Blizzard Bombshell: All Your Passwords Are Insecure; Deal with it!


Top 10 Contributor
Posts 26,699
Points 1,207,610
Joined: Sep 2007
News Posted: Thu, May 24 2012 8:49 AM
This is one of those little tidbits that breaks like a tactical nuke, not because it's a major policy change, but because the company in question has just revealed an astonishing degree of stupidity and is blissfully ignorant of it. In the wake of massive hacks, Blizzard released a statement reassuring world+dog that it takes our account security very seriously. That's why passwords are all case insensitive!

Wait, what?

Yup! Check this out. These screenshots brought to you by Vasadan, official Blizzard Quality Assurance staff. The original thread is here, but we wouldn't expect it to be there very long.

The only thing better than a BS defense of an indefensible security policy is to then whine at the people who call you on it and claim that you're going to stop posting if they don't CUT IT OUT, GUYS.

Is this new? No. Blizzard passwords have never been case-sensitive. But this issue takes on significantly different meaning when you consider that the company in question plans to launch a Real Money Auction House in...five days. And while Blizzard intends to require anyone who's hacked and whose account is used on the RAH to acquire an authenticator, the company has NO plans to make using an authenticator mandatory for those who want to spend real cash on the auction house.

Have we mentioned that the RAH will be tied to both an account and an optional Paypal account? So if you happen to use the same email address for both functions and the same password (which really isn't recommended, but which people do anyway), hey, you might have a problem!

So how much does having a case-sensitive password matter? Granted, the easiest way to grab someone's password is to guess or keylog it, but I've had my account brute-forced before, even when I was using a 10-digit alphanumeric password using a made-up word with less-frequent characters and a numerical sequence.

Case sensitivity is a bit like the Authenticator itself. No, it won't save you from a dictionary attack, but it will make that attack take longer. That's a given. Assuming that Blizzard implements some sane policy of attack detection, it also increases the chance that a brute-force attack will generate a sufficiently high number of incorrect attempts to trigger the game to lock down the account. If we had to pick between case-sensitive passwords and adding an Authenticator, the Authenticator is the better way to go, but that doesn't make case-sensitive passwords a bad thing, especially when Authenticators aren't mandatory.

All of this takes on a lot more importance given Blizzard's plans to launch that Real Money Auction House we just discussed. Without access to any credit card data, losing your account information or even your characters in WoW was a significant problem, but not one you could claim "cost" you anything directly. Now, the company looks like a bunch of security illiterates who suggest you hand them more sensitive information while smiling about their refusal to follow trivial security procedures.

Good game Blizzard. Good game. Now, less whining about how it's always been that way, and more "Hey, we're going to fix our utterly broken and dangerous security policy" please. And you'd better push back the launch of your Real Money Auction Vacuum House until you do, unless you want to come off as nominees for the sort of cluelessness awards Ubisoft takes home on a nearly constant basis.

Update: Blizzard released a statement this morning indicating that the Real Auction House debut has now been pushed back "Beyond the May timeframe."
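The post above argues that case sensitivity makes a brute-force attack take longer. The following is an added illustration written for this thread, not Blizzard's code or anything from the original post: it computes how much of the search space a case-folding verifier gives away for alphanumeric passwords (the "10-digit alphanumeric" case mentioned above), and models the two kinds of verifier side by side. The 62/36 character-class sizes, the guess rate and the sample password are assumptions for the example.

```python
"""Added example: what a case-folding password check gives away.

Illustration code written for this thread, not Blizzard's or any library's
code. It assumes alphanumeric passwords and an attacker trying guesses at a
fixed rate; the guess rate and sample password are made up for the example.
"""
import hmac
import math
import string

LOWER_ALNUM = string.ascii_lowercase + string.digits   # 36 symbols after case folding
MIXED_ALNUM = string.ascii_letters + string.digits     # 62 symbols when case is kept


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def folding_penalty(length: int) -> float:
    """Factor by which case folding shrinks the search space for mixed-case
    alphanumeric passwords: (62/36) ** length. It grows with length rather
    than being a fixed factor of two."""
    return keyspace(len(MIXED_ALNUM), length) / keyspace(len(LOWER_ALNUM), length)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every password at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def verify_case_insensitive(stored: str, supplied: str) -> bool:
    """Models a verifier that folds case before comparing, so every case
    variant of the password is accepted. (Plain strings are compared here to
    keep the illustration short; a real verifier compares salted hashes.)"""
    return hmac.compare_digest(stored.lower().encode(), supplied.lower().encode())


def verify_case_sensitive(stored: str, supplied: str) -> bool:
    """Same check without folding: only the exact string is accepted."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def accepted_variants(password: str) -> int:
    """How many distinct strings a case-insensitive verifier accepts for this
    password: two choices for every letter, one for every digit."""
    return 2 ** sum(c.isalpha() for c in password)


if __name__ == "__main__":
    for label, size in (("case-folded", len(LOWER_ALNUM)), ("case-sensitive", len(MIXED_ALNUM))):
        print(f"{label:15} 10 chars: {keyspace(size, 10):.3e} candidates, "
              f"{entropy_bits(size, 10):.1f} bits, "
              f"{hours_to_exhaust(size, 10, 1e9):.0f} h at 1e9 guesses/s")
    print(f"folding penalty at length 10: {folding_penalty(10):.0f}x")
    # "Blizz4rd" is a constructed sample password, not a real credential.
    print("folded verifier accepts bLiZz4Rd:", verify_case_insensitive("Blizz4rd", "bLiZz4Rd"))
    print("strict verifier accepts bLiZz4Rd:", verify_case_sensitive("Blizz4rd", "bLiZz4Rd"))
    print("strings the folded verifier accepts:", accepted_variants("Blizz4rd"))
```

The design point is the exponent: a single character loses a factor of 62/36, but a ten-character password loses roughly 230x, which is the figure to keep in mind when reading the "merely doubles" argument later in this thread.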
Top 200 Contributor
Posts 385
Points 3,845
Joined: Jun 2011
RTietjens replied on Thu, May 24 2012 11:21 AM

Is HotHardware only just learning this? I've known it for several years, and figured it out all by myself without asking Blizzard.

The clueless people are the ones who aren't using multi-factor authentication (e.g., the Authenticator app or keyfob). Case-sensitivity merely doubles security. The Authenticator increases security by a couple of orders of magnitude, which is huge if you know anything about network security.

Of course, nothing is perfect, but Blizzard is at least *trying*. That's more than Microsoft ever did (did you know there are security holes in Windows that are over a decade old?).

Top 100 Contributor
Posts 1,081
Points 11,700
Joined: Jul 2009
Joel H replied on Thu, May 24 2012 11:41 AM


No. Not following security practices is not "trying." Especially not when launching a real money service that's tied to an account but doesn't require an Authenticator.

You seem to be missing the underlying point. If Blizzard required Authenticators, this wouldn't be an issue. If Blizz required Authenticators for the RAH, this would be dramatically less of an issue. Authenticators aren't perfect, but as you note, they significantly increase security. I've said as much.

Allowing people to use the RAH (as they currently plan to do) without following minimum security procedures? No. Not cool. And furthermore, even less cool to convey smugly at a time when complaints about hacking, lost characters/gear, and terrible latency problems are all plaguing the game.

Having a good security solution available is no excuse for leaving a bad one in place. Ever. From any company. And "It's been bad a long time," isn't a defense.

Not Ranked
Posts 6
Points 45
Joined: May 2012
Location: Sacramento, CA
TBallard replied on Thu, May 24 2012 2:21 PM

I read somewhere else a couple days ago that some users that were using authenticator devices got hacked as well, or at least they claimed it. There was no confirmation at the time, but maybe the hackers found a way around that even.

I like a lot of Blizzard titles but they need to get their shiznit together. The Diablo III launch was so bad, servers constantly down and then after they stabilized that after a couple days, super high pings and lag spikes that caused the game to be very annoying at times, death causing at times.

Now the whole world knows passwords are easier to hack than a lot of places that have stricter password software / storage. Everyone knows hacking accounts on various games and platforms is a big problem and if you or anyone you know has fallen victim you have some idea how much it might suck. They are now planning a real money auction which will obviously be tied to your bank account some way or another. They need to step up security. They've been counting their WOW dough and lax in a lot of ways it would seem to me. Blizzard, stop being cheap asses and get your D3 servers fixed and implement better password security like the vast majority of modern online companies.

Not Ranked
Posts 1
Points 5
Joined: May 2012
RMasters replied on Thu, May 24 2012 2:22 PM

If you want to talk about real stupidity, how about the fact that THERE IS NO LOCKOUT upon multiple wrong password login attempts. Talk about inviting brute force attempts..

Top 100 Contributor
Posts 1,081
Points 11,700
Joined: Jul 2009
Joel H replied on Thu, May 24 2012 3:16 PM


That's because lockouts are thought to be "user hostile." Why they don't have a "We're locking your account after X number of tries," where X is an extremely high value (like, say, 20) is beyond me.

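The lockout after X tries that the two replies above discuss, as an added example written for this thread (not Blizzard's code): a sliding-window failed-login counter that locks an account once the threshold is reached and refuses even a correct password until the lock expires. The threshold of 20 is the X suggested above; the 15-minute window, the lock duration, the event format and the log lines themselves are all constructed for the example.

```python
"""Added example: sliding-window failed-login counter with account lockout.

Illustration code written for this thread, not Blizzard's code. The threshold
of 20 is the "X" suggested in the reply above; the window, the lock duration,
the event format and the sample events are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 20          # assumption: the "X" suggested in the thread
WINDOW = timedelta(minutes=15)  # assumption: failures counted within this window; also the lock length

# Constructed sample auth events (format invented for this example):
# "<iso timestamp> <outcome> account=<name> src=<ip>"
# <outcome> is the result of the password check alone; the guard decides whether
# the attempt is actually honoured.
SAMPLE_LOG = (
    [f"2012-05-24T11:00:{i:02d} login_failed account=alice src=198.51.100.7" for i in range(25)]
    + [
        "2012-05-24T11:00:05 login_failed account=bob src=203.0.113.9",
        "2012-05-24T11:00:06 login_failed account=bob src=203.0.113.9",
        "2012-05-24T11:00:07 login_failed account=bob src=203.0.113.9",
        "2012-05-24T11:00:30 login_ok account=bob src=203.0.113.9",
        # a correct password for alice arriving after the lock is still refused
        "2012-05-24T11:01:00 login_ok account=alice src=192.0.2.44",
    ]
)


def parse_line(line: str):
    """Split one constructed event line into (timestamp, outcome, account)."""
    ts_str, outcome, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_str), outcome, fields["account"]


class LoginGuard:
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, window: timedelta = WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> datetime the lock expires

    def record(self, ts: datetime, outcome: str, account: str) -> str:
        """Apply one attempt; returns 'locked', 'ok' or 'failed'."""
        if account in self.locked_until and ts < self.locked_until[account]:
            return "locked"                 # refuse even correct passwords while locked
        if outcome == "login_ok":
            self.failures[account].clear()  # a real login resets the counter
            return "ok"
        # keep only failures inside the sliding window, then add this one
        recent = [t for t in self.failures[account] if ts - t <= self.window]
        recent.append(ts)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = ts + self.window
            return "locked"
        return "failed"


def replay(lines, threshold: int = LOCKOUT_THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Replay events in time order; return per-account counts of each decision."""
    guard = LoginGuard(threshold, window)
    counts = defaultdict(lambda: {"failed": 0, "locked": 0, "ok": 0})
    for ts, outcome, account in sorted(parse_line(line) for line in lines):
        counts[account][guard.record(ts, outcome, account)] += 1
    return dict(counts)


if __name__ == "__main__":
    for account, decisions in replay(SAMPLE_LOG).items():
        print(account, decisions)
```

With the constructed log, alice's 25 failures in as many seconds trip the lock on the twentieth, the remaining five guesses are refused without being checked, and the correct password at 11:01 is refused too because the lock has not expired; bob's three failures followed by a real login leave him untouched. A window that slides rather than a counter that only ever grows is what keeps a high threshold like 20 from being "user hostile" to a legitimate user who mistypes once a day.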
Top 100 Contributor
Posts 1,110
Points 11,240
Joined: Jun 2010
Location: Pennsylvania
CDeeter replied on Thu, May 24 2012 10:10 PM

Agreed, after that many attempts, it would be obvious even to a moron that this is a hacker not a user.

Not Ranked
Posts 31
Points 405
Joined: Mar 2010
barmmer replied on Fri, May 25 2012 12:02 PM

I'm going to be "brutally" honest here. This sh#! is getting old. Intel needs to support Vpro in every enthusiast rig by providing Vpro compatible motherboards at an affordable price tag to the mass market so that the dual authenticating technology is equipped in every LEGITIMATE connection either for online retail, banking, or as in this case, online gaming. As we speak, i7 Vpro chips (2600) are being pasted into unsupported motherboards and customers are being cheated of an extra layer of superior protection. So in other words, they want you to believe that using Anti-Virus Security Suites are enough to ensure that your passwords won't get lifted or hacked which extends to your PC system as a whole.

It's time for change. Real change.
