|
On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
On July 20 2011 04:17 noobinator wrote: You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years.
On July 20 2011 04:23 Dental Floss wrote: Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
This is relevant if they have the hash through some type of sniffing - which is probably one technique used to gather passwords and hack accounts. However, the Blizzard system automatically locks you out if you try too many passwords too quickly, so you're time-limited. Obviously if you already have the hash then the time to brute force it is inconsequential as long as you're using something for which they have a prebuilt hash.
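The keyspace arithmetic the posters are trading (26^6 at 100 guesses/s, 36^6, 36^10, and the 2e9/s offline figure) written out as a small calculator. This is an added example, not code from the thread; the two guess rates are the ones the posters assumed, and the online one only holds while the server is not throttling.

```python
"""Keyspace arithmetic behind the brute-force estimates in the thread.

Added example, not code from the thread. The guess rates are the ones
the posters used: ~100 guesses/s against a login server (assumed, and
only if it does not throttle) and 2e9 hashes/s offline against a fast,
unsalted hash.
"""

SECONDS_PER_DAY = 60 * 60 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365

ONLINE_RATE = 100.0              # Ramuh's generous online figure
OFFLINE_RATE = 2_000_000_000.0   # Dental Floss's GPU figure

# Alphabet sizes the thread argues about.
LOWER_ONLY = 26          # a-z
LOWER_DIGITS = 36        # a-z 0-9 (what a case-insensitive login reduces to)
MIXED_CASE_DIGITS = 62   # a-z A-Z 0-9


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst case for the attacker: every candidate is tried once."""
    return keyspace(length, alphabet_size) / rate


def days_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    return seconds_to_exhaust(length, alphabet_size, rate) / SECONDS_PER_DAY


def years_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    return seconds_to_exhaust(length, alphabet_size, rate) / SECONDS_PER_YEAR


def case_sensitivity_gain(length: int) -> float:
    """How many times larger the keyspace gets when upper case is allowed."""
    return keyspace(length, MIXED_CASE_DIGITS) / keyspace(length, LOWER_DIGITS)


if __name__ == "__main__":
    alphabets = (("a-z", LOWER_ONLY), ("a-z0-9", LOWER_DIGITS),
                 ("a-zA-Z0-9", MIXED_CASE_DIGITS))
    for length in (6, 8, 10):
        for name, size in alphabets:
            print(f"{length:2d} chars {name:10s}"
                  f" online {days_to_exhaust(length, size, ONLINE_RATE):>16.1f} d"
                  f" offline {seconds_to_exhaust(length, size, OFFLINE_RATE):>14.1f} s")
```

The 6-character, 36-symbol case reproduces the 251 days quoted above at 100 guesses/s and about one second at 2e9/s; allowing upper case multiplies that keyspace by roughly 26.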
|
Seems like a brilliant plan... so they can sell more authenticators
|
Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
Nintendo and Citibank hacks were not LulzSec. Citibank had a flaw in software that was audited by a 3rd party; that contract obviously came to an end. And the navy site, well, who knows what happened there; all they did was release a screenshot of some garbage injected into their job listing page. Companies such as Facebook, Google, and Blizzard have millions of users, are high profile targets, and none of them have been mined yet as far as we know; good luck to any hacker that attempts the feat.
Google has been attacked a few times but nothing incredibly serious.
|
On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
On July 20 2011 04:17 noobinator wrote: You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years.
On July 20 2011 04:23 Dental Floss wrote: Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
Also cloud time and time on botnets is cheap as FUCK.
|
On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a mysql injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.
On July 20 2011 04:25 Bobbias wrote: Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure.
On July 20 2011 04:29 celious wrote: LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind the scenes WoW systems you would be amazed.
On July 20 2011 04:32 Dental Floss wrote: Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
Okay, let's move on. Most people agree that there should be capitals in the passwords - No need to fearmonger like this.
|
On July 20 2011 04:32 Dental Floss wrote: Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
On July 20 2011 04:41 celious wrote: Nintendo and Citibank hacks were not LulzSec. Citibank had a flaw in software that was audited by a 3rd party; that contract obviously came to an end. And the navy site, well, who knows what happened there; all they did was release a screenshot of some garbage injected into their job listing page. Companies such as Facebook, Google, and Blizzard have millions of users, are high profile targets, and none of them have been mined yet as far as we know; good luck to any hacker that attempts the feat. Google has been attacked a few times but nothing incredibly serious.
Does anyone else feel like this post is kind of suspicious 0.o
Anyways, the senate is a pretty big target, bigger than Nintendo or even the navy. You didn't explain that in your post.
|
Had no idea, my battle.net PW has always contained (or so I thought) capitalization. Not a big deal though, my PW is still long enough and complex enough that the only way someone is going to get in is via a keylogger, in which case the capitals are irrelevant.
I just find it interesting that a company of Blizzard's stature doesn't have a simple, standard feature like case sensitive passwords.
|
On July 20 2011 04:38 DrBoo wrote: Seems like a brilliant plan... so they can sell more authenticators
Blizzard does not make money on authenticators, they are sold essentially at cost and if you have a smartphone of ANY variety they are free.
|
Definitely odd to not allow it, but as long as you are mixing up your passwords with numbers, it needn't be a concern.
|
It DEFINITELY used to be case-sensitive, 100% positive. I did notice they changed it, not sure how long. It has to be recently because I remember having to log in to another Bnet account of mine with caps just a few months ago.
|
On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
On July 20 2011 04:17 noobinator wrote: You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years.
On July 20 2011 04:23 Dental Floss wrote: Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
And that's why you don't use MD5/SHA-family hash functions. Here's how you do it: http://codahale.com/how-to-safely-store-a-password/ Good luck bruteforcing that!
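The storage scheme the linked article argues for (salted, deliberately slow hashing), shown as an added example that is not from the thread or from Blizzard. The article recommends bcrypt; PBKDF2-HMAC-SHA256 from Python's standard library stands in here so it runs with no extra packages, and the iteration count is an assumed value. It also shows what the work factor does to the 2e9 hashes/s figure quoted above.

```python
"""Salted, deliberately slow password hashing, as the linked article recommends.

Added example, not code from the thread or from Blizzard. The article
recommends bcrypt; PBKDF2-HMAC-SHA256 from the standard library stands in
here so it runs without third-party packages.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed value: tune so one hash takes ~100 ms on the server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-user salt defeats rainbow tables
    # Case is kept on purpose. Lower-casing here would give a case-insensitive
    # login like the one the thread complains about, at the price of a
    # 36-symbol instead of a 62-symbol alphabet.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_seconds(keyspace: int, raw_hash_rate: float,
                    iterations: int = ITERATIONS) -> float:
    """Time to exhaust a keyspace when every guess costs `iterations` hashes."""
    return keyspace * iterations / raw_hash_rate


if __name__ == "__main__":
    rec = hash_password("Correct-Horse-7")
    print(rec)
    print(verify_password("Correct-Horse-7", rec), verify_password("correct-horse-7", rec))
    # 36^6 at 2e9 raw hashes/s: about 1 s unsalted vs. about 1.3 days with PBKDF2
    print(offline_seconds(36 ** 6, 2e9) / 86400, "days")
```

Each stored record carries its own salt and iteration count, so the work factor can be raised later for new passwords without breaking verification of old ones.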
|
I knew about that in WoW, but I always kind of assumed that they would have changed that for SC2. Guess not. :/ They really probably should do something about that but I'm not worried as my password is quite long and contains symbols.
|
On July 20 2011 04:38 DrBoo wrote: Seems like a brilliant plan... so they can sell more authenticators
On July 20 2011 04:47 schmeebs wrote: Blizzard does not make money on authenticators, they are sold essentially at cost and if you have a smartphone of ANY variety they are free.
This is correct. There is an iPhone app, which I have, that I use. HIGHLY recommend it if you value your account in the least bit. I suppose if you were to lose your phone AND have your account hacked by the person that stole it... but then you're just having one hell of a bad day!
|
I would say get an authenticator. It gives peace of mind. My only beef with it is the authenticator can be hard to read in low light. Also it can be a real hassle if you lose or break it.
|
definitely used to be case sensitive, interesting
but for real, nobody is going to go around bruteforcing your blizzard account unless it's some super decked WoW character or famous SC2 account. just be careful about showing your bnet email addy.
|
The fact it used to work, and no longer works, implies they are using an insecure form of storing your password, i.e. one that is most likely plaintext
GJ BLIZZARD
|
If they have proper systems in place to prevent password brute forcing, alternating caps won't realistically protect you more than just using a password that is not in the most popular passwords list, which I can only assume you don't if you alternate caps in your passwords.
The line of reasoning here being: If they got your PW via a number of ways, case of the PW won't change a thing, so if case doesn't change a thing but has the potential of causing frustrations it shouldn't matter all that much. NOTE: This is NOT true if the PW is for a system that could be brute forced! (In which case this adds an exponential amount of extra possibilities to your PW)
If you are really worried about security, get an authenticator.
|
I'm actually quite shocked to read this, that's a terrible thing and it's just poor by Blizzard given how long WoW has been around.
|
Case sensitivity is not some integral aspect to internet security, if your password has a decent amount of numbers and a word that isn't predictable, along with having an authenticator, it should never get hacked, and if it still does, then YOU did something wrong.
|
On July 21 2011 03:45 BrTarolg wrote: The fact it used to work, and no longer works, implies they are using an insecure form of storing your password, i.e. one that is most likely plaintext
GJ BLIZZARD
Eh? I don't see the logic behind this. They are insecure about your password security so.... they make it laxer?