I am able to log into D3 even if I change the case on some of the letters in my password. This should be fixed.
|
#1
5/22/2012
|
|
|
Can confirm this as true for Alphabetic characters.
|
#2
5/22/2012
|
umm you guys might want to FIX that. As passwords being case sensitive is almost grade-school level Security. Starting to wonder if Blizzard is in the business of making it 'easy' for people to be hacked, especially with the recent rush of hacked D3 accounts combined with what you just said...
#5
5/22/2012
|
|
|
Lawl. This is why everyone's account is getting hacked. You successfully reduced the key space by what, half? You do know that trivializes guessing, right? With just someone's e-mail address, if their password was 5 characters, I could have a program guess the associated battle-net password in under 2 hours, while a case-sensitive password would take at least a day. We're talking an exponential decrease in strength. A longer password would take years if it was case sensitive, but only days or months as it stands.
Or, hey everyone! Buy our authenticator for the low, low price of....
#6
5/22/2012
|
Free if you get the Android/iPhone one.. but yea, it's like Blizzard is simply pushing the 'security' of their accounts out of their hands, and into the hands of the Authenticator corps.
#7
5/22/2012
|
|
|
Assuming only alphanumerics (no specials), there are usually 52 + 10 = 62 possible values per character in a password. By reducing this by even a small amount, longer password integrity is reduced significantly as it's an exponential difference.
5 characters with 62 possible values: 916,132,832 possible combinations, expected broken by 50 million.
5 characters with 36 possible values (case insensitive): 60,466,176 possible combinations, broken by 35 million.
At 10 characters: 144,555,105,949,057,024 vs. 3,656,158,440,062,976.
Simply put, use a password that's at least 10 characters long. Ideally 16+. The likely reason they support case insensitivity is to make it less likely that people mistype passphrases. So use one; a 50 character long passphrase is relatively secure.
#8
5/22/2012
|
Actually mine has both upper and lower + # and special (though now those upper/lower cases don't seem to matter anymore). But the fact still remains.. not having case sensitive checks hurts their password security. So someone forgets they capitalized a W in their password? That's why you put little reminders in the password error message for them to check their caps-lock key or such, or let them reset it if they simply forgot which one was capital or which was lower-case. You don't compromise your own security for the sake of 'convenience'.
Edited by Rhapsody#1432 on 5/22/2012 12:17 PM PDT
|
#9
5/22/2012
|
|
|
Free if you get the Android/iPhone one... You make it sound like trading my privacy for a free app is an acceptable alternative.
#11
5/22/2012
|
You also snipped out the following from that same thread. "It's like Blizzard is simply pushing the 'security' of their accounts out of their hands, and into the hands of the Authenticator corps." I was not agreeing with it being 'acceptable' that they're downgrading their 'own' security and pushing all the responsibility on someone else.
#12
5/22/2012
|
|
|
This means they probably store passwords in plain text, unsalted, etc. This is unbelievable.
Edited by Qwiggalo#1407 on 5/22/2012 5:02 PM PDT
|
#13
5/22/2012
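Added example, not from the thread and not Blizzard's code: one way a login can accept any capitalisation while the server keeps only a salted, slow hash is to fold case before hashing. PBKDF2, the iteration count, the function names and the sample password are assumptions of this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def normalize(password: str, case_insensitive: bool) -> bytes:
    # Case folding happens before hashing, so the server never needs
    # the plaintext again to accept a differently capitalised attempt.
    text = password.casefold() if case_insensitive else password
    return text.encode("utf-8")


def enroll(password: str, case_insensitive: bool) -> dict:
    # A fresh random salt per account; only salt and digest are stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, case_insensitive), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "digest": digest, "case_insensitive": case_insensitive}


def verify(record: dict, attempt: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(attempt, record["case_insensitive"]),
        record["salt"],
        PBKDF2_ITERATIONS,
    )
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed sample password, enrolled under both policies.
    folded = enroll("CorrectHorse42", case_insensitive=True)
    strict = enroll("CorrectHorse42", case_insensitive=False)
    return {
        "folded_accepts_other_case": verify(folded, "correcthorse42"),
        "strict_accepts_other_case": verify(strict, "correcthorse42"),
        "strict_accepts_exact": verify(strict, "CorrectHorse42"),
        "folded_accepts_wrong_digit": verify(folded, "correcthorse43"),
    }


if __name__ == "__main__":
    print(demo())
```

The folded policy still gives up the entropy that capitalisation would have added; it only shows that the login behaviour and the storage format are separate questions.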
|
|
You people going on about possible number of values... that really only matters if the passwords are completely randomly chosen from all available characters. People don't do that, not when they have to remember them.
If someone wants to make the password stronger, and still memorable, they'll be just as likely, or more likely, to make it longer or add a number somewhere than to add random caps. Not having caps just makes passwords simpler and easier to use, and it's an understandable choice. It means people don't have to remember whether they capitalized a word or not for their password to work. It's usually more efficient anyway (password strength per effort to remember) to make it a little longer or more convoluted in a memorable way than scattered caps. Even if you do use caps, you're going to use one, maybe two in the password (or one or two non-caps). The exponential growth thing is kind of irrelevant since the passwords are picked by people who have to remember them, not a random pool.
Edit: The Sony break-in was system security, not cracking a few account passwords, if you didn't notice. This has absolutely nothing to do with that.
Edited by Rowan#1447 on 5/22/2012 5:40 PM PDT
|
#16
5/22/2012
|
|
|
Yes lol!
#17
5/22/2012
|
|
|
Counterexample: Most people don't use randomly generated passwords. They use words referring to them. Let's say your password is a combination of your name and birth year (much too often used) and the hacker knows you in real life (or just hijacked your Facebook session while you were in a cybercafé). He then makes a wordlist containing different combinations of your name, birthdate, name of pets, favourite music ...
Your password is "jMerliN1234".
That single password without case sensitivity: only one possibility
with case sensitivity: 2^7 = 128 possibilities
For a word list with 100.000 different passwords with an average length of 8 chars this means a reduction from 2^8*100.000 = 25.600.000 to 100.000 passes (more than 99% reduction!). This makes a HUGE difference!
#18
5/22/2012
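Added example, not part of any post in the thread: the two models argued over above, uniformly random alphanumeric passwords and a personal wordlist, counted side by side so a password policy can be judged under each. The function names and the three-entry wordlist are constructed for illustration.

```python
import math

ALNUM_CASE_SENSITIVE = 26 + 26 + 10  # a-z, A-Z, 0-9
ALNUM_CASE_FOLDED = 26 + 10          # letters collapse to one case


def random_keyspace(length: int, case_sensitive: bool) -> int:
    """Size of the space of uniformly random alphanumeric passwords."""
    base = ALNUM_CASE_SENSITIVE if case_sensitive else ALNUM_CASE_FOLDED
    return base ** length


def bits_lost_random(length: int) -> float:
    """Entropy given up by folding case, under the random model."""
    return math.log2(random_keyspace(length, True) / random_keyspace(length, False))


def case_variants(candidate: str) -> int:
    """Distinct capitalisations of one candidate (digits have one form)."""
    letters = sum(1 for ch in candidate if ch.lower() != ch.upper())
    return 2 ** letters


def wordlist_space(candidates, case_sensitive: bool) -> int:
    """Upper bound on distinct strings a wordlist expands to.

    Case-sensitive: every capitalisation of every distinct word counts.
    Case-insensitive: each distinct folded word counts once.
    """
    folded = {c.lower() for c in candidates}
    if case_sensitive:
        return sum(case_variants(c) for c in folded)
    return len(folded)


# Constructed sample wordlist in the style the post describes.
SAMPLE_WORDLIST = ["jMerliN1234", "merlin1987", "rex2012"]

if __name__ == "__main__":
    for n in (5, 10, 16):
        print(n, random_keyspace(n, True), random_keyspace(n, False),
              round(bits_lost_random(n), 2))
    print(case_variants("jMerliN1234"))
    print(wordlist_space(SAMPLE_WORDLIST, True), wordlist_space(SAMPLE_WORDLIST, False))
```

Under the random model the loss is about 0.78 bits per character; under the wordlist model it is up to one bit per letter, which length recovers faster than capitalisation does.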
|