Battle.net Hack May Be More Serious Than Blizzard Lets On
Category: News Archive
Unless Blizzard has previously strengthened their verifier database by selecting their own, more expensive hashing algorithm such as bcrypt set at an onerous difficulty, then each user's password can be individually dictionary attacked at well over 100k guesses per second. Combined with Blizzard's reduced entropy password policy (all lower-case, no symbols), this means that it is highly likely that the vast majority of passwords stored in their database have already been cracked by the attacker.

Spilman goes on to ask that Blizzard be more open about the details of the attack, and suggests they outright admit that passwords have been compromised. While it might sound a bit like Spilman is looking to bring more traffic to his own site, it's also believable that Blizzard would understate the severity of the hack.
The prospect of an attacker holding your email address, password, and security question/answer is troublesome, to put it mildly. Blizzard is incorrect in claiming that SRP "is designed to make it extremely difficult to extract the actual password." That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe.
I implore anyone who is a member of Battle.net: immediately ensure your old Battle.net password is not being used on any other sites, and you should never use that same password again. You should also verify that the secret question/answer you used on Battle.net is not reused elsewhere either.
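To make Spilman's point concrete, here is an added example (not code from the article, from Spilman, or from Blizzard) showing why a stolen SRP verifier is no safer than a salted password hash: the verifier v = g^x mod N is a pure function of the salt and password, so its only protection against offline guessing is the cost of computing x. The group parameters, salt, usernames and the PBKDF2 stand-in for bcrypt are all assumptions made for the demonstration; the 100k guesses/second rate is the figure quoted above.

```python
import hashlib

# Toy group for demonstration only (assumption, not an RFC 5054 group):
# 2**127 - 1 is prime and g = 2 is used as the generator.
N = 2**127 - 1
g = 2

def srp_x_fast(salt: bytes, username: str, password: str) -> int:
    """RFC 5054 style private key x = SHA1(salt || SHA1(username ':' password)).
    Two cheap hashes per candidate, so whoever holds (salt, v) can test
    candidate passwords offline at hardware speed."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")

def srp_x_stretched(salt: bytes, username: str, password: str,
                    iterations: int = 200_000) -> int:
    """Same derivation, but the outer SHA-1 is replaced by PBKDF2-HMAC-SHA256
    (an assumed stand-in for bcrypt), so each candidate costs `iterations` hashes."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    dk = hashlib.pbkdf2_hmac("sha256", inner, salt, iterations)
    return int.from_bytes(dk, "big")

def verifier(x: int) -> int:
    """SRP verifier v = g^x mod N, the value a server stores per user."""
    return pow(g, x, N)

def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def hours_to_exhaust(alphabet_size: int, max_len: int, guesses_per_sec: float) -> float:
    """Wall-clock hours to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_sec / 3600

if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
    print(f"fast verifier:      {verifier(srp_x_fast(salt, 'alice', 'password')):#x}")
    print(f"stretched verifier: {verifier(srp_x_stretched(salt, 'alice', 'password')):#x}")
    # Lower-case-only policy (26 symbols) vs full printable ASCII (95 symbols),
    # 8 characters, at the quoted 100k guesses/second against a SHA-1 verifier.
    for name, size in (("lower-case only", 26), ("printable ASCII", 95)):
        print(f"{name:16} 8 chars: {hours_to_exhaust(size, 8, 1e5):>16,.0f} hours")
    # 200k PBKDF2 iterations cost ~100,000x more than the two SHA-1 calls per guess.
    slowdown = 200_000 // 2
    print(f"lower-case only  8 chars, stretched: "
          f"{hours_to_exhaust(26, 8, 1e5 / slowdown):,.0f} hours")
```

Run as a script, it prints both verifiers and the exhaustive-search times for the two policies, showing that the case-insensitive policy is exhaustible in days against an unstretched verifier while the stretched one pushes the same search to thousands of years.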
Meanwhile, Blizzard have released an FAQ on the security breach, though it doesn't appear to deny any of the claims made by Spilman outright.