Authenticator Will be Mandatory for Taking Diablo III RMAH Payments Through Battle.net Balance

General news and announcements

Moderator: Content Admins

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Mekon » 10 Jun 12, 10:24 pm

Cyrinno wrote: The problem began when usernames to login to things became your email address.

Agreed.
Mekon

I Draw Sustenance From Destroying Your Hyperbole
Posts: 7573
Joined: 8 Dec 03, 6:31 pm
Location: Dysney.Oz

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by DooDee1 » 11 Jun 12, 12:01 am

To be honest, I didn't even realise that there was no case sensitivity. My password is 13 characters long, including numbers, capital and lower case letters and even symbols, and yet, it has been hacked.

This needs to be fixed.
cpu - i7 2600 gpu - GTX 570 ram - 8GB DDR3 headset - Corsair HS1 speakers - Logitech Z-5500 keyboard - Razer Lycosa mouse - Razer Mamba surface - Razer Goliathus Fragged Extended Control Edition
DooDee1

Padawan
Posts: 108
Joined: 4 Jul 07, 1:07 pm
Location: QLD, Townsville

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by >XaartaX< » 11 Jun 12, 12:40 am

Tydus wrote: ahhhh. tbh why the hell does it matter. I imagine none of the passwords are brute force hacked because I'm pretty sure Blizzard will have a system in place to cancel the login and flag/lock an account after 20 thousand wrong guesses.

Dunno, I wouldn't be so sure about that. Apparently you can cancel auctions if you play about with your system date. Yes, that's right, auction times aren't based on the server time.
>XaartaX<

Forgotten What The Sky Looks Like
Posts: 2681
Joined: 24 Feb 03, 1:58 am
Location: South Australia

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by CrazyMonkey » 11 Jun 12, 9:20 am

>XaartaX< wrote:Apparently you can cancel auctions if you play about with your system date. Yes, that's right, auction times aren't based on the server time.


heh, saw a video on youtube yesterday about that...just wow, haha... :lol:
CrazyMonkey

Game Admin
Posts: 5747
Joined: 16 Sep 04, 3:50 pm
Location: BrisVegas

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Mugsy » 11 Jun 12, 9:55 am

CrazyMonkey wrote:
>XaartaX< wrote:Apparently you can cancel auctions if you play about with your system date. Yes, that's right, auction times aren't based on the server time.


heh, saw a video on youtube yesterday about that...just wow, haha... :lol:

Best tip ever!
Mugsy

Forgotten What The Sky Looks Like
Posts: 2602
Joined: 13 Dec 04, 6:13 pm
Location: Brisbane

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Tydus » 11 Jun 12, 11:37 am

Otto-matic wrote: There's a lot of assumptions there that I don't think are quite accurate. I doubt most of those who use complex passwords forget them as often as you claim.

Mine might not be quite accurate but yours seems just plain wrong.

Otto-matic wrote: There's also the people who tick 'Remember my details' that you haven't accounted for. That would make up for the majority of people who are likely to forget a password they use twice a week.

Irrelevant, doesn't remember password. No way you can tell it to remember password.

Otto-matic wrote: I would suggest the amount of people who forget their password entirely will be far far greater than those who misplace a capital.

I would agree completely and never stated any differently, but when you're talking of hundreds of billions of logins a year, every step to make it as simple for people the better. Not to mention it's a very serious problem to not be able to access your account, as it locks you out of all account services and online customer support, support forums and game master tickets. Any amount of reducing this would be a benefit I imagine.

Otto-matic wrote: I'm sure all those security experts who say at least partially complex passwords are a good thing are just deluding themselves. That would include me who works in ICT security

As far as I'm aware, it's much better practice to advise people away from complex alphanumeric passwords and into phrases; people have a much better time remembering a simple personal phrase than some complex combination of numbers/capitals/letters and the benefit it provides to security is massive.
But sure, a complex password beats a simple password of the same length any day when you're talking about cracking passwords.

Otto-matic wrote: Let's be generous and say 0.1% of passwords are broken by force. That's 10,500 accounts - quite a lot. Never mind if the seemingly inevitable happens and somebody gets a hold of the hashed Blizzard password tables. There's also other man in the middle attacks that would be able to grab and crack simple passwords.

It's like you haven't read any other post I've written in this thread.
I don't accept your 0.1% of passwords being hacked by brute force; there has never been any evidence of ANY account being broken by brute force, ever, at least to my knowledge.
WoW has been around for how long now, 7-8 years? With about 10 million subscribers on average? That is one massive sample of trillions of logins.
As an ICT professional you must be aware that there are plenty of ways to prevent brute force hacks AND that brute force hacking is much harder and much slower to accomplish at the best of times. As far as I'm aware nothing more than the odd DDoS from b-tards has affected the WoW login servers since their establishment. Nobody spends hours upon hours trying to crack into a single account when they can dupe hundreds out of their passwords in that same time.

Otto-matic wrote: Blizzard have just gone for a lazy implementation without bothering to let anyone know, including why they have done it. I noticed they also locked the thread of people complaining about it since they were lazy on purpose

Firstly, that isn't why the thread was locked; it was in the wrong part of the forum. The mod that locked it told them to take it to general chat if they wanted to continue, which I imagine is a much more frequented part of the forum, so I doubt they were trying to hide it.

Secondly, I can't believe people have the stupidity to think that they know better than the hundreds of much higher trained, much more experienced professionals at Blizzard. It really astounds me the size of some people's egos. Do you really think that this wasn't by design? Every part of the WoW system from game servers to login servers has had massive software and hardware overhauls over the years; Blizzard have had plenty of opportunity to fix their so-called oversight and plenty of motive. Some 80+% of all online customer support is related to account compromises and restoring accounts/items. That is millions of dollars of wages they could save; it makes very good business sense for them to make their system as secure as possible, evidenced by the free authenticator app and other systems (SMS, dial in etc.) they have provided. All these systems, I might add, are very good at stopping keyloggers/phishing and duping. They don't go round telling people to use stupid long stupid complex passwords to stop those hackers! They are a multi billion dollar company with whole teams of programmers and "ICT security experts"; the notion that this wasn't put in because they were "lazy", as if Blizzard's security is 1 fat guy eating donuts all day and browsing reddit, is absolutely ridiculous. There is plenty of evidence to suggest this is set up exactly how they want it.

I'm going to stop now, have gone waaay off track.
Tydus

Padawan
Posts: 239
Joined: 24 Sep 07, 6:00 am

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Otto-matic » 11 Jun 12, 2:58 pm

Could have sworn there was a 'Remember my password' box when logging in to play Starcraft II, that was sometime last year now.

I'm also sure the real reason they went this way is lowering costs for Blizzard, not protecting their customers. Much like you say in your reply.

Proving it was done by brute force is quite difficult without actually asking the hackers. Doesn't mean it doesn't happen. Yes there are ways to mitigate this, complex passwords being among them, but also doesn't mean Blizzard haven't dropped some of these in the name of saving money. Anybody ever checked to see how many times you can try to log in before they lock your account?

With the recent trouble they seem to have had with the Diablo login servers, it wouldn't surprise me if they've turned down a lot of security options to take load off the servers. A lot of companies with angry users at their door will go with the 'Get it working' route before they go to the 'Make it secure' route.

As for the locked thread, is their forum software so outdated they can't move a thread?

Edit: Agreed gone off track a bit. Guess I'm annoyed that people are willing to cut them some slack purely because it's Blizzard.
Otto-matic

1337 p0st3r
Posts: 1395
Joined: 24 Dec 04, 12:34 am
Location: Space

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Marius » 11 Jun 12, 4:31 pm

I'm not cutting them slack, I just don't see hackers going to overly-elaborate measures to get user data when they can just get it from cracking third party sites much easier.

Remember, business goes both ways. The hackers are doing so for business reasons - they run gold selling businesses. They're not going to hack individual accounts for days on end for the fun of it.

Usually, people are quick to accuse Blizzard of poor security when they themselves (the player) probably did something at some time or another to compromise their own account.
Marius

Needs more Cleric
Posts: 6198
Joined: 18 Aug 05, 12:12 am
Location: Getting off the Citadel in time

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by PalZer0 » 11 Jun 12, 4:47 pm

Otto-matic wrote:Guess I'm annoyed that people are willing to cut them some slack purely because it's Blizzard.

The problem is that this sort of attitude is spread by the very news sites that they comment on (whether it's here, Kotaku, IGN or somewhere else).

More info on this can be found here and here.
DRM is like kids. The less you have, the better.

#ati on GameSurge - unofficial ATi support channel
Twitter | Facebook | Steam | Xfire | Raptr
PalZer0

Offline? What's 'offline'?
Posts: 3281
Joined: 29 Mar 07, 5:22 pm

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Marius » 11 Jun 12, 4:59 pm

Not really relevant if referring to GoN commentating though... we don't do that sort of stuff. I don't think we cut Blizzard any undeserved slack. I recall some parts of our review being very negative.
Marius

Needs more Cleric
Posts: 6198
Joined: 18 Aug 05, 12:12 am
Location: Getting off the Citadel in time

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by PalZer0 » 11 Jun 12, 5:39 pm

Marius wrote:Not really relevant if referring to GoN commentating though... we don't do that sort of stuff. I don't think we cut Blizzard any undeserved slack. I recall some parts of our review being very negative.

Wasn't referring to the news/editorial people on GON. I was more referring to the community that seem to let obvious dumb decisions go just because it's Blizzard. Remember the article on VG247 about how people shouldn't care if they can't log in to Diablo 3? That and others like it are what I'm talking about when I say that they tend to brainwash people into giving Blizzard a free pass.
DRM is like kids. The less you have, the better.

#ati on GameSurge - unofficial ATi support channel
Twitter | Facebook | Steam | Xfire | Raptr
PalZer0

Offline? What's 'offline'?
Posts: 3281
Joined: 29 Mar 07, 5:22 pm

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Vashta » 11 Jun 12, 6:08 pm

*snort* Last time I checked Diablo 3 didn't have a lockout system to prevent brute force attacks.

Check out this thread: http://us.battle.net/d3/en/forum/topic/ ... 000?page=1
It gets really interesting from page 3 or so onwards.

It took about 10 minutes for them to find three or more different basic security flaws which are pathetic for any company or individual to have let alone one the size of Blizzard. The hardcore fanboys need a reality check if they think Blizzard is completely free from blame when it comes to security breaches.
Vashta

Player
Posts: 24
Joined: 30 Sep 11, 10:50 pm

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by spawneh » 11 Jun 12, 6:15 pm

OMG you are so right, I can't believe we've let Blizzard get away with it for 8 years. 8 YEARS. No, this is only a problem now, how dare they! Why didn't the internet hero brigade catch on sooner and start complaining about massive security flaws EIGHT YEARS AGO.

It's trendy to hate Blizzard, join in or you're just a dumb fanboy!

(I don't know if the way they handled passwords back then was the same as now, I'm just making an assumption that it is.)
spawneh

Padawan
Posts: 167
Joined: 25 Jan 04, 9:08 pm
Location: Melbourne

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by PalZer0 » 11 Jun 12, 6:22 pm

8 years ago security breaches of magnitude weren't all that common. Ever since the PSN hack (and more recently with the LinkedIn hack) security measures have been on the radar for quite a while.

The only reason these flaws didn't get blasted wide open earlier is because Blizzard hadn't been the victim of a serious attack like PSN or LinkedIn were. With the increase in reports of Diablo 3 accounts getting hacked (even with authenticators in some cases - or so it's claimed) and this announcement that an authenticator will be required to use the RMAH, people have been trying to find out why the accounts are getting hacked.
DRM is like kids. The less you have, the better.

#ati on GameSurge - unofficial ATi support channel
Twitter | Facebook | Steam | Xfire | Raptr
PalZer0

Offline? What's 'offline'?
Posts: 3281
Joined: 29 Mar 07, 5:22 pm

Re: Authenticator Will be Mandatory for Taking Diablo III RM

by Ralph Wiggum » 11 Jun 12, 7:56 pm

Anyone using internet banking in Australia require the use of an authenticator as well? You'd think our banks would definitely be on board with this authenticator bizzo given the potential scamming that could happen. My brother who lives in Singapore is supplied a keyring authenticator for his internet banking.
Ralph Wiggum

Forgotten What The Sky Looks Like
Posts: 2267
Joined: 21 Mar 05, 11:59 pm
Location: Standing on top of the 20th Century Fox logo