10-17-09, 10:29 PM   #1
Bluspacecow
Giver of walls of text :)
Join Date: Dec 2006
Posts: 770
New Battle.net merge security tip: Disassociate your toon name from your email!

Oh dear I'm getting the writing bug again.

With the coming mandatory Battle.net merging there have been concerns raised over this possibly making it easier for a hacker to hack you.

IMHO Before they can hack your email address they need to of course know if there is a World of Warcraft account attached to that email address.

There are several things you can do to alleviate these concerns :

1) DISASSOCIATE YOUR TOON NAMES FROM YOUR EMAIL ADDRESS:

By making sure there is nothing out there on the interwebs linking your specific toon name to your email address, the hackers won't know if there is a World of Warcraft account attached to that email.

Many forum sites have an option to hide your email address from other members. Go to all of these and, wherever you've mentioned what your toon name is, make sure people can't get your email from there. Have a look at your profile and see if someone can click through to get your email (possibly do this while logged out).

On WoWInterface.com you can do this by going to:

http://www.wowinterface.com/forums/p...do=editoptions

and turning off Email options -> "Receive Email from Other Members". If they want you they can send you a PM, which gets sent to your email address anyway if you have the option "Receive Email Notification of New Private Messages".

2) CHANGE THE EMAIL ADDRESS MERGED TO YOUR BATTLE.NET ACCOUNT (IF ALREADY MERGED)

Go to Gmail.com or some reasonably secure email provider.

Get a new one from there just for WoW related stuff.

Next go to the Battle.net site and log in.

US will be https://us.battle.net, EU will be https://eu.battle.net. Other locales I'm not sure, but the use of https://battle.net should redirect you.

You should now be looking at the management screen.

There's a link there for "Changing your email address".

Change it there.

A verification email gets sent to you.

Don't forget to add this new email address into your email client in case you get emails from Blizzard in the future.

3) DON'T USE A HOTMAIL.COM, YAHOO.COM, MSN.COM OR LIVE.COM EMAIL.

They have been hacked in the past so I wouldn't trust them. I'm not one of those people who like to spread fear & uncertainty like this, but here's news of the most recent time they got hacked:

http://lifehacker.com/5374745/10000-...-leaked-online
http://www.neowin.net/news/main/09/1...-leaked-online

4) MAKE SURE YOU ARE USING A STRONG PASSWORD

http://www.wired.com/threatlevel/200...000-passwords/

The most common password is "123456".

C'mon people. Don't be silly gooses here. Don't use any of the common passwords in that link above. Don't make it "123456", or "password", or "letmein4", or anything in the dictionary, or anything that can be easily guessed.

Use a code phrase only you can remember about yourself. Don't base it on anything anyone out there on the interwebs can research, like your birthday or your kids' birthday or anything like that.

E.g. let's say you like dogs. Your personal favourite dog is shai peis. To make it something people can't guess, you use the phrase "myfavdogsisblueshaipeis".

Fairly long, fairly hard to guess, and in the middle of the alphabet to boot.

Let's make it slightly harder to guess. Let's replace some characters with numbers and easily remembered symbols:

myfavd0gs!$blu3$ha!p3!$

Really long, almost impossible to guess, and oh dear god I think I've gone a bit overboard here.

The point is the numbers you choose to replace the characters with should be things you can easily remember. E.g. replace all e's with 3's, or all 1's with !, s with $, etc. etc. etc.

The idea is to make it a password that's long, hard to guess, and really hard for a hacker to get at just by using your run of the mill dictionary attack. You also need to make it so you can reproduce it quickly and easily when you need to log in.

I was going to put something in here about Authenticators but I didn't want to imply you needed to go out and buy one to be considered secure.

If anyone wants to add more stuff about making your Battle.net account more secure, please feel free to do so.
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)

Last edited by Bluspacecow : 10-17-09 at 10:52 PM.
10-17-09, 11:09 PM   #2
wurmfood
A Flamescale Wyrmkin
Join Date: Apr 2009
Posts: 122
A couple things to note:

3) This is a problem because people are dumb, not because the site is insecure. These were gained from phishing (putting up a fake site and having people log in, the same way a lot of WoW accounts are hacked) and not by getting access to the service somehow. Trust me, it can't happen.

4) A strong password doesn't need to be terribly long. In fact, having something really long can be worse because it will make it more difficult for you to remember. Normally, 6 - 8 characters of mixed numbers, characters, and symbols is plenty. "177t"-ification of a word is a good plan, though.

The single best thing you can possibly do is get an authenticator. Two factor authentication will best just about any other means of protection.

Avoiding phishing attacks is also really simple. Before clicking a link you're not sure about, mouse over it. If you have the status bar turned on in your browser/mail client, you should see a URL down at the bottom. Check it. Make sure the domain part matches what is in the link you're hovering over. Also, double check the domain and make sure it's where you want to go. For example, if it's not blizzard.com or battle.net, you shouldn't be going there for anything having to do with your WoW account.
10-18-09, 02:16 AM   #3
Zyonin
Coffee powered Kaldorei
Join Date: May 2006
Posts: 1,443
Another thing when you change your Battle.net email and passwords: do it from a Linux LiveCD session. Linux LiveCDs are easy to get and use these days. Ubuntu will send you one free with the latest flavor, or you can download and burn it yourself.

In this way you will bypass any root-kitted malware (including keyloggers) and such that may be hiding on your system. This will help keep your account safe. I strongly recommend using this route to change your password if you suspect you have something lurking on your system or if you have accessed WoW/Battle.net from a PC you do not control (such as a cyber cafe or other public location).

In addition, a LiveCD is a great item in your toolbox in the event something goes wrong on your machine and you need to either recover files prior to an OS reinstall or take your machine to a tech.
__________________
Twitter
10-18-09, 02:22 AM   #4
Bluspacecow
Giver of walls of text :)
Join Date: Dec 2006
Posts: 770
Originally Posted by Lykofos:
Another thing when you change your Battle.net email and passwords: do it from a Linux LiveCD session. Linux LiveCDs are easy to get and use these days. Ubuntu will send you one free with the latest flavor, or you can download and burn it yourself.
Wish I could find a LiveCD that works for a Mac.

You must find one for me.

Also keep the tips coming guys.

I know some of us may feel a bit funny about merging our Battle.net accounts. The thing is, it's going to happen anyway; they warned us about this at the last BlizzCon we had.

The least we can do is keep sharing account security tips.
10-18-09, 05:07 AM   #5
Zyonin
Coffee powered Kaldorei
Join Date: May 2006
Posts: 1,443
Originally Posted by Bluspacecow:
Wish I could find a LiveCD that works for a Mac.

You must find one for me.

Also keep the tips coming guys.

I know some of us may feel a bit funny about merging our Battle.net accounts. The thing is, it's going to happen anyway; they warned us about this at the last BlizzCon we had.

The least we can do is keep sharing account security tips.
Generally OS X and Linux systems will not have issues with most malware due to the inherent security of *nix based OSes. Generally, for a user on a modern *nix based system to get owned by malware, they have to do something stupid and authorize (via Authentication/sudo) the malware, unlike Windows systems where malware is usually silently installed without the user's knowledge.

Are *nix based systems immune? No. However, it takes an effort on the part of the hacker and/or incompetence on the part of the user (not keeping systems up to date or authorizing anything that requests it) to get into *nix based systems. Thus the LiveCD route is generally not needed for password security.

However, the phishing attacks will still work no matter what OS you use. Thus don't be a n00b and give your account details to every website/email that asks for it.
10-18-09, 05:44 AM   #6
Bluspacecow
Giver of walls of text :)
Join Date: Dec 2006
Posts: 770
Originally Posted by Lykofos:
Thus the LiveCD route is generally not needed for password security.
Oh I didn't want one for password security or anything.

I'm a techie geek. I just want one so I can go "Yes, I can boot my computer up into Linux if I really, really wanted to... See, I can invoke the power of this LiveCD disc."

10-18-09, 05:56 AM   #7
Slakah
A Molten Giant
Join Date: Aug 2007
Posts: 863
Originally Posted by Lykofos:
Another thing when you change your Battle.net email and passwords: do it from a Linux LiveCD session. Linux LiveCDs are easy to get and use these days. Ubuntu will send you one free with the latest flavor, or you can download and burn it yourself.

In this way you will bypass any root-kitted malware (including keyloggers) and such that may be hiding on your system. This will help keep your account safe. I strongly recommend using this route to change your password if you suspect you have something lurking on your system or if you have accessed WoW/Battle.net from a PC you do not control (such as a cyber cafe or other public location).

In addition, a LiveCD is a great item in your toolbox in the event something goes wrong on your machine and you need to either recover files prior to an OS reinstall or take your machine to a tech.
And what do you do when you want to log into WoW?
10-18-09, 09:21 AM   #8
Vyper
A Rage Talon Dragon Guard
Join Date: Jul 2008
Posts: 317
Originally Posted by wurmfood:
4) A strong password doesn't need to be terribly long. In fact, having something really long can be worse because it will make it more difficult for you to remember. Normally, 6 - 8 characters of mixed numbers, characters, and symbols is plenty. "177t"-ification of a word is a good plan, though.
L77tifying words is mostly useless, as there are pretty standard ways people go about doing that. Most brute-force/dictionary attacks already take into account that people are doing this, and try variations of the words they try.
10-18-09, 10:26 AM   #9
Zyonin
Coffee powered Kaldorei
Join Date: May 2006
Posts: 1,443
Originally Posted by Slakah:
And what do you do when you want to log into WoW?
The LiveCD is only for when you need to change passwords and other log-in details, either because you suspect you have "visitors" in your PC or you want to be cautious after using a public terminal to access your accounts. LiveCD sessions are recommended for Windows users using on-line banking and other sensitive sites.

The other reason for the LiveCD session is to recover from some major event that breaks your Windows installation (so you can recover/backup data or track down and deal with the source of the problem) or if you just want to try out Linux.

You could be masochistic and run WoW via a LiveCD session, provided your LiveCD session includes a recent Wine setup and the host system is recent in terms of hardware. Your WoW installation is portable and can be run off a USB pen drive or even an external hard drive. The only real sticking point is that Wine is fairly large and is usually not included with most LiveCD distros, simply due to lack of space on the disc.
10-18-09, 12:12 PM   #10
Bluspacecow
Giver of walls of text :)
Join Date: Dec 2006
Posts: 770
Originally Posted by wurmfood:
4) A strong password doesn't need to be terribly long. In fact, having something really long can be worse because it will make it more difficult for you to remember. Normally, 6 - 8 characters of mixed numbers, characters, and symbols is plenty. "177t"-ification of a word is a good plan, though.
Going to have to disagree with you here.

If you use a phrase you can remember, then typing in a 15 character long password simply becomes a matter of typing each letter of that phrase in sequence. Hunt and peck at the keys if you must.

Replacing certain characters with numbers or symbols makes this process a little bit harder, but not as terribly hard as you think, if you think of it as: each time you put an "e", use a certain other symbol; every time you use a "t", use a certain number.

It becomes easier over time. Mine's a combination of 2 randomly generated passwords, both non-dictionary non-words with numbers in them, and the names of two of my favourite cartoon characters from back when I was smaller than a grasshopper. It's around 20 characters long.

I have to type that in every damn day, every time I log into WoW. I remember it like this:

*old password from years back* *old password from years back* *toon1* *toon2*

After having to enter it in every day I can remember it by now.
10-18-09, 01:03 PM   #11
bknab
An Aku'mai Servant
Join Date: Jul 2007
Posts: 32
Originally Posted by Bluspacecow:
2) CHANGE THE EMAIL ADDRESS MERGED TO YOUR BATTLE.NET ACCOUNT (IF ALREADY MERGED)

Go to Gmail.com or some reasonably secure email provider.

Get a new one from there just for WoW related stuff.
I personally would go a bit further: instead of using my account email for "WoW related stuff", I do not use my account email for anything other than Blizzard/Battle.net. I get spam emails all the time saying I've been picked for beta access to this or that, or Blizzard needs to authenticate my email, etc. The funny thing is Blizzard doesn't even contact me at that email, so I just mark them all spam and be done with it.
10-18-09, 04:39 PM   #12
Slakah
A Molten Giant
Join Date: Aug 2007
Posts: 863
Originally Posted by Zyonin:
The LiveCD is only for when you need to change passwords and other log-in details, either because you suspect you have "visitors" in your PC or you want to be cautious after using a public terminal to access your accounts. LiveCD sessions are recommended for Windows users using on-line banking and other sensitive sites.
I still don't understand your advice. When logging in to an account you are just as susceptible to keyloggers as when changing your password, so my main question is why bother loading a LiveCD when it's completely pointless, as you'll end up logging on from your Windows partition anyway, making your password visible to any visitors? Surely more sound advice would be to install some anti-virus software from a reliable retailer to make sure you have no "visitors".
10-18-09, 06:53 PM   #13
Psychophan7
A Chromatic Dragonspawn
Join Date: Feb 2006
Posts: 153
Here's one:
Always have a capital letter in your password. Why? The WoW client does NOT use case sensitivity on passwords, while the website does.

All you have to do is log into the game without using any caps. If you've got a keylogger (and don't log into the main site), then you can keep your account safe by sacrificing access to your toons.

"Why the heck would I want to do that?" you might be asking. It's very simple, really: the 'hacker' can't easily change your password, and it's easier to have your in-game items restored than it is to get your account back.

Best advice? Get an authenticator.
10-18-09, 07:43 PM   #14
wurmfood
A Flamescale Wyrmkin
Join Date: Apr 2009
Posts: 122
Originally Posted by Vyper:
L77tifying words is mostly useless, as there are pretty standard ways people go about doing that. Most brute-force/dictionary attacks already take into account that people are doing this, and try variations of the words they try.
True, but if you're going for simple guessing attacks it'll go a long way. Brute force attacks are difficult to execute against most online services, as they have a hard limit on the number of failed attempts that can happen before the account becomes locked. The most secure services allow fewer than 5 failures before lockout. There are also problems with time, as brute-force attacks on an online service take much longer.
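A rough keyspace comparison of the approaches argued over in this thread (wurmfood's 6-8 mixed characters, Vyper's point that l33t substitutions are already in attackers' rule sets, Bluspacecow's long phrase, and the online lockout versus offline guessing wurmfood contrasts above), written as an added illustration rather than code from any post here. The dictionary and vocabulary sizes, the two-spellings-per-letter substitution model and the guess rates are assumptions chosen only to make the strategies comparable.

```python
"""Rough keyspace estimates for the password strategies discussed in the thread.

Added illustration, not code from any post. Sizes (dictionary, vocabulary,
guess rates) are assumed round numbers, chosen only to compare the approaches.
"""
import math

# Character classes for a password chosen uniformly at random.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 95 printable ASCII characters
MIXED = LOWER + UPPER + DIGITS + SYMBOLS


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def leet_word_bits(dictionary_size: int, substitutable_letters: int,
                   choices_per_letter: int = 2) -> float:
    """Search space of a 'l33t-ified' dictionary word.

    Models Vyper's point: attackers run the standard substitutions as rules,
    so each substitutable letter only multiplies the work by the number of
    spellings tried for it (keep it, or swap e->3, a->@, ...). The cost is
    dictionary_size * choices ** letters, not 95 ** len(word).
    """
    return math.log2(dictionary_size * choices_per_letter ** substitutable_letters)


def passphrase_bits(word_count: int, vocabulary_size: int) -> float:
    """Entropy of a phrase of `word_count` words, each chosen independently.

    An upper bound for a sentence like 'my favourite dog is ...': real
    sentences are more predictable than independent word picks.
    """
    return word_count * math.log2(vocabulary_size)


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace at a fixed rate."""
    return 2 ** bits / 2 / guesses_per_second


def compare_thread_strategies() -> dict:
    """Bits for the approaches argued over in the thread (modelled, not measured)."""
    return {
        # wurmfood: 6-8 mixed characters, only this strong if chosen at random
        "random_6_mixed": random_password_bits(6, MIXED),
        "random_8_mixed": random_password_bits(8, MIXED),
        # Vyper: l33t-ified word from a 100k-word list with 4 substitutable letters
        "leet_dictionary_word": leet_word_bits(100_000, 4),
        # Bluspacecow: a five-word phrase from a 20k-word vocabulary
        "five_word_phrase": passphrase_bits(5, 20_000),
    }


def attack_comparison(bits: float) -> dict:
    """Time to guess under the two settings wurmfood contrasts.

    Online: a service that locks after 5 failures per hour (assumed rate).
    Offline: a stolen hash cracked at a billion guesses/sec (assumed rate).
    """
    online_rate = 5 / 3600          # 5 attempts per hour before lockout
    offline_rate = 1e9
    return {
        "online_years": expected_guess_seconds(bits, online_rate) / (3600 * 24 * 365),
        "offline_seconds": expected_guess_seconds(bits, offline_rate),
    }


if __name__ == "__main__":
    for name, bits in compare_thread_strategies().items():
        times = attack_comparison(bits)
        print(f"{name:22s} {bits:5.1f} bits  online ~{times['online_years']:.1e} y"
              f"  offline ~{times['offline_seconds']:.1e} s")
```

The numbers show why the thread's two camps are both partly right: with a lockout, even a l33t-ified word takes years online, while against a stolen hash only the long phrase or a genuinely random 8 characters hold up.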
10-18-09, 10:35 PM   #15
zero-kill
A Firelord
Join Date: Aug 2009
Posts: 497
Ultimately, just change your password often enough or create a unique enough combination that will not be feasibly forced.
10-19-09, 09:14 PM   #16
Cairenn
Credendo Vides
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
semi-hijack

We've been hearing a lot of reports of hacked accounts again recently. I thought I'd take the opportunity to use this thread to help educate people on some common misconceptions they have about how accounts get hacked (i.e. they got hacked because of an addon).

It isn't possible to get a keylogger from a normal AddOn:

First, in order to function, a keylogger must be run from an executable. You have to actively tell the executable to run (by clicking on a link on a webpage, deliberately running an .exe or other such file on your system, etc.). AddOns don't have executables in them (in general). As well, we don't allow (regular) AddOns to have executables on our site.

Second, WoW AddOns aren't loaded into memory until after you have logged into your account, so there is no way it can access your login info.

Third, most keylogged accounts are actually keylogged anywhere from two (2) weeks to six (6) months prior to them actually acting on the information. Malicious programmers get the information for so many accounts that they are usually that far behind to begin with. As well, they know better than to access the accounts immediately, because it's way too easy to go "oh, I got hacked right after doing this thing on this site". It's harder to remember what you did anywhere from two weeks to six months previously.

Fourth, just as many accounts are hacked via brute force or dictionary attacks as they are by keyloggers. That's why it's so important to make sure you have a really strong password and that it isn't something easily guessable.


How to keep yourself safe:

Make sure your password is really strong (a combination of numbers, letters and special characters like = % &), not a "word", and not something easily guessable, like your character name, or your birthday, or ...

Keep your anti-virus and anti-malware updated. Make sure to scan your system on a regular basis. If you think you may have a virus or some other form of malware on your system, but your scans aren't finding anything, try a different one. Not all scans pick up all malicious code; it's hard to keep up with all the new ones being developed all the time. There are many free anti-virus and anti-malware programs out there, some that you can download, some that are run on-line. Try one of them if you aren't confident that your existing one is catching everything. (Let's not get into a debate on this one, computer geeks, this is general info for the average person.)

Browse smart. Download smart. Don't go to sites you don't trust, don't download from sites you don't trust. If you are running browsers that allow it, use things like the NoScript plugin for Firefox. This prevents sites from running code on your computer without you giving that site explicit permission to do so.

Pay attention to what site a link goes to, in emails and such that say that you've "won access to Blizzard's Beta" or similar. Make SURE it's Blizzard's site before you click on the link. As well, Blizzard will never ask you for your password. Don't tell it to anyone.

Another step I would strongly suggest you consider is getting one of the Blizzard Authenticators.


(Yes, I know, a lot of this is already covered in the rest of the thread, but this is a compiled version.)
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
FaceBook Profile, Page, Group
Avatar Image by RaffaeleMarinetti

Last edited by Cairenn : 10-19-09 at 10:42 PM.
10-19-09, 10:47 PM   #17
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
Join Date: Mar 2007
Posts: 818
My magic formula for passwords:

Step 1: Choose two languages (English can be one of them if you want)
Step 2: Choose two words, one from each language
Step 3: Take first half of first word, second half of second word
Step 4: Interleave a number and a symbol
Step 5: Make at least one letter capitalized

It has worked well for me so far. And don't think you have to know other languages to do this, either. How many common phrases are out there everywhere that you know? For example, on every US coin we see "E Pluribus Unum." It's certainly able to be remembered, even if you don't know Latin. (And no, before you get any bright ideas, none of my passwords come from phrases on a coin.)

EDIT: That being said, for me, passwords generally only exist for encryption of my RSA keys. I use passwords as little as possible, and immediately jump for anything more secure such as the Blizzard authenticator.
__________________
Certainly, I saw with my own eyes one era come to an end.
But I did not want to know that the next turn was my own.
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
10-20-09, 09:44 AM   #18
Kallieen
Lady of Shadows
Join Date: Dec 2006
Posts: 54
I tend to use passphrases, in that I'll take a sentence and pull a password out of it. I tend to draw them from books I've read or shows I've watched, but I don't use anything that I say often or use as a forum sig. One benefit of that is that I can use the sentence as a password reminder without giving anyone an easy way to guess the password. Subbing characters and numbers for letters or words makes it fairly secure as well.

Another thing is to not use the same password over and over. Especially don't use your WoW password anywhere sensitive.
10-20-09, 12:37 PM   #19
Dawn
A Molten Giant
Join Date: May 2006
Posts: 918
Woot! Ma account is ma babe, don't take it from me *cry*

Don't be afraid kids, the only thing that will really get your beloved WoW account hacked is account sharing (aka giving your password away) or being keylogged (aka being dumb).
While you shouldn't make your password "password" or the like, it's highly impossible for someone to hack your account if you aren't dumb enough to spread around your account name (or, soon to come, the email it's attached to).

What I'm trying to point out is just one thing: security is nothing that you need to buy (via some authenticator crap) or that comes from an uber secure password (which doesn't make a difference if you got keylogged anyway). Not getting hacked comes simply from being smart enough not to make obvious mistakes, like visiting gold selling or other untrustworthy pages; not telling everyone you even have a Warcraft account; taking your time to create at least semi-intelligent names (and while you're on that, not only for your email... nasty ShadowforceroUGe is nasty), ...