Blizzard Bombshell: All Your Passwords Are Insecure; Deal with it!

This is one of those little tidbits that breaks like a tactical nuke, not because it's a major policy change, but because the company in question has just revealed an astonishing degree of stupidity and is blissfully ignorant of it. In the wake of massive hacks, Blizzard released a statement reassuring world+dog that it takes our account security very seriously. That's why passwords are all case insensitive!

Wait, what?

Yup! Check this out. These screenshots brought to you by Vasadan, official Blizzard Quality Assurance staff. The original thread is here, but we wouldn't expect it to be there very long.

The only thing better than a BS defense of an indefensible security policy is to then whine at the people who call you on it and claim that you're going to stop posting if they don't CUT IT OUT, GUYS.

Is this new? No. Blizzard passwords have never been case-sensitive. But this issue takes on significantly different meaning when you consider that the company in question plans to launch a Real Money Auction House in...five days. And while Blizzard intends to require anyone who's hacked and whose account is used on the RAH to acquire an authenticator, the company has NO plans to make using an authenticator mandatory for those who want to spend real cash on the auction house.

Have we mentioned that the RAH will be tied to both an account and an optional Paypal account? So if you happen to use the same email address for both functions and the same password (which really isn't recommended, but which people do anyway), hey, you might have a problem!

So how much does having a case-sensitive password matter? Granted, the easiest way to grab someone's password is to guess or keylog it, but I've had my account brute-forced before, even when I was using a 10-digit alphanumeric password using a made-up word with less-frequent characters and a numerical sequence.

Case sensitivity is a bit like the Authenticator itself. No, it won't save you from a dictionary attack, but it will make that attack take longer. That's a given. Assuming that Blizzard implements some sane policy of attack detection, it also increases the chance that a brute-force attack will generate a sufficiently high number of incorrect attempts to trigger the game to lock down the account. If we had to pick between case-sensitive passwords and adding an Authenticator, the Authenticator is the better way to go, but that doesn't make case-sensitive passwords a bad thing, especially when Authenticators aren't mandatory.
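To put numbers on the paragraph above, here is an added example (not Blizzard's code; how Battle.net actually stores passwords is not known from this post). It shows the one line in a verifier that makes a password case-insensitive, how many distinct spellings that line collapses onto a single stored digest, and how many bits of keyspace a 10-character alphanumeric password loses as a result. PBKDF2-HMAC-SHA256 as the hashing scheme and the 10-character length are assumptions for illustration.

```python
"""Added example: what a case-insensitive password check costs.

Not Blizzard's code. The hashing scheme (PBKDF2-HMAC-SHA256) and the
10-character alphanumeric password length are assumptions used only to
make the keyspace comparison concrete.
"""
import hashlib
import hmac
import math
import os

# Alphabet sizes for an alphanumeric password under each policy.
CASE_SENSITIVE_ALPHABET = 26 + 26 + 10   # a-z, A-Z, 0-9
CASE_FOLDED_ALPHABET = 26 + 10           # A-Z collapses onto a-z, plus 0-9


def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Bits of keyspace for a uniformly random alphanumeric password."""
    base = CASE_SENSITIVE_ALPHABET if case_sensitive else CASE_FOLDED_ALPHABET
    return length * math.log2(base)


def bits_lost_to_case_folding(length: int) -> float:
    """Keyspace thrown away by folding case before the check."""
    return keyspace_bits(length, True) - keyspace_bits(length, False)


def colliding_spellings(password: str) -> int:
    """Number of distinct spellings a case-folding verifier accepts as
    equal to `password`: each letter may be upper or lower case."""
    letters = sum(1 for c in password if c.isalpha())
    return 2 ** letters


def hash_password(password: str, salt: bytes, case_insensitive: bool) -> bytes:
    """Derive the stored verifier. The weak policy lower-cases the
    password first, so every spelling maps to the same digest."""
    if case_insensitive:
        password = password.lower()  # the single step that shrinks the keyspace
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def verify(candidate: str, salt: bytes, stored: bytes, case_insensitive: bool) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(hash_password(candidate, salt, case_insensitive), stored)


def enrol(password: str, case_insensitive: bool):
    """Register a password; returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt, case_insensitive)


if __name__ == "__main__":
    pw = "Password1"  # constructed sample credential, not a real one
    salt, weak_digest = enrol(pw, case_insensitive=True)
    strict_digest = hash_password(pw, salt, case_insensitive=False)

    print("case-folded check accepts PASSWORD1:",
          verify("PASSWORD1", salt, weak_digest, case_insensitive=True))
    print("strict check accepts PASSWORD1:",
          verify("PASSWORD1", salt, strict_digest, case_insensitive=False))
    print("spellings collapsed onto one digest:", colliding_spellings(pw))
    print("10-char alphanumeric, case-sensitive bits:",
          round(keyspace_bits(10, True), 1))
    print("10-char alphanumeric, case-folded bits:",
          round(keyspace_bits(10, False), 1))
    print("bits lost:", round(bits_lost_to_case_folding(10), 1))
```

For the 10-character alphanumeric password the post mentions, folding case drops the keyspace from about 59.5 bits to about 51.7 bits, a factor of roughly 230 fewer guesses to exhaust; for a password like the constructed `Password1`, 256 different spellings all verify. That is the "takes longer" effect the paragraph describes, and the same ratio applies to how many wrong guesses an attacker can spend before any lockout threshold trips.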

All of this takes on a lot more importance given Blizzard's plans to launch that Real Money Auction House we just discussed. Without access to any credit card data, losing your account information or even your characters in WoW was a significant problem, but not one you could claim "cost" you anything directly. Now, the company looks like a bunch of security illiterates who suggest you hand them more sensitive information while smiling about their refusal to follow trivial security procedures.

Good game Blizzard. Good game. Now, less whining about how it's always been that way, and more "Hey, we're going to fix our utterly broken and dangerous security policy" please. And you'd better push back the launch of your Real Money Auction Vacuum House until you do, unless you want to come off as nominees for the sort of cluelessness awards Ubisoft takes home on a nearly constant basis.

Update: Blizzard released a statement this morning indicating that the Real Money Auction House debut has now been pushed back "Beyond the May timeframe."