I don't get what the problem is. It doesn't really make bruteforcing an account feasible that there are only a lower quadrillion number of combinations instead of quintillions.
Quote:
> If you fail a certain number of logins against Battle.net, your IP address is temporarily banned. This makes it fairly difficult to bruteforce most accounts.
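The lockout the quoted line describes, written out as an added example (not the thread's or Battle.net's code): a per-source-address limiter that counts failures over a sliding window and bans the address for a fixed period. The thresholds, the constructed addresses and the injectable clock are assumptions for illustration; the page gives no numbers.

```python
"""Added example (not from the thread and not Battle.net's code): a minimal
per-source-address failed-login limiter of the kind the quoted comment
describes.  After MAX_FAILURES failures inside a WINDOW-second sliding window
the address is banned for BAN_SECONDS.  All three thresholds are assumptions
chosen for illustration, not values the page states."""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5     # assumed: failures allowed before a ban
WINDOW = 300         # assumed: seconds over which failures are counted
BAN_SECONDS = 900    # assumed: how long a ban lasts


class LoginLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.banned_until = {}                # ip -> time at which the ban expires

    def _prune(self, ip, now):
        """Drop failure timestamps that have fallen out of the sliding window."""
        q = self.failures[ip]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_banned(self, ip):
        now = self.clock()
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Ban has expired: forget it and start the address with a clean slate.
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed login; return True if this failure triggers a ban."""
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that address."""
        self.failures.pop(ip, None)


class FakeClock:
    """Constructed clock so the demo below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    """Walk the limiter through constructed addresses; returns the observations."""
    clock = FakeClock()
    lim = LoginLimiter(clock=clock)
    noisy, neighbour = "198.51.100.7", "198.51.100.8"   # constructed (TEST-NET-2)

    early_bans = [lim.record_failure(noisy) for _ in range(MAX_FAILURES - 1)]
    final = lim.record_failure(noisy)             # this one crosses the threshold
    banned_now = lim.is_banned(noisy)
    neighbour_ok = not lim.is_banned(neighbour)   # unrelated address unaffected

    clock.advance(BAN_SECONDS)                    # ban runs out
    banned_after_expiry = lim.is_banned(noisy)

    # Failures spread wider than the window never accumulate to a ban.
    for _ in range(MAX_FAILURES - 1):
        lim.record_failure(neighbour)
    clock.advance(WINDOW + 1)
    slow_ban = lim.record_failure(neighbour)

    return {
        "early_bans": early_bans,
        "threshold_failure_bans": final,
        "banned_now": banned_now,
        "neighbour_unaffected": neighbour_ok,
        "banned_after_expiry": banned_after_expiry,
        "slow_failures_ban": slow_ban,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats a defender would add to the mechanism: a per-address ban lands on everyone behind the same NAT or proxy, and it does nothing against guesses spread across many addresses, so it complements per-account controls and a slow, salted hash rather than replacing them.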
"Yes, the passwords are converted to uppercase before hashing. That's probably a bad idea - especially in the modern world - but it really dates back to their first Battle.net game - Diablo - from 1996."
Yup, that's probably a bad idea. Thank goodness you didn't disagree that it's probably a bad idea, like I've seen a ton of nut-jobs do.
That said, I think it's only "probably a bad idea" in terms of protecting people who use the same password on multiple sites, which is "without question a bad idea."
Put me in as a nut job then. I've seen plenty of users who make no distinction whatsoever re case of characters in passwords. One day their password is working, the next day it isn't, and the organization ends up spending the customer care money to deal with it just because they started typing "af" at the end of their password instead of "Af" or whatever.
If you need more complexity in a password, better to just encourage them to use a phrase with the words being the individual complexity rather than the characters. Like it or not, we live in a world where 80% of end users can't turn their wifi radio on and off on their phone, and we need to make systems that are a pleasure to use for them.
Why is it worse to uppercase the password before hashing for people who use the same password on multiple sites? It doesn't matter if it is a 24 character password using every character set possible; if it is the same password they use somewhere else, and that place is compromised, the attacker will be able to use that password to log in to the Battle.net account.
Er, wow. That's horrendous. How in the world can they still blame the first Diablo when they made such a big deal about "Battle.net 2.0" recently? Why do they need to lump the new stuff together with legacy systems using broken security practices?
If they ever compromise the bnet database of hashed passwords, though, it may be a benefit, as the password they re-use may contain uppercase and lowercase letters, which the bnet database has no way of representing.
If the passwords are stored using proper key stretching techniques and salting, they don't need to have much entropy to withstand brute-forcing. It's not necessarily a problem that lowercase letters do not contribute. However, it is a completely unnecessary lowering of entropy.
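The two points above, the "quadrillions instead of quintillions" of combinations and the claim that salting plus key stretching matters more than the lost case bits, worked through as an added example (not code from the thread or from Battle.net). The character-set sizes, the 10-character length, the use of SHA-1 as a stand-in for an unspecified legacy fast hash, and the PBKDF2 parameters are all assumptions for illustration.

```python
"""Added example (not from the thread): what folding a password to one case
before hashing costs in search space, and why a per-user salt plus key
stretching matters more.  Character-set sizes, the 10-character length, SHA-1
as the stand-in legacy hash and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import math
import os

LOWER, UPPER, DIGITS = 26, 26, 10


def keyspace(charset_size, length):
    """Number of distinct passwords of this length over this character set."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    return length * math.log2(charset_size)


def casefold_report(length=10):
    """Compare mixed-case alphanumerics against the same passwords case-folded."""
    mixed = keyspace(LOWER + UPPER + DIGITS, length)
    folded = keyspace(LOWER + DIGITS, length)
    return {
        "mixed_case": mixed,
        "folded": folded,
        "bits_lost": entropy_bits(LOWER + UPPER + DIGITS, length)
                     - entropy_bits(LOWER + DIGITS, length),
    }


def legacy_hash(password):
    """Uppercase, then an unsalted fast hash.  The page only says Battle.net
    uppercases first; SHA-1 here is an assumed stand-in for whatever fast hash
    a legacy scheme might use.  Every case variant of a password collides."""
    return hashlib.sha1(password.upper().encode("utf-8")).hexdigest()


def stretched_hash(password, salt=None, iterations=200_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256.  Case is preserved, and
    each guess costs the attacker `iterations` HMAC calls for that one salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_stretched(password, salt, expected, iterations=200_000):
    """Constant-time comparison against a stored (salt, derived key) pair."""
    _, dk = stretched_hash(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    r = casefold_report(10)
    print(f"10 chars, mixed case:  {r['mixed_case']:,}")   # roughly 8.4e17
    print(f"10 chars, case-folded: {r['folded']:,}")       # roughly 3.7e15
    print(f"bits of entropy lost:  {r['bits_lost']:.2f}")
    # Constructed password: the legacy scheme cannot tell the two spellings apart.
    print(legacy_hash("Diablo1996") == legacy_hash("dIABLO1996"))
    salt, dk = stretched_hash("Diablo1996")
    print(verify_stretched("Diablo1996", salt, dk),
          verify_stretched("dIABLO1996", salt, dk))
```

Case-folding a 10-character alphanumeric password costs a little under 8 bits, a factor of roughly 230. Moving from an unsalted fast hash to a salted, 200,000-iteration PBKDF2 costs an attacker far more than that per guess and removes the shared-table attack across users, which is why the comment can say the lost bits are unnecessary rather than fatal.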
My lesson from this is: it always pays to think about and understand even the seemingly most trivial decision. You may be stuck with it for decades.
He's actually wrong. Starcraft introduced usernames/passwords and unique names to Battle.net in early 1998. The support was then patched into Diablo 1.05. Diablo I's Battle.net functionality did not originally include usernames/passwords at all.
It was quite a strange little architecture, initially. Your displayed name was whatever you'd named your character, with the distinguishing feature being an "account number" that could be re-generated by deleting a file in your Diablo directory (the corollary being if you didn't back the file up, your account number would change upon a reformat or migration to a new computer).
Can I just say that Blizzard's handling of the Diablo 3 launch was a travesty on so many levels? First of all, nothing worked. No one could log in to play, despite their stress-testing beta and having a large percentage of players sign up and predownload far before launch. Their response was the now internet-famous "Error 37," an absolutely useless message for users. If everything was going to be completely broken, they could have at least provided a useful error message saying "We're getting more traffic than anticipated and will notify you when the servers are ready." or something.
Seriously one of the most disappointing end user experiences I have ever had, and there's no way for me to return my $60 download.
Really? Yours is a common complaint, so perhaps I'm just weird, but I was neither surprised nor upset by the opening day crunch. It was certainly nothing compared to, for example, WoW's release day. Or some of Steam's releases, back in the day.
With D3, I logged in on release day, got the error a few times. Came back a couple hours later, and managed to log in. Played around a bit, had a good time. There were some occasional lag spikes, but nothing catastrophic. The next day, I had no problems with logging in at all (only a very occasional lag spike). All days since have been smooth sailing.
Commenters in this thread (all 14 years ago): ralfd, VikingCoder, lnanek, davis_m, nmb, TillE, jsabo, Confusion, nknight, tzaman, Auguste, alexrp, bicknergseng, ender7, rmassie.