If you follow simple security steps such as a) have a hard-to-guess 10+ key password (including numbers), b) you don't share your password with anyone, c) don't use one and the same password for everything and d) have an authenticator, you will reduce the chances of being hacked to virtually nonexistent. In this case you are probably more likely to win the lottery than get hacked.
Why did you remove your authenticator in the first place?
Mission in life: Vanquish all MMORPG.com trolls - especially TESO, WOW and GW2 trolls.
You need to seriously read up on password encryption.
Blizzard absolutely does not have your password in plain text. Not a chance.
The reason they don't ask for your password is because that is a security no-no. Big time. It prevents people from giving their password to imposters.
They don't know your password. Period.
Again, your statements display your lack of knowledge on the subject.
I made a response to you in one of the other threads about password hashes. Read it.
Look up md5 salted encryption and password authentication.
Blizzard absolutely does not have a plain text version of your password.
Blizzard absolutely does not have a plain text version of your password.
Say it with me:
Blizzard absolutely does not have a plain text version of your password.
With the right resources to decrypt the passwords, one doesn't need it to be in plain text. All they need is insider information on the encryption and they can do this. Decryption with the key is not that difficult and in a company as big as Blizzard, I'm sure that insiders have found a way to do just that. BTW you should read my post again, nowhere did I ever claim it was in plain text, I claimed they knew the passwords and the decryption for the authenticators. This did happen and there was an investigation and they found many GMs guilty of it, the tiny article talking about it was quickly claimed as being nonsense by the infamous Blizz PR department right after it was posted, just as quickly as their claim that the D3 hacks only happened to a tiny bit of the player population.
It was an old physical keychain authenticator I had from when I had played WoW. It had been sitting in a corner for... a long while and was rather yucky. Due to me being what I thought was rather diligent about my computer I was not very concerned about removing it, and procrastinated putting the mobile authenticator on (the app). As it is I put the physical auth back on because it was the fastest thing to do when the person accessed my account. I just cleaned it up a bit since then : P
If this ends up being a keylogger of some sort on my system, though, I am very happy I had it off. I still have not had it detected by any scanner, but if it exists then I would much rather deal with the inconvenience of an accessed battle.net account than having other, more important information stolen.
I had removed my authenticator since I was confident my PC was clean - this is the only even slightly Diablo related website I visit on my computer, everything else is on my phone. I only use Firefox with NoScript, have not downloaded anything other than the latest Nvidia drivers, and visited no odd websites.
However, right after I logged in just a few minutes ago, someone else logged into my account, kicking me off. I quickly went to battle net and reattached my authenticator, while it turned out they were on battle net changing my password. Fortunately the email notifying me of the password change had a link to recover my account in it and reset the password. Also fortunately all of the email to that address is sent to a different email address, so I did not have to worry about the email being compromised.
Point of this?
Watch out, keep your authenticator attached, and I am not feeling too confident in Blizzard's account security.
you haz keylogger, stop going to powerleveling/gold buy site!
I never said they had stored passwords in plaintext, but an insider could without too much hassle get a copy of the hashed/encrypted passwords file and then decrypt them at home and sell them on. It's really not that hard.
It amazes me too to think that, to save corporate time and resources so the bigwigs can keep their bonuses, people like Dubyahite think that they wouldn't have expanded security to those of lower ranks, i.e. Tier 1 customer service personnel, to accommodate their large customer base in an attempt to fill in the blanks of, oh, I dunno, those people they just fired recently, and that this type of common corporate action wouldn't leave accounts open to this type of security breach, when we all know that a company this big would not be paying their customer service reps much above a standard wage, which ALSO leads people of this type of character to seek ways of making more money on the side, i.e. getting the decryption code apps, using them and getting in league with one or many gold farmer deals, thus getting kickbacks on virtual items that are easily restorable instantly via in-game mail. It's really not rocket science.
Originally posted by itgrowls
To be clear, I have been using some different terms interchangeably. It's a bad habit. The terms are hashing and encryption. They are different things, and I'm going to focus on one-way encryption or hashing for this response.
First of all, I have already posted several times about how hashing transfers your password from the client to the server in an "encrypted" state that is not the plain text of your actual password.
The client turns what you type in into a string of hexadecimal digits (varying length depending on the algorithm used).
So you type in "password" for your password. The client runs it through an algorithm (we'll assume MD5 here because it has vulnerabilities and helps me prove a point). "Password" becomes f8bbff024e7d04d98a349ccb0984ad85d8ba86fa (this hash is made up btw). This long string of hex is what is sent to the server, not your password. When you created your password, the same process happened. The server doesn't compare the word "password" to the word "password" in their database. They compare the hex string to another hex string.
I am going to show you how your statement about "decrypting" the database is completely false and how easily Blizzard's password database can quite literally be made uncrackable and unguessable.
Ok, so remember when I said MD5 is insecure? Well it is. Extremely. If Blizzard is using MD5 as their algorithm then that would be a problem. They aren't though. However, I'll show you what they are most likely doing to protect your password.
There is a process called salting in hashing. This basically uses another algorithm or some other system to insert data into your password. An extremely simple salting method would be to insert a word in front of your password. So when you type in "password" the client might append the word "a1B2c3D4" in front of your password before hashing it. So the client takes the phrase "a1B2c3D4password" and hashes that.
The hash for this would be very different. We are also taking into consideration that Blizzard's passwords are not case sensitive for whatever reason. This doesn't mean that the salt cannot be case sensitive. "a1B2c3D4password" is a LOT more secure than "password" for obvious reasons. By doing this, the company has basically enforced password complexity on you, behind the scenes without your knowledge. It is seamless and your crappy "password" is still valid.
The client may not recognize uppercase in the password you type in, but can still use it in the salt! Not only does this enforce complexity, it is perfectly seamless to the user. They have no idea it is ever going on. On top of that, it protects against brute force attacks.
Every hash is different. If I were to change one letter in your password it would drastically alter the resulting hash. MD5 always produces a 32 bit hash, no matter how many characters are in your actual password. This is important to remember.
Ok, let's get back to MD5. It is very vulnerable, and shouldn't be used to store passwords on its own. Now that you understand salt, let me explain how MD5 can be used to make an extremely secure, salted, extremely complex password, that cannot be brute forced. There is no method to "decrypt" this as you suggest.
There exists a hashing algorithm that is not crackable (or "decryptable" as you put it). Actually it is a set of algorithms to be exact and they are called SHA-2. They function similarly to the way I described MD5. Plain text goes in, hash comes out.
SHA-2 algorithms were developed by none other than the NSA. Yes that NSA. As of right now, SHA-2 has not been cracked, and even though it is still secure the NSA is working on SHA-3 to replace it. SHA stands for Secure Hashing Algorithm and the name is fitting.
So why the hell are we even talking about MD5? Why not just use SHA-2 and be done with it? Well, while SHA-2 does not have any known vulnerabilities, it can still be brute forced. This is an unfortunate side effect of hashing that can probably not be accounted for except with private custom algorithms.
So check this out. This is a relatively easy to implement solution, and there are many other ways of doing things to salt that are even better than this.
So your password is "password." We assume the client is going to hash that with the crackable MD5. We also assume there is a salt in use.
What if that MD5 hash IS the salt? So "password" becomes f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword. Pretty crazy password right? Let's take that and run it through one of the SHA-2 algorithms. Let's say SHA-256. This means the output hash will be 256 bits, while the output of MD5 is 32 bits. In other words, it's much much longer. So it produces a 256 bit hash based on f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword NOT based on "password"
I won't type a 256 bit example out here, but you get the picture. This can (and is) taken to even further extremes. We can put the a1B2c3D4 example I gave earlier in front of the text BOTH times it is hashed to make it even more complex. Or we could run it through even more hashing algorithms.
Imagine if this is your password to D3. a1B2c3D4f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword
That is BEFORE it even touches the SHA-2 which results in a hash similar to this: d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
Let me be clear about this. The yellow, blue, and red example I gave is basically the same as having that as your password. It is no different than if you sat down at your computer and typed that whole long mess into your client to log in every time.
You THINK your password is "password" but in fact it is that craziness.
The green hash is what is stored on Blizzard's server. That is the only thing they have. Period. Again, these are made up hashes.
I can almost guarantee that Blizzard has a very unique salting method. I doubt it is as I described this one, but something that would be impossible to guess. The only people that would have access to their hashing method would be people at the highest levels of IT. No one else needs to know anything about it for it to function.
Let me be very clear about this. Those hashes, if using SHA-2, are NOT crackable. The hash CANNOT be turned back into your password. It is truly a one-way trip. Those hashes are the ONLY thing stored on the server. Nobody at Blizzard could tell you what your password is. They could pull up their database and all they would have was that crazy ass hash.
Not ONLY is it uncrackable, and irreversible, but it is not really even Brute Forceable either! Unless the attacker knows exactly how the passwords are salted, which is highly unlikely.
I am convinced that blizzard uses a complex salting algorithm. This would explain the lack of case sensitivity in their passwords and it would also excuse it. It would not be necessary at all.
You know who rarely uses a scheme like this? Fansites, guild sites, and other small websites.
Let's assume your tin-foil hat theory about an inside job is true. Let's also assume that the person doing it knows the salting method and Blizzard never changes their salt.
We are still at the point where the ONLY viable attack on the database is a brute force attack. The SHA-2 algorithm used is not crackable. So again, assuming all that is true, the only passwords that will be retrieved are those of the people that do not use a complex password already, which is foolish and their own fault. The company has gone to a reasonable length to protect the database. It is the very definition of secure. We are right back to user error again.
I guarantee you that no GM knows the salting method used. There is absolutely no reason for them to know it, and the method would be considered extremely sensitive information by the IT department. If a GM was made aware of the salt, it would be considered a huge security breach, even though that GM works for the company. My guess is that very few people at Blizzard understand the salt that is used.
So because their DB is secure, Blizzard is not at fault in any way for letting their users create accounts with extremely weak passwords? Passwords so weak a program running variations of common passwords could pick up an account maybe every hour per computer used?
I don't believe Blizzard is handing out passwords but it is the same as not putting any blame on cigarette companies for the health issues they cause. They warned you about the risks and you bought them anyways so it's your own fault and not their own for giving you a product that is harmful to your health.
You have a point that I was a bit pissy in my post.
But you are incorrect about the OP's statements.
He has made several posts in this thread saying "I do x, y, and z so it must be blizzard"
Here's a direct quote " I am assuming the error is on blizzard's end"
He's directly saying blizzard has been compromised because it can't be on his end, when in fact it is far more likely that his machine was compromised.
Anyone can make a list of things they do that is flawless security, but it's never a very convincing list to me.
The bottom line is that he's just another poster that is saying "I'm perfect, it must be Blizzard's fault. Look at all the stuff I do! It's clearly Blizzard's fault!"
When in fact the thing that allegedly gave them access to his account was the removal of the authenticator.
If this story is true, I believe it is a case where the OP knows he messed up, regrets it and is kicking himself in the butt, but wants to blame someone else to make himself feel better.
I previously posted that I wasn't trying to blame him, but I should say that obviously the biggest mistake was in fact that very decision.
I get your point. These are PC gamers though, I don't think it's a secret the average PC gamer usually likes to view themselves as in the know about all things PC or net related. Geek cred and all that nonsense.
I'm not even that knowledgeable in this department, I can make a PC work, I can MOD games, and I build my PCs, but at the end of the day, I know what I bothered learning, not much more. I at least know it's best to listen to those who seem knowledgeable like yourself. So I'm not going to pretend to be able to argue about something I have no idea about.
The one thing I see that is repeated by many like yourself is that no system is truly protected, I just want to know if that means anything is possible when it comes to this topic?
I'm not saying that anything is possible. Not at all actually.
What I am saying is that personal computers and their associated networks are in a perpetual state of vulnerability. It is through no fault of the user that this is the case.
No anti-virus can catch everything. No home system is without vulnerability in some fashion or another. There are security flaws in the world that simply have no technological solution. There are vulnerabilities in products that we use every day that no one even knows about except the person using them.
For example: man in the middle attacks. If I am on the same network as you, I can with extreme ease intercept every single piece of data that you send out and every single packet sent to your machine. This could be on a home network or a public network. Doesn't matter.
Your SSL logins are encrypted, but I can also spoof those logins (again if I am on the same machine as you) so that you send your password to my machine with the wrong encryption. I take the password and send it off to the server with the correct encryption nearly immediately. The server doesn't know what's up and neither does your machine, but I have your password.
There are ways to detect/prevent this attack, but there is no commercially available product that is going to detect it. No firewall will notice. Your AV software won't notice. Your browser with no-script in a sandbox won't notice.
This is actually a perfect example. Like I said there are means to prevent this type of attack, but they usually rely on protecting your network from physical local intrusion. A big company will also have the technology to detect it. However, your home PC is extremely vulnerable.
Oh, and I can do this from my smartphone!
The point is, most of us don't have the means to protect against something like this. A large company might, but not directly. They protect their network and systems in other ways that prevent this attack from even being a possibility.
[snippage] read my super long ass post for this stuff
End of the day, imo, both parties are to blame.
Ok. I know my post was incredibly long and pretty technical, but you missed the entire point of salt.
Salting is not a means to secure the database. That would be achieved through other methods of preventing intrusion or data theft.
Salting a hash has several effects. Let me try to post this in a simpler manner.
Salting does NOT prevent the database from being stolen.
Salting does NOT protect your password from compromise from sources that are not the user database.
Salting does NOT make anything more secure on the user's end. Its purpose is to protect data server side.
Salting does NOT prevent someone from guessing your password manually or with scripts by entering it into the client (Blizzard achieves this through throttling of login attempts as opposed to blocking login attempts usually, they will eventually ask for security questions and even lock your account in extreme cases)
Salting DOES prevent the passwords in the database from being cracked, guessed, brute forced, or otherwise retrieved if properly secure hashing algorithms are used.
Salting DOES add complexity to insecure passwords. The user can use their easy to remember password, but the server sees it as something entirely different.
Assume your password is 'password'.
The first round of salt changes that to a1B2c3D4e5%password. This is the exact same as if this was your password to begin with. It is by all accounts a complex password. The client has just forced password complexity on you without you knowing it.
The client runs a1B2c3D4e5%password through the MD5 algorithm. The result is something along the lines of 79054025255fb1a26e4bc422aef54eb4. Again, at this stage this is effectively your password. Your password is NO LONGER 'password' for all intents and purposes.
So the client does another pass of salting. 79054025255fb1a26e4bc422aef54eb4 becomes z9Y8t7R6&79054025255fb1a26e4bc422aef54eb4password. Again, as far as the server is concerned, this is the password you are entering, not the insecure password.
That is the final stage of salting. At this point the client has finished salting your password and is ready to hash it.
Again, let me be very clear here. You think your password is password and that is what you typed into the box. However, because of the salt, the client believes your password is z9Y8t7R6&79054025255fb1a26e4bc422aef54eb4password. I don't need to tell you which one of those is a better password.
Even though your actual password doesn't have any numbers or capital letters or symbols, the client inserts them into your password anyways.
This IS the forced complexity everyone thinks doesn't exist. All you know is that you enter a non-case sensitive password. The salt IS case sensitive.
The client hashes your password with SHA-2. z9Y8t7R6&79054025255fb1a26e4bc422aef54eb4password becomes:
ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c.
The blue part is what is sent to the server. Unlike the previous steps, this is not a salt. This is the actual hash of your password + all salt. This is not effectively your password like the multicolored examples in the previous steps.
This is the part that Blizzard keeps in their database. It is unique to your password. It is unreversible, uncrackable, and not able to be brute forced. It cannot be used to log in to the server, as it would be salted and hashed and result in a mismatch with the hash on the database.
The point is this: You started with a weak password. Blizzard did not enforce case sensitivity. They went ahead and allowed you to use the word password as your password. This is all correct.
Behind the scenes they are 'fixing' your password. They are adding case sensitive characters. They are adding numbers. They are adding symbols. They are adding extreme length.
This is how they can get away with allowing such weak passwords. They strengthen them. This obviously doesn't protect against other means of compromise of your account, but it does one thing very very well. Prevents any issue on their end from compromising your account password. An attacker could still get your password from a keylogger or another site's database, or malware or whatever, but they CANNOT get it from Blizzard's database unless they know the salt method (which they don't).
Oh, and on the topic of salting, I would just like to add that this is the industry standard for password security as opposed to enforcing complexity on the user's end.
Google does it (gmail and all other accounts).
Online Banking sites do it.
Paypal does it.
Ebay does it.
Microsoft does it.
Other video game companies do it, especially mmo companies.
Steam does it.
Apple does it.
There is a very simple reason why companies would choose salting over enforcing password complexity on their users.
Salting is guaranteed complexity and length. No matter what.
If I wanted to, I could make my online banking password "123456" right this very second. What should be more secure, Blizzard or a major nationwide bank with online access to your account?
If my bank enforced some simple complexity, say 10 characters with an uppercase letter, lowercase letter, a symbol, and a number, I could totally invalidate this security by making my password 'P@ssword01' It fits their complexity rules, yet it is incredibly insecure. The system would think it was perfectly fine though.
Salting is MORE secure than enforcing complex passwords and also more user friendly. It's a win-win.
It wouldn't hurt anyone if they forced some more complex passwords though, better yet, passphrases, like in the XKCD comic someone on page 1 posted. It forces people to at least think about it and because a lot of websites let you get away with less complex passwords, chances are that the Battle.net password would stay unique for players.
The theory of a Blizzard insider leaking information is a possibility, albeit a small one. It's not like everyone has intel on what kind of encryption is used or how to get into the databases. It's probably not that simple. Same with the claim that GM's know everything, like your account details, password, e-mail, etc. It's ridiculous. That would be the worst security practice. If it was true, I wouldn't be surprised that Blizzard would be sued because of that. It's your personal, private information. Blizzard has no need for it.
To the OP. There're so many ways that you can be compromised. Java and flash are two likely candidates. If you have No-Script, but still allow sites, then the defense of No-Script is already compromised. Just saying.
I am aware of that, but I really allow noscript on very very few sites, and never on everything requesting access on a site.
However this morning one of the scanners finally found something:
My girlfriend had showed me several photos she took over an instant messenger. She interspersed the photos with small .gif animations of a cute dancing cartoon bunny.
The scanner said one of the .gifs was actually a trojan. To be bluntly honest I had never heard of such a thing - a trojan hiding in a gif I mean. I will be sure to protect myself from it from now on.
Unfortunately I did not think to check the name of the gif or any of the details of it before removing it. I was rather aggravated and was not thinking of checking things like that. In fact I am not even positive it was the bunny, but I cannot remember her showing me anything other than that and the photos that she took.
If anybody is wondering why I left out having an instant messenger before, it simply did not occur to me to mention it. I only use it to talk to my gf and don't let it display advertisements or go to any of the sites it links to etc. I did not let files transfer through it, but pictures it by default allows and I did not think anything of it.
I am shocked that nothing else was messed with if this was indeed the culprit. I am continuing scanning with everything I can think of, and will update if anything else is found. So far every other scanner has come up completely empty. I was rather surprised spybot missed it as it has always been the best for me when helping friends with computer problems in the past. Of course it could just be a false positive, but I updated all my passwords and cancelled my debit card, would rather be safe. Back to scanning.
Edit: I used to keep the instant messenger just to my phone as well, but it wasted the battery so I used it on the computer. Back to the phone I guess.
You should have gone the extra mile and told us that right after you got a call from your bank to ask if the 14 different subscriptions to various Bolivian pron sites was legit. Because the only other thing you've ever used that CC info for was to purchase D3.
Wasn't really dramatic enough to pull me and get immersed in the story.
It was at least good enough to be a quest in SWTOR!
Originally posted by dubyahite: As far as malware in image files, that issue dates back to at least windows 95. There was a well popularized jpg malware that gave the attacker complete control over windows 95.
Yeah buffer overflow in Windows 95's built-in JPEG decoder, if I recall correctly. Carefully crafted metadata in a JPEG could cause the buffer overflow and execution of arbitrary code.
Comments
It was an old physical keychain authenticator I had from when I had played WoW. It had been sitting in a corner for... a long while and was rather yucky. Due to me being what I thought was rather diligent about my computer I was not very concerned about removing it, and procrastinated putting the mobile authenticator on (the app). As it is I put the physical auth back on because it was the fastest thing to do when the person accessed my account. I just cleaned it up a bit since then : P
If this ends up being a keylogger of some sort on my system, though, I am very happy I had it off. I still have not had it detected by any scanner, but if it exists then I would much rather deal with the inconvenience of an accessed battle.net account than having other, more important information stolen.
you haz keylogger, stop going to powerleveling/gold buy site!
To be clear, I have been using some different terms interchangeably. It's a bad habit. The terms are hashing and encryption. They are different things, and I'm going to focus on one-way encryption or hashing for this response.
First of all, I have already posted several times about how hashing transfers your password from the client to the server in an "encrypted" state that is not the plain text of your actual password.
The client turns what you type in into a string of hexadecimal digits (varying length depending on the algorithm used).
So you type in "password" for your password. The client runs it through an algorithm (we'll assume MD5 here because it has vulnerabilities and helps me prove a point). "Password" becomes f8bbff024e7d04d98a349ccb0984ad85d8ba86fa (this hash is made up btw). This long string of hex is what is sent to the server, not your password. When you created your password, the same process happened. The server doesn't compare the word "password" to the word "password" in their database. They compare the hex string to another hex string.
I am going to show you how your statement about "decrypting" the database is completely false and how easily Blizzards password database can quite literally be made uncrackable and unguessable.
Ok, so remember when I said MD5 is insecure? Well it is. Extremely. If Blizzard is using MD5 as their algorithm then that would be a problem. They aren't though. However, I'll show you what they are most likely doing to protect your password.
There is a process called salting in hashing. This basically uses another algorithm or some other system to insert data into your password. An extremely simple salting method would be to insert a word in front of your password. So when you type in "password" the client might append the word "a1B2c3D4" in front of your password before hashing it. So the client takes the phrase "a1B2c3D4password" and hashes that.
The hash for this would be very different. We are also taking in to consideration that Blizzard's passwords are not case sensitive for whatever reason. This doesn't mean that the salt cannot be case sensitive. "a1B2c3D4password" is a LOT more secure than "password" for obvious reasons. By doing this, the company has basically enforced password complexity on you, behind the scenes without your knowledge. It is seamless and your crappy "password" is still valid.
The client may not recognize uppercase in the password you type in, but can still use it in the salt! Not only does this enforce complexity, it is perfectly seamless to the user. They have no idea it is ever going on. On top of that, it protects against brute force attacks.
Every hash is different. If I were to change one letter in your password it would drastically alter the resulting hash. MD5 always produces a 32 bit hash, no matter how many characters are in your actual password. This is important to remember.
Ok, lets get back to MD5. It is very vulnerable, and shouldn't be used to store passwords, on it's own. Now that you understand salt, let me explain how MD5 can be used to make an extremely secure, salted, extremely complex password, that cannot be brute forced. There is no method to "decrypt" this as you suggest.
There exists a hashing algorithm that is not crackable (or "decryptable" as you put it). Actually it is a set of algorithms to be exact and they are called SHA-2. They function similarly to the way I described MD5. Plain text goes in, hash comes out.
SHA-2 algorithms were developed by none other than the NSA. Yes that NSA. As of right now, SHA-2 has not been cracked, and even though it is still secure the NSA is working on SHA-3 to replace it. SHA stands for Secure Hashing Algorithm and the name is fitting.
So why the hell are we even talking about MD5? Why not just use SHA-2 and be done with it? Well, while SHA-2 does not have any known vulnerabilities, it can still be brute forced. This is an unfortunate side effect of hashing that can probably not be accounted for except with private custom algorithms.
So check this out. This is a relatively easy to implement solution, and there are many other ways of doing things to salt that are even better than this.
So your password is "password." We assume the client is going to hash that with the crackable MD5. We also assume there is a salt in use.
What if that MD5 hash IS the salt? So "password" becomes f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword. Pretty crazy password right? Let's take that and run it through one of the SHA-2 algorithms. Let's say SHA-256. This means the output hash will be 256 bits, while the output of MD5 is 32 bits. In other words, it's much much longer. So it produces a 256 bit hash based on f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword NOT based on "password"
I won't type a 256 bit example out here, but you get the picture. This can (and is) taken to even further extremes. We can put the a1B2c3D4 example I gave earlier in front of the text BOTH times it is hashed to make it even more complex. Or we could run it through even more hashing algorithms.
Imagine if this is your password to D3. a1B2c3D4f8bbff024e7d04d98a349ccb0984ad85d8ba86fapassword
That is BEFORE it even touches the SHA-2 which results in a hash similar to this: d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
Let me be clear about this. The yellow, blue, and red example I gave is basically the same as having that as your password. It is no different than if you sat down at your computer and typed that whole long mess into your client to log in every time.
You THINK your password is "password" but in fact it is that craziness.
The green hash is what is stored on Blizzard's server. That is the only thing they have. Period. Again, these are made up hashes.
I can almost guarantee that Blizzard has a very unique salting method. I doubt it is as I described this one, but something that would be impossible to guess. The only people that would have access to their hashing method would be people at the highest levels of IT. No one else needs to know anything about it for it to function.
Let me be very clear about this. Those hashes, if using SHA-2, are NOT crackable. The hash CANNOT be turned back into your password. It is truly a one-way trip. Those hashes are the ONLY thing stored on the server. Nobody at Blizzard could tell you what your password is. They could pull up their database and all they would have was that crazy ass hash.
Not ONLY is it uncrackable, and irreversible, but it is not really even Brute Forceable either! Unless the attacker knows exactly how the passwords are salted, which is highly unlikely.
I am convinced that blizzard uses a complex salting algorithm. This would explain the lack of case sensitivity in their passwords and it would also excuse it. It would not be necessary at all.
You know who rarely uses a scheme like this? Fansites, guild sites, and other small websites.
Let's assume your tin-foil hat theory about an inside job is true. Lets also assume that the person doing it knows the salting method and Blizzard never changes their salt.
We are still at the point where the ONLY viable attack on the database is a brute force attack. The SHA-2 algorithm used is not crackable. So again, assuming all that is true, the only passwords that will be retrieved are those of the people that do not use a complex password already, which is foolish on their own part. The company has gone to a reasonable length to protect the database. It is the very definition of secure. We are right back to user error again.
I guarantee you that no GM knows the salting method used. There is absolutely no reason for them to know it, and the method would be considered extremely sensitive information by the IT department. If a GM was made aware of the salt, it would be considered a huge security breach, even though that GM works for the company. My guess is that very few people at Blizzard understand the salt that is used.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
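An added example, not code from the thread or from Blizzard: it reproduces the two-stage salt-then-hash walkthrough given in the post above and in the "you missed the entire point of salt" post (fixed salt + MD5, then fixed salt + SHA-256) and sets it beside the conventional server-side design, a random salt per user fed to a slow KDF (PBKDF2-HMAC-SHA256), so the stored records from the two designs can be compared on the same sample users. The salt strings are the ones from the walkthrough and the user table is constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Fixed salt strings copied from the thread's walkthrough (constructed values).
SALT_ROUND_1 = "a1B2c3D4e5%"
SALT_ROUND_2 = "z9Y8t7R6&"


def two_stage_digest(password: str) -> str:
    """Walkthrough scheme: fixed salt + MD5, then fixed salt + MD5-hex + SHA-256.

    The thread says the Battle.net password was not case sensitive while the
    salt is, so the user's input is lower-cased before the salt is prepended.
    """
    stage1 = SALT_ROUND_1 + password.lower()
    md5_hex = hashlib.md5(stage1.encode("utf-8")).hexdigest()   # 32 hex chars
    stage2 = SALT_ROUND_2 + md5_hex + password.lower()
    return hashlib.sha256(stage2.encode("utf-8")).hexdigest()   # 64 hex chars


def per_user_record(password: str, iterations: int = 200_000,
                    salt: Optional[bytes] = None) -> dict:
    """Conventional storage: 16 random salt bytes per user, slow KDF, all stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations,
            "digest": digest.hex()}


def verify_per_user(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


def _collisions(digests: dict) -> dict:
    """Map each digest that more than one user shares to those users."""
    groups: dict = {}
    for name, digest in digests.items():
        groups.setdefault(digest, []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


def shared_salt_groups(users: dict) -> dict:
    """Users whose stored value is identical under the fixed-salt walkthrough."""
    return _collisions({name: two_stage_digest(pw) for name, pw in users.items()})


def per_user_groups(users: dict) -> dict:
    """Same check for per-user random salts (low iteration count keeps it quick)."""
    return _collisions({name: per_user_record(pw, iterations=1_000)["digest"]
                        for name, pw in users.items()})


# Constructed sample user table; alice and bob differ only in letter case.
SAMPLE_USERS = {"alice": "password", "bob": "PASSWORD", "carol": "hunter2"}

if __name__ == "__main__":
    print("two-stage digest for 'password':", two_stage_digest("password"))
    print("same stored value under the fixed salt:", shared_salt_groups(SAMPLE_USERS))
    print("same stored value with per-user salts:", per_user_groups(SAMPLE_USERS))
    rec = per_user_record("password")
    print("verify correct password:", verify_per_user(rec, "password"))
    print("verify wrong password:  ", verify_per_user(rec, "passw0rd"))
```

With the fixed salt, every user who chose the same (case-folded) password ends up with the same stored value, so one recovered value identifies all of them; with a per-user salt each record is different and has to be attacked on its own.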
I'm not saying that anything is possible. Not at all actually.
What I am saying is that personal computers and their associated networks are in a perpetual state of vulnerability. It is through no fault of the user that this is the case.
No anti-virus can catch everything. No home system is without vulnerability in some fashion or another. There are security flaws in the world that simply have no technological solution. There are vulnerabilities in products that we use every day that no one even knows about except the person using them.
For example: man in the middle attacks. If I am on the same network as you, I can with extreme ease intercept every single piece of data that you send out and every single packet sent to your machine. This could be on a home network or a public network. Doesn't matter.
Your SSL logins are encrypted, but I can also spoof those logins (again if I am on the same machine as you) so that you send your password to my machine with the wrong encryption. I take the password and send it off to the server with the correct encryption nearly immediately. The server doesn't know whats up and neither does your machine, but I have your password.
There are ways to detect/prevent this attack, but there is no commercially available product that is going to detect it. No firewall will notice. Your AV software won't notice. Your browser with no-script in a sandbox won't notice.
This is actually a perfect example. Like I said there are means to prevent this type of attack, but they usually rely on protecting your network from physical local intrusion. A big company will also have the technology to detect it. However, your home PC is extremely vulnerable.
Oh, and I can do this from my smartphone!