Tech and Talk > Gaming > World of Warcraft > Blizzard security breach?

Blizzard security breach?

I wonder how you reseed the phone authenticator.

reply to JoelC707
Well, why the hell not. The VA exposed mine and millions of other vets private info to a massive breach a few years ago (I have that letter framed) so why shouldn't Bliz miss out on all the fun. I've used an authenticator since they first came out and I wouldn't play without it.

reply to JoelC707
I just reset me and my wife's pw's. Just in case. Now pouring Mt. Dew.

reply to JoelC707
Ouch, we shall begin to reset passwords.

Fortunately my family uses unique passwords for every gaming site, different from any email or shopping password.

Though it's annoying to have to change them.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."

reply to JoelC707
Gonna be a few days before they launch the Secret Questions section (Rather then redoing your email they are working on a easy mode fix for this) (So you can reset the Secret Questions) In the mean time reset the Password on you accounts (and if you are OCD put a new email to it to. One that is not used anywhere else or linked with your 20 yahoo email accounts) This will allow you to reset secret questions to.

By linking Yahoo/Gmail etc email accounts you in fact compromise the security of all the accounts thru secret questions on them. Thus allowing a hacker leverage to try to take a account over. Many friends of mine were hacked in this way. Even after they setup separate emails unrelated to anything, they linked them with the old accounts for recovery... "just in case".

Also roll with the Authenticator. Its a condom for your WOW account. Of coarse it never hurts to do all the above.

reply to JoelC707
Although I am not pleased they got breached, I am very pleased about their response.

This was a good response on what had happened and what they are doing about it going forward.

Good job "manning up" about the situation.

I agree with the other poster, though: I can see them revising, re-seeding and re-releasing the mobile authenticator, but what do the masses of players with plain authenticators do?

reply to JoelC707
I changed my WoW password last nite and I will probably go ahead and change the email address and password as well.

I have a mobile authenicator too but you just can't be too careful

reply to JoelC707
I use this site to generate new passwords. Obviously no one wants to type in 63 characters so I find a nice chunk of code and use that.

reply to JoelC707
Here is the official FAQ link:

»us.battle.net/support/en/article···date-faq

reply to JoelC707
Changed mine this morning. It was pretty weak, so I buffed it up. I have the authenticator so no worries. My experience with Blizzard security is that they do more to protect my game than my banks and credit card companies do, to protect my money.

As engineercarl said, I'm not happy that this happened, but the response was good and the passwords weren't plain text. I'm sure that we'll find out more later, but early indicators are good.

I still have issues getting my free copy of my credit report because of the VA breach.
--
Want the shirt? - »www.despair.com/thedestructor.html
Not afiliated or making any profit from sales

reply to kingdome74
Just use this site

»www.domain-logix.net/WiFi/Key.htm

And then get a »www.yubico.com/yubikey
Some models of the yubikey have a mode for static passwords

reply to Kilroy
Ya it looks like they did a good job though it could have been better.

Passwords should have been salted and hashed (ie non-reversible but yet capable of doing to what you type and able to verify)

if they had done this then the hackers would never be able to get the passwords, they'd have to know the salt know the hashing algorithm used and then would have to brute force till they find something that is turned into the same output.

but still Is way better than Sony or many banks.

I changed my password last night without even knowing about this security breach thing. I just felt like changing my password.

Actually relieved now that I did.
--
Good evening!

reply to DarkLogix

quote:

---

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.

---

reply to DarkLogix
The salt is traditionally stored in plaintext in the database next to each password. The point of salting is to make brute force cracking the passwords hard to do if you just have the pw hash (probably intercepted from the client directly), NOT to help out when someone gets access to the database, so its benefit is lost in this situation.

That said, the wiki page on the SRP protocol says it includes a salt and a bunch of other stuff that I am too far removed from my crypto classes in college to understand fully. I will trust Blizzard when it says that each password is computationally expensive to crack and that they are independent of each other.

reply to Tweakbl

reply to DarkLogix
I've used GRC's site as well for chunks of randomness and for passwords. I also use KeePass for bank passwords and such and considered using it for Wow as well. But I didn't want to try and memorize a chunk of randomness and instead came up with my own 14 character password that I'll easily remember. I've seen that Yubikey mentioned before, I'll have to check it out.

reply to Time

reply to JoelC707
If you have an authenticator, does it matter that your password was stolen?