At my last job, as a Network Administrator, one of the largest aspects of network & user account security was how strong passwords were, and how strong password attempt security was. Case sensitivity is a BIG thing, and amateur companies don't use this practice.
Apparently, Blizzard's stance on account security is horribly amateurish & lackluster allowing for even some of THE MOST basic account compromising attempts to be used.
At the end of the day, I don't believe Blizzard can "Do No Wrong", and I believe it is up to EA-Blizzard to own up to THEIR mistake here.
For those of you who missed it: Link
Woody also touched on the subject: Here
Let's also not forget that you can attempt a password as many times as you like currently, or at least I can in Starcraft II which apparently is Blizzard wide?
Can you do this in WoW?
ps: I didn't see this subject already posted. Has it been discussed?
-Cheers
The Theory of Conservative Conservation of Ignorant Stupidity:
Having a different opinion must mean you're a troll.
Comments
Well first of all, EA has nothing to do with Blizzard.
Secondly, I agree that perhaps Blizzard allows passwords that are too simplistic. But at the end of the day, they are a game company, not a bank or something else of greater importance. I think it is on the user to create secure passwords and to make sure that they don't fall for phishing scams, keyloggers, etc.
Blizzard already does FAR more than most gaming companies to enhance security by offering things like the mobile authenticator and the apps for all major cell phones.
True, but that does not mean that OP isn't right. Changing the password complexity is a great idea actually, it doesn't cost Blizz money and would probably make things harder for many hackers...
I think you should post it on the Blizz official forum, OP.
I disagree entirely.
A LOT of personal information is stored in a "Game Company's" account information for a user that the user can readily get to from their account information page once logging in. Nothing like credit cards, but your name, address, etc are all there. Not something I want just anyone looking at.
Additionally, I've found Blizzard's account security to be the worst out of ANY game company I've had interactions with. If you worked in the IT field you'd understand just how absolutely absurd it is that their passwords are not only NOT case sensitive, but that you have unlimited tries to login with said case-less passwords.
Lastly, simply blaming the user for falling for "phishing scams" or keyloggers is also reasonably absurd. Someone brought up the point that when EA had accounts hacked it was a "Bad Company", but when it's Activision-Blizzard (sorry about that, I get EA & Activision mixed up in terms of company acquisitions) Activision-Blizzard can do no wrong and the attention focuses on customers with keyloggers or phishing attempts.
From an IT point of view, I blame Blizzard for their piss poor account security. You'd be surprised how easy it is to hack an account once you know the account name with these kinds of password standards. I'm not surprised AT ALL at the number of Diablo 3 accounts being compromised.
Think about that for a moment Loke.
Do you REALLY think it won't "cost them money" to increase account security thereby making their authenticators LESS valuable?
I clearly see why their authenticators are selling like hotcakes by allowing their standard account security to be so pathetic.
Also, I don't go to the Blizzard forums anymore, and haven't for 5 years. It's filled with several hundred times more trolls than anyone else has seen on MMORPG.com. Not to mention that thread I posted in the "Link" is one detailing it, however Blizzard are trying to dismiss it entirely.
Case insensitive passwords nearly halve the number of available characters needed to try. Unlimited attempts to try passwords, with no escalating wait times for attempts decreases the amount of time needed to guess a password dramatically. It seems pretty basic and if I were setting up an authentication system, it would be case sensitive, with a limited number of attempts with escalating timeouts between failed attempts. It's just a very simple thing to implement. In fact, I have implemented such things in production systems.
But let's be realistic. You can guess a password through Blizzard 172,800 times in a day. That's one guess every half second. If you used the numbers 1 through 8, using 8 digits for your password, you've got something like 16 million possible passwords. That's 90 possible days of guessing passwords to get the right one. Even checking the password 4 times a second means it takes up to 22 days to guess the password.
It's much more economically feasible to get users to download key loggers and just go after those people.
In the meantime, the length of your password is more important than anything else in determining how long it takes someone to guess it or brute force it. An 8 digit password, using all available numbers, letters and special characters can be brute forced in about 3 minutes with direct access to the password file. A 20 digit password, using only lower case letters and spaces can take as long as 15 days to guess with direct access to the password file. So...long easily remembered passwords are your best bet.
** edit **
The point is that brute force guessing passwords over the internet is the least likely attack vector. The most likely attack vectors have nothing to do with Blizzard, and everything to do with advertising networks and dumb passwords.
I can not remember winning or losing a single debate on the internet.
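As an added example, not from any poster in this thread, the Python below puts the two controls described in the post above into numbers: the candidate space for a given alphabet and length (with the 172,800 guesses-per-day figure used above), and a per-account escalating timeout of the kind the poster says is simple to implement. The character-class sizes and the backoff parameters are my assumptions, not Blizzard's or anyone else's settings.

```python
"""Added example: keyspace arithmetic and an escalating login throttle."""
from dataclasses import dataclass, field

# Assumed character-class sizes (printable ASCII symbols taken as 32).
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32
GUESSES_PER_DAY_UNTHROTTLED = 172_800   # the thread's "one guess every half second"


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over `charset_size` symbols."""
    return charset_size ** length


def days_to_exhaust(space: int, guesses_per_day: float) -> float:
    """Worst-case days to try every candidate at a fixed online guess rate."""
    return space / guesses_per_day


@dataclass
class LoginThrottle:
    """Escalating lockout per account: the first `free_tries` failures cost
    nothing; each later failure imposes base_wait * 2**k seconds, capped."""
    free_tries: int = 3
    base_wait: float = 1.0
    max_wait: float = 900.0          # 15 minutes
    failures: dict = field(default_factory=dict)

    def wait_after_failure(self, account: str) -> float:
        """Record one failed login and return the delay before the next try."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n <= self.free_tries:
            return 0.0
        return min(self.base_wait * 2 ** (n - self.free_tries - 1), self.max_wait)

    def reset(self, account: str) -> None:
        """A successful login clears the counter for that account."""
        self.failures.pop(account, None)


def guesses_in_window(throttle: LoginThrottle, account: str, seconds: float) -> int:
    """Count how many wrong guesses fit into `seconds` against one account
    when every attempt fails and the imposed delays are honoured."""
    elapsed, count = 0.0, 0
    while elapsed < seconds:
        count += 1
        elapsed += throttle.wait_after_failure(account)
    return count


if __name__ == "__main__":
    ci, cs = keyspace(DIGITS + LOWER, 8), keyspace(DIGITS + LOWER + UPPER, 8)
    print(f"8 chars, case-insensitive alnum: {ci:,}; case-sensitive: {cs:,}")
    print(f"8 digits from 1-8: {keyspace(8, 8):,} candidates, "
          f"{days_to_exhaust(keyspace(8, 8), GUESSES_PER_DAY_UNTHROTTLED):.0f} days unthrottled")
    print("guesses/day with throttle:", guesses_in_window(LoginThrottle(), "alice", 86_400))
```

Case-insensitivity shrinks the 8-character alphanumeric space by a factor of roughly 77 rather than halving it, and the throttle cuts the daily guess budget from 172,800 to about a hundred.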
Well I'm not aware of Blizzard's password policies but if passwords aren't case sensitive and you can try the password an unlimited amount of times then it makes it quite easy to hack accounts.
If someone gets your account name all they have to do is set up a computer to run a rainbow table (list of letter/number combinations) and run it until it finds your password. If your password is under 10 characters and it's not case sensitive then it doesn't take very long to break.
Still, from my professional background it makes my stomach turn to learn this is commonplace in Blizzard's account security.
Literally, I can't express to you the horror you feel from my background when you think about it. It is, purely speaking, completely amateur and tells you a LOT about how the company feels about account security.
I'm against this idea. Password requirements have made it so I have to keep a physical list laying around that has passwords on them. It's not secure, but it's what I have to do because I can't have 5 different passwords that aren't dictionary words that must start with a capital letter and have at least 1 number in them blah blah blah. Just can't do it. Won't do it. My brain has better uses.
I imagine a lot of people are like me, and some of them probably keep this stuff on a list in their computer, or worse yet, a list they emailed to themselves to check online if they are away from home. This isn't good.
The internet has been around long enough for people to know better than to use passwords that are guessable within a few tries. Almost all systems lock you out after a few tries, and so the difference between a password that could be guessed within 10 attempts (starting from the most commonly used passwords, birth dates, personal info based) and 1 million is nil.
Almost never does password complexity have to do with hacking these days, and I think it actually sets us up for more account insecurity overall.
I work in the security software industry and I think I have a pretty strong grasp of this topic. Please explain what exactly Blizzard does that is sub-par in terms of security in relation to other companies.
As far as I can see, they have largely the same policies as their peers. Every online game company will have a user's name and address in the account information... so this is not something unique to Blizzard by any means.
If a person loses their password, they can have a password reset link sent to their email address. If someone does not know the password, they would have to either have access to the email account OR they would have to brute force the password. Either of these things are possible on virtually any secure website or service and it is always the responsibility of the user to make sure that no one else has access to their personal email accounts and that their passwords are not too easy to guess.
You could also gain control of an account by contacting support via email or phone, but you would still need to know the answer to personal information that is asked of you by the support representatives. This is also standard for online game companies.
And like I said in my original response, Blizzard also offers their mobile authenticator and mobile authenticator apps. These make account compromises almost impossible and Blizzard is one of the only companies in the industry to offer this.
I know that many people like to pick on Blizzard because they have so many accounts hacked, but the only reason for this is because their games are more popular than most other companies combined. Blizzard still has FAR more people attempting to compromise their players' accounts than anyone else. It's as simple as that.
Since we have so many pros here, I guess it's pointless for me to restate that brute forcing doesn't work on any modern system... no? okay then carry on.
I already did?
Password security is a BIG one, and is quite possibly the largest security issue in relation to other companies.
That is the focus of this thread, and not anything other in particular?
Not to mention the unlimited number of tries, but then again some "Peer" companies allow that too, but still force case sensitivity on their passwords.
How would they lose customers by adding case sensitivity? Case sensitive passwords are a choice on the customer's part. My password for Starcraft II had 3 capital letters in it prior to this discovery. Now my password is simply complex as all creation in lower case.
Except that you can use simple passwords for accounts on many online games. That is my point. Blizzard is not doing anything that is unique in this regard. With the exception of maybe one or two companies, usually just about anything is allowed in terms of passwords.
If you are going to single Blizzard out, explain what they are doing that is unique to them. Until it is common practice for online game accounts to require complicated passwords, it is unfair to blame any single company.
Blizzard is a FAIRLY large target in the market, and has been ever since WoW hit 1 million subscribers compared to its "Peers". Yourself, like me, being from a network security background understand that the larger a target your company is the more you have to lose than your "peers".
Perhaps it's simply me being surprised over such a very basic and pathetic security system for such a large company? It's like a giant walking around in a world of pygmies with a giant red mark on his knee saying "Bad Knee, don't hurt!".
I see your point, and a very depressing one at that. I hadn't thought of the Capslock key being the culprit.
Blizz doesn't do anything less, and actually does a little more with the authenticator, than any other MMO I play does.
Most places I make a password for don't require case-sensitive passwords. Most of them only require 8 characters, and a lot don't even require a number.
There are very few places that I've encountered that require case sensitivity, a number, and a non-alphanumeric character. Most of them that require that level of password creation have been for online banking.
I do not understand the hypocrisy of holding Blizzard to higher standards than any other company that does the same thing. People are acting like Blizz is the only company to not require more of you, when they aren't. Just because they're more popular doesn't make them more responsible.
And again, they aren't "guessing" your password. They're running against a list of passwords, usually associated with your email, that they got from other sites. They'll even guess on variations of the same passwords, using case-sensitive and "leet speak" formats. Just because you used Mypass for one thing and then m4P455 for another doesn't mean you're any safer. Hackers already know you did that, and they're running stuff to guess those different variations.
Also, it's been shown that case sensitive is no more secure than not case sensitive, and the only really safe passwords are ones that are completely random using letters, numbers, and symbols, made as long as possible, and then never the same password.
I will agree with you that a lot of problems could be avoided by requiring stronger passwords, but I believe this is an industry-wide issue... not something specific to Blizzard. There would probably be a lot less account thefts if they would implement this across all major online games.
I wonder how much of an impact it would have on Blizzard account thefts though. I think many of these stolen accounts come from keyloggers that are bundled with add-ons people download for games like WoW. You would be amazed at the sheer volume of malware that exists with the sole purpose of stealing WoW passwords.
It's not an industry wide issue because guessing passwords over the internet is not a primary or even secondary attack vector. I'd be surprised if it was even the 3rd largest way Blizzard accounts get hacked. However much people dislike Blizzard, they aren't complete idiots. They build cases against thousands of hackers every day.
Case sensitive passwords and increasing timeouts or lockouts are easy to implement. If Blizzard isn't changing the login system, it means it happens so little that it's more economically viable to have a real human restore items to players than it is to have an automated system filter out the attempts, which would cost $0.
Or it means that password guessing attempts are so transparently obvious (when was the last time you could type in your password 2 times a second?) that they can block the attempts to do so and block the IPs doing so while still allowing people to keep their short, easy to remember and dumb passwords.
The case-insensitivity of battle.net passwords is indeed moronic. But I'm pretty sure that people are getting their accounts jacked due to their passwords being keylogged, or shared with passwords on websites that got hacked, not due to them being brute-forced a little easier because they're not case-sensitive.
It significantly lowers the character space required to guess a password.
However, I'm pretty sure they lock your account after repeated failed logins. It happened to my wife when she couldn't figure out her password recently.
So effectively, the only effect not using case sensitive passwords would have is on cracking encrypted passwords in a stolen database. They may feel that this is unlikely to happen, but that's pretty over confident of them.
If they really believe that their database is not vulnerable to theft, then that would be a huge error in judgement on their part. It hasn't been stolen yet, but nothing is perfect.
Also, I don't get why this deserves its own thread. Not to be rude but there is already a thread on the issue with over 200 posts and this particular issue has been discussed within that thread. This post isn't special enough to warrant yet another thread on the subject.
Sure Blizzard could do a better job. But case sensitivity is mainly important in brute force hacks. With so many dummies getting keylogged, I don't see why they would need to brute force, which will attract Blizzards attention. An authenticator is 1000x better than case sensitive passwords.
It would be nice to be able to use an authenticator AND be able to lock your logins to a specific IP.
I'll drop the science for you kids:
http://www.xkcd.com/936/
OP: Don't go back into security, please. Case sensitivity is a big thing to Amateurs.
^ pretty sure most password fields don't allow me to enter something that long. Nor does anyone force you to use leetspeak as substitution.
While I'm not a fan of the whole case-insensitive password issue (which honestly makes me go wtf. What did they do there, == String.toUpperCase() ? ), I am much more bothered by the fact that Blizzard uses your email as the login. That is pure idiocy. It means if you use your email anywhere else there's potential it gets out (since most companies aren't careful with them) and then hackers have a list of account names they can use. For that reason, I have an email just for battle.net alone. Using an internal ID would be so much better...
Oh well, at least I have my authenticator. Never been hacked and hopefully never will be.