Authenticator Will be Mandatory for Taking Diablo III RMAH Payments Through Battle.net Balance

General news and announcements

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Bronze_D » 10 Jun 12, 1:17 pm

Incidentally, that just makes any reduction in the password security layer worse.

If we assume that people use the exact identical password for both, then they would fall to it guaranteed.

But if they varied it instead, then the degree to which they vary it is often within a certain range of the other passwords; reducing the password permutations magnifies the number of passwords that will get phished from the insecure source.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Tydus » 10 Jun 12, 1:20 pm

Bronze_D wrote:
Tydus wrote: I imagine they have a very good security layer and have made the conscious choice to disable case sensitivity so that people have less trouble entering their passwords and they have fewer stupid tech support phone calls/tickets from people being unable to log in. I find this answer makes a lot more sense than the idea that a multi-billion dollar company hasn't figured out high school level security. As I said, if they have a system in place to deal with brute force hacking, then having case sensitivity is pretty unnecessary.

Hmmm, good point, or you know... they probably also would just say, if you got hacked then you should've purchased an authenticator, and while at it we have a great offer of a mobile phone app premium service including auction service for the low low cost of...

Incidentally it's a bit odd that they would want to cut the need of having tech support handle people who can't log in and spend the resources on a special team to handle hacked accounts instead... I mean either way, you have to spend the resources.

Not really sure what you're saying here, are you saying that it makes financial sense for Blizzard to let people get hacked? I've heard from WoW GMs on Reddit AMAs that a lot of what they do, 80-85% or something, directly relates to account compromises and item restoration. Blizzard could save a lot of man hours and directly increase customer satisfaction if they could eliminate account hacking.
Well, where I was coming from is that in the case of Blizzard, dictionary cracking and third party website hacking is far more significant than brute force. I expect Blizzard to have basic protections against brute force, but they can't guard against user error.

Spot on. As I said earlier, accounts are phished / given out by the user / stolen from 3rd parties like fan sites, from people that use the same login info. I can't see that Blizzard would gain anything by having case sensitivity except a few thousand tickets from people who didn't realize that caps lock was on when they entered their password.
Unique passwords are the safest bet.

Also spot on. This is probably the single best thing you can do to improve your account security short of having an authenticator; it would be even safer if Blizzard allowed separate passwords for the in-game and forum/online account.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Bluefire » 10 Jun 12, 1:25 pm

Let's face it, "guessable" passwords are hardly the problem.. you look at most account hacks and the owner has logged in on a public non-secure system (i.e. has a keylogger on it), a work system, or has installed something stupid on their own system with the same result.
You go to a gold/bot site or whatever.. it requires you to sign up.. so you do it using your Battle.net email.. same password.. get hacked.. and wonder why.
Passwords don't need to be overly complex if no one knows your user name, let alone your password, if you don't do stupid ****.

I have over 20 different email addresses... each with their own password... and each password to the game they unlock is different from their email password.
I sign up for something like the GW2 beta... First thing I do is go make a new email address to sign up with.
And that is the ONLY thing that email address is used for.
All email address + password + game password are written down twice. One copy stored at my place, one copy in a fireproof safe at my folks'..

Sure.. maybe someone breaks in and steals my lists..
No way they break in, steal the lists and get to change username and password before I can though ;)

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Tydus » 10 Jun 12, 1:31 pm

Bronze_D wrote: Incidentally, that just makes any reduction in the password security layer worse.

If we assume that people use the exact identical password for both, then they would fall to it guaranteed.

But if they varied it instead, then the degree to which they vary it is often within a certain range of the other passwords; reducing the password permutations magnifies the number of passwords that will get phished from the insecure source.

I think what you're failing to grasp here is that these passwords are not getting cracked. They are getting stolen through keyloggers and phishing. As such, HeLLoKity11!AlphaNINERsecuityBoner! is just as safe as passworddiablo. The people who steal these passwords don't have that much in the way of resources and training; they rely on stupid people clicking on fake email links, buying gold, and installing keyloggers. They don't have a supercomputer in the basement cracking stolen password hashes. They rely on getting into hundreds of accounts a day, not cracking 2 passwords a month. As such, this is all Blizzard really have to protect themselves from.
Last edited by Tydus on 10 Jun 12, 1:37 pm, edited 1 time in total.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Bronze_D » 10 Jun 12, 1:36 pm

Oh I am sure a good portion of them are cracked in that manner with identical passwords, but as I said, if they vary the passwords from one place to another, the common pattern people use is to vary it within a certain range (with case sensitivity being one of the permutations). So let's say 100 people have their passwords identical: those accounts are goners essentially; another 50, say, vary theirs with an extra upper/lower case pattern (gone as well now since Blizzard have no case sensitivity); another 50 may have further modifications to their passwords with modified alphabets (safe until breached using a permutations generator); and the rest with completely different passwords are safe.

Whether it makes financial sense to them or not is anyone's guess, but chances are they are not exactly concerned either way how the case ends up as long as it can be moved to a final state, i.e. recoverable or not. Beyond that they have no need to care what happens next, of course.

Either way though, non case sensitivity would just make it that much more vulnerable to dictionary attack as well, so frankly I am still at a loss as to why they would open the gap there.

I mean perhaps I am missing something here, but logically you would've just set up a deeper recovery system to avoid tech support having to deal with the missing password cases rather than opening the password barrier wider, especially to dictionary attack, but that's just from the angle I can see here.
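To put numbers on the two positions in this exchange (how much a case-insensitive comparison shrinks the password space, versus how little that matters against online guessing with a lockout), here is an added worked example; it is not code from the thread or from Blizzard, and the character-class sizes and the lockout policy in it are assumptions chosen for illustration.

```python
import math

# Assumed character-class sizes (a common 32-symbol punctuation set).
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace_bits(length, classes, case_insensitive):
    """Bits of search space for a password of `length` drawn from `classes`.

    Under case-insensitive matching 'upper' and 'lower' collapse into a single
    26-symbol class, because 'Passw0rd' and 'passw0rd' hit the same stored value.
    """
    classes = set(classes)
    if case_insensitive and "upper" in classes:
        classes.discard("upper")
        classes.add("lower")
    alphabet = sum(ALPHABET_SIZE[c] for c in classes)
    return length * math.log2(alphabet)


def bits_lost_to_case_folding(length, classes):
    """Entropy the server throws away by folding case before comparison."""
    return (keyspace_bits(length, classes, False)
            - keyspace_bits(length, classes, True))


def case_variants_collapsed(password):
    """Number of case-variants the server treats as identical: 2 ** letters.

    This is the population Bronze_D worries about: users who 'varied' a reused
    password only by changing letter case now match directly.
    """
    return 2 ** sum(ch.isalpha() for ch in password)


def years_to_exhaust_online(bits, attempts_per_lock, lock_seconds):
    """Worst-case years to try the whole keyspace against ONE account when the
    server allows `attempts_per_lock` guesses per `lock_seconds` lockout window.
    This is Tydus's point: with a lockout, online brute force is not the threat."""
    guesses_per_second = attempts_per_lock / lock_seconds
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    mixed = {"lower", "upper", "digit"}
    print("8-char mixed-case+digits, case-sensitive bits:",
          round(keyspace_bits(8, mixed, False), 1))
    print("bits lost to case folding:", round(bits_lost_to_case_folding(8, mixed), 2))
    print("case variants of 'Passw0rd' collapsed:", case_variants_collapsed("Passw0rd"))
    # Assumed policy: 5 wrong guesses, then a 15-minute lockout.
    print("years to exhaust folded keyspace online:",
          f"{years_to_exhaust_online(keyspace_bits(8, mixed, True), 5, 900):.2e}")
```

Folding case costs about 6 bits on an 8-character password (a 76x smaller space), which matters for an offline attack on a leaked hash table but not for online guessing, where a 5-per-15-minutes lockout still puts exhaustive search in the tens of millions of years.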

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Tydus » 10 Jun 12, 2:00 pm

Bronze_D wrote: Oh I am sure a good portion of them are cracked in that manner with identical passwords, but as I said, if they vary the passwords from one place to another, the common pattern people use is to vary it within a certain range (with case sensitivity being one of the permutations). So let's say 100 people have their passwords identical: those accounts are goners essentially; another 50, say, vary theirs with an extra upper/lower case pattern (gone as well now since Blizzard have no case sensitivity); another 50 may have further modifications to their passwords with modified alphabets (safe until breached using a permutations generator); and the rest with completely different passwords are safe.

Whether it makes financial sense to them or not is anyone's guess, but chances are they are not exactly concerned either way how the case ends up as long as it can be moved to a final state, i.e. recoverable or not. Beyond that they have no need to care what happens next, of course.

Either way though, non case sensitivity would just make it that much more vulnerable to dictionary attack as well, so frankly I am still at a loss as to why they would open the gap there.

I mean perhaps I am missing something here, but logically you would've just set up a deeper recovery system to avoid tech support having to deal with the missing password cases rather than opening the password barrier wider, especially to dictionary attack, but that's just from the angle I can see here.

Sure, why not, I'll agree. Of the people who get their account compromised we can break them into 3 groups: those that got phished by entering their account info into a fake Blizzard website/email; those that got keylogged; and those that signed up to another website where their information was compromised. Of that last subset, people would use either the same password or change it slightly. Of those that changed it slightly, some might do so by changing it in a common theme (i.e. from apple to orange or banana) or by adding words and/or letters or changing it in other ways. Then there's the tiny fraction that will only change capital letters. The people that would benefit from this tiny subset of what I imagine is the smallest portion of passwords stolen obviously aren't worth the increase in people not entering their passwords properly.

Also, dictionary attacks are just a refined brute force attack and would be tripped up just as fast, far before they had long enough to crack a password.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Bronze_D » 10 Jun 12, 2:46 pm

Or at least we pray they do...

Normally the number of attempts allowed before the system locks the attempt out shouldn't be anywhere near enough to realistically do this (god forbid, I certainly hope there is a limit since I never tested this before), at least not within a realistic time frame (since eventually, if there was a limit and it locks it down, it would either reset or otherwise, and ideally it should just lock it down until further authentication can be applied).

That same ideal security level however also doesn't use case insensitive passwords... so I don't know anymore what to expect from their security.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by samurai047 » 10 Jun 12, 3:00 pm

I think this is great. Because it will stop the whole "I got hacked and lost real money, Blizzard servers are hacked, etc." The only way someone is going to get hacked through an authenticator is if there is a keylogger that collects 3 codes with time stamps. It will force people to get the proper authenticator too. Every single thread I see about people getting hacked through an authenticator was that they actually had the dial-in authenticator (which I had no idea what it was before then).
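On the keylogger scenario above, the standard server-side mitigation for a logged one-time code is to never accept a time-step at or below the last one already consumed, so a captured code cannot be replayed once the real login has used it. The following is an added example, not the thread's or Blizzard's code; it assumes a plain RFC 6238 TOTP device (this page does not state the Battle.net authenticator's actual parameters) and uses the RFC's published test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side TOTP check (RFC 6238) with replay protection.

    Every accepted code advances `last_counter`; any code whose time-step is at
    or below it is refused, even if the digits are correct.  A keylogged code
    is therefore only useful if the attacker submits it before the legitimate
    user does, and never after.  Stealing the seed itself is not addressed here.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step          # seconds per time-step
        self.skew = skew          # steps of clock drift tolerated either way
        self.digits = digits
        self.last_counter = -1    # highest time-step consumed so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue          # already consumed: replayed or stale
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; at Unix time 59 the 8-digit SHA1 code is 94287082.
    verifier = TotpVerifier(b"12345678901234567890", digits=8)
    print("first use  :", verifier.verify("94287082", 59))   # True
    print("replay     :", verifier.verify("94287082", 59))   # False
```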

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Yurtles » 10 Jun 12, 3:48 pm

People will still lose real money. The story says it's for money going into Battle.net, not money going out to PayPal.

Unless we hear it's including PayPal transfers as well, the only thing these authenticators will be doing is helping make sure the money Blizzard so helpfully holds onto for customers (and is no doubt investing elsewhere) is more securely theirs and one step further removed from any potential disputes about ownership.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by André Axe'm » 10 Jun 12, 4:04 pm

Good to know that nobody will be able to add to my battle.net balance without my consent.
Wait, what?

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Otto-matic » 10 Jun 12, 4:57 pm

Nice to know that the effort I went to, to include a mix of upper and lower case characters in my Battle.net password, means precisely nothing.

Does Blizzard have an official reason anywhere for why they have disabled this? Sure, most passwords get stolen through loggers and social engineering, but reducing complexity just seems silly.

As to the support calls/emails for hard passwords, people who go to the effort of complex passwords generally don't forget them unless they forget the password entirely.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Tydus » 10 Jun 12, 5:38 pm

With 10.5 million WoW players, 4 million D3 players and about 2 million SC2 players, that's roughly ~17 million gamers. Assuming people log into their game twice per week that's ~1.75 billion logins, and if 0.001% of those people accidentally make a mistake when creating their password or when logging in and can't get in because of wrong capitals, or simply forget where they placed that capital, then they have roughly 17.5 thousand high priority tickets. Seeing as these people can no longer access their Battle.net accounts, that means they'll most likely require phone calls. Assuming a 5 minute phone call to fix, that's 1500 hours of phone calls just fixing this 1 particular issue. And it's probably a lot higher; I like to think I've been pretty conservative with these numbers. Not to mention people's dissatisfaction at not being able to play any of their Blizzard games.

Complex passwords are only good when people are trying to crack a password. This however is not the case here, as Blizzard have other means of preventing that, mainly blocking and flagging the account after x many guesses. I very much doubt that any passwords are cracked at Blizzard each year, I mean 0. It would be a very complex and time consuming task and the only people interested in doing it wouldn't bother as they have far easier and faster ways of getting account information. The increase to security in this particular case is ~0, whereas it may provide a small but significant increase to complex customer support.
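Both Bronze_D (a limit that locks the account until further authentication) and Tydus (blocking and flagging after x guesses) are describing a failed-login throttle. The sketch below is an added example of such a policy, not code from the thread or from Blizzard; the thresholds, the sliding window and the hard-lock escalation are all assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login limiter (illustrative policy, not Blizzard's).

    At most `max_failures` wrong passwords inside `window_seconds`; exceeding it
    locks the account for `lock_seconds`.  After `hard_lock_after` lockouts the
    account is frozen until a step-up check (e.g. authenticator) clears it.
    """

    def __init__(self, max_failures=5, window_seconds=900, lock_seconds=900,
                 hard_lock_after=3, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self.hard_lock_after = hard_lock_after
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time
        self.lock_count = defaultdict(int)   # account -> lockouts so far
        self.hard_locked = set()

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()

    def is_locked(self, account):
        if account in self.hard_locked:
            return True
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account):
        """Call on every wrong password; also flag the account for review here."""
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.failures[account].clear()
            self.lock_count[account] += 1
            if self.lock_count[account] >= self.hard_lock_after:
                self.hard_locked.add(account)      # stays locked until step-up
            else:
                self.locked_until[account] = now + self.lock_seconds

    def record_success(self, account):
        """A correct password while not locked resets the counters."""
        if not self.is_locked(account):
            self.failures[account].clear()
            self.lock_count[account] = 0

    def clear_hard_lock(self, account):
        """Called only after the user has proved identity out of band."""
        self.hard_locked.discard(account)
        self.lock_count[account] = 0
        self.locked_until.pop(account, None)
```

The login handler must refuse the password check entirely while `is_locked()` is true; otherwise a correct guess during the lock window would still succeed.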

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Tydus » 10 Jun 12, 5:38 pm

double post :oops:

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Otto-matic » 10 Jun 12, 6:57 pm

There are a lot of assumptions there that I don't think are quite accurate. I doubt most of those who use complex passwords forget them as often as you claim.

There are also the people who tick 'Remember my details' that you haven't accounted for. That would make up the majority of people who are likely to forget a password they use twice a week.

I would suggest the number of people who forget their password entirely will be far, far greater than those who misplace a capital.

I'm sure all those security experts who say at least partially complex passwords are a good thing are just deluding themselves. That would include me, who works in ICT security.

Let's be generous and say 0.1% of passwords are broken by force. That's 10,500 accounts - quite a lot. Never mind if the seemingly inevitable happens and somebody gets hold of the hashed Blizzard password tables. There are also other man-in-the-middle attacks that would be able to grab and crack simple passwords. Blizzard have just gone for a lazy implementation without bothering to let anyone know, including why they have done it. I noticed they also locked the thread of people complaining about it, since they were lazy on purpose.

Re: Authenticator Will be Mandatory for Taking Diablo III RM

Post by Cyrinno » 10 Jun 12, 7:46 pm

The problem began when usernames to log in to things became your email address.