In an analysis performed by Imperva of 32 million leaked passwords from rockyou.com, it was found that nearly 50% of passwords consist of people's names, slang words, dictionary words or trivial passwords. The study estimates that if a hacker used the top 5000 passwords in a dictionary attack, it would take, on average, only 111 attempts to break into a given account.
World of Warcraft does not have an account or IP address lockout after any number of bad password attempts. This gives the bad guys an opportunity to dictionary attack your account.
Assuming that the WoW account password frequency distribution is similar and that a hacker could try a password every 2 seconds - it would take an average of only 3.7 minutes to hack an account.
Obviously the time required to hack your account is going to vary based on the strength of your game password so choosing an uncommon and complex password is key. The report lists the following as the most commonly used passwords:
- 123456
- 12345
- 123456789
- password
- iloveyou
- princess
- rockyou (or 'warcraft' in our case)
- 1234567
- 12345678
- abc123
Other common passwords include monkey, qwerty, 654321 and first names of people.
How can you better protect your WoW account?
First, buy yourself an authenticator and add another layer of security to your account. A dictionary attack is largely rendered useless with the addition of a hardware token.
Second, if you don't have an authenticator or wish to be more secure then choose a strong password. Strong passwords contain numeric and non-standard characters and do not have any strings that contain dictionary words. They should be at 12-14 characters in length. However, don't bother too much with upper and lower case characters since the battle.net authentication service does not differentiate between upper/lower case. An example of strong WoW password would be something like "sdm#6wua2pa9jk".
If you have trouble remembering a strong password (and most of us will) then try to create something similar from a memorable saying. For example, Professor Putricide's "Bad news everyone! I don't think I'm going to make it" becomes "bne!idtig2mi" as your password. Such a password will be close to impossible to dictionary attack and will take a long time to brute force attack. Don't share this password with anyone and don't use this password on any other service - keep it unique to WoW only.
Finally, create a unique email address as your battle.net login. Hackers need to be able to guess or steal your username so making this complex will certainly hinder their efforts.
Update: If you want to read more about hackers stealing account usernames and passwords, check out the Symantec article where they recently discovered 44 million stolen gaming credentials.
A little bit of effort with your password selection will make hacking your precious account significantly more difficult... and don't forget to get yourself an authenticator.