Website Feedback
Closed Threads
IRC Web ChatTeamSpeak 3 (82 users)
Active: 9169 users | |
|
| MyLastSerenade Germany. August 10 2012 09:06. Posts 707 | Profile # | |
| |
|
| Medrea August 10 2012 09:08. Posts 9999 | Profile # |
| Well it's not like they kept the passwords in plaintext. |
| |
|
| Corrosive Canada. August 10 2012 09:11. Posts 3663 | Profile # |
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.
If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/ |
| | Hello. |  |
|
|
| creamer Canada. August 10 2012 09:11. Posts 128 | Profile # |
| If they have a half decent encryption on the passwords (which I'm sure they do), I'm not worried at all about my account being accessed. |
| | MKP - Best player of all time |  |
|
|
| andReslic August 10 2012 09:11. Posts 200 | Profile # |
I feel like people that bought accounts will feel safer after beign able to change the secret question
|
| |
|
| Wuster August 10 2012 09:14. Posts 627 | Profile # |
On August 10 2012 08:51 Virtue wrote:
Show nested quote +On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.
Usually at this point after a hack, case of the characters in your passwords doesn't matter. They are just going to brute force (Try every possible combination of characters for a certain length) and when a computer is just calculating hashes and comparing them it doesn't make it harder or easier. Thankfully, it seems like Blizzard's password storage protocol is a lot better than most encryption methods at standing up to brute forcing their hashes. (Might even be impossible.)
I'm by no means an expert, so I'm wondering if you could explain how a storage protocol could be better or worse against brute force. Do you mean things like individual salts or increased entropy?
Because all I'm thinking is that once someone has the actual hash you can't slow their velocity when it comes to brute-force attacks (which Blizzard does when you enter passwords through the game client / web).
Edit: I do agree that case actually is a red herring here, because the allowable character set and password lengths already have plenty of permutations to prevent someone easily cracking one password let alone all of them.Last edit: 2012-08-10 09:16:42 |
|
|
| v3chr0 United States. August 10 2012 09:17. Posts 855 | Profile Blog # |
| My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though. |
| | "He catches him with his pants down, backs him off into a corner, and then it's over." - Khaldor |  |
|
|
| Sikly United States. August 10 2012 09:20. Posts 411 | Profile # |
On August 10 2012 09:17 v3chr0 wrote:
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.
Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours. |
| |
|
| Chunhyang Bangladesh. August 10 2012 09:20. Posts 1349 | Profile # |
So, someone hacked? Or someone went all Mission Impossible on Blizzard HQ? The latter, I hope.
I'm not worried. |
| | If you could reason with haters, there would be no haters. YGTMYFT |  |
|
|
| achristes Norway. August 10 2012 09:25. Posts 649 | Profile Blog # |
Did anyone know that if you type your bnet password on TL it automatically turns into stars?
Here's mine: *******
Pretty sick.
On a serious note, looks like blizz handled it nicely. |
| | youtube.com/spooderm4n | twitch.tv/spooderm4n | Random videos and games I feel like uploading |  |
|
|
| nath United States. August 10 2012 09:26. Posts 1317 | Profile Blog # |
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.
(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")
as a programmer, yes. |
| | Founder of Flow Enterprises, LLC http://flow-enterprises.com/ | |
|
|
| Vorenius Denmark. August 10 2012 09:26. Posts 1660 | Profile Blog # |
1 million years.
I'll take my chances.  |
| | Func 1030 improved Liquid`Jinro's accuracy by 1000% (true story) |
|
|
| Kaasstengel Netherlands. August 10 2012 09:27. Posts 8 | Profile # |
| Thanks for posting this! I'm playing on the European server but changed my password and question anyone, never can be too certain these days! |
| |
|
| leo23 United States. August 10 2012 09:30. Posts 2852 | Profile Blog # |
T_T oh my god  ... |
| |
|
| trifecta United States. August 10 2012 09:30. Posts 834 | Profile # |
On August 10 2012 09:06 MyLastSerenade wrote:
unbelievable......
Why is this unbelievable? Security is a really hard problem of asymmetric warfare. At least Blizzard, as far as we know, didn't make any obvious mistakes like keeping passwords in plaintext. As the Apple/Amazon story from a few days ago reinforced, users have to share the responsibility of security (don't reuse passwords, use strong passwords, keep backups etc)–you can't expect even the largest corporations to keep out all attackers all the time. |
| |
|
| Laneir United States. August 10 2012 09:31. Posts 1112 | Profile # |
| No bueno hope they fix this fast |
| | Follow me on Twitter @Laneirstarcraft | Liquid Tera GM | liquidtera.shivtr.com |  |
|
|
 xrapture United States. August 10 2012 09:31. Posts 1643 | Profile Blog # |
Last edit: 2012-08-10 13:33:35 |
| | Everyone is either delusional, a nihlilst, or dead from suicide. |  |
|
|
| Eufouria United Kingdom. August 10 2012 09:32. Posts 4120 | Profile Blog # |
On August 10 2012 09:26 Vorenius wrote:1 million years. I'll take my chances.
128 decillion years
Possible Combinations: 16 sexdecillion
I'm quietly confident. |
| |
|
| zergrushkekeke Australia. August 10 2012 09:33. Posts 241 | Profile # |
On August 10 2012 09:17 v3chr0 wrote:
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.
That is not how passwords work, if you have a crazy long and difficult password and someone steals it, they don't care how long or complicated it is, they will more likely be copy/pasting it.
And to the other post about using a webpage to check how secure your password is, i seriously hope you didn't use your real one, how secure is a secret you told someone about to see if they have heard it? |
| |
|
| Shenghi August 10 2012 09:33. Posts 119 | Profile # |
On August 10 2012 08:16 R1CH wrote:
Show nested quote +On August 10 2012 08:08 Shenghi wrote:
Assuming Blizzards implementation of the RSP-protocol is correct and they use sufficiently large numbers, and there is no reason to assume otherwise, then the passwords of the NA accounts are still just as safe as they were before, with the minor difference that more attempts at breaking them could now be made per second. However, for strong passwords this doesn't matter, as strong passwords take billions of years to break anyway.
While SRP is very secure, there are many services (like the battle.net website) that can't use SRP, so it seems reasonable to conclude that some password-equivalent data is stored somewhere and that it could have been leaked.
Even so, it can reasonably assumed that Blizzard sufficiently salts and otherwise obscures the password before hashing it with a safe hash, so the point stands. Weak passwords remain weak, strong ones remain strong.
Nevertheless, everyone affected should of course still change their passwords, just to make sure.
On August 10 2012 08:26 thurst0n wrote:
LOL SO TRUE!
I seriously cannot have a password for each site because I cannot remember that many passwords. I have to change my password at work every 10 weeks, and I'm running out of options, I cannot use ANY password I've previously used... security questions I have a little trick for, that this hacker ruined. I always answer the same 3 things for security questions, and they are complete bullshit, so it doesn't matter what questions are asked, just the random answers i have selected, it makes it hard when sites ask me in random order.
Bleh, I guess I'll have to write down my passwords at home, and start making them different for everything. Luckily I already use seperate password for things i care about, like banking/personal email. Fuck you hackers
The sad part is that changing your password every 10 weeks doesn't even increase security. If your password is strong, then it's strong. If it's weak, then it's weak. In fact, having to change it often will probably lead to much weaker passwords, such as "thissux10" and then just increment it every time you are forced to change it.
As for security questions, don't get me started. They are pretty much the bane of my existence. If I can avoid having to answer them, I will. If that means I have to avoid a certain service, so be it.
Don't write your passwords down. Use KeePass, like some people have already suggested.
On August 10 2012 08:43 Pufftrees wrote:This is just... unacceptable. What the flux. + Show Spoiler +
This happens to every major company and every government. Nothing you can do about it. Attackers are always ahead of defenders. Not Blizzards fault, and in fact, as far as we can tell they're handling it better than most.
On August 10 2012 08:45 RoyGBiv_13 wrote:
I went to a talk at DEFCON about fuzzing d3, where they showed just how secure blizzard's password system is. I would not be worried about them breaking you password hash (a properly salted and hashed password is a difficult thing to unravel). The security questions are a real risk though.
Always those dang security questions...
On August 10 2012 08:51 Virtue wrote:
Show nested quote +On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.
<snip> Still, when it comes to passwords length is all that matters. I work for a company that audits IT and when we get hashes of passwords like these guys did, we can usually crack all of an institutions passwords in a day. The only ones we can't crack no matter how long they are are ones that are long (Something like 13-15 characters or longer). <snip>
Even if the hashing algorithm is known and only lower-case characters (no uppercase, no digits, no special characters, etc.) are used, then at 1 billion (1 000 000 000) attempts per second it takes ~50 000 years to break 15-character password, assuming the hash is safe (no collisions are known, or are expected to be found within that time frame.)
For a 20-character password, this would be ~631 billion years.
Note: The (possibly) fastest computer on earth can make about 75 billion attempts per second.
(Reinforcing your point here, not disputing it)
On August 10 2012 09:01 DertoQq wrote:
Actually, case does help. They are going to brute force it and if they have to take into account the case, it will increase the number of possibilities by A LOT.
It helps, but it won't change much for a password of desirable length. If it's impossible to get in a few billion years, then one way or the other, you'll be fine.
On August 10 2012 09:20 Sikly wrote:
Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours.
Memorizing a new, strong password takes more than minutes.
On August 10 2012 09:25 achristes wrote:
Did anyone know that if you type your bnet password on TL it automatically turns into stars?
Here's mine: *******
Pretty sick.
Oh, you read bash.org.
|
| | People are not born stupid, they choose to be stupid. If you made that choice, please change your mind. |
|
|
| Prev 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 Next All |
|
|
|
|
|
|
| |
|
Sidebar Settings...
|
Store
WCS
SC2Links Mobile App …
