12-21-09, 04:01 AM   #1
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
I hope Thrae does not mind my commenting on this thread.

I couldn't agree more: programs like the one he/she suggested are great. There is one thing you must keep in mind: YOU MUST keep a backup of all your passwords.

In my case I have gone with the flash drive always plugged in and online synchronization to Roboform Online.

If you don't back up your passwords, a 15-character random password is going to be a pain to recover :-)

Originally Posted by Thrae
It's a single-token system, so it doesn't defeat standard keyloggers. They can still use the inputted PIN for as long as it's valid.
The only thing I do not agree with in this statement is the fact that the code is not valid after it's been used. The code is also only valid for 30-45 seconds. So at this time a keylogger cannot harvest this information fast enough to make use of it. Even if they did, they wouldn't be able to remove it fast enough.

Last edited by Phantom : 12-21-09 at 04:05 AM.
12-21-09, 04:21 AM   #2
Thrae
A Cyclonian
 
Join Date: Jun 2005
Posts: 42
Originally Posted by Phantom
I hope Thrae does not mind I comment on this thread.
I'm always up for discussion, especially on topics I do not consider myself an expert on.

YOU MUST keep a backup of all your passwords.
Yes, this was said in step #15. Yes, it's extremely important. Good for making an extra note of that. I did mention having extra USB flash drives.

In my case I have gone with the flash drive always plugged in and online synchronization to Roboform Online.
Online hosted backups are a good idea. I was going to write about them but felt it was a little off-topic. There's a really neat cross-platform solution called CrashPlan that I use with my friends. It uses 128-bit encryption with the free, Java-based client. Backing up to their server is only $3.75/month (3-year contract) for up to 4TB volumes at a time (at like 500KB/s at most, so it'll still take a while).

The only thing I do not agree with in this statement is the fact that the code is not valid after it's been used. The code is also only valid for 30-45 seconds. So at this time a keylogger cannot harvest this information fast enough to make use of it. Even if they did, they wouldn't be able to remove it fast enough.
Yes, the token method is good in practice but not in theory. In theory, a WoW-specific keylogger could grab the key, send it off to a nearby botted computer with low latency, and change key information in your account before the key changes. It's impracticable, but theoretically possible.
__________________
Yes, I was a Tauren. Yes, it was bigger.
12-21-09, 04:28 AM   #3
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
I feel really...really bad.

I didn't actually read your entire post, so I sort of missed the part where you told people to back up the database. Although it cannot be said enough, I suppose. I wish I had thought about it; I almost lost my Google mail account because I didn't.

Online hosted backups are a good idea. I was going to write about them but felt it was a little off-topic. There's a really neat cross-platform solution called CrashPlan that I use with my friends. It uses 128-bit encryption with the free, Java-based client. Backing up to their server is only $3.75/month (3-year contract) for up to 4TB volumes at a time (at like 500KB/s at most, so it'll still take a while).
In my example, Roboform has a free "online service" that lets you upload your accounts to an account, which of course means you have to remember the password to that account. When you make a change to the database it uploads the file, which can be encrypted if you want it to be.

Yes, the token method is good in practice but not in theory. In theory, a WoW-specific keylogger could grab the key, send it off to a nearby botted computer with low latency, and change key information in your account before the key changes. It's impracticable, but theoretically possible.
Most internet traffic takes several seconds, and in the case of a token-generated number that is valid only once and for only 30 seconds, every second counts. I don't disagree that we might get to that point in the future. At this time there has never, in 2 years, been a single confirmed case. I don't disagree that in theory it's possible; I think you're giving these people too much credit. They can't overcome normal internet traffic delays.

I should add that I didn't save the database to a flash drive when I found Roboform. In my case it was saved to an HDD on a computer; to this day I have never figured out what happened, although the only suspect is a bad controller bus. I did have a backup, it just was not current. It worked out though, and I learned my lesson.

In other words, I couldn't praise your suggestion more. Besides, there's the fact of not having to remember account names, although that could be a bad thing at the same time.

Last edited by Phantom : 12-21-09 at 04:32 AM.
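The disagreement in the last three posts is about timing: a one-time code is only useful to a keylogger if the bot submits it inside the 30-second step and before the victim's own login consumes it. The following is an added example, not code from the thread or from Blizzard; it implements RFC 6238 TOTP with a strict single-use verifier and plays out both the relay race Thrae describes and the "already used" rejection Phantom describes. The seed, the 30-second step and all timings are constructed for the demo and say nothing about how the Battle.net authenticator is actually implemented.

```python
import hmac
import hashlib
import struct

STEP = 30          # seconds per code, the 30-second window the thread discusses
DIGITS = 6

# Constructed demo seed. A real token's seed never leaves the device and the server.
SECRET = b"0123456789abcdef0123"


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter floor(now / step)."""
    counter = now // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side. Strict: the code must match the current step (no skew window),
    and each step is consumed once, so a second login with the same code fails."""

    def __init__(self, secret: bytes, step: int = STEP):
        self.secret = secret
        self.step = step
        self.last_counter = -1   # highest step counter already used for a login

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_counter:
            return False          # replay: a code from this step was already accepted
        expected = totp(self.secret, now, self.step)
        if not hmac.compare_digest(expected, code):
            return False          # wrong code, or a code from an earlier step
        self.last_counter = counter   # burn this step
        return True


def captured_code_replayed(capture_time: int, delay: int) -> bool:
    """A keylogger captures the code the victim typed at capture_time and a remote
    bot submits it delay seconds later, before the victim's own login arrives."""
    server = TokenVerifier(SECRET)
    return server.verify(totp(SECRET, capture_time), capture_time + delay)


def race(capture_time: int, attacker_delay: int, victim_delay: int) -> dict:
    """Victim and bot both submit the same captured code; whichever request the
    server processes first wins, and the other is rejected as a replay."""
    server = TokenVerifier(SECRET)
    code = totp(SECRET, capture_time)
    submissions = sorted(
        [("victim", capture_time + victim_delay),
         ("attacker", capture_time + attacker_delay)],
        key=lambda s: s[1],
    )
    return {who: server.verify(code, at) for who, at in submissions}


if __name__ == "__main__":
    t0 = 1000                     # step 33 covers seconds 990..1019
    print("bot 5 s behind, same step:", captured_code_replayed(t0, 5))    # True
    print("bot 20 s behind, next step:", captured_code_replayed(t0, 20))  # code no longer matches
    print("bot beats victim by 2 s:", race(t0, 1, 3))   # attacker accepted, victim rejected
    print("victim beats bot by 3 s:", race(t0, 5, 2))   # victim accepted, attacker rejected
```

The two outcomes that matter are the last two: single use means the second arrival always loses, so the attack only works if the relayed request reaches the server before the victim's own login does, and even then only within the same 30-second step. Note that a verifier which accepts neighbouring steps to tolerate clock skew widens that window; this one deliberately does not.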
12-21-09, 05:28 AM   #4
shkm
A Chromatic Dragonspawn
 
Join Date: Aug 2008
Posts: 186
I always pop my DB into Dropbox and it works wonderfully. Oh hey, since I'm on the topic of Dropbox, here is my referral link. It's really a great service, and free for ~2GB.
__________________
Quit WoW again on 17/04/2014.
12-21-09, 02:43 PM   #5
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
Originally Posted by shkm
I always pop my DB into Dropbox and it works wonderfully. Oh hey, since I'm on the topic of Dropbox, here is my referral link. It's really a great service, and free for ~2GB.

Dropbox is a great solution for a password keeper database ;-)
12-21-09, 03:04 PM   #6
zero-kill
A Firelord
 
Join Date: Aug 2009
Posts: 497
Another good tip: Remember your password.
12-22-09, 02:54 AM   #7
Phantom
A Fallenroot Satyr
Join Date: Aug 2007
Posts: 27
Originally Posted by zero-kill
Another good tip: Remember your password.
What's with all these one-liners being really funny and yet, as it happens, so bloody true?
02-26-12, 03:10 PM   #8
ValerieS
A Kobold Labourer
 
Join Date: Feb 2012
Posts: 1
Originally Posted by Phantom
Dropbox is a great solution for a password keeper database ;-)
Look, Dropbox is great for transferring large files that Gmail won't take, but as for saving your passwords, I think I would prefer saving them locally on a separate CD or USB (though I would keep them in a drawer and take them out only when needed).
__________________
Am I the only one concerned about all our data being moved to this or that cloud database? I want my information safe under my pillow
02-27-12, 01:11 AM   #9
Phanx
Cat.
 
Join Date: Mar 2006
Posts: 5,617
Originally Posted by ValerieS
Look, Dropbox is great for transferring large files that Gmail won't take, but as for saving your passwords, I think I would prefer saving them locally on a separate CD or USB (though I would keep them in a drawer and take them out only when needed).
I have a half-dozen or so base passwords, each with 2-3 variations using capital letters, numbers, and/or non-alphanumeric symbols. Rather than write out the full password in my "database" (which is really just a text file) I write 1-3 characters that remind me which variation of which password I used.

For example, a base password could be "dogsreallysuck". Variations could be "DogsReallySuck!", "d0gsreallysuck", and "D0gsReallySuck!". Reminders could then be "d", "D!", "d0", and "D0!". (No, this isn't a real password I use, or have used.)

If someone gets a hold of the list, they can tell that I use the same password for Reddit and Imgur, but the 2 character reminder isn't going to be of much use to them in figuring out what that password actually is.

I feel that this is a reasonable compromise between security and usability. It's secure enough that I'm comfortable leaving it in "insecure" places (e.g. an unencrypted copy in a plain text file on my hard drive, a copy in my Dropbox, and a copy in my browser's sync service), and that someone casually stumbling across it won't be able to use the information they've found, but it's still usable enough that I don't have to worry about losing a tiny USB drive or forgetting the password to an encrypted volume.

On a side note, Blizzard passwords are not case-sensitive, which is something that's always bothered me.
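The reminder scheme in Phanx's post, written out as an added example (this is not Phanx's code and the post describes no tool): a decoder from a 1-3 character reminder to the variant it stands for, plus an enumeration of every variant the reminder alphabet can select. That enumeration is the check a practitioner would want, since it is exactly the candidate set someone holding one base password and the reminder file has to try. The word split of the base password and the three transform rules are assumptions inferred from the post's four examples.

```python
from itertools import product

# Constructed: the post's sample base password split at its word boundaries.
# The scheme capitalises "each word", so the split is needed; the reminder alone
# does not carry it (assumption: the user knows the split by heart).
BASE_WORDS = ["dogs", "really", "suck"]

# Reminder alphabet inferred from the post's examples (assumption):
#   'd' or 'D' -> whether each word is capitalised
#   '0'        -> replace the letter 'o' with the digit '0'
#   '!'        -> append '!'
CASE_FLAGS = ("d", "D")


def expand(words, reminder: str) -> str:
    """Decode a 1-3 character reminder into the full variant it stands for."""
    caps = reminder[:1].isupper()
    leet = "0" in reminder
    bang = reminder.endswith("!")
    password = "".join(w.capitalize() if caps else w for w in words)
    if leet:
        password = password.replace("o", "0").replace("O", "0")
    if bang:
        password += "!"
    return password


def all_reminders() -> list:
    """Every reminder string the alphabet above can produce (2 x 2 x 2 = 8)."""
    out = []
    for case in CASE_FLAGS:
        for use_leet, use_bang in product((False, True), repeat=2):
            out.append(case + ("0" if use_leet else "") + ("!" if use_bang else ""))
    return out


def candidates(words) -> set:
    """The full set of variants reachable from one base password. A leaked
    reminder narrows this to one entry; a leaked base password alone still
    leaves only this many guesses."""
    return {expand(words, r) for r in all_reminders()}


if __name__ == "__main__":
    for r in ("d", "D!", "d0", "D0!"):
        print(f"{r:>4} -> {expand(BASE_WORDS, r)}")
    print(len(candidates(BASE_WORDS)), "variants reachable from one base password")
```

The four reminders from the post decode to the four variants it lists, and the whole alphabet covers eight variants per base. Whether that is enough depends entirely on the base password staying secret, which the post relies on by never writing it down.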

WoWInterface » General Discussion » Chit-Chat » How to secure your World of Warcraft / Battle.net Password

