
Diablo 3 accounts hacked, gold and items stolen


Comments

  • dubyahitedubyahite Member UncommonPosts: 2,483
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now...  At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • JeroKaneJeroKane Member EpicPosts: 6,965
    Originally posted by dubyahite
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now...  At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

    I used Avast Free Home edition and a separate anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers

  • TortanicTortanic Member Posts: 85


    Originally posted by JeroKane

    Originally posted by dubyahite

    Originally posted by Creslin321

    Originally posted by MikkelB

    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now...  At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

    I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot.

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software.

    Give it a shot, you might be surprised.

    I used Avast Free Home edition and a separate anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers



    MSE misses a lot on detection; it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

  • Creslin321Creslin321 Member Posts: 5,359
    Originally posted by dubyahite
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now...  At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

     I'll give it a shot, thanks for the tip :).

    Are you team Azeroth, team Tyria, or team Jacob?

  • JeroKaneJeroKane Member EpicPosts: 6,965
    Originally posted by Tortanic

     


    Originally posted by JeroKane

    Originally posted by dubyahite

    Originally posted by Creslin321

    Originally posted by MikkelB

    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now...  At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

    I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot.

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software.

    Give it a shot, you might be surprised.

    I used Avast Free Home edition and a separate anti-malware program before.

     

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers


     


    MSE misses a lot on detection; it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

    The best protection tho, is from yourself!

    Stay clear from suspicious websites, like Online CD key websites that offer games for prices too good to be true! Or any RMT site!

    Don't auto-open emails! Inspect every link in emails as to what the "REAL" URL is, before clicking it!  Phishing emails are the NUMBER 1 cause of getting keyloggers and so getting your accounts hacked!

    Clear your browser cache on a regular basis!  And use different passwords on account sites that contain personal and credit data (like banks, MMOs, etc.) and regular far less secure sites like fansites, (public) forums, etc.

    Cheers

  • dubyahitedubyahite Member UncommonPosts: 2,483
    Originally posted by Tortanic

     

    [snip]

     


    MSE misses a lot on detection; it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

    No AV is perfect, they all miss stuff. But as far as performance goes MSE actually does quite well. It has tested better than Norton, AVG, Sophos, McAfee, and other popular software in independent studies. Some programs like Panda, Avast, Kaspersky, Bitdefender and others have done better than MSE.  Not sure about how well Comodo tests.

     

    I personally think that of all the free stuff out there, Avast performs the best as far as detection percentage goes. It consistently places in the top few and is significantly better than paid solutions. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • SlampigSlampig Member UncommonPosts: 2,342
    Originally posted by thekid1

    Eurogamer writer gets his Diablo 3 account stolen.

    This Diablo 3 soap is even better than Age of Conan and WAR right after release.

     

    http://www.eurogamer.net/articles/2012-05-21-diablo-3-accounts-hacked-gold-and-items-stolen

    So he didn't have an Authenticator, kind of left that out didn't you? Not saying it is a panacea (look it up) but it TOTALLY helps...

     

    Enough of this one sided "reporting", makes yourself look like you have an agenda...

    That Guild Wars 2 login screen knocked up my wife. Must be the second coming!

  • sunshadow21sunshadow21 Member UncommonPosts: 357

    I think my biggest difficulty with Blizzard's response is that they are saying absolutely nothing about the situation is their fault or within their control. The authenticators are fine enough, but to make that your only response is a bit lame. Virtual keyboards that allow you to enter a password without the use of a physical keyboard are one approach at least one other game has used; it wouldn't be that hard to implement. I'm sure a security professional could come up with even more creative, yet relatively unobtrusive, ways to handle the problems they face. Internet security takes a bit of effort and creativity on the part of the defenders, but not nearly as much as some seem to think, and it shouldn't require an authenticator for a game either. If Blizzard were to actually try to seriously design and implement a security system and actually enforce it, none of the individual measures taken would have to be that drastic or that hard to maintain, yet I bet a lot of the problems would go away. They just don't seem to care about it. That is the part that concerns me. If a problem is found, it's quickly fixed and pushed under a rug as if it never happened, so the root problem never gets dealt with. This is where Blizzard has fallen behind the curve compared to a lot of other companies and games.

  • iceman00iceman00 Member Posts: 1,363
    Originally posted by dubyahite
    @iceman

    I'm not here to flaunt my knowledge. I'm here to discuss an issue of particular interest to me.

    I don't understand why my knowledge of the subject is an excuse to attack me. There are plenty of people in this thread with little to no understanding of security who are posting random nonsense and trying to pass it off as fact.

    Should you be quoting them and accusing them of missing the point? Because they most certainly are missing the point in a big way.

    Again, I'm not here to "flaunt" my knowledge. I am here because this subject is interesting to me.


    I am just here to discuss the topic of security which most people don't have a clue about.


    Look I don't care that your average user doesn't know how to protect themselves. Not my problem. What I do care about is when those same people go around spouting off nonsense as if they know what they are talking about.


    I mean, there was a guy in this very thread flipping out because Diablo opened port 80. Seriously. Then he tries to tell people that this is some huge security flaw.

    That is the person that is missing the point, not me.

    Okay, so one person said that.  Thing is, just about everyone else didn't.

    So why continue to erect such a straw man?  Apologies if the post I made came across as too harsh, it was more a take on how dismissive you were of everyone you wrote about.

  • iceman00iceman00 Member Posts: 1,363
    Originally posted by MikkelB
    Originally posted by iceman00
    Originally posted by kreken
    Originally posted by sunshadow21
    Originally posted by JeroKane

    And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

    Rest my case.

    A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsibility to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

     

    When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

    I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

    Nowadays, there is no real excuse to be computer illiterate since computers are an integral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using then you shouldn't be using it. It seems people don't realize that a computer is a tool and if you don't take care of it, it will "rust" and will underperform or do other unintended operations. If you leave your hand saw in the rain for two months, how well do you think it will cut wood next time you use it?

    If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.

     

    1.)  Mandatory texts/email if you login from a different IP address.

    2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

    3.)  Increased complexity with passwords. 

    Really, number 3 alone goes a long way.

    And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be necessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

    I actually agree with your points here. The thing is, these are games we're talking about. Blizzard is for obvious reasons interested in getting as many players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they are, is not going to help the user-friendliness of the game. When it's harder to get to play the game, more people stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you've less frustration playing it without the DRM than with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online' restriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

    Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I'd rather have that they would allow more characters to be used and that they would stimulate users to use passphrases, instead of passwords. Win-win for both sides.

    My second point, at least according to Blizzard's records, won't be needed..... yet.  But really, using the authenticator once every 7 days, really not much of a point.  Which I think brings up an interesting correlation.  Most of those who are going to use an authenticator, chances are their tech knowledge is more than satisfactory.  They probably aren't making the mistakes most people make.  So I guess I begin to wonder if "nobody who uses an authenticator had their account compromised" is one of those "true but irrelevant" statements, considering that authenticating once every 5-7 days is sorta pointless, and wouldn't stop an account from being compromised, since they operate in a span of minutes, not days.

    And Blizzard needs to seriously think about tighter security in terms of the RMAH.  ONE HACK is all it will take to cause an absolute nightmare.  It won't matter how many blizzbots screaming "the person getting hacked is a f**ktard who deserved it" there are.  So perhaps we can go on something with point 3/passphrases.  That really doesn't cost much, and is very easy to do, and there's an understandable reason.

    And yeah, agree with you on the DRM.  Just wish Blizzard would see it that way.  Bad timing for me to try out the game (due to busy schedule) but their DRM is so absurd (and the attempt to corral people onto the RMAH so nakedly obvious) I'm still not sure how much I'll play the game once I have time.
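As an added example (not code from this thread, from Blizzard or from Battle.net), here is how a login service could apply the three measures listed in the post above: owner notification on a login from a never-seen IP, an authenticator code required on every login once enrolled, and case-sensitive password handling that favours passphrases. The account names, IP addresses, log format and policy thresholds are all assumptions constructed for the example.

```python
"""Constructed example of the three measures proposed above (not Blizzard's or
Battle.net's code): (1) notify the owner on a login from an IP the account has
never used, (2) require the authenticator code on every login once enrolled,
and (3) check new passwords case-sensitively, favouring long passphrases."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed login records: timestamp, account, source IP, authenticator
# enrolled?, one-time code result. The IPs are documentation ranges.
SAMPLE_LOG = """\
2012-05-21T10:00:00 alice 203.0.113.10 auth=yes otp=ok
2012-05-21T10:05:00 alice 203.0.113.10 auth=yes otp=none
2012-05-21T10:07:00 alice 198.51.100.7 auth=yes otp=ok
2012-05-21T11:00:00 bob 192.0.2.44 auth=no otp=none
2012-05-21T11:30:00 bob 198.51.100.9 auth=no otp=none
"""


@dataclass
class LoginEvent:
    ts: str
    account: str
    ip: str
    authenticator_enrolled: bool
    otp_ok: bool


@dataclass
class Decision:
    account: str
    ip: str
    outcome: str        # "allow" or "challenge"
    notify_owner: bool  # rule 1: login attempt from a never-seen IP


def parse_log(text: str) -> List[LoginEvent]:
    """Parses the whitespace-separated records above into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, auth, otp = line.split()
        events.append(LoginEvent(ts, account, ip, auth == "auth=yes", otp == "otp=ok"))
    return events


class LoginPolicy:
    """Remembers the IPs each account has logged in from and applies rules 1 and 2."""

    def __init__(self) -> None:
        self.known_ips: Dict[str, Set[str]] = {}

    def evaluate(self, ev: LoginEvent) -> Decision:
        seen = self.known_ips.setdefault(ev.account, set())
        new_ip = ev.ip not in seen
        if ev.authenticator_enrolled and not ev.otp_ok:
            # Rule 2: an enrolled account gets no trust window; every login
            # without a valid code is challenged, and a never-seen IP is still
            # reported to the owner.
            return Decision(ev.account, ev.ip, "challenge", notify_owner=new_ip)
        # Only a successful login makes the IP "known", so a rejected attempt
        # cannot silently add an attacker's address to the trusted set.
        seen.add(ev.ip)
        return Decision(ev.account, ev.ip, "allow", notify_owner=new_ip)


def run_sample() -> List[Decision]:
    policy = LoginPolicy()
    return [policy.evaluate(ev) for ev in parse_log(SAMPLE_LOG)]


# Rule 3: password policy and case-sensitive verification.
def check_password_policy(candidate: str, min_length: int = 12,
                          passphrase_length: int = 20) -> List[str]:
    """Returns the policy violations for a candidate password (empty = accepted).
    Mixed case is required for short passwords but waived for long passphrases."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    single_case = candidate.lower() == candidate or candidate.upper() == candidate
    if single_case and len(candidate) < passphrase_length:
        problems.append("single case")
    return problems


def hash_password(password: str, salt: bytes, fold_case: bool = False) -> bytes:
    """PBKDF2-SHA256 of the password. fold_case=True reproduces the weakness
    discussed above: lower-casing before hashing makes 'Secret' and 'secret' equal."""
    material = password.lower() if fold_case else password
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes, salt: bytes,
                    fold_case: bool = False) -> bool:
    return hmac.compare_digest(hash_password(password, salt, fold_case), stored)


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.account:6} {d.ip:14} {d.outcome:9} notify={d.notify_owner}")
    salt = b"constructed-salt"
    stored = hash_password("Secret Phrase", salt)
    print("wrong-case guess accepted:", verify_password("secret phrase", stored, salt))
```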

  • ArChWindArChWind Member UncommonPosts: 1,340
    Here is what bothers me about this authenticator thing.
     
    First off and most importantly, I was playing open beta weekend and I was hacked. I just did not realize it until the other day, but the same thing happened to me as others. "You have logged in from another location." Insta disconnect. Try to log in. "Account in use." Try to log in again: "Your password is invalid." Shut down and restart and everything is OK. Nothing missing out of characters. Did not know where to write a bug report but then forgot about it. I thought it was a bug.
     
    Now here is why I have problems with this authentication shit, and did I have a key logger active just for a hack to get some gold?
     
    I log in ‘every day’ to my BANK account from this computer. I do most of my business through this computer with credit cards. I have done all my business through websites spending money and all the accounts in 5 years I have yet to be breached and NOT one of them requires an authenticator. ZERO. Why does a game require a device that government officials require to log in to VPN?
     
    If any suspicious activity was to happen I would know about it in under 24 hours. I have a website and it has no activity other than what I do with it. I have a domain and can have a million email addresses if I want them, and I have 3 specific emails targeting game sites so I can find out who sells off my information. Not one has to this day sent me a phishing mail, because even when it gets to me it gets deleted by security scans. I don't sign up for anything game related directly except newsletters. I get most of my mail from this site about topics I read and have interest in. In other words I do not get spammed with garbage, just a normal 5 to 10 emails a week, or in the case of MMORPG.com 10 to 20 mails a day because I selected the subject.
     
    This whole thing smells fishy to me.
    ArChWind — MMORPG.com Forums

    If you are interested in making a MMO maybe visit my page to get a free open source engine.
  • iceman00iceman00 Member Posts: 1,363
    Originally posted by dubyahite
    Originally posted by MikkelB
    Originally posted by iceman00
    Originally posted by kreken
    Originally posted by sunshadow21
    Originally posted by JeroKane

    And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

    Rest my case.

    A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsibility to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

     

    When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

    I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

    Nowadays, there is no real excuse to be computer illiterate since computers are an integral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using then you shouldn't be using it. It seems people don't realize that a computer is a tool and if you don't take care of it, it will "rust" and will underperform or do other unintended operations. If you leave your hand saw in the rain for two months, how well do you think it will cut wood next time you use it?

    If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.


    1.)  Mandatory texts/email if you login from a different IP address.

    2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

    3.)  Increased complexity with passwords. 

    Really, number 3 alone goes a long way.

    And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be necessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

    I actually agree with your points here. The thing is, these are games we're talking about. Blizzard is for obvious reasons interested in getting as many players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they are, is not going to help the user-friendliness of the game. When it's harder to get to play the game, more people stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you have less frustration playing it without the DRM than with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online' restriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

    Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I'd rather have that they would allow more characters to be used and that they would stimulate users to use passphrases, instead of passwords. Win-win for both sides.

    This is a very important issue you raise. 

    Anyone who has worked in the IT industry can tell you that any company (not just game companies) has to weigh several factors when implementing security policies such as those suggested.  This is especially true when you are enforcing these policies on customers as opposed to employees.

    It would be great to add a little forced complexity to people's passwords, but it is a tougher decision than it seems at first glance. Personally I would be all for it, but I know for a fact that Blizzard (or any other company) would have to deal with a lot of issues this would cause their customers as well.

    Not too many MMO companies actually enforce password complexity on their users. Bioware did a decent job by forcing one uppercase letter and one number in their password, but really that is a lot more ineffective than you might think.

    Here is an example: with Bioware's rules the password 'Tizftye7' would be an acceptable password. It's not particularly strong but at least it's not '123456'.  There are no words in it, and it appears totally random. It's not going to be in a dictionary attack so a cracker would need to use a guessing attack on it, which implies more time to crack it.

    What this level of password security protects against is relatively slow online brute force or guessing attacks. Repeated attempts to guess the password on the service's website by attempting to log in would take months to complete all possible password guesses that would be required to guess that password. The exact search space of said password would be 5.46 x 10^23 or 546,108,599,233,516,079,517,120 possible passwords with that password length and alphabet size (characters that a cracker must account for). Seems like a big enough number.

    However, with current technology, your average cracker can make about one hundred billion guesses per second offline if they have acquired a password database. This would take less than an hour to complete the attack offline. If the attacker is running the database through a botnet or something, it would be a matter of seconds.

    So that level of password complexity protects against one thing, online attacks made by repeated login attempts to a website or the actual game service. The thing is, you are already protected against these attacks in most cases. After a few logins the system wants additional verification or it might even lock your account. This level of password complexity adds no security at all.

    To really enforce a system where users must make secure passwords would require very long lengths (at least over 12 characters), one symbol, one number, at least one uppercase letter, and lower case letters as well.

    They would also need to prevent people from using common passwords and probably dictionary based passwords as well. Anything that can be found in a cracker's dictionary immediately eliminates the need for a guessing attack and any and all complexity is then useless.

    Like MikkelB said, from a business perspective they simply can't enforce password complexity of this level. It would piss off a large portion of their users as well as create extra costs for the company in having to support these users. A person who can't remember their password is going to generate extra cost for the company in customer service and technical support on a regular basis. For a video game, it's just not realistic. I believe that it seriously would drive people away from the game.

    Now, the whole passwords not being case sensitive thing from Blizzard is absolutely bonkers. Out of all this stuff that has been talked about, that actually pisses me off a great deal. I don't understand why they would actively undermine the security of those who choose to use a complex password.  I think I might email their customer service about that and bitch today.

    As far as enforcing password complexity on users, it's a hopeless battle for a company. If you only do a little (like Bioware) you are not really adding any security. To actually add security to passwords through complexity would have a large impact on your business and the usability of your software, for something that (let's face it) is not that important. It's a video game account. Most companies have the capability to restore your account to a pre-hacked status for no charge.

    Ever hear of the phrase "not seeing the forest for the trees?"

    Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

    1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

    2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

    3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

    4.)  What can we do to stop the "brute force" incidents?

    5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

    6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity aren't there.

    As far as "it's a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.

  • iceman00iceman00 Member Posts: 1,363
    Originally posted by JeroKane

    I used Avast Free Home edition and a separate anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers

     I also use Security Essentials (still have Malwarebytes on my PC if I need it).

    I think after 14 pages, everything that can be said has been said, and we can all end agreeing on something.

    Microsoft makes a product that actually works surprisingly well. 

    LOLWTF......

  • sunshadow21sunshadow21 Member UncommonPosts: 357
    Originally posted by iceman00

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

    This is the biggest difficulty I'm having. If they can't even be bothered to implement something as basic and usually automatic as case sensitivity, why should I accept their claims that it's all the user's fault when clearly they aren't interested in doing the simple things that can be done on their end? Case sensitivity by itself wouldn't be a major thing, but combine it with other simple things like a virtual keyboard to get around keyloggers, and other similar simple, easy to implement ideas, and the impact would be significant with fairly little cost to Blizzard.

  • dubyahitedubyahite Member UncommonPosts: 2,483
    Originally posted by iceman00
    Originally posted by dubyahite

    [snip]

    Ever hear of the phrase "not seeing the forest for the trees?"

    Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

    1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

    2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

    3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

    4.)  What can we do to stop the "brute force" incidents?

    5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

    6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity aren't there.

    As far as "it's a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.

    1.) This is not true. While no password is "uncrackable" you can make a password complex enough that it will never be cracked by a cracker. This was the point of my post. They are not going to even attempt a character space that would require 13 trillion centuries to complete. Ever.

    2.) Then we agree. But even then there is still risk of hacking, even if they did all this stuff.

    3.) This is incorrect. Again, if your password would take 13 trillion centuries to crack, a cracker is not even going to attempt a character space that large. They are going to go for the lowest common denominator and end up with about 20% of the passwords in the database. 

    4.) Make complex passwords. I explained this. My passwords will never be cracked by brute force with currently available technology. Not only that, but no cracker will even attempt a crack that would expose my passwords. 

    5.) I agree here. The case sensitive crap on blizzard passwords is just inexcusable. 

    6.) Yes. Capital letters are required for password complexity. I already said in previous posts that I was pissed about the case sensitive thing from blizzard. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com
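To put numbers on the search-space argument in dubyahite's posts above (and on the Bioware-style and stricter complexity rules discussed there), here is an added Python example; it is not code from anyone in this thread. The 100 billion guesses per second offline rate is the thread's own figure; the 10 guesses per second online rate and the 32-character punctuation class are assumptions.

```python
"""Password search-space arithmetic: how much a case-insensitive login
(as the thread says Battle.net has) shrinks the work a cracker must do,
and how online vs offline guess rates change the picture.

Added example for this thread, not Blizzard's or anyone's posted code.
Assumptions are marked in comments.
"""
import string

# Character classes a cracker must cover once they appear in a password.
# The 32-character symbol class is an assumption (len(string.punctuation)).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

OFFLINE_RATE = 1e11  # guesses/s against a stolen hash database (thread's figure)
ONLINE_RATE = 10.0   # guesses/s through a throttled login form (assumed)

# Policy tuples: (minimum length, classes that must each appear at least once)
BIOWARE_RULE = (0, ("upper", "digit"))                        # per the thread
STRICT_RULE = (13, ("upper", "lower", "digit", "symbol"))    # "over 12 chars", all classes


def classes_present(password: str) -> set:
    """Names of the character classes that actually occur in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Alphabet a cracker must assume: sum of the sizes of the classes present."""
    return sum(CLASSES[name][1] for name in classes_present(password))


def search_space(alphabet: int, length: int, include_shorter: bool = False) -> int:
    """Candidates for an exhaustive search. With include_shorter the count also
    covers every shorter length, the way a brute-force run walks them."""
    if include_shorter:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def human_time(seconds: float) -> str:
    """Rough, readable duration for printing."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def meets_policy(password: str, min_length: int, required: tuple) -> bool:
    """Generic complexity check: minimum length plus one char from each class."""
    return len(password) >= min_length and set(required) <= classes_present(password)


def assess(password: str, case_sensitive: bool = True) -> dict:
    """Search space and exhaust times for a password. A case-insensitive login
    means the cracker only needs one casing, so we fold before measuring."""
    effective = password if case_sensitive else password.lower()
    alphabet = alphabet_size(effective)
    space = search_space(alphabet, len(effective))
    return {
        "alphabet": alphabet,
        "space": space,
        "offline_seconds": seconds_to_exhaust(space, OFFLINE_RATE),
        "online_seconds": seconds_to_exhaust(space, ONLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ("Tizftye7", "Abc123"):  # both quoted in the thread
        print(f"{pw}: Bioware rule={meets_policy(pw, *BIOWARE_RULE)}, "
              f"strict rule={meets_policy(pw, *STRICT_RULE)}")
        for sensitive in (True, False):
            r = assess(pw, case_sensitive=sensitive)
            print(f"  case-sensitive={sensitive}: alphabet={r['alphabet']}, "
                  f"space={r['space']:,}, offline={human_time(r['offline_seconds'])}, "
                  f"online={human_time(r['online_seconds'])}")
```

Run stand-alone it shows 'Tizftye7' falling from a 62-character to a 36-character alphabet once case is ignored, and the offline exhaust time for the case-sensitive version landing under an hour, matching the thread's "less than an hour" estimate.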

  • gatherisgatheris Member UncommonPosts: 1,016
    Originally posted by itgrowls

    It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the user's fault if they get hacked at this point due to the security that Blizz implemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

    complete bull

    beyond not handing out your passwords to one and all it is up to the business to protect your data - period


  • AIMonsterAIMonster Member UncommonPosts: 2,059

    There is a rumor going around that a hacker can spoof your ID (obtained by joining a public game with the hacker) and bypass the need to use the authenticator.  I don't know if it's true, but some people "claim" to have been hacked even with the authenticator active.

    It's probably untrue and Blizzard claims that there are no reports of accounts breached that used an authenticator.

    Still, Blizzard doesn't exactly have the best security and privacy protection.  Registering an e-mail account on Bnet will open you up to multiple phishing attempts even if you never used the e-mail address for anything else (or at least it did at one point).

  • RednecksithRednecksith Member Posts: 1,238
    Originally posted by gatheris
    Originally posted by itgrowls

    It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the user's fault if they get hacked at this point due to the security that Blizz implemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

    complete bull

    beyond not handing out your passwords to one and all it is up to the business to protect your data - period

    Complete bullshit.

    It is up to the USER to keep their PC safe and secure. It's not Blizzard's fault someone clicked a bad link, went to a site with a bad ad, fell for a phishing attempt, etc.

    How exactly is Blizzard supposed to make sure you do none of the above? The only thing they can do is warn and attempt to educate you, and that's a hell of a lot more than they are required to do. To say nothing of providing free mobile authenticators, and at-cost physical ones.

    Now if Blizzard's servers get hacked (which they have not) then yes, it is their responsibility.

  • RainBringerRainBringer Member Posts: 150
    Originally posted by zymurgeist

    They aren't morons; what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means.

    So, understanding the difference between an Uppercase " A " and a lowercase " a " is now a matter of "computer skills". I see the Blizzard defence club is getting desperate enough to throw out ridiculous statements since they are running out of anything substantial to say, might wanna stop before you guys start blaming the player for any leak on Blizzard's end...or wait has some fangirl already thrown that excuse out already? 


    Virtual keyboard seems like a decent precautionary measure for such cases. Yea I can see it happening sometime in the near future.

    "Just pay and download a VK app for $15.99 and you can be free of all your hacking woes!

    But Only works if you have bought ALL our Blizzard™ Authenticator versions 1, 2, v5, x15, zz20 and special edition 2 for service pack 3(until we put out more ca-ching junk applica...err Required Software Protection)."


    Online-always DRM is working as intended, yea?

    But it would be funny if Anon strikes against BNet for this D3 debacle. Shit would hit the exhaust fan.

  • LagozLagoz Member Posts: 92

    If you play blizzard games you should know by now to get an authenticator.

    I've never been hacked after getting it.

  • MikkelBMikkelB Member Posts: 240

    For the ease of reading I'll just post it here:

    Battle.net®/Diablo III Security Concerns

    Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who've contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we've investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account, and we have yet to find any situation where a Diablo III player's account was accessed outside of "traditional" compromise methods (i.e. someone logging in using an account's login email and password).

    To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these "traditional" methods -- for example, by "session spoofing" a player’s identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.

    The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.

    Source: http://us.battle.net/d3/en/forum/topic/5149181449

    One thing that sticks out is the bit where he says that only an extremely small number of players reported a potential compromise. Makes me wonder if all the ragers actually did contact Customer Service and/or made a ticket, if those ragers were full of hot air as usual or if Blizzard is 'lying' here.

    At least Blizzard made this statement (i.e. "We haven't been compromised"), which is worth more to me than the countless posts going: "I've been hacked! On my clean PC, handcrafted yesterday, only Diablo 3 installed and I've never been hacked before! It's all Blizzard's fault!", without giving proof.

  • RainBringerRainBringer Member Posts: 150

    Oh I assure you, I keep my thinking hat on even if I wear a "hater hat" on top of it.

    If a person can't remember his own password, it's no excuse to NOT implement a secure system for safeguarding passwords. It just means that the person needs to write his password down somewhere (like in an 8th grade textbook). And also there are password reminders for such instances via emails so we aren't talking about ground breaking stuff here.

    If a player uses a generic 'Abc123' password, then again it doesn't mean that the company responsible for safeguarding this feeble attempt from the player's end should just sit back and say "whoops easy password, not my problem, buy my safeguarding shite" and turn Abc123 into abc123, ABC123, abC123, etc and give a brute force program more than 1 viable option at breaking down such easy passes.

    And you don't address the Virtual keyboard issue either. Even a child would find it fun to press a virtual button, so I don't know how Blizzard can't "cater" to the majority of their playerbase.

    And sorry to say, but coming up with excuses as to why Blizzard is not at fault is pretty much on the same grounds as defending them, even though you might personally not find it agreeable, call it force of habit or fanboyism or whatever if you may. But just saying it for what it is. And the only reason why I even posted here was because of that absurd excuse you came up with in Blizzard's defence: "They aren't morons; what many of them are is children or people with no computer skills whatsoever." So do tell us, from when does knowing the difference between a capital ' A ' and a small letter ' a ' become a matter of "computer skills"? Excuses such as these show that you aren't wearing that thinking hat over those rosy tinted goggles of yours. Hilarious stuff that.
  • MikkelBMikkelB Member Posts: 240
    Originally posted by RainBringer

    Oh I assure you, I keep my thinking hat on even if I wear a "hater hat" on top of it.

    If a person can't remember his own password, it's no excuse to NOT implement a secure system for safeguarding passwords. It just means that the person needs to write his password down somewhere (like in an 8th grade textbook). And also there are password reminders for such instances via emails so we aren't talking about ground breaking stuff here.

    If a player uses a generic 'Abc123' password, then again it doesn't mean that the company responsible for safeguarding this feeble attempt from the player's end should just sit back and say "whoops easy password, not my problem, buy my safeguarding shite" and turn Abc123 into abc123, ABC123, abC123, etc and give a brute force program more than 1 viable option at breaking down such easy passes.

    And you don't address the Virtual keyboard issue either. Even a child would find it fun to press a virtual button, so I don't know how Blizzard can't "cater" to the majority of their playerbase.

    And sorry to say, but coming up with excuses as to why Blizzard is not at fault is pretty much on the same grounds as defending them, even though you might personally not find it agreeable, call it force of habit or fanboyism or whatever if you may. But just saying it for what it is. And the only reason why I even posted here was because of that absurd excuse you came up with in Blizzard's defence: "They aren't morons; what many of them are is children or people with no computer skills whatsoever." So do tell us, from when does knowing the difference between a capital ' A ' and a small letter ' a ' become a matter of "computer skills"? Excuses such as these show that you aren't wearing that thinking hat over those rosy tinted goggles of yours. Hilarious stuff that.

    I understand your issues, but the only thing Blizzard can do regarding the strength of passwords is putting up some restrictions, for example, use at least:

    • one capital letter
    • one number
    • one special character.

    What would be better is to also demand that players make a passphrase, including the above named restrictions, with a length of 10 characters minimum. Passphrases are harder to crack and easier to remember. Information Security in general would benefit to some degree if everyone started supporting passphrases (not every login system supports long passwords). Aside from checking if the user passes the restrictions, there isn't much else Blizzard can do about it. They can hardly check if the passwords are good enough. They're meant to be secret and all.

    Your idea of a virtual keyboard is nice and all, but that isn't faultless either. These keyboards still use the keyboard drivers, which keyloggers can also check/infect so to say. This is a semi-interesting read about virtual keyboards: http://ask-leo.com/will_using_an_on_screen_keyboard_stop_keyboard_loggers_and_hackers.html

    It's unlikely that companies like Blizzard are going to pour money into researching the perfect virtual keyboard. Simply because it's easier to abuse than something like the authenticator.

  • RainBringerRainBringer Member Posts: 150
    Originally posted by MikkelB
    I understand your issues, but the only thing Blizzard can do regarding the strength of passwords is putting up some restrictions, for example, use at least:

    • one capital letter
    • one number
    • one special character.

    What would be better is to also demand that players make a passphrase, including the above named restrictions, with a length of 10 characters minimum. Passphrases are harder to crack and easier to remember. Information Security in general would benefit to some degree if everyone started supporting passphrases (not every login system supports long passwords). Aside from checking if the user passes the restrictions, there isn't much else Blizzard can do about it. They can hardly check if the passwords are good enough. They're meant to be secret and all.

    Your idea of a virtual keyboard is nice and all, but that isn't faultless either. These keyboards still use the keyboard drivers, which keyloggers can also check/infect so to say. This is a semi-interesting read about virtual keyboards: http://ask-leo.com/will_using_an_on_screen_keyboard_stop_keyboard_loggers_and_hackers.html

    It's unlikely that companies like Blizzard are going to pour money into researching the perfect virtual keyboard. Simply because it's easier to abuse than something like the authenticator.

    Yes, I do agree with the points you make. There is nothing that would be absolutely perfectly undeniably secure over the internet. And even if there ever was, then it's not going to be a system to keep safe the login information for a...single player game like this one.

    But for (one of) the biggest gaming corporations like Blizzard to sit back and not enforce heuristics governed forms of password security is downright BS.

    Others have already mentioned other cheap, readily available means of providing increased security layers (like being prompted to enter a code sent to the designated email ID if logging in from another IP/region) so I don't need to rehash all that, but Blizzard showing that it can't be arsed to even do something as simple as this says a lot.

    I got nothing else to add to this topic, only waiting to see how the situation stands when RMAH goes into full spring. If people start to lose "their" money via hacking or whatever, then we might see some entertaining threads out here ;)

    EDIT: Also I don't know if BNet logins have a lockdown after a particular number of failed authentications (haven't logged into BNET for a little over 7 years now so I dunno how the situation stands) in case of a brute force attack, but if it doesn't then shame on Blizzard for skimping on this rudimentary security measure.
  • MikkelBMikkelB Member Posts: 240
    Originally posted by RainBringer

    *a lot of my own crap, look a few posts up*

    Yes, I do agree with the points you make. There is nothing that would be absolutely perfectly undeniably secure over the internet. And even if there ever was, then it's not going to be a system to keep safe the login information for a...single player game like this one.

    But for (one of) the biggest gaming corporations like Blizzard to sit back and not enforce heuristics governed forms of password security is downright BS.

    Others have already mentioned other cheap, readily available means of providing increased security layers (like being prompted to enter a code sent to the designated email ID if logging in from another IP/region) so I don't need to rehash all that, but Blizzard showing that it can't be arsed to even do something as simple as this says a lot.

    I got nothing else to add to this topic, only waiting to see how the situation stands when RMAH goes into full spring. If people start to lose "their" money via hacking or whatever, then we might see some entertaining threads out here ;)

    EDIT: Also I don't know if BNet logins have a lockdown after a particular number of failed authentications (haven't logged into BNET for a little over 7 years now so I dunno how the situation stands) in case of a brute force attack, but if it doesn't then shame on Blizzard for skimping on this rudimentary security measure.

    They already do this, though not through an e-mail service, but through an SMS service. An SMS service is somewhat safer I think, though I can't magically conjure up some statistics right now. An argument against doing this through the use of e-mail is that it's not waterproof if a system has been compromised already. Not saying that an SMS service is uncompromisable (with everybody rooting their phones and installing apps without regarding their phone's security).

    I'm not entering another discussion about the 'single player' aspect of Diablo 3. I'm frankly getting tired of it right now. I'm curious what the effect of the compromised accounts will be on the RMAH. I know that the SMS service also functions as a confirmation system for RMAH transactions, but since the RMAH isn't live yet, it's hard to say how this will work out.

    I can't say how Battle.net handles multiple wrong login/password entries in a set amount of time. I can't imagine that there isn't a limit, but seeing that they don't enforce strong passwords, I'm not willing to place a bet on it.
