|
On August 10 2012 20:10 Ganondorf wrote: On August 10 2012 20:01 paralleluniverse wrote: This has got to be the most weaksauce hack ever.
Literally nothing of value was taken. No accounts will directly be compromised by this.
I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data. If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime. The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc. Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.
And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.
Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.
|
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.
|
On August 10 2012 20:21 multiversed wrote: it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere. Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?
In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.
|
On August 10 2012 20:26 paralleluniverse wrote: On August 10 2012 20:21 multiversed wrote: it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere. Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway? In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.
please don't waste the effort put into this post.
On August 10 2012 20:07 Morfildur wrote: On August 10 2012 19:39 Na_Dann_Ma_GoGo wrote: @ Morfildur Aye thanks.
But then there shouldn't be much to worry about at the moment since acquiring the algorithm should be nigh impossible right? I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.
Companies all use standard algorithms and with some practice you can limit the amount of possible algorithms by just looking at the hash; the only factor that can make it hard is the salt and the password complexity. The more complex the password is, the less likely it's in a rainbow table and the harder it is to brute force.
A more in-depth explanation:
A password of length 1 that consists of only lowercase characters (a-z) has a complexity of 26^1, i.e. 26.
A password of length 1 that consists of lower- & uppercase has a complexity of 52.
A password of length 1 that consists of lower- & uppercase & numbers and a selection of 50 special characters has a complexity of 112.
A password with those properties but of length 2 has a complexity of 112^2, i.e. 12 544.
A password of length 10 with only lowercase characters just has a complexity of 26^10, i.e. 141 167 095 653 376.
A password of length 10 with the 112 characters has a complexity of 112^10, i.e. 310 584 820 834 420 916 224.
Complexity means the range of possible passwords that have to be hashed to find the correct password. If you add a salt of 10 characters from a selection of 112 characters, it suddenly becomes 112^20 which is a 40 digit number.
Now as for the actual time it takes to hash the password and brute force it, the stronger algorithms take longer than simple algorithms like MD5. You can calculate several million up to several billion ( http://www.codinghorror.com/blog/2012/04/speed-hashing.html ) MD5 hashes per second depending on your PC, so to definitively crack the lowercase-only password, it takes a few hours or at most a few days. To crack the complex password it still takes a few weeks. Other algorithms like SHA256, etc. are slower, so it takes 10-100 times longer to brute force passwords. Add the salt and it suddenly becomes an eternity. That is why the rainbow tables exist.
Basically each lower- & uppercase only combination for passwords of up to 10-15 characters in length is included in rainbow tables which makes a search for it a matter of seconds. Most of those that steal a huge amount of password hashes don't bother brute forcing; if it's not in the rainbow tables, they ignore those but still might sell or release those users & hashes. That means that someone who targets a specific user/group can still try to brute force the passwords.
So in summary the best way to protect your password is:
1. Have a long password using special characters, numbers and a mix of upper and lower characters to maximize its complexity
2. Hope that the one storing your password uses a strong salt
3. Hope that the one storing your password uses a strong & slow algorithm.
|
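The post above makes three separate points: the size of the candidate space ("complexity"), how long exhausting it takes at a given guessing rate, and why a per-user salt plus a slow algorithm is what actually protects a leaked hash. The following is an added example, not code from any poster or from Blizzard, that puts those three points side by side: it reproduces the 26^10 and 112^10 counts, converts a count into a worst-case time at an assumed rate of 10^9 guesses per second, and contrasts a bare MD5 digest (same password, same hash for every user, so one precomputed table serves the whole dump) with salted PBKDF2-HMAC-SHA256 (same password, different digests, and far fewer guesses per second). The password "hunter2", the fixed salt and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Alphabet sizes as the post gives them: lowercase only (26), and lowercase +
# uppercase + digits + a selection of 50 special characters (26+26+10+50 = 112).
LOWER = 26
COMPLEX = 112


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` characters (the post's "complexity")."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of that shape at a given rate."""
    return keyspace(alphabet_size, length) / hashes_per_second


def fast_unsalted_hash(password: str) -> str:
    """The weak storage scheme: one bare, fast digest.  Two users with the same
    password get the same hash, so a single precomputed (rainbow) table covers
    every row of a leaked database at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """The strong storage scheme: a random 16-byte salt per user and a
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here).
    Returns (salt, digest); both are stored, and the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_slow_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(hash_fn: Callable[[str], object], samples: int) -> float:
    """Rough single-core guessing rate for `hash_fn` on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate{i}")
    elapsed = time.perf_counter() - start
    return float("inf") if elapsed == 0 else samples / elapsed


if __name__ == "__main__":
    print(f"26^10  = {keyspace(LOWER, 10):,}")
    print(f"112^10 = {keyspace(COMPLEX, 10):,}")
    # Assumed attacker rate of 1e9 guesses/s against an unsalted fast hash.
    hours = seconds_to_exhaust(LOWER, 10, 1e9) / 3600
    print(f"26^10 at 1e9 guesses/s: {hours:.1f} hours worst case")
    rate_fast = guesses_per_second(fast_unsalted_hash, 20_000)
    rate_slow = guesses_per_second(lambda p: salted_slow_hash(p, b"fixed-salt"), 5)
    print(f"unsalted MD5: {rate_fast:,.0f}/s; salted PBKDF2 (100k iter): {rate_slow:,.1f}/s")
    # Constructed sample password; two different random salts, two different digests.
    s1, d1 = salted_slow_hash("hunter2")
    s2, d2 = salted_slow_hash("hunter2")
    print("unsalted digests equal:", fast_unsalted_hash("hunter2") == fast_unsalted_hash("hunter2"))
    print("salted digests equal:  ", d1 == d2)
    print("verify correct:", verify("hunter2", s1, d1), " verify wrong case:", verify("Hunter2", s1, d1))
```

The measured rates are only a rough single-core figure on whatever machine runs this; the point is the ratio between the two schemes, which is what turns "a few days" into the post's "eternity" once the attacker also has to redo the work per salt.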
On August 10 2012 20:26 paralleluniverse wrote: On August 10 2012 20:21 multiversed wrote: it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere. Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway? In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.
It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually...
An uppercase letter doesn't have the same ASCII code as a lowercase letter.
And actually, if you use a 12 character long password with only lowercase letters, it will be less secure than say a 10 character long password with mixed characters. It's just maths.
EDIT: the previous repost explains way better with numbers, if you don't trust this...
|
Ugh. I was hit by this. My account had been locked and all my game accounts were locked as well. I needed to unlock ALL my game accounts, one by one. I had to bind my account with an authenticator because those blizzard folks won't let me unlock my accounts without one. There you go.
|
On August 10 2012 20:19 paralleluniverse wrote: On August 10 2012 20:10 Ganondorf wrote: On August 10 2012 20:01 paralleluniverse wrote: This has got to be the most weaksauce hack ever.
Literally nothing of value was taken. No accounts will directly be compromised by this.
I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data. If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime. The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc. Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack. And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about. Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.
Previous flawless history? http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html http://suite101.com/article/wow-gets-hacked-in-korea-a48293
|
On August 10 2012 20:33 Ragnarork wrote: On August 10 2012 20:26 paralleluniverse wrote: On August 10 2012 20:21 multiversed wrote: it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere. Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway? In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters. It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually... An uppercase letter doesn't have the same ASCII code as a lowercase letter. And actually, if you use a 12 character long password with only lowercase letters, it will be less secure than say a 10 character long password with mixed characters. It's just maths. EDIT: the previous repost explains way better with numbers, if you don't trust this... Yes, it is just math, and it's well known that an exponential function, x^a, increases more rapidly as a function of the exponent, a, than it does as a function of the base, x.
On my keyboard I count 32 symbols, 26 letters, and 10 numbers, which is a total of 68. So there are 68^x passwords of length x if we don't allow for upper case. If we do allow for upper case, there are 94 characters, so 94^x passwords of length x.
Now, how many more characters does a password excluding upper case characters need to have before it becomes stronger than one with upper case characters? Well, just solve 68^(x+e) > 94^x for e. The solution is e > x*log(94/68)/log(68) = 0.0767x.
So a 10 letter password allowing for upper case characters has equal strength to a 10.767 letter password disallowing upper case characters, which means an 11 letter password not allowing upper case characters is better.
|
On August 10 2012 20:50 paralleluniverse wrote: On August 10 2012 20:33 Ragnarork wrote: On August 10 2012 20:26 paralleluniverse wrote: On August 10 2012 20:21 multiversed wrote: it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.
i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere. Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway? In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters. It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually... An uppercase letter doesn't have the same ASCII code as a lowercase letter. And actually, if you use a 12 character long password with only lowercase letters, it will be less secure than say a 10 character long password with mixed characters. It's just maths. EDIT: the previous repost explains way better with numbers, if you don't trust this... Yes, it is just math, and it's well known that an exponential function, x^a, increases more rapidly as a function of the exponent, a, than it does as a function of the base, x. On my keyboard I count 32 symbols, 26 letters, and 10 numbers, which is a total of 68. So there are 68^x passwords of length x if we don't allow for upper case. If we do allow for upper case, there are 94 characters, so 94^x passwords of length x. Now, how many more characters does a password excluding upper case characters need to have before it becomes stronger than one with upper case characters? Well, just solve 68^(x+e) > 94^x for e. The solution is e > x*log(94/68)/log(68) = 0.0767x.
So a 10 letter password allowing for upper case characters has equal strength to a 10.767 letter password disallowing upper case characters, which means an 11 letter password without upper case is better. thus not making you an idiot. the math checks out.
|
On August 10 2012 20:46 Broodwurst wrote: On August 10 2012 20:19 paralleluniverse wrote: On August 10 2012 20:10 Ganondorf wrote: On August 10 2012 20:01 paralleluniverse wrote: This has got to be the most weaksauce hack ever.
Literally nothing of value was taken. No accounts will directly be compromised by this.
I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data. If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime. The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc. Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack. And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about. Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever. Previous flawless history? http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html http://suite101.com/article/wow-gets-hacked-in-korea-a48293 First link is essentially as impressive as a DDoS:
![[image loading]](http://imgs.xkcd.com/comics/cia.png)
Second link: A bunch of idiots got keylogged.
|
what if the hackers need the password resets for their true masterplan, and this is exactly what they want
|
On August 10 2012 20:56 paralleluniverse wrote: On August 10 2012 20:46 Broodwurst wrote: On August 10 2012 20:19 paralleluniverse wrote: On August 10 2012 20:10 Ganondorf wrote: On August 10 2012 20:01 paralleluniverse wrote: This has got to be the most weaksauce hack ever.
Literally nothing of value was taken. No accounts will directly be compromised by this.
I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data. If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime. The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc. Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack. And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about. Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever. Previous flawless history? http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html http://suite101.com/article/wow-gets-hacked-in-korea-a48293 First link is essentially as impressive as a DDoS: ![[image loading]](http://imgs.xkcd.com/comics/cia.png) Second link: A bunch of idiots got keylogged.
Still not flawless. Also http://www.teamliquid.net/forum/viewmessage.php?topic_id=79222 (:
|
Meh, even if they got everything from the Europe users it wouldn't affect me much, my account has no payment info linked to it because I bought a physical copy of SC2, the only Blizzard game I own. Also pretty sure I registered it with an email account I almost never use.
|
On August 10 2012 21:08 Broodwurst wrote: On August 10 2012 20:56 paralleluniverse wrote: On August 10 2012 20:46 Broodwurst wrote: On August 10 2012 20:19 paralleluniverse wrote: On August 10 2012 20:10 Ganondorf wrote: On August 10 2012 20:01 paralleluniverse wrote: This has got to be the most weaksauce hack ever.
Literally nothing of value was taken. No accounts will directly be compromised by this.
I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data. If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to bruteforce it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime. The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even paypal/bank accounts etc. Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack. And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about. Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever. Previous flawless history? http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html http://suite101.com/article/wow-gets-hacked-in-korea-a48293 First link is essentially as impressive as a DDoS: ![[image loading]](http://imgs.xkcd.com/comics/cia.png) Second link: A bunch of idiots got keylogged. Still not flawless. Also http://www.teamliquid.net/forum/viewmessage.php?topic_id=79222 (: Flawless or not (define 'flawless' in the context first...), your attempts at taking cheap points by posting links about any possible Blizzard mistakes are quite petty. The last one isn't even about Blizzard but about Blizzard's employees. Do yourself a favor and stop.
Of course Blizz aren't perfect, no one is. But flawless or not, Blizz has very good security in place.
|
edit: sry, was writing in wrong thread and thus even double posted >.<
|
On August 10 2012 19:28 Fuchsteufelswild wrote: I only just changed my password a couple of months ago and I'm not playing SC2 often nowadays, so stuff it until I get reason to get them to lock it. I have no money on the account. The people who need to be most concerned are those who use 1 password for everything. At this point, you should consider your username/email and password the property of criminals, which means you now should change that password everywhere you've used it where you don't want to lose personal data.
I don't care too much, for example, if someone hacks my team liquid account, but if I believed someone had the capability of accessing my banking data I would be remiss to not change that password.
|
On August 10 2012 21:31 Na_Dann_Ma_GoGo wrote: Hmm he adds more Queens instead of using spores, interesting. yet, slightly irrelevant to the topic
|
with patch 1.5 no one cares about stolen data cause no one plays SC2 after this highly game-ruining patch..... case locked.....
|
Are we supposed to change our secret question/answer? It is not immediately obvious to me how to do it myself; does Blizzard expect us to contact them and do it, or will that not be necessary?
|