

Battle.net authentication misconceptions - icehawk
http://www.skullsecurity.org/blog/2012/battle-net-authentication-misconceptions

======
ralfd
I don't get what the problem is. It doesn't really make brute-forcing an
account feasible that there are only a lower quadrillion number of
combinations instead of a quintillion.

Quote:

> If you fail a certain number of logins against Battle.net, your IP address
> is temporarily banned. This makes it fairly difficult to bruteforce most
> accounts.

------
VikingCoder
"Yes, the passwords are converted to uppercase before hashing. That's probably
a bad idea - especially in the modern world - but it really dates back to
their first Battle.net game - Diablo - from 1996."

Yup, that's probably a bad idea. Thank goodness you didn't disagree that it's
probably a bad idea, like I've seen a ton of nut-jobs do.

That said, I think it's only "probably a bad idea" in terms of protecting
people who use the same password on multiple sites, which is "without question
a bad idea."

~~~
nmb
Seems to be a spreading practice for services with huge userbases; Facebook
does it:
http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612

~~~
ianburrell
Facebook does something different. They accept two extra variants of the
password (first letter capitalized and case reversed). They don't uppercase
the password before hashing or checking. This reduces the security slightly as
opposed to uppercasing passwords which reduces the search space significantly.
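To make the difference ianburrell describes concrete, here is an added Python example (not code from this thread, from Blizzard or from Facebook) that models the two policies exactly as the comment states them: fold to uppercase before hashing on one side, and hash as typed but also accept the first-letter-capitalized and case-reversed forms of the attempt on the other. It then counts how many casings of a stored password each policy lets in, and how many distinct login-equivalence classes remain for letters-only passwords of a given length. The unsalted SHA-256, the function names and the sample passwords are assumptions made for illustration.

```python
import hashlib
import itertools

# Toy hash: unsalted SHA-256 so that equivalent inputs are visibly equal.
# A real credential store would use a salted, slow password hash instead.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Policy A (as the thread describes Battle.net): fold to uppercase, then hash.
def store_uppercased(password: str) -> str:
    return hash_password(password.upper())

def verify_uppercased(stored: str, attempt: str) -> bool:
    return store_uppercased(attempt) == stored

# Policy B (as ianburrell describes Facebook): hash the password as typed, but at
# login also try the first-letter-capitalized and the case-reversed attempt.
def store_exact(password: str) -> str:
    return hash_password(password)

def verify_with_variants(stored: str, attempt: str) -> bool:
    candidates = {attempt, attempt[:1].upper() + attempt[1:], attempt.swapcase()}
    return any(hash_password(c) == stored for c in candidates)

SCHEMES = {
    "uppercased": (store_uppercased, verify_uppercased),
    "variants": (store_exact, verify_with_variants),
}

def case_variants(word: str):
    """Yield every casing of a letters-only word (2**len(word) of them)."""
    for funcs in itertools.product((str.lower, str.upper), repeat=len(word)):
        yield "".join(f(ch) for f, ch in zip(funcs, word))

def accepted_variant_count(password: str, scheme: str) -> int:
    """How many casings of `password` log in against its stored hash under `scheme`."""
    store, verify = SCHEMES[scheme]
    stored = store(password)
    return sum(1 for variant in case_variants(password) if verify(stored, variant))

def distinct_classes(length: int, scheme: str) -> int:
    """Lower bound on distinct login-equivalence classes among letters-only passwords.

    Uppercasing collapses 52 letters to 26, so only 26**n classes remain.
    Variant acceptance groups each password with at most two others, so at
    least ceil(52**n / 3) classes remain (integer ceiling below).
    """
    if scheme == "uppercased":
        return 26 ** length
    if scheme == "variants":
        return (52 ** length + 2) // 3
    raise ValueError(scheme)

if __name__ == "__main__":
    # Constructed sample password; prints accepted casings and class counts per policy.
    for scheme in SCHEMES:
        print(scheme, accepted_variant_count("Secret", scheme), distinct_classes(8, scheme))
```

For a six-letter password, uppercasing accepts all 64 casings, while variant acceptance lets in at most three, and for eight-letter passwords the folded policy leaves 26^8 classes against more than a third of 52^8 for the variant policy; that is the "slightly" versus "significantly" in the comment above, measured rather than asserted.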

------
tzaman
Hopefully this lays some of the paranoid guys to rest.

~~~
Auguste
It's alright to be paranoid, but most of the security-related posts on the
Diablo 3 forums I've seen have been pure FUD.

------
alexrp
I'm just going to interject here:
http://xtzgzorex.wordpress.com/2012/05/26/grunt-auth-misconceptions/

------
bicknergseng
Warning: somewhat unrelated and probably a rant:

Can I just say that Blizzard's handling of the Diablo 3 launch was a travesty
on so many levels? First of all, nothing worked. No one could login to play,
despite their stress testing beta and having a large percentage of players
sign up and predownload far before launch. Their response was the now internet
famous "Error 37," an absolutely useless message for users. If everything was
going to be completely broken, they could have at least provided a useful
error message saying "We're getting more traffic than anticipated and will
notify you when the servers are ready." or something.

Seriously one of the most disappointing end user experiences I have ever had,
and there's no way for me to return my $60 download.

~~~
rmassie
It was one day. Get over it. The game has worked very well since.

~~~
ubercore
Not totally well. I still get lag spikes in a _single player game_. It's
really confusing to me why they make the client rely on the server, especially
when I've turned off "quick join" mode.

~~~
thehermit
Diablo 3 isn't a single player game with an online component, it is an online
game you can choose to play solo.

I agree with this choice, especially with games like Diablo. Yes, there is
that subset of players who will only play through the campaign alone and never
touch it again, but the majority are going to play on Battle.net and there would
be no reason to even play offline.

~~~
algorias
That's just not true. Most people who buy Starcraft 2, for example, only use
it to play the single player mode, even though SC2 is even closer to a pure
multiplayer game than Diablo.

Forcing you to be online at all times leads to terrible user experience (it is
strictly worse than just disabling some features when you lose the connection
like SC2 does), so I believe Blizzard is purely motivated by DRM in this
matter.

~~~
kstenerud
Blizzard is motivated by protecting the online economy, and keeping complexity
and user confusion down.

They tried allowing local machine play before, but it resulted in a few
problems:

- If they allowed you to play your solo player in groups, it opened the
floodgates for hacked items and gold.

- If they forbade you from playing your solo player in groups, it caused
massive consumer confusion and anger because you couldn't play your character,
whom you'd built up over weeks, with your friends.

If you simply store all character info server-side and keep it there, you
solve both problems: No more direct hacking of the data, and no more confused
users. The cost is that users can't play the game offline, but that's a less
serious problem than the other two.

~~~
mquander
I disagree. Whatever you have to say about the hacked stuff in Diablo 2, it
didn't really make the game much less fun, either for people hacking it or
for people playing it straight.

The problem they're solving isn't a problem that players have. It's that they
want to make money off Diablo microtransactions, and they think they can't do
that in the presence of hacked characters and items.

~~~
kstenerud
Actually, it did make the game less fun. Same for Borderlands.

With hacked items, there was no point in playing a public game, because
chances were high that one or more players had hacked items which allowed them
to kill enemies in one shot, or made them virtually indestructible, thus
trivializing the game. The end result was that you'd only risk playing with
close friends, unless you finally gave in and used hacked items yourself just
so you'd have a chance when playing with others.

Also, as rare items become as common as sand due to hacking, the marketplaces
are ruined, since hacked "super rare" items depress prices to the point that
it's only worthwhile to sell in bulk, which is only possible if you hack. It
also causes bleed over into my previous point, as regular non-hacking users
acquire hacked items via the marketplace without necessarily realizing it, and
the game is further trivialized, with everyone decked out in super rares that
they bought for 1000 gold each. Now you must choose between a trivial game,
and a "legit" game where everyone else runs circles around you because your
gear is crappy by comparison.

No. Blizzard made the right choice here, and I for one applaud their decision.

