
Why you need a Diablo 3 Authenticator.

Discussion in 'Tech Support for Diablo 3, Battle.Net & Systems' started by Hound, Jun 9, 2013. | Replies: 25 | Views: 9463

  1. Hound

    Hound IncGamers News Service

    Joined:
    Apr 29, 2013
    Messages:
    0
    Likes Received:
    0
    Trophy Points:
    361
    A recent and depressing <a href="http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/">article on ArsTechnica</a> details how easily and quickly crackers can break even quite lengthy and obscure passwords.

    <blockquote>We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

    The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash; for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker, and crackers have never been stronger.")

    ...The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. ":LOL1313le" is in there, as are "Coneyisland9/," "momof3g8kids," "1368555av," "n3xtb1gth1ng," "qeadzcwrsfxv1331," "m27bufford," "J21.redskin," "Garrett1993*," and "Oscar+emmy2."
    </blockquote>

    This article is mostly about a higher level of password cracking; basically how encrypted password files are broken, but it does underline and illustrate just how fragile the security provided by your 8 or 10 letter string is, especially if much/most of it is composed of real words, rather than (<a href="http://en.wikipedia.org/wiki/Lethe">Lethe-inducing</a>) alphanumeric gibberish. Hence the necessity of second level security measures, such as authenticators.

    As a Blue would tell you, <a href="http://us.blizzard.com/store/search.xml?q=authenticator">Blizzard sells authenticators</a> at cost, and offers <a href="http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq">mobile authentication for free</a> via cell phone text messaging. You've really got no excuse not to use one of these, given the real world value of your Diablo 3 items.
  2. Ashman23

    Ashman23 Guest

    I'd love to know how they do this, just so I know how to make a more secure password etc.
  3. Warlordship

    Warlordship Guest

    All this article means, is that if a hacker gets a hold of a list of simply MD5 hashed passwords, they can crack them all relatively quickly. No matter how complex your password at that point, the only thing that will make your password harder to decrypt would be to make it longer.

    All of this takes place offline, by the way. It's why companies who do believe their hashed lists may have been stolen will inform the public. Since no company doing any serious business would encrypt in as simple as MD5, it is hoped that all (or most) of their customers will change their passwords before some (if any) of the passwords on such a list can be decrypted.

    In other words, making a more secure password is, honestly, more about length and not complexity. Since a password cracker would have to assume you COULD use upper case and lower case and special characters and numbers, it would have to check every single possible combination of every character in every slot. And the longer the password, the more complex it gets.

    XKCD exampled it here in a comic a while ago: http://xkcd.com/936/
  4. jamesL

    jamesL IncGamers Member

    Joined:
    Apr 20, 2009
    Messages:
    1,362
    Likes Received:
    0
    Trophy Points:
    255
    I have never played a console game, so I'm clueless about this

    how will the D3 console versions work?

    will players still need to login?
    or is multiplayer tied to their console or what?
    I can't imagine a console player using a virtual keyboard to type in the authenticator code
  5. three rules of thumb:

    the bigger the password, the better
    no words or number sequences (and changing a's for @'s and e's for 3's won't do it either)
    use an abundance of random letters, numbers, spaces and special characters.

    So:

    12345a - awful
    hello123Amsterdam - bad
    h£11o123@mst3rd@m - just as bad
    kAS23@0l_ pa! - good
    lç"*a¨|2'S655a8/ asç - fantastic, virtually uncrackable under today's technology

    The answer? Use the god damn password manager. Let your browser save your passwords for you or use a third party password manager if you want to take them with you with ease. Let me also remind you that both Firefox and Chrome have sync features that let you access your data from remote computers. Firefox's sync is a bit safer since it's encrypted client-side before it's sent over the web, so there's absolutely no way to steal your info, but Chrome's good too, I guess.
  6. trocadero

    trocadero IncGamers Member

    Joined:
    Feb 4, 2013
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    11
    That's why there's no AH of any kind on consoles. And if they're smart, no remote trading of any kind, even drop trading, or else d2jsp will come back w/ a vengeance.

    As to this, it really drives home the fact that the whole password/user system isn't going to cut it in the near future. You can get a thumb print scanner but most places don't support it yet. Retina scanners are even further off, but w/ smart phone cameras, not too far fetched. Just watch out for Wesley Snipes in a blonde flat top...
  7. Fizoo

    Fizoo IncGamers Member

    Joined:
    Sep 26, 2012
    Messages:
    330
    Likes Received:
    1
    Trophy Points:
    124
    I don't understand why people assert that no serious company would use merely simple encryption. There was a story just last year Microsoft got hacked and it turns out password info was stored in a plain text file, completely unencrypted.
  8. Faramis

    Faramis Guest

    Exactly. If you get hacked and you do not use an authenticator, it is your fault and your fault only, because anyone can get an authenticator and that shit is unbreakable. The odds of someone correctly guessing the authenticator key at any moment have to be close to zero.
  9. TheDoc42

    TheDoc42 Guest

    The article is fairly well written, I'd give it a try.
  10. Lanthanide

    Lanthanide IncGamers Member

    Joined:
    Aug 2, 2005
    Messages:
    684
    Likes Received:
    0
    Trophy Points:
    120
    "Since no company doing any serious business would encrypt in as simple as MD5"

    Unfortunately there are many, many companies "doing serious business" that store passwords in plaintext, so of course there will also be many that do it in simple MD5.
  11. Moonfrost

    Moonfrost IncGamers Member

    Joined:
    May 31, 2009
    Messages:
    1,254
    Likes Received:
    0
    Trophy Points:
    120
    Does anyone know the difference between always having to use your authenticator to log in and only using it once a week? Is the latter alternative less secure in any way?
  12. Moonfrost

    Moonfrost IncGamers Member

    Joined:
    May 31, 2009
    Messages:
    1,254
    Likes Received:
    0
    Trophy Points:
    120
    If you're old school, you can also just write them down on a piece of paper. The people looking to steal your passwords aren't able to break into your house, and those who are able to break into your house won't be looking for your passwords anyway.
  13. Mad Mantis

    Mad Mantis D2/3 Necromancer & Witch Doctor Moderator

    Joined:
    Jun 24, 2003
    Messages:
    11,018
    Likes Received:
    1
    Trophy Points:
    151
    Did Blizz ever bother to make the passwords case sensitive or are they still committed to making sure the authenticator is the only way to have a safe means of logging in.
  14. Terenas

    Terenas IncGamers Member

    Joined:
    Jun 24, 2003
    Messages:
    464
    Likes Received:
    0
    Trophy Points:
    84
    Nice reference.
    The phone authenticator is nice. If you have a webphone of any kind, why not use it ?
  15. DestinMacabre

    DestinMacabre IncGamers Member

    Joined:
    Jul 6, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Here is a response to the comic you linked, it is a quote from the article

    "Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

    "The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing.""

    In other words complexity also matters.
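The offline attack described in the article quoted in the first post (guessing plaintexts for a list of unsalted MD5 hashes) and the combinator attack Steube describes in the quote above, as an added example written for this thread; it is not code from the Ars article, the crackers, or Blizzard. The "leaked" hash list and the two mini-dictionaries are constructed here (the two MD5 digests for "password" and "password1" are the ones the article cites), and the salted PBKDF2 store at the end is the standard defender-side alternative, shown so the cost difference is visible:

```python
# Added example (not from the thread or the Ars article): offline cracking of
# an unsalted MD5 hash list with a wordlist, mangling rules and a combinator
# pass, next to the salted slow KDF a defender should use instead.
import hashlib
import hmac
import itertools
import os


def md5_hex(plain: str) -> str:
    return hashlib.md5(plain.encode()).hexdigest()


# Constructed "leaked" list of unsalted MD5 hex digests.  The first two are the
# digests the article cites for "password" and "password1"; the rest are built
# here from plaintexts the article names.
LEAKED_MD5 = {
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "7c6a180b36896a0a8c02787eeafb0e4c",
    md5_hex("letmein1!"),
    md5_hex("momof3g8kids"),
    md5_hex("qeadzcwrsfxv1331"),
}

# Constructed stand-ins for the crackers' big and small dictionaries.
BIG_DICT = ["password", "letmein", "momof3g", "pizzapizza", "destiny"]
SMALL_DICT = ["21", "8kids", "123", "1"]


def mangle(word: str):
    """Yield the word plus common rule-based variants (capitalise, suffixes, leet)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "1!"):
        yield word + suffix
    yield word.replace("a", "@").replace("s", "$")


def crack_md5(hashes: set, big: list, small: list):
    """Return ({hash: plaintext}, guesses).

    Passes run in the order a cracker would: wordlist with rules, then the
    combinator (big x small).  Because the hashes are unsalted, one MD5 per
    guess tests it against every hash in the leak at once.
    """
    found, guesses = {}, 0

    def attempt(plain):
        nonlocal guesses
        guesses += 1
        h = md5_hex(plain)
        if h in hashes and h not in found:
            found[h] = plain

    for word in big:
        for variant in mangle(word):
            attempt(variant)
    for left, right in itertools.product(big, small):
        attempt(left + right)
    return found, guesses


# Defender side: per-user random salt and a deliberately slow KDF.  Against this
# store each guess has to be recomputed per user, at `iterations` HMACs each.
def store_password(plain: str, iterations: int = 100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(plain: str, record) -> bool:
    salt, iterations, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def crack_salted(records: list, wordlist: list):
    """Attacker side against salted records: work = guesses x users x iterations,
    and nothing learned from one user's record carries over to another's."""
    cracked, work = {}, 0
    for i, rec in enumerate(records):
        for word in wordlist:
            work += 1
            if verify_password(word, rec):
                cracked[i] = word
                break
    return cracked, work


if __name__ == "__main__":
    found, n = crack_md5(LEAKED_MD5, BIG_DICT, SMALL_DICT)
    print(f"unsalted MD5: {len(found)}/{len(LEAKED_MD5)} cracked in {n} guesses")
    for h, p in found.items():
        print(f"  {h}  {p}")
    records = [store_password(p, iterations=1000) for p in ("password", "momof3g8kids")]
    cracked, work = crack_salted(records, ["letmein", "password", "momof3g8kids"])
    print(f"salted PBKDF2: {len(cracked)}/{len(records)} cracked, {work} guesses x 1000 iterations")
```

Four of the five constructed hashes fall in 55 guesses: "password" and "password1" to the rules pass, "letmein1!" to a suffix rule, and "momof3g8kids" only to the combinator, exactly as in the quote. The random string "qeadzcwrsfxv1331" survives every pass because it is in no list. The salted store does not make a weak password strong (the wordlist still finds "password"), it only multiplies the attacker's cost by the number of users and the iteration count, which is why the article's numbers are so alarming for unsalted MD5 in particular.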
  16. Winner

    Winner Guest

    Case sensitivity is not a problem for the internet. It adds zero to the anti-hacking tools. It is only annoying for the internet customer.

    Too lazy to explain it further.
  17. Amake

    Amake IncGamers Member

    Joined:
    Nov 10, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Sure I've got an excuse, I want to lose my account so I'll never be tempted to play any Blizzard online game again.

    :D
  18. Gargos

    Gargos Guest

    Imho the Authenticator is the most secure thing I used in all my online games. I'm very happy with it.
  19. MengNa

    MengNa Banned

    Joined:
    Oct 3, 2008
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    0
    The option to only have it prompt you for a code once a week is fine for the most part...
    It also requests the auth code every time your IP address changes, so unless some hacker has stolen your password and is also spoofing your IP (not sure if it's possible) he still wouldn't be able to access your account.
    I tried the standard option of auth code every login, but it drove me nuts after a few days and I went back to the second option.
    Very happy with the smartphone authenticator, it even has a handy widget so you don't have to open the app every time.
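How a one-time-code authenticator works and what the "code once a week, or whenever the IP changes" option amounts to, as an added example written for this thread. It is generic RFC 4226/6238 HOTP/TOTP, not Blizzard's authenticator implementation (which the thread does not describe), and the session-trust policy, its 7-day constant, and the `login` helper are assumptions modelled on the post above; the secret is the RFC 6238 test key, not a real one:

```python
# Added example (not Blizzard's authenticator code): generic RFC 6238 TOTP
# generation and verification, plus a model of the "prompt once a week, or
# whenever the IP changes" trust policy the post above describes.
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1, digits=6) -> bool:
    """Accept the current step and `window` steps either side for clock drift.
    Constant-time comparison; every candidate is checked so timing does not
    reveal which step matched."""
    t = unix_time // step
    ok = False
    for c in range(t - window, t + window + 1):
        if c >= 0 and hmac.compare_digest(hotp(secret, c, digits), code):
            ok = True
    return ok


def guess_probability(attempts: int, digits: int = 6, window: int = 1) -> float:
    """Chance that someone holding the password but not the authenticator gets
    a blind code accepted within `attempts` tries.  Small per try, but it grows
    linearly, which is why the server must also rate-limit code attempts."""
    per_try = (2 * window + 1) / 10 ** digits
    return 1 - (1 - per_try) ** attempts


@dataclass
class Session:
    user: str
    ip: str
    last_auth: int  # unix time the second factor was last passed


TRUST_SECONDS = 7 * 24 * 3600  # assumed value for the "once a week" option


def needs_second_factor(session, ip: str, now: int) -> bool:
    """Re-prompt on a new session, a changed client IP, or expired trust."""
    if session is None or session.ip != ip:
        return True
    return now - session.last_auth >= TRUST_SECONDS


def login(sessions: dict, user: str, ip: str, code, secret: bytes, now: int):
    """Second-factor step, run after the password already checked out.
    Returns (allowed, session)."""
    session = sessions.get(user)
    if needs_second_factor(session, ip, now):
        if code is None or not verify_totp(secret, code, now):
            return False, session
        session = Session(user, ip, now)
        sessions[user] = session
    return True, session


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print("code at t=59:", totp(secret, 59))
    print("P[blind guess accepted in 10 tries]:", guess_probability(10))
```

The weekly option is not weaker against a stolen password by itself: a password-only login from a new IP, or after the trust window lapses, still needs a fresh code, so the attacker has to land inside an existing trusted session from the same address. What it does widen is the value of that one session, which is the trade-off the post above is describing.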
  20. Moonfrost

    Moonfrost IncGamers Member

    Joined:
    May 31, 2009
    Messages:
    1,254
    Likes Received:
    0
    Trophy Points:
    120
    Cool, thanks - I have the phone authenticator as well and it's quite a hassle for the reason you mentioned. I'll give the weekly prompt a try, from the sound of it it's almost like SteamGuard and I've never had any issues with that.
