Diablo® III

Passwords NOT case-sensitive.

(Locked)

I am able to log into D3 even if I change the case on some of the letters in my password. This should be fixed.
Can confirm this as true for Alphabetic characters.
05/22/2012 09:55 AM Posted by Derpvan
Can confirm this as true for Alphabetic characters.


Whew, I'm glad my uppercase numbers are safe then.
Blizzard Employee
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)
05/22/2012 10:18 AM Posted by Vasadan
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)

umm you guys might want to FIX that. As passwords being case sensitive is almost grade-school level security. Starting to wonder if Blizzard is in the business of making it 'easy' for people to be hacked, especially with the recent rush of hacked D3 accounts combined with what you just said...
Lawl. This is why everyone's account is getting hacked. You successfully reduced the key space by what, half? You do know that trivializes guessing, right? With just someone's e-mail address, if their password was 5 characters, I could have a program guess the associated Battle.net password in under 2 hours, while a case-sensitive password would take at least a day. We're talking an exponential decrease in strength. A longer password would take years if it was case sensitive, but only days or months as it stands.

Or, hey everyone! Buy our authenticator for the low, low price of....
05/22/2012 10:43 AM Posted by Daxos
Or, hey everyone! Buy our authenticator for the low, low price of....


Free if you get the Android/iPhone one... but yeah, it's like Blizzard is simply pushing the 'security' of their accounts out of their hands, and into the hands of the Authenticator corps.
05/22/2012 10:22 AM Posted by Rhapsody
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)

umm you guys might want to FIX that. As passwords being case sensitive is almost grade-school level security. Starting to wonder if Blizzard is in the business of making it 'easy' for people to be hacked, especially with the recent rush of hacked D3 accounts combined with what you just said...


Assuming only alphanumerics (no specials), there are usually 52 + 10 = 62 possible values per character in a password. By reducing this by even a small amount, longer password integrity is reduced significantly as it's an exponential difference.

5 characters with 62 possible values: 916,132,832 possible combinations, expected broken by 50 million.

5 characters with 36 possible values (case insensitive): 60,466,176 possible combinations, broken by 35 million.

At 10 characters:
144,555,105,949,057,024
vs.
3,656,158,440,062,976

Simply put, use a password that's at least 10 characters long. Ideally 16+.

The likely reason they support case insensitivity is to make it less likely that people mistype passphrases. So use one; a 50 character long passphrase is relatively secure.

Simply put, use a password that's at least 10 characters long. Ideally 16+.

The likely reason they support case insensitivity is to make it less likely that people mistype passphrases. So use one; a 50 character long passphrase is relatively secure.


Actually mine has both upper and lower + # and special (though now those upper/lower cases don't seem to matter anymore).

But the fact still remains.. not having case sensitive checks hurts their password security. So someone forgets they capitalized a W in their password? That's why you put little reminders in the password error message for them to check their caps-lock key or such, or let them reset it if they simply forgot which one was capital or which was lower-case. You don't compromise your own security for the sake of 'convenience'.
Edited by Rhapsody#1432 on 5/22/2012 12:17 PM PDT
05/22/2012 10:18 AM Posted by Vasadan
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)
what
Free if you get the Android/iPhone one...


You make it sound like trading my privacy for a free app is an acceptable alternative.
05/22/2012 01:04 PM Posted by Daxos
Free if you get the Android/iPhone one...


You make it sound like trading my privacy for a free app is an acceptable alternative.


You also sniped out the following from that same thread.

"It's like Blizzard is simply pushing the 'security' of their accounts out of their hands, and into the hands of the Authenticator corps."

I was not agreeing with it being 'acceptable' that they're downgrading their 'own' security and pushing all the responsibility on someone else.
This means they probably store passwords in plain text, unsalted, etc. This is unbelievable.
Edited by Qwiggalo#1407 on 5/22/2012 5:02 PM PDT
05/22/2012 10:18 AM Posted by Vasadan
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)

Post of the year.
You people going on about possible number of values... that really only matters if the passwords are completely randomly chosen from all available characters. People don't do that, not when they have to remember them.

If someone wants to make the password stronger, and still memorable, they'll be just as likely, or more likely, to make it longer or add a number somewhere than to add random caps. Not having caps just makes passwords simpler and easier to use, and it's an understandable choice. It means people don't have to remember whether they capitalized a word or not for their password to work. It's usually more efficient anyway (password strength per effort to remember) to make it a little longer or more convoluted in a memorable way than scattered caps.

Even if you do use caps, you're going to use one, maybe two in the password (or one or two non-caps). The exponential growth thing is kind of irrelevant since the passwords are picked by people who have to remember them, not a random pool.

edit: The Sony break-in was system security, not cracking a few account passwords, if you didn't notice. This has absolutely nothing to do with that.
Edited by Rowan#1447 on 5/22/2012 5:40 PM PDT
05/22/2012 05:30 PM Posted by Cyborgmatt
This is actually consistent with all of our Blizzard games. Try it in WoW and SC2 :)

Post of the year.


Yes lol!
05/22/2012 11:20 AM Posted by jMerliN

umm you guys might want to FIX that. As passwords being case sensitive is almost grade-school level security. Starting to wonder if Blizzard is in the business of making it 'easy' for people to be hacked, especially with the recent rush of hacked D3 accounts combined with what you just said...


Assuming only alphanumerics (no specials), there are usually 52 + 10 = 62 possible values per character in a password. By reducing this by even a small amount, longer password integrity is reduced significantly as it's an exponential difference.

5 characters with 62 possible values: 916,132,832 possible combinations, expected broken by 50 million.

5 characters with 36 possible values (case insensitive): 60,466,176 possible combinations, broken by 35 million.

At 10 characters:
144,555,105,949,057,024
vs.
3,656,158,440,062,976

Simply put, use a password that's at least 10 characters long. Ideally 16+.

The likely reason they support case insensitivity is to make it less likely that people mistype passphrases. So use one; a 50 character long passphrase is relatively secure.


Counterexample:

Most people don't use randomly generated passwords. They use words referring to them. Let's say your password is a combination of your name and birth year (much too often used) and the hacker knows you in real life (or just hijacked your Facebook session while you were in a cybercafé). He then makes a wordlist containing different combinations of your name, birthdate, name of pets, favourite music ...

Your password is "jMerliN1234"
That single password without case sensitivity: only one possibility
with case sensitivity: 2^7 = 128 possibilities

For a word list with 100.000 different passwords with an average length of 8 chars this means a reduction from 2^8*100.000 = 25.600.000 to 100.000 passes (more than 99% reduction!)

this makes a HUGE difference!
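The two arguments above (jMerliN's key-space figures and the wordlist counterexample) are easy to check numerically. The following is an added example, not code from the thread; it recomputes the exact combination counts for a given alphabet size and length, and counts how many case-sensitive spellings collapse onto one case-insensitive candidate for a small constructed wordlist, which is the number a defender would use when estimating how much a case-folding login check weakens a password policy.

```python
# Added example: quantify the effect of case-insensitive password checks.
# Nothing here is Blizzard code; the wordlist below is constructed for illustration.
from math import prod


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def average_guesses(space: int) -> int:
    """Average number of guesses to hit a uniformly random password: half the space."""
    return space // 2


def case_variants(password: str) -> int:
    """How many distinct case-sensitive strings fold to the same case-insensitive
    string: 2 choices per letter, 1 per digit or symbol (so "jMerliN1234" -> 2**7)."""
    return prod(2 if c.isalpha() else 1 for c in password)


def wordlist_reduction(words):
    """Candidates a case-sensitive check must distinguish vs. a case-folding one,
    plus the fraction of work removed by case folding."""
    sensitive = sum(case_variants(w) for w in words)
    insensitive = len(words)
    return sensitive, insensitive, 1 - insensitive / sensitive


if __name__ == "__main__":
    for length in (5, 10):
        mixed, folded = keyspace(62, length), keyspace(36, length)
        print(f"{length} chars: 62-symbol space {mixed:,} (avg {average_guesses(mixed):,} guesses) "
              f"vs 36-symbol space {folded:,} (avg {average_guesses(folded):,} guesses)")
    # Constructed, obviously weak entries of the "name + number" kind the post describes.
    sample_words = ["jmerlin1234", "derpvan2012", "diablo3"]
    sens, insens, cut = wordlist_reduction(sample_words)
    print(f"wordlist: {sens} case-sensitive candidates vs {insens} case-folded "
          f"({cut:.1%} of the work removed by case folding)")
```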
Blizzard Employee
Please leave discussions like this to the General Discussion forums. I'm not going to keep posting on threads if my answer to someone's bug report is a huge discussion about something that isn't a bug.
Edited by Vasadan on 5/22/2012 6:10 PM PDT
This topic is locked.
