Capitalization on Blizzard Passwords - Page 4
tok
United States 691 Posts

RaLakedaimon
United States 1564 Posts

Nagano
United States 1157 Posts
On July 20 2011 03:42 Gheed wrote:
No, original battle.net passwords are not case sensitive, either. I just tested it using Warcraft 3.

Hum, yea you're right, I just tested it on BW bnet. I guess back in the day it was case-sensitive, because I had a case-sensitive password that I could never remember the exact capitalization of, and it always took me like 5 minutes to log in.
zhurai
United States 5660 Posts

windsupernova
Mexico 5280 Posts
This is not a huge deal, if you are worried about your password safety:
1.- Use long passwords, not common words, and combine numbers and symbols.
2.- Don't use the same password for everything.
3.- Don't fall for social engineering scams.
4.- Don't download shady software.
All of the above is much more important than caps-sensitive passwords. Gosh, I can't believe how many people just want to get angry for the sake of getting angry (not directed at the OP, he had good intentions in informing us, but it really is not a big deal).
Dental Floss
United States 1015 Posts

Skaff
United States 240 Posts
The authenticator is a great tool but it does have some issues. I personally used the physical key chain authenticator for a period of time (I did not have a smart phone yet). However, it became more of a pain over time. It eventually lost sync with bnet and it was generally 30 - 60 seconds ahead of bnet (would have to start login, wait 30 - 60 seconds between putting in key and logging in). Though, the mobile version has other sync features the physical device does not.
Ramuh
Germany 238 Posts
On July 20 2011 04:09 Dental Floss wrote:
You guys are all missing the point. The problem comes when someone executes a mysql injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.

If something like this would happen to Blizzard they would close down servers in the blink of an eye and make sure everyone would need to change their pw with whatever method. Plus I'm almost certain their passwords are salted and stuff, making their passwords more secure.
Torte de Lini
Germany 38463 Posts
On July 20 2011 04:08 windsupernova wrote:
I can't believe how big of a deal many people are making out of this. This is not a huge deal, if you are worried about your password safety:
1.- Use long passwords, not common words, and combine numbers and symbols.
2.- Don't use the same password for everything.
3.- Don't fall for social engineering scams.
4.- Don't download shady software.
All of the above is much more important than caps-sensitive passwords. Gosh, I can't believe how many people just want to get angry for the sake of getting angry (not directed at the OP, he had good intentions in informing us, but it really is not a big deal).

Point being that their extensive form of protection is completely overlooked.
TelecoM
United States 10679 Posts

zhurai
United States 5660 Posts

Antylamon
United States 1981 Posts
On July 20 2011 03:42 Ramuh wrote:
It doesn't matter. You almost can't bruteforce passwords over network, it just does too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point), bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff.
http://imgur.com/gallery/YWFLq
Substitute viruses with hacks and you're about right.
Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.

You forgot numbers. 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime.
EDIT: 10 char password would take 1,159,360 years.
Dental Floss
United States 1015 Posts
On July 20 2011 04:13 Ramuh wrote:
If something like this would happen to Blizzard they would close down servers in the blink of an eye and make sure everyone would need to change their pw with whatever method. Plus I'm almost certain their passwords are salted and stuff, making their passwords more secure.

That's not how it works. Such attacks are commonplace against banks and major corporations. You get no warning, and once you find out it's too late. Modern GPUs can crack passwords hundreds if not thousands of times faster than CPUs. See bitcoin mining for more information about parallel hash-checking.
Kralic
Canada 2628 Posts
http://us.battle.net/wow/en/forum/topic/1869566296#2
http://us.battle.net/wow/en/forum/topic/1658712043?page=2#21
It is not a big deal. I said this before and I stand beside it.
celious
United States 195 Posts
On July 20 2011 04:04 tok wrote:
Key logging has been apparent in almost all Blizzard games. World of Warcraft seems to be hit the most because of key logging programs hidden in addons that are common in the game. I think Blizzard should indeed make passwords case sensitive in addition to adding a log in on screen keyboard that is randomly generated each click, a little excessive I know but security is important.

Lol you cannot hide keyloggers in addons because LUA cannot execute another process. Back to topic: having case sensitive passwords increases difficulty of brute forcing a password, which in all honesty is difficult to do these days because accounts are locked after so many attempts, like 10 I think? And it doesn't matter if they use proxies or not, the account still becomes locked. Just avoid simple easy to guess passwords and don't reuse passwords and you'll be fine.
Dental Floss
United States 1015 Posts
On July 20 2011 04:17 noobinator wrote:
You forgot numbers. 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime.
EDIT: 10 char password would take 1,159,360 years.

Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
Bobbias
Canada 1373 Posts
On July 20 2011 04:09 Dental Floss wrote:
You guys are all missing the point. The problem comes when someone executes a mysql injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.

Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure.
celious
United States 195 Posts
On July 20 2011 04:25 Bobbias wrote:
Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure.

LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind the scenes WoW systems you would be amazed.
Dental Floss
United States 1015 Posts
On July 20 2011 04:29 celious wrote:
LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind the scenes WoW systems you would be amazed.

Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
Losiff
8 Posts
This doesn't really make it any less secure. Maybe if somebody has a password "pAsswORd", this would change it from almost guessable to guessable.
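The brute-force arithmetic argued over in the posts above, worked through as an added example (not code from any poster or from Blizzard): it compares a case-folded and a case-sensitive alphanumeric alphabet at the thread's online and offline guess rates, and shows what case folding does to a salted hash check. The alphabet sizes, the PBKDF2 parameters, and the assumption that a KDF's iteration count divides the attacker's guess rate are choices made for this example.

```python
import hashlib
import hmac
import os

FOLDED = 36   # a-z + 0-9: what a case-insensitive login effectively accepts
MIXED = 62    # a-z + A-Z + 0-9: the same characters with case preserved
ONLINE_RATE = 100              # guesses/s, the thread's over-the-network figure
OFFLINE_RATE = 2_000_000_000   # hashes/s, the thread's offline figure

def exhaust_seconds(alphabet, length, rate, kdf_iterations=1):
    """Worst-case time to try every password of exactly this length.
    Assumption: an iterated KDF divides the attacker's rate by its iteration count."""
    return alphabet ** length * kdf_iterations / rate

def hash_password(password, fold_case, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256. fold_case=True models a case-insensitive login."""
    salt = os.urandom(16) if salt is None else salt
    material = password.lower() if fold_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, iterations)
    return salt, digest

def verify(password, salt, digest, fold_case, iterations=100_000):
    _, candidate = hash_password(password, fold_case, salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def human(seconds):
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"

def table():
    rows = []
    for label, rate, iters in (("online 100/s", ONLINE_RATE, 1),
                               ("offline 2e9/s, single fast hash", OFFLINE_RATE, 1),
                               ("offline 2e9/s, 100k-iteration KDF", OFFLINE_RATE, 100_000)):
        for alphabet in (FOLDED, MIXED):
            for length in (6, 10):
                rows.append((label, alphabet, length,
                             human(exhaust_seconds(alphabet, length, rate, iters))))
    return rows

if __name__ == "__main__":
    for row in table():
        print("{:<36} alphabet={:<3} len={:<3} {}".format(*row))
    salt, stored = hash_password("pAsswORd", fold_case=True)
    print("folded login accepts 'password':", verify("password", salt, stored, True))
```

For six alphanumeric characters, preserving case multiplies the search space by roughly 26; the salt makes equal passwords hash differently, which is what defeats a precomputed table.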