Blizzard Security Breach - Page 19
Forum Index > SC2 General
Daehlie
United States, 43 Posts
Panthae
Canada, 205 Posts
HolydaKing
21253 Posts
On August 11 2012 01:48 Panthae wrote: I'm pretty sure people who have D3 are in more trouble than people that have SC2.
I'm pretty sure many, if not most, have both of them. Still, you are of course right in terms of value of the account.
Deleted User 101379
4849 Posts
On August 11 2012 00:48 kubiks wrote: Not sure if I understand what a "rainbow table" is, but if your password isn't a word from the dictionary, how can those tables store all the passwords and their hashes? I understand if the password is less than 6 characters long, but beyond that it just looks like this kind of table would be way too big... (as in, too big to be stored on anything)
What a lot of rainbow tables did when they started a long time ago was not to randomly generate stuff but instead gather cleartext passwords from a lot of sources and then start from there. Since a lot of people use similar passwords, that already covered 75% of all passwords. Now that storage has become cheap, those databases are so huge that basically any <8 character password is covered for most of the common hashing algorithms, and the only thing you can hope for if your password is that short is that the password has a good salt.
snively
United States, 1159 Posts
Deleted User 101379
4849 Posts
On August 11 2012 02:03 snively wrote: I got this too. Can anyone confirm if it's legit?
Did you click on the "reset password" button? If not, delete that mail.
paralleluniverse
4065 Posts
On August 10 2012 23:10 Nizaris wrote: hahaha. Goes to show how clueless you are. Case sensitive passwords are a lot harder to crack than case insensitive ones, since 'a' and 'A' are 2 different letters; therefore you have exponentially more possibilities. It pisses you off that websites force you not to use a retarded password? Some ppl... Who uses upper case letters in their passwords? Smart ppl do.
http://www.teamliquid.net/forum/viewmessage.php?topic_id=359393&currentpage=17#328
http://www.teamliquid.net/forum/viewmessage.php?topic_id=359393&currentpage=18#350
paralleluniverse
4065 Posts
Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/
It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.
rast
Poland, 44 Posts
On August 11 2012 02:34 paralleluniverse wrote: Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/ It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.
This article is true. As I said before, SRP is just a protocol which "carries" your password to Blizzard. Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives in your friend's home, he writes down this message and leaves it on his table. The SRP is that reliable postman. What hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message. Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need now is to perform a dictionary attack, or maybe use a rainbow table if there is no salt or the salt is really weak. Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.
MrTortoise
1388 Posts
good job blizz.
The point is the security bought TIME. That is all it can buy. Your account could be hacked directly through permutations of passwords directly into the client... that would take hundreds of years. This gives them a short cut, but it still gives users a decent amount of time until a significant proportion of passwords get cracked.
Personally I use bcrypt on one of its hardest settings to hash things... but that is because I can afford to. As a developer who comes down on any security breach like a ton of bricks (we haven't found out how, and if it turns out to be a SQL injection attack I will reverse this statement VERY quickly) - it seems like Blizzard has done a lot of what is reasonable to secure things.
SHA1 is recognised as a good strong hash. Its only weakness is that it is quite a quick hash and so not the best choice for password hashing (it is great for hashing LARGE file streams) - where you want to choose a slow algorithm, as that massively reduces the number of guesses per second. The problem with slow algorithms is that they EAT CPU... and go back to D3 release when authentication servers kept falling over. You see the really hard spot they were in... i.e. they seemingly couldn't afford to use blowfish due to the scale of their operations, as their servers can't cope with a fast sha1 algorithm.
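The post above turns on one number: how many guesses per second an attacker gets against a fast hash like SHA-1 versus a deliberately slow one. The following is an added example written for this thread, not code from Blizzard or from any poster. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 (an assumption of this example) stands in as the tunable-cost hash; the sample passwords and the 36^8 keyspace are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example: a fast, unsalted SHA-1 digest beside an iterated hash whose cost
# the operator chooses. PBKDF2 stands in for bcrypt here; this is not Blizzard's scheme.


def sha1_digest(password: str) -> str:
    """One SHA-1 over the password: fast, fixed cost, no salt. Fine for large
    file streams, poor for passwords because every guess is cheap."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Store salt, iteration count and digest together. The salt is random per user;
    the iteration count is the work factor the defender controls."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])


def guesses_per_second(iterations: int, trials: int = 10) -> float:
    """Measure how many candidate passwords this machine can test per second at a
    given work factor. Raising the work factor pushes this number down for
    attacker and server alike, which is the trade-off the post describes."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode("utf-8"), salt, iterations)
    return trials / (time.perf_counter() - start)


def years_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every password in a keyspace at a given guess rate."""
    return keyspace / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    keyspace = 36 ** 8  # lowercase letters and digits, 8 characters (constructed)
    for iters in (1, 1_000, 100_000):
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: {rate:12.0f} guesses/s, "
              f"{years_to_exhaust(keyspace, rate):.1f} years to exhaust 36^8")
    rec = make_record("correct horse", 100_000)
    print("verify right password:", verify("correct horse", rec))
    print("verify wrong password:", verify("wrong horse", rec))
```

Running it prints the measured guess rate at each work factor on the current machine; the iteration count is the knob that has to be balanced against login-server load, which is exactly the D3-launch problem the post raises.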
cLAN.Anax
United States, 2847 Posts
Viliphied
United States, 2 Posts
On August 11 2012 00:55 DertoQq wrote: This thread is clearly talking about some hackers managing to get the hashed passwords of users. Brute force / dictionary attacks / rainbow tables are not only "viable", but they are the only way to use those hashes. Having a complicated password is the only thing you can do to prevent having issues with that.
The thing is, if your password is 8+ characters of only lower case and numbers, adding another character adds more complexity than adding case sensitivity.
DertoQq
France, 906 Posts
On August 11 2012 03:16 Viliphied wrote: The thing is, if your password is 8+ characters of only lower case and numbers, adding another character adds more complexity than adding case sensitivity.
True, but I was responding to a post saying that password complexity doesn't matter because hackers won't brute force it, which is completely false. Password complexity is really important. Upper case DOES increase it, even though it is not needed because you can achieve better results by increasing the length.
NIIINO
Slovakia, 1320 Posts
Shenghi
167 Posts
On August 11 2012 04:11 NIIINO wrote: What if they hacked Mike's mail too, so they can ask us to change our passwords on the site they are monitoring?
Then just follow the golden rule: Blizzard will never ask you for your password.
Integra
Sweden, 5626 Posts
On August 11 2012 01:58 Morfildur wrote: What a lot of rainbow tables did when they started a long time ago was not to randomly generate stuff but instead gather cleartext passwords from a lot of sources and then start from there. Since a lot of people use similar passwords, that already covered 75% of all passwords. Now that storage has become cheap, those databases are so huge that basically any <8 character password is covered for most of the common hashing algorithms, and the only thing you can hope for if your password is that short is that the password has a good salt.
To simplify the difference between brute force and rainbow tables: brute force uses processing power to calculate various test passwords and then compare them with the real password to be cracked, whereas with rainbow tables each test password is already saved in a database table. Then, instead of using raw processing power, you simply have huge tables of already pre-calculated test passwords that you fetch from the table instead of generating new ones. Simply fetching already created passwords goes a lot faster compared to computing new ones each time. Brute force requires a lot of processing power, while rainbow tables require a lot of HD space. And that is the difference between brute force and rainbow tables.
Finalmastery
United States, 58 Posts
windzor
Denmark, 1013 Posts
On August 11 2012 03:00 rast wrote: This article is true. As I said before, SRP is just a protocol which "carries" your password to Blizzard. Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives in your friend's home, he writes down this message and leaves it on his table. The SRP is that reliable postman. What hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message. Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need now is to perform a dictionary attack, or maybe use a rainbow table if there is no salt or the salt is really weak. Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.
But then again this article assumes that the hackers got the verifier database, which isn't totally clear from the Blizzard statement. The statement could just be an eavesdrop of the data between the machine that has the verifier database and the login service. But anyway, people should still not believe their password to be secure.
discomatt
113 Posts
On August 11 2012 02:34 paralleluniverse wrote: Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/ It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.
It's still difficult. Unless you're using a common password found in that list of 1,000,000 the attacker wants to test, you have nothing to worry about. Each digest must be brute-forced individually. Even 1 billion computations/day doesn't come close to the number of possible alphanumeric, lowercase, 8-character passwords for a single user. 36^8 = nearly 3 trillion possible combinations. Even if the attacker finds a match 50% of the way through the attack, it would still cost him just under $1,500 to recover a single user's password via Amazon EC2. As for rainbow tables, this method uses individual salts. Rainbow tables are useless.
On August 11 2012 03:00 rast wrote: This article is true. As I said before, SRP is just a protocol which "carries" your password to Blizzard. Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives in your friend's home, he writes down this message and leaves it on his table. The SRP is that reliable postman. What hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message. Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need now is to perform a dictionary attack, or maybe use a rainbow table if there is no salt or the salt is really weak. Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.
Pretty over-simplified here. Salts are considered public data. They aren't meant to be private; they're meant to make 2 identical passwords produce different digests. Unique salts are part of SRP, so it's pretty safe to assume they were used. The analogy is a terrible one, and flat out wrong. The same message given to the postman is written on the paper. The postman doesn't know what the original message even was, and that's the point of SRP. Finally, botnets aren't usually used to harness CPU power... the idea is for the zombie computer to never realize it's infected. Stealing CPU cycles isn't a good way to do this. You're much better off simply renting a cluster of high-powered floating point processors and using that.
Kvz
United States, 463 Posts