12-21-09, 03:53 AM   #1
Thrae
A Cyclonian
Join Date: Jun 2005
Posts: 42
How to secure your World of Warcraft / Battle.net Password

Hello everyone. You may have been wondering where I've been, if you know who I am. Well here's a little tip I found out in my hobby of increasingly securing my digital life:

http://keepass.info/

1. Download KeePass 2.x (non-Windows versions too)
2. Create a new database. Give it a decent Master Password.
3. Create a key file. This file can be any non-changing file of at least 1024KB of size.
4. Associate the key with the new database. Require both the password and key file.
5. Create entry for World of Warcraft / Battle.net.
6. Generate a random password of maximum length and strength (16 characters, a-z, A-Z, 0-9, #!%$). Remember to collect additional entropy for your password generation using mouse movement (option at the bottom).
7. Run WoW. Wait until you're at the login screen.
8. Uncheck "Remember username".
9. Tab out and go back to KeePass.
10. Edit Auto-Type property of your new entry.
11. Select the appropriate World of Warcraft window from the drop-down menu.
12. Select Two-Channel Auto-Type Obfuscation (TCATO). Keep all other defaults.
13. Save database.
14. Name the database and key something that doesn't sound like a database and key (provides little extra security, but helps).
15. For additional security, store key and/or database on USB Flash Drives, with an encrypted backup somewhere (the database and key might already be encrypted, but you don't want them lost, and you also don't want people knowing what you're backing up).
16. Change your World of Warcraft and/or Battle.net password to the newly generated KeePass entry.
17. Tab back to World of Warcraft's login screen.
18. Press CTRL+ALT+A (KeePass 2.x's default Global Auto-Type).
19. Voila! You have now logged in using a very strong password protected by another password and a key.

WHAT THE HECK IS ALL THIS?
There are plenty of password managers out there, but KeePass 2.x is the best password manager I have found. It can also be found in a PortableApp format, meaning you can run it entirely from a USB Flash Drive.

What is a password manager? Well, maybe you're using Internet Explorer and you have it remember a password to some website (say, wowinterface.com). If you do, it saves that password encrypted. Unfortunately, this encryption method is rather insecure without additional tools. Let's say you're using Firefox. It has no saved password encryption without setting a Master Password first, which is not set by default. Some people don't know that. I suggest the addon LastPass instead for non-financial website logins.

What is encryption? Well, it's a way of making something unreadable to anything without proper decryption, further securing it. There are a lot of different ways to encrypt something and not all of them are very good. KeePass 2.x does a decent job when you use a password + key file pair.

By following the above steps, you can turn a possibly guessable password into the strongest password possible given the normal password restrictions set by Blizzard while also defeating standard keyloggers and clipboard spies. The Auto-Type feature of Two-Channel Auto-Type Obfuscation (TCATO) uses the clipboard to transfer only part of the username and password, defeating standard clipboard spies as well. In theory, the only effective spy would be one designed around TCATO.

Currently this has been tested by me on Windows 7 64-bit using KeePass 2.09. You're free to reply with your results if you want to try it.

KeePass 2.x also works under Linux, Mac OSX, BSD, and other platforms with support for Mono 2.2+ (it's built on .NET 2.0).

My pfSense router has not detected any abnormalities coming from the KeePass program like it trying to phone home your stored passwords. This is a long-standing FOSS project split into Classic (old branch) and Professional (new branch).

If you want to further secure your data, I'd look at making encrypted volumes (even just file containers) using the FOSS TrueCrypt, and use hidden volumes and multiple keys spread across multiple locations. But that's only if you're seriously paranoid like me.

Of course, one may ask, what about the Authenticators? Well, this method isn't really better than the Authenticators and you won't get a cool pet. However,
a) they cost money (half of the people stop here)
b) it's annoying to manually type in the random sequence (other half stop here)
c) it's annoying to manually type in the random sequence BEFORE it changes (some people are slow typers / on laptops / etc.)
d) what happens if you lose it? (need to buy a new one and wait)
e) what happens if it gets stolen? (it's like you wrote down your password)
f) it's a single token system so it doesn't defeat standard keyloggers. They can still use the inputted PIN for as long as it's valid.

But to the Authenticators' defense, the KeePass method really is a PITA to setup, especially for those unfamiliar with password managers. Proper authentication security is just a well-known PITA.

Cheers.
__________________
Yes, I was a Tauren. Yes, it was bigger.
12-21-09, 04:01 AM   #2
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
I hope Thrae does not mind I comment on this thread.

I couldn't agree more; programs like he/she suggested are great. There is one thing you must keep in mind. YOU MUST keep a backup of all your passwords.

In my case I have gone with the flash drive always plugged in and online synchronization to Roboform Online.

If you don't back up your passwords the 15 character random password is going to be a pain to recover :-)

Quote:
it's a single token system so it doesn't defeat standard keyloggers. They can still use the inputted PIN for as long as it's valid.
The only thing I do not agree about this statement is the fact the code is not valid after it's been used. The code also is only valid for 30-45 seconds. So at this time a keylogger cannot harvest his information in enough time to make use of it. Even if they did they wouldn't be able to remove it fast enough.

Last edited by Phantom : 12-21-09 at 04:05 AM.
12-21-09, 04:21 AM   #3
Thrae
A Cyclonian
Join Date: Jun 2005
Posts: 42
Quote: Originally Posted by Phantom
I hope Thrae does not mind I comment on this thread.
I'm always up for discussion, especially on topics I do not consider myself an expert on.

Quote:
YOU MUST keep a backup of all your passwords.
Yes, this was said in step #15. Yes, it's extremely important. Good for making an extra note of that. I did mention having extra USB flash drives.

Quote:
In my case I have gone with the flash drive always plugged in and online synchronization to Roboform Online.
Online hosted backups are a good idea. I was going to write about them but felt it was a little off-topic. There's a really neat cross-platform solution called CrashPlan that I use with my friends. It's 128-bit encryption with the free, Java-based client. Backing up to their server is only $3.75/month (3-year contract) for up to 4TB volumes at a time (at like 500KB/s at most, so it'll still take a while).

Quote:
The only thing I do not agree about this statement is the fact the code is not valid after it's been used. The code also is only valid for 30-45 seconds. So at this time a keylogger cannot harvest his information in enough time to make use of it. Even if they did they wouldn't be able to remove it fast enough.
Yes, the token method is good in practice but not in theory. In theory, a WoW-specific keylogger could grab the key, send it off to a nearby botted computer with low latency, and change key information in your account before the key changes. It's impracticable, but theoretically possible.
__________________
Yes, I was a Tauren. Yes, it was bigger.
12-21-09, 04:28 AM   #4
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
I feel really...really bad.

I didn't actually read your entire post so I sort of missed the part where you told people to back up the database. Although it cannot be said enough I suppose, I wish I thought about it, almost lost my Google mail account because I didn't.

Quote:
Online hosted backups are a good idea. I was going to write about them but felt it was a little off-topic. There's a really neat cross-platform solution called CrashPlan that I use with my friends. It's 128-bit encryption with the free, Java-based client. Backing up to their server is only $3.75/month (3-year contract) for up to 4TB volumes at a time (at like 500KB/s at most, so it'll still take a while).
In my example Roboform has a free "online service" that lets you upload your accounts to an account. Which of course means you have to remember the password to that account. When you make a change to the database it uploads the file, which can be encrypted if you wanted it to.

Quote:
Yes, the token method is good in practice but not in theory. In theory, a WoW-specific keylogger could grab the key, send it off to a nearby botted computer with low latency, and change key information in your account before the key changes. It's impracticable, but theoretically possible.
Most internet traffic takes several seconds and in the case of a token generated number that is only valid for once and for only 30 seconds every second counts. I don't disagree we might get to that point in the future. At this time there has never in 2 years been a single confirmed case. I don't disagree in theory it's possible, I think you're giving these people too much credit, they can't overcome normal internet traffic delays.

I should add I didn't save the database to a flash drive when I found Roboform. In my case it was saved to an HDD on a computer; to this day I have never figured out what happened, although the only suspect is a bad controller bus. I did have a backup, it just was not current. It worked out though, and I learned my lesson.

In other words I couldn't praise your suggestion more. Besides the fact of not having to remember account names, although that could be a bad thing at the same time.

Last edited by Phantom : 12-21-09 at 04:32 AM.
12-21-09, 05:28 AM   #5
shkm
A Chromatic Dragonspawn
Join Date: Aug 2008
Posts: 186
I always pop my DB into Dropbox and it works wonderfully. Oh hey, since I'm on the topic of Dropbox, here is my referral link. It's really a great service, and free for ~2GB.
__________________
Quit WoW again on 17/04/2014.
12-21-09, 02:43 PM   #6
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
Quote: Originally Posted by shkm
I always pop my DB into Dropbox and it works wonderfully. Oh hey, since I'm on the topic of Dropbox, here is my referral link. It's really a great service, and free for ~2GB.

Dropbox is a great solution for a password keeper database ;-)
12-21-09, 03:04 PM   #7
zero-kill
A Firelord
Join Date: Aug 2009
Posts: 497
Another good tip: Remember your password.
12-22-09, 02:54 AM   #8
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
Quote: Originally Posted by zero-kill
Another good tip: Remember your password.
What's with all these one-liners being really funny, and what has happened to be, but so bloody true?
11-29-10, 01:46 AM   #9
Niightblade
A Fallenroot Satyr
Join Date: Dec 2006
Posts: 21
Sorry to necro, but I thought it might be handy to mention the KeePass2 pattern for generating a 16-character Battle.net password:
Code:
Ld[A#!%$]{14}
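As an added example, which is not part of the thread and is not KeePass code, here is a small Python interpreter for the subset of the KeePass pattern syntax that Niightblade's pattern uses, so you can see what `Ld[A#!%$]{14}` produces and how much entropy it carries. The placeholder meanings (L = letter of either case, d = digit, A = letter or digit, `[...]` = custom set built from placeholders and literals, `{n}` = repeat the previous element n times, `\` = escape) are my reading of the KeePass documentation, not something stated in the thread; the function names are mine, and the `permute` option imitates the generator's option to shuffle the result so the guaranteed letter and digit do not sit in fixed positions.

```python
import math
import secrets
import string

# Placeholder meanings for the subset of the KeePass pattern syntax used in
# the thread (assumed from the KeePass documentation, not from the thread):
#   L = any letter, upper or lower case     d = digit
#   A = letter or digit                      \x = literal x
#   [...] = custom set built from the placeholders/literals inside the brackets
#   {n}  = repeat the previous element n times
PLACEHOLDERS = {
    "L": string.ascii_letters,
    "d": string.digits,
    "A": string.ascii_letters + string.digits,
}


def parse_pattern(pattern: str) -> list:
    """Expand a pattern into one character set per output position."""
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":
            end = pattern.index("]", i)          # ValueError if unterminated
            body = pattern[i + 1:end]
            charset = set()
            j = 0
            while j < len(body):
                if body[j] == "\\" and j + 1 < len(body):
                    charset.add(body[j + 1]); j += 2
                elif body[j] in PLACEHOLDERS:
                    charset.update(PLACEHOLDERS[body[j]]); j += 1
                else:
                    charset.add(body[j]); j += 1
            slots.append("".join(sorted(charset)))
            i = end + 1
        elif ch == "{":
            end = pattern.index("}", i)
            count = int(pattern[i + 1:end])
            if not slots or count < 1:
                raise ValueError("bad repeat count in pattern")
            slots.extend([slots[-1]] * (count - 1))   # previous slot counts as the first
            i = end + 1
        elif ch == "\\" and i + 1 < len(pattern):
            slots.append(pattern[i + 1]); i += 2      # escaped literal
        elif ch in PLACEHOLDERS:
            slots.append(PLACEHOLDERS[ch]); i += 1
        else:
            slots.append(ch); i += 1                  # literal character
    return slots


def generate(pattern: str, permute: bool = False) -> str:
    """Draw one character per slot from the OS CSPRNG (never `random`)."""
    chars = [secrets.choice(s) for s in parse_pattern(pattern)]
    if permute:
        # shuffle so the position of the guaranteed letter/digit is not fixed
        secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(pattern: str) -> float:
    """Bits of entropy if every slot is drawn uniformly: sum of log2(|set|)."""
    return sum(math.log2(len(s)) for s in parse_pattern(pattern))


if __name__ == "__main__":
    pat = "Ld[A#!%$]{14}"
    print(generate(pat), generate(pat, permute=True))
    print(f"{entropy_bits(pat):.1f} bits")     # about 93.6 bits
```

The pattern yields 16 characters: one letter, one digit, then 14 drawn from the 66-character set of letters, digits and `#!%$`, for roughly 93.6 bits if the generator is uniform. Without `permute`, positions 1 and 2 are always a letter and a digit, which costs nothing in entropy but is worth knowing if a site's rules forbid a leading digit or letter.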
01-26-12, 04:37 PM   #10
Xuerian
A Fallenroot Satyr
Join Date: Jul 2006
Posts: 27
Necro powers, activate. Etc.

Code:
{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1500}{ENTER}
is a simple autotype sequence to skip the "select account" prompt.
02-26-12, 03:10 PM   #11
ValerieS
A Kobold Labourer
Join Date: Feb 2012
Posts: 1
Originally Posted by Phantom View Post
Dropbox is a great solution for a password keeper database ;-
Look, Dropbox is great for transferring large files that Gmail won't take, but as for saving your passwords, I think I would prefer saving them locally on a separate CD or USB (though I would keep them in a drawer and take them out only when needed).
__________________
Am I the only one concerned about all our data being moved to this or that cloud database? I want my information safe under my pillow
02-27-12, 01:11 AM   #12
Phanx
Cat.
Join Date: Mar 2006
Posts: 5,617
Quote: Originally Posted by ValerieS
Look, Dropbox is great for transferring large files that Gmail won't take, but as for saving your passwords, I think I would prefer saving them locally on a separate CD or USB (though I would keep them in a drawer and take them out only when needed).
I have a half-dozen or so base passwords, each with 2-3 variations using capital letters, numbers, and/or non-alphanumeric symbols. Rather than write out the full password in my "database" (which is really just a text file) I write 1-3 characters that remind me which variation of which password I used.

For example, a base password could be "dogsreallysuck". Variations could be "DogsReallySuck!", "d0gsreallysuck", and "D0gsReallySuck!". Reminders could then be "d", "D!", "d0", and "D0!". (No, this isn't a real password I use, or have used. )

If someone gets a hold of the list, they can tell that I use the same password for Reddit and Imgur, but the 2 character reminder isn't going to be of much use to them in figuring out what that password actually is.

I feel that this is a reasonable compromise between security and usability. It's secure enough that I'm comfortable leaving it in "insecure" places (e.g. an unencrypted copy in a plain text file on my hard drive, a copy in my Dropbox, and a copy in my browser's sync service), and that someone casually stumbling across it won't be able to use the information they've found, but it's still usable enough that I don't have to worry about losing a tiny USB drive or forgetting the password to an encrypted volume.

On a side note, Blizzard passwords are not case-sensitive, which is something that's always bothered me.
02-27-12, 10:35 AM   #13
Petrah
A Pyroguard Emberseer
Join Date: Jan 2008
Posts: 2,988
I keep my passwords in my head. IMHO there is no piece of software, thumb-drive, CD, DVD, browser, or website safe enough.
__________________
AddOn Authors: If your addon spams the chat box with "Addon v8.3.4.5.3 now loaded!", please add an option to disable it!
02-27-12, 03:17 PM   #14
Nibelheim
local roygbi-
Join Date: Jan 2010
Posts: 1,600
And with the latest NSA and CIA technology for probing our thoughts, not even our brains are safe.
04-30-16, 04:37 AM   #15
sydbarrett74
A Defias Bandit
Join Date: Apr 2016
Posts: 2
Password being pasted into username field

Thanks for providing us with instructions and a template for using Keepass with the WoW client.

I'm running into a slight problem, however. It seems that when I do CTRL + ALT + A, my username is being pasted into the appropriate field, but then my password overwrites the username instead of being properly pasted into the Password: field. Any ideas?
05-01-16, 01:08 AM   #16
Ketho
A Pyroguard Emberseer
Join Date: Mar 2010
Posts: 1,026
Using KeePass is kind of obsolete now, with the Battle.net app login. Also, that necro.

-----

You're not giving us enough information.
* What Auto-Type sequence are you using? The default one?
* Do you have multiple WoW accounts on the same Battle.net account?

Otherwise try using a delay between the username and password:
Code:
{USERNAME}{DELAY 500}{TAB}{DELAY 500}{PASSWORD}{DELAY 500}{ENTER}
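As an added example, which is not part of the thread and is not KeePass code, here is a Python tokenizer for the auto-type sequence syntax quoted by Xuerian and Ketho, with a helper that applies Ketho's fix mechanically: it inserts a `{DELAY ms}` between every two adjacent tokens that are not already separated by a delay, which turns the default `{USERNAME}{TAB}{PASSWORD}{ENTER}` into exactly the sequence Ketho posted. The grammar (`{NAME}` placeholders and keys, `{DELAY ms}`, anything else typed literally) is inferred only from the sequences in this thread, the set of accepted names is limited to those the thread uses, and the names `tokenize`, `render`, `add_delays` and `is_valid` are mine.

```python
import re

# Token grammar, inferred only from the sequences quoted in this thread:
#   {NAME}       a field placeholder or key, e.g. {USERNAME}, {TAB}, {ENTER}
#   {DELAY ms}   pause for ms milliseconds before the next keystroke
#   anything else is typed literally
_TOKEN = re.compile(r"\{([A-Za-z]+)(?:\s+(\d+))?\}|([^{}]+)")

# Only the placeholders and keys that appear in this thread are accepted.
KNOWN_KEYS = {"USERNAME", "PASSWORD", "TAB", "ENTER", "DELAY"}


def tokenize(seq: str) -> list:
    """Split a sequence into (kind, value, arg) tuples; raise on anything
    malformed so a typo cannot silently type half a password somewhere."""
    tokens = []
    pos = 0
    for m in _TOKEN.finditer(seq):
        if m.start() != pos:                      # a stray brace left a gap
            raise ValueError(f"unparsable text at offset {pos}: {seq[pos:]!r}")
        pos = m.end()
        if m.group(3) is not None:
            tokens.append(("text", m.group(3), None))
            continue
        name = m.group(1).upper()
        if name not in KNOWN_KEYS:
            raise ValueError(f"unknown placeholder {{{name}}}")
        arg = int(m.group(2)) if m.group(2) else None
        if (name == "DELAY") != (arg is not None):   # DELAY needs ms, others must not have it
            raise ValueError(f"bad argument for {{{name}}}")
        tokens.append(("key", name, arg))
    if pos != len(seq):
        raise ValueError(f"unparsable text at offset {pos}: {seq[pos:]!r}")
    return tokens


def render(tokens: list) -> str:
    """Inverse of tokenize: rebuild the textual sequence."""
    out = []
    for kind, value, arg in tokens:
        if kind == "text":
            out.append(value)
        elif arg is None:
            out.append("{" + value + "}")
        else:
            out.append("{" + value + " " + str(arg) + "}")
    return "".join(out)


def is_valid(seq: str) -> bool:
    try:
        tokenize(seq)
        return True
    except ValueError:
        return False


def add_delays(seq: str, ms: int) -> str:
    """Insert {DELAY ms} between every pair of adjacent tokens that are not
    already separated by a delay, giving the client time to move focus."""
    padded = []
    for tok in tokenize(seq):
        if padded and padded[-1][1] != "DELAY" and tok[1] != "DELAY":
            padded.append(("key", "DELAY", ms))
        padded.append(tok)
    return render(padded)


if __name__ == "__main__":
    print(add_delays("{USERNAME}{TAB}{PASSWORD}{ENTER}", 500))
    print(add_delays("{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1500}{ENTER}", 500))
```

The strict tokenizer matters more than the delay helper: a malformed placeholder such as `{USERNAME` would otherwise be typed as literal text, and a typo in the sequence is exactly how a password ends up in the username field or, worse, in a chat window with focus.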
05-03-16, 02:11 AM   #17
sydbarrett74
A Defias Bandit
Join Date: Apr 2016
Posts: 2
Resolved

Putting the delay in there fixed it. Thank you so much again for your help and the original instructions. Although many people may think KeePass obsolete, I still love it because it's FOSS and still has an active community of developers and add-on creators.
05-03-16, 07:08 PM   #18
Ketho
A Pyroguard Emberseer
Join Date: Mar 2010
Posts: 1,026
I mean, I still use KeePass. Just meant obsolete for the games with Battle.net app login.