step one
excluding those based in China,
well it's a starting point :)
nothing like a little national honour
Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers. The gaming outfit said in a lengthy statement …
I don't think that they should be mentioned in the same breath, ever since I spotted that the passwords were case independent - ABC123 was the same as abc123...
It may have changed now, I haven't played WoW or similar for about 3 years, but it shows a less than stringent attitude to account security
Case insensitive - I'd call that real-world user-friendly (remember, gamers!). I'd like to not have to remember whether I typed snowstorm1212 or Snowstorm1212 when setting my password (not a real example, unless it is), and, while I'm at it, I don't like to use any word that is bad enough to describe the system administrators who think that the network security is somehow improved by rejecting a password of "thankyoukindly" and accepting "IHateDoingThis". They'd better just hope that hackers can't read my writing after I graffitied my password onto the wall of the building across the road for convenience.
I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords.
A game I recently took part in the beta for made a big thing during sign-up about the fact their password system would accept anything from 8 to 512 characters, case sensitive and including spaces, and as we all know it's length rather than weird characters that makes a password secure. That's why "8h&n3!LP" is nowhere near as secure as "Thisgamesucksdonkeyballs" when it comes to brute-force attacks, as written about on El Reg not all that long ago.
I pondered for a while and came up with "I hate making up passwords for games 2012" (since they said it still had to have a capital and numbers in it) and it stuck in memory better than my usual crop of 8-character passwords, but as you said, not only is it more user friendly to be case-insensitive but makes as much sense as the opposite
"I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords."
No, they're using SRP, if the article and Blizzard's statement are accurate. SRP is a ZKP (zero-knowledge proof) authentication mechanism. The verifying party (the server, in this case) has a verifier which can be used to confirm the validity of the password, but which cannot be used to reconstruct the password. It also offers perfect forward secrecy, among other things.
The main advantage of a ZKP authentication protocol over password hashing is that the password is never sent to the verifying party. If an attacker takes over the server, they can authenticate clients, but they can't get the clients' passwords from logon requests.
An aside: for password storage, you wouldn't want a heuristic hash. You'd want one with well-understood, carefully-designed hashing behavior, in particular image and preimage collision resistance.
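To make the verifier idea concrete, here is an added SRP-6a round trip in Python (example code written for this page, not the poster's or Blizzard's implementation); it uses the 1024-bit group from RFC 5054 with SHA-256 as the hash and leaves out the final key-confirmation messages. The server stores only the salt and the verifier v = g^x mod N, the password itself never leaves the client, and the per-login secrets a and b are discarded afterwards.

```python
import hashlib, secrets

N = int(  # 1024-bit SRP group from RFC 5054, Appendix A (generator g = 2)
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts):  # SHA-256 over the concatenated byte strings, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n):  # fixed-width big-endian encoding, as RFC 5054 requires
    return n.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_x(username, password, salt):
    # x is derived on the client only; the server holds g^x mod N, never x.
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def register(username, password):
    """Enrolment: the client sends (salt, verifier) and nothing else."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def server_step(v, A, b):
    """Server: from the client's A and the stored verifier v, send B, derive K."""
    if A % N == 0:
        raise ValueError("invalid client public value A")
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    return B, H(pad(pow(A * pow(v, u, N) % N, b, N)))

def client_step(username, password, salt, a, A, B):
    """Client: derive K from its own password and the server's B."""
    if B % N == 0:
        raise ValueError("invalid server public value B")
    x = private_x(username, password, salt)
    u = H(pad(A), pad(B))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(pad(S))

def run_exchange(username, password, salt, v):
    # a and b are ephemeral, so a stolen verifier does not expose past sessions.
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                     # client -> server: username, A
    B, k_server = server_step(v, A, b)   # server -> client: salt, B
    return client_step(username, password, salt, a, A, B), k_server
```

Both sides end up with the same session key K only when the client knew the password that produced v; a client with the wrong password derives a different key and the server can refuse it without ever having seen either password.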
As a precaution I never use the same security questions on really important accounts more than once. I do wonder if they hash the security question answers though, because they don't mention it. Whilst it looks like I've not been affected by this, it did spur me to alter my password structure and swap over to supergenpass. I wish more places had two factor authentication, but I'm happy enough that my really important sites do have that and my email is about as hardened as I can get it now.
The thing with security questions is that anyone who can find out about you will have a high chance of being able to answer questions like mother's maiden name, place of birth etc. To get around this I've started answering security questions with completely unrelated answers. The questions may be set in stone but that doesn't mean you have to answer them truthfully :)
The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question.
That leads to repetition of the same answer or to writing down the question/answer combinations, which reduces the security a bit again.
Personally I think these security questions generally bring about a lower level of security. Guessing or researching the answers to security questions is typically the main method used in hacking online mailboxes of celebrities and politicians.
The practice would be improved quite a bit if more institutions allowed the users to also state the questions, since that would at least prevent a hacker from researching a list of answers to all the usual questions before trying to persuade the helpdesk that he or she has been shut out of Paris Hilton's account by mistake.
This would also open the way for some more interesting support debates:
Supporter > So lets check your security questions... (long pause) ... "would you like to go out with me?"
Me > "Yes, but only if you pay for the beer"
Supporter > That is correct
etc...
"The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question."
Keep in mind that 'unrelated to the question' doesn't mean unrelated to the person who answers it.
For example: "the name of your mother". Someone could easily answer with the name of a person who has always been a mother-like figure to him/her. Within the context of the question it is totally unrelated, and the same goes for outsiders. But I bet the user won't have any problem remembering the answer.
Negative, in case of emergencies such as the one you mentioned as well as power or internet outages my girlfriend and I have the World of Warcraft trading card game to tide us over.
Outside? Hah, we don't even have a lift; we have to walk up THREE flights of stairs. That'll be the day.
With the recent Amazon/Apple thing, and now this...
Every website needs to either drastically improve their security (or 2-factor authentication) or make it less strict.
I'm not going to risk my hard-learned security question answers and passwords to websites, if they keep losing them. I'd rather have a unique really simple password so when it's hacked I've not lost much.
How many of us work for companies that don't implement a proper password policy in their software?
(At my last company passwords were in plain text; at my new company at least they're encrypted, but still not hashed.)
Why don't I do anything? What can be done? I only go to work so I can afford food and clothes. If I had any say, it would have been done correctly the first time.
Sadly I fear you are correct. *sigh* This is not rocket science, and if companies would just hire one person to do this properly instead of outsourcing it to India, that would be one more person earning money, paying taxes and making the economy go around. Can't have that in England, though.
You are so right, they spend all their money sending teenage muggers on holidays and filling prisons with PlayStations and drugs. And those fucking teachers who are too lazy to spend their free time running after-school sports clubs. And all the 13-year-old mums that have all that fake tan and watch Celebrity Big Brother and the Jeremy Kyle Show. And no one's allowed to go to church anymore and all the women have to wear burkas. And you're not even allowed to do a comedy "sieg heil" at a black athlete without the police arresting you, humourless bastards.
Sorry, what were we talking about again?
Depends whether your company ever needs to have its software pentested by a third party...
If you sell it into government, to companies that need things like PCI compliance, or even to a client who just happens to be security-conscious, chances are they will have the software tested, and such problems *should* be flagged up.
Better to fix what you know about now, otherwise it could get quite embarrassing later and might result in lost business.
"Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers."
Which it can't do until it implements the ability to change the questions and answers. D'oh.
https://us.battle.net/support/en/blog/6940803
Usually, I'm very critical of Blizzard, but I have to admit they've done several things right here. On the plus side, I'm glad that the information taken doesn't look like it could actually be used to access an account as-is. They did a good job by working quickly to seal the breach & notify users. Unlike my usual experiences with their website, the notices make it easy to find what to do (change your password).
Ironically, I had to remove the authenticator from my account recently because it stopped working. In this case, it would not have protected me anyway. I had been using the Android authenticator app, and the security tokens just stopped being accepted one day. I tried re-syncing it but to no avail. The "support" process was broken in a few key ways.
- I couldn't contact support online. You have to log into your account to do that, and I couldn't log in without the authenticator token being accepted.
- I couldn't use their web form for resetting my authenticator. The Serial Number field did not accept all the digits from the SN in the authenticator app Blizzard had provided.
At least they will be getting up to date with other institutions that have managed to provide the ability to change your own Q&A. :p
So I've had e-mails telling me to change my password from...
LastFM
But not from Sony after their grand hack, but I changed it anyway on my ancient PSN account.
I have a trial WoW account, so maybe I can expect an e-mail from them too, or I'll do it myself.
With these on-line services, many of which even keep your credit card details, (Google Play want to keep a copy of my passport too because I updated an expired credit card), leaking credentials like a sieve, this is becoming tiresome.
The future, a digital economy where the gates are left open every so often for a quick mass account grab by some thieves.
So their announcement that the users need to change passwords is almost identical to announcements sent out by scammers - INCLUDING the "click this link"? What a wonderful way to inspire confidence!
Did they hire a bunch of untrained monkeys at Blizzard? Or are they just really, really stupid?
Hacking battlenet and WoW accounts in general has been an issue since our Chinese brethren started selling gold to those gullible enough to swap real money for the pretend kind (often obtained from hacked accounts). It is the reason I purchased a regular authenticator for the princely sum of $6 and steadfastly refused to switch that to the mobile version, especially as Blizzard have the gall to charge a second subscription if you go that route.
The way they work is if your IP changes you have to supply an authentication number sent to your authenticator (or mobile) by Blizzard, which prevents someone from China using your credentials a couple of minutes after you log in. This authentication number changes every 15s or so, so it can't be guessed. It also requires you to authenticate your password if you don't log on for a few days, and at least once a fortnight if you do happen to be so addicted to "The Game" that you log in every day.
It doesn't require you to authenticate every time you log on because that is both annoying and pointless, given the ways an authentication is already triggered.
All in all, if you care about your account then a one time payment of $6 is a reasonable expense to secure it. If you don't care, then that's fine too, just don't be surprised if your friends get pissed off at you when some Chinese fucker empties the guild bank.
They do NOT charge a second subscription to use a Mobile authenticator, we both use them and I assure you I feel stupid enough giving them $15 a month. There is NOTHING that could induce me to get a second subscription.
And the mobile based one is FREE. What more can you ask?
And BTW you can set your account to require authentication EVERY log in.
The "lock your account if your IP address changes" is one of the most fscking goddamn stupid ideas. I play irregularly, and I don't play online games, only in single-player mode. That I have to log in to somewhere to play locally is already stupid enough, but to lock it every time I start the game up is beyond stupid.
And yes, Verizon FIOS changes your IP address regularly, and their range is huge.
And you cannot just unlock your account - you have to perform a damned password reset as well. Apparently screwing the customer over every few days is a good business practice nowadays.
And if you call them up, they want your damned first name and last name. I used a first and last name that is visibly not real (say, Captain America). The bastard on the phone kept asking for my "real name".
And of course, now we see that checking for a first and last name on a phone call is such a security win *MWAHAHAHA*
DAMNED IDIOTS.
GAH