Game: Improving Password Security

Jinji

PWO's Resident Gengar
Staff member
Administrator
Joined
Aug 15, 2011
Messages
7,422
Points
113
Website
jinji.gamescodex.net
PWO Community, today the Admin team learnt of something that really makes me sad about some of our players. There's an old saying that if you trust people never to make silly mistakes, you set yourself up for a fall. Well, let's just say there'll be quite a few insurance claims now for falling in public.

You see, in recent maintenance to the game's database, we discovered over a thousand accounts within PWO were using either the word "password", or copying their username as their password. This is seriously insecure and avoiding these choices is one of the first lessons of password security - such passwords are easily guessed and offer zero protection against a guilty player gaining access to your account.

The Playerdex has now been updated to prevent people setting either of these as their password for all PWO Services, both for new registrations and for existing accounts changing or resetting their passwords. In addition, after some consideration, we have decided that in the interests of player security, any account that used either "password" or their username as their password will now have had their passwords wiped from the database; and you will need to perform a password reset to obtain a new password in order to gain access into your account. Note that if you no longer have a valid email address, your account may no longer be accessible as a result of this change - we apologise for the inconvenience.

It surprises me that such measures are necessary as many of the Staff of PWO believed our player base was sufficiently smart enough to avoid choosing obvious passwords. To help players know what passwords to avoid in the future, here is a list of ten more passwords that were discovered, as of January 2010, to be used the most by internet users worldwide (study of 22 million internet users):

1. 123456
2. 12345
3. 123456789
4. monkey
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you are using one of these, or anything similar to them, you should change your password immediately. It's also a bad idea to use any part of your real name as your password, as the study also investigated how many people used names in their passwords and discovered that people's first names were number 11 on the list, with many other name-related passwords appearing further down.

Thank you for your attention.

In other news, a small Forum enhancement. If you go into your Profile Settings on your Profile today, you will notice a few new options with which to add more about your Pokémon journey to your Profile. In addition to the name of the Guild itself, you can now optionally set the position you have in a Guild; and you can choose your favourite Type of Pokémon to be added to your Forum Profile. Oh by the way, did you know that on anybody's Forum Profile, if you hover the mouse over the "Profile Info" or "Modify Profile" links at the top of the page, you'll see menus with links to search things about that player or, if it's your own Profile, change the way the Forum works for you? Check it out.

TL;DR: If you set your password to "password" or your username, you'll need to reset your password to log in again; and it is no longer possible to use these as passwords.
 

LunaticJames

Content maker
Joined
Sep 23, 2011
Messages
1,498
Points
83
Lol.
But really, yes, that is a good point to raise, poor passwords are just future problems.

"monkey"
^ wut?

And that's a cool addition for the Guild positions and affinity for certain types X3
 

padopado

Guest
Why is the reset button not working? ?_?
 


rayquaza72

Guest
Would it eventually be possible to have a blacklist for passwords? Add these really common/insecure ones so they can't be used when registering accounts or changing passwords.
 

padopado

Guest
I wanted to reset my password but the password button is not working ?_?
 

MacaroniMan

Guest
I think instead of blacklisting passwords, set specific requirements. As in, it needs to be 8+ characters, A CAPITAL LETTER, a lowercase letter, a numb3r, and a sy/\/\bo|_, and it's automatically refused if it has part of your username (3-4 consecutive letters the same?). You can do it for operating systems (school does it), why not the game?
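The rules discussed in this thread, combined into one validator as an added example (this is not the Playerdex's own code): the announcement's rejection of "password" and of the username, rayquaza72's denylist of the ten listed passwords, and MacaroniMan's complexity and partial-username requirements. The 4-character run length and the stem matching (which also catches padded variants such as "Password1!") are assumptions not stated in the thread.

```python
import re

# Denylist constructed from the thread: the word the announcement now rejects
# plus the ten most-used passwords it lists from the January 2010 study.
DENYLIST = {
    "password", "123456", "12345", "123456789", "monkey", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}


def shares_username_run(password, username, run=4):
    """True if `run` consecutive characters of the username occur in the password.

    This is the "3-4 consecutive letters" rule from the thread; run=4 is an
    assumed default. Usernames shorter than `run` are matched whole."""
    p, u = password.lower(), username.lower()
    if len(u) < run:
        return u in p
    return any(u[i:i + run] in p for i in range(len(u) - run + 1))


def check_password(password, username):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    # Stem strips leading/trailing digits and symbols, so "Password1!" still
    # matches "password" (assumed extension of the announcement's rule).
    stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if lowered in DENYLIST or (stem and stem in DENYLIST):
        problems.append("password is on the common-password denylist")
    if lowered == username.lower():
        problems.append("password equals the username")
    elif shares_username_run(password, username):
        problems.append("password contains part of the username")
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems
```

Returning the full list of violations rather than the first one lets the registration form tell the player everything to fix in one round trip.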
 

masterpugz001

Guest
padopado said:
I wanted to reset my password but the password button is not working ?_?

Me too, I can't reset my password. Can someone tell me how to reset one.. I'm dying inside, my hands are shaking, I want to play... :-((((((((
Anyone please help me!!!!! I want to secure my pass. Still I can't...
 

padopado

Guest
masterpugz001 said:
padopado said:
I wanted to reset my password but the password button is not working ?_?

Me too, I can't reset my password. Can someone tell me how to reset one.. I'm dying inside, my hands are shaking, I want to play... :-((((((((
Anyone please help me!!!!! I want to secure my pass. Still I can't...

Well dude, too bad no one is answering this. I already asked someone in the IRC channel but didn't get a very accurate answer.

My one and only question is "why is the reset button not working" and no one answered my question specifically. I also wanted to play as soon as possible, but well, this is their game; we're only playing in their game.
 

rayquaza72

Guest
Ever notice how asking the same question several times still hasn't done anything? Learn to wait until someone that can help comes along...
 

masterpugz001

Guest
Thanks for the reply dude.. :( my hands are shakin'... I'm starting to log in at 11am, it's 3:36pm here in my place...
 


voltahit

New Member
Joined
Aug 15, 2011
Messages
103
Points
16
Unlike some people that consider every announcement a big change, I actually consider this particular announcement a big change because you guys are updating security measures. Good job!
 

Merry

New Member
Joined
Jan 15, 2012
Messages
12
Points
1
Jinji said:
You see, in recent maintenance to the game's database, we discovered over a thousand accounts within PWO were using either the word "password", or copying their username as their password. This is seriously insecure and avoiding these choices is one of the first lessons of password security - such passwords are easily guessed and offer zero protection against a guilty player gaining access to your account.

I seriously hope you do not store the passwords in plaintext. If so, this newspost should be nominated for hypocrisy of the year.
 

Bluerise

Youngster
Administrator
Joined
Aug 14, 2011
Messages
8,915
Points
63
padopado said:
I wanted to reset my password but the password button is not working ?_?
Maybe instead of simply posting it here, you can post it in the Bug Catcher where bugs are supposed to be reported. I will, though, suggest using an alternative browser.

Merry said:
I seriously hope you do not store the passwords in plaintext. If so, this newspost should be nominated for hypocrisy of the year.
We can only do our best with the limits in place.
 

Merry

New Member
Joined
Jan 15, 2012
Messages
12
Points
1
Bluerise said:
Merry said:
I seriously hope you do not store the passwords in plaintext. If so, this newspost should be nominated for hypocrisy of the year.
We can only do our best with the limits in place.
What if somebody ended up getting their hands on the database?

Also: a lot of people use the same password on different sites. What about staff members with access to the database who might decide to go rogue with the information (keeping that possibility open even if it is not very likely)? Though I suppose that problem would apply with hashed passwords as well, but at least it would require a bit more effort. That is, provided the passwords are not already hashed and stuff.
 

Jinji

PWO's Resident Gengar
Staff member
Administrator
Joined
Aug 15, 2011
Messages
7,422
Points
113
Website
jinji.gamescodex.net
I agree that the current password storage used by PWO is not very strong in itself. For this, much of the blame should be attributed to Kyro, PWO's original Project Lead, for failing to realise the importance of password salting and encryption (and based on what I know of him - for we were quite close back in the day - at the time he was actively working on this game, he probably lacked the knowledge to implement such features).

We are looking into implementing database-level encryption for passwords in the game. However, for such a system to work, either the client would have to encrypt the passwords to the same standard used in the database before sending them (possible security risk); or, at login, the server would need to either encrypt the received password or decrypt the database password - and only compare the result, discarding it once completed. None of these actions are currently performed by the game, but this will hopefully change in the future. Of course, we would also need to forcibly encrypt the existing passwords if we wanted to ensure the system worked for all users without causing a massive inconvenience to them.
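The server-side variant described above, as an added example that is not PWO's code: the server takes the password received at login, runs it through the same salted one-way hash stored in the database, compares only the result, and keeps nothing else. It uses salted PBKDF2-HMAC-SHA256 (an assumed choice; one-way hashing rather than reversible encryption, since the server never needs the original password back) and shows the migration of legacy plaintext rows by rehashing each one on its next successful login, so existing players need no forced reset. The record format, iteration count and the dict standing in for the accounts table are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor (assumed); raise over time
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$digest".

    A fresh 16-byte random salt per user means two players with the same
    password get different records, which defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; the password itself is never stored."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown password scheme: " + scheme)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def login(accounts, username, password):
    """Check a login against `accounts` (a constructed dict standing in for the
    accounts table). Legacy rows still hold plaintext; on a successful login the
    row is rewritten as a hash, so the migration completes without any reset."""
    record = accounts.get(username)
    if record is None:
        return False
    if record.startswith(SCHEME + "$"):
        return verify_password(password, record)
    # Legacy plaintext row (a real schema would flag this in a separate column).
    if hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8")):
        accounts[username] = hash_password(password)
        return True
    return False
```

Because the iteration count is stored in each record, it can be raised later and old records keep verifying until they are rehashed on the player's next login.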
 

Merry

New Member
Joined
Jan 15, 2012
Messages
12
Points
1
Mm... nu, I reacted a bit at the advocating of security when there at the same time were issues with one's own stuff. Though I guess the issues are two different ones.
 

Mantis

Youngster
Joined
Aug 15, 2011
Messages
1,350
Points
36
Website
www.technopathic.org
Am I allowed to keep using drowssap as my password?
 

inileater

Guest
Another common mistake a few friends of mine make (for their MSN/XBL passwords and such) is to take a random word and add their birth year at the end, for example: Pancake91
 

HuguinhoA

New Member
Joined
Oct 8, 2011
Messages
81
Points
6
Wow, good topic. It's hard to believe that some players are really using easy passwords. This shows that they don't care so much about the game. If you staff think like a normal gamer just starting an online game, at the beginning all the easy passwords work fine. When the player shows interest in the game, normally a percentage of them decide to change the easier password for a harder one.
I have a medium/hard pass... but, after this topic I will change some things and I advise others to do the same. ;)

Thanks for the info Jinji  :-*
 