> If you fail a certain number of logins against Battle.net, your IP address is temporarily banned. This makes it fairly difficult to bruteforce most accounts.
Yup, that's probably a bad idea. Thank goodness you didn't disagree that it's probably a bad idea, like I've seen a ton of nut-jobs do.
That said, I think it's only "probably a bad idea" in terms of protecting people who use the same password on multiple sites, which is "without question a bad idea."
If you need more complexity in a password, better to just encourage them to use a phrase with the words being the individual complexity rather than the characters. Like it or not, we live in a world where 80% of end users can't turn their wifi radio on and off on their phone, and we need to make systems that are a pleasure to use for them.
> we live in a world where 80% of end users can't turn their wifi radio on and off on their phone
But they still manage to properly enter their case-sensitive password to buy new apps.
Because they never use uppercase in their case-sensitive passwords.
Even if 80% of users don't use capitals in their passwords, the 20% who want that added security don't get it. Even if you believe this made-up statistic due to your condescending attitude towards "normal" users, the password should be case sensitive.
A (very stupid) alternative would be to notify the users that their password isn't case sensitive so that those who mind can use a more secure password.
The argument that "most" users won't be affected is absolutely negated by the fact that some are.
Blizzard takes a lot of steps to ensure your password can't be bruteforced. Even with the (imho unnecessary) limit of 16 chars on the password, you can have all the security you could need, and then some. On top of that, you can get two-factor auth for free in most cases. The "added security" that those people want is in practice not significant at all, and Blizzard had other priorities driving their choices.
If I had to make an auth system I'd probably still opt for case sensitivity, no length limits, and other such best crypto practices, simply because that's the path of least resistance. But my biggest security concerns would be elsewhere.
Very roughly, case sensitivity provides about a half bit of entropy. For reference, one bit of entropy takes twice as long to crack.
And say what you want about password reuse, but 99% of users re-use passwords at least somewhat, so site owners have an obligation to protect user passwords.
Plus, caps don't add that many bits of entropy when used as people use them (first letter, alternating letters, etc.).
Blizzard seems to uppercase the given password and hash that. This method makes a lot of wrong passwords work. In Facebook's case only two more passwords than the original are accepted.
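As an added illustration of the distinction this comment draws (example code written for this page, not Blizzard's or Facebook's implementation), the script below enrols a constructed sample password two ways: folding to upper case before hashing, versus storing the exact hash and trying a small set of corrected spellings at login. It then exhaustively enumerates every case-variant of the password and counts how many each scheme accepts. The two corrections tried by the tolerant verifier (whole string case-swapped, first character case-flipped) are my modelling of the "two more passwords" the comment attributes to Facebook, not a documented spec; the PBKDF2 parameters are placeholders kept small so the exhaustive demo runs quickly.

```python
import hashlib
import hmac
import math
import os
from itertools import product

# Illustrative example, not Blizzard's or Facebook's code. The iteration count is
# deliberately low so the exhaustive comparison below runs in well under a second;
# a production KDF would use a far higher cost (assumption: PBKDF2-SHA256 stands in
# for whatever password hash a real service uses).
KDF_ITERATIONS = 1_000


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def enroll_folding(password: str) -> dict:
    """Normalize to upper case *before* hashing, as the comment says Battle.net
    appears to do. The stored digest can no longer distinguish any two passwords
    that differ only in letter case."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": kdf(password.upper(), salt)}


def verify_folding(candidate: str, record: dict) -> bool:
    return hmac.compare_digest(kdf(candidate.upper(), record["salt"]), record["digest"])


def enroll_exact(password: str) -> dict:
    """Hash the password exactly as typed; case information survives in the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": kdf(password, salt)}


def verify_tolerant(candidate: str, record: dict) -> bool:
    """Verify-time tolerance against an exact digest. Besides the candidate itself,
    two corrected forms are tried (my model of the Facebook behaviour, an assumption):
    the whole string case-swapped (caps lock left on) and the first character's case
    flipped (mobile keyboard auto-capitalisation). At most these three strings can
    ever be accepted for a given stored password."""
    first_flipped = candidate[:1].swapcase() + candidate[1:]
    for attempt in (candidate, candidate.swapcase(), first_flipped):
        if hmac.compare_digest(kdf(attempt, record["salt"]), record["digest"]):
            return True
    return False


def case_variants(password: str) -> set:
    """Every string that differs from `password` only in ASCII letter case."""
    choices = [(c.lower(), c.upper()) if c.isascii() and c.isalpha() else (c,)
               for c in password]
    return {"".join(p) for p in product(*choices)}


def accepted_variants(password: str, enroll, verify) -> set:
    """Exhaustively check which case-variants of `password` a scheme lets in."""
    record = enroll(password)
    return {v for v in case_variants(password) if verify(v, record)}


def lost_bits(password: str, enroll, verify) -> float:
    """log2 of the number of accepted spellings: the part of the case-search space
    a guesser no longer has to cover."""
    return math.log2(len(accepted_variants(password, enroll, verify)))


if __name__ == "__main__":
    pw = "secret1"  # constructed sample password; 6 letters -> 64 case-variants
    schemes = (("fold-then-hash", enroll_folding, verify_folding),
               ("exact hash + 3 tries", enroll_exact, verify_tolerant))
    for name, enroll, verify in schemes:
        acc = accepted_variants(pw, enroll, verify)
        print(f"{name:22s} accepts {len(acc):3d} of {len(case_variants(pw))} "
              f"case-variants (~{math.log2(len(acc)):.2f} bits given away)")
```

For a six-letter password the folding scheme accepts all 64 spellings (the full 6 bits of case information are gone from the digest), while the verify-time scheme accepts exactly three: the original, the caps-lock version and the first-letter-flipped version, which is the "two more passwords" figure. The trade-off is that the tolerant verifier may compute up to three KDFs per login attempt, whereas folding computes one.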
After that, WoW's system was basically integrated into the current Battle.net 2.0 system.
My lesson from this is: it always pays to think about and understand even the seemingly most trivial decision. You may be stuck with it for decades.
It was quite a strange little architecture, initially. Your displayed name was whatever you'd named your character, with the distinguishing feature being an "account number" that could be re-generated by deleting a file in your Diablo directory (the corollary being if you didn't back the file up, your account number would change upon a reformat or migration to a new computer).
The account number consisted of four parts:
- Registration Version: This was always 1 for all the account numbers that I still have lying around.
- Registration Authority: I don't actually remember what this was used for.
- Client ID: The actual account number.
- Client Token: Random number used to verify the validity of the Client ID.
Can I just say that Blizzard's handling of the Diablo 3 launch was a travesty on so many levels? First of all, nothing worked. No one could log in to play, despite their stress-testing beta and a large percentage of players having signed up and pre-downloaded far before launch. Their response was the now internet-famous "Error 37," an absolutely useless message for users. If everything was going to be completely broken, they could have at least provided a useful error message saying "We're getting more traffic than anticipated and will notify you when the servers are ready." or something.
Seriously one of the most disappointing end user experiences I have ever had, and there's no way for me to return my $60 download.
With D3, I logged in on release day, got the error a few times. Came back a couple hours later, and managed to log in. Played around a bit, had a good time. There were some occasional lag spikes, but nothing catastrophic. The next day, I had no problems with logging in at all (only a very occasional lag spike). All days since have been smooth sailing.
I agree with this choice, especially with games like Diablo. Yes, there is that subset of players who will only play through the campaign alone and never touch it again, but the majority are going to play on Battle.net and there would be no reason to even play offline.
Forcing you to be online at all times leads to terrible user experience (it is strictly worse than just disabling some features when you lose the connection like SC2 does), so I believe Blizzard is purely motivated by DRM in this matter.
They tried allowing local machine play before, but it resulted in a few problems:
- If they allowed you to play your solo player in groups, it opened the floodgates for hacked items and gold.
- If they forbade you from playing your solo player in groups, it caused massive consumer confusion and anger because you couldn't play your character, whom you'd built up over weeks, with your friends.
If you simply store all character info server-side and keep it there, you solve both problems: No more direct hacking of the data, and no more confused users. The cost is that users can't play the game offline, but that's a less serious problem than the other two.
The problem they're solving isn't a problem that players have. It's that they want to make money off Diablo microtransactions, and they think they can't do that in the presence of hacked characters and items.
With hacked items, there was no point in playing a public game, because chances were high that one or more players had hacked items which allowed them to kill enemies in one shot, or made them virtually indestructible, thus trivializing the game. The end result was that you'd only risk playing with close friends, unless you finally gave in and used hacked items yourself just so you'd have a chance when playing with others.
Also, as rare items become as common as sand due to hacking, the marketplaces are ruined, since hacked "super rare" items depress prices to the point that it's only worthwhile to sell in bulk, which is only possible if you hack. It also causes bleed-over into my previous point, as regular non-hacking users acquire hacked items via the marketplace without necessarily realizing it, and the game is further trivialized, with everyone decked out in super rares that they bought for 1000 gold each. Now you must choose between a trivial game and a "legit" game where everyone else runs circles around you because your gear is crappy by comparison.
No. Blizzard made the right choice here, and I for one applaud their decision.