Why you need a Diablo 3 Authenticator.


A recent and depressing article on Ars Technica details how easily and quickly crackers can break even quite long and obscure passwords.

We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99” and “7c6a180b36896a0a8c02787eeafb0e4c” are the MD5 hashes for “password” and “password1” respectively. (For more details on password hashing, see the earlier Ars feature “Why passwords have never been weaker—and crackers have never been stronger.”)

…The list of “plains,” as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. “123456,” “1234567,” and “password” are there, as is “letmein,” “Destiny21,” and “pizzapizza.” Passwords of this ilk are hopelessly weak. Despite the additional tweaking, “[email protected]$$word,” “123456789j,” “letmein1!,” and “LETMEin3” are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. “:LOL1313le” is in there, as are “Coneyisland9/,” “momof3g8kids,” “1368555av,” “n3xtb1gth1ng,” “qeadzcwrsfxv1331,” “m27bufford,” “J21.redskin,” “Garrett1993*,” and “Oscar+emmy2.”

The article is mostly about a higher level of password cracking, namely how a leaked file of hashed passwords is broken offline, but it underlines just how fragile the security provided by your 8- or 10-character string is, especially if much or most of it is made of real words rather than (Lethe-inducing) alphanumeric gibberish. Hence the need for a second layer of security, such as an authenticator.
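
To make the mechanics in the Ars excerpt concrete, here is an added example (mine, not code from Ars or from this site) that reproduces the two MD5 hashes quoted above and contrasts that unsalted scheme with a salted, iterated PBKDF2 store. The names `LEAKED_MD5`, `store_pbkdf2` and `verify_pbkdf2` are my own; the 200,000-iteration count is an assumed choice, not something the article states.

```python
import hashlib
import hmac
import os
from typing import Optional

# Only the two hashes the Ars excerpt names, keyed by digest; this dict
# exists to check the article's mechanics, nothing more.
LEAKED_MD5 = {
    "5f4dcc3b5aa765d61d8327deb882cf99": "password",
    "7c6a180b36896a0a8c02787eeafb0e4c": "password1",
}


def md5_hex(plain: str) -> str:
    """Unsalted MD5 hex digest, the scheme the leaked list used."""
    return hashlib.md5(plain.encode("utf-8")).hexdigest()


def reproduces_quoted_hash(candidate: str) -> Optional[str]:
    """One MD5 of a guess is checked against every stored hash at once (a
    dict lookup); that is why an unsalted list of 16,449 hashes falls so fast."""
    digest = md5_hex(candidate)
    return digest if digest in LEAKED_MD5 else None


def store_pbkdf2(plain: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (assumed parameters): each user gets a random
    16-byte salt, so a guess must be re-hashed per user, each at full cost."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(plain: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(reproduces_quoted_hash("password"))      # the first quoted digest
    record = store_pbkdf2("password")              # differs on every call: random salt
    print(record, verify_pbkdf2("password", record))
```

Note that the same plaintext stored twice with PBKDF2 yields two different records, whereas unsalted MD5 gives every user who picked "password" the identical, instantly recognisable digest.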

As a Blue would tell you, Blizzard sells authenticators at cost, and offers mobile authentication for free via cell phone text messaging. You’ve really got no excuse not to use one of these, given the real world value of your Diablo 3 items.


Comments

  1. I’d love to know how they do this, just so I know how to make a more secure password etc.

    • three rules of thumb:

      the bigger the password, the better
      no words or number sequences (and changing a’s for @’s and e’s for 3’s won’t do it either)
      use an abundance of random letters, numbers, spaces and special characters.

      So:

      12345a – awful
      hello123Amsterdam – bad
      [email protected]@m – just as bad
      [email protected]_ pa! – good
      lç”*a¨|2’S655a8/ asç – fantastic, virtually uncrackable under today’s technology

      The answer? Use the god damn password manager. Let your browser save your passwords for you or use a third party password manager if you want to take them with you with ease. Let me also remind you that both Firefox and Chrome have sync features that let you access your data from remote computers. Firefox’s sync is a bit safer since it’s encrypted client-side before it’s sent off over the web, so there’s absolutely no way to steal your info, but Chrome’s good too, I guess.

      • If you’re old school, you can also just write them down on a piece of paper. The people looking to steal your passwords aren’t able to break into your house, and those who are able to break into your house won’t be looking for your passwords anyway.

      • Yeah no way to steal your info, but you still have your encrypted hashes in multiple places, increasing the chance of them being stolen.

  2. I’d love to know how they do this, just so I know how to make a more secure password etc. BTW, this is why I have an authenticator via my mobile

  3. All this article means is that if a hacker gets a hold of a list of simply MD5 hashed passwords, they can crack them all relatively quickly. No matter how complex your password at that point, the only thing that will make your password harder to decrypt would be to make it longer.

    All of this takes place offline, by the way. It’s why companies who do believe their hashed lists may have been stolen will inform the public. Since no company doing any serious business would encrypt in as simple as MD5, it is hoped that all (or most) of their customers will change their passwords before some (if any) of the passwords on such a list can be decrypted.

    In other words, making a more secure password is, honestly, more about length and not complexity. Since a password cracker would have to assume you COULD use upper case and lower case and special characters and numbers, it would have to check every single possible combination of every character in every slot. And the longer the password, the more complex it gets.

    XKCD exampled it here in a comic a while ago: http://xkcd.com/936/

    • “Since no company doing any serious business would encrypt in as simple as MD5”

      Unfortunately there are many, many companies “doing serious business” that store passwords in plaintext, so of course there will also be many that do it in simple MD5.

    • Here is a response to the comic you linked; it is a quote from the article:

      “Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.

      “The combinator attack got it! It’s cool,” he said. Then referring to the oft-cited xkcd comic, he added: “This is an answer to the batteryhorsestaple thing.””

      In other words, complexity also matters.

  4. I have never played a console game, so I’m clueless about this

    how will the D3 console versions?

    will players still need to log in?
    or is multiplayer tied to their console or what?
    I can’t imagine a console player using a virtual keyboard to type in the authenticator code

    • That’s why there’s no AH of any kind on consoles. And if they’re smart, no remote trading of any kind, even drop trading, or else d2jsp will come back w/ a vengeance.

      As to this, it really drives home the fact that the whole password/user system isn’t going to cut it in the near future. You can get a thumb print scanner but most places don’t support it yet. Retina scanners are even further off, but w/ smart phone cameras, not too far fetched. Just watch out for Wesley Snipes in a blonde flat top…

  5. I don’t understand why people assert that no serious company would use merely simple encryption. There was a story just last year Microsoft got hacked and it turns out password info was stored in a plain text file, completely unencrypted.

  6. Exactly. If you get hacked and you do not use an authenticator, it is your fault and your fault only, because anyone can get an authenticator and that shit is unbreakable. The odds of someone correctly guessing the authenticator key at any moment have to be close to zero.

    • I don’t own a smart phone. They don’t sell authenticators at Gamestop; I checked. I’m sure there are other ways of getting one but give me a freaking break.

  7. Does anyone know the difference between always having to use your authenticator to log in and only using it once a week? Is the latter alternative less secure in any way?

    • The option to only have it prompt you for a code once a week is fine for the most part…
      It also requests the auth code every time your IP address changes, so unless some hacker has stolen your password and is also spoofing your IP (not sure if it’s possible) he still wouldn’t be able to access your account.
      I tried the standard option of auth code every login, but it drove me nuts after a few days and I went back to the second option.
      Very happy with the smartphone authenticator, it even has a handy widget so you don’t have to open the app every time.

      • Cool, thanks – I have the phone authenticator as well and it’s quite a hassle for the reason you mentioned. I’ll give the weekly prompt a try, from the sound of it it’s almost like SteamGuard and I’ve never had any issues with that.

  8. Did Blizz ever bother to make the passwords case sensitive or are they still committed to making sure the authenticator is the only way to have a safe means of logging in.

    • Case sensitive is not a problem for the internet. It adds zero to the anti hacking tools. It is only annoying for the internet customer.

      Too lazy to explain it further.

  9. Sure I’ve got an excuse, I want to lose my account so I’ll never be tempted to play any Blizzard online game again.

    😀

  10. Imho the Authenticator is the most secure thing I used in all my online games. I’m very happy with it.

  11. This isn’t why I need a diablo 3 authenticator. This is why I need a long pass phrase instead of a pass”word”. a 20-character password will never be hashed this way.

    BTW, fuck you guys for making me watch a fucking ad to do a captcha. This site has gone so far downhill this will be the last time I ever come here. I mean, you’re serious? I have to watch a commercial to enter the captcha? Fuck you guys.

  12. I can’t be arsed. Blizzard should offer free protection as part of their service. It’s the least they should do. Obviously, if you fool people into thinking that they need (extra) protection you are being very negligent in your duties. After all we’ve already bought the game. Does any of you buy ‘an authenticator’ when you open a bank account, etc.?

  13. I need an authenticator because I was put into the same online boat as all the hackers and cheats via the online only requirement.

    Even with my precious authenticator my gaming experience is marred by various hacks and cheats whether it’s gold botting, RMAH gold duping or anything else people with no life can think up.

    Online only does not equal security…..period.

  14. The passwords were only easy to crack because they were poorly encrypted. I’d like to see the results against a list of passwords encrypted with a better algorithm, salted, etc.

  15. I wasn’t using an authenticator when I first started playing DIII(month or so after release), but a couple days after I started I couldn’t log in and had to reset my pw(way too simple). Finally got back in and was missing all my gold(about 8K). Only had a lvl8 Barb so it’s not like I had anything worth taking anyway…. I barely have time to play on my account, much less trying to break into other people’s and I hate that I have to basically use two pws for a PC game just to make sure no one steals all my virtual stuff.

  16. Yet another reason online only DRM for folks who only want to play a single player game sucks.
