How Secure is Your Password Following the Battle.Net Hack?

Last week was a bad week for Blizzard and Battle.Net: security was compromised and players' passwords were nabbed. Blizzard were reasonably quick to inform everyone, but now that the data is in the hands of hackers, how safe are the passwords under Blizzard's method of encryption?

A new article on ArsTechnica takes an in-depth look at the encryption methods Blizzard may have used and at how long it would take a hacker to decrypt the passwords, based on the information we do know about the encryption.

Mike Morhaime stated that the system was "designed to make it extremely difficult to extract the actual password" and that the stolen data was "NOT enough for anyone to gain access to accounts", but as we all know nothing is impossible, and it's not just your Battle.Net account you need to protect. Hackers will try the stolen details against email services, for example, on the off chance you use the same password, so let's hope every user's password is unique to Battle.Net.

When we posted the news of the hack, we urged you all to change your passwords, which I hope you have all done by now after removing your face from your palm.

Read the article, then change your password as soon as possible, just to be safe, if you have not already done so.


    30 thoughts on “How Secure is Your Password Following the Battle.Net Hack?”

    1. That article is technically correct, but it is speculating. It admits that Blizzard was doing the right thing by salting and hashing the passwords. But it casts doubt on the strength of the protection because Blizzard won’t say what the hash method is. Was Blizzard using weak SHA1, or one of the three methods that the article endorses? It then spends a lot of time on math that only matters if the hash method is weak.

      I think it’s wise for Blizzard to not specify which hash method they used. Assume that the hackers have a couple of personal accounts that they obviously know the password for. Right now I don’t think they can calculate their own passwords. The article mentions how the hackers will need to create new tools to process these passwords. Security through obscurity is bad, but don’t give them a hand either.

      The article is definitely right that celebrity users are at a higher risk. Assuming that any passwords are ever calculated, it will still be an expensive task. Since cracking them all is as “expensive” as cracking all of them individually, the hackers are going to go for the known good targets first. That is, guild leaders, streamers, Mr. T (lol), competitive players, ladder climbers, etc.

      • So, question. How are they going to bypass all the famous good people’s authenticators?

        Not being snarky, genuinely curious.

        • I don’t think they can bypass the physical authenticators; the physical ones don’t access the internet (to my knowledge) to generate the random codes they provide, only the mobile one does (which obviously makes it a bit easier to crack it).

          Physical Authenticators are obviously the best choice to have at this point, since they cannot be compromised unless someone had physically come to you and stolen it from ya, but that would be pretty hard to do if you never carry it with you.

      • The essence of the article is that Blizzard should not have stated that it is “extremely difficult to extract the actual password”, giving users a false sense of security, but more something like: “we can only speculate what exactly has been stolen and what technology is available to the hackers to extract the passwords, so it is best for everyone to change their passwords right now! Also, we will be looking at our security measures/policy, such as the 16-letter limit and the (non) usage of capitals in the passwords, since we recognize that this will actually make it easier for hackers to extract the passwords faster. Again, change your password right now!”.

      • Saying ‘don’t give the hackers a hand’ and ‘security through obscurity is bad’ are contradictory statements.

        Security through obscurity is bad precisely because if it is secure it doesn’t need to be obscure. The corollary of this is that if it is not secure, you’re better off having it out in the open so that people can point out exactly where it’s broken so that you can fix it.

        In other words, if Blizzard had published their entire login scheme prior to the theft then flaws like the lack of an adaptive hash function could have been pointed out and we wouldn’t be worrying about SHA1 (which is NOT weak, it just isn’t ideal for passwords).

        Further, publishing the hash function now would not particularly aid the hackers. Although the hackers can’t ‘calculate’ their own passwords, they can perform a one-word (e.g. their password) dictionary attack on the database using a handful of hash functions until they find the right function. This wouldn’t take long. It also assumes that the hash function used isn’t provided in the formatting of the data they retrieved or in some other data they managed to get while on Blizzard’s servers.

      • They sent out an internal email about it. Here’s straight from the mouth of an employee:

        “It hasn’t, just this one time. They didn’t get any billing, credit card info. They got your email, encrypted version of your password that takes who knows how long to crack (days-weeks). They got your secret question, and apparently somehow got part of the authenticator. At least it’s not your most important part which is your billing/CC, plain text password which the other several people that got hacked gave out.

        ‘save all my cc info for wow subscription now this happens’

        That wasn’t compromised. They have authorities, experts etc, to help confirm all this.”

        Why would they give out the encryption type? They have nothing to gain by doing that.

        • At this point the only thing they have to gain or lose is customer respect. They’d gain it if they showed they did everything right, they’d lose it otherwise. Note that ‘otherwise’ includes not fessing up to doing it wrong, though admitting they did it wrong might result in even more of a loss.

          At any rate, they certainly don’t have any security to gain or lose; figuring out what hash function they’re using is not difficult for the hackers.

          • And again, I’d have to reiterate, that they have no reason to give out the encryption type because it’s completely irrelevant.

            • Irrelevant to what? If they used a computationally expensive hash function, and they give that information out, it builds customer confidence. That is a gain. There is no loss in this case.

              As such we are forced to conclude that they are either:
              A) Stupid for not seeing that they have nothing to do but gain, or,
              B) Stupid for using an outdated password protection scheme. Less stupid than certain other companies, but still stupid.

    2. I didn’t change it. And I won’t. I just don’t care anymore. Paid $300 to get my hands on my CE + Digital copy to play at day one because “come on, they can’t screw fucking Diablo 3 up, for Pete’s sake!”. I was so terribly wrong… But that’s okay, I learned my lesson. Not pre-ordering based only on fucking extremely high hype and absolutely renowned names anymore. Okay, I must confess… I did just preorder CS:GO, but, come on, for 10 bucks I felt like I was stealing from Valve…

      Meh, I’m just venting… Sorry about that. Have fun with my account, hackers. Someone should.

    3. Unfortunately it’s come down to having to have unique passwords for every site if you want to ensure you don’t become overly exposed in each organization’s data breach. Then again, it does encourage those users who do share passwords across sites to change them more often. The sad reality is that many users aren’t as educated or don’t read fansites/forums all day, so they may still be unaware of their data exposure.

      I’m greatly saddened to see that a forced password change e-mail campaign has not been initiated!! Further, that the password is case insensitive at the database level is an unfortunate learning experience. There is much we will not know regarding this data breach, unless the intruders themselves come forward with that information…

      With the Armory the thieves can target specific accounts, both high profile and high value, to try and get the most out of their efforts. We’ve already seen articles on how far farmers go to be profitable; don’t underestimate what these skilled wrong-doers are capable of.

      I always encourage users who want more complex passwords, without the risk of trying to remember them all, to look to the well-respected, free, open source tools available:

      • What stinks is that hackers can use this opportunity to send out their own mass password-change emails. I got an email yesterday saying my account was locked and I need to verify that it is mine…just hours after changing my password manually. Of course it was a phishing attempt and the email’s own links led to spoof Blizzard websites.

        If I didn’t know to take a look at the URL of the links before going to them I could easily have fallen for the “Oh Bliz got hacked, now my account is compromised? I should follow “Bliz’s” instructions and verify through the email link!”

    4. They probably can solve all 30 million passwords at once with a simple seven sided strike bit flip technique runed for hex specialty.

    5. “Blizzard were reasonably quick to inform everyone, …”

      I read somewhere that it happened 5 days before they released the blog. I don’t call that quick, but I guess they did need to gather info before compiling the blog.

    6. They can’t do anything if you use the hardware authenticator.

      I wonder why people would still refuse to use it.

      It is a breeze to use and every bank has them by now to do your home banking.

      • Not true. An authenticator also has a serial number and must be checked server side and client side. Much, much more difficult, but not impossible. The 2-step verification method like in Gmail, with a number sent to your phone, is better, for example.

    7. As far as I know, the more ciphered passwords you have, the easier it is to crack them (I may be terribly wrong; please correct me!).

      I changed my password. So should everyone. Even if the intruders crack a handful of accounts it may be yours. In a case like this better safe than sorry.

      Notice they had a legitimate break-in and let everyone know. This is required by law, as has been discussed, and apparently they are nice enough to adhere to the law and let us know.

      • Your first statement, if I am interpreting it correctly, is incorrect.

        Three things:
        1) Cipher implies a 1:1 function. It is assumed that Blizzard is using a hash function, which is many:1. A (weak) cipher could be to replace all 0s with 1s and all 1s with 0s; clearly you can go back from the cipher text to the plain text by doing the opposite. A (weak) hash could be to sum the digits in the password and output ‘1’ if the sum is even and ‘0’ otherwise. Clearly you can find a password that hashes to ‘1’, but you can’t be sure that the password you found is actually another user’s password.

        2) Blizzard has stated that their hashes are salted. This means they pick a number, say 42, and instead of storing hash(“password”), they store hash(“42:password”). If hashes are not salted, and I have a lot of stolen passwords to crack, then I can crack multiple passwords at once. I can do this by calculating hash(“password”) and checking the value against every hash value stored in the stolen database. Salting prevents me from doing this because hash(“42:password”) and hash(“41:password”) give very different values so if I want to check who is using the password “password” I have to do the calculation once for every unique salt. If all the salts are unique, this effectively means that I have to crack each password individually.

        3) For certain encryption / hashing functions, it may be possible to crack what you want to crack if you’re given more encrypted / hashed values. This is not (to the best of public knowledge) true of any current standard schemes. It is assumed that whatever hash function Blizzard is using is a standard one and as such should not be vulnerable to such an attack.
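The work multiplier described in point 2 above, shown as an added example that is not part of the original post or Blizzard's system: a constructed three-user database is stored once unsalted and once with a per-user random salt in the "salt:password" form the comment uses, and the hash-computation count for testing a small constructed wordlist is returned for each. Plain SHA-256 is assumed as the stand-in fast hash; an adaptive function (bcrypt, PBKDF2) would multiply the per-salt cost further.

```python
import hashlib
import os

# Constructed sample "stolen database": alice and carol share a password.
USERS = {"alice": "password", "bob": "hunter2", "carol": "password"}
CANDIDATES = ["123456", "password", "letmein"]  # constructed wordlist


def sha256_hex(data: str) -> str:
    # Plain SHA-256 stands in for whatever fast hash the site used (assumption).
    return hashlib.sha256(data.encode()).hexdigest()


def store_unsalted(users):
    """hash(password) only: identical passwords yield identical hashes."""
    return {u: sha256_hex(p) for u, p in users.items()}


def store_salted(users):
    """(salt, hash("salt:password")) with a fresh random salt per user,
    mirroring the "42:password" convention described in the comment."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(8).hex()
        out[u] = (salt, sha256_hex(f"{salt}:{p}"))
    return out


def crack_unsalted(db, candidates):
    """One hash per candidate is compared against every stored value."""
    found, work = {}, 0
    for cand in candidates:
        h = sha256_hex(cand)
        work += 1
        found.update({u: cand for u, stored in db.items() if stored == h})
    return found, work


def crack_salted(db, candidates):
    """Each candidate must be rehashed once per unique salt."""
    found, work = {}, 0
    for cand in candidates:
        for u, (salt, stored) in db.items():
            work += 1
            if sha256_hex(f"{salt}:{cand}") == stored:
                found[u] = cand
    return found, work
```

With three candidates and three unique salts the salted run costs nine hash computations against three for the unsalted run; the ratio grows with the number of stolen records, which is the point of unique salts.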

    8. If you use the exact same password on sites with sensitive data then you will eventually get burned regardless of the actions of this particular hacker. Hopefully this will convince a few people out there to use different passwords from this point forward. Losing the answers to security questions hurts but it will happen over time if not this site then elsewhere. Thankfully most sites are linking your account to your cellphone nowadays or allowing you to create your own personalized security question which can be changed from site to site. Taking those few extra steps with your accounts is better than playing the stolen identity game for the next ten years.

    9. The email address I use as my ID was also hacked into and my password was changed on that email account. Luckily, bank statements, etc go to other email addresses, but seriously, WTF.

    10. I think Blizzard has added to the level of account hacking by their beta invites campaign before launch. I bet many people left their details on obscure gaming sites (or even fake game(fish)ing sites) for a chance to get into the beta. Of course, you shouldn’t use the same pwd everywhere, but a lot of ppl do. Getting your hotmail hacked for a chance to get into the alpha of a mediocre game – priceless!

    11. MoUsE_WiZ, you are an idiot.

      Even if they had a very secure process, there would still be plenty of people out there criticising it that it’s not secure enough. The n00bs would read the criticism and be convinced that Blizzard is being irresponsible. No good would come of it, only bad things.

      And that’s before we get to the crackers. Giving them intimate information on how your system works makes the job of cracking your security much, much easier. The truth of the matter is that no system is 100% secure, and when security systems get cracked it’s usually because of many attempts at probing for weaknesses until you get lucky. It’s like giving a detailed floor plan with the location of all your valuables and security details to someone interested in breaking into your house and stealing from you. Your security might be good, but now the thief knows exactly what to watch out for and what has the best chance of working.

      One of the worst things a company like Blizzard can do with security is to use off-the-shelf standard set-ups. This is something crackers will be very familiar with, and they know what tends to work and what doesn’t. Using customised security systems based on world’s best practice, but with significant differences whose details are not available to the public, is the best defence you can have.
