length of the password, it could be quicker to try passwords by brute force until you hit one that has the same hash. But no method for encrypting passwords can beat the rubber hose method: find someone who knows the password and beat him with a rubber hose until he gives it up. Quizzical 17:51, December 20, 2009 (UTC)

I also gave it a test, and I know it may be getting anoying and your going to stamp my head with "ITS SECURE", if you put it on a USB stick that you use a lot on different computers, is it any less secure? I mean, I know its secure no matter where it is, but I'm really interested in this stuff and I'm curious... lol ShoganKiller 19:00, December 20, 2009 (UTC)