  1. #1
    IncGamers News Service
    Join Date
    Apr 2013

    Why you need a Diablo 3 Authenticator.

    A recent and depressing article on ArsTechnica details how easily and quickly crackers can break even quite lengthy and obscure passwords.

    We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

    The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")

    ...The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."

    This article is mostly about a higher level of password cracking, basically how encrypted password files are broken, but it does underline and illustrate just how fragile the security provided by your 8 or 10 letter string is, especially if much or most of it is composed of real words rather than (Lethe-inducing) alphanumeric gibberish. Hence the necessity of second level security measures, such as authenticators.

    As a Blue would tell you, Blizzard sells authenticators at cost, and offers mobile authentication for free via cell phone text messaging. You've really got no excuse not to use one of these, given the real world value of your Diablo 3 items.

  2. #2
    I'd love to know how they do this, just so I know how to make a more secure password etc.

  3. #3
    All this article means is that if a hacker gets a hold of a list of simply MD5 hashed passwords, they can crack them all relatively quickly. No matter how complex your password at that point, the only thing that will make your password harder to decrypt would be to make it longer.

    All of this takes place offline, by the way. It's why companies who do believe their hashed lists may have been stolen will inform the public. Since no company doing any serious business would encrypt in as simple as MD5, it is hoped that all (or most) of their customers will change their passwords before some (if any) of the passwords on such a list can be decrypted.

    In other words, making a more secure password is, honestly, more about length and not complexity. Since a password cracker would have to assume you COULD use upper case and lower case and special characters and numbers, it would have to check every single possible combination of every character in every slot. And the longer the password, the more complex it gets.

    XKCD exampled it here in a comic a while ago:

  4. #4
    IncGamers Member
    Join Date
    Apr 2009
    I have never played a console game, so I'm clueless about this

    how will the D3 console versions work?

    will players still need to login?
    or is multiplayer tied to their console or what?
    I can't imagine a console player using a virtual keyboard to type in the authenticator code

  5. #5
    Tiago Sá
    three rules of thumb:

    the bigger the password, the better
    no words or number sequences (and changing a's for @'s and e's for 3's won't do it either)
    use an abundance of random letters, numbers, spaces and special characters.


    12345a - awful
    hello123Amsterdam - bad
    h£11o123@mst3rd@m - just as bad
    kAS23@0l_ pa! - good
    lç\"*a¨|2\'S655a8/ asç - fantastic, virtually uncrackable under today\'s technology

    The answer? Use the god damn password manager. Let your browser save your passwords for you or use a third party password manager if you want to take them with you with ease. Let me also remind you that both Firefox and Chrome have sync features that let you access your data from remote computers. Firefox's sync is a bit safer since it's encrypted client-side before it's sent over the web, so there's absolutely no way to steal your info, but Chrome's good too, I guess.
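An added example, not from this thread or the Ars article, that puts numbers on post #3's length-over-complexity argument and on the password rankings above: it confirms that the two hashes quoted in the first post are unsalted MD5 of the plains Ars names, then scores a password two ways, as a pure brute-force keyspace and as a cracker would see it, with each dictionary word (after undoing leet-speak) costing one guess instead of many random characters. The character-class sizes, the word-list size `DICT_SIZE`, the mini word list `WORDS` and the `UNLEET` map are constructed assumptions, not anything the thread supplies.

```python
import hashlib
import math
import string

# Alphabet sizes for the brute-force estimate (printable ASCII classes; constructed).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation + " "]
OTHER_SIZE = 96      # assumed size of the non-ASCII class for characters such as "£"
DICT_SIZE = 2 ** 17  # assumed size of a cracker's word list (~131k entries)
WORDS = {"hello", "amsterdam", "password", "letmein", "pizza"}  # constructed mini word list
# Leet substitutions a rule-based attack undoes; one char to one char, so length is preserved.
UNLEET = str.maketrans({"@": "a", "$": "s", "£": "e", "3": "e", "1": "l", "0": "o"})

def md5_hex(plain: str) -> str:
    """Unsalted MD5 exactly as in the leaked list: one cheap hash per guess."""
    return hashlib.md5(plain.encode("utf-8")).hexdigest()

def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an exhaustive search covers: length * log2(alphabet)."""
    if not pw:
        return 0.0
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    if any(ord(c) > 126 for c in pw):
        alphabet += OTHER_SIZE
    return len(pw) * math.log2(alphabet)

def dictionary_bits(pw: str) -> float:
    """Cracker-aware estimate: undo leet-speak for matching, charge each dictionary
    word as one guess among DICT_SIZE, and brute-force only the leftover characters."""
    probe = pw.translate(UNLEET).lower()
    keep = [True] * len(pw)          # characters not explained by a word
    bits = 0.0
    for word in sorted(WORDS, key=len, reverse=True):
        start = probe.find(word)
        while start != -1:
            if all(keep[start:start + len(word)]):
                bits += math.log2(DICT_SIZE)
                keep[start:start + len(word)] = [False] * len(word)
            start = probe.find(word, start + 1)
    rest = "".join(c for c, k in zip(pw, keep) if k)
    return bits + brute_force_bits(rest)

if __name__ == "__main__":
    # The two hashes quoted from the Ars article resolve to the plains it names.
    print(md5_hex("password"), md5_hex("password1"))
    for pw in ["12345a", "hello123Amsterdam", "h£11o123@mst3rd@m", "kAS23@0l_ pa!"]:
        print(f"{pw!r:22} brute-force {brute_force_bits(pw):6.1f} bits"
              f"  cracker-aware {dictionary_bits(pw):6.1f} bits")
```

The leet-speak variant scores exactly the same as its plain form once the substitutions are undone, while the shorter random string keeps its full brute-force cost because no word list explains it.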

  6. #6
    IncGamers Member trocadero's Avatar
    Join Date
    Feb 2013
    That's why there's no AH of any kind on consoles. And if they're smart, no remote trading of any kind, even drop trading, or else d2jsp will come back w/ a vengeance.

    As to this, it really drives home the fact that the whole password/user system isn't going to cut it in the near future. You can get a thumb print scanner but most places don't support it yet. Retina scanners are even further off, but w/ smart phone cameras, not too far fetched. Just watch out for Wesley Snipes in a blonde flat top...

  7. #7
    IncGamers Member
    Join Date
    Sep 2012
    BattleTag Fizoo-1366
    I don't understand why people assert that no serious company would use merely simple encryption. There was a story just last year Microsoft got hacked and it turns out password info was stored in a plain text file, completely unencrypted.

  8. #8
    Exactly. If you get hacked and you do not use authenticator, it is your fault and your fault only, because anyone can get authenticator and that **** is unbreakable. The odds of someone correctly guessing the authenticator key at any moment have to be close to zero.

  9. #9
    The article is fairly well written, I'd give it a try.

  10. #10
    IncGamers Member
    Join Date
    Aug 2005
    \"Since no company doing any serious business would encrypt in as simple as MD5\"

    Unfortunately there are many, many companies \"doing serious business\" that store passwords in plaintext, so of course there will also be many that do it in simple MD5.
