EPTBlizzard Security Breach - Page 18
| Forum Index > SC2 General |
|
ymir233
United States8275 Posts
| ||
|
Sekken
Afghanistan248 Posts
 Also... I am too lazy to change my PW :c If I get hacked, so be it ^^ | ||
|
Rannasha
Netherlands2398 Posts
On August 10 2012 22:27 Ryder. wrote: Are we supposed to change our secret question/answer? It is not immediately obvious to me on how to do it myself, does Blizzard expect we contact them and do it or will that not be necessary? Players with accounts in the NA region will have their secret question reset by Blizzard in a few days or so. There is no regular option to change your SQ/SA. | ||
|
EnE
417 Posts
Can't blame them. | ||
|
andrewlt
United States7702 Posts
| ||
|
ThirdDegree
United States329 Posts
+ Show Spoiler + We've received a request to reset the password for this Battle.net account. Please click this link to reset your password: https://us.battle.net/account/support/password-reset-confirm....... If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail. If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team. Sincerely, The Battle.net Account Team Online Privacy Policy I suppose this might be connected. | ||
|
dudeman001
United States2412 Posts
| ||
|
MasterMonkey
United States96 Posts
| ||
|
Nizaris
Belgium2230 Posts
On August 10 2012 20:26 paralleluniverse wrote: Who cares if their passwords is not case-sensitive. Who uses upper-case letters in their passwords anyway? In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter. It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters. hahaha. goes to show how clueless you are. case sensitive passwords are allot harder to crack then case insensitive since 'a' and 'A' are 2 different letters therefore u have exponentially more possibilities. It pisses you off that websites forces you not to use a retarded password ? some ppl... who uses upper cases letter in their passwords ? smart ppl do. | ||
|
Gorsameth
Netherlands21666 Posts
On August 10 2012 23:10 Nizaris wrote: hahaha. goes to show how clueless you are. case sensitive passwords are allot harder to crack then case insensitive since 'a' and 'A' are 2 different letters therefore u have exponentially more possibilities. It pisses you off that websites forces you not to use a retarded password ? some ppl... who uses upper cases letter in their passwords ? smart ppl do. Actualy it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations. | ||
|
rast
Poland44 Posts
Also there's a confusion in this topic between the protocol and actual authenticatuion. SRP is just a protocol which "carry" your password between diffrent services, similar to SSH. It has no use in authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to actual authentication mechanism, which tends to be just converting your password into hash. The true question is how good is Blizz mechanism of storing passwords is, does the hashes ware generated using "salt", are salt stored in same DB etc. No info given by them on this matter and unfortunately the IT tends to treat such matters really poorly. Long story short - it would be best for everyone affected to change the password everywhere they are using it  . | ||
|
sudosu
France120 Posts
On August 10 2012 17:22 klo8 wrote: MD5 has been considered unsafe for a long while now. Already in 1996, a researcher wrote: And in 2005: I guess, the point is: Don't use MD5 (or SHA1, or any hash function that you can evaluate very quickly) for hashing passwords, not even a salt value will help you out because MD5 is broken. Use Bcrypt or something similar instead. SHA512 is perfectly fine too (for the moment). | ||
|
Rannasha
Netherlands2398 Posts
On August 10 2012 23:20 rast wrote: Most peaple here doesn't realise the fact that their stolen hashes are probably decyphered into their passwords already by said hackers. Nowadays hackers doesn't needs to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically hugh dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebodie acuires your hash and has access to this rainbow table all he needs to do is look up possible password which generate mentioned hash. Also as someone stateb before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent. This is only true when the password is hashed without any added salt. Once you add salts to the hashing function, the use of rainbow tables becomes far less effective. Sophisticated salting techniques can negate pretty much any efficient attack with rainbow tables. Consequently, any well-designed authentication system uses salts in their hashing function. | ||
|
multiversed
United States233 Posts
On August 10 2012 23:20 rast wrote: Most peaple here doesn't realise the fact that their stolen hashes are probably decyphered into their passwords already by said hackers. Nowadays hackers doesn't needs to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically hugh dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebodie acuires your hash and has access to this rainbow table all he needs to do is look up possible password which generate mentioned hash. Also as someone stateb before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent. Also there's a confusion in this topic between the protocol and actual authenticatuion. SRP is just a protocol which "carry" your password between diffrent services, similar to SSH. It has no use in authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to actual authentication mechanism, which tends to be just converting your password into hash. The true question is how good is Blizz mechanism of storing passwords is, does the hashes ware generated using "salt", are salt stored in same DB etc. No info given by them on this matter and unfortunately the IT tends to treat such matters really poorly. Long story short - it would be best for everyone affected to change the password everywhere they are using it .i was just explaining the other half of the process. i got lazy. thank you. | ||
|
GohgamX
Canada1096 Posts
| ||
|
windzor
Denmark1013 Posts
On August 10 2012 17:22 klo8 wrote: MD5 has been considered unsafe for a long while now. Already in 1996, a researcher wrote: And in 2005: I guess, the point is: Don't use MD5 (or SHA1, or any hash function that you can evaluate very quickly) for hashing passwords, not even a salt value will help you out because MD5 is broken. Use Bcrypt or something similar instead. MD5crypt and the MD5 hash function is 2 different algorithms for 2 different problems. So what you are linking too is like comparing apples and oranges. MD5crypt was the defacto standard to password hashing until 2 months ago, and most systems which are older still uses it because it. The MD5crypt weakness was first discovered by the author after Linkedin was hacked and their hashed passwords got hacked... | ||
|
kubiks
France1328 Posts
On August 10 2012 23:20 rast wrote: Most peaple here doesn't realise the fact that their stolen hashes are probably decyphered into their passwords already by said hackers. Nowadays hackers doesn't needs to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically hugh dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebodie acuires your hash and has access to this rainbow table all he needs to do is look up possible password which generate mentioned hash. Also as someone stateb before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent. Also there's a confusion in this topic between the protocol and actual authenticatuion. SRP is just a protocol which "carry" your password between diffrent services, similar to SSH. It has no use in authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to actual authentication mechanism, which tends to be just converting your password into hash. The true question is how good is Blizz mechanism of storing passwords is, does the hashes ware generated using "salt", are salt stored in same DB etc. No info given by them on this matter and unfortunately the IT tends to treat such matters really poorly. Long story short - it would be best for everyone affected to change the password everywhere they are using it .Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionnary, how can thoses tables can store all the passwords and his hash ? I understand if the pass is less than 6 caracter long, but beyond it just look like this kind of table would just be way too big...(as, too big to be stored on anything) | ||
|
DertoQq
France906 Posts
On August 10 2012 23:18 Gorsameth wrote: Actualy it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations. This thread is clearly talking about some hackers managing to get the hash pw of users. Brute Force / Dictionary attacks / Rainbow tables is not only "viable", but it is the only way to use those hash. Having a complicated password is the only thing you can do to prevent having issues with that. | ||
|
DertoQq
France906 Posts
On August 11 2012 00:48 kubiks wrote: Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionnary, how can thoses tables can store all the passwords and his hash ? I understand if the pass is less than 6 caracter long, but beyond it just look like this kind of table would just be way too big...(as, too big to be stored on anything) it is pretty big. for example, a Rainbow table for password of length 9 (or less) containing numbers and upper case would be a file of ~800GB. | ||
|
windzor
Denmark1013 Posts
On August 11 2012 00:48 kubiks wrote: Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionnary, how can thoses tables can store all the passwords and his hash ? I understand if the pass is less than 6 caracter long, but beyond it just look like this kind of table would just be way too big...(as, too big to be stored on anything) rainbow tables are really really big. But they don't have all possible combinations. But the more storage you have the more combinations you will have in the table. But people are stupid, so you don't need all possible combinations. People are really really bad at remembering passwords, so a very larger portion of the passwords are made up of a string of number (birthdays/phone number) words in dictionnaries, or combinations of those two. Heck even "secure" passwords which in theory is "impossible" to bruteforce often has a system for people in which you can then generate all possible combination for. But the beauty of rainbow tables is they are structered in a way which gives really good storage and search times. So you would be surprised how many passwords you can store with a table of only 20 gb. | ||
| ||
