Valuable target. Battle.net is the login system for Warcraft and Diablo, both games where player accounts have significant cash value. The gold and items in a serious Warcraft player's account are often worth well over $50 and are relatively easy to strip and sell on a black market. Diablo 3 has a legitimized real money auction house, only heightening the risks for Blizzard.
Is anyone familiar with the Secure Remote Password protocol, and how secure it is in comparison to hashing and salting passwords using algorithms like bcrypt and PBKDF2?
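A worked SRP-6a exchange, added here as an example (it is not code from the thread), showing what the question is about: the server stores only a per-user salt and a verifier v = g^x, the password itself never crosses the wire, and both sides still arrive at the same session key. The group is the 1024-bit one from RFC 5054; hashing values in their decimal/text form with SHA-256 is a simplification for readability, not the RFC wire encoding.

```python
import hashlib
import secrets

# 1024-bit SRP group (N, g) from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def H(*parts):
    """Hash the text form of each part to an integer (SHA-256 stands in for SRP's hash; simplification)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")


def register(identity, password):
    """Enrolment, run on the client: only the salt and verifier v = g^x are sent to the server."""
    s = secrets.randbits(128)                  # per-user salt
    x = H(s, H(identity, password))            # password-derived private value, stays on the client
    return s, pow(g, x, N)


def srp_exchange(identity, password, s, v):
    """One SRP-6a login. Returns (client_key, server_key, server_accepts_client_proof)."""
    k = H(N, g) % N
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    A = pow(g, a, N)                           # client -> server: I, A
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N             # server -> client: s, B
    if A % N == 0 or B % N == 0:               # SRP-6a abort condition
        raise ValueError("invalid public value")
    u = H(A, B)
    x = H(s, H(identity, password))            # client recomputes x from the typed password
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)   # server uses only the stored verifier
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                     # client's key-confirmation proof
    return K_client, K_server, M1 == H(A, B, K_server)
```

A leaked (s, v) pair still allows an offline dictionary attack on v, which is why the security of a stolen verifier database is comparable to that of a salted hash and why the password-to-x derivation should be slow in practice.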
FWIW, this is Battle.net's password policy: http://imgur.com/q2oPZ

It also appears that cut & paste is disabled for the change password fields, which is REALLY annoying.
How does this affect users with Key Fobs?

http://us.blizzard.com/store/search.xml?q=authenticator