I have two words for Blizzard and their account security.
Coin Lock
This is a Trion invention. If your account is compromised, say you live in NYC and your account is accessed from China, the person who hacked you will not be able to sell, delete, or talk. Once you log back in you hit the coin button and an email is sent to you with a code to unlock your toon.
Blizzard has an SMS system that works much the same way, except they text you if there's any suspicious activity.
Is this what you are talking about?
"What games and services does the Battle.net Dial-in Authenticator protect? The Battle.net Dial-in Authenticator protects any World of Warcraft accounts attached to a Battle.net account, as well as Battle.net Account Management. The Battle.net Dial-in Authenticator is not currently compatible with StarCraft II or Diablo III, though that may change in the future."
Oops... sorry... I see this now... another cell-based authenticator.
OP, a lot of idiots use the simplest passwords you can possibly think of. Sure, Blizzard could have done something to prevent that, but blaming them entirely, and not putting any blame on the users (unless you did in some later posts), is just absurd.
You may or may not know about such things in your job, but there's no way for us to know, therefore using that as an argument has no weight whatsoever. Especially considering all the fools on this site that have claimed to be developers, marketing directors, and who knows what. Saying "If you worked in the IT field you'd understand ..." (post 5) is just arrogant, again because there's no way for us to know if you're telling the truth or not. Also, you have no way of knowing what other posters on this site do for a living, or did in the past.
Implying that Blizzard is doing a poor job on security on purpose, just to sell more authenticators, takes away all your cred, imo.
And no, I'm not some mindless fanboy defending Blizzard against everything, if that's what you were going to reply.
I read the OP and he wasn't talking about Blizzard making it so idiots can't use the simplest passwords...
The complaint was that there wasn't a limit to how many times you can enter a password and that passwords were not case sensitive. This is bad; you do not need to be an IT specialist to understand that this is bad.
Without passwords being case sensitive, and with unlimited attempts at "guessing" the password, it doesn't take a great deal of effort to "crack" an account.
With the way Blizzard's account security currently is, something like a basic dictionary attack will be fairly successful on many accounts. Other, more complex methods exist and will yield an even better success rate.
You should NEVER have unlimited attempts in guessing a password.
Passwords should ALWAYS be case sensitive.
There are only 3 logical conclusions.
1) Blizzard is inept and has no idea how to protect your information - this is bad
2) Blizzard does this intentionally to push authenticator sales - this is bad
3) Blizzard simply doesn't care about protecting your accounts - this is bad
I won't sit here and say I'm in IT or that I'm a developer or anything like that; I'm simply a regular Joe gamer, and even I know the way Blizzard has this set up is bad.
You can only blame so much on users. This system is simply flawed, and the blame rests solely on Blizzard until it's fixed. After this glaring, gaping hole in security is fixed, then you can start blaming users for being incompetent, but not before.
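As an added illustration (not code from any poster in this thread, and not Blizzard's login code), the following Python models the two properties the post above argues about, a backend that lowercases passwords before hashing and one that enforces no attempt limit, beside their hardened counterparts, and runs the same lowercase dictionary against all four combinations. The PBKDF2 round count, the lockout threshold of five failures, the doubling lockout timer, the wordlist and the sample password are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 20_000      # kept low so the demo runs quickly; production uses far more
MAX_FAILURES = 5            # assumed lockout threshold
BASE_LOCK_SECONDS = 1.0     # first lockout length; doubles with every further failure

# Constructed sample wordlist: what a cheap dictionary attack might try, all lowercase.
WORDLIST = ["password", "dragon", "sunflower", "sunflower1", "letmein",
            "sunflower7", "warcraft", "blizzard1"]


def make_record(password, fold_case):
    """Store a salted PBKDF2 hash. fold_case=True models a backend that
    lowercases before hashing, which is how a case-insensitive check ends up
    being implemented."""
    salt = os.urandom(16)
    pw = password.lower() if fold_case else password
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS),
        "fold_case": fold_case,
        "failures": 0,
        "locked_until": 0.0,
    }


def check_password(record, attempt):
    pw = attempt.lower() if record["fold_case"] else attempt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


def login(record, attempt, now, enforce_lockout):
    """Returns 'ok', 'fail' or 'locked'. `now` is a caller-supplied clock so
    the scenario is reproducible."""
    if enforce_lockout and now < record["locked_until"]:
        return "locked"
    if check_password(record, attempt):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if enforce_lockout and record["failures"] >= MAX_FAILURES:
        over = record["failures"] - MAX_FAILURES
        record["locked_until"] = now + BASE_LOCK_SECONDS * 2 ** over
    return "fail"


def dictionary_attack(record, wordlist, enforce_lockout):
    """Hammer the login with every word at clock time 0 (the attacker never
    waits). Returns (outcome, number_of_guesses_actually_evaluated)."""
    evaluated = 0
    for word in wordlist:
        result = login(record, word, now=0.0, enforce_lockout=enforce_lockout)
        if result == "locked":
            return "locked_out", evaluated
        evaluated += 1
        if result == "ok":
            return "cracked", evaluated
    return "exhausted", evaluated


def run_demo(real_password="Sunflower7"):
    """The user chose a mixed-case password; the wordlist only holds its
    lowercase form. Compare the four policy combinations."""
    return {
        "fold_case, no limit":      dictionary_attack(make_record(real_password, True),  WORDLIST, False),
        "fold_case, lockout":       dictionary_attack(make_record(real_password, True),  WORDLIST, True),
        "case_sensitive, no limit": dictionary_attack(make_record(real_password, False), WORDLIST, False),
        "case_sensitive, lockout":  dictionary_attack(make_record(real_password, False), WORDLIST, True),
    }


if __name__ == "__main__":
    for policy, outcome in run_demo().items():
        print(f"{policy:>26}: {outcome}")
```

Only the combination the post complains about (case folding plus no limit) gives the wordlist a hit; the lockout stops the run after five misses, and case sensitivity alone makes the lowercase list miss entirely. The doubling timer matters too: a flat lockout lets the attacker retry at a predictable cadence.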
There's another possible logical conclusion. Password security isn't the problem to begin with - this is neutral. I think people really overestimate dictionary attacks too. They seem to have an unearned mystical aura. I blame Matthew Broderick.
If more complex things than dictionary attacks didn't exist you might have a point. I used that as an example because it's fairly basic and most people know about it; I didn't want to list other methods for obvious reasons.
Password security is the problem; that's not a disputable point. Unlimited attempts at guessing a password + passwords not being case sensitive. This is something that just about everyone figured out was a bad idea long ago.
But thank you for chiming in.
The complaint was that there wasn't a limit to how many times you can enter a password and that passwords were not case sensitive. This is bad, you do not need to be an IT specialist to understand that this is bad.
Which is exactly what the OP is using as an argument again and again and again...
For example, post #1:
"as a(n) Network Administrator"
Post #10:
"from my professional background"
Etc.
He's calling himself a "professional", while Blizzard is "amateurs". Classic forum troll, imo.
Further proof of him being a troll:
Post #6:
"Also, I don't go to the Blizzard forums anymore, and haven't for 5years"
The link in post #1 tells a different story. That thread is 4 days old, not over 5 years... lol.
I do agree that Blizzard could have done more, but the OP does a horrible job of presenting his case.
It is a disputable point. Blizzard is saying flat out that's not what is happening. Also, the attempts are not unlimited. Try it. Your account will be locked eventually. Case sensitivity is less of an issue if brute force attacks are stopped, but I'd like it, for no reason other than that it would make me feel better.
I could explain it to you, but I'll simply say this. It's easier for me to "recover" my password on SC2 than it is going through Blizzard support, and no, lol, my passwords aren't ever simple :P.
No, it's not a disputable point, lmao. But I won't argue the point further. Some know, some don't. Just the way it is.
The password protection isn't that big of a thing in and of itself to me, but it highlights a bigger issue. If they can't be bothered to do even something as simple as case sensitivity on their passwords, why should I believe them when they say they are doing anything else? Even the authenticator seems to me to be an attempt to push their own responsibilities off onto the users. It just seems that they don't seem to spend even a small amount of the massive profits they are making to take care of their customers, and that they really don't care about their customers at all, just their customers' money; this is enhanced by the fact that they are willing to fix it for those who complain, but don't want to do anything proactive to prevent it. While I suppose it is a valid business strategy from their perspective, it's not one that I have any interest in supporting, as I do expect some kind of support from a company I am going to pay a premium price to for their game and service.
Meh, it's not 1995; if your pass is "sunflower" and not something like "1337wow4life", you are asking for it.
As for brute force, @1000 attempts a second (good luck with that), it would take years for an 8 character pass; this is not a zip password cracker or your intranet mail account, so what is the fuss all about?
As for Blizz arrogance and disconnect from reality, you should be used to that; it's not like they have only been that way since last Saturday.
Flame on!
Of course they want your account password to be compromisable. They're selling those stupid auth devices. With that being said, I feel like they want to intentionally make it unsafe so you'll fork over more cash for those devices.
Not sure what this thread is about. I have a KeePass encrypted password for my Battle.net account that nobody could figure out, and I change it every 30 days. In fact, my passwords are so strong that I don't even know what they are. If someone wants to try and guess it, all I have to say is... good luck!
Yea, sure, it's a big conspiracy to make maybe 25 cents per authenticator after cost...
No, with Coin Lock you don't have to do anything. No authenticator or anything. SMS does not prevent a hacker from selling all your stuff and deleting your toon. Coin Lock does. All a hacker could do is walk around. When he logs off or is booted off, you log in, press the coin on your screen, then a code is emailed to you, you enter it IN GAME, and voilà, your toon is unlocked.
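Added example, not Trion's or Blizzard's code and not from any poster here: a minimal Python model of the Coin Lock behaviour described in the two posts above. A session opened from outside the account's home country starts restricted; a restricted session may walk around but not sell, delete or chat; and the restriction lifts only when the owner enters a single-use code that was e-mailed to them. The country check as the anomaly signal, the 6-digit code, its 15-minute lifetime, the three-attempt allowance and the sample account are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

RESTRICTED_ACTIONS = {"sell", "delete", "chat"}   # blocked until the owner unlocks
CODE_TTL_SECONDS = 15 * 60                        # assumed lifetime of an emailed code
CODE_ATTEMPTS = 3                                 # assumed guesses allowed per code


class MailOutbox:
    """Stand-in for the mail gateway: just records what would have been sent."""

    def __init__(self):
        self.sent = []

    def send(self, address, body):
        self.sent.append((address, body))


class Account:
    def __init__(self, name, email, home_country):
        self.name = name
        self.email = email
        self.home_country = home_country
        self.code_hash = None        # SHA-256 of the emailed code; the code itself is not stored
        self.code_expires_at = 0.0
        self.code_attempts_left = 0


class Session:
    def __init__(self, account, login_country):
        self.account = account
        # A login from outside the home country starts in the locked-down state.
        self.restricted = login_country != account.home_country


def perform(session, action):
    """True if the session may carry out `action` right now."""
    return not (session.restricted and action in RESTRICTED_ACTIONS)


def request_unlock(account, outbox, now):
    """Mint a fresh single-use code and e-mail it to the address on file."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.code_hash = hashlib.sha256(code.encode()).digest()
    account.code_expires_at = now + CODE_TTL_SECONDS
    account.code_attempts_left = CODE_ATTEMPTS
    outbox.send(account.email, f"Your unlock code is {code}")


def unlock(session, submitted, now):
    """Lift the restriction if `submitted` matches the live code."""
    acct = session.account
    if acct.code_hash is None or now > acct.code_expires_at or acct.code_attempts_left <= 0:
        return False
    acct.code_attempts_left -= 1
    matched = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), acct.code_hash)
    if matched:
        acct.code_hash = None          # single use: a captured code cannot be replayed
        session.restricted = False
    elif acct.code_attempts_left == 0:
        acct.code_hash = None          # too many misses: the code is void, request a new one
    return matched


def demo():
    """Walk through the scenario from the post: home in the US, thief logs in from China."""
    outbox = MailOutbox()
    owner = Account("alice", "alice@example.com", "US")   # constructed sample account
    thief = Session(owner, "CN")
    owner_back = Session(owner, "US")
    results = {
        "thief_restricted": thief.restricted,
        "thief_can_sell": perform(thief, "sell"),
        "thief_can_move": perform(thief, "move"),
        "owner_restricted_at_home": owner_back.restricted,
    }
    # The owner, travelling, logs in from a new country and presses the coin.
    travelling = Session(owner, "DE")
    request_unlock(owner, outbox, now=0.0)
    code = outbox.sent[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "999999"
    results["wrong_code_accepted"] = unlock(travelling, wrong, now=1.0)
    results["right_code_accepted"] = unlock(travelling, code, now=2.0)
    results["travelling_can_sell_after_unlock"] = perform(travelling, "sell")
    results["replay_accepted"] = unlock(thief, code, now=3.0)   # thief sniffed the code
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the thief's stolen password buys a session that cannot do the damaging things, and the unlock secret travels over a second channel (the mailbox) that the thief would also have to control. Capping attempts per code keeps a 6-digit code from being guessed online, and storing only its hash means a database read does not leak live codes.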
The problem isn't their poor standards for passwords etc., the problem is Battle.net and the armory.
The people don't try single accounts randomly and they don't use keyloggers. They scout for good accounts and then hack these very accounts, either by using brute force or by hacking Battle.net itself to get the databanks and the passwords etc.
Accounts with no gold don't get hacked... it's always the phat accounts that get hacked for the big amounts of gold.
Again, there's no random hacking there.
Wrong, wrong, wrong... and wrong!
A friend's account got hacked. IIRC, his highest level toon was 27, at least it was below 30. According to you, he was targeted because of his "big amounts of gold"... lol.
"They don't use keyloggers"? Maybe not in the majority of cases (don't know for sure), but they ARE used.
It is a WELL KNOWN FACT that gold sellers will use any account they get their hands on, either for stealing gold, farming, or simply using its toons (or making new ones) to stand in the cities spamming their ads.
Heard about phishing? Such mails are not sent to carefully chosen individuals, they're sent to just about everyone.
I could go on and on, but you get the picture.
You know, the more I consider this subject, the more mathematically I can see that it isn't that big of an issue.
It is possible to make a password with only lowercase letters that is extremely resistant to brute force attacks.
While capitalization is an extra layer of password security, length IS the most important factor when trying to prevent guessing.
I posted this in the other thread but I'll share it here as it's relevant:
https://www.grc.com/haystack.htm
Steve Gibson made it. He knows more about security than you or I or probably anyone else here.
Even though he clearly points out that capitalization is important, if you use that calculator at the top, you will find that a sufficiently long password of only lowercase letters is sufficiently secure. People probably don't use a sufficiently long password.
Anyways, the no-capitals thing is annoying, but with a symbol and a number plus a long password you will be fine.
It may be a stupid policy on Blizzard's end, but it can be accounted for.
Put in a 15 letter password with one number and one symbol, all lowercase, and look at the results. It would take a brute force attack a couple hundred thousand centuries to try all possible combinations that would include such a password.
Of course a cracker could get lucky and get it on the first try or something, but the point is that no attacker is going to be looking at their software saying that and even bothering to try. Odds are extremely low that they will even get it in 100 years.
It is very easy to make an 'uncrackable' password without capitalization.
It's up to you to be smart enough to do that. If someone is the type to make an easily cracked password, no amount of capital letters on Blizzard's end will save them. If you are not that person, you'll be just fine regardless.
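The two figures argued about in this thread (the "8 character pass at 1000 attempts a second" post earlier, and the 15-character lowercase password in the post just above) rest on the same search-space arithmetic. This added Python example, not from the haystack page and not from any poster, carries it out: it counts candidates for a given alphabet and length, converts them to years at assumed guess rates, and quantifies what a case-insensitive check gives away when the user actually used mixed case. The alphabet sizes (26+26+10+33, the 95 printable ASCII characters), the two offline rates and the cumulative counting of shorter lengths are assumptions stated in the code.

```python
from fractions import Fraction

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable ASCII punctuation plus space
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates: 1e3/s is the online figure quoted in the thread; the two
# offline rates are round numbers for a fast GPU rig and a large cracking cluster.
RATES = {"online 1e3/s": 1e3, "offline 1e11/s": 1e11, "offline 1e14/s": 1e14}


def search_space(alphabet, length, cumulative=True):
    """Candidates an exhaustive guesser must cover. With cumulative=True every
    length from 1 to `length` is counted, since the attacker does not know the
    length in advance; with False only strings of exactly `length`."""
    if cumulative:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def years_to_exhaust(space, guesses_per_second):
    """Wall-clock years to try the whole space; expected time is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def case_fold_loss(length, letters_only=True):
    """Factor by which a case-insensitive check shrinks the space of a password
    that really uses mixed case. Letters only: 52^n / 26^n = 2^n. Exact Fraction
    so large powers are not rounded."""
    full = UPPER + LOWER + (0 if letters_only else DIGITS + SYMBOLS)
    folded = LOWER + (0 if letters_only else DIGITS + SYMBOLS)
    return Fraction(full ** length, folded ** length)


def thread_scenarios():
    """The passwords argued about above, in years at each assumed rate."""
    shapes = {
        "8 chars, lowercase only": (LOWER, 8),
        "15 chars, lowercase+digits+symbols": (LOWER + DIGITS + SYMBOLS, 15),
        "15 chars, same but case-sensitive": (LOWER + UPPER + DIGITS + SYMBOLS, 15),
    }
    table = {}
    for name, (alpha, n) in shapes.items():
        space = search_space(alpha, n)
        table[name] = {rate_name: years_to_exhaust(space, rate) for rate_name, rate in RATES.items()}
    return table


if __name__ == "__main__":
    for name, row in thread_scenarios().items():
        print(name)
        for rate_name, years in row.items():
            print(f"  {rate_name:>16}: {years:,.3g} years")
    print("case folding costs a 10-letter mixed-case password a factor of", int(case_fold_loss(10)))
```

Two things fall out of the numbers. At the online rate, even 8 lowercase characters take years, so the earlier poster is right that unthrottled guessing of a random password is slow; but the online rate is exactly what an attempt limit governs, and the offline rates (the case that matters if the password database is ever stolen) are eleven orders of magnitude faster. Separately, case folding does not cost anything when the user typed lowercase anyway; it costs a factor of 2 per letter for users who did use mixed case, which is why a dictionary that only holds lowercase words still hits them.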
There was a lot more noise about hacking when Blizzard made you log in using your Battle.net account, making people believe that Battle.net was compromised. The problem wasn't Battle.net; the problem was that people were using the same email for their account as they use on forums. For some forums, like mmo-champion, your email address is viewable by ANYONE by default, so you need to go into your settings to hide it.
What this does is give these thieves a huge number of email addresses that are very likely used for World of Warcraft.
Now they added Diablo 3, with a real money AH. That's a huge incentive for hackers to steal accounts. And all they have to do to get access to thousands of email addresses that are likely used to play Diablo 3 is scrape information off a forum dedicated to Diablo. This combined with the simple password requirements gives them easy access to accounts.
A lot of people use the simplest passwords they can, because it makes them easier to remember.
Heh, guys, I just witnessed an account lock for unsuccessful attempts a couple weeks ago. My wife freaked out when she couldn't remember her password and it started asking security questions. When she still couldn't get it they locked the account.