Like I said, I could be interpreting this all wrong, but would love some input from people much much smarter than me :)
There are three ways they can get into your account.
- Hacking Blizzard
- Finding out your password
- Trying to guess your password.
Blizzard knows the first hasn't happened.
The second requires either a virus on your computer which records what you type, OR a phishing scam. Phishing would be the hackers pretending they are Blizzard, asking for your password, and then you give it to them. They can do this very creatively.
Do you see the difference between "www.battle.net" and "www.bаttle.net"? They are two different links. One uses the normal letter "a", and the other uses the Cyrillic letter "а". They both look the same, but to computers they are different. What can also happen is that you use a different website (let's say a Diablo wiki or something) and use the same password there; then the Diablo wiki gets hacked, and then the hackers know your password. You don't need a virus to fall for a phishing scam. Your computer can be really, really secure, but if you type your password in on the wrong site without knowing it is the wrong site, it doesn't matter how safe your computer is, because you gave your password away.
Trying out your password is the unlikely one but still possible. If I have to guess your password like a computer, I would start with: Is your password "a"? Is your password "b"? And then when I reach "z" I ask: Is your password "aa"? I continue like this until I guess the right password. This is called brute force, because you are just trying every combination. If you put letters and numbers in your password, brute force takes a lot longer. It takes even longer for them to try if you put in symbols like !@#$%^*, etc. If I want to guess a password that is 10 letters long, I have to guess 26*26*26*26*26*26*26*26*26*26 times (which is guessing 141,167,095,653,376 times).
Hackers realized that doing this takes a really long time, and they also realized that for normal people it is easier to remember passwords if they just make it a word. Instead of going down the list guessing every possible password, they go down a list of words. They guess dictionary words instead. Now even this is a bit slow, so they decide to get lists of commonly used passwords in general and decide to try those out. (Some stupid people use really easy passwords: http://www.pcmag.com/article2/0,2817,2113976,00.asp)
When you try to guess someone's password you need to have a fast computer to make many, many guesses as fast as possible. What is faster than one computer? Two computers! What is faster than 2 computers? A botnet, which is a network of computers with viruses on them so that the person who put the virus on can use them. That network basically works as one big fast computer, and thousands of computers can guess faster than just one or two computers. The problem is, Blizzard only allows one guess per 5-10 seconds. This makes guessing next to impossible. It would take more than a minute to guess a password that is a single letter. It would take years to guess a password that is 10 letters.
Now here comes the authenticator. The authenticator says that if you try to type in the code and you get it wrong, you have to wait a little while. If you have to guess a completely random string of 8 numbers, there are 10*10*10*10*10*10*10*10 possibilities (100 million). Let's say that someone has to wait just a single second to try again if the authentication is wrong. This would still mean that to correctly guess the authenticator code, it would take millions of minutes, or thousands of hours. The code changes every 30 seconds. Even the fastest computers can't guess the code like that. Every authenticator gives a different code, so even if hackers guess the code (which is impossible) they still wouldn't be able to use it to hack more than one account.
Whenever I connect from somewhere else, Blizzard asks me for an authenticator code. So if someone has your password and they connect on their computer, Blizzard will know that it isn't the same computer trying to get in my account. (They know because they aren't connecting with the same internet connection.) Since it is a different computer or a different internet connection, Blizzard asks for the authenticator code. Even if I give my password to a hacker they won't be able to get in, since when they try to log in Blizzard asks them for the authenticator code.
Hackers would have to go into my house and steal my authenticator to be able to hack my account.
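The "www.battle.net" versus "www.bаttle.net" trick in the post above is a homoglyph (look-alike) domain. As an added example, not part of the original post, here is a small Python check a defender could run over links before trusting them: it flags a hostname whose labels mix scripts (Latin and Cyrillic letters in one word) and shows the IDNA/Punycode form that DNS actually resolves, which is where the two "identical" names differ. The sample URLs are constructed; the script-naming heuristic (first word of the Unicode character name) is an assumption that is good enough for this purpose.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the genuine host beside a look-alike whose second letter is
# CYRILLIC SMALL LETTER A (U+0430), visually identical to LATIN SMALL LETTER A.
GENUINE_URL = "https://www.battle.net/login"
LOOKALIKE_URL = "https://www.b\u0430ttle.net/login"


def hostname_of(url: str) -> str:
    """Extract the host part of a URL (lower-cased by urlsplit)."""
    return urlsplit(url).hostname or ""


def scripts_in_label(label: str) -> set:
    """Return the set of Unicode scripts used by the letters of one DNS label.

    Heuristic (assumption): the script is the first word of the character's
    Unicode name ("LATIN", "CYRILLIC", "GREEK", ...); digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label of the hostname mixes letters from more than one script."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def to_ascii(hostname: str) -> str:
    """Encode the hostname the way DNS sees it (IDNA / Punycode).

    A label containing non-ASCII letters comes back as an 'xn--' label, so the
    look-alike and the real domain are plainly different strings in this form.
    """
    return hostname.encode("idna").decode("ascii")


def lookalike_report(url: str) -> dict:
    """Summarise the homoglyph-related properties of a URL's hostname."""
    host = hostname_of(url)
    ascii_form = to_ascii(host)
    return {
        "hostname": host,
        "ascii_form": ascii_form,
        "non_ascii": any(ord(ch) > 127 for ch in host),
        "mixed_script": is_mixed_script(host),
        # Either signal alone is enough to treat the link as suspicious.
        "suspicious": ascii_form != host or is_mixed_script(host),
    }


if __name__ == "__main__":
    for url in (GENUINE_URL, LOOKALIKE_URL):
        print(lookalike_report(url))
```

The mixed-script test catches the case in the post (one Cyrillic letter dropped into a Latin word); a domain written entirely in one non-Latin script is legitimate for many sites, which is why the report keeps the Punycode form as a separate signal rather than rejecting every non-ASCII name outright.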
05/30/2012 11:02 AM
Well, they could implement "Captchas"; though annoying, they would be pretty helpful if they are just mass spamming PW's.
Posted by MYDJAXT
Captchas only help if they are trying to "guess" the password. Blizzard already has measures against the "guessing" of passwords, like the time it takes if you input the wrong password.
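The arithmetic behind the original post (26^10 guesses for a 10-letter password, a wait between wrong attempts, an 8-digit code that rotates) and the reply above about rate limiting can be put into one small model. The following Python is an added example, not from either poster: it computes how long an online guessing campaign takes when the server permits one attempt per fixed interval, and how a rotating code behaves when every attempt is an independent 1-in-10^8 shot. The 5-second interval (the low end of the post's "5-10 seconds"), the 10,000-word dictionary size and the 7-symbol set taken from the post's "!@#$%^*" are assumptions.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def worst_case_seconds(space: int, seconds_per_guess: float) -> float:
    """Time to exhaust a keyspace when the server allows one guess every `seconds_per_guess`."""
    return space * seconds_per_guess


def success_probability(guesses: int, space: int) -> float:
    """Chance that `guesses` attempts hit a secret that is re-drawn uniformly from `space`
    between attempts (a rotating authenticator code), so each attempt is independent."""
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def expected_seconds_rotating_code(digits: int, seconds_per_guess: float) -> float:
    """Expected time to hit a rotating `digits`-digit code at one guess per interval.
    With independent attempts the expected number of guesses equals the code space."""
    return keyspace(10, digits) * seconds_per_guess


def rate_limited_report(seconds_per_guess: float = 5.0, dictionary_size: int = 10_000) -> dict:
    """Worst-case years to exhaust each guessing strategy under the given rate limit.

    Assumptions: lowercase letters only for the post's 26^10 case, 10 digits added for
    the alphanumeric case, 7 symbols ('!@#$%^*') for the symbol case, and a constructed
    10,000-entry word list for the dictionary case.
    """
    scenarios = {
        "10 lowercase letters": keyspace(26, 10),
        "10 letters+digits": keyspace(26 + 10, 10),
        "10 letters+digits+symbols": keyspace(26 + 10 + 7, 10),
        "dictionary word (10k list)": dictionary_size,
        "8-digit code": keyspace(10, 8),
    }
    return {
        name: worst_case_seconds(space, seconds_per_guess) / SECONDS_PER_YEAR
        for name, space in scenarios.items()
    }


if __name__ == "__main__":
    for name, years in rate_limited_report().items():
        print(f"{name:30s} {years:14.6f} years")
    print("single letter, 5 s/guess:", worst_case_seconds(26, 5.0), "seconds")
    print("rotating 8-digit code, 1 s/guess:",
          expected_seconds_rotating_code(8, 1.0) / SECONDS_PER_YEAR, "years expected")
```

The report makes the post's contrast concrete: under the same 5-second limit, a random 10-letter password takes millions of years to exhaust while a 10,000-word dictionary is exhausted in well under a day, which is why the guessing that actually succeeds is dictionary and common-password guessing, and why the rotating code (about 10^8 seconds expected even at one guess per second) is what stops an attacker who already has the password.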