Tobold's Blog
Saturday, April 20, 2013
An interesting approach to account security

World of Tanks is running a "change your password" event in which every account that changes its password to something more secure is rewarded with 300 gold, the game's real-money currency. The idea is brilliant on so many levels that you have to wonder why nobody ever thought of it before.

Honestly it looks like "our password database was compromised and we need to have players change their passwords or we'll spend ages answering the phone calls of hacked people, 300g is cheaper than that, so full steam ahead!".
And it'll not solve people picking crappy passwords or reusing them on all the WoT websites.
I suppose it is one way of getting players to create a more secure password, but honestly I don't think it is the best solution.

I still think the most secure solution is to employ authenticators. I always wondered why WoW doesn't offer more inducements to use authenticators.

Personally, if I were them I would sell the Authenticator as "account insurance" but include some additional bonus such as a mount or some kind of XP boost item (perhaps with a monthly cooldown so you can use it more than once).

The "insurance" element should be that if you buy an authenticator and your account gets hacked, Blizzard would guarantee to recover all your lost items. If you also ban all trading when not using an authenticator I suspect you will practically kill gold selling over night.

The key point though would be that those not using an authenticator would never get their stolen gold/items recovered if they got hacked. That would be an anti-inflationary measure that even Maggie Thatcher would be proud of.

The other option is the one we use at work, where the system automatically forces you to reset your password every couple of months and gives you a choice of three passwords consisting of random letters. The problem with this option is that I know from working in IT support that I have to reset a lot of passwords due to users forgetting them...

Still, I don't believe passwords are ever secure, because you cannot guarantee the user's machine is free of keyloggers and you can't guarantee that they won't use the password on other sites.

Whilst "only" 99.9999% secure, I think authenticators are the way to go. I know my bank HSBC agrees with me! I suspect that the few getting hacked with authenticators are those that were account sharing with roommates etc. In which case, ban them anyway!
Yeah, but Blizzard got sued for using authenticators. Somebody claimed that this was a hidden cost.
It isn't the first time WoT has done something similar, and it is certainly a good 'positive' incentive to resecure your own account, in case account security wasn't enough.

You can associate a mobile phone with the account as well, like with many things these days, and they give you a gold bonus for that.

It is nice, but I would like a token authenticator or similar, as it works so well for Blizzard accounts that I don't really see a downside.
What is the brilliant part? Offering an inducement or making the inducement specifically in-game currency?

The latter might be a first but surely this isn't the first time players have been offered benefits to their characters for changing passwords - I seem to remember getting Achievements and/or titles for doing this in several MMOs, EQ2 and Rift among them.

If you're saying giving in-game currency is the brilliant new idea, why is that?
"If you're saying giving in-game currency is the brilliant new idea, why is that?"

A large number of Free2Play customers do exactly that, play for free, and never use real-money currency. Handing out a "free sample" of that currency can show them the advantages, and thus lead to further sales. And it doesn't really "cost" anything!
Because it does not increase account security at all. "Strong" passwords create only a false sense of security.
Doesn't Runes of Magic give a free daily quest reset ticket each month you change your password?
I believe they've been compromised (launcher says so).

So they want people to change password -- and hence offering the gold if your new password is 'strong'.

Nice idea, but it would've been better if they hadn't gotten compromised in the first place :P

Actually, on that subject -- I think they are way too coy about the whole 'compromise' thing -- they ought to have been more "in your face" about the fact, so that you know that you *need* to change your password.
Ah yes, Joystiq reports WoT having had a security breach.

Note that there is one HUGE difference between a MMORPG account being hacked and a WoT account being hacked: World of Tanks has absolutely no way to transfer tanks or gold from one account to another. Thus there is no black market for tanks or gold which would encourage thieves to hack your account to sell your stuff.
It's pretty cool what they did. I would have changed my password anyway, as soon as I found out about the breach, but the gold was just icing on the cake. Hey maybe they should have "password change events" several times a year, with gold bribes.

It wouldn't be a bad idea if they offered optional two factor authentication though.

On the other hand, like someone already mentioned, I'd guess that people would have less motivation to hack WoT accounts since you can't transfer tanks, gold or silver.
"We want our players to have secure passwords!"

(tries to change password to something more secure)

"The password contains incorrect characters. Use Latin characters, digits, and underscores only."

Yeah, good one.
Password strength is mostly something that gives users a warm fuzzy, not something that actually makes systems more secure. Disregarding your password being "password".

See also:

When accounts are compromised, it's very rarely that passwords are guessed or brute forced.
Of course TFA is highly desirable. It used to be a problem to keep up with a fob and worry about fob breakage and batteries. Smartphones have nearly obviated that.

I like the human engineering of a strategy of not allowing any two people to have the same password. So at most one person can have "password."

If they need their users to change passwords, they need to tell their users to change passwords.

More secure passwords may do more harm than good IMO. People don't remember them so they write them down. Forced use of authenticators is absurd also. Who wants to be clicking a different stupid expensive dongle to log into every game they play?
I really like SW:TOR's approach. Use an authenticator gain access to a unique in-game vendor and 100 bonus Cartel Coins a month.

Now that I think of it, account security is one thing SW:TOR got right.
While there is no black market for tanks, there is a black market for the accounts themselves.