Diablo® III

‘SRP’ WON’T PROTECT BLIZZARD STOLEN PASSWORDS

http://www.opine.me/blizzards-battle-net-hack/

To establish a password P with Blizzard, a user picks a random salt s, and computes:

x = SHA1(s | SHA(username | “:” | P))
v = g^x % N

Blizzard stores v and s as the user’s password verifier and salt. The values ‘g’ and ‘N’ are “well-known values, agreed to beforehand.” Blizzard has published these values and programmers can use them to interface with Blizzards systems. In other words, the attacker knows ‘g’ and ‘N’.

What the attacker was able to steal from Blizzard is the verifier database which is the set of { username, v, s } for each user.


A recent Intel benchmark shows performance of 1024-bit and 512-bit ME on their i7 -2600 CPU (from 2011). Based on these numbers, I would extrapolate that the attacker can probably run over 100k 256-bit ME’s per second, for each CPU core they dedicate to the attack. At this rate, for each machine dedicated to cracking these passwords, they can check 100,000 of their top passwords against 400,000 usernames, per day. Since the attack happened over 5 days ago, millions of users’ passwords have likely already been cracked.


The prospect of an attacker holding your email address, password, and security question/answer is troublesome, to put it mildly. Blizzard is incorrect in claiming that SRP “is designed to make it extremely difficult to extract the actual password.” That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe.

I implore anyone who is a member of Battle.net: immediately ensure your old Battle.net password is not being used on any other sites, and you should never use that same password again. You should also verify your secret question/answer that you used on Battle.net is not reused elsewhere as well.

To Mike Morhaime and the Blizzard security team, I would request immediate retraction or clarification on your statement about the difficulty of extracting passwords from the stolen database. The message to your users should be clear: you’re passwords have almost certainly been cracked, and you should take immediate action.


Change your passwords. Change any passwords associated with that email address.
Reply Quote
I hope everyone sees/knows about this. I'm at work, so I can't bump it all day. Good luck to you all.
Reply Quote
Most of the beginning of this post sounds unlikely, require sources.

I will immediately change what city I was born in, my father's middle name, and my favorite food.
Reply Quote
Woah, the CMs didn't lock this one?
Reply Quote
they are too busy locking relevant threads relating to poor performance issues
Reply Quote
I just hope everyone changed their passwords and double checked all other sites registered with the same email.
Reply Quote

Please report any Code of Conduct violations, including:

Threats of violence. We take these seriously and will alert the proper authorities.

Posts containing personal information about other players. This includes physical addresses, e-mail addresses, phone numbers, and inappropriate photos and/or videos.

Harassing or discriminatory language. This will not be tolerated.

Forums Code of Conduct

Report Post # written by

Reason
Explain (256 characters max)
Submit Cancel

Reported!

[Close]