|
Hey there TL'ers,
As I was logging on to play teams last night, my friend told me he was able to log into SC2 with caps lock on, even though his password contained a mix of lower/uppercase letters. Not believing this, I tried it for myself, and then checked on Battle.net, and lo and behold, it seems that Blizzard does not utilize case detection (I don't know what else to call it ><) for passwords.
Considering neither of us was aware of it, I'd well imagine that some of you reading this weren't aware either, and I was quite shocked myself. I can't imagine why they wouldn't implement this when so many other free sites/games (Yahoo, Google, even LoL) detect letter cases in passwords. I realize this may not be the best time for this thread as NA can't access BNet at the moment, but since my password is a mix of lower/uppercase letters and numbers, I'm positive that this is the case.
My main point, besides making people aware of this, would be to get some reactions from people who either did or did not know about this, or whether you even think it's a big deal.
TL;DR: Blizz doesn't have case-sensitive password recognition on SC2 or BNet (cannot confirm on WoW).
I also searched for a thread like this and couldn't come up with any results, but if this is out of line feel free to close this.
|
It has been like this in WoW for years. Really poor in my opinion, especially given the huge amount of account hacks users (without authenticators) are seeing in that game.
And coupled with the fact that you use your email as your login.
|
Wow I had no idea. That's pretty scary... something should be done. That's really not ideal for security at all and a weird omission.
|
Um, my passwords are case sensitive and I can't log in to WoW or SC2 if they aren't the exact l
*edit*
Must be a recent change, cause I swear it used to be case sensitive. Just logged into WoW not capitalizing any letters.
|
Interesting, guess I can skip trying to be smart/safe. Rather silly not to utilize it, but there must be some reason behind it.
|
You also can log into WoW by typing your entire password in capslock.
|
Really poor programming by Blizzard. Who knows what other vulnerabilities exist within their system. Or maybe it was their plan all along to reveal a limited vulnerability to make money off of authenticators.
|
Didn't know.
I tried to log in a few months ago and got a message along the lines of "The way you log in changed" and my password did not work. I went and changed it using security questions, and added in caps letters... Guess it didn't help lol.
|
Has been in Battle.net for years.
If you're really worried about your account you have an authenticator or authenticator app anyway.
|
Huh, maybe it automatically detects caps in a password and ignores cap detection if it's all the same. Testing now. Edit: forgot the server is down.
|
On July 20 2011 01:59 vnlegend wrote: Really poor programming by Blizzard. Who knows what other vulnerabilities exist within their system. Or maybe it was their plan all along to reveal a limited vulnerability to make money off of authenticators.
They don't make money on authenticators, they are sold at cost. And do you know how much Game Master time hacking takes up on WoW? It costs them a ridiculously large amount of money.
Stupid nonetheless.
|
Oh wow I didn't know about it, but as far as I know, their system detects caps lock when you want to change passwords. For example, you can't change it from ASDasd to ASDasd, but you can change it from ASDasd to asdASD.
|
On July 20 2011 02:00 PassiveAce wrote: Huh, maybe it automatically detects caps in a password and ignores cap detection if it's all the same. Testing now. Edit: forgot the server is down.
It ignores it. But really, just make your password longer or get an authenticator if you are worried about security.
|
Well, if someone gets your password, say through a keylogger, which is the most common, it doesn't really matter anyway. I have a hard time seeing how making it read upper and lower case differently makes a difference in security. It's still symbols. Maybe someone can explain it to me.
|
At first glance, this seems like a terrible thing. Why would they ignore caps?! But think about it. Most hackings are done by snooping and not brute force cracking. At this point in time, you're more in danger if you use the same password everywhere than if your password ignores case.
|
wtf really... that's some major flaw there -_-
|
the lesson here is
dont play WoW
|
On July 20 2011 01:59 Qurid wrote: You also can log into WoW by typing your entire password in capslock.
I LOVE TO SHOUT AT MY GAME, THEN IT'S SO SCARED THAT IT LOGS IN RIGHT AWAY! (Get it? Because like, in caps you're shouting and.... yeah right.... I thought it was lame too...)
But yeah, I don't know if it's a recent change in sc2 or something, but I don't remember ever having to remove caps lock in order to log in sc2(but it's not like I'm using caps lock often either!)
and also :
On July 20 2011 01:59 Glowbox wrote: Has been in Battle.net for years.
If you're really worried about your account you have an authenticator or authenticator app anyway.
Best $5 investment of my gamer life.
|
On July 20 2011 01:58 Sky0 wrote: Um, my passwords are case sensitive and I can't log in to WoW or SC2 if they aren't the exact l
*edit*
Must be a recent change, cause I swear it used to be case sensitive. Just logged into WoW not capitalizing any letters.
Same here. Just tried both on the EU SC2 site and also in-game, and it wasn't case-sensitive :-/ But I, too, can remember that it didn't let me log into the game because I forgot to upper-case some letters in my password.
Weird.
|
I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case-sensitive passwords make that a million times harder, I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase.
So overall, yes, I think it is bad and there is no reason not to have case-sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally.
|
It's not a major flaw, it's harder to make it ignore the casing. Really. It's one command more. They do it on purpose.
|
I'm honestly not surprised, considering all the flaws bnet 2.0 has. There's just so many simple little things with easy fixes that most programmers would consider bad programming found in the user interface and functionality of bnet.
|
On July 20 2011 02:04 busbarn wrote: Well, if someone gets your password, say through a keylogger, which is the most common, it doesn't really matter anyway. I have a hard time seeing how making it read upper and lower case differently makes a difference in security. It's still symbols. Maybe someone can explain it to me.
It only makes a difference if someone is trying to crack your password by guessing (dictionary attack). Having case-sensitive passwords adds 26 more symbols, increasing the number of possible "words" to choose from when guessing. So, technically, it is harder to crack a password in a system that distinguishes upper and lower case.
|
have to agree that this really isn't a big deal. Nobody will try to brute force crack your password for a battle.net account. Virtually all "hacks" of blizz-accounts are done via a keylogger and in that case it doesn't matter whether your password is 12345 or a 50-character monstrosity of lower case, upper case, numbers and special characters.
|
Also, what's with all the BNet hate threads this week?
Whether it's indirect or direct, I feel like I've seen WAY too many of these the last few days.
|
On July 20 2011 02:20 Carush wrote: Also, what's with all the BNet hate threads this week?
Whether it's indirect or direct, I feel like I've seen WAY too many of these the last few days.
Where did I say I hated BNet? I don't even think this is that big of a deal, but I thought people should know... go to one of the "this is why BNet sucks, this is how I could do it better" threads and post there.
|
On July 20 2011 02:12 ApBuLLet wrote: I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case-sensitive passwords make that a million times harder, I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase. So overall, yes, I think it is bad and there is no reason not to have case-sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally.
I think implementing a "feature" for case recognition is done super quick, it's no work.
It is a good thing and "should" be in games anyway, so Blizzard should just do it and everyone is happy.
So no matter what, if the feature is done so quick, just do it, nothing to lose.
|
On July 20 2011 02:21 Badfatpanda wrote:
On July 20 2011 02:20 Carush wrote: Also, what's with all the BNet hate threads this week?
Whether it's indirect or direct, I feel like I've seen WAY too many of these the last few days.
Where did I say I hated BNet? I don't even think this is that big of a deal, but I thought people should know... go to one of the "this is why BNet sucks, this is how I could do it better" threads and post there.
Post was possibly inspired by lysergic. Not sure why he decided to come in here to tell us how much he hates BNet. I found this bit of info out months ago, but I'm glad you posted about it.
|
On July 20 2011 02:12 ApBuLLet wrote: I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case-sensitive passwords make that a million times harder, I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase. So overall, yes, I think it is bad and there is no reason not to have case-sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally.
Case-insensitive passwords without numbers and signs are just as good as having your password the same as the login. The password should _always_ be more than 10 characters with small/big letters, numbers and signs. So this is, in my opinion, a real big problem. For SC2 it might just be bad, but for WoW this could end disastrously, because people have their account data saved up.
|
My password is still too strong for anything remotely script-kiddy-ish. But no case sensitivity makes me think they have a partnership with Microsoft
|
On July 20 2011 02:12 ApBuLLet wrote: I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case-sensitive passwords make that a million times harder, I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase. So overall, yes, I think it is bad and there is no reason not to have case-sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally.
Haha, not even that. Most of the time when they lose control of their accounts it's because they fall for some social engineering scheme.
Still, I didn't know about this. Ehhhhh, while it would be nice, as long as you follow the rules for a secure password (not using common words, mixing up symbols, letters and numbers, etc.) you should be fine.
Ehh, anyways, Blizzard should fix this to give their customers peace of mind, but this isn't nearly as bad as it seems.
|
Not a big deal. You can buy an authenticator or just add numbers.
|
Ironically, most people who have their accounts hacked use the same password for forum boards, and that is how hackers get their information. Hacking website databases is much easier than sifting through potentially millions of keystrokes through mass keylogging (and the bandwidth required!!), and it turns out most people use the same password for everything, or keep everything gaming related as one password, etc. This is how you get caught, and having it ignore casing on full caps or full non-caps passwords won't change a thing. Honestly it's good that Blizzard implemented it; when I used to use a simpler password it was quite aggravating to mash the caps lock key a few times until it let me log in.
|
Brute force isn't the only way to break passwords... Cryptanalysis is a far larger threat, all things considered. It's bad practice to ignore case, but the real question is how Blizz stores the passwords, and which algorithms they use.
Of course, using the same password as somewhere else is FAR worse than either of these risks. Anyone who's been following the LulzSec hacks should be aware of this...
|
Basically what this means is that the hashing algorithm ignores capitals. Shouldn't be that big of a deal, considering blizzard is doing a lot for people that got their accounts hacked. Still, it's a flaw in security that should not have been there in the first place.
|
o.0" Really?
/downloads Authenticator
|
On July 20 2011 03:04 Bobbias wrote: Brute force isn't the only way to break passwords... Cryptanalysis is a far larger threat, all things considered. It's bad practice to ignore case, but the real question is how Blizz stores the passwords, and which algorithms they use.
As far as I know Blizzard uses the SRP6 protocol ( http://en.wikipedia.org/wiki/Secure_remote_password_protocol ) for the login.
|
WHAT?
I can't believe it... Blizz so stupid once again...
|
Looks like Blizzard decided this design decision would inevitably increase their authenticator sales.
(joke: they probably have hackers on payroll helping convince authenticator sales too, haha)
|
If you have a smartphone, the authenticator apps are free for all 3 major platforms (iOS, android and BB). no reason not to get it if you have a smartphone
|
I guess I shouldn't be surprised at how stupid people are anymore. Are you really blaming Battle.net 2.0? It's been like this with Blizzard for at least 5 years. Do you actually rely on alternating caps being the crutch that keeps your account safe? LOL, it's just amazing how people think because passwords are not case sensitive they are all of a sudden super vulnerable to getting hacked or something. What kind of fucking logic do you people hating on Battle.net and saying that your account is at risk now use?
|
It is not really a big deal. Their login server is pretty secure. If you have a keylogger on your computer it doesn't matter how many alternative capital letters and numbers you have in your password anyway.
|
On July 20 2011 03:19 Akill_ wrote: Looks like Blizzard decided this design decision would inevitably increase their authenticator sales. (joke: they probably have hackers on payroll helping convince authenticator sales too, haha)
But it's free....
|
Oh give me a break guys, go get an authenticator for your iPhone if you're scared of people hacking into your Starcraft account -_-
|
On July 20 2011 02:12 ZerGuy wrote: It's not a major flaw, it's harder to make it ignore the casing. Really. It's one command more. They do it on purpose.
This is the truth. This is not a case of "Blizzard was lazy" or "Blizzard forgot" or even "it's a bug": this must have been a conscious design decision.
|
What this means, is that it's 26 times more likely someone will get your password by guessing randomly. Which sounds big, but really, it isn't that much of a deal. If they knew your password already, case sensitive or not they will find it anyway.
Really the thing that makes your password the hardest to guess is how long it is, the amount of characters is already pretty large.
|
It doesn't change much, but I would have preferred the added security. Still gonna keep playing as normal though.
|
I don't understand this blizzard hate train. Your password isn't case sensitive... boohoo. It's not like you're suddenly vulnerable to hackers. I read the OP and sort of laughed, because this didn't even cross me as people thinking this would be a big deal. Man, was I wrong. Most of the time when you're hacked it's you being stupid and unsafe downloading malware or using some stupid social site, not because blizz's password requirements aren't case sensitive.
|
Interesting note: BW bnet1.0 was case-sensitive.
|
Authenticators are free, and I sincerely doubt anyone is going to try to bruteforce your account anyway. Adding case sensitivity to passwords wouldn't do anything.
|
On July 20 2011 03:39 Nagano wrote: Interesting note: BW bnet1.0 was case-sensitive.
No, original battle.net passwords are not case sensitive, either. I just tested it using Warcraft 3.
|
It doesn't matter. You almost can't brute-force passwords over the network, it just takes too damn long. While capitalization doubles the number of possible passwords (well, not exactly, but you get the point), brute-forcing it is not an option.
I guarantee you that 99.9% of so-called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff.
http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right.
Quick math: 26 chars, 6-char password length, and assuming you can try 100 passwords per second, you get
26^6 / 100 / 60 / 60 / 24 = 35 days for brute-forcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
|
On July 20 2011 03:14 Glowbox wrote:
On July 20 2011 03:04 Bobbias wrote: Brute force isn't the only way to break passwords... Cryptanalysis is a far larger threat, all things considered. It's bad practice to ignore case, but the real question is how Blizz stores the passwords, and which algorithms they use.
As far as I know Blizzard uses the SRP6 protocol ( http://en.wikipedia.org/wiki/Secure_remote_password_protocol ) for the login.
Thanks for the link, never knew about that (I'm no crypto nerd, but I'm not clueless either).
At first glance it looks like a pretty secure system, but like I said, at first glance.
|
Definitely a big deal. You pay for your account, so it should be able to detect case. This is a dumb oversight anyway. Everything detects case, so no reason not to.
|
Rofl, here I was thinking my password actually had capitals in it. Made me get an authenticator (was on my to-do list for ages, just too lazy).
Never had one before, and the irony is I hardly play WoW anymore, which is what the authenticator is most needed for, and gave away most of my gold already, but ah well.
|
On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't brute-force passwords over the network, it just takes too damn long. While capitalization doubles the number of possible passwords (well, not exactly, but you get the point), brute-forcing it is not an option. I guarantee you that 99.9% of so-called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff. http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick math: 26 chars, 6-char password length, and assuming you can try 100 passwords per second, you get 26^6 / 100 / 60 / 60 / 24 = 35 days for brute-forcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
This guy has the right idea.
Just make your password a few letters longer if you're really concerned. That will have a MUCH larger impact on the security of your password from bruteforcing.
However, it makes zero difference if you're getting keylogged.
|
i knew this, it sucks hard
|
I just thought about this for a moment and came to the conclusion that (like always) people are just making assumptions that case sensitivity would be a worthy benefit.
So let's go ahead and look at it. Blizzard passwords already use letters, numbers, and symbols. This is already a ton of possibilities, and whether there's case sensitivity to add another 26 possibilities or not probably doesn't matter enough to have case sensitivity, because either way the searches are somewhat long.
The next reason would be that hacking often results from a keylogger, not some hacker searching all the possible combinations of your password when they have your username.
Another reason why this isn't applicable is that hackers don't have a reason to spend time searching for your password on Starcraft 2, whether there is case sensitivity or not.
This last reason ties in with all the above reasons to make them more sensible and realistic: having case sensitivity is simply less user friendly, thus not having it is much more convenient for Starcraft users.
Thus Blizzard probably doesn't see the point in having case sensitivity. Instead of trashing Blizzard, who happen to be one of the best gaming companies out there, and making assumptions on what you believe is right, you should probably just weigh the facts, as this topic isn't really important.
|
Unless you use a password that is not a word and is a jumble of letters/numbers/symbols, it being case sensitive or not doesn't really matter, as people have said. If you get your account hacked, 99.9% of the time it's because you screwed up, not because some hacker has it in for you.
|
On July 20 2011 02:28 Tofugrinder wrote:
On July 20 2011 02:12 ApBuLLet wrote: I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case-sensitive passwords make that a million times harder, I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase. So overall, yes, I think it is bad and there is no reason not to have case-sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally.
Case-insensitive passwords without numbers and signs are just as good as having your password the same as the login. The password should _always_ be more than 10 characters with small/big letters, numbers and signs. So this is, in my opinion, a real big problem. For SC2 it might just be bad, but for WoW this could end disastrously, because people have their account data saved up.
I'm fairly certain WoW blocks brute force (and dictionary-based) attempts. If somebody is pounding out even a hundred thousand passwords a second, they're going to deactivate the account.
And at 500,000 a second, it would take your entire life to crack a 10-character password through brute force (using all lowercase). Dictionary-based attempts are faster, but we're still talking about like a year at least.
On July 20 2011 03:58 schmeebs wrote: Unless you use a password that is not a word and is a jumble of letters/numbers/symbols, it being case sensitive or not doesn't really matter, as people have said. If you get your account hacked, 99.9% of the time it's because you screwed up, not because some hacker has it in for you.
I would extend that 99.9% to 99.999%, honestly. Basically, only people like Totalbiscuit, Reckful, Swifty, and other very notable WoW players would be in danger of these types of attacks.
(And even then, it would be easier to specifically target them in other ways.)
|
Key logging has been apparent in almost all Blizzard games. World of Warcraft seems to be hit the most because of key logging programs hidden in addons that are common in the game. I think blizzard should indeed make passwords case sensitive in addition to adding a log in on screen keyboard that is randomly generated each click, a little excessive I know but security is important.
|
I noticed this after release but thought maybe it was widely known, and yeah, it certainly is a stupid way to run things given all the people in WoW getting their accounts hijacked; just another glimpse at how Blizzard likes to do things, I suppose. I guess you just gotta be smart about making the most long-ass strange password you can that nobody would ever think of, but that's assuming they're not stealing it through more standard means, in which case I think you're screwed either way.
|
On July 20 2011 03:42 Gheed wrote:
On July 20 2011 03:39 Nagano wrote: Interesting note: BW bnet1.0 was case-sensitive.
No, original battle.net passwords are not case sensitive, either. I just tested it using Warcraft 3.
Hum, yea, you're right, I just tested it on BW bnet. I guess back in the day it was case-sensitive, because I had a case-sensitive password that I could never remember the exact capitalization of, and it always took me like 5 minutes to log in.
|
wow. blizzard, do you have any idea what security is ~_~
|
I can't believe how big of a deal many people are making out of this.
This is not a huge deal. If you are worried about your password safety:
1. Use long passwords, not common words, and combine numbers and symbols.
2. Don't use the same password for everything.
3. Don't fall for social engineering scams.
4. Don't download shady software.
All of the above is much more important than caps-sensitive passwords. Gosh, I can't believe how many people just want to get angry for the sake of getting angry (not directed at the OP, he had good intentions in informing us, but it really isn't a big deal).
|
You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.
|
Still an odd line of defense to just neglect... However, most comments about brute force attacks are correct. They would take forever, and BNet will already cut you out after so many failed attempts.
The authenticator is a great tool, but it does have some issues. I personally used the physical key chain authenticator for a period of time (I did not have a smart phone yet). However, it became more of a pain over time. It eventually lost sync with BNet and was generally 30 - 60 seconds ahead of BNet (I would have to start login, then wait 30 - 60 seconds between putting in the key and logging in). Though the mobile version has other sync features the physical device does not.
|
On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.
If something like this happened to Blizzard they would close down servers in the blink of an eye and make sure everyone would need to change their pw with whatever method.
Plus I'm almost certain their passwords are salted and stuff, making their passwords more secure.
|
On July 20 2011 04:08 windsupernova wrote: I can't believe how big of a deal many people are making out of this.
This is not a huge deal. If you are worried about your password safety:
1. Use long passwords, not common words, and combine numbers and symbols.
2. Don't use the same password for everything.
3. Don't fall for social engineering scams.
4. Don't download shady software.
All of the above is much more important than caps-sensitive passwords. Gosh, I can't believe how many people just want to get angry for the sake of getting angry (not directed at the OP, he had good intentions in informing us, but it really isn't a big deal).
Point being that their extensive form of protection is completely overlooked.
|
It must have been a recent change, because my pw has always been case sensitive and if I didn't type it in exactly, it wouldn't work.
|
You know, the other thing that pissed me off is that I couldn't actually, like... use punctuation in the passwords either, which increases security by _a lot_ (like periods, commas, etc.) = =
|
On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't brute-force passwords over the network, it just takes too damn long. While capitalization doubles the number of possible passwords (well, not exactly, but you get the point), brute-forcing it is not an option. I guarantee you that 99.9% of so-called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff. http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick math: 26 chars, 6-char password length, and assuming you can try 100 passwords per second, you get 26^6 / 100 / 60 / 60 / 24 = 35 days for brute-forcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers.
You forgot numbers.
6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime.
EDIT: 10 char password would take 1,159,360 years.
|
On July 20 2011 04:13 Ramuh wrote:
On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.
If something like this happened to Blizzard they would close down servers in the blink of an eye and make sure everyone would need to change their pw with whatever method. Plus I'm almost certain their passwords are salted and stuff, making their passwords more secure.
That's not how it works. Such attacks are commonplace against banks and major corporations. You get no warning, and once you find out it's too late. Modern GPUs can crack passwords hundreds if not thousands of times faster than CPUs. See bitcoin mining for more information about parallel hash-checking.
|
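To make the exchange above concrete, here is an added example (not code from the thread or from Blizzard) contrasting a verifier that folds case before hashing, as the thread infers Battle.net does, with one that hashes the exact password under a per-user random salt and PBKDF2. The iteration count, the sample user records and the function names are constructed for illustration.

```python
"""Two password-storage designs compared on the properties this thread argues
about: whether 'ASDasd' and 'asdASD' are the same secret, and what a leaked
database hands to an offline GPU attacker.

Added example, not from the thread or from Blizzard. Design A reconstructs
what the thread infers (case folded, then hashed); Design B is the standard
alternative (exact password, per-user salt, slow KDF). PBKDF2_ITERATIONS and
the sample records are constructed figures.
"""
import hashlib
import hmac
import os
from typing import List, Optional

PBKDF2_ITERATIONS = 100_000  # constructed; tune to your login latency budget


def fold_case(password: str) -> str:
    """Normalization a case-insensitive verifier applies before hashing."""
    return password.lower()


def casings_accepted(password: str) -> int:
    """Distinct typed strings a case-folding verifier accepts as this password:
    two per letter, one per non-letter. Every letter loses exactly one bit."""
    return 2 ** sum(ch.isalpha() for ch in password)


# --- Design A: fast unsalted hash over the case-folded password ---------------
def store_a(password: str) -> str:
    return hashlib.sha256(fold_case(password).encode("utf-8")).hexdigest()


def verify_a(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_a(password), stored)


# --- Design B: exact password, random per-user salt, PBKDF2-HMAC-SHA256 -------
def store_b(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    `salt` is a parameter only so tests can be deterministic; production
    callers leave it None and get 16 fresh random bytes per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_b(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_table_reusable(records: List[str]) -> bool:
    """True when two users with the same password share one stored value, so a
    single precomputed or cracked hash unlocks every matching account."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    alice_a, bob_a = store_a("Hunter2"), store_a("hunter2")
    alice_b, bob_b = store_b("Hunter2"), store_b("Hunter2")
    print("A accepts wrong casing:", verify_a("hUNTER2", alice_a))   # True
    print("B accepts wrong casing:", verify_b("hUNTER2", alice_b))   # False
    print("Casings A accepts for 'Hunter2':", casings_accepted("Hunter2"))  # 64
    print("A: one crack serves both users:", leaked_table_reusable([alice_a, bob_a]))  # True
    print("B: one crack serves both users:", leaked_table_reusable([alice_b, bob_b]))  # False
```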
On July 20 2011 04:04 tok wrote: Key logging has been apparent in almost all Blizzard games. World of Warcraft seems to be hit the most because of key logging programs hidden in addons that are common in the game. I think blizzard should indeed make passwords case sensitive in addition to adding a log in on screen keyboard that is randomly generated each click, a little excessive I know but security is important.
Lol, you cannot hide keyloggers in addons because Lua cannot execute another process.
Back to topic: having case-sensitive passwords increases the difficulty of brute-forcing a password, which in all honesty is difficult to do these days because accounts are locked after so many attempts, like 10 I think? And it doesn't matter if they use proxies or not, the account still becomes locked.
Just avoid simple, easy-to-guess passwords and don't reuse passwords and you'll be fine.
|
On July 20 2011 04:17 noobinator wrote: On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers. You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years.
Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
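The arithmetic the three posts above are arguing about, carried through for every alphabet size that comes up in the thread, as an added example that is not part of the original posts. The guess rates are the posters' own assumptions (100 guesses per second for online guessing against a login server, two billion hashes per second for offline cracking of a leaked fast hash), and passwords are assumed to be uniformly random over the alphabet, which is the best case for the user; human-chosen passwords fall to dictionary attacks far faster than these numbers suggest.

```python
"""Brute-force cost arithmetic for the password keyspaces argued over above.

Added example, not code from the thread. The guess rates are assumptions:
100 guesses/second stands in for an online attack against a login server
(Ramuh's figure) and 2e9 hashes/second for an offline attack on a leaked fast
hash (noobinator's figure). Passwords are assumed uniformly random over the
alphabet, which is the best case for the user.
"""
import math

SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Alphabet sizes that come up in the thread.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,      # what a case-folded password is effectively drawn from
    "mixed case": 52,
    "mixed case+digits": 62,
}

ONLINE_RATE = 100.0             # guesses/s against a login endpoint (assumption)
OFFLINE_RATE = 2_000_000_000.0  # hashes/s on GPUs against a leaked fast hash (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password; the expected time is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def case_folding_loss_bits(length: int, with_digits: bool = True) -> float:
    """Bits of entropy a random mixed-case password loses when case is ignored.

    Folding case maps 52 letters onto 26, so each position loses log2(52/26)
    bits, or log2(62/36) bits when digits are part of the alphabet.
    """
    full, folded = (62, 36) if with_digits else (52, 26)
    return entropy_bits(full, length) - entropy_bits(folded, length)


def human_time(seconds: float) -> str:
    """Render a duration in the units the thread uses."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:,.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def crack_table(length: int) -> dict:
    """Worst-case time for each alphabet at the online and offline rates."""
    table = {}
    for name, size in ALPHABETS.items():
        table[name] = {
            "bits": round(entropy_bits(size, length), 1),
            "online": human_time(seconds_to_exhaust(size, length, ONLINE_RATE)),
            "offline": human_time(seconds_to_exhaust(size, length, OFFLINE_RATE)),
        }
    return table


if __name__ == "__main__":
    for length in (6, 10):
        print(f"--- {length}-character passwords ---")
        for name, row in crack_table(length).items():
            print(f"{name:18s} {row['bits']:5.1f} bits  "
                  f"online: {row['online']:>16s}  offline: {row['offline']:>14s}")
        print(f"entropy lost to case folding: {case_folding_loss_bits(length):.1f} bits")
```

Two things fall out of running it that the posts only gesture at: case folding costs a random password about 0.78 bits per character (a little over six bits for an eight-character password), and the same six-character keyspace that takes months to exhaust through a rate-limited login endpoint takes about a second against a leaked fast hash, so the storage format of the hash, not the alphabet, is what decides the offline case.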
|
On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity.
Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function.
Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how Blizz stores your password.
I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure.
|
On July 20 2011 04:25 Bobbias wrote: On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity. Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how Blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure.
LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind-the-scenes WoW systems you would be amazed.
|
On July 20 2011 04:29 celious wrote: On July 20 2011 04:25 Bobbias wrote: On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity. Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how Blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure. LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind-the-scenes WoW systems you would be amazed.
Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
|
A wild guess: they turned it off because their customer service got flooded by messages from noob WoW players who had their caps lock on.
This doesn't really make it any less secure. Maybe if somebody has a password "pAsswORd", this would change it from almost guessable to guessable.
|
On July 20 2011 04:23 Dental Floss wrote: On July 20 2011 04:17 noobinator wrote: On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers. You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years. Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
This is relevant if they have the hash through some type of sniffing - which is probably one technique used to gather passwords and hack accounts. However, the Blizzard system automatically locks you out if you try too many passwords too quickly, so you're time-limited. Obviously if you already have the hash then the time to brute force it is inconsequential as long as you're using something for which they have a prebuilt hash.
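The lockout behaviour this post and the earlier one ("accounts are locked after so many attempts, like 10 I think?") describe, modelled as a small throttle and fed a constructed stream of login attempts, as an added example that is not Blizzard's code. The policy numbers (ten failures inside a five-minute window, fifteen-minute lock) are assumptions chosen to match the thread's guess, and the credential store is plaintext only to keep the demo short.

```python
"""Account lockout as an online-guessing throttle, the kind of control the
thread says Battle.net applies after "so many attempts, like 10".

Added example, not Blizzard's code. The policy numbers (10 failures in a
5-minute window, 15-minute lock) and the login attempts are constructed.
The credential store is plaintext only to keep the demo short.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import hmac

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 10     # failures before the account locks (assumption)
    window_seconds: int = 300  # sliding window the failures are counted in
    lock_seconds: int = 900    # how long the account stays locked


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, credentials: dict):
        self.policy = policy
        self._creds = credentials
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> unix time the lock expires
        self.events = []                     # audit trail a SOC would alert on

    def attempt(self, account: str, password: str, ts: float) -> str:
        """Return 'ok', 'failed' or 'locked'. Locked accounts are rejected
        before the password is checked, so each guess costs the attacker time."""
        if self._locked_until.get(account, 0) > ts:
            self.events.append((ts, account, "rejected-locked"))
            return "locked"
        stored = self._creds.get(account)
        if stored is not None and hmac.compare_digest(stored, password):
            self._failures[account].clear()
            self.events.append((ts, account, "success"))
            return "ok"
        recent = self._failures[account]
        recent.append(ts)
        while recent and recent[0] < ts - self.policy.window_seconds:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.policy.max_failures:
            self._locked_until[account] = ts + self.policy.lock_seconds
            recent.clear()
            self.events.append((ts, account, "LOCKED"))  # detection signal
            return "locked"
        self.events.append((ts, account, "failed"))
        return "failed"


def guesses_per_day_bound(policy: LockoutPolicy) -> float:
    """Rough ceiling on online guesses per account per day once lockout engages:
    max_failures guesses, then a lock_seconds pause, repeated all day."""
    return policy.max_failures * (SECONDS_PER_DAY / policy.lock_seconds)


def days_to_exhaust(alphabet_size: int, length: int, policy: LockoutPolicy) -> float:
    """Worst-case days to try every password online under the lockout policy."""
    return alphabet_size ** length / guesses_per_day_bound(policy)


def run_demo() -> list:
    """Constructed attempt stream: a guesser fires 12 wrong passwords one second
    apart, then the real owner tries during and after the lock."""
    acct = "player@example.com"
    guard = LoginGuard(LockoutPolicy(), {acct: "correct-horse"})
    results = [guard.attempt(acct, f"guess{i}", ts=1000 + i) for i in range(12)]
    results.append(guard.attempt(acct, "correct-horse", ts=1070))  # owner, still locked
    results.append(guard.attempt(acct, "correct-horse", ts=1910))  # lock expired at 1909
    return results


if __name__ == "__main__":
    print(run_demo())
    print(f"online guesses/day under policy: {guesses_per_day_bound(LockoutPolicy()):.0f}")
    print(f"days to exhaust 36^6 online: {days_to_exhaust(36, 6, LockoutPolicy()):,.0f}")
```

The demo's thirteenth attempt is the caveat: the legitimate owner is turned away with the right password because the guesser tripped the lock, which is why real deployments pair account lockout with per-source throttling or a CAPTCHA rather than relying on lockout alone. The bound it computes (under a thousand guesses a day for this policy) applies only to guessing through the login endpoint; it says nothing about a leaked hash, as the post above notes.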
|
Seems like a brilliant plan... so they can sell more authenticators
|
Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
Nintendo and Citibank hacks were not LulzSec. Citibank had a flaw in software that was audited by a 3rd party whose contract obviously came to an end. And the navy site, well, who knows what happened there; all they did was release a screenshot of some garbage injected into their job listing page. Companies such as Facebook, Google, and Blizzard have millions of users and are high-profile targets, none of which have been mined yet as far as we know, and good luck to any hacker that attempts the feat.
Google has been attacked a few times but nothing incredibly serious.
|
On July 20 2011 04:23 Dental Floss wrote: On July 20 2011 04:17 noobinator wrote: On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers. You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years. Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
Also cloud time and time on botnets is cheap as FUCK.
|
On July 20 2011 04:32 Dental Floss wrote: On July 20 2011 04:29 celious wrote: On July 20 2011 04:25 Bobbias wrote: On July 20 2011 04:09 Dental Floss wrote: You guys are all missing the point. The problem comes when someone executes a MySQL injection attack or gets access to the database that stores user data. A hacker can then use a GPU-based attack to guess and check against the hash values stored in the database without going over the network. They then have access to your email address and password. If it's a common password they can basically steal your identity. Someone with some sense. Yes, if someone were to gain access to the SQL databases with the hashed keys, they could use an attack to break the keys and get your password... Problem with thinking that 26 extra keys would help here is that they aren't actually looking for your password, they are looking for whatever password will give you that key, because there are collisions in the hash function. Adding 26 extra keys wouldn't do too much, but would probably slow things down. Unfortunately, if they have access to the hashed passwords, and happen to have a rainbow table, things are looking pretty grim for a lot of people. This is part of why the LulzSec hacks were so bad. Not to mention that if they happen to get your password for something else (due to shoddy security practice), if you happen to use the same, or a similar password, you're in trouble, regardless of how Blizz stores your password. I urge everyone here to read up about how LulzSec managed to get their information. They exposed thousands of username and password combinations, they broke into tons of different systems, many of which were supposed to be secure. LulzSec performed many simple hacks against systems that weren't secure. Technically you could say everything is supposed to be secure but it obviously isn't. Also the databases that LulzSec released were of random gaming sites or low budget game developers that obviously don't have the means or resources to secure and monitor their system like companies such as Blizzard. If you've ever seen the behind-the-scenes WoW systems you would be amazed. Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords.
Okay, let's move on. Most people agree that there should be capitals in the passwords - no need to fearmonger like this.
|
On July 20 2011 04:41 celious wrote: Low level targets like senate.gov or nintendo.com? navy.mil or citibank.com? Blizzard isn't some invincible titan. There is literally no reason to arbitrarily reduce the number of possible passwords. Nintendo and Citibank hacks were not LulzSec. Citibank had a flaw in software that was audited by a 3rd party whose contract obviously came to an end. And the navy site, well, who knows what happened there; all they did was release a screenshot of some garbage injected into their job listing page. Companies such as Facebook, Google, and Blizzard have millions of users and are high-profile targets, none of which have been mined yet as far as we know, and good luck to any hacker that attempts the feat. Google has been attacked a few times but nothing incredibly serious.
Does anyone else feel like this post is kind of suspicious 0.o
Anyways, the senate is a pretty big target, bigger than Nintendo or even the navy. You didn't explain that in your post.
|
Had no idea, my battle.net PW has always contained (or so I thought) capitalization. Not a big deal though; my PW is still long enough and complex enough that the only way someone is going to get in is via a keylogger, in which case the capitals are irrelevant.
I just find it interesting that a company of Blizzard's stature doesn't have a simple, standard feature like case-sensitive passwords.
|
On July 20 2011 04:38 DrBoo wrote: Seems like a brilliant plan... so they can sell more authenticators
Blizzard does not make money on authenticators; they are sold essentially at cost, and if you have a smartphone of ANY variety they are free.
|
Definitely odd to not allow it, but as long as you are mixing up your passwords with numbers, it needn't be a concern.
|
It DEFINITELY used to be case-sensitive, 100% positive. I did notice they changed it, not sure how long. It has to be recently because I remember having to log in to another Bnet account of mine with caps just a few months ago.
|
On July 20 2011 04:23 Dental Floss wrote: On July 20 2011 04:17 noobinator wrote: On July 20 2011 03:42 Ramuh wrote: It doesn't matter. You almost can't bruteforce passwords over network, it just takes too damn long. While capitalization doubles the number of possible passwords (well not exactly, but you get the point) bruteforcing it is not an option. I guarantee you that 99,9 % of so called "hacked" accounts are from keyloggers, phishing sites, trojans and such stuff http://imgur.com/gallery/YWFLq substitute viruses with hacks and you're about right. Quick Math: 26 chars, 6 char password length, and assuming you can try 100 passwords per second you get 26^6 / 100 / 60 / 60 / 24 = 35 days for bruteforcing a 6(!) char password. And that's assuming Blizzard lets you bombard their servers. You forgot numbers. A 6 char password would be 36 possible chars, so 251 days. GG hackers, mine would take more than your lifetime. EDIT: 10 char password would take 1,159,360 years. Yes...251 days with that hypothetical rate. However, modern computers can calculate 2,000,000,000 hashes PER SECOND. Your 6 char password would then take 1.5 seconds to break.
And that's why you don't use MD5/SHA-family hash functions. Here's how you do it: http://codahale.com/how-to-safely-store-a-password/ Good luck bruteforcing that!
|
I knew about that in WoW, but I always kind of assumed that they would have changed that for SC2. Guess not. :/ They really probably should do something about that but I'm not worried as my password is quite long and contains symbols.
|
On July 20 2011 04:47 schmeebs wrote: On July 20 2011 04:38 DrBoo wrote: Seems like a brilliant plan... so they can sell more authenticators. Blizzard does not make money on authenticators; they are sold essentially at cost, and if you have a smartphone of ANY variety they are free.
This is correct. There is an iPhone app, which I have, that I use. HIGHLY recommend it if you value your account in the least bit. I suppose if you were to lose your phone AND have your account hacked by the person that stole it... but then you're just having one hell of a bad day!
|
I would say get an authenticator. It gives peace of mind. My only beef with it is the authenticator can be hard to read in low light. Also it can be a real hassle if you lose or break it.
|
definitely used to be case sensitive, interesting
but for real, nobody is going to go around bruteforcing your blizzard account unless it's some super decked WoW character or famous SC2 account. just be careful about showing your bnet email addy.
|
The fact it used to work, and no longer works, implies they are using an insecure form of storing your password, i.e. one that is most likely plaintext.
GJ BLIZZARD
|
If they have proper systems in place to prevent password brute forcing, alternating caps won't realistically protect you more than just using a password that is not in the most popular passwords list, which I can only assume you don't if you alternate caps in your passwords.
The line of reasoning here being: If they got your PW via a number of ways, case of the PW won't change a thing, so if case doesn't change a thing but has the potential of causing frustrations it shouldn't matter all that much. NOTE: This is NOT true if the PW is for a system that could be brute forced! (In which case this adds an exponential amount of extra possibilities to your PW)
If you are really worried about security, get an authenticator.
|
I'm actually quite shocked to read this, that's a terrible thing and it's just poor by Blizzard given how long WoW has been around.
|
Case sensitivity is not some integral aspect to internet security, if your password has a decent amount of numbers and a word that isn't predictable, along with having an authenticator, it should never get hacked, and if it still does, then YOU did something wrong.
|
On July 21 2011 03:45 BrTarolg wrote: The fact it used to work, and no longer works, implies they are using an insecure form of storing your password, i.e. one that is most likely plaintext.
GJ BLIZZARD
Eh? I don't see the logic behind this. They are insecure about your password security so.... they make it laxer?
|
On July 21 2011 05:14 windsupernova wrote: On July 21 2011 03:45 BrTarolg wrote: The fact it used to work, and no longer works, implies they are using an insecure form of storing your password, i.e. one that is most likely plaintext. GJ BLIZZARD. Eh? I don't see the logic behind this. They are insecure about your password security so.... they make it laxer?
If it's not case-sensitive that doesn't imply it's simple text, I have no idea how he drew this conclusion either.
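A concrete answer to the two points above, and to the earlier post linking the codahale article on slow password hashing: this added example (not Blizzard's code, and not the article's bcrypt) stores only a salted, deliberately slow hash yet still accepts a login typed in the wrong case, by folding case before hashing. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt/scrypt because it ships with the interpreter; the iteration count and the sample passwords are constructed.

```python
"""Salted, deliberately slow password hashing that still accepts case-insensitive
logins. Added example, not Blizzard's code and not the codahale article's bcrypt;
PBKDF2-HMAC-SHA256 from the standard library plays the slow-hash role here, and
the iteration count and sample passwords are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 200_000  # assumption: tune so one hash takes ~0.1 s on your servers


def normalize(password: str) -> str:
    """Case-insensitive matching: fold case *before* hashing. The stored value
    is still a salted hash; nothing about this requires keeping plaintext."""
    return password.casefold()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, case_insensitive: bool = True) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt
    material = normalize(password) if case_insensitive else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, *, case_insensitive: bool = True) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    material = normalize(password) if case_insensitive else password
    candidate = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def fast_hash(password: str) -> str:
    """Unsalted MD5, the kind of storage the thread warns against: one guess
    costs one cheap hash and identical passwords share one digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def cost_ratio(samples: int = 3) -> float:
    """How many MD5 evaluations fit in the time of one PBKDF2 evaluation.
    After a leak, this ratio divides the attacker's guesses per second."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"password", salt, ITERATIONS)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(10_000):
        fast_hash("password")
    fast = (time.perf_counter() - t0) / 10_000
    return slow / fast


if __name__ == "__main__":
    record = hash_password("pAsswORd")
    print(record)
    print("PASSWORD accepted (case-insensitive):", verify_password("PASSWORD", record))
    print("password1 accepted:", verify_password("password1", record))
    print(f"one PBKDF2 costs about {cost_ratio():,.0f} MD5 evaluations")
```

What it shows: "case-insensitive" is a property of the normalization step, so it gives no information about whether the stored value is plaintext, a fast unsalted hash, or a slow salted one. The two do interact in one place, which is the thread's actual concern: folding case shrinks the set of distinct passwords the slow hash has to defend, so the iteration count (or bcrypt/scrypt cost) is what has to carry the difference when the database leaks.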
|
On July 20 2011 02:32 windsupernova wrote: On July 20 2011 02:12 ApBuLLet wrote: I don't really think this is as big of a deal as people are making it out to be. People tend to panic a bit when they feel like they or their property is at risk, and rightfully so. However, the vast majority of the time people get their accounts stolen is due to some sort of keylogging malware, in which case a case-sensitive password system would not matter, because your hacker would know anyway. The only thing I can see it being good for is if somebody is trying to guess your password or something like that. Case sensitive passwords make that a million times harder I would imagine, as you'd have to guess the password and the pattern of lowercase/uppercase. So overall, yes I think it is bad and there is no reason not to have case sensitive passwords for that little bit of extra security, but in reality I don't really think it is that big of a deal. I'm not going to worry about it personally. Haha, not even that. Most of the time when they lose control of their accounts it's because they fall for some social engineering scheme.
Not totally true (I don't have the numbers though >.>. But just from what people have said). In FFXI (not sure about WoW), most accounts were lost by visiting well known FFXI sites like ffxiah, ffxi wiki (from wikia), somepage, atlus, or even your linkshell(clan/guild)'s site (yes drama happens, someone who has access to the site loads it up with all the malware they can find). Seeing as how the WoW Wiki used to be hosted on wikia, I wouldn't be surprised if the wiki hosted bad ads occasionally too.
Sometimes this even happened with noscript and adblock plus users too (noscript needs to be set to block all things including iframes and be set to block it on trusted sites too).
Main reason is most of those sites need revenue from ads and some bad ads slip by (also sometimes the site owner leaves or is lazy and the site ends up being compromised without anyone fixing it and without users who checked it before knowing).
Finally, authenticators aren't foolproof either. Some malware redirects, replaces, or infects playonlineviewer.exe (for example) with something else. It brings up the usual (really spoofed) pop-up screen, asks for the one time password and password.
User enters it, it doesn't work. They find out that their authenticator has been disabled and password changed (this can happen by using the one time password the user entered and entering it on the site with the password, then disabling the authenticator, which is possible with SE, not sure about Blizzard).
Yes, so even two-step authentication is not completely safe (but it is still much safer).
Anyway, as for whether caps lock is safer? Yes. Now in cases where it's stranger vs stranger, account hackings usually happen with the full password given (social engineering, keylogger, etc).
But not all accounts lost are due to that. Maybe it's a PC bang or public place (where some may be able to sneak a look at what you're typing), or someone you know IRL, etc.
Having caps lock would reduce the risk of passwords stolen in that case (even though it's already small since it's already hard, it'd make it harder at least).
Anyway I think someone should bring this up on the battle.net forums (the caps thing) so they can read it.
|
What the heck blizzard, my password seems easy enough as it is.....
|
They probably figure that it will result in less overall hassle for them, since the number of people who are getting locked out of their bnet account will go through the roof if it's case-sensitive. If you have a good password it's still going to take someone a ridiculously long time to brute force it even without case sensitivity (if it's good they can't dictionary it).
|
Well, the thing is...
a) if you really want a well protected password, you'd have to use upper case, lower case, numbers and symbols.
b) efficient hacking methods won't really care about uppercase or not.
c) If you REALLY want to protect your account, use an authenticator.
Either way, it isn't such a big deal.
|
On July 21 2011 09:17 UnitedKronos wrote: What the heck blizzard, my password seems easy enough as it is.....
lol well that's not really Blizzard's fault
|
Didn't realize how many conspiracy theorists we had on TL until I read this thread.
Blizzard making it easier for you to get hacked so people will get authenticators? lol Blizzard loses a ton of time and money because of hacking, and their Game Masters are legendary for how efficiently they handle your case in the event of a compromised account (if you scoff at this, you have never played another online game). Furthermore, if someone gets your password through keylogging, whether your letters were capped or not has near zero significance.
It's funny to see cryptanalysis/bruteforcing brought up in this thread. Unless you're Destiny or BoxeR, you have no reason to worry about the safety of your account.
On July 21 2011 05:14 Aberu wrote: Case sensitivity is not some integral aspect to internet security, if your password has a decent amount of numbers and a word that isn't predictable, along with having an authenticator, it should never get hacked, and if it still does, then YOU did something wrong.
On July 21 2011 05:14 Aberu wrote: Case sensitivity is not some integral aspect to internet security, if your password has a decent amount of numbers and a word that isn't predictable, along with having an authenticator, it should never get hacked, and if it still does, then YOU did something wrong.
Quoted twice in case you skip over it the first time.
|
At least they don't store our passwords in a text file. Right? RIIIIIIIGHT?
|
who the hell cares? it's been ages since i took a data management/probability class so i won't bother trying to prove it, but i have a good feeling that removing 26 possible characters doesn't put a dent in the total permutations of passwords available for you to choose.
|
capitalization is not a big deal when the majority of password leaks are due to
a) User visiting phishing website, and giving up the full password
b) User having a keylogger, and program logs the full password
The only time capitalization ever matters is
i) Blizzard has their user database leaked, making it quicker to brute force your weaker password
ii) Someone looks over your shoulder and guesses your password and can see that you don't press the shift key so they don't need to worry about that.
Thankfully i) has never happened, and if ii) happened then you deserve it for either typing too slow or having a guessable password
|