
Diablo 3 bug report: "Passwords not case-sensitive." - ryanf
http://us.battle.net/d3/en/forum/topic/5152409863
======
loup-vaillant

      Entropy of    [a-z0-9] per character : 5,1  bits
      Entropy of [A-Za-z0-9] per character : 5,95 bits
      Entropy lost by case insensitivity
                            (per character): 0,85 bits (15%)
    

Bottom line: add 2 characters, and your password stays strong. Still, it would
be cool to warn users, or at least explicitly advise them to use longer
passwords.

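Added example (mine, not part of loup-vaillant's post or anything else in the thread): the per-character entropy figures above recomputed from the two alphabet sizes, and the number of extra characters it takes to win the lost bits back at a few password lengths. The alphabets and the lengths tried are my choices.

```python
import math

# Alphabet sizes behind the figures above: what the user types vs. what survives case folding.
MIXED_CASE = 26 + 26 + 10   # [A-Za-z0-9]
FOLDED = 26 + 10            # [a-z0-9]


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one uniformly random character drawn from the alphabet."""
    return math.log2(alphabet_size)


def loss_per_char() -> float:
    """Bits lost per character when a random mixed-case character is case-folded."""
    return bits_per_char(MIXED_CASE) - bits_per_char(FOLDED)


def case_fold_loss(length: int) -> float:
    """Total bits a random [A-Za-z0-9] password of this length loses to case folding."""
    return length * loss_per_char()


def extra_chars_to_compensate(length: int) -> int:
    """Smallest number of extra [a-z0-9] characters that wins back at least what was lost."""
    return math.ceil(case_fold_loss(length) / bits_per_char(FOLDED))


if __name__ == "__main__":
    print(f"[a-z0-9]   : {bits_per_char(FOLDED):.2f} bits/char")
    print(f"[A-Za-z0-9]: {bits_per_char(MIXED_CASE):.2f} bits/char")
    print(f"lost       : {loss_per_char():.2f} bits/char "
          f"({100 * loss_per_char() / bits_per_char(MIXED_CASE):.0f}%)")
    for n in (8, 12, 16):
        print(f"length {n:2d}: loses {case_fold_loss(n):5.2f} bits, "
              f"add {extra_chars_to_compensate(n)} lowercase/digit chars")
```

The loss is the worst case, for a password that was genuinely random over [A-Za-z0-9]; a password that was all lowercase to begin with loses nothing. Two extra characters cover an 8-character password, but a 16-character one needs three.
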
~~~
speleding
Not only is the entropy difference small, there is also an added benefit in
fewer users having to reset their password. Forgetting how their password was
capitalized is a big problem for people.

Letting improved user experience trump a tiny bit of extra security is a good
tradeoff for Blizzard. They're not a bank.

~~~
JackC
FWIW, I think I read at one point that WoW accounts were worth more on the
black market than credit card numbers. So security isn't totally unimportant.

------
karlshea
Facebook does sort of the same thing:

<http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612>

Yes, it's possibly less secure. But for both Facebook and all of the Blizzard
games there are other options if you are concerned.

~~~
tylermenezes
Facebook's is a little better - you can't disregard case entirely. Blizzard
just cut the search space by a lot.

Then again, it would be pretty difficult to brute force a password in
Battle.net, to be honest. I'm assuming they'd lock out the account after just
a handful of tries.

~~~
duaneb
Yea, until someone steals their hashes.

~~~
willvarfar
But there are plenty of password stretching algorithms like bcrypt.

A very reduced keyspace, but we all knew people's password choices are poor
anyway right?

------
Steko
Not a bug.

If you're worried about security as a user, d/l the free authenticator.

If you're worried about Blizzard, don't -- they're big kids. You can run your
10+ million user game platform the way you want, Blizzard will run theirs the
way they want.

~~~
rcgs
Just like how we shouldn't worry about big kids Sony and their 70+ million
network being compromised?

Telling people not to worry about security works until they, inevitably, have
their data compromised. Technically aware consumers have a responsibility to
put pressure on companies to be secure with information.

~~~
Groxx
Precisely the same way, yes. Sony's network being compromised had absolutely
nothing to do with password case sensitivity, and absolutely everything to do
with shoddy practices elsewhere that opened a massive hole into their
database, allowing them to download millions of accounts worth of data.

Millions of accounts from a single breach somewhere. Not millions of accounts
individually brute forced because their case-insensitive passwords made them
trivially guessable.

We _should_ be worried that Blizzard will get hacked like PSN was. That would
be potentially catastrophic. But case sensitivity has almost no effect on
password security unless your users ALL use random passwords.

------
vibrunazo
Complete security newbie here. Doesn't it make brute force attacks almost
worthless when you just have a minimum time between each login request after
too many attempts per IP? So you can only try to log in every 30 seconds after
you've failed 10 times in a row? I thought brute-forcing logins was a thing
of the past after people started implementing this minimum time between
requests strategy.

The only weakness I can imagine would be a massive botnet forcing logins, but
even then it would be severely limited. Am I missing something silly?

~~~
bluecalm
>Am I missing something silly?

Yes. It's not that the bad guys try brute-forcing the login multiple times and
wait to be banned. They could (will/might) steal the db with hashed passwords, do
their decrypting at home and then log in with what they got. The stronger the
password (or the better, i.e. slower to calculate, hash used), the more time they
need for that, thus giving more time for Blizzard to realize passwords were
compromised and block all accounts/force a global password change. Really clever
bad guys can do their homework before they have a chance to put their hands on
hashed passwords by preparing hashes for, say, all passwords which are simple
combinations of words [1]. Now, once the password db is compromised they just look
for matching hashes and have instant access to some accounts. This is why you
are told to use "strong" passwords; if they just try to "brute-force the log-in"
that really wouldn't matter much.

[1] <http://en.wikipedia.org/wiki/Rainbow_table>

~~~
Steko
This assumes they aren't salting the hashes. But Blizzard apparently[1] uses
SRP 6+ which does salt the hashes, meaning if you and I have the same password
we will still have unique hashes.

[1] <http://www.reddit.com/r/netsec/comments/u2168/blizzard_intentionally_makes_passwords_noncase/c4rtmae>

~~~
vibrunazo
That's cool, I had never heard of this.

How is the salt stored to make sure attackers won't just steal your salt
anyway? Wikipedia says "the salt is stored along with the output of the one-
way function" [1]. Does it mean the server needs to store the salt for each
user so it can authenticate the password?

[1] <http://en.wikipedia.org/wiki/Salt_(cryptography)>

~~~
jarito
As the defender, you don't care if the salt is obtained by the attacker. The
salt is not a secret. Its only use is to ensure that each password is hashed
as unique, even if the users chose the same password. Basically, it is for
defeating precomputed databases (rainbow tables), nothing more.

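Added example (mine, not from any post in the thread): the offline attack bluecalm describes and the salt jarito explains, side by side. A precomputed hash-to-password table is built from a constructed word list; against unsalted SHA-1 it cracks every dictionary user without computing a single hash at crack time, while per-user salts make the table useless, force a fresh dictionary pass per user, and PBKDF2's iteration count multiplies the cost of every guess. Word list, users and the storage layout are constructed for the demo; this is not Blizzard's SRP verifier.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real Blizzard data): an attacker's word list and three
# users, two of whom chose the same weak password.
WORD_LIST = ["letmein", "diablo3", "password", "sunshine", "correct battery horse staple"]
USERS = {"alice": "password", "bob": "password", "carol": "zebra-42"}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# --- the "homework" bluecalm describes: precompute hashes before any breach ---
def build_lookup_table(words):
    """hash -> password for every word; a rainbow table is a compressed form of this."""
    return {sha1_hex(w): w for w in words}


def unsalted_store(users):
    """What a naive backend stores: H(password), identical for identical passwords."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def crack_unsalted(stored, table):
    """Zero hash computations at crack time: just look each stored hash up."""
    return {user: table[h] for user, h in stored.items() if h in table}


# --- salted (and optionally stretched) storage ---
def salted_hash(password: str, salt: bytes, iterations: int = 1) -> str:
    # PBKDF2-HMAC-SHA1 with one iteration is just a keyed, salted hash; raising the
    # iteration count is the "stretching" willvarfar mentions (bcrypt does the same job).
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations).hex()


def salted_store(users, iterations: int = 1):
    """Per-user random salt stored next to the hash; the salt is not a secret."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt, iterations))
    return store


def crack_salted(stored, words, iterations: int = 1):
    """The table is useless now: every user costs a fresh pass over the word list and
    every guess costs `iterations` HMAC evaluations. Returns (found, guesses_made)."""
    found, guesses = {}, 0
    for user, (salt, digest) in stored.items():
        for w in words:
            guesses += 1
            if hmac.compare_digest(salted_hash(w, salt, iterations), digest):
                found[user] = w
                break
    return found, guesses


if __name__ == "__main__":
    table = build_lookup_table(WORD_LIST)
    print("unsalted, via table:", crack_unsalted(unsalted_store(USERS), table))
    salted = salted_store(USERS)
    print("salted, via table  :", crack_unsalted({u: h for u, (_, h) in salted.items()}, table))
    found, guesses = crack_salted(salted, WORD_LIST)
    print("salted, brute force:", found, "after", guesses, "guesses")
```

Note that carol, whose password is not in the word list, survives both attacks; the salt changes nothing for her. What the salt does is stop alice and bob from falling together and for free, and what the iteration count does is make each of the attacker's guesses cost as much as a legitimate login.
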
------
Bud
Although this is a really silly bug, I did already know about it (it's the
same in WoW), so frankly at the moment, I'm more concerned about the Diablo 3
bug which is causing a lot of us to not be able to successfully login and
play, at all.

Really not good.

~~~
elithrar
> Although this is a really silly bug,

Personally, I don't believe it is a bug at all. They have obviously made the
decision to not enforce case in an effort to reduce customer service
load/player frustration.

Yes, it reduces the time needed to brute force your password if someone got
hold of their user DB. But 1) we are still talking an excessively long time
(their min. password length is 8) and 2) once they have that, you may have
bigger problems.

Whilst this is only anecdotal (over several years of WoW/SC2), the majority of
compromised Battle.net accounts are through keyloggers/malware and phishing
scams. In those cases, you can have a 40 character password with all the case
sensitivity you like and it won't matter at all.

~~~
drivebyacct2
I don't think anyone's nearly as concerned about case enforcement as they are
about backend storage of passwords. I can assume some (plausibly safe) ways of
storing/verifying passwords that are case insensitive, but I'm not naive
enough to assume _they do_.

~~~
Steko
From reddit:

 _I've reversed Battle.net protocols in full. Here's some facts:

Your plaintext password is never sent in plaintext. Old Battle.net clients
(Diablo 2 and earlier) use what we call the 'old login system' (OLS), which
uses Broken-SHA1 (SHA1 implemented with small bugs). Since Warcraft 3, the
'new login system' (NLS) is used, which uses SRPv6 (a standard for password
exchange using public keys + RSA).

Under OLS, the Broken-SHA1 of the password is stored. Under NLS, a value
called the verifier is stored, which is derived from the (actual) SHA1 of the
password.

The protocols (both OLS and NLS) support case sensitivity just fine - the case
insensitivity is a client-side issue. If you implement the protocol yourself,
you can use a case sensitive password, but the game client won't be able to
log in with it. We used to use that as a security feature in bots.

After a small number of failed logins, your IP is temporarily banned. That
means that bruteforcing is nearly impossible.

Honestly, I don't understand why they have case insensitive passwords; but, at
the same time, it doesn't make that much difference considering only a few
password attempts are allowed before you're banned._

<http://www.reddit.com/r/netsec/comments/u2168/blizzard_intentionally_makes_passwords_noncase/c4rtmae>

~~~
chives
>After a small number of failed logins, your IP is temporarily banned. That
means that bruteforcing is nearly impossible.

If someone is genuinely trying to crack passwords, I'm going to go out on a
limb here and say that they know what proxy servers are and how to use them.

~~~
Steko
After a certain number of attempts even the account is locked out of being
logged into for a period.

Also after being logged into from multiple IPs in a short period it will be
locked.

You guys seriously act like Blizzard just fell off the turnip truck here.

~~~
furyofantares
Unless the list of accounts you want to crack is tiny, a brute force attack
easily gets around per-account rate limiting by simply switching to a
different account before tripping it and coming back to the account later.

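Added example (mine, not from any post in the thread): a toy model of the lockouts Steko describes and the account rotation furyofantares describes. Per-IP and per-account failure counters use a sliding window; a naive attack on one account trips the lock after three failures, while the spray tries one guess per account per pass, rotates source IPs and waits out the window between passes, so it never trips anything. The last function shows the signal a defender needs instead: many distinct accounts failing within one window. Thresholds, accounts, passwords and IPs are all assumptions constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed sample data, not Blizzard's: six accounts (two share a common password),
# a short list of common guesses, and attacker IPs from the RFC 5737 documentation range.
TRUTH = {"alice": "Correct-Horse-42", "bob": "password1", "carol": "letmein",
         "dave": "x7#Qp!zL", "erin": "zebra-shoes-9", "frank": "password1"}
COMMON_GUESSES = ["123456", "password1", "letmein", "diablo"]
ATTACKER_IPS = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]


class LoginGuard:
    """Sliding-window lockouts per IP and per account. Thresholds are assumptions."""

    def __init__(self, truth, ip_limit=5, account_limit=3, window=60):
        self.truth = truth
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.ip_fails = defaultdict(deque)
        self.account_fails = defaultdict(deque)
        self.failure_log = []          # (time, ip, account) for every failed attempt

    def _recent(self, times, now):
        while times and times[0] <= now - self.window:
            times.popleft()
        return len(times)

    def attempt(self, now, ip, account, password):
        if self._recent(self.ip_fails[ip], now) >= self.ip_limit:
            return "ip_banned"
        if self._recent(self.account_fails[account], now) >= self.account_limit:
            return "account_locked"
        if self.truth.get(account) == password:
            return "ok"
        self.ip_fails[ip].append(now)
        self.account_fails[account].append(now)
        self.failure_log.append((now, ip, account))
        return "fail"


def hammer_one_account(guard, account, guesses, ip):
    """Naive brute force of a single account: trips the per-account lock almost at once."""
    return [guard.attempt(t, ip, account, g) for t, g in enumerate(guesses)]


def spray(guard, accounts, guesses, ips):
    """furyofantares' attack: one guess per account per pass, rotate IPs, and wait out
    the window between passes so no counter is ever tripped."""
    compromised, blocked, now = {}, 0, 0
    for i, guess in enumerate(guesses):
        for j, account in enumerate(accounts):
            ip = ips[(i * len(accounts) + j) % len(ips)]
            result = guard.attempt(now, ip, account, guess)
            if result == "ok":
                compromised[account] = guess
            elif result != "fail":
                blocked += 1
            now += 1
        now += guard.window
    return compromised, blocked


def spray_alerts(failure_log, window, max_distinct_accounts):
    """What per-account counters cannot see: many *different* accounts failing inside one
    window. Returns the times at which the distinct-account count exceeded the threshold."""
    alerts = []
    for t, _, _ in failure_log:
        accounts = {a for t2, _, a in failure_log if t - window < t2 <= t}
        if len(accounts) > max_distinct_accounts:
            alerts.append(t)
    return alerts


if __name__ == "__main__":
    print("single account:", hammer_one_account(LoginGuard(TRUTH), "alice", COMMON_GUESSES, ATTACKER_IPS[0]))
    guard = LoginGuard(TRUTH)
    print("spray:", spray(guard, list(TRUTH), COMMON_GUESSES, ATTACKER_IPS))
    print("first alert at t =", spray_alerts(guard.failure_log, guard.window, 4)[:1])
```

The spray never sees a lockout and still walks off with every account that used a listed password; the only thing that would have caught it in this model is the fleet-wide view in spray_alerts, which is what Steko is speculating about when he mentions watching for large-scale distributed attacks.
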
~~~
Steko
There's only say 12-15 million active accounts. Even if you had all of them
you're going to run out of attempts before you reliably brute force anything.
Far more likely is Blizzard looks out for large scale distributed brute force
attacks and locks users to their last handful of confirmed IPs.

That's in the realm of speculation admittedly. Look I'm largely defending
Blizzard here but they aren't paragons of security. For one thing they could
stop a lot of actual real world keyloggers by putting in a randomized screen
pin entry. They never did that but they have been pretty aggressive on many
other fronts. The fact that their passwords are case insensitive is something
that might surprise many people, (and I was mildly shocked when it was pointed
out to me years back because I had been dutifully capitalizing 2 characters in
my p/w....) but it ends up not being of much consequence imho. Almost all
hacks have been keylogger or social. There's one rumored (confirmed?) MITM
attack against the authenticator. There's probably some people that used
123456 etc. but the option for a more secure password probably wasn't going to
help those people, ymmv.

~~~
plorkyeran
Once you limit it to accounts actually worth hacking which don't have an
authenticator you're probably looking at more like a million accounts.

------
gte910h
Use a passphrase then if this bothers you?

If you want to be serious about security of your account, use one of the two
factor authentication systems available that they offer.

The faster passwords stop looking like: C@tV0m!t

And start looking like: correct battery horse staple

the better for security and actually remembering the phrase rather than
writing it down.

(XKCD on this: <http://xkcd.com/936/>)

~~~
TWAndrews
One has to imagine that the actual phrase "correct battery horse staple" is a
fairly poor choice of password, at this point though...

~~~
zobzu
I'm using "archaic hello dog waterpool" so I'm safe.

------
tylermenezes
They don't (or didn't, I haven't checked in the last few months) allow special
characters, either. Seriously - what? (Then again, my bank does the same
thing.)

~~~
nodata
So use a long password without them: password strength is what counts, not
funny rules about special characters and minimum characters.

~~~
duaneb
They also restrict it to <= 16 characters.... Yea, that's still decently
secure, but there's nothing like a 50 character password that's pretty much
impossible to break. I don't get why they put these restrictions on. Probably
some brainless dev decided to make a SQL column 16 bytes wide.

EDIT: That doesn't even make sense, unless they're storing plain-text
passwords.

~~~
Steko
If you're at the point of needing a 50 character passcode for your blizzard
game maybe you should just _download the free authenticator_.

~~~
icebraining
OK, where can I download that _free authenticator_ for my Nokia S60?

~~~
estel
Well, they do offer <http://us.battle.net/support/en/article/battlenet-sms-protect>
which provides an extra (but different) layer of security.

~~~
icebraining
Assuming you're from one of the "supported countries", though, which aren't
listed.

------
chetan51
That seemed like a pretty bad way to handle it by Blizzard, though.

~~~
karlshea
I agree, the mods on that forum seem like they forgot where their last straw
went.

------
gregcmartin
If there is brute force protection on the login function blocking a username
or IP from attempting x times in y hours AND there is a minimum of 8
characters then I can say that's strong protection on the backend. You are much
more vulnerable to having your password phished rather than brute-forced.

------
TomGullen
This isn't a bug at all. I would question the assumption that case sensitivity
increases the actual search space significantly; theoretically it does but in
practice most users will:

- Uppercase first letter only

- All lowercase

It's a usability decision from Blizzard, not a bug.

~~~
peeters
Also, to address this comment in the thread:

> This means they probably store passwords in plain text, unsalted, etc. This
> is unbelievable.

It absolutely does not make that any more likely. All you have to do is
normalize it to upper/lower case before hashing and you have case
insensitivity.

------
tszming
Not sure about Diablo but one of the reasons I can think of why some web
site's password is case-insensitive (it is not uncommon) - they are checking
the user password directly with MySQL, e.g.

    select * from users where user = 'john' and password = 'PASSWORD';
    -- the password is actually case-insensitive if your table collation is ci (which is the default)

Of course this also implies the site is storing the password as plain text..

~~~
gizzlon
is that true if "password" is char or varchar as well? Or only for text
fields?

~~~
tszming
For nonbinary strings (CHAR, VARCHAR, TEXT), string searches use the collation
of the comparison operands

The default character set and collation are latin1 and latin1_swedish_ci, so
nonbinary string comparisons are case insensitive by default.

<http://dev.mysql.com/doc/refman/5.1/en/case-sensitivity.html>

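Added example (mine, not from tszming's posts): the plaintext-comparison query above reproduced on SQLite, next to the lookup-then-verify pattern that avoids the problem. SQLite compares case-sensitively by default, so the MySQL default collation (latin1_swedish_ci) is imitated by declaring the password column COLLATE NOCASE; the user and password are constructed, and the hashed variant uses PBKDF2-HMAC-SHA256 with an iteration count chosen for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def plaintext_db():
    """The anti-pattern: plaintext password in a case-insensitive column (constructed row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT COLLATE NOCASE)")
    db.execute("INSERT INTO users VALUES ('john', 'Secret1')")
    return db


def plaintext_login(db, user, password):
    """The query from the comment above: the column's collation decides the match,
    so 'SECRET1' and 'secret1' both log john in."""
    row = db.execute(
        "SELECT 1 FROM users WHERE user = ? AND password = ?", (user, password)
    ).fetchone()
    return row is not None


def pw_hash(password: str, salt: bytes) -> bytes:
    # 20_000 iterations is a demo value; use a much higher work factor in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def hashed_db():
    """Salted hash stored as a BLOB; no collation applies to bytes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("john", salt, pw_hash("Secret1", salt)))
    return db


def hashed_login(db, user, password):
    """Look the user up by name only; verify the secret in application code, never in SQL."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(pw_hash(password, salt), digest)


if __name__ == "__main__":
    db = plaintext_db()
    print("plaintext + ci collation, 'SECRET1':", plaintext_login(db, "john", "SECRET1"))
    hdb = hashed_db()
    print("salted hash, 'SECRET1':", hashed_login(hdb, "john", "SECRET1"))
    print("salted hash, 'Secret1':", hashed_login(hdb, "john", "Secret1"))
```

On MySQL itself the equivalent of the NOCASE column is simply the default, and a `BINARY` comparison or a `_bin` collation would make the plaintext query case-sensitive again; but the real fix is the second half, where the password never reaches the SQL comparison at all.
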
------
zeroonetwothree
This wouldn't be so bad if they didn't restrict their passwords to at most 16
characters :(.

------
blindhippo
When are we, as a society, going to solve the password problem?

Passwords are a terrible mechanism for solving security - to make them
"secure" you have to enforce stringent policies creating passwords that are
not memorable to many users, leading to passwords being written down. Add in
the fun of needing to know far too many passwords (my daily count is at 17...).

Honestly I don't know enough about cryptography or security in general, but
could an application be locked down using a public/private key (ala, SSH)? I'd
love the ability to generate my own key (with my own password) and assign it
to any application.

~~~
dclowd9901
Probably when bio-based methods of authentication become cheaper and more
commonplace. The problem is the passwords themselves: having to remember
something arbitrary and outside the normal context of your day.

Hell, their sole purpose _is_ to be cumbersome.

------
kecebongsoft
I am interested to know how they are storing case-insensitive passwords if
they were not plain text; the only way I could imagine is by converting them
to all lower/upper case before hashing is performed.

~~~
Jare
I'm curious, why would you doubt that your "only way" would not be what they
do? It works, it's simple, it has no downsides.

~~~
rmc
Some people think that they must be storing the passwords in plain text (
<http://news.ycombinator.com/item?id=4022765>)

------
Shivetya
What about, battletags do not obey Real ID preferences in your Battle.net
account? As in, I was in Diablo 3 beta. I joined numerous public groups.

Apparently anyone who was in those groups can now see if I play World of
Warcraft, which server I am on, and even what zone I am in.

and there is nothing I can do about it. Zero, zilch, oh except buy Diablo 3
and change my settings from there because it can access features of my account
the standard account management system cannot.

------
scoot
Is it completely beyond the bounds of possibility that they're storing the
password as originally entered (salted & hashed), but trying all combinations
of upper / lower case at login-time (only after the entered password fails)?
It would only be for a small subset of logins, and for the majority of
passwords, a manageable number of combinations (2^num-alpha-chars-in-passwd).
I believe Facebook do something similar.

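Added example (mine, not from any post in the thread): the two ways a case-insensitive login can be built on top of a salted hash, as peeters and kecebongsoft describe (fold case before hashing) and as scoot proposes (store the hash of the password exactly as entered and try the case variants only after the first check fails), plus a bounded variant list as a middle ground. The hash is PBKDF2-HMAC-SHA256; the iteration count, the cap on the number of variants and the contents of the bounded list are my assumptions, not anything Blizzard or Facebook is known to do.

```python
import hashlib
import hmac
import itertools
import os

ITERATIONS = 20_000   # demo value; use a much higher work factor in production


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- strategy 1: fold case once, before hashing (case-insensitive, still salted + hashed) ---
def enroll_folded(password: str):
    salt = os.urandom(16)
    return salt, pw_hash(password.casefold(), salt)


def verify_folded(password: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(pw_hash(password.casefold(), salt), digest)


# --- strategy 2: hash the password exactly as typed; on a miss, try case variants ---
def enroll_exact(password: str):
    salt = os.urandom(16)
    return salt, pw_hash(password, salt)


def case_variants(password: str, max_letters: int = 8):
    """All 2^k casings of the k alphabetic characters; refused above max_letters."""
    letters = [i for i, c in enumerate(password) if c.isalpha()]
    if len(letters) > max_letters:
        raise ValueError(f"{2 ** len(letters)} variants is too many to hash per login")
    chars = list(password)
    for bits in itertools.product((0, 1), repeat=len(letters)):
        for i, b in zip(letters, bits):
            chars[i] = password[i].upper() if b else password[i].lower()
        yield "".join(chars)


def verify_all_variants(password: str, record, max_letters: int = 8):
    """Returns (accepted, hashes_computed): the price the server pays for a typo-tolerant login."""
    salt, digest = record
    computed = 1
    if hmac.compare_digest(pw_hash(password, salt), digest):
        return True, computed
    try:
        for variant in case_variants(password, max_letters):
            if variant == password:
                continue
            computed += 1
            if hmac.compare_digest(pw_hash(variant, salt), digest):
                return True, computed
    except ValueError:
        pass   # too many letters: give up on the fallback rather than burn CPU
    return False, computed


# --- middle ground: only a handful of likely mistakes (as typed, Caps Lock on, first letter shifted) ---
def verify_bounded(password: str, record) -> bool:
    salt, digest = record
    candidates = [password, password.swapcase(), password[:1].upper() + password[1:].lower()]
    return any(hmac.compare_digest(pw_hash(c, salt), digest) for c in candidates)


if __name__ == "__main__":
    rec = enroll_exact("Secret1")
    print("exact typing  :", verify_all_variants("Secret1", rec))
    print("all caps      :", verify_all_variants("SECRET1", rec))
    print("wrong password:", verify_all_variants("secret2", rec))
    print("bounded, caps lock on:", verify_bounded("sECRET1", rec))
```

verify_all_variants returns how many hashes the server computed, which is the catch in scoot's scheme: a wrong password against a six-letter one costs 64 PBKDF2 runs and an eight-letter one 256, all of them on the failure path an attacker controls, so the login endpoint becomes its own denial-of-service lever. In exchange the stored hash keeps the full case entropy against an offline attacker. Folding before hashing accepts exactly the same set of passwords online at one hash per attempt, and gives that entropy up in the stored hash; the bounded list keeps the stored entropy at a fixed three hashes per failed login.
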
------
Freestyler_3
I run a phone emulator and run the Blizzard authenticator app on it. Works
great for me and adds some security.

~~~
ufo
Doesn't that kind of defeat the purpose of two-factor authentication?

------
soccerdave
Also, most banks don't enforce case-sensitivity. I just logged in to my Chase
account ignoring the case.

------
RKearney
This has been the case since as long as I can remember. Not sure why it's an
issue all of a sudden.

------
fffggg
The following banks and financial institutions also silently discard case-
sensitivity:

Citibank

Chase

Wells Fargo

E-Trade

US Bank

Fidelity Investments

SECU

HSBC

TechCU

~~~
alirov
I just tried my American Express account and you can add that to the list of
financial institutions discarding case-sensitivity.

