EPTBlizzard Security Breach - Page 7
| Forum Index > SC2 General |
|
MyLastSerenade
Germany710 Posts
| ||
|
Medrea
10003 Posts
| ||
|
Corrosive
Canada3741 Posts
If you want to see how long it would take your password to be cracked check this out http://howsecureismypassword.net/ | ||
|
creamer
Canada128 Posts
| ||
|
andReslic
216 Posts
| ||
|
Wuster
1974 Posts
On August 10 2012 08:51 Virtue wrote: Usually at this point after a hack, case of the characters in your passwords doesn't matter. They are just going to brute force (Try every possible combination of characters for a certain length) and when a computer is just calculating hashes and comparing them it doesn't make it harder or easier. Thankfully, it seems like Blizzard's password storage protocol is a lot better than most encryption methods at standing up to brute forcing their hashes. (Might even be impossible.) I'm by no means an expert, so I'm wondering if you could explain how a storage protocol could be better or worse against brute force. Do you mean things like individual salts or increased entropy? Because all I'm thinking is that once someone has the actual hash you can't slow their velocity when it comes to brute-force attacks (which Blizzard does when you enter passwords through the game client / web). Edit: I do agree that case actually is a red herring here, because the allowable character set and password lengths already have plenty of permutations to prevent someone easily cracking one password let alone all of them. | ||
|
v3chr0
United States856 Posts
| ||
|
Sikly
United States413 Posts
On August 10 2012 09:17 v3chr0 wrote: My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though. Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours. | ||
|
Chunhyang
Bangladesh1389 Posts
I'm not worried. | ||
|
achristes
Norway653 Posts
Here's mine: ******* Pretty sick. On a serious note, looks like blizz handled it nicely. | ||
|
nath
United States1788 Posts
On August 10 2012 07:38 Probe1 wrote: So change your passwords. Got it. (Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?") as a programmer, yes. | ||
|
Vorenius
Denmark1979 Posts
On August 10 2012 09:11 Corrosive wrote: If you want to see how long it would take your password to be cracked check this out http://howsecureismypassword.net/ 1 million years. I'll take my chances.  | ||
|
Kaasstengel
Netherlands15 Posts
| ||
|
leo23
United States3075 Posts
 ... | ||
|
trifecta
United States6795 Posts
On August 10 2012 09:06 MyLastSerenade wrote: unbelievable...... Why is this unbelievable? Security is a really hard problem of asymmetric warfare. At least Blizzard, as far as we know, didn't make any obvious mistakes like keeping passwords in plaintext. As the Apple/Amazon story from a few days ago reinforced, users have to share the responsibility of security (don't reuse passwords, use strong passwords, keep backups etc)–you can't expect even the largest corporations to keep out all attackers all the time. | ||
|
Laneir
United States1160 Posts
| ||
|
xrapture
United States1644 Posts
| ||
|
Eufouria
United Kingdom4425 Posts
128 decillion years Possible Combinations: 16 sexdecillion I'm quietly confident. | ||
|
zergrushkekeke
Australia241 Posts
On August 10 2012 09:17 v3chr0 wrote: My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though. That is not how passwords work, if you have a crazy long and difficult password and someone steals it, they don't care how long or complicated it is, they will more likely be copy/pasting it. And to the other post about using a webpage to check how secure your password is, i seriously hope you didn't use your real one, how secure is a secret you told someone about to see if they have heard it? | ||
|
Shenghi
167 Posts
On August 10 2012 08:16 R1CH wrote: While SRP is very secure, there are many services (like the battle.net website) that can't use SRP, so it seems reasonable to conclude that some password-equivalent data is stored somewhere and that it could have been leaked. Even so, it can reasonably assumed that Blizzard sufficiently salts and otherwise obscures the password before hashing it with a safe hash, so the point stands. Weak passwords remain weak, strong ones remain strong. Nevertheless, everyone affected should of course still change their passwords, just to make sure. On August 10 2012 08:26 thurst0n wrote: LOL SO TRUE! I seriously cannot have a password for each site because I cannot remember that many passwords. I have to change my password at work every 10 weeks, and I'm running out of options, I cannot use ANY password I've previously used... security questions I have a little trick for, that this hacker ruined. I always answer the same 3 things for security questions, and they are complete bullshit, so it doesn't matter what questions are asked, just the random answers i have selected, it makes it hard when sites ask me in random order. Bleh, I guess I'll have to write down my passwords at home, and start making them different for everything. Luckily I already use seperate password for things i care about, like banking/personal email. Fuck you hackers The sad part is that changing your password every 10 weeks doesn't even increase security. If your password is strong, then it's strong. If it's weak, then it's weak. In fact, having to change it often will probably lead to much weaker passwords, such as "thissux10" and then just increment it every time you are forced to change it. As for security questions, don't get me started. They are pretty much the bane of my existence. If I can avoid having to answer them, I will. If that means I have to avoid a certain service, so be it. Don't write your passwords down. Use KeePass, like some people have already suggested. On August 10 2012 08:43 Pufftrees wrote: This is just... unacceptable. What the flux. + Show Spoiler + Blizzard is such a joke This happens to every major company and every government. Nothing you can do about it. Attackers are always ahead of defenders. Not Blizzards fault, and in fact, as far as we can tell they're handling it better than most. On August 10 2012 08:45 RoyGBiv_13 wrote: I went to a talk at DEFCON about fuzzing d3, where they showed just how secure blizzard's password system is. I would not be worried about them breaking you password hash (a properly salted and hashed password is a difficult thing to unravel). The security questions are a real risk though. Always those dang security questions... On August 10 2012 08:51 Virtue wrote: <snip> Still, when it comes to passwords length is all that matters. I work for a company that audits IT and when we get hashes of passwords like these guys did, we can usually crack all of an institutions passwords in a day. The only ones we can't crack no matter how long they are are ones that are long (Something like 13-15 characters or longer). <snip> Even if the hashing algorithm is known and only lower-case characters (no uppercase, no digits, no special characters, etc.) are used, then at 1 billion (1 000 000 000) attempts per second it takes ~50 000 years to break 15-character password, assuming the hash is safe (no collisions are known, or are expected to be found within that time frame.) For a 20-character password, this would be ~631 billion years. Note: The (possibly) fastest computer on earth can make about 75 billion attempts per second. (Reinforcing your point here, not disputing it) On August 10 2012 09:01 DertoQq wrote: Actually, case does help. They are going to brute force it and if they have to take into account the case, it will increase the number of possibilities by A LOT. It helps, but it won't change much for a password of desirable length. If it's impossible to get in a few billion years, then one way or the other, you'll be fine. On August 10 2012 09:20 Sikly wrote: Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours. Memorizing a new, strong password takes more than minutes. On August 10 2012 09:25 achristes wrote: Did anyone know that if you type your bnet password on TL it automatically turns into stars? Here's mine: ******* Pretty sick. Oh, you read bash.org. | ||
| ||
