Battle.net authentication misconceptions (skullsecurity.org)
60 points by icehawk 1794 days ago | 36 comments

I don't get what the problem is. It doesn't really make bruteforcing an account feasible that there are only a low quadrillion number of combinations instead of quintillions.


> If you fail a certain number of logins against Battle.net, your IP address is temporarily banned. This makes it fairly difficult to bruteforce most accounts.

"Yes, the passwords are converted to uppercase before hashing. That's probably a bad idea - especially in the modern world - but it really dates back to their first Battle.net game - Diablo - from 1996."

Yup, that's probably a bad idea. Thank goodness you didn't disagree that it's probably a bad idea, like I've seen a ton of nut-jobs do.

That said, I think it's only "probably a bad idea" in terms of protecting people who use the same password on multiple sites, which is "without question a bad idea."

Put me in as a nut job then. I've seen plenty of users who make no distinction whatsoever regarding the case of characters in passwords. One day their password is working, the next day it isn't, and the organization ends up spending the customer care money to deal with it just because they started typing "af" at the end of their password instead of "Af" or whatever.

If you need more complexity in a password, better to just encourage them to use a phrase with the words being the individual complexity rather than the characters. Like it or not, we live in a world where 80% of end users can't turn their wifi radio on and off on their phone, and we need to make systems that are a pleasure to use for them.

Condescension about idiot users is never a very persuasive way to make a point.

> we live in a world where 80% of end users can't turn their wifi radio on and off on their phone

But they still manage to properly enter their case-sensitive password to buy new apps.

> But they still manage to properly enter their case-sensitive password to buy new apps.

Because they never use uppercase in their case-sensitive passwords.

This attitude makes me very angry.

Even if 80% of users don't use capitals in their passwords, the 20% who want that added security don't get it. Even if you believe this made-up statistic due to your condescending attitude towards "normal" users, the password should be case sensitive.

A (very stupid) alternative would be to notify the users that their password isn't case sensitive so that those who mind can use a more secure password.

The argument that "most" users won't be affected is absolutely negated by the fact that some are.

Your anger is based on theory, not practice.

Blizzard takes a lot of steps to ensure your password can't be bruteforced. Even with the (imho unnecessary) limit of 16 chars on the password, you can have all the security you could need, and then some. On top of that, you can get two-factor auth for free in most cases. The "added security" that those people want is in practice not significant at all, and Blizzard had other priorities driving their choices.

If I had to make an auth system I'd probably still opt for case sensitivity, no length limits, and other such best crypto practices, simply because that's the path of least resistance. But my biggest security concerns would be elsewhere.

If you care about the security of your account at all, you should be using an authenticator, and even with a poor password proper two-factor authentication is far more secure than even the best password.

"Average" users have been taught to use strong passwords for a long time now.

Why is it worse to uppercase the password before hashing for people who use the same password on multiple sites? It doesn't matter if it is a 24 character password using every character set possible, if it is the same password they use somewhere else, and that place is compromised, the attacker will be able to use that password to login to the Battle.net account.

The reason is because lowering the entropy of the password makes the Blizzard version easier to crack. If Blizzard is compromised, the passwords won't be disclosed - just the hashes will be, so re-use isn't immediately an issue. It becomes an issue when the hash is cracked and the attacker can now see which password is being reused, and then reuse it. Of course if the reused password is something like "hunter2", the cracked version will look like "HUNTER2", but the original case can be guessed in a few tries once the case-insensitive version is discovered.

Very roughly, case sensitivity provides about a half bit of entropy. For reference, one bit of entropy takes twice as long to crack.

And say what you want about password reuse, but 99% of users re-use passwords at least somewhat, so site owners have an obligation to protect user passwords.

And the random salt used for hashes, and the minimum length of 8 for your password, all but eliminates their database compromise as being a plausible vector of attack.

Plus, caps doesn't add that many bits of entropy, when used as people use it (first letter, alternating letters, etc).

Seems to be a spreading practice for services with huge userbases; Facebook does it: http://www.zdnet.com/blog/facebook/facebook-passwords-are-no...

Facebook does something different. They accept two extra variants of the password (first letter capitalized and case reversed). They don't uppercase the password before hashing or checking. This reduces the security slightly as opposed to uppercasing passwords which reduces the search space significantly.

Facebook does a different thing. It does not allow any casing (sp?). It allows only the right one, the reverse, and the first letter in uppercase.

Blizzard seems to uppercase the given password and hashes that. This method makes a lot of wrong passwords work. In Facebook's case only two more passwords than the original are accepted.
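The difference between the two schemes described in the comments above (uppercase-then-hash versus accepting a few case variants of the typed password), as an added example that is not code from the original thread, from Blizzard, or from Facebook. PBKDF2-HMAC-SHA256 with a random salt stands in for whatever salted hash either site actually uses; the hash choice, the iteration count and the sample password "Hunter2" are assumptions. The last function computes the uniform-choice entropy bound that folding case costs, which is a worst case; the "about half a bit" figure quoted above reflects how people actually use capitals and is not modelled here.

```python
"""Added example (not Blizzard's or Facebook's code): compare the two
case-handling schemes described in the thread.

Assumptions, not from the page: PBKDF2-HMAC-SHA256 with a random 16-byte
salt stands in for whichever salted hash either site uses; the iteration
count is kept small only so the exhaustive case-variant count runs fast.
"""
import hashlib
import hmac
import itertools
import math
import os

ITERATIONS = 1000  # assumption; a real deployment would use far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_uppercased(password: str) -> dict:
    """Battle.net as the thread describes it: uppercase, then hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password.upper(), salt)}


def verify_uppercased(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(hash_password(attempt.upper(), record["salt"]), record["hash"])


def store_exact(password: str) -> dict:
    """Facebook as the thread describes it: hash the password as typed."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_with_variants(record: dict, attempt: str) -> bool:
    """Accept the attempt as typed, case-reversed, or with its first letter
    uppercased (the two extra variants the thread attributes to Facebook)."""
    candidates = {attempt, attempt.swapcase(), attempt[:1].upper() + attempt[1:]}
    return any(
        hmac.compare_digest(hash_password(c, record["salt"]), record["hash"])
        for c in candidates
    )


def accepted_case_variants(password: str, verify, record: dict) -> int:
    """Count how many of the 2^(letters) case variants of `password` the
    given verifier lets in. Exhaustive, so keep the password short."""
    letter_positions = [i for i, c in enumerate(password) if c.isalpha()]
    accepted = 0
    for flips in itertools.product((False, True), repeat=len(letter_positions)):
        chars = list(password)
        for i, upper in zip(letter_positions, flips):
            chars[i] = chars[i].upper() if upper else chars[i].lower()
        if verify(record, "".join(chars)):
            accepted += 1
    return accepted


def bits_lost_by_uppercasing(length: int, full_alphabet: int = 62, folded_alphabet: int = 36) -> float:
    """Worst-case entropy loss for a uniformly random password of `length`
    characters drawn from [A-Za-z0-9] (62 symbols) once case is folded to
    [A-Z0-9] (36 symbols). Real users do not choose uniformly, so the
    thread's 'about half a bit' estimate is far below this bound."""
    return length * math.log2(full_alphabet / folded_alphabet)


if __name__ == "__main__":
    pw = "Hunter2"  # constructed sample password
    up = store_uppercased(pw)
    ex = store_exact(pw)
    print("uppercased scheme accepts", accepted_case_variants(pw, verify_uppercased, up), "case variants")
    print("variant scheme accepts", accepted_case_variants(pw, verify_with_variants, ex), "case variants")
    print("bits lost for a random 8-char alphanumeric password: %.2f" % bits_lost_by_uppercasing(8))
```

For "Hunter2" the uppercase-then-hash scheme accepts all 64 case variants, while the variant scheme accepts exactly three ("Hunter2", "hunter2", "hUNTER2") and rejects "HUNTER2". Note that the first-letter variant only ever helps when the stored password begins with a capital; for an all-lowercase password only the exact and case-reversed forms get in.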

Er, wow. That's horrendous. How in the world can they still blame the first Diablo when they made such a big deal about "Battle.net 2.0" recently? Why do they need to lump the new stuff together with legacy systems using broken security practices?

Most likely because the authentication codebase started with Starcraft, was integrated with Diablo 2, then was basically ported to WoW.

After that, WoW's system was basically integrated into the current Battle.net 2.0 system.

If they ever compromise the bnet database of hashed passwords though it may be a benefit, as the password they re-use may contain uppercase and lowercase letters, which the bnet database has no way of representing.

If the passwords are stored using proper key stretching techniques and salting, they don't need to have much entropy to withstand brute-forcing. It's not necessarily a problem that lowercase letters do not contribute. However, it is a completely unnecessary lowering of entropy.

My lesson from this is: it always pays to think about and understand even the seemingly most trivial decision. You may be stuck with it for decades.

He's actually wrong. Starcraft introduced usernames/passwords and unique names to Battle.net in early 1998. The support was then patched into Diablo 1.05. Diablo I's Battle.net functionality did not originally include usernames/passwords at all.

It was quite a strange little architecture, initially. Your displayed name was whatever you'd named your character, with the distinguishing feature being an "account number" that could be re-generated by deleting a file in your Diablo directory (the corollary being if you didn't back the file up, your account number would change upon a reformat or migration to a new computer).

Ultra minor nit-pick, but your account number was stored in a registry entry (HKEY_LOCAL_MACHINE\SOFTWARE\Battle.net\Configuration), not a file.

The account number consisted of four parts:

  Registration Version: This was always 1 for all the account numbers that I still have lying around.
  Registration Authority: I don't actually remember what this was used for.
  Client ID: The actual account number.
  Client Token: Random number used to verify the validity of the Client ID.

Or you used a tool to change your account to 1537 and nobody could ever find you because hundreds, if not thousands, of people all used that same shared account.

Hopefully this lays some of the paranoid guys to rest.

It's alright to be paranoid, but most of the security-related posts on the Diablo 3 forums I've seen have been pure FUD.

Warning: somewhat unrelated and probably a rant:

Can I just say that Blizzard's handling of the Diablo 3 launch was a travesty on so many levels? First of all, nothing worked. No one could login to play, despite their stress testing beta and having a large percentage of players sign up and predownload far before launch. Their response was the now internet famous "Error 37," an absolutely useless message for users. If everything was going to be completely broken, they could have at least provided a useful error message saying "We're getting more traffic than anticipated and will notify you when the servers are ready." or something.

Seriously one of the most disappointing end user experiences I have ever had, and there's no way for me to return my $60 download.

Really? Yours is a common complaint, so perhaps I'm just weird, but I was neither surprised nor upset by the opening day crunch. It was certainly nothing compared to, for example, WoW's release day. Or some of Steam's releases, back in the day.

With D3, I logged in on release day, got the error a few times. Came back a couple hours later, and managed to log in. Played around a bit, had a good time. There were some occasional lag spikes, but nothing catastrophic. The next day, I had no problems with logging in at all (only a very occasional lag spike). All days since have been smooth sailing.

It was one day. Get over it. The game has worked very well since.

Not totally well. I still get lag spikes in a _single player game_. It's really confusing to me why they make the client rely on the server, especially when I've turned off "quick join" mode.

Diablo 3 isn't a single player game with an online component, it is an online game you can choose to play solo.

I agree with this choice, especially with games like Diablo. Yes, there is that subset of players who will only play through the campaign alone and never touch it again, but the majority are going to play on battlenet and there would be no reason to even play offline.

That's just not true. Most people who buy Starcraft 2, for example, only use it to play the single player mode, even though SC2 is even closer to a pure multiplayer game than Diablo.

Forcing you to be online at all times leads to terrible user experience (it is strictly worse than just disabling some features when you lose the connection like SC2 does), so I believe Blizzard is purely motivated by DRM in this matter.

Blizzard is motivated by protecting the online economy, and keeping complexity and user confusion down.

They tried allowing local machine play before, but it resulted in a few problems:

- If they allowed you to play your solo player in groups, it opened the floodgates for hacked items and gold.

- If they forbade you from playing your solo player in groups, it caused massive consumer confusion and anger because you couldn't play your character, whom you'd built up over weeks, with your friends.

If you simply store all character info server-side and keep it there, you solve both problems: No more direct hacking of the data, and no more confused users. The cost is that users can't play the game offline, but that's a less serious problem than the other two.

I disagree. Whatever you have to say about the hacked stuff in Diablo 2, it didn't really make the game much less fun, neither for people hacking it nor for people playing it straight.

The problem they're solving isn't a problem that players have. It's that they want to make money off Diablo microtransactions, and they think they can't do that in the presence of hacked characters and items.

Actually, it did make the game less fun. Same for Borderlands.

With hacked items, there was no point in playing a public game, because chances were high that one or more players had hacked items which allowed them to kill enemies in one shot, or made them virtually indestructible, thus trivializing the game. The end result was that you'd only risk playing with close friends, unless you finally gave in and used hacked items yourself just so you'd have a chance when playing with others.

Also, as rare items become as common as sand due to hacking, the marketplaces are ruined, since hacked "super rare" items depress prices to the point that it's only worthwhile to sell in bulk, which is only possible if you hack. It also causes bleed over into my previous point, as regular non-hacking users acquire hacked items via the marketplace without necessarily realizing it, and the game is further trivialized, with everyone decked out in super rares that they bought for 1000 gold each. Now you must choose between a trivial game, and a "legit" game where everyone else runs circles around you because your gear is crappy by comparison.

No. Blizzard made the right choice here, and I for one applaud their decision.

Blizzard said something about trying to avoid confusion, but I don't think anyone was actually confused about their inability to play solo characters on BNet in D2.

I played D2 with a number of non-technical people, and it took quite a bit of explaining before they finally understood why they couldn't play their solo characters online. Their usual response at the end was "well, that's stupid."
