alt.games.warcraft

Blizzard password security

ScratchMonkey

1/18/2012 2:04:00 AM

I discovered today that passwords are NOT case-sensitive. That makes them
much easier to guess by cycling through a list of possible entries.

It also looks like there's no delay between failed attempts. My Linux
system penalizes failed attempts with a long and growing delay so a
guessing attack would take forever to crack into an account.

I just found this excuse for why they use case-insensitive passwords:

http://eu.battle.net/wow/en/forum/topic/...
17 Answers

twk

1/18/2012 5:31:00 AM

0

In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:

> I discovered today that passwords are NOT case-sensitive. That makes them
> much easier to guess by cycling through a list of possible entries.
>
> It also looks like there's no delay between failed attempts. My Linux
> system penalizes failed attempts with a long and growing delay so a
> guessing attack would take forever to crack into an account.
>
> I just found this excuse for why they use case-insensitive passwords:
>
> http://eu.battle.net/wow/en/forum/topic/...

Strangely enough, this goes against everything I've been told about
passwords...

For those that can't check because you're at work, it says:
Having a password in capitals may feel more secure but in the end a
keylogger will still be able to obtain the data.

I knew our passwords weren't case sensitive, but I never knew the cheesy
excuse.

If you have a key logger, well, you're screwed. It will get your
password no matter what. This has _nothing_ to do with guessing a
password. Damn, just having a single capital letter, or more, greatly
reduces guessing a password. Get me a shovel, Blizzard is spreading the
shit pretty deep.

--
For all you know this message was...
Sent via an exclusive network, on a snobby portable computing device.

Catriona R

1/18/2012 11:55:00 AM

0


On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
wrote:

>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
>
>> I discovered today that passwords are NOT case-sensitive. That makes them
>> much easier to guess by cycling through a list of possible entries.
>>
>> It also looks like there's no delay between failed attempts. My Linux
>> system penalizes failed attempts with a long and growing delay so a
>> guessing attack would take forever to crack into an account.
>>
>> I just found this excuse for why they use case-insensitive passwords:
>>
>> http://eu.battle.net/wow/en/forum/topic/...
>
>Strangely enough, this goes against everything I've been told about
>passwords...
>
>For those that can't check because you're at work, it says:
>Having a password in capitals may feel more secure but in the end a
>keylogger will still be able to obtain the data.
>
>I knew our passwords weren't case sensitive, but I never knew the cheesy
>excuse.
>
>If you have a key logger, well, you're screwed. It will get your
>password no matter what. This has _nothing_ to do with guessing a
>password. Damn, just having a single capital letter, or more, greatly
>reduces guessing a password. Get me a shovel, Blizzard is spreading the
>shit pretty deep.

So, what's actually wrong with this "excuse"? If you care about
security enough to consider using capitals in a password then you
obviously possess a brain, will use a long string of letters, numbers,
symbols, and use an authenticator which makes the password irrelevant
anyway (if someone gets past the authenticator either it's
man-in-the-middle, meaning they keylogged your password too, or they
tricked Blizz into removing it, meaning they could've got your
password just as easily). So, what difference does it actually make?

I'd have more of a problem if they didn't offer an authenticator, yes
(like my bank, who I'm always shouting at when they ask for feedback;
it's pathetic that my virtual money is more secure than my real
money), but since they do, then the password strength is rather less
crucial. Not hard to still do a strong password, and being frank,
"guessing" passwords applies much more to "password" "passw0rd",
"abc123" kinda passwords than anything which people who aren't stupid
would come up with.
--
EU-Draenor:
Sagart (85 Undead Priest) Tairbh (85 Tauren Druid)
Buinne (85 Troll Shaman) Eilnich (85 Blood Elf Warlock)
Ruire (85 Blood Elf Paladin) Balgair (82 Human Rogue)
Dubh (80 Orc Death Knight) Rosad (73 Human Warlock)

Frank E

1/18/2012 12:36:00 PM

0

On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
<catrionarNOSPAM@totalise.co.uk> wrote:

>
>On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
>wrote:
>
>>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
>> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
>>
>>> I discovered today that passwords are NOT case-sensitive. That makes them
>>> much easier to guess by cycling through a list of possible entries.
>>>
>>> It also looks like there's no delay between failed attempts. My Linux
>>> system penalizes failed attempts with a long and growing delay so a
>>> guessing attack would take forever to crack into an account.
>>>
>>> I just found this excuse for why they use case-insensitive passwords:
>>>
>>> http://eu.battle.net/wow/en/forum/topic/...
>>
>>Strangely enough, this goes against everything I've been told about
>>passwords...
>>
>>For those that can't check because you're at work, it says:
>>Having a password in capitals may feel more secure but in the end a
>>keylogger will still be able to obtain the data.
>>
>>I knew our passwords weren't case sensitive, but I never knew the cheesy
>>excuse.
>>
>>If you have a key logger, well, you're screwed. It will get your
>>password no matter what. This has _nothing_ to do with guessing a
>>password. Damn, just having a single capital letter, or more, greatly
>>reduces guessing a password. Get me a shovel, Blizzard is spreading the
>>shit pretty deep.
>
>So, what's actually wrong with this "excuse"? If you care about
>security enough to consider using capitals in a password then you
>obviously possess a brain, will use a long string of letters, numbers,
>symbols, and use an authenticator which makes the password irrelevant
>anyway (if someone gets past the authenticator either it's
>man-in-the-middle, meaning they keylogged your password too, or they
>tricked Blizz into removing it, meaning they could've got your
>password just as easily). So, what difference does it actually make?

It makes your account a lot more susceptible to a brute force or
dictionary attack. Unless they changed something recently, Blizzard
also doesn't lock your account after X number of login attempts.
Combine that with a very insecure user name (your e-mail address) and
blizzard has a relatively insecure system unless you use an
authenticator.

Rgds, Frank

Catriona R

1/18/2012 12:44:00 PM

0


On Wed, 18 Jan 2012 07:35:33 -0500, Frank E <fakeaddress@hotmail.com>
wrote:

>On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
><catrionarNOSPAM@totalise.co.uk> wrote:
>
>>
>>On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
>>wrote:
>>
>>>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
>>> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
>>>
>>>> I discovered today that passwords are NOT case-sensitive. That makes them
>>>> much easier to guess by cycling through a list of possible entries.
>>>>
>>>> It also looks like there's no delay between failed attempts. My Linux
>>>> system penalizes failed attempts with a long and growing delay so a
>>>> guessing attack would take forever to crack into an account.
>>>>
>>>> I just found this excuse for why they use case-insensitive passwords:
>>>>
>>>> http://eu.battle.net/wow/en/forum/topic/...
>>>
>>>Strangely enough, this goes against everything I've been told about
>>>passwords...
>>>
>>>For those that can't check because you're at work, it says:
>>>Having a password in capitals may feel more secure but in the end a
>>>keylogger will still be able to obtain the data.
>>>
>>>I knew our passwords weren't case sensitive, but I never knew the cheesy
>>>excuse.
>>>
>>>If you have a key logger, well, you're screwed. It will get your
>>>password no matter what. This has _nothing_ to do with guessing a
>>>password. Damn, just having a single capital letter, or more, greatly
>>>reduces guessing a password. Get me a shovel, Blizzard is spreading the
>>>shit pretty deep.
>>
>>So, what's actually wrong with this "excuse"? If you care about
>>security enough to consider using capitals in a password then you
>>obviously possess a brain, will use a long string of letters, numbers,
>>symbols, and use an authenticator which makes the password irrelevant
>>anyway (if someone gets past the authenticator either it's
>>man-in-the-middle, meaning they keylogged your password too, or they
>>tricked Blizz into removing it, meaning they could've got your
>>password just as easily). So, what difference does it actually make?
>
>It makes your account a lot more susceptible to a brute force or
>dictionary attack. Unless they changed something recently, Blizzard
>also doesn't lock your account after X number of login attempts.
>Combine that with a very insecure user name (your e-mail address) and
>blizzard has a relatively insecure system unless you use an
>authenticator.

I'd imagine anyone sensible about security doesn't use their main
email address though. Nor anything that can be guessed from the
dictionary. Brute force is the only thing that can be a problem and it
makes little enough difference if you already use a sensible password
and an authenticator that I fail to see the problem. Only people
likely to be affected are the ones who don't take security seriously
so wouldn't use a capital letter.

I'm not saying that it wouldn't be a good option to have available,
I'm just failing to see why the lack of the option is a big deal to
some people - if they care about security, they won't get hurt by it
anyway!
--
EU-Draenor:
Sagart (85 Undead Priest) Tairbh (85 Tauren Druid)
Buinne (85 Troll Shaman) Eilnich (85 Blood Elf Warlock)
Ruire (85 Blood Elf Paladin) Balgair (82 Human Rogue)
Dubh (80 Orc Death Knight) Rosad (73 Human Warlock)

usenet

1/18/2012 1:20:00 PM

0

Frank E <fakeaddress@hotmail.com> wrote:

> On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
> <catrionarNOSPAM@totalise.co.uk> wrote:
>
> >
> >On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
> >wrote:
> >
> >>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
> >> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
> >>
> >>> I discovered today that passwords are NOT case-sensitive. That makes them
> >>> much easier to guess by cycling through a list of possible entries.
> >>>
> >>> It also looks like there's no delay between failed attempts. My Linux
> >>> system penalizes failed attempts with a long and growing delay so a
> >>> guessing attack would take forever to crack into an account.
> >>>
> >>> I just found this excuse for why they use case-insensitive passwords:
> >>>
> >>> http://eu.battle.net/wow/en/forum/topic/...
> >>
> >>Strangely enough, this goes against everything I've been told about
> >>passwords...
> >>
> >>For those that can't check because you're at work, it says:
> >>Having a password in capitals may feel more secure but in the end a
> >>keylogger will still be able to obtain the data.
> >>
> >>I knew our passwords weren't case sensitive, but I never knew the cheesy
> >>excuse.
> >>
> >>If you have a key logger, well, you're screwed. It will get your
> >>password no matter what. This has _nothing_ to do with guessing a
> > >>password. Damn, just having a single capital letter, or more, greatly
> >>reduces guessing a password. Get me a shovel, Blizzard is spreading the
> >>shit pretty deep.
> >
> >So, what's actually wrong with this "excuse"? If you care about
> >security enough to consider using capitals in a password then you
> >obviously possess a brain, will use a long string of letters, numbers,
> >symbols, and use an authenticator which makes the password irrelevant
> >anyway (if someone gets past the authenticator either it's
> >man-in-the-middle, meaning they keylogged your password too, or they
> >tricked Blizz into removing it, meaning they could've got your
> >password just as easily). So, what difference does it actually make?
>
> It makes your account a lot more susceptible to a brute force or
> dictionary attack. Unless they changed something recently, Blizzard
> also doesn't lock your account after X number of login attempts.
> Combine that with a very insecure user name (your e-mail address) and
> blizzard has a relatively insecure system unless you use an
> authenticator.
>

It really doesn't make much difference to brute force attacks. The
power of the average desktop these days makes the extra order of
magnitude added by using capitals a non issue. Adding in capital
letters means it takes 3 seconds to crack, rather than 2...

There was an excellent xkcd cartoon about it recently, let me see if I
can find it...

.... which I can't as xkcd is supporting the SOPA protest today!

T.

steve.kaye

1/18/2012 1:20:00 PM

0

On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
<catrionarNOSPAM@totalise.co.uk> wrote:

>
>On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
>wrote:
>
>>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
>> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
>>
>>> I discovered today that passwords are NOT case-sensitive. That makes them
>>> much easier to guess by cycling through a list of possible entries.
>>>
>>> It also looks like there's no delay between failed attempts. My Linux
>>> system penalizes failed attempts with a long and growing delay so a
>>> guessing attack would take forever to crack into an account.
>>>
>>> I just found this excuse for why they use case-insensitive passwords:
>>>
>>> http://eu.battle.net/wow/en/forum/topic/...
>>
>>Strangely enough, this goes against everything I've been told about
>>passwords...
>>
>>For those that can't check because you're at work, it says:
>>Having a password in capitals may feel more secure but in the end a
>>keylogger will still be able to obtain the data.
>>
>>I knew our passwords weren't case sensitive, but I never knew the cheesy
>>excuse.
>>
>>If you have a key logger, well, you're screwed. It will get your
>>password no matter what. This has _nothing_ to do with guessing a
>>password. Damn, just having a single capital letter, or more, greatly
>>reduces guessing a password. Get me a shovel, Blizzard is spreading the
>>shit pretty deep.
>
>So, what's actually wrong with this "excuse"?

The excuse is silly because the same also applies to numbers but they
still allow them in your password. I don't know if you can have
symbols in your password but it would apply to them too.


>If you care about
>security enough to consider using capitals in a password then you
>obviously possess a brain, will use a long string of letters, numbers,
>symbols,

I don't think that that's necessarily true. I can imagine some people
using capitals without numbers or symbols - my Mum for one :P


>and use an authenticator which makes the password irrelevant
>anyway (if someone gets past the authenticator either it's
>man-in-the-middle, meaning they keylogged your password too, or they
>tricked Blizz into removing it, meaning they could've got your
>password just as easily). So, what difference does it actually make?

It makes no difference if you have an authenticator. I have an
authenticator so I don't really care that they don't distinguish
between upper and lower case.


>I'd have more of a problem if they didn't offer an authenticator, yes
>(like my bank, who I'm always shouting at when they ask for feedback;
>it's pathetic that my virtual money is more secure than my real
>money),

I'd strongly consider moving my bank account if I were you. Some
banks even handle changing your direct debits and standing orders for
you so all you'd need to do is contact people who pay you to change
the account details that they have.

steve.kaye
--
Jelan, 85 Priest Clokk, 81 Druid Belugar, 76 Warrior
Kibbs, 83 Paladin Jengu, 81 Death Knight Mingan, 76 Shaman
Miho, 83 Rogue Jaille, 80 Warlock Yopp, 73 Hunter
[ Ravenholdt-EU (Horde) ] Aloola, 70 Mage

Catriona R

1/18/2012 2:22:00 PM

0


On Wed, 18 Jan 2012 13:19:50 +0000, Steve Kaye
<nospam@giddy-kippers.co.uk> wrote:

>On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
><catrionarNOSPAM@totalise.co.uk> wrote:
>>If you care about
>>security enough to consider using capitals in a password then you
>>obviously possess a brain, will use a long string of letters, numbers,
>>symbols,
>
>I don't think that that's necessarily true. I can imagine some people
>using capitals without numbers or symbols - my Mum for one :P

Heh, well, I'm assuming most folk would use numbers rather than
capitals - it never actually occurred to me for many years that
passwords *could* be case sensitive, since websites aren't, email
addresses aren't, etc etc, so I just never used capitals (I now have
them on a few of my more important passwords)

>>and use an authenticator which makes the password irrelevant
>>anyway (if someone gets past the authenticator either it's
>>man-in-the-middle, meaning they keylogged your password too, or they
>>tricked Blizz into removing it, meaning they could've got your
>>password just as easily). So, what difference does it actually make?
>
>It makes no difference if you have an authenticator. I have an
>authenticator so I don't really care that they don't distinguish
>between upper and lower case.

Yeah that's why I'm finding it hard to understand why this is a big
deal :-)

>>I'd have more of a problem if they didn't offer an authenticator, yes
>>(like my bank, who I'm always shouting at when they ask for feedback;
>>it's pathetic that my virtual money is more secure than my real
>>money),
>
>I'd strongly consider moving my bank account if I were you. Some
>banks even handle changing your direct debits and standing orders for
>you so all you'd need to do is contact people who pay you to change
>the account details that they have.

I would if it wasn't for the fact that I'm on disability benefits. Any
time I've ever changed anything relating to payments, address, etc,
the DSS stop paying me for weeks/months while they check it out. One
time they even randomly (connected to no change I'd made) started
paying my money into my parents' account (my parents had NEVER
received my money: it went into my own account right from the start).
So you can probably understand that I don't trust them any more and
just will not ever change anything I can possibly avoid, in the hopes
of actually still getting my money to pay the bills with...

Plus the bank *claims* its security measures are good enough that an
authenticator is unnecessary, they reckon they have some kind of login
pattern checking or somesuch and they do have an extra key beyond the
password. I'm sceptical but it's better than nothing, I guess. Still
think WoW is more secure though.
--
EU-Draenor:
Sagart (85 Undead Priest) Tairbh (85 Tauren Druid)
Buinne (85 Troll Shaman) Eilnich (85 Blood Elf Warlock)
Ruire (85 Blood Elf Paladin) Balgair (82 Human Rogue)
Dubh (80 Orc Death Knight) Rosad (73 Human Warlock)

twk

1/18/2012 2:56:00 PM

0

In article
<1ke2i1t.1czl66f1mnujj9N%usenet@trooperlooper.co.uk.invalid>,
usenet@trooperlooper.co.uk.invalid (Trooper) wrote:

> Frank E <fakeaddress@hotmail.com> wrote:
>
> > On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
> > <catrionarNOSPAM@totalise.co.uk> wrote:
> >
> > >
> > >On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
> > >wrote:
> > >
> > >>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
> > >> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
> > >>
> > >>> I discovered today that passwords are NOT case-sensitive. That makes
> > >>> them
> > >>> much easier to guess by cycling through a list of possible entries.
> > >>>
> > >>> It also looks like there's no delay between failed attempts. My Linux
> > >>> system penalizes failed attempts with a long and growing delay so a
> > >>> guessing attack would take forever to crack into an account.
> > >>>
> > >>> I just found this excuse for why they use case-insensitive passwords:
> > >>>
> > >>> http://eu.battle.net/wow/en/forum/topic/...
> > >>
> > >>Strangely enough, this goes against everything I've been told about
> > >>passwords...
> > >>
> > >>For those that can't check because you're at work, it says:
> > >>Having a password in capitals may feel more secure but in the end a
> > >>keylogger will still be able to obtain the data.
> > >>
> > >>I knew our passwords weren't case sensitive, but I never knew the cheesy
> > >>excuse.
> > >>
> > >>If you have a key logger, well, you're screwed. It will get your
> > >>password no matter what. This has _nothing_ to do with guessing a
> > > >>password. Damn, just having a single capital letter, or more, greatly
> > >>reduces guessing a password. Get me a shovel, Blizzard is spreading the
> > >>shit pretty deep.
> > >
> > >So, what's actually wrong with this "excuse"? If you care about
> > >security enough to consider using capitals in a password then you
> > >obviously possess a brain, will use a long string of letters, numbers,
> > >symbols, and use an authenticator which makes the password irrelevant
> > >anyway (if someone gets past the authenticator either it's
> > >man-in-the-middle, meaning they keylogged your password too, or they
> > >tricked Blizz into removing it, meaning they could've got your
> > >password just as easily). So, what difference does it actually make?
> >
> > It makes your account a lot more susceptible to a brute force or
> > dictionary attack. Unless they changed something recently, Blizzard
> > also doesn't lock your account after X number of login attempts.
> > Combine that with a very insecure user name (your e-mail address) and
> > blizzard has a relatively insecure system unless you use an
> > authenticator.
> >
>
> It really doesn't make much difference to brute force attacks. The
> power of the average desktop these days makes the extra order of
> magnitude added by using capitals a non issue. Adding in capital
> letters means it takes 3 seconds to crack, rather than 2...

It makes a significant difference. For example:
password Password pAssword paSsword pasSword passwOrd passwoRd passworD

The above are all the same to Blizzard. A dictionary type attack would
crack that on the first attempt with "password". If upper case letters
actually meant something, those would be 8 different passwords, add a
few more upper case letters and you increase the difficulty in guessing
the password.

Of course this is an example. No one should be using "password" as their
password. No one should be using words found in any dictionary of any
kind. And don't spell a word backwards... Arg!

Damn, getting off track here.

You should be mixing in upper case letters... Just not in WoW apparently.

> There was an excellent xkcd cartoon about it recently, let me see if I
> can find it...
>
> ... which I can't as xkcd is supporting the SOPA protest today!
>
> T.
>

--
For all you know this message was...
Sent via an exclusive network, on a snobby portable computing device.

Frank E

1/18/2012 3:15:00 PM

0

On Wed, 18 Jan 2012 13:19:30 +0000, usenet@trooperlooper.co.uk.invalid
(Trooper) wrote:

>Frank E <fakeaddress@hotmail.com> wrote:
>
>> On Wed, 18 Jan 2012 11:55:29 +0000, Catriona R
>> <catrionarNOSPAM@totalise.co.uk> wrote:
>>
>> >
>> >On Wed, 18 Jan 2012 00:31:20 -0500, twk <twk@sleepless.knights.com>
>> >wrote:
>> >
>> >>In article <Xns9FDDB7C057DAscratchmonkey@88.198.244.100>,
>> >> ScratchMonkey <ScratchMonkey.blacklist@sewingwitch.com> wrote:
>> >>
>> >>> I discovered today that passwords are NOT case-sensitive. That makes them
>> >>> much easier to guess by cycling through a list of possible entries.
>> >>>
>> >>> It also looks like there's no delay between failed attempts. My Linux
>> >>> system penalizes failed attempts with a long and growing delay so a
>> >>> guessing attack would take forever to crack into an account.
>> >>>
>> >>> I just found this excuse for why they use case-insensitive passwords:
>> >>>
>> >>> http://eu.battle.net/wow/en/forum/topic/...
>> >>
>> >>Strangely enough, this goes against everything I've been told about
>> >>passwords...
>> >>
>> >>For those that can't check because you're at work, it says:
>> >>Having a password in capitals may feel more secure but in the end a
>> >>keylogger will still be able to obtain the data.
>> >>
>> >>I knew our passwords weren't case sensitive, but I never knew the cheesy
>> >>excuse.
>> >>
>> >>If you have a key logger, well, you're screwed. It will get your
>> >>password no matter what. This has _nothing_ to do with guessing a
>> >>password. Damn, just having a single capital letter, or more, greatly
>> >>reduces guessing a password. Get me a shovel, Blizzard is spreading the
>> >>shit pretty deep.
>> >
>> >So, what's actually wrong with this "excuse"? If you care about
>> >security enough to consider using capitals in a password then you
>> >obviously possess a brain, will use a long string of letters, numbers,
>> >symbols, and use an authenticator which makes the password irrelevant
>> >anyway (if someone gets past the authenticator either it's
>> >man-in-the-middle, meaning they keylogged your password too, or they
>> >tricked Blizz into removing it, meaning they could've got your
>> >password just as easily). So, what difference does it actually make?
>>
>> It makes your account a lot more susceptible to a brute force or
>> dictionary attack. Unless they changed something recently, Blizzard
>> also doesn't lock your account after X number of login attempts.
>> Combine that with a very insecure user name (your e-mail address) and
>> blizzard has a relatively insecure system unless you use an
>> authenticator.
>>
>
>It really doesn't make much difference to brute force attacks. The
>power of the average desktop these days makes the extra order of
>magnitude added by using capitals a non issue. Adding in capital
>letters means it takes 3 seconds to crack, rather than 2...
>
Remember, the limiting factor here isn't computer speed, it's the
speed that you can get a reply from their log-in servers. At best,
you'll get 2 or 3 attempts a second.

Rgds, Frank
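
Added example, not part of any post in this thread and not Blizzard's code: a per-account login throttle with a growing delay (the behaviour ScratchMonkey describes on Linux), plus a count of how many guesses fit in a day at Frank E's 3 attempts per second with and without it. The class and function names, the delay parameters and the 8-character letters-plus-digits keyspace are assumptions for illustration; the spellings list is the one from twk's post.

```python
import string
from dataclasses import dataclass, field

# The eight spellings twk lists; a case-insensitive check treats them as one.
SPELLINGS = ["password", "Password", "pAssword", "paSsword",
             "pasSword", "passwOrd", "passwoRd", "passworD"]


def distinct_after_casefold(candidates):
    """Passwords that remain distinct once the server ignores case."""
    return {c.casefold() for c in candidates}


def case_variants(word):
    """Number of upper/lower spellings a case-sensitive check would tell apart."""
    return 2 ** sum(ch.isalpha() for ch in word)


def keyspace(length, case_sensitive):
    """Size of the letters-plus-digits space (assumed alphabet) for one length."""
    letters = string.ascii_letters if case_sensitive else string.ascii_lowercase
    return len(letters + string.digits) ** length


@dataclass
class LoginThrottle:
    """Per-account delay that grows with each consecutive failed login."""
    base_delay: float = 1.0     # seconds after the first failure (assumed)
    factor: float = 2.0         # growth per further failure (assumed)
    max_delay: float = 3600.0   # cap, so the real owner is never shut out for good
    failures: dict = field(default_factory=dict)       # account -> failure count
    blocked_until: dict = field(default_factory=dict)  # account -> timestamp

    def retry_after(self, account, now):
        """Seconds still to wait; 0.0 means an attempt may be processed."""
        return max(0.0, self.blocked_until.get(account, 0.0) - now)

    def record_failure(self, account, now):
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        exponent = min(n - 1, 64)  # keep the float power from overflowing
        delay = min(self.max_delay, self.base_delay * self.factor ** exponent)
        self.blocked_until[account] = now + delay
        return delay

    def record_success(self, account):
        self.failures.pop(account, None)
        self.blocked_until.pop(account, None)


def guesses_in_window(window, server_rate, throttle=None):
    """Wrong guesses one client can land on one account in `window` seconds."""
    if throttle is None:
        return int(window * server_rate)  # limited only by server round-trips
    now, made = 0.0, 0
    while True:
        now += throttle.retry_after("victim", now)  # sit out the penalty
        if now >= window:
            return made
        made += 1
        throttle.record_failure("victim", now)
        now += 1.0 / server_rate                    # round-trip to the server


def summary(day=86400.0, rate=3.0):
    """Guesses per day and days to cover each 8-character space."""
    open_door = guesses_in_window(day, rate)
    throttled = guesses_in_window(day, rate, LoginThrottle())
    return {
        "guesses_per_day_no_delay": open_door,
        "guesses_per_day_growing_delay": throttled,
        "days_to_cover_case_insensitive": keyspace(8, False) / open_door,
        "days_to_cover_case_sensitive": keyspace(8, True) / open_door,
    }


if __name__ == "__main__":
    print(len(distinct_after_casefold(SPELLINGS)), case_variants("password"))
    for key, value in summary().items():
        print(f"{key}: {value:,.0f}")
```

With these assumed parameters the unthrottled client gets 259,200 guesses per day against one account and the throttled one gets 35.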

usenet

1/18/2012 3:34:00 PM

0

twk <twk@sleepless.knights.com> wrote:

> In article
> <1ke2i1t.1czl66f1mnujj9N%usenet@trooperlooper.co.uk.invalid>,
> usenet@trooperlooper.co.uk.invalid (Trooper) wrote:
>

> >
> > It really doesn't make much difference to brute force attacks. The
> > power of the average desktop these days makes the extra order of
> > magnitude added by using capitals a non issue. Adding in capital
> > letters means it takes 3 seconds to crack, rather than 2...
>
> It makes a significant difference. For example:
> password Password pAssword paSsword pasSword passwOrd passwoRd passworD
>
> The above are all the same to Blizzard. A dictionary type attack would
> crack that on the first attempt with "password". If upper case letters
> actually meant something, those would be 8 different passwords, add a
> few more upper case letters and you increase the difficulty in guessing
> the password.
>

I agree that is a significant difference in the order of magnitude of
complexity of the passwords when capitals are used. However, as
mentioned, the speed on machines these days means it takes an extra few
seconds to crack, hence not making much difference to the actual result
in human terms.

The only limiting factor, as mentioned in another post, is the speed of
response from the server, but I don't know enough about the API to see
if that is restricted. I know it is slow from the client, but you
wouldn't use the client to do a brute force.

T.