Important Security Update (Battle.net user information compromised) (opens in new tab)

(us.blizzard.com)

45 pointschaud13y ago19 comments

19 comments

19 comments · 6 top-level

MordinSolus13y ago· 6 in thread

I don't quite understand the 16 character password limit.

quaunaut13y ago

Or not letting people paste into the field.

LoganCale13y ago

I just ran into that idiocy when updating mine. Terrible. I generated a new password with 1Password and wanted to paste it in and had to type it in manually instead, twice, plus the old one.

thirsteh13y ago

This is one of the more annoying "security features" I've seen. Makes it a massive pain to use automatically generated passwords.

kijin13y ago

Most likely a VARCHAR(16) plaintext field.

thirsteh13y ago

Everybody here loves bcrypt, but you don't hear about how it has a max input size of 55 bytes >:)

There's no good reason the max should be so low, but you should not hurt your users by silently truncating input or exceeding the entropy limit of a fixed-size scrambling mechanism.

tedunangst13y ago

Or not.

newman31413y ago· 3 in thread

FWIW, this is Battle.net's password policy. http://imgur.com/q2oPZ

It also appears that cut&paste is disabled for the change password fields which is REALLY annoying.

tedunangst13y ago

I suspect that's so you don't type it wrong, copy it, then lock yourself out. I have typoed passwords before, very annoying when you know the password and just need to figure out which permutation it is.

phase_913y ago

I loathe sites that disable pasting passwords (I'm looking at you, Apple!) as it makes entering that random 24 char string generated by Keepass an exercise in frustration.

tjoff13y ago

Worth mentioning is that battle.net passwords are not case sensitive.

simonbrown13y ago· 2 in thread

Is anyone familiar with the Secure Remote Password protocol, and how secure it is in comparison to hashing and salting passwords using algorithms like bcrypt and PBKDF2?

ianburrell13y ago

SRP is a protocol to authenticate without exchanging passwords. It has the advantage that the server only ever sees and stores a verifier based on the hashed password. However, the password is still vulnerable to brute forcing. There is an extra modulo exponentiation which may make GPU calculation harder. I think the default hash for the verifier is SHA-1. It is possible to use a slow hash, like PBKDF2, for the verifier.

thirsteh13y ago

It is also, unfortunately, infeasible to use in web applications without some kind of plugin, much less across many different browsers. Blizzard still needs people to be able to log into battle.net to renew their subscriptions and buy vanity mounts.

If you control the client side and it's a normal client/server-type application, absolutely, go for it. It poses much less risk to your users than any scrambling or key derivation protocol, no matter how strong. (Those do nothing to prevent getting your favorite password by snooping on ethernet traffic or memory, for example.) As you mentioned, SRP too has adjustable knobs.

talon8813y ago· 2 in thread

I'm be quite willing to bet that the attack vector was a compromised password that was reused to access their admin panel.

Cyranix13y ago

Grounds for this claim?

thirsteh13y ago

I'm guessing there's no basis, beside that approach being what we heard about most recently with Dropbox.

It would be a little ironic if a company that's been strongly advocating the use of multi-factor authentication for many years now didn't enforce it for their own superusers. If that's not the case, then it's double ironic that those superusers are able to access the password digests in the database through that panel.

NelsonMinar13y ago

Valuable target. Battle.net is the login system for Warcraft and Diablo, both games where player accounts have significant cash value. The gold and items in a serious Warcraft player's account are often worth well over $50 and are relatively easy to strip and sell on a black market. Diablo 3 has a legitimized real money auction house, only heightening the risks for Blizzard.

adamzochowski13y ago

How does this affect users with Key Fobs?

http://us.blizzard.com/store/search.xml?q=authenticator

1 more reply

j / k navigate · click thread line to collapse

19 comments

19 comments · 6 top-level

MordinSolus13y ago· 6 in thread

I don't quite understand the 16 character password limit.

quaunaut13y ago

Or not letting people paste into the field.

LoganCale13y ago

I just ran into that idiocy when updating mine. Terrible. I generated a new password with 1Password and wanted to paste it in and had to type it in manually instead, twice, plus the old one.

thirsteh13y ago

This is one of the more annoying "security features" I've seen. Makes it a massive pain to use automatically generated passwords.

kijin13y ago

Most likely a VARCHAR(16) plaintext field.

thirsteh13y ago

Everybody here loves bcrypt, but you don't hear about how it has a max input size of 55 bytes >:)

There's no good reason the max should be so low, but you should not hurt your users by silently truncating input or exceeding the entropy limit of a fixed-size scrambling mechanism.

tedunangst13y ago

Or not.

newman31413y ago· 3 in thread

FWIW, this is Battle.net's password policy. http://imgur.com/q2oPZ

It also appears that cut&paste is disabled for the change password fields which is REALLY annoying.

tedunangst13y ago

phase_913y ago

I loathe sites that disable pasting passwords (I'm looking at you, Apple!) as it makes entering that random 24 char string generated by Keepass an exercise in frustration.

tjoff13y ago

Worth mentioning is that battle.net passwords are not case sensitive.

simonbrown13y ago· 2 in thread

Is anyone familiar with the Secure Remote Password protocol, and how secure it is in comparison to hashing and salting passwords using algorithms like bcrypt and PBKDF2?

ianburrell13y ago

thirsteh13y ago

talon8813y ago· 2 in thread

I'm be quite willing to bet that the attack vector was a compromised password that was reused to access their admin panel.

Cyranix13y ago

Grounds for this claim?

thirsteh13y ago

I'm guessing there's no basis, beside that approach being what we heard about most recently with Dropbox.

NelsonMinar13y ago

adamzochowski13y ago

How does this affect users with Key Fobs?

http://us.blizzard.com/store/search.xml?q=authenticator

1 more reply

j / k navigate · click thread line to collapse