Ultimate Account Security
  1. #1
    Maccer

    Ultimate Account Security

    Hi,

    This is a thread I decided to make to stop accounts being stolen and people being scammed on a daily basis.
    The guide shall be divided into a couple of sections, covering how to protect yourself from different kinds of dangerous scams and hacking techniques.

    1. Introductory point
    2. General account security
    3. Securing the email account
    4. Securing from phishing
    5. Securing from Social Engineering
    6. Adding the final layer





    1. Introductory point


    Alright, before we start with anything else, we have to make sure we're totally secure right now, in this very moment. It would be really silly to start all of these securing steps without previously securing our computer. You can't make a good house without a good bedrock, can you?
    I'm really not going to suggest which antivirus or firewall software to use, or which one is the best. If you're suspecting that you might be infected with a keylogger or a RAT, format your computer. You really shouldn't trust AVs when it comes to this. Now, don't think I'm forcing you into formatting your computer just for the cause of this guide, but when it comes to an infected computer, formatting is always the best option.

    Once you are certain that your computer is not infected with any kind of spyware, we can move on. Choose a good antivirus, turn your firewall on, and remember the golden rule.
    Don't run the .exe which you know nothing about.

    2. General account security


    Now that our computer is secured with three layers (formatted HD, antivirus, firewall), we can move on to Battle.net account security.
    The main component of every security in the world is the password. We now must choose a damn good password which can't be bruteforced or guessed by social engineers.
    What does this mean? Well, we gotta figure out a new password which will be unique only to Battle.net. Remember that there must be no references from your life in your password.

    Don't use password generation websites, as you never know where the generated data goes; rather, take a pencil and think of something. Let's do it together. I'll take the movie "Life of Pi" as I've never watched it, and none of my friends ever watched it. There's no browser history of it and no references that could connect me to it. How did this occur to me? I saw a TV commercial a minute or something ago.

    Code:
    lIFE753OF951Pi
    Easy to remember, right? Replace capitalized letters with non capitalized and vice versa, add an X number pattern between all words. What's the best thing of all of this? No social engineer could ever guess a password, none of your "friends" could ever even imagine you have a retarded password like this one. What's the best of the best things?
    Let's take it like this: a desktop computer can make 4 billion calculations per second. Our password has 12 septillion possible combinations. Let's just say that, between a billion and a septillion, there are a trillion, a quadrillion, a quintillion, and a sextillion.
    So how long does an average computer have to work to get this password cracked? 98 million years.

    You can check your password's security here: https://howsecureismypassword.net/
    Don't go on any other password checking websites, as you, again, never know if the data is stored in the back end or not. This is a JavaScript-run website, which means that your computer does all the calculations and the data isn't sent back to the server. It is also an HTML-only site, which means it's not vulnerable to XSS and SQL injection attacks.
    Note: Do the same for secret answer and question!

    3. Securing the email account

    I've picked this one some time ago from Unholy Shaman, so I hope he won't be mad at me for copying it over. It's a brilliant technique to secure yourself from scam emails and social engineers.
    1. Make a new GMail E-Mail with random characters, something like;
    2. Change your Battle.net account email to this email.

    What have we accomplished with this? Well, we're no longer using our main and well known email address and are no longer subject to social engineers and scam emails.
    How so? Well, only Blizzard knows our email account now and only Blizzard will send mails to that email account.
    Just remember to only use it for Battle.Net, nothing else.

    4. Securing from phishing




    Definition of phishing.


    Now that you know what phishing is, let me say a couple of words. Phishing is the biggest threat and the most used account stealing technique today, in general, not only for Battle.net.
    There is really not much to say but that you must be extremely careful when visiting certain websites by checking the URL in your address bar. Certain antiviruses have the "Anti-Phishing" module which can come in handy, so you might want to consider that.
    There are also add-ins for the most popular browsers like Chrome and Mozilla;
    Chrome: https://chrome.google.com/webstore/d...pamia?hl=en-GB
    Mozilla: https://addons.mozilla.org/en-us/fir...=cb-dl-created

    Tip: I know I'll probably be called an IEfag now, but I don't care. Use bookmarks! Sites can't mess with your bookmarks so they'll always be accurate.
    Golden rule: Check URLs!

    On to desktop phishing now. You must acknowledge that there are no gold hacks, gold generators, stats changers, gamecard generators and such overpowered shit like that. If it's not in the Legendary section it doesn't exist.
    You still don't believe me? Let's do a simple Youtube search query.






    Hmm... 634 new gold generators today, seems legit doesn't it? I mean, everyone in WoW is gold capped so maybe it's coming from this?
    Don't fall for this, these programs are either backdoor infected and not working, or phishing and not working.

    Conclusion: Check URLs, use bookmarks, don't download .exes which look too good to be true.

    5. Securing from Social Engineering





    Definition of Social Engineering



    Nutshell: People who pretend to be someone else to gain something they need, often giving you a false sense of security. We've pretty much secured ourselves from this, but there's still a risk a social engineer will appear. A set of short rules will help you bypass these people;

    1. No Blizzard representative will ever contact you first.
    2. No representative will ask you about your email, password, secret question.
    3. Trust no one.


    Basically, if you have at least one bit of suspicion, 95% of the time you'll be right.

    6. Adding the final layer







    Most people hesitate over this one, and it is optional, but you should strongly consider it. If you can, use an authenticator. It's the final layer of protection which makes your account pretty much bulletproof.
    Use either a physical authenticator, a mobile phone application or a desktop authenticator.




    That's it. I hope you've enjoyed and are now less paranoid about your account. Share your thoughts and questions, if you have any, in the comments below.
    Last edited by Maccer; 08-05-2013 at 04:31 PM.

  2. #2
    cukiemunster
    Very well written and quite informative. I hope people actually take this information and use it. I would +rep, but on CD for you.

    On a side note, my pw says it would take 412 years to crack. I'm OK with that.
    Last edited by cukiemunster; 08-05-2013 at 04:59 PM.

  3. #3
    markons
    For a persistent hacker any account can be hacked/stolen,
    Authenticator is the only thing you will need and
    create email on gmail and use 2-step verification so none can enter it.
    Last edited by markons; 08-06-2013 at 01:18 PM.

  4. #4
    Maccer
    Originally Posted by markons View Post
    For a persistent hacker any account can be hacked/stolen,
    Authenticator is the only thing you will need and
    create email on gmail and use 2-step verification so none can enter it.
    Some people just don't want to use an authenticator, or aren't able to.
    Leecher --> Member --> Contributor --> Elite --> News Team --> Elite --> Legendary --> Lurkin'

  5. #5
    Augury13
    Originally Posted by markons View Post
    For a persistent hacker any account can be hacked/stolen,
    Authenticator is the only thing you will need and
    create email on gmail and use 2-step verification so none can enter it.
    Yeah, some people don't want to use an auth, and I've hacked through auths, so it makes it really not too much challenging, just one more tiny step. Well, I guess any account can be stolen, but like this is to help your account not be stolen, and the last Gmail thing doesn't even really make sense.

  6. #6
    markons
    Ofc, but if your account gets phished, and many do on a daily basis, without an authenticator and 2-step verification on email you are in deep s**t.
    I have 2-step verification on my Gmail; whenever I try to log in from a different IP or from a different computer I have to enter a password that I receive on my phone. Just with that, no one can enter your mail and change it.

    If you just use a simple command in Google you can see how many accounts are compromised, well not the exact number, but with that command you will get his/her password and mail...

  7. #7
    markons
    Originally Posted by tmanowen View Post
    Yeah, some people don't want to use an auth, and I've hacked through auths, so it makes it really not too much challenging, just one more tiny step. Well, I guess any account can be stolen, but like this is to help your account not be stolen, and the last Gmail thing doesn't even really make sense.
    If I remember right, you need to accept an email change and ownership for a stolen account, or any change to the account. Preventing a person from doing that will secure your account even more.
    But i might be wrong.

  8. #8
    aamlord
    Checked my password. It's rather long and convoluted, the checker indicated over 4 quintillion years. So good luck finding my main account's password before Earth is toast (5 billion) or before Milky Way is devoured by Andromeda. Hell, the theoretical Big Rip would destroy everything we know of this reality before my password is cracked.

  9. #9
    Rayz
    Originally Posted by aamlord View Post
    Checked my password. It's rather long and convoluted, the checker indicated over 4 quintillion years. So good luck finding my main account's password before Earth is toast (5 billion) or before Milky Way is devoured by Andromeda. Hell, the theoretical Big Rip would destroy everything we know of this reality before my password is cracked.
    The NSA could crack your password during lunch break for fun.

  10. #10
    IChangedMyUsername
    This is a great guide, I've already locked my account in a vault (hypothetically speaking) so I'm rather confident in its protection. I took some tips from here and really enjoyed the read. The effort you put into this is much appreciated!

  11. #11
    Maccer
    Originally Posted by Rayz View Post
    The NSA could crack your password during lunch break for fun.
    If they manage to get all hashes from Blizzard and if they bother to hack someone's WoW account. And not really lunch break.

    Originally Posted by PhillySoPhrilly View Post
    This is a great guide, I've already locked my account in a vault (hypothetically speaking) so I'm rather confident in its protection. I took some tips from here and really enjoyed the read. The effort you put into this is much appreciated!
    Thanks.
    Leecher --> Member --> Contributor --> Elite --> News Team --> Elite --> Legendary --> Lurkin'

  12. #12
    Akuma-
    +1, but I'd like to mention one thing about the password.

    Originally Posted by Maccer View Post
    Code:
    lIFE753OF951Pi
    I'm sure I'm not the only one that has noticed this before, and I wanted to point this out because you don't mention this in your guide:

    It doesn't matter at all if your battle.net/wow password has the letters in upper or lower case, because the system only supports lower case letters.

    Your password can be AbCdEfG123 and you can still login by writing ABCDEFG123 or ABCDEFG123 or any other variation with lower and upper case letters.

    I remember making a support ticket about this back in burning crusade and the only answer I got from blizzard was that "the upper case letters are not needed" :-/

  13. #13
    Maccer
    Originally Posted by Akuma- View Post
    +1, but I'd like to mention one thing about the password.



    I'm sure I'm not the only one that has noticed this before, and I wanted to point this out because you don't mention this in your guide:

    It doesn't matter at all if your battle.net/wow password has the letters in upper or lower case, because the system only supports lower case letters.

    Your password can be AbCdEfG123 and you can still login by writing ABCDEFG123 or ABCDEFG123 or any other variation with lower and upper case letters.

    I remember making a support ticket about this back in burning crusade and the only answer I got from blizzard was that "the upper case letters are not needed" :-/
    I just realized that is true. Tried with my own password. This is a major security flaw and should get fixed in case a password hash table is ever leaked into the public. The reason for this is that it shortens a potential brute-force attack. Thank you for your information.
    Last edited by Maccer; 08-08-2013 at 04:31 AM.
    Leecher --> Member --> Contributor --> Elite --> News Team --> Elite --> Legendary --> Lurkin'
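
To put numbers on the case-insensitivity point raised in posts #12 and #13 (an added example, not code from the thread): the sketch below counts the exhaustive-search keyspace for the guide's sample password with and without case folding, using the guide's own rate of 4 billion guesses per second. The function names and the class-based alphabet model (ASCII letters, digits, punctuation) are assumptions, and the results are worst-case exhaustive-search times, not resistance to dictionary or pattern guessing.

```python
import string

GUESSES_PER_SECOND = 4_000_000_000      # rate quoted in the guide
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an attacker would have to cover (ASCII only; assumption).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password, case_insensitive=False):
    """Size of the smallest class-based alphabet that covers the password."""
    if case_insensitive:
        # The server treats 'A' and 'a' as the same symbol, so the attacker
        # only ever needs to try one case.
        password = password.lower()
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))


def keyspace(password, case_insensitive=False):
    """Number of candidates in an exhaustive search of that alphabet."""
    return alphabet_size(password, case_insensitive) ** len(password)


def years_to_exhaust(password, case_insensitive=False,
                     rate=GUESSES_PER_SECOND):
    """Worst-case years to try every candidate at `rate` guesses/second."""
    return keyspace(password, case_insensitive) / rate / SECONDS_PER_YEAR


def case_folding_factor(password):
    """How many times smaller the search becomes when case is ignored."""
    return keyspace(password) / keyspace(password, case_insensitive=True)


if __name__ == "__main__":
    pw = "lIFE753OF951Pi"   # the example password from the guide
    for folded in (False, True):
        label = "case-insensitive" if folded else "case-sensitive"
        print(f"{label:17} alphabet={alphabet_size(pw, folded):2} "
              f"keyspace={keyspace(pw, folded):.3e} "
              f"years={years_to_exhaust(pw, folded):,.0f}")
    print(f"reduction factor: {case_folding_factor(pw):,.0f}x")
```

With case respected, the model reproduces the guide's roughly 12 septillion combinations and 98 million years. With case folded, the same 14-character password drops to about 48,600 years, roughly 2,000 times less work for an offline attacker.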

  14. #14
    Garalon
    Great guide Maccer .

  15. #15
    Maccer
    Originally Posted by Garalon View Post
    Great guide Maccer .
    Thanks guy .
    Leecher --> Member --> Contributor --> Elite --> News Team --> Elite --> Legendary --> Lurkin'
