|
On August 10 2012 13:07 Zato-1 wrote:Show nested quote +On August 10 2012 12:39 zhurai wrote:On August 10 2012 10:16 Integra wrote:On August 10 2012 09:11 Corrosive wrote:Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine. If you want to see how long it would take your password to be cracked check this out http://howsecureismypassword.net/ according to this website it will take them 40 undecillion years or in numbers:40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... goodluck with that. maybe if they try cracking it on one computer with a single core Actually, if you're serious about cracking a large number of passwords then you don't care so much about your processor, you'll get a high-end graphics card to do the brunt of the work because they have orders of magnitude more computing power for this purpose. Also, in its estimate, that site makes the rather huge (and probably incorrect) assumption that the programs hackers use will be sequentially trying completely random sequences of characters, when there are substantially more efficient ways to crack more than enough bad passwords to make it worth your while.
I know. I'm just saying that site is unrealistic which probably is a simulating a computer that can only work on one thing at a time rather than e.g. multithreading cracking, using dictionary tables, etc.
(read: sarcasm)
|
On August 10 2012 13:13 zhurai wrote:Show nested quote +On August 10 2012 13:07 Zato-1 wrote:On August 10 2012 12:39 zhurai wrote:On August 10 2012 10:16 Integra wrote:On August 10 2012 09:11 Corrosive wrote:Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine. If you want to see how long it would take your password to be cracked check this out http://howsecureismypassword.net/ according to this website it will take them 40 undecillion years or in numbers:40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... goodluck with that. maybe if they try cracking it on one computer with a single core Actually, if you're serious about cracking a large number of passwords then you don't care so much about your processor, you'll get a high-end graphics card to do the brunt of the work because they have orders of magnitude more computing power for this purpose. Also, in its estimate, that site makes the rather huge (and probably incorrect) assumption that the programs hackers use will be sequentially trying completely random sequences of characters, when there are substantially more efficient ways to crack more than enough bad passwords to make it worth your while. I know. I'm just saying that site is unrealistic which probably is a simulating a computer that can only work on one thing at a time rather than e.g. multithreading cracking, using dictionary tables, etc. (read: sarcasm)
Actually the chinese with their supercalculator may be able to break his password in a few months xD (can't remember how many units of 16 cores they have).
|
So now I know why " FedExe delivery failure" and "Penis Enlargment" got through my spam.
Edit: Changing password now
|
And blizzard screws up again. How surprising. 
|
On August 10 2012 13:41 Clazziquai10 wrote:And blizzard screws up again. How surprising.
No. You're wrong. When you're a multibillion dollar corporation which operates with user information online, there are people constantly targeting you.
Bank vaults can be opened.
Safes can be cracked.
Door knobs can be picked.
Email passwords can be stolen.
So long as locks continue to have the singular flaw of allowing authorized users to bypass their security nothing which is kept behind locked doors will ever be completely safe. Imagine the number of attempts they have halted. Imagine how many times people have tried to access this data. Considering the frequency of their success, I would say Blizzard is doing a damned good job.
|
Thanks for the speedy heads-up BliZZ.
Password changed.
|
On August 10 2012 13:52 Chargelot wrote:Show nested quote +On August 10 2012 13:41 Clazziquai10 wrote:And blizzard screws up again. How surprising. No. You're wrong. When you're a multibillion dollar corporation which operates with user information online, there are people constantly targeting you. Bank vaults can be opened. Safes can be cracked. Door knobs can be picked. Email passwords can be stolen. So long as locks continue to have the singular flaw of allowing authorized users to bypass their security nothing which is kept behind locked doors will ever be completely safe. Imagine the number of attempts they have halted. Imagine how many times people have tried to access this data. Considering the frequency of their success, I would say Blizzard is doing a damned good job.
regarding security. never assume you're 100% safe.
|
Good thing I never had any credit card information associated with my US battle.net account.
|
On August 10 2012 13:41 Clazziquai10 wrote:And blizzard screws up again. How surprising.
In the past few years this has happened to far bigger names and with far worse outcomes. Nobody is safe from this.
|
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.
(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")
Cryptographically scrambled passwords aren't unbreakable, it just takes too much computational effort to unscramble the entire database. Cherry picked accounts can still easily be unscrambled.
It effectively means they have your password if they're willing to devote effort to acquiring it. If there are other places of significance where you use the same password and your identity is traceable through your account data, change those passwords as well.
So if you use your blizzard password as your bank password, and your email is basically your real name, change that shit.
|
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.
(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")
Yes, trust math
|
Oh god... I know Blizzard are lazy, but now not secure enough...? -.-
|
On August 10 2012 14:11 darkness wrote:
Oh god... I know Blizzard are lazy, but now not secure enough...? -.-
People can break into government agencies and you think it surprising that a videogame manufacturer isn't foolproof?
Welcome to the internet - nothing is ever truly safe.
|
This thread has been really insightful. Thanks to all the folks dropping some real security knowledge.
Good advice for sex and passwords: Don't fool around with ridiculous characters. Hash makes it better. Size matters.
|
I felt like Battle.net e-mails were leaked long before this. I kinda doubt it's a coincidence when I start getting blizzard-game-related spam mail a while after using the e-mail for a battle.net account.
|
On August 10 2012 13:12 sudosu wrote:
"cryptographically scrambled versions"
"each password would have to be deciphered individually"
Andwhy the hell are the passwords ciphered and not hashed ?
I'd guess that's what Blizzard actually does, and their webpage has simplified the description so that people who haven't gone through a CS undergrad know what it means. :-) (OK, that's an exgeration a bit, but I still think it's mostly true.)
Besides, the first quote is perfectly applicable to the hashing scenario anyway (and in fact the weird wording of the first quote just makes me more sure of my guess).
There is absolutely no reason to store ciphered passwords because there is even less reason to deciphered a password.
(The following isn't really meant to say you're wrong per se -- and definitely not in this scenario -- just to add some additional information that the above isn't some inviolable rule.)
So it's pretty inapplicable to the WWW scenario, but by my understanding there is actually one reason that storing passwords in encrypted (and not hashed) form is a fairly legitimate tactic: it allows mutual authentication without a trusted third-party.
Alice wants to talk to Bob, so Alice picks a random secret key to use in future messages (the "session key") and encrypts that key with her password, and forwards it off to Bob, along with "I'm Alice!" in plaintext. Bob looks up Alice's password (decrypting it if necessary), uses that to decrypt the session key. Now both Alice and Bob know the session key, and no one else can subject to the strength of Alice's password. They can then handshake to make sure they have the same session key -- if they do, then mutual authentication is successful. Mallory can't mimic Alice because he can't encrypt the session key without Alice's password, nor can he mimic Bob because he can't decrypt it for the same reason.
My understanding (though this is weak and stuff I learned quite a long time ago so I could be wrong) is this idea is behind Kerberos. Kerberos adds a bunch of additional layers (and protections against other attacks like replays), and calls the "password" the "password hash" -- but it's basically how it works. (What I mean by that password vs password hash comment is that everything you need to do to authenticate yourself in Kerberos -- if I'm right -- you can do with the password hash. The extra hash step bascially provides no protection except that an attacker would have a hard time reversing to the actual input from the user to try to apply to other sites.)
(SSL gets around this by having "trusted" third parties -- e.g. Verisign -- attest to the identity of one of the parties via its public key.)
(I'd appreciate any comments about how much of what I say here is correct. :-))
|
Seeing this is my expertise, I can comment on this;
Bank vaults can be opened.
Safes can be cracked.
Door knobs can be picked.
Email passwords can be stolen
It's what you do with the info that matters!
I said that I received 3 emails that got through my filters, and that the FexEx asks for info (2009) ( my wife almost clicked).
I'm just trying to say that a lot of this stuff can be harmless but this 1 needs to be addressed
|
|
|
I would never have expected Blizzard to be exploited in this way! Man, the site is such a rich hacking field, so many accounts reside on it. I'm like ... surely they've seen everything, are prepared against everything ... but wow, how meddlesome are the bugs that remain.
At least the passwords had cryptographic protection unlike controversies like Sony.
|
I just received recently a warning on my Battle.net email that someone unauthorized was trying to access it from North America. So these hackers are actively trying to break the emails, beware.
I was wondering how a hacker could even find this particular email, because I don't use it in any public forms, only for Battle.net.
|
|
|
|
|
|
EPT
