
Blizzard Network Breached; Change Your Battle.Net Passwords - evo_9
http://kotaku.com/5933454/blizzard-network-breached-change-your-passwords
======
swang
"Some data was illegally accessed, including a list of email addresses for
global Battle.net users, outside of China. For players on North American
servers (which generally includes players from North America, Latin America,
Australia, New Zealand, and Southeast Asia) the answer to the personal
security question, and information relating to Mobile and Dial-In
Authenticators were also accessed. Based on what we currently know, this
information alone is NOT enough for anyone to gain access to Battle.net
accounts."

The part where it says, "answer to the personal security question" were
accessed should be EXTREMELY ALARMING. This combined with an email addresses
is usually enough to get your password reset on lots of sites. I believe this
will reset your password on Google (assuming you're not using 2 factor).

~~~
famousactress
Do these have to be human-confirmable? Wondering why they're stored in
plaintext.. I've been curious about this before. Do you-folks store your
challenge-question-answers in plaintext?

~~~
elithrar
> Do these have to be human-confirmable? Wondering why they're stored in
> plaintext.. I've been curious about this before. Do you-folks store your
> challenge-question-answers in plaintext?

I would hazard a guess that most sites store "Secret Questions/Answers" in
plain text, or a two-way hash (that their support app reverses), as they are
used to confirm identity along with the basics (DOB, address, email, etc).

~~~
duaneb
They can confirm identity with a one-way hash - the only reason I could think
of not supporting this would be fuzzy matching.

~~~
danso
Well, that would be thhe reason, I think...

Example:

For: "Who was your favorite high school teacher."

\- Mr. Berners-Lee \- Mr. Berners Lee \- Tim Berners-Lee \- Mr. Lee

Never mind if you had two different teachers who were great, and you switch
them interchangeably depending on whether you're in an English mood or a Music
mood

~~~
dhimes
Of course, your answer should NEVER match the question. But that's beside the
point.

"Whose was your favorite high school teacher?"

-Pecan pie.

~~~
smsm42
The only problem is that in 5 years you'd have no idea what you answered
there. And that's exactly when you'd need it.

~~~
wlievens
Yeah, unless you do it consistently everywhere, which again defeats the
purpose.

Maybe you could do something like consistently answer the previous question
from the dropdown?

~~~
roc
Or use a tool like 1password to generate and store the 'answers'.

~~~
smsm42
You need those answers exactly when you don't have the password, which means
your 1password failed for some reason (otherwise you'd have the password from
it). For me it usually happens with sites that generate their own passwords
which I for some reason failed to enter into 1password some time ago (probably
because I didn't use the site for a long time).

------
DigitalSea
This is ridiculous. Maybe the world is ending, because it feels like every
major website/provider of some popular service is getting hacked these days. A
company of Blizzard's stature and wallet size has no excuse for this kind of
thing happening, no excuse at all. If you're charging people exorbitant
amounts of cash to buy your games and then charging some of your customers a
fee for the privilege of using your so-called "secure" servers every month
then you should be providing a certain level of security in return, it's not
rocket science - employ someone who knows how to secure a server.

This is certainly not limited to Blizzard, it seems like everyday there is a
new story about some kind of security breach and then we're told to change our
passwords and some details may have been stolen. As an owner of both Starcraft
2 and Diablo III and I am heavily disappointed especially considering how much
I paid for both of those games here in Australia (bought digitally as well).

~~~
alanfalcon
Blizzard is _literally_ under _constant_ attack and has an incredible security
team in place. Obviously the only acceptable result is 100% attack deflection,
but the idea that this could be or could have been anything short of an
absolute top priority for the company is a ridiculous assertion that I'd
expect on any other site, but not HN.

I'm a former Blizzard employee with knowledge of the situation and internal
workings. EDIT: I am, of course, not remotely qualified to speak for Blizzard
or the security team.

~~~
DigitalSea
Security has nothing to do with preventing the attack, it's more so protecting
the data much like a bank protects it's assets. It's pretty easy to break into
a bank (they're merely glass and brick after all), but there is no way you're
getting into that vault once inside and even so, if you get into the vault
there are secondary security procedures in place to ensure that nothing is
easily taken.

So regardless of whether or not Blizzard is under constant attack, just
because someone can get in doesn't mean they should be able to take anything..
I really do hope Blizzard don't go into the banking industry because everyone
will be lining up to steal what they can from the easily penetrable building
and vault inside. There is no excuse.

If Blizzard is under constant attack, you'd think they'd be smarter about how
data is stored and just what an attacker could see if they gained access to a
database of any kind. So once again, my point was not about deflecting attacks
because that's impossible, it's about making it almost impossible for the
hacker to use any of the information he can access.

~~~
mojowo11
Just curious, are you actually a data security professional? Because while you
have a very nice metaphor with the whole bank vault thing, you haven't offered
any actual examples, or any specific criticisms of Blizzard's setup (not that
we know what it was), or even examples of what you're talking about.

I know nothing about data security myself, but I'm not exactly learning
anything about it from your posts. Sorry to be rudely blunt, but I've seen a
lot of people who have no idea what Blizzard is up against, the
difficulty/feasibility of protecting digital data, what Blizzard has in place,
or even what Blizzard could/should have in place really criticizing Blizzard
for incompetence here, and that's odd to me.

~~~
DigitalSea
I may or may not be a data security professional, but I hardly see how that
would make anything I've said more or less credible. Without knowing how
Blizzard have set up their infrastructure, I can't really give any examples
because each environment is different and requires different forms of security
and protocols in place.

While Blizzard were apparently using SRP and while I can't say for sure I am
guessing Blizzard are using the SRP authentication algorithm out-of-the-box
which is bad for a number of reasons, but the main one being SRP by default is
an over-glorified way of SHA1 encrypted and salting a password and by the
sounds of it the hackers were able to access those salts and could
theoretically brute force the passwords which by todays hardware capabilities
is not very hard at all, this is LinkedIn all over again.

Take a look at the SRP design specification:
<http://srp.stanford.edu/design.html> \- if Blizzard didn't modify the
algorithm, I think we've yet to see the full effects of this breach. LinkedIn
learned the hard way and now one of the worlds largest multiplayer gaming
companies is about to find out what a simple mistake like this can do. I hope
for their sakes they customised SRP and if they didn't, I think we have the
right to know.

As a Battle.net account holder, I have the right to voice my concerns about
this. I paid money for the privilege of playing Blizzard's games - fortunately
my Battle.net password is separate to that of any other account I have, but I
feel sorry for the millions who re-use their password for their email
accounts, Internet banking and other various accounts that could have all
kinds of effects.

~~~
comex
Would you mind stating what weaknesses you see in the unmodified SRP? Against
a server compromise it's equivalent to salted hash storage, but it's
impossible, in general, to do better without losing the ability to
authenticate using the password (only).

Edit: do you mean the weakness of salted SHA-1? SRP is not defined for SHA-1
only.

------
dsl
From my time reverse engineering the WoW client, I can tell you Blizzard uses
SRP6 [1] for authentication. You'd have to really try hard to be storing
anything other than a hash on the backend.

1\. <http://srp.stanford.edu/design.html>

~~~
StavrosK
Oh wow, I wasn't aware of that. So the password (or a hash of it) never leaves
the client, so an eavesdropper can never get any information? That's very
interesting.

It looks like both parties end up with a session key, too, which is an added
bonus.

~~~
dsl
Pretty much. The Blizzard guys know their shit. You wouldn't go wrong
replicating anything they have done security wise, which is why this breach is
surprising to me.

------
BadassFractal
I'm concerned that this is happening so often that it is no longer raising
eyebrows. It's becoming one of those "just how things work on the Internet,
get used to it".

~~~
revx
Either that or 2-factor authentication will catch on and stealing passwords
won't be worth anything.

~~~
NelsonMinar
Blizzard has 2 factor; the secrets for the mobile authenticator seem to have
been compromised as well as the hashed passwords.

~~~
jrockway
But secrets for the mobile authenticator are much less sensitive than
passwords, which are prone to reuse. It does, however, defeat the security
advantage of two-factor authentication.

(I always thought the really smart crackers would break in, modify the
application code to weaken the password encryption, and then re-encrypt every
password when the user logs in. Come back a few weeks later and collect a
bunch of working passwords, with nobody the wiser.)

------
zaroth
SRP is great at many things, but terrible at securing the server-side password
database from brute force attacks.

A quick look at <http://srp.stanford.edu/design.html> and
<http://srp.stanford.edu/demo/demo.html> and you can see that SRP uses simple
SHA1 plus a Salt to store the hashed passwords.

With the hashes and salts stolen, please assume your password has been brute
forced by the attacker (1 billion hashes per second with SHA1 is not
expensive). This is LinkedIn all over again.

If Blizzard customized their SRP algorithm to use a more expensive hash than
SHA1, they should come out and say it.

Otherwise, we should assume their statement that using SRP "means that each
password would have to be deciphered individually" is nothing more than a
salted SHA1. Combined with their reduced entropy password policy, all stored
passwords are likely brute forced already.

~~~
mindslight
I haven't studied SRP, but a quick look at it and it seems that one also needs
to perform the v = g^x. While still vulnerable to brute forcing due to lack of
entropy in a password, this is more expensive than bare SHA1. The opine.me
post you linked elsewhere completely glosses this over.

edit: okay, just to give you some very rough numbers from 'openssl speed' on
my machine. 16 byte SHA1 is about 1M/sec. Projected dsa256 (based on dsa512
and its ratio to dsa1024) signatures (most of which is an exponentiation) is
about 3k/sec. It's certainly not a purpose-built tunable KDF, but it's orders
of magnitude harder than SHA1.

~~~
zaroth
See below, the algorithm is clearly specified in the RFC, and it's no better
than plain SHA1 in terms of preventing dictionary attacks once the database is
stolen.

~~~
tedunangst
Whatever logic you are using to prove that performing g^x is the same as
computing plain sha1 would also prove that bcrypt and pbkdf2 are no better
than sha1.

~~~
zaroth
v = g^x % N

Finding 'x' given g, v, and N is HARD. Calculating g^x is EASY. O(log X)

This is crypto 101 man...

This is why SRP is said to be verifier based and not password or password-
equivalent based, because you cannot retrieve X from v.

But this is ALSO why the CREATOR of SRP Thomas Wu specifically states in his
presentations on SRP that it does _not_ resist dictionary attacks when the
verifier database is stolen.

~~~
tedunangst
Your point is taken, but saying "you cannot retrieve X from v" in a thread
about doing exactly that is kind of funny. :)

~~~
zaroth
Right :-) Brute force is 'hard' - dictionary is not.

Calculating 'v' is a bit harder than SHA1 - there is a lot of research on
performance of modular exponentiation since it is the foundation of crypto,
but most of the current benchmarks are at 1024 or 2048 bit N.

Given that we have a mere 256-bit N, it looks like between 10k - 100k
operations / sec is achievable with a modest budget. I should go benchmark
this on Google Compute or EC2 GPU, but I need to sleep at some point.

Intel released a benchmark here:
<http://download.intel.com/design/intarch/PAPERS/324952.pdf> claiming they can
do 1024-bit ME in 2m cycles, and 512-bit ME in 250k cycles on an i7-2600.
Assuming that means you can do 256-bit ME in 32k cycles, that's 100k / sec at
3.4GHz.

So an attacker takes a dictionary with 100k passwords in it (or just the top
10k, that works almost as well...) and tests them for each { username, salt, v
}.

If you can do 100k tests per second, you can test 100k passwords for 100k
users (10B tests total) in a little over a day. You won't successfully crack
every password, but a well formed dictionary with top 100k passwords will
crack a majority of them.

So don't tell me it's too slow to dictionary attack, ok?! :-)

------
ChuckMcM
For a long time World of Warcraft accounts sold for more money on the black
market than credit card numbers [1]. It was said that this was due to the fact
that you could make money using those accounts (primarily through selling
'gold' or in game items) which could not get 'clawed back' by credit card
companies.

So having battle.net get hit is a pretty cherry target.

That said, what is the current crack rate for SRP on a GPU for 7, 8 and 10
character passwords?

[1] This was one example but I've also seen other more credible reports on the
eset blog. "WoW login I might want to check if they also have Diablo 3 on
their account and vice versa. WoW accounts are already more valuable than
credit card numbers on the black market, this will only increase their value."
-- [http://www.gosugamers.net/diablo/news/17557-it-s-the-
economy...](http://www.gosugamers.net/diablo/news/17557-it-s-the-economy-
stupid-how-the-real-money-auction-house-will-affect-diablo-3-part-1)

~~~
thechut
> That said, what is the current crack rate for SRP on a GPU for 7, 8 and 10
> character passwords?

That is a really good question, SRP is actually pretty serious. Based on the
small amount I know about SRP, a simple rainbow table brute force attack would
take a VERY VERY long time per hash; even on an extremely fast multiple gpu
rig. Somebody with more specific knowledge about SRP could probably calculate
an exact number.

However, since they have stolen other information (perhaps even some, like the
modifier, salt or modulo data, that they have not disclosed) they could
possibly create a more advanced and targeted rainbow table attack which would
greatly reduce the time it would take per account.

------
feefie
How is a breach like this detected and how would they determine what data was
accessed? How likely is is that that other sites on the internet are breached
but don't detect it? If the answer is too long and you could recommend a book
or website I could read up on this topic, that would be awesome.

~~~
talon88
Breach is generally detected in one of two ways - information is sold and that
leads to scrutiny when users write in, and/or you have auditing mechanisms (ip
geolocation, for example) which points out behavior that does not seem to be
correct.

Once you see this, you run through a full audit of all of your accesses,
searching for things that don't fit a pattern. Logins of your admins — did
they login at some time that they don't usually? Was there a login from a
Russian/Chinese/Unusual IP? Did someone go into something they usually
shouldn't? It's not an exact science, which is why it's really hard to do —
you may never be sure what exactly was compromised.

Finally, how likely it is that other sites are breached: highly likely. The
problem is that when you have leaked email/passwords, there's a large number
of people that reuse passwords, and those people can be working at Blizzard,
banks, or other companies. Unless they have proactive intrusion detection
scanning in place, you don't know until after they've come in, looked at what
they wanted to, and left.

------
SeanDav
Great, in Diablo 3, the only game I play, Blizzard forces you to be online at
all times, even to play single player and they can't even look after your
passwords.

Just great.

------
cowpewter
So why am I finding out about this via HN/Kotaku? Why haven't I gotten an
email from Blizzard yet? I haven't logged into my Battle.net account in the
past few days, so maybe they're alerting people on login, but you know, a lot
of people don't have the time to game every day, or even every week. An email
alerting me to the need to change my password would be appreciated.

~~~
alanfalcon
I know that marketing messages can take days to weeks to send out because of
the incredible number of customers Blizzard has (and avoiding being flagged as
spam an other considerations). It may be that an e-mail has started going out,
but in the meantime the website and game launcher have been updated with
messaging and Kotaku/WoW Insider/etc. is a pretty good way to get info to
Blizzard's core player base.

------
Steko
Here's the last big thread from when people freaked out about Blizzard's lower
case passwords:

<http://news.ycombinator.com/item?id=4022145>

There's a lot of information about Blizzard's security safeguards, worth the
time to read through.

------
duaneb
Also, Blizzard has a 16-character password limit... seriously disappointing.

~~~
Steko
Blizzard has numerous server side protections that prevent your lower case 16
character p/w from ever being brute forced. It's not that big of a deal.

~~~
natesm
Any password length limitation (within reason, not allowing a 1MB password is
reasonable) says to me "we are not using hashes". That may or may not be the
actual case, but it's the only reason I can think of for limiting password
length. Hashes used for passwords have fixed lengths regardless of input, so
any length password will "fit" in a database column.

If you're using hashes, limiting the lengths of passwords is _extra_ work.

~~~
Steko
"That may or may not be the actual case"

It is not the actual case so I guess your blanket assumption was completely
wrong.

~~~
natesm
I'm not talking about Battle.net specifically. I'm talking about _in general_.
That's merely the impression that a password length limit gives to me, on any
site. Can you think of any another "rational" reason for limiting password
length? I see two possibilities:

1\. They're not using hashes.

2\. They are using hashes, but they don't understand what that actually does,
and that there's no reason to have a limit on input length. The passwords
might be more secure, but it calls into question the general competency of
their security (do they salt? per user?).

This also applies to character restrictions (no ____ characters). I can
understand requiring at least N instances of a class of characters, but the
entire UTF-8 character set should be valid input. If I want an emoji password,
there's no reason to disallow it. bcrypt will be happy to take those bytes.

So, here's a comparison of site purposes and security practices. This is
largely unrelated, but it gives better insight as to what I was talking about,
not just making a random assumption about Battle.net (which I theoretically
have an account at, but I don't really care about it anymore, I don't play
video games anymore).

Chase is a bank. They handle money. They allow up to 32 character passwords,
with no "special" (whatever that means) characters whatsoever.

Twitter is a social networking site. I have a 50 character password of various
character types, because that's how far 1Password will go.

Bank of America is also a bank. Twenty characters. Twenty. Characters. And
none of those are allowed to be "special".

Facebook is user for the same purpose Twitter. I have a 50 character password
there as well.

Why do I trust social sites more than my banks? Security is so messed up.

~~~
Steko
[http://security.stackexchange.com/questions/17949/why-are-
pa...](http://security.stackexchange.com/questions/17949/why-are-passwords-
limited-to-16-characters)

 _If you are to abide by CWE-521: Weak Password Requirements. Then all
passwords must have a min and max password length.

There are two reasons for this. For one, hashing a large amount of data can
cause significant resource consumption on behalf of the server and would be an
easy target for Denial of Service. Especially if the server is using key
stretching such as PBKDF2.

The other concerns is hash length-extension attacks or the prefixing attack
against MD5. However If you are using a hash function that isn't broken, such
as bcrypt or sha-256 and you aren't using an HMAC, then this shouldn't be a
concern._

------
john2x
Tried resetting my password. Blizzard limits it to 16 characters. Why?!

------
Digitalxero
So I went to update my password for my World of Warcraft account after I saw
this.

And guess what I discovered, my current password is more secure than their
current password policy will allow. So I filled out a support ticket with the
following question (which all Blizzard account holders should ask them)

I was wondering why even after you discovered a security breach you have not
updated your password policy to actually allow secure passwords. Your current
password policy only allows password that will take a day or two to brute
force crack. see <http://xkcd.com/936/>

These two rules totally nullify any security of your passwords

"Your password must be between 8–16 characters in length. Your password may
only contain alphabetic characters (A–Z), numeric characters (0–9), and
punctuation."

In fact my current password is better since I apparently created it before
your policy changed to not allow non alpha-numeric characters.

The only reason to have those two rules is because you are storing the
password in plain text so anyone who gets access to the database can read them
freely. Please update your password policy to

"Your password must be at least 20 characters long."

That is it, let me make a 400 character password if I want, let me use
cyrillic, chinese, or whatever other unicode characters I want to use. If you
truly care about security you will fix your broken password policy!

~~~
elithrar
> "The only reason to have those two rules is because you are storing the
> password in plain text so anyone who gets access to the database can read
> them freely."

That is certainly not the only reason to have those rules; in fact, it's
probably one of the least popular reasons.

It's done to keep customers creating short-ish passwords, which are likely to
be more memorable, and therefore reduce the support load for password resets.

Whether this is actually effective or not is another thing entirely.

~~~
Digitalxero
they have a "I am an idiot and forgot my password" button so people forgetting
their passwords is no additional support, and if they allow longer password it
actually makes them easier for people to remember and harder to crack, win
win.

------
Auguste
How can I change my security questions? I can't find them in the account
settings.

~~~
StevenRayOrr
As far as I can tell, you can't. But Blizzard has announced that they will be
putting something in place for users to do that in the next few days. Keep an
eye on your B.Net email.

------
akandiah
I'm not surprised - Blizzard don't understand the meaning of security in the
first place! For instance: the passwords that a user chooses are case-
insensitive. Feel free to try this one out on your battlenet account!

------
hanapbuhay
Here's some detailed information on what happened [1]. A press release from
Mike Morhaime [2]. Also, they're currently working on allowing users update
their secret question and answers [3].

[1]: [http://us.battle.net/support/en/article/important-
security-u...](http://us.battle.net/support/en/article/important-security-
update-faq)

[2]: <http://us.blizzard.com/en-us/securityupdate.html>

[3]: <http://us.battle.net/support/en/blog/6940803>

~~~
LOLvis
Until the secret-answer fix is ready, users are advised to change their the
names of their first pets and/or favorite teachers.

------
suresk
> and information relating to Mobile and Dial-In Authenticators were also
> accessed.

I don't know a ton about 2 factor auth implementation details, but I'm
assuming that if you were able to access the serial # or whatever is used to
uniquely identify an authenticator, you could generate valid tokens,
essentially rendering the 2 factor auth useless?

If so, and if they were also able to access information about the key fob
authenticators, that could be messy. Hopefully that isn't the case.

------
duaneb
Why is it OK to have the security answers not hashed? They are just secondary
passwords, and there is absolutely no reason someone else needs to know it.

~~~
dangrossman
Because they need to do really fuzzy matching for call-in support, which is
where the security question gets most used. Hashing makes that impossible and
raises the average call length since the agent would have to type each
response rather than simply compare to the answer on screen. No amount of
normalization would make "The Blue Dragons" match "Dragons" or "Warwick
Elementary School" match "Warwick", or whatever the answers to the questions
are. Security questions aren't precise like passwords.

------
tterrace
I still haven't received an email about this. My last email from blizzard was
three months ago when I bought D3. I hope they plan on sending out something
soon with a good explanation on why hackers having your ASQ is a really bad
thing.

~~~
tterrace
Also a detailed post-mortem would be neat but I'm not holding my breath on
that one.

------
shadowmint
Hm... I'm getting persistent login failures here now.

Maybe they've disabled something?

"<https://sea.battle.net/login/login.frag> is not available" Error 501
(net::ERR_INSECURE_RESPONSE): Unknown error.

------
vitalique
Looks like Vivendi should have moved quicker with their plans on selling
Activision Blizzard. Poor guys. I wonder how much this sad news will impact
the success of the _WoW: Mists of Pandaria_ (launch planned on 09/25).

~~~
alanfalcon
My guess: almost zero impact, long term.

------
hxf148
Bring on touch screens with print scanners. I really hate login/pass. I
realize in away the more secure the token the more private it can become but
the screens could at least check for a pulse too. (it's late)

------
staunch
Probably explains why the credit card I used there was canceled. Last time was
a few months ago for Steam.

Hackers play games. Hackers hack game companies.

------
smokinjoe
So, what about us with inactive accounts? Is there some sort of action we
should take place?

------
jaredstenquist
I feel much more productive knowing I have no idea what a "battle.net" account
is.

------
Karunamon
16 character max password with no special characters allowed.

.. Are you people _high_ or something? This is 2012, when every major provider
has been owned at least once. Not AOL circa 1995. Get with the program,
Blizzard!

~~~
ZoFreX
While that is bad, according to my napkin calculations that still gives you 82
bits of entropy for your password (if you randomly generate it, taking into
account that they aren't case-sensitive {seriously}).

82 bits is actually "good enough" so, for now, not too big a deal. The bigger
deal is the SHA1 + salt hash they're using to store them!

------
tomkit
They're after my 150K DPS Demon Hunter.

