Blizzard Bombshell: All Your Passwords Are Insecure; Deal with it!

Is HotHardware only just learning this? I've known it for several years, and figured it out all by myself without asking Blizzard.

The clueless people are the ones who aren't using multi-factor authentication (e.g., the Authenticator app or keyfob). Case-sensitivity merely doubles security. The Authenticator increases security by a couple of orders of magnitude, which is huge if you know anything about network security.

Of course, nothing is perfect, but Blizzard is at least *trying*. That's more than Microsoft ever did (did you know there are security holes in Windows that over a decade old?).

Trying?

No. Not following security practices is not "trying." Especially not when launching a real money service that's tied to a Battle.net account but doesn't require an Authenticator.

You seem to be missing the underlying point. If Blizzard required Authenticators, this wouldn't be an issue. If Blizz required Authenticators for the RAH, this would be dramatically less of an issue. Authenticators aren't perfect, but as you note, they significantly increase security. I've said as much.

Allowing people to use the RAH (as they currently plan to do ) without following minimum security procedures? No. Not cool. And furthermore, even less cool to convey smugly at a time when complaints about hacking, lost characters/gear, and terrible latency problems are all plaguing the game.

Having a good security solution available is no excuse for leaving a bad one in place. Ever. From any company. And "It's been bad a long time," isn't a defense.

I read somewhere else a couple days ago that some users that were using authenticator devices got hacked as well, or at least they claimed it. There was no confirmation at the time, but maybe the hackers found a way around that even.

I like a lot of Blizzard titles but they need to get their shiznit together. The diablo III launch was so bad, servers constantly down and then after they stabilized that after a couple days, super high pings and lag spikes that caused the game to be very annoying at times, death causing at times.

Now the whole world knows Battle.net passwords are easier to hack then a lot of places that have stricter password software / storage. Everyone knows hacking accounts on various games and platforms is a big problem and if you or anyone you know has fell victim you have some idea how much it might suck. They are now planning a real money auction which will obviously be tied to your bank account some way or another. They need to step up security. They've been counting their WOW dough and lax in a lot of ways it would seem to me. Blizzard, stop being cheap asses and get your D3 servers fixed and implement better password security like the vast majority of modern online companies.

If you want to talk about real stupidity, how about the fact that THERE IS NO LOCKOUT upon multiple wrong password login attempts. Talk about inviting brute force attempts..

RMasters,

That's because lockouts are thought to be "user hostile." Why they don't have a "We're locking your account after X number of tires," where X is an extremely high value (like, say, 20) is beyond me.

Agreed, after that many attempts, it would be obvious even to a moron that this is a hacker not a user.

I'm going to be "brutally" honest here. This sh#! is getting old. Intel needs to support Vpro in every enthusiast rig by providing Vpro compatible motherboards at an affordable price tag to the mass market so that the dual authenticating technology is equipped in every LEGITIMATE connection either for online retail, banking, or as in this case, online gaming. As we speak, i7 Vpro chips (2600) are being pasted into unsupported motherboards and customers are being cheated of an extra layer of superior protection. So in other words, they want you to believe that using Anti-

Virus Security Suites are enough to ensure that your passwords won't get lifted or hacked which extends to your PC system as a whole.

It's time for change. Real change.