119444-about-that-authenticator


I don't see this as an either/or situation as in EITHER you get the authenticator OR you get compromised. I don't believe most accounts get "hacked" just out of the blue either. My friends and I have played online games for 8+ years and none of us ever got hacked on any of them, including this one. I believe most accounts that do get "hacked" are compromised by people that know you that somehow got your pass or *cough* you gave it to them at some point. I did get the authenticator on W* simply because I was too cheap to pony up the g for the mounts, not because I'm paranoid I'll get hacked. I keep this annoying evil so they don't take the mounts away. (I'm SO cheap :P) This is the ONLY game I have an auth. on simply because it offered the free mount.



Remember that sometimes the user isn't directly at fault. This is especially true if your WildStar password isn't unique to WildStar. Many players use the same couple of passwords everywhere, including places they consider "safe". Even if their machine/environment are secured, the fact that they gave their credentials to many different websites/platforms = higher chance for one of those websites to get compromised and for the password to end up in the wild.

This can happen -years- after you entered your credentials somewhere, hence why it is recommended to change your passwords often, and that's again something most people don't do unless enforced. Yes, even us (employees) for example are always annoyed when we get that Windows reminder forcing us to change our password every 90 days and preventing us from using an old password for 3 consecutive years. If that policy wasn't in place in companies (including ours), I can tell you that less than 5% of users would actually take the time to change their password even once a year...

Having two factor authentication (2FA) doesn't mean you should stop following all best practices when it comes to logins and passwords, but at the very least if you do not, it will add a layer of security which is always welcomed :)

Last but not least, we are currently working on adding some grace period for 2FA, which means that if you connect from a known IP address + have used 2FA in the past X days (exact number to be determined), you will be able to log on without having to enter your 2FA code again. This should make using 2FA more convenient and hopefully encourage more players to use 2FA while still providing an excellent level of protection.



^this

Hackers don't brute force anything at this scale; it's not profitable. They use keyloggers, click trackers, screen scrapers, remote access, they'll even gather lists of registration emails and passwords from sites of similar backgrounds (like someone is probably trying to break wildstar-roleplay.com for its passwords and usernames, and will fire those into the login just to make sure someone didn't use the same email/password combo for both the client and any number of other websites). Really dedicated hackers might even be able to pull a man-in-the-middle attack, mimicking your IP. All you know is that whatever the attack is, it will almost surely be automated as much as possible. They're casting their nets wide and catching people between password changes.

2FA essentially makes your system as unautomatable as possible, especially with the number-salad they pull at login (that seems like a small measure, but means 100% of keyloggers and about 99% of standard clicktrackers wouldn't work in a stutter attack and that someone would specifically have to be targeting a known Wildstar account to even try it). If you don't have it, your Wildstar account is about as protected as your email; it just takes one slip up between password changes falling into the wrong hands. They don't need to fire a thousand login attempts at Carbine to log in. They're just trying to find a thousand individual logins to throw and seeing what sticks. At that rate, accounts with 2FA just aren't usually worth the work to break.

Psyknis's post you were responding to was indicating a specifically shared password, since most people don't actually have completely idiosyncratic passwords. That said, Carbine might notice if you fire a thousand logins from the same IP. Carbine might not notice if you fire a thousand guesses from a thousand different IPs cycling between fifty different logins. It is possible to brute force a password. Psyknis is bringing up a good way for a password to become exceptionally secure against a brute force hack while still being very easy to remember. At present, I don't think Carbine's password system is set up to be that long (I'm not sure, I use 2FA so I don't have to worry about completely resetting my password every few months).
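
Added example, not part of the original thread and not Carbine's actual detection logic: the post above contrasts a thousand logins from one IP with a thousand guesses from a thousand IPs cycling between fifty logins, and this sketch shows why a per-IP failure counter sees only the first case while a per-account count of distinct failing source addresses sees the second. The function names, thresholds and log data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict


def noisy_ips(failures, max_per_ip=10):
    """Per-IP rule: source addresses with more failed logins than max_per_ip."""
    counts = Counter(ip for ip, _ in failures)
    return {ip for ip, n in counts.items() if n > max_per_ip}


def sprayed_accounts(failures, min_distinct_ips=10):
    """Per-account rule: accounts that failed from many different addresses."""
    sources = defaultdict(set)
    for ip, account in failures:
        sources[account].add(ip)
    return {acct for acct, ips in sources.items() if len(ips) >= min_distinct_ips}


# Constructed sample data: failed logins in one time window, as (source_ip, account).
# Case A: one address firing 1000 guesses at a single account.
single_source = [("203.0.113.7", "player0")] * 1000
# Case B: 1000 addresses, one guess each, cycling between 50 accounts.
distributed = [(f"198.18.{i // 250}.{i % 250 + 1}", f"player{i % 50}")
               for i in range(1000)]

if __name__ == "__main__":
    for name, events in (("single source", single_source),
                         ("distributed", distributed)):
        print(f"{name}: noisy IPs={len(noisy_ips(events))}, "
              f"sprayed accounts={len(sprayed_accounts(events))}")
```

In practice the two rules are run together over a sliding window, since each one is blind to the pattern the other catches.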

