Blizzard Security Breach - Page 5
Eufouria
United Kingdom, 4425 Posts
On August 10 2012 08:26 R1CH wrote: I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?

It's so bad nobody would ever use it, so hackers won't even try it. Metagame. So can we all expect to be added to a bunch more spam email lists because of this?
BadgerBadger8264
Netherlands, 409 Posts
On August 10 2012 08:26 R1CH wrote: I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?

Typically passwords are hashed in combination with a username and other information. You can't simply hash "password123" and have thousands of results turn up. You'd have to know the hashing algorithm used by Blizzard, then for every individual user, hash "password123" and compare it to the stored hash. That still obviously wouldn't take a month to do with a single password, so you're right that it is probably feasible to do that for very common passwords and obtain a good amount of accounts. Still, if your password is even remotely unique, they will never realistically obtain it.
sour_eraser
Canada, 932 Posts
But I want to know if we need to know the previous answer to the Secret Question when they force us to change it into a new one. I forgot mine :/
Crying
Bulgaria, 778 Posts
On August 10 2012 08:31 -RusH wrote: I can't seem to find how to edit the secret question/answer. Anyone know where?

I think the security question is not changeable.
thatsundowner
Canada, 312 Posts
On August 10 2012 08:30 netherh wrote: It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.

If somebody gets the password, case sensitivity is irrelevant, and brute forcing is not how the vast majority of stolen b.net accounts are taken. It's kind of an irrelevant thing, and not a big deal at all that they don't do it.
entropius
United States, 1046 Posts
On August 10 2012 08:26 R1CH wrote: I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?

Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them. It's been a while since I studied this stuff, of course, so I could be wrong.
Maluk
France, 987 Posts
Edit: Yes, my question probably sounds pretty noob but I am clueless concerning hacks t.t
jnkw
Canada, 347 Posts
On August 10 2012 08:37 entropius wrote: Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them. It's been a while since I studied this stuff, of course, so I could be wrong.

Given that there exist many extremely common passwords like 'password', it is not unreasonable to assume that rainbow tables might exist for a large number of possible salts per common password.
Kambing
United States, 1176 Posts
On August 10 2012 08:37 entropius wrote: Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them. It's been a while since I studied this stuff, of course, so I could be wrong.

Not necessarily, e.g., http://www.openwall.com/john/. Passwords in practice are frequently suitably weak and amenable to cracking (e.g., via a dictionary attack). Knowing how the passwords were salted --- or at least narrowing it down to a small set of salting schemes --- makes things more tractable as well. So theoretically intractable. Practically hard to do, but not impossible.
Pufftrees
2449 Posts
This is just... unacceptable. What the flux. Blizzard is such a joke.
Dingobloo
Australia, 1903 Posts
On August 10 2012 08:37 entropius wrote: Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them. It's been a while since I studied this stuff, of course, so I could be wrong.

They actually tell us the method by which they encrypt the passwords in the FAQ: http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol It includes the username, password, salt and an unspecified hash function, so dictionary attacks aren't likely to be a problem. Again, no guarantees, but they seem to have done due diligence with regards to making getting the actual password very difficult given just the hash.
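Dingobloo's post above points at SRP, which folds the username and a per-account salt into the stored value; entropius and Kambing's exchange is about why that matters. The block below is an added illustration, not Blizzard's code and not from anyone in the thread: it follows the RFC 5054 shape x = H(s | H(I ":" P)), v = g^x mod N, but with SHA-256 instead of SHA-1 and a deliberately tiny group (both assumptions), and contrasts it with an unsalted digest to show why one precomputed hash can match many accounts in the weak scheme but only one in the salted one.

```python
"""SRP-style credential records versus unsalted digests (illustration only)."""
import hashlib
import os

# Toy group for demonstration only (assumption): far too small for real SRP.
N = (1 << 127) - 1   # the Mersenne prime 2^127 - 1
g = 2


def srp_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(username ':' password)), the RFC 5054 structure
    with SHA-256 substituted for SHA-1 (assumption for this example)."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N. The server stores (salt, v), never the password or x."""
    return pow(g, srp_x(username, password, salt), N)


def enroll(username: str, password: str) -> dict:
    """Per-account record a server keeps: fresh random salt plus verifier."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "verifier": srp_verifier(username, password, salt)}


def unsalted_digest(password: str) -> bytes:
    """The weak scheme the thread worries about: identical passwords give
    identical stored values, so one match exposes every such account."""
    return hashlib.sha256(password.encode()).digest()


def accounts_sharing_value(records: list, key) -> int:
    """Largest group of records whose stored value is identical under `key`.
    For salted records this is 1 even when everyone uses the same password;
    for unsalted digests it equals the number of users sharing that password."""
    counts: dict = {}
    for rec in records:
        counts[key(rec)] = counts.get(key(rec), 0) + 1
    return max(counts.values()) if counts else 0


def demo() -> tuple:
    """Constructed sample: three accounts, all using the same weak password."""
    users = ["alice", "bob", "carol"]
    salted = [enroll(u, "password123") for u in users]
    unsalted = [{"username": u, "digest": unsalted_digest("password123")} for u in users]
    return (accounts_sharing_value(salted, lambda r: r["verifier"]),
            accounts_sharing_value(unsalted, lambda r: r["digest"]))
```

Running `demo()` returns (1, 3): the salted verifiers are all distinct, while the unsalted digests collapse to one value shared by all three accounts.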
Kambing
United States, 1176 Posts
On August 10 2012 08:43 EleanorRIgby wrote: damn this sucks but i think hackers usually go for wow/d3 accounts, sc2 accounts are probably the least profitable

Likely that they can't differentiate without cracking the account. And besides, your email address and secret answers can be enough to do damage. For example, some (badly designed) sites will let you reset a password immediately after you successfully answer a secret question without sending email to your account first.