A recent and depressing article on ArsTechnica details how easily and quickly crackers can break even quite lengthy and obscure passwords.
We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.
The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")
...The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."
This article is mostly about a higher level of password cracking; basically how encrypted password files are broken, but it does underline and illustrate just how fragile is the security provided by your 8 or 10 letter string, especially if much/most of it is composed of real words, rather than (Lethe-inducing) alphanumeric gibberish. Hence the necessity of second level security measures, such as authenticators.
As a Blue would tell you, Blizzard sells authenticators at cost, and offers mobile authentication for free via cell phone text messaging. You've really got no excuse not to use one of these, given the real world value of your Diablo 3 items.
Results 1 to 10 of 26
09-06-2013, 04:13 #1
- Join Date
- Apr 2013
Why you need a Diablo 3 Authenticator.
09-06-2013, 04:48 #2Ashman23Guest
I\'d love to know how they do this, just so I know how to make a more secure password etc.
09-06-2013, 05:03 #3WarlordshipGuest
All this article means, is that if a hacker gets a hold of a list of simply MD5 hashed passwords, they can crack them all relatively quickly. No matter how complex your password at that point, the only thing that will make your password harder to decrypt would be to make it longer.
All of this takes place offline, by the way. It\'s why companies who do believe their hashed lists may have been stolen will inform the public. Since no company doing any serious business would encrypt in as simple as MD5, it is hoped that all (or most) of their customers will change their passwords before some (if any) of the passwords on such a list can be decrypted.
In other words, making a more secure password is, honestly, more about length and not complexity. Since a password cracker would have to assume you COULD use upper case and lower case and special characters and numbers, it would have to check every single possible combination of every character in every slot. And the longer the password, the more complex it gets.
XKCD exampled it here in a comic a while ago: http://xkcd.com/936/
09-06-2013, 05:22 #4
- Join Date
- Apr 2009
I have never played a console game, so I\'m clueless about this
how will the D3 console versions versions ?
will players still need to login ?
or is miltiplayer ties to their console or what ?
I can\'t imagine a console player using a virtual keyboard to type in the authenticator code
09-06-2013, 05:28 #5Tiago SáGuest
three rules of thumb:
the bigger the password, the better
no words or number sequences (and changing a\'s for @\'s and e\'s for 3\'s won\'t do it either)
use an abundance of random letters, numbers, spaces and special characters.
12345a - awful
hello123Amsterdam - bad
h£11o123@mst3rd@m - just as bad
kAS23@0l_ pa! - good
lç\"*a¨|2\'S655a8/ asç - fantastic, virtually uncrackable under today\'s technology
The answer? Use the god damn password manager. Let your browser save your passwords for you or use a third party password manager if you want to take them with you with ease. Let me also remind you that both Firefox and Chrome have sync features that let you access your data from remote computers. Firefox\'s sync is a bit safer since it\'s encrypted client-side before it\'s send of the web, so there\'s absolutely no way to steal your info, but Chrome\'s good too, I guess.
09-06-2013, 05:40 #6
That\'s why there\'s no AH of any kind on consoles. And if they\'re smart, no remote trading of any kind, even drop trading, or else d2jsp will come back w/ a vengeance.
As to this, it really drives home the fact that the whole password/user system isn\'t going to cut it in the near future. You can get a thumb print scanner <img src=\"http://www.tutorialers.com/wp-content/uploads/2013/02/fingerprint-reader-tutorialers.jpg\"> but most places don\'t support it yet. Retina scanners <img src=\"http://farm4.staticflickr.com/3362/5743764441_6c67e8f055_z.jpg\"> are even further off, but w/ smart phone cameras, not too far fetched. Just watch out for Wesley Snipes in a blonde flat top...
09-06-2013, 07:53 #7
- Join Date
- Sep 2012 BattleTag Fizoo-1366
I don\'t understand why people assert that no serious company would use merely simple encryption. There was a story just last year Microsoft got hacked and it turns out password info was stored in a plan text file, completely unencrypted.
09-06-2013, 08:01 #8FaramisGuest
Exactly. If you get hacked and you do not use authenticator, it is your and your fault only, because anyone can get authenticator and that **** is ubreakable. The odds of someone correcticly guessing the authenticator key at any moments have to close to zero.
09-06-2013, 08:03 #9TheDoc42Guest
The article is fairly well written, I\'d give it a try.
09-06-2013, 09:57 #10
- Join Date
- Aug 2005
\"Since no company doing any serious business would encrypt in as simple as MD5\"
Unfortunately there are many, many companies \"doing serious business\" that store passwords in plaintext, so of course there will also be many that do it in simple MD5.