Here's one thing not a lot of people know about battle.net passwords: They suck. They are NOT case sensitive and they are length-capped - only the first (12?) characters of a password are counted.
So if your password is something "Strong" like:
DevilCard99FOUR!!33--
Any brute force of:
devilcard99f
DEVILCARD99F
DeviLCaRD99f
will work. The rest is truncated.
If they JUST made their passwords case-sensitive, that would go a long way towards preventing this from happening.
(Don't believe me? Try your password with various caps, etc.)
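As an added illustration (not part of the original post), the small Python script below models the policy the post describes: case-insensitive comparison and only the first 12 characters counted (the poster's own "12?" is taken as an assumption here). It shows the three variants from the post collapsing to the same stored value, and estimates how many bits of brute-force work the policy throws away compared with a case-sensitive, untruncated check.

```python
import math
from typing import Optional

# Assumed policy, as described in the post: case folding plus a 12-character cap.
TRUNCATE_AT = 12
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOL_COUNT = 33  # printable ASCII (95) minus letters and digits (62)


def weak_normalize(password: str, cap: Optional[int] = TRUNCATE_AT,
                   case_sensitive: bool = False) -> str:
    """Reduce a password to what a truncating, case-folding check actually compares."""
    kept = password if cap is None else password[:cap]
    return kept if case_sensitive else kept.lower()


def all_equivalent(reference: str, variants, **policy) -> bool:
    """True if every variant would be accepted in place of the reference."""
    target = weak_normalize(reference, **policy)
    return all(weak_normalize(v, **policy) == target for v in variants)


def alphabet_size(effective: str) -> int:
    """Character classes present in the effective (post-normalization) password."""
    size = 0
    size += 26 if any(c in LOWER for c in effective) else 0
    size += 26 if any(c in UPPER for c in effective) else 0
    size += 10 if any(c in DIGITS for c in effective) else 0
    size += SYMBOL_COUNT if any(c not in LOWER + UPPER + DIGITS for c in effective) else 0
    return size


def brute_force_bits(password: str, cap: Optional[int] = TRUNCATE_AT,
                     case_sensitive: bool = False) -> float:
    """log2 of the candidate space a guesser must cover under the given policy."""
    effective = weak_normalize(password, cap, case_sensitive)
    return len(effective) * math.log2(alphabet_size(effective)) if effective else 0.0


if __name__ == "__main__":
    strong = "DevilCard99FOUR!!33--"            # the example password from the post
    variants = ["devilcard99f", "DEVILCARD99F", "DeviLCaRD99f"]
    print("stored as:", weak_normalize(strong))
    print("all variants accepted:", all_equivalent(strong, variants))
    print("bits, full/case-sensitive :", round(brute_force_bits(strong, None, True), 1))
    print("bits, 12-char/case-sens.  :", round(brute_force_bits(strong, 12, True), 1))
    print("bits, 12-char/case-insens.:", round(brute_force_bits(strong), 1))
```

The last three lines make the post's point concrete: the cap alone discards the trailing symbols and most of the length, and case folding removes another character class on top of that.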
@Lincoln This. I even did a bunch of research on it at my last job (to prove to my bosses that their password system was BS. Did not get promotion. Teach me to busybody).
Also, brute force must be done using an offline version of something that might require your password to work - in the case of a Linux operating system, for instance, if you had the shadow password, you'd be set. For an encryption key, all you'd need is a small encrypted packet. I'm not sure any vulnerability like that exists on battle.net's systems, because they're BIG HONKING OBVIOUS PROBLEMS... I don't think they can brute force your password. They CAN, however, catch you with a keylogger or rootkit - social engineering is TREMENDOUSLY easier than any other method.
Another important thing to note that sadly Randall Munroe doesn't talk about in his comic is the use of dictionary crackers (but he DOES mention this in the mouseover text) - you can use something like Cain and Abel to try it yourself, but if your password is made up of common dictionary words (or even common misspellings or substitutions), brute forcing suddenly becomes much easier. Many password cracking dictionaries include things like proper names, text-speech, or leetspeak. Sadly, CorrectHorseBatteryStaple is easily cracked with a dictionary, but C0rrectHorseBttryStaple would thwart dictionaries that didn't include "C0rrect" or "Bttry"... which is most of them.
Same exact thing just happened to me again. Game froze, logged out. I powered down and re-scanned for malware (nothing found). I have an authenticator now so I don't know.
Chooch | K-Pop authority™, Pho King | Madison Heights, MI | Icrontian
It happened to me too. I changed my pw just in case. Something is going on.
Someone (and by someone I mean some group of Chinese hackers) probably have a zero day exploit for WoW itself. Malware scanners won't detect something that they don't know to look for.
FYI, make sure you write down the serial number and such for your phone code on the authenticator (Like they tell you to) or else you are not getting back into your account without a photo id. Make sure you do the SMS Protect as well.
Sincerely, guy who can't get into his battle.net account right now.
midga | "There's so much hot dog in Rome" ~digi (> ^.(> O_o)> | Icrontian
Sincerely, guy who can't get into his battle.net account ~~right now~~ won't send Blizzard a photo of his ID.
Sincerely, guy who can't get into his battle.net account ~~right now~~ won't send ~~Blizzard~~ the NSA a photo of his ID.
I presume the issue is with Blizzard having your ID? Because thinking the NSA doesn't already have a copy of your government issued ID would just be... silly.
He could be using cash paid game time cards and using a fake name on his account while using a laptop at a random internet bar, the NSA might not know how much sugar he likes in his coffee quite yet.
So what is the concern there?
The concern being the less people having my id the better. Because we all know companies never make a mistake and lose our info to the darkest corner of the web. Right? Guys?
JBoogaloo | This too shall pass... | Alexandria, VA | Icrontian
I ran into this same issue and wasn't going to send my ID. I hopped on the chat function, ten minutes later after answering a couple questions, boom...done. I'm assuming you already tried this and it wasn't successful huh? Bleh...bummer.
These guys will probably spend a good part of their sentence trying to hack stuff for the Chinese government.
http://kotaku.com/blizzard-identifies-malware-targeting-world-of-warcraf-1494050450?utm_campaign=Socialflow_Kotaku_Facebook&utm_source=Kotaku_Facebook&utm_medium=Socialflow
The authenticator coupled with their beta client launcher thing ... it's awesome.
never got hacked.
THEY KNOW EVERYTHING!