  • WoW Account Maximum Security Guide

    The more gold, items, achievements and general progression you gain for your characters in your World of Warcraft account, the more highly you will value it. There is also another value that increases: the value it has on the black market, whether for the entire account or just the gold within it. Account hackers, phishers and scammers get more advanced and innovative each day, and in turn we need to ensure that we have maximum security for our accounts.


    My name is Sinshroud, and I'm going to share with you some of the best security practices to keep your account safe! I have been playing World of Warcraft non-stop since Pre-BC, I have 2 accounts on US and 2 accounts on EU servers. I have over 1.5 million gold that I guard very closely. I've never been hacked. EVER. I don't even have an authenticator (although I do recommend it).



    Before we get started, the most basic form of protection for your account will be a proper password. There are various ways that your password can be obtained and account compromised. Some of the attacks are hit and miss random attacks sent to thousands of people, while others are more sinister and targeted attacks to your account specifically.


    • Guesswork / Common Sense Password Attacks - entering words or phrases that are directly related to you, or trying common password variations such as "sinshroudpassword", "ericwowpassword" or "password1234".
    • Bruteforce Password Attacks - this is when a computer runs an algorithm that tries every single possible number, letter or character combination until one works, such as "000", "001", "002" ... "009", "010", "011", "012" ... "019", "020", "021", "022" ... etc.
    • Phishing Attacks - account thieves impersonate someone such as Blizzard and ask you to login on a fake site, which then gives them access to your account or installs a keylogger/virus on your computer. I will show you how to identify such attacks later on in this guide.
    • Keylogging or Virus Attacks - spyware, trojans, viruses and other malicious programs can install keyloggers on your computer which record your key strokes and capture your username and passwords. Very dangerous because if they have access to your WoW account like this, there is a good chance they have access to your Facebook/Twitter/MySpace/Email/Work accounts for Identity Theft as well as your Banking Details. I will show you how to use a program such as KeePass to avoid needing to type in usernames and passwords ever again, making keyloggers ineffective against you.


    You can easily guard against both Guesswork / Common Sense Password Attacks and Bruteforce Password Attacks by having a password that follows good password practices and standards. Microsoft has a good example of How To Create Strong Passwords that the average computer user can apply without the inconvenience of needing to remember a 64 character hexadecimal password.


    • Always use a password that is eight characters or longer - the longer they are the longer a bruteforce attack will take to crack it.
    • Never use the same password for everything - if one of your passwords gets compromised you want to limit it to only that account. I will show you how to use KeePass to store and manage all of your different passwords.
    • Change your passwords often - this is something people always either forget to do, or purposely put off out of inconvenience. Just do it every couple of months.
    • Use a variety of characters in your passwords - letters, numbers, symbols, words, phrases.
    • Never include personal data in your passwords - don't include anything related to you such as your name, wife's name, school name, date of birth, ID/social security number, etc. Always keep it random and unrelated.
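
    The rules in the list above can be checked mechanically. The following Python is an added example, not part of the original guide; the function names, the three-class threshold for "variety" and the short list of common fragments are assumptions made for illustration.

```python
import math
import string

# Constructed, deliberately short list of guessable fragments; "password" and
# "1234" come from the guide's own examples of weak passwords.
COMMON_FRAGMENTS = ("password", "1234", "qwerty", "letmein")

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]


def bruteforce_bits(password):
    """log2 of the candidates an exhaustive search over the used classes must try.

    This measures resistance to brute force only. It says nothing about
    guesswork, which is why audit() checks for that separately.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit(password, personal_terms=(), other_passwords=()):
    """Return the list of rules from the guide that the password breaks."""
    issues = []
    lowered = password.lower()
    if len(password) < 8:
        issues.append("shorter than eight characters")
    if len(classes_used(password)) < 3:  # threshold is an assumption
        issues.append("little character variety")
    for term in personal_terms:
        if term and term.lower() in lowered:
            issues.append(f"contains personal data: {term}")
    for fragment in COMMON_FRAGMENTS:
        if fragment in lowered:
            issues.append(f"contains common fragment: {fragment}")
    if password in other_passwords:
        issues.append("reused on another account")
    return issues


if __name__ == "__main__":
    # Constructed sample passwords; the first two are the guide's weak examples.
    for candidate in ("sinshroudpassword", "password1234", "T7#kq9!vWz2m"):
        issues = audit(candidate, personal_terms=("Sinshroud", "Eric"))
        print(f"{candidate!r}: {bruteforce_bits(candidate):.1f} bits, "
              f"issues: {issues or 'none'}")
```

    Note that "password1234" has a larger brute-force search space than a random eight-character password, yet it fails the guesswork checks. The size of the search space only measures resistance to exhaustive search.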



    You can use a site such as this to get a general idea of your Password Strength.


    For absolute maximum account security, as advised for WHM/cPanel/FTP/admin accounts or simply really paranoid individuals you can use a Random Password Generator to generate a decent but impossible to remember password. You could try combining a few of these randomly generated characters with the password created through Microsoft's method.




    Phishing is one of the most commonly used methods to steal WoW accounts. If you have been playing World of Warcraft for a significant length of time, chances are you have seen every phishing attempt in the book sent to you.


    The absolutely best thing to do is to create a new email account with a trusted email host such as Google's Gmail.


    • Create the account using a username (also known as a "local-part") that is easy to remember, descriptive and unique. I usually include the word "wow" so that I can identify the account. E.G. "sinshroudwow@gmail.com".
    • Create the account using a password that is NOT THE SAME AS ANY OTHER PASSWORD OF YOURS. If you struggle to remember your passwords I will give you a few tips on this later on in this guide.
    • Change your Battle.net World of Warcraft login account username to this new email address that you have created.
    • Most importantly, NEVER use this email address for anything else. Not for MMO-Champion, not for The Consortium Forums, not for Elitist Jerks, not for Facebook, not for University or Work and definitely not for Buyquickgoldherewedontscamyou Gold Selling Sites.


    What you have effectively achieved with this is to make it impossible for you to receive phishing or spam email. The ONLY email you should ever get in this Email Account is from the real Blizzard Entertainment or from your Email Provider. If you ever receive email from somewhere else then you know you have been compromised. You might have a keylogger or virus on your computer that has provided spammers with your email address.



    Even if you follow my advice above, I highly recommend ALWAYS checking every email you ever receive for phishing attempts.

    Blizzard will ALWAYS greet you by your real name (or whatever name you made the account under). They will never just say "Hello" or "Dear Player", it will ALWAYS be "Dear Eric" or "Hello Eric" or just "Eric", etc. Account phishing is almost never a targeted attack, they won't be singling you out to attack, so scammers won't know any details about you.

    Blizzard will NEVER send you an email notifying you that they are "aware you are trying to sell/trade your personal World of Warcraft account" or anything similar. If there is a problem or suspected breach in their Terms of Service / End User License Agreement by you, they will simply lock, suspend or ban your account. If you receive an email about account disciplinary actions, simply try logging in in-game or visit Battle.net by manually typing it into your web browser.

    Scammers and Phishers will try to get you to follow a link to a fake website. They are impersonating the Blizzard website, and when you log in on that site they then have your login details. So ALWAYS check the links in the email. An easy way to do this is to hover over the link and look at the "Status bar" in your email client or web browser, usually found in the bottom left corner of the screen; if it shows a different address, or an address that isn't Blizzard's, then it's a scam.


    As you can see when hovering over the link "https://www.battle.net/account/support/password-verify.html", the scammers make use of Hyperlinking, which lets a user click on a text based link (which has been made to look like a URL). For example www.facebook.com will actually take you to Twitter because I hyperlinked it. The link they show you in the email actually takes you to a different place. Also note that they make the fake link look like it ends in "battle.net" but it actually ends in "-account.com".
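
    The hover check described above can be automated for an HTML email body. The following Python is an added example, not part of the original guide: it compares the host shown in each link's text with the host the link really points to, and tests whether that destination is battle.net or one of its subdomains. The sample email, the `.example` lookalike host and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only battle.net and its subdomains count as genuine destinations.
TRUSTED_DOMAINS = ("battle.net",)

# Link text that itself looks like a web address (with or without a scheme).
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(:\d+)?(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it.

    A substring test is not enough: a lookalike host can start with
    "battle.net" while its real domain is something else entirely.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_links(html_body):
    """Return one report per link, listing what is suspicious about it."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    report = []
    for text, href in parser.links:
        dest = host_of(href)
        findings = []
        if URL_LIKE.match(text) and host_of(text) != dest:
            findings.append(f"text shows {host_of(text)} but link goes to {dest}")
        if not is_trusted(dest):
            findings.append(f"{dest} is not under a trusted domain")
            if any(d in dest for d in TRUSTED_DOMAINS):
                findings.append(f"{dest} embeds a trusted name (lookalike)")
        report.append({"text": text, "href": href, "host": dest, "findings": findings})
    return report


# Constructed sample body: a lookalike link, a genuine link, and the guide's
# "facebook text that goes to Twitter" illustration.
SAMPLE_EMAIL = """
<p>Dear Player, verify your password at
<a href="http://us.battle.net-account.example/login.html">https://www.battle.net/account/support/password-verify.html</a></p>
<p><a href="https://us.battle.net/account/management/">https://us.battle.net/account/management/</a></p>
<p><a href="https://twitter.com/">www.facebook.com</a></p>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_EMAIL):
        print(entry["host"], "->", entry["findings"] or "ok")
```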


    • Blizzard Entertainment will never ask you for your password (except at login screen harhar).
    • Phishing emails make urgent / high priority appeals to you about your account being under investigation. Real Blizzard will just notify you and move on.
    • Phishing emails that offer you stuff are usually too good to be true. If there is a giveaway or competition you will see it on the World of Warcraft homepage or announced on MMO-Champion and similar sites.
    • Check for spelling, typos and syntax errors. Blizzard very rarely makes typos because they use a lot of macros and copy/paste answers and are also highly trained.
    • Here is an article for ensuring that your web browser's Phishing Filter is enabled.


    Here is Blizzard's guide to identifying Phishing Emails:








    Blizzard have an excellent analysis of real versus fake comparisons for both In-game Mail and In-game Whispers.






    With this step we are preparing for the case where you ever want to log in to your World of Warcraft Battle.net Account online from someone else's computer. A scenario could be that you are out at a friend's and a guildy calls you to tell you that someone else is on your account who shouldn't be. You can quickly log onto your friend's computer to change your password - but how secure is their computer? You take one look at their browser and it looks like THIS - yikes!

    You should always be prepared, and these days you can fit half your life on a flash drive attached to your keychain. Make sure a portable CLEAN web browser such as Firefox Portable Edition is on it.



    Download the Portable KeePass Professional Edition ZIP Package. The reason for the portable version is that it does not require installation and you can put it on a flash drive. Same reason as above: you can log in from elsewhere, but how secure is that computer?

    KeePass is actually very useful for managing all of your passwords (you should never use the same password for everything anyway). It stores all your passwords and can also auto-fill username/password fields in web browsers or allow you to copy and paste into in-game logins such as World of Warcraft.



    1. Extract the downloaded file onto a Flash Drive that you carry around everywhere on a keychain or something if possible.
    2. Run KeePass.exe Application and click File > New.
    3. Create the Password Database on the same Flash Drive (if you are not using a flash drive, put it in your C drive; you may need to close the program and run it as administrator to do this, depending on your OS security settings) - you can name it something like "KeePass Database" or whatever you want.
    4. Enter a Master Password and click OK. You could have 20 different passwords but this is the ONLY one that you ever need to remember. It gives you access to all your other passwords. You can also use Key File / Provider or Windows User Account security (you can use all three), but for this guide I will only be using Master Password. Follow good password creation practices.
    5. Enter a Database Name. Call it KeePass Database or whatever you wish.


    You will now be taken back to the program and see 2 Sample Passwords already made, which you can delete.


    1. Right click in the main window that has Title, User Name, Password and URL Columns in it and choose Add Entry.
    2. Enter a title to describe what the login details are for.
    3. Enter your username and password.
    4. If it's for a website then enter the URL for that website too.
    5. Add any notes that you want and click OK (perhaps a link to this guide for future reference? :P).



    You will now see your saved Entry in the main window. Now all you need to do is:

    Right click the entry and choose URL(s) > Open, or just hit CTRL + U while you have the entry selected and it will open the website, in this case the World of Warcraft Battle.net website.


    Once you have the website open, right click the entry again and choose Perform Auto-Type, or just hit CTRL + V while you have the entry selected and it will automatically fill and submit your details. NOTE: Some sites such as the Battle.net site will require you to open the Login Dialog Box first (KeePass is smart though and sometimes it automatically finds those login boxes and will open it for you, but you will need to click Perform Auto-Type a second time to fill it in).


    CTRL + B while you have the entry selected will copy the Username, while CTRL + C will copy the password - so you can just copy and paste into your World of Warcraft in-game login screen too.

    Using KeePass will allow you to practice proper password security by having a variety of passwords for different websites and logins and also protect you from keyloggers when logging into websites and games.



    World of Warcraft is a game with an enormous amount of customization available in terms of addons and UI packages. We as gold makers make particularly good use of these resources to enhance our game play and get an edge over our competitors. I use Curse for all my Addon Download needs, and very occasionally WoWInterface. I've never had any problems with either of them; account compromise through addons is VERY rare and usually found and reported immediately.

    You can view my thread on How To Install An Addon if you are new to using them.

    The only real tips I can give you for account security via addons is always download only from a trusted source such as Curse, never download, install or run executable addon files, never pay money for addons (it's against Blizzard's ToS/EULA anyways) and always only use addons that you have downloaded yourself.

    I would highly recommend storing your addons on your Flash Drive too, or perhaps even using DropBox to store your addons so that you can access them any time from another computer. Come to think of it you could use DropBox to store KeePass databases and the program itself too. Here is a nice guide for using DropBox, otherwise just follow the tutorials on their site which are adequate too.




    • Don't open ANY attachments in emails (unless it's work related and you're 100% sure it's safe). Tell the person to send it over MSN or something, but an email address can always be faked.
    • Don't click any odd and/or unknown links sent per whisper, in trade, IRC, forums, or whatever. Don't know the person; don't trust the person.
    • You aren't banned (or being investigated) unless you get the "your account has been suspended" when trying to login. Don't trust any emails saying otherwise.
    • You aren't invited for Alpha/BETA before the testing start has been announced on either MMO-Champion or another Blizzard fan site.
    • Use an up-to-date browser. I would recommend Firefox with AdBlockPlus (ads can be used to infiltrate usually safe websites, as happened with World of Raids a long time ago).
    • Update Windows and do a virus scan once every 5 weeks or so (more often is of course preferred).
    • Don't share your login information with anyone. A very common tip, but people still do it to get around the queue or something like that. My advice: just don't do it. To skip the queue you could use TeamViewer or LogMeIn yourself.
    • Don't buy power leveling services. Again: don't share your account information.
    • Don't buy gold, or rent your account to gold farmers. Same as above.
    • Don't install bots or other cheating applications. Keyloggers can be in anything.
    • Use your common sense - train yourself to detect bad links and emails so not opening them becomes a no-brainer.


    I don't know how many times we need to say this, but NEVER EVER SHARE YOUR ACCOUNT DETAILS. I don't care if it's your real life friend of 20 years, your uncle or your wife. People often scoff and say that that person will never do anything, but you know what? If they are going to be logging in on a computer that isn't yours, and they haven't followed this guide here accurately, then your chance of account compromise has just been raised a huge amount. Key loggers, phishing attempts, viruses, malicious addons and malicious websites that someone else's computer may have been exposed to put your account at risk.




    Lastly but certainly not least, the World of Warcraft Authenticator! A vital component to your maximum account security system. You can buy them from Blizzard, you can buy them from eBay, you can buy the mobile version on your iPhone and similar, and there are a few computer emulator ones floating around the net too.

    Author: Sinshroud.
    Contributors: Zero and Blizzard Entertainment's Types of Account Thefts Security Page.

    This article was originally published in forum thread: WoW Account Maximum Security Guide started by Sinshroud
    42 Comments
    1. Stede -
      tl;dr

      Quote Originally Posted by Sinshroud View Post
      1) Use a different username and password for each site.
      To me, that's a lot easier said than done. I realize you address this in a later step, and I'll get to that. My experience (and I imagine I have as many passwords as anybody here) tells me that passwords should follow a hierarchical structure. Forums that I don't care about being hacked on get a password that I can remember. It is shared. Each email has a different password. These two don't overlap. Facebook has its own. Banks have their own. Credit Cards have their own.

      There is some sharing, but each level is partitioned and separate from the next. If each had its own pw, I wouldn't be able to function.

      Quote Originally Posted by Sinshroud View Post
      2) Use a unique email address only for WoW.
      More or less. I use my primary email, but I never use that email for crap like forums or blogs. You definitely don't want to use an email that's plastered all over the web.

      Quote Originally Posted by Sinshroud View Post
      3) Learn to ID Phishing.
      Yeah. The average WoW player sees more of this than the average Yahoo! reader. Makes sense to have this.

      Quote Originally Posted by Sinshroud View Post
      4) Learn to ID in-game Phishing.
      Absolutely. If there isn't a Blizz icon next to the name, report the player as spam and move on.

      Quote Originally Posted by Sinshroud View Post
      5)Have a clean web Browser when not at home.
      Yep. Also - make sure you log out of shit and don't use cookies or anything while you're not at home. Most browsers have a private browsing feature.

      Quote Originally Posted by Sinshroud View Post
      6) Use KeePass.
      Eh, no. I have half a dozen corporate passwords that I manage on a permanent, 90-day, or 30-day basis. The company employs 75k people worldwide. They have their own global Help Desk. If you screw up your password, you get locked out and have to call them to reset it. So, it kinda makes me think that if having a universal password account that safeguarded your other passwords was actually a good idea, they'd scale the Help Desk back by 50% and keep the money for themselves.

      It doesn't make sense to me to lock all my passwords behind another, single password. Seems like it's actually less secure.

      Quote Originally Posted by Sinshroud View Post
      7) Only use trusted add-ons.
      Yeah, guys. Download your shit from Curse or from Sapu or Erorus. That's it.

      Quote Originally Posted by Sinshroud View Post
      8) Don't be a dumbass.
      'nuff said.

      Quote Originally Posted by Sinshroud View Post
      9) Authenticator, to me this is the most irritating and time wasting part of the entire system, yet for many this is their only line of defense.
      It's also the most time-effective method from everything you cited, and I think it's one area in your guide that you completely blew off.

      Blizzard has implemented an opt-in feature that you can enable in your account settings which forces authentication on every login rather than the currently standard once-a-week. The issue with once-a-week is that it is highly susceptible to a man-in-the-middle attack or ip-spoofing. By requiring authentication every login, I don't see any effective means by which an account can be compromised.

      There is a reason why global Fortune 500 companies use RSA tokens for employees who VPN in. They are secure.
    1. Sinshroud -
      Quote Originally Posted by Stede View Post
      It's also the most time-effective method from everything you cited, and I think it's one area in your guide that you completely blew off.
      I agree, I did talk about it the least for 2 reasons.
      1) Most people are the most familiar with this step compared to all the others listed.
      2) I do not use an Authenticator myself, so I'm not going to write about something that I actually really don't know all that much about.

      If you have time to do a little write up about it then I will happily throw you some rep and add it to the guide.
    1. Stede -
      There are two kinds of people in the World of Warcraft:
      #1 - Those that need an Authenticator.
      #2 - Those that don't yet realize they need an Authenticator.


      This article is for both types, so I hope you'll take the time to read it.

      Why do you need an authenticator?
      Because people get hacked. Every day. This past summer, my brother was hacked and lost 700k in gold & items. While it was all eventually restored, it took a full day of stress and headache to get it all back. Being hacked isn't fun. He didn't use an authenticator up to that point, even though he had a smartphone and could've easily been using the mobile authenticator app for free. Afterwards, though, he started using one.

      What is an authenticator?
      An authenticator is available as either a free mobile app (for Windows Phone 7, iPhone, and Android devices), or a hardware / keyfob token. You link it to your Battle.net account via its serial number, which is displayed on request for the mobile version, or printed on the back of the hardware token. Once linked, you are required to use the Authenticator to generate an authentication code in order to log in to Battle.net services - to manage your B.net account, post in the WoW official forums, and log in the game.

      How does an authenticator prevent me from being hacked?
      Without getting too technical, the Authenticator uses the latest crypto algorithms in standard usage. Once linked, all you have to do is press a button to generate your authentication code, when prompted by Battle.net, and enter it in.

      But I heard about this one guy who had an authenticator and still got hacked...
      Prior to just recently, Blizzard felt that entering your authentication code once a week was enough to prove it was still you sitting at the computer. They did this because they also check your IP and Location when you login. If you're at your brother's house across the country and try to login, you'll get locked out and have to respond to some emails to regain access to your account (you'll also have to authenticate throughout this process).

      Note: There is a new Dial-In Authentication Feature that was recently implemented to make this feature more user-friendly to people who frequently log in from different locations. Since it does not function as the authenticators I'm referencing in this article, I won't talk much more about it.

      This seemed like a good idea, but it had a weakness: if someone could spoof your IP / Location / MAC Address well enough, they could use that to impersonate you and skate in on your weekly "I'm really me" check. It's not too hard to imagine that you posted on some wank's forums with your main toon's name and server, and somebody got their hands on server logs with your info. It's not ez-mode, but feasible.

      Blizzard recently added the option to force authentication at every login. That means when you authenticate, it's not good for a whole week - it's only good for that session. This essentially closes the door to the man-in-the-middle attack described above. If you use this option (and I highly recommend it), the only way you'll get hacked is if someone takes control of your toon through your computer while you're logged in. Since most of us play with one eye on the screen, and such incursions are far more difficult to execute without being traced or stopped, that really minimizes your chance of being hacked.

      Does it worth?
      Your call. The mobile authenticator app is free, but smartphones are pricey if you don't already have one. It's $6.50 (USD) plus a bit of shipping for a token Authenticator. That's <$10 for a permanent, active safeguard to the gold you've spent months and countless hours accumulating. There's also peace of mind, which, anyone who has been hacked will tell you is worth a good deal. It also comes with a cool pet for all your toons
    1. Stede -
      Felt it was easier to post in the thread, though it may be long enough to warrant its own post.

      (the 'tl;dr' part from my 1st post was very tongue-in-cheek - in case the length of my reply didn't highlight that enough)
    1. dbMjolnir -
      Is LastPass similar to KeePass? The only difference I can tell for sure is that LastPass stores info online and KeePass stores it locally.

      I know with LastPass it's encrypted end to end and if you lose your master password your saved passwords are lost forever because they don't have access to your master pass.
    1. red88formula -
      could someone explain the emulated authenticators
    1. Xsinthis -
      @Stede epic typo in that last heading :P

      Also something to note, even if you set it to authenticate you every single time, you can still get hacked. You are still susceptible to man-in-the-middle attacks. People were being hacked long before Blizzard made the change to the looser authentication system.
    1. Sinshroud -
      Quote Originally Posted by red88formula View Post
      could someone explain the emulated authenticators
      There are a couple user-made programs floating around such as:


      I know the creator of the first one, Jadd, to some extent and he is a decent guy. But I've never tried either so I'm not going to recommend anyone to use an unofficial program like that.
    1. Reverb -
      I love the mobile authenticator personally; it's very much worth it if you have an android or iOS smart phone.
    1. I3ig Al -
      Great write up, both Sin and Stede

      I was hacked early on, shortly after the authenticator system was introduced. Luckily it happened while I was playing and I got to force disconnect the other person repeatedly until my brother changed my password on his computer. I ordered an authenticator as soon as I was sure my system was clean.

      I tried the smartphone Authenticator for a bit but didn't like it. Pull the phone out, unlock, load app, get code. Keychain, pull it out and press button. Plus I like to tinker with android a lot and it gets frustrating when the app backup goes wrong, have to call bliz and tell them you broke the serial link to the account :P
    1. Sinshroud -
      Quote Originally Posted by red88formula View Post
      could someone explain the emulated authenticators
      @Feelings PMed me to let me know about Windows Blizzard Authenticator which looks pretty promising. I'm going to try it out a bit later when I have time and if I like it will do a write up about it.
    1. Stede -
      Honestly, I would not trust any authentication method that was not authorized by Blizzard. That's asking for trouble, imo.

      @Xsinthis - Sure, the only computer that's safe from hacking is one powered-off, connected to nothing, locked inside a 12" thick lead case and buried a mile under the ground in an undisclosed location. If someone takes control of your computer via the type of man-in-the-middle you described... call me crazy, but I think I'm gonna be worried about far more important stuff than my WoW account.
    1. Xsinthis -
      Quote Originally Posted by Stede View Post
      Honestly, I would not trust any authentication method that was not authorized by Blizzard. That's asking for trouble, imo.

      @Xsinthis - Sure, the only computer that's safe from hacking is one powered-off, connected to nothing, locked inside a 12" thick lead case and buried a mile under the ground in an undisclosed location. If someone takes control of your computer via the type of man-in-the-middle you described... call me crazy, but I think I'm gonna be worried about far more important stuff than my WoW account.
      Just pointing out it has been done. They use a virus to catch the number you enter (along with password and username I assume) and then log in. Obviously it has to be done real time, so it's still difficult, but not impossible.
    1. Davison -
      I still can't believe how many people still don't use an authenticator, what is 10$/€ to safeguard something you have most likely spent (well, I have) thousands of hours on.
      Password security and being aware what you click on and react to on the internet is something everyone should keep in the back of their mind, so even if you're not playing wow (which is pretty unlikely given the whole idea of this forum :-p) it is worth the read.
    1. Sinshroud -
      Ah my dear mother had such an epic fail this morning.

    1. Mikathi -
      One method I am trying is a virtual machine that is totally locked down. Windows 7 Home Premium (I have a spare key that I use for testing after a phonecall to Microsoft) and totally updated. The firewall will be configured to alert me on any inbound and outbound connections, and the only application on there, apart from a full suite of security software, will be WoW. Hopefully, that means that no-one will be able to get into the system, and if it IS compromised, I can simply delete the VM and restore from a clean Backup, which is one of the advantages to Virtualisation. I'll get back and update this post regarding performance hits, usability, etc.
    1. Sinshroud -
      Quote Originally Posted by Mikathi View Post
      One method I am trying is a virtual machine that is totally locked down. Windows 7 Home Premium (I have a spare key that I use for testing after a phonecall to Microsoft) and totally updated. The firewall will be configured to alert me on any inbound and outbound connections, and the only application on there, apart from a full suite of security software, will be WoW. Hopefully, that means that no-one will be able to get into the system, and if it IS compromised, I can simply delete the VM and restore from a clean Backup, which is one of the advantages to Virtualisation. I'll get back and update this post regarding performance hits, usability, etc.
      Sounds interesting, I sometimes mess around with VM to test programs that I've downloaded or to try registry tricks before doing them on my live computer, but in the end it's just too much hassle and I just make sure that I have a recent backup available.

      I agree playing wow on a VM will probably be a big security boost, but to what extent I'm not sure. Because if you have a keylogger on your main computer, surely it would still detect keystrokes that you are sending to the VM? Let me know how it goes!
    1. Mikathi -
      Quote Originally Posted by Sinshroud View Post
      Sounds interesting, I sometimes mess around with VM to test programs that I've downloaded or to try registry tricks before doing them on my live computer, but in the end it's just too much hassle and I just make sure that I have a recent backup available.

      I agree playing wow on a VM will probably be a big security boost, but to what extent I'm not sure. Because if you have a keylogger on your main computer, surely it would still detect keystrokes that you are sending to the VM? Let me know how it goes!
      It probably would detect the actual key strokes, but it'd have no idea what the key strokes are used for. I'd hypothesise that it'd show *username* and *password* as relating to VMWare.exe (My virtualisation agent of choice) rather than wow.exe since WoW exists in a different environment to the key logger. Combined with a good security procedure on the Host (IE: the Operating system on which the VM software itself is installed,) consisting of regular AV/AM scans and a good firewall, along with paranoid settings on the firewall, antivirus and antimalware in the GuestOS (Which is the operating system that's been virtualised, in this case Windows 7) then you should have a solid setup. Coupled with the steps outlined by Sinshroud, and the whole thing should be safe.

      I know running two lots of AV/AM and Firewall might seem like overkill, but keep in mind that a VM presents itself exactly as a normal computer. Your normal Antivirus can't scan anything going to the virtual machine, hence why it needs its own security suite.

      As I said in the previous post, the one really big advantage for Virtualisation is that once the system has been created and configured, you can copy the files to another disk, or another computer, and use them as your backup in case the VM becomes compromised. They're also useful for creating secure machines for other purposes, such as web browsing (Particularly for online banking).
    1. Sinshroud -
      I've been doing some more thinking on the subject of wow security and I remember a few years ago hearing some rumours that starting wow with launcher.exe rather than wow.exe is safer because it adds some extra layer of security somehow (I seem to remember people saying that it helps to scan / block keyloggers).

      I doubt this, but has anyone heard the similar thing or know any facts about that?
    1. Mikathi -
      Quote Originally Posted by Sinshroud View Post
      I've been doing some more thinking on the subject of wow security and I remember a few years ago hearing some rumours that starting wow with launcher.exe rather than wow.exe is safer because it adds some extra layer of security somehow (I seem to remember people saying that it helps to scan / block keyloggers).

      I doubt this, but has anyone heard the similar thing or know any facts about that?
      Perhaps effective back when WoW was relatively new, because as far as I'm aware keyloggers associate the keystrokes with an application process, so using Launcher.exe to load Wow.exe would have the effect of hiding the correct process. However, nowadays, I doubt it would be any more effective at confusing a keylogger since the process is now rather well known.

      This is just what I know on how keyloggers work, which isn't much.