Thursday, July 24, 2008

Account Security, or "How To Keep Your Gold, Gear, and Sanity"

Something I've been wanting to talk about for a while has been how to keep your account from being hacked. We've discussed it before with some basic tips from my computer guys, but I think it's time for a refresher course.
  1. Strong Password
  2. AntiVirus and Firewall
  3. Obscure Question
  4. Authenticator
  5. You

Layer 1: Strong Password

Pretty soon, I'm gonna try to change my regular password to something a little bit ridiculous. Something I'll have to look up every time I need it. It will include:
  • No proper names or words.
  • Lots of random symbols like semicolons and brackets.
  • Both upper and lowercase letters.
  • Numbers.
  • 14 characters long.
I recommend making your strong password and using it for everything you do. To keep track of it, put it in a .txt file deep in your My Documents folders (surrounded by other files) with an innocuous name like "Britain" or "catshampoo."

Heck, even use a really old book's ISBN number or the store code on a game box (my copy of Evil Genius still has the sticker on it and sits right beside my monitor). Nothing more innocuous than a couple of books or games piled up on your desk. (Just make sure it's nothing someone would borrow without asking. >_> That'd be awkward.)

Layer 2: AntiVirus and Firewall

I had to have my husband explain the difference. >_>

Basically, they serve the same function in a different way: AntiVirus programs identify possible malicious programs. Firewalls protect by blocking things from getting onto your private network.

We just have a Firewall because my husband knows how to set it up, but it's strongest to have both.

Layer 3: Obscure Question

You know how you get a question like "What was your mother's maiden name?" and that sort of thing in case you need to prove you're you?

Yeah, make it something only you know. I had a guildie lose his account because he got it from a guy who didn't give him the question/answer (the guy got my guildie's new password with that and changed it on him, and Blizzard does not allow account sharing so no action could be taken). They worked it out, but it could have been very bad.

A rumor ran around the WoW news that another girl got her account hacked in spite of the new Authenticator security tool because someone figured out her answer and used it to deactivate the Authenticator over the phone. If this happened, it would most likely be someone she knew.

I don't know how you can change your account question/answer at this time. :*(

Layer 4: Authenticator (Optional)

At the Blizzard Store, they sell small devices for $6.50. You buy one, you put its serial number on your account (Account Management -> Add Authenticator), and every time you want to log in you get an extra little "password" screen that asks you for a randomly generated code from the Authenticator (which has a battery life of "several years" according to Blizzard).

From what I can tell, each authenticator has its own style of codes recognized on your account by its registered serial number.

BUT you can use it on lots of different accounts. So if you're married, and you each have an account, you only need to get one for both of you.
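
A sketch of how a serial-registered code generator can be checked at login, as an added example that is not from the original post and is not Blizzard's actual algorithm. It uses the public TOTP scheme (RFC 6238) as a stand-in; the serials, secrets, account names and the `AuthServer` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (assumed value, per RFC 6238 default)

def code_for(secret: bytes, when: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC the time-step counter, then truncate to N digits."""
    counter = struct.pack(">Q", when // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical server side: serial -> secret, account -> serial."""
    def __init__(self, secret_by_serial):
        self.secret_by_serial = dict(secret_by_serial)  # known per device
        self.serial_by_account = {}  # filled in when a player adds a device

    def add_authenticator(self, account: str, serial: str) -> None:
        if serial not in self.secret_by_serial:
            raise KeyError("unknown serial number")
        self.serial_by_account[account] = serial

    def check_code(self, account: str, code: str, now: int, drift: int = 1) -> bool:
        serial = self.serial_by_account.get(account)
        if serial is None:
            return False
        secret = self.secret_by_serial[serial]
        # Accept neighbouring time steps so a slightly-off device clock still works.
        return any(
            hmac.compare_digest(code_for(secret, now + d * STEP), code)
            for d in range(-drift, drift + 1)
        )

def demo() -> dict:
    # Constructed sample data: two devices, three accounts, one shared device.
    secrets = {"SERIAL-A": b"constructed-secret-A", "SERIAL-B": b"constructed-secret-B"}
    server = AuthServer(secrets)
    server.add_authenticator("wife", "SERIAL-A")
    server.add_authenticator("husband", "SERIAL-A")   # one device, two accounts
    server.add_authenticator("guildie", "SERIAL-B")
    now = 1216900000
    code = code_for(secrets["SERIAL-A"], now)          # what device A displays
    return {
        "wife": server.check_code("wife", code, now),
        "husband": server.check_code("husband", code, now),
        "guildie": server.check_code("guildie", code, now),
        "stale": server.check_code("wife", code_for(secrets["SERIAL-A"], now - 10 * STEP), now),
    }
```

The serial number only tells the server which secret to check against, which is why a code from one device works on every account registered to it and on no others, and why an old code stops working once its time window has passed.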

WoWInsider Authenticator Post
Official Authenticator FAQ
Authenticator at Blizzard Store

I think I want to get one, personally. It would be a little annoying to input every time, but I've put enough effort and love into my account that I'd like the extra security.

Final Layer: You

All of this will be pointless if you don't watch what you click on. Keyloggers are only dangerous if you download them. Keep your surfing to known and trusted sites, never download anything with a .exe unless it's a trusted addon from Curse or some other reputable addon site, and never ever ever click on a link in an email that you didn't ask for (even if it's from a friend).

My husband and I recently got an email from his father about this new shopping site and how awesome it is. In the email, there was html and it called us "Dear Friends." Several warning signals:
  • My father-in-law never emails. He calls.
  • If he did email, that's about all he can do on a computer. He knows NOTHING of html.
  • He would never call us "Friends." It's too impersonal.
  • He always signs his emails with his nickname, but he didn't this time.
He called us two days later to warn us he had a virus on his computer and it had sent out an email to his mailing list. We had already recognized it as fake and deleted it without clicking on the link, but most people don't look at email from family in a suspicious manner. So keep an eye out.

Also, some web browsers are more vulnerable than others. Oddly, Opera is one of the safest web browsers around just because so few people use it that hackers don't consider it worth their time. (If you prefer mainstream, Firefox is safer than IE. I use Firefox.)

And, lastly, don't share your password. Blizzard will never ever ever ask you for it outside the official login panels, and if anyone else promises riches if you just "log in" to your account through their site, they're just stealing your data. This also goes for sharing your account info among friends. If you want to let Pete Pwner take your warlock for a spin, fine, but change your password afterward. This is not "Oh I don't trust him anymore" -- it's common sense. Who's to say he didn't write your info down on a slip of paper by his computer and forget about it until your mutual acquaintance Mr. Moron picks it up? Don't leave a major hole in your security just because you want to show that you trust someone. It's noble but daft.

A story: Friend A shared his account info with Friend B. Friend A wakes up one morning to find his account was hacked, his things sold, and his character transferred. He freaks and reports the hack. Turns out that Friend B logged onto his account while drunk and did everything. Blizzard banned Friend B for account hacking. So, kids, this isn't just to protect yourself. It protects your friends too.

Change your password if someone gives you their account. Do NOT keep the same password. I have had guildmates kicked from their characters in the middle of a raid because the previous owner decided (a year later) that they wanted the account back. I have had another guild member have to start a new account because the previous owner of his first account logged on to his 70 and took everything, and Blizzard wouldn't consider it a hacking attempt and give the items back because it was a "shared account" issue (sharing is against the terms of service and can get you banned). If you consider the account yours, make it yours with a new pass, I'm begging you!! (Or even make another account for yourself, with your own question/answer, and transfer the desired characters over.)

If you get hacked anyway.

Open a ticket with a GM and tell him or her the situation. They should guide you through the process of getting your stuff back. From my experience, if it's a straight hack and no "shared account" issues, you'll get your stuff back in a few weeks but won't be able to play in the meantime.


  1. Hai! Thanks for stopping by my humble home! I wanted to get in touch with you for an idea you've sparked for me (I know, way vague, huh!). If you have the time, could you drop an email to

  2. Wow, you make our guildies sound sorta... dumb.




    Oh well. Live and learn!

    PS - I use Opera for the very reason you've stated.

