Originally posted by Tortanic

 

[snip]

---

 

MSE misses alot on detection, it is clean and straight forward though.

If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
(I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

Nothing is really secure or fool proof - think "resistant."

No AV is perfect, they all miss stuff. But as far as performance goes MSE actually does quite well. It has tested better than Norton, AVG, Sophos, McAfee, and other popular software in independant studies. Some programs like Panda, Avast, Kaspersky, Bitdefender and others have done better than MSE.  Not sure about how well Comodo tests. 

I personally think that of all the free stuff out there, Avast performs the best as far as detection percentage goes. It consistently places in the top few and is significantly better than paid solutions. 

Originally posted by thekid1

Eurogamer writer gets his Diablo 3 account stolen.

This Diablo 3 soap is even better then Age of Conan and WAR right after release.

 

http://www.eurogamer.net/articles/2012-05-21-diablo-3-accounts-hacked-gold-and-items-stolen

So he didn't have an Authenticator, kind of left that out didn't you? Not saying it is a panacea (look it up) but it TOTALLY helps...

Enough of this one sided "reporting", makes yourself look like you have an agenda...

I think my biggest difficulty with Blizzard's response is that they are saying absolutely nothing about the situation is their fault or within their control. The authenticators are fine enough, but to make that your only response is a bit lame. Virtual keyboards that allow you to enter a password without the use of a physical keyboard is one approach at least one other game has used, wouldn't be that hard to implement. I'm sure a security professional could come up with even more creative, yet relatively unobtrusive, ways to handle the problems they face. Internet security takes a bit of effor and creativity on the part of the defenders, but not nearly as much as some seem to think, and it shouldn't require an authenticator for a game either. If Blizzard were to actually try to seriously design and implement a security system and actually enforce it, none of the individual measures taken would have to be that drastic or that hard to maintain, yet I bet a lot of the problems would go away. They just don't seem to care about it. That is the part that concerns me. If a problem is found, it's quickly fixed and pushed under a rug as if it never happened, so  the root problem never gets dealt with. This is where Blizzard has fallen behind the curve compared to a lot of other companies and games.

Originally posted by dubyahite
@iceman

I'm not here to flaunt my knowledge. I'm here to discuss an issue of particular interest to me.

I don't understand why my knowledge of the subject is an excuse to attack me. There are plenty of people in this thread with little to no understating of security who are posting random nonsense and trying to pass it off as fact.

Should you be quoting them and accusing them of missing the point? Because they most certainly are missing the point in a big way.

Again, I'm not here to "flaunt" my knowledge. I am here because this subject is interesting to me.


I am just here to discuss the topic of security which most people dont have a clue about.


Look I don't care that your average user doesn't know how to protect themselves. Not my problem. What I do care about is when those same people go around spouting off nonsense as if they know what they are talking about.


I mean, there was a guy in this very thread flipping out because Diablo opened port 80. Seriously. Then he tries to tell people that this is some huge security flaw.

That is the person that is missing the point, not me.

Okay, so one person said that.  Thing is, just about everyone else didn't.

So why continue to erect such a straw man?  Apologies if the post I made came across as too harsh, it was more a take on how dismissive you were of everyone you wrote about.

Originally posted by MikkelB

Originally posted by iceman00

Originally posted by kreken

Originally posted by sunshadow21

Originally posted by JeroKane

And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

Rest my case.

A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsiblity to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

 

When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

Nowadays, there is no real excuse to be computer illiterate since the computers are an intergral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using than you shouldn't be using it. It seems people don't realize that computer is a tool and if you don't take care of it, it will "rust" and will underpeform or do other unintended operations. If you leave your hand saw in the rain for two months, how good you think it will cut wood next time you use it?

If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.

 

1.)  Mandatory texts/email if you login from a different IP address.

2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

3.)  Increased complexity with passwords. 

Really, number 3 alone goes a long way.

And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be neccessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

I actually agree with your points here. The thing is, these're games we're talking about. Blizzard is for obvious reasons interested in getting as much players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they're, is not going to help the userfriendliness of the game. When it's harder to get to play the game, more people are stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you've less frustration playing it without the DRM then with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online'-resctriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I rather have that they would allow more characters to be used and that they would stimulate users to use passphrase, instead of passwords. Win - win for both sides.

My second point, at least according to Blizzard's records, won't be needed..... yet.  But really, using the authenticator once every 7 days , really not much of a point.  Which I think brings up an interesting correlation.  Most of those who are going to use an authenticator, chances are their tech knowledge is more than satisfactory.  They probably aren't making the mistakes most people make.  So I guess I begin to wonder if "nobody who uses an authenticator had their account compromised" is one of those "true but irrelevant" statements, considering that authenticating once every 5-7 days is sorta pointless, and wouldn't stop an account from being compromised, since they operate in a span of minutes, not days.

And Blizzard needs to seriously think about tighter security in terms of the RMAH.  ONE HACK is all it will take to cause an absolute nightmare.  It wont' matter how many blizzbots screaming "the person getting hacked is a f**ktard who deserved it" there are.  So perhaps we can go on something with point 3/passphrases.  That really doesn't cost much, and is very easy to do, and there's an understandable reason.

And yeah, agree with you on the DRM.  Just wish Blizzard would see it that way.  Bad timing for me to try out the game (due to busy schedule) but their DRM is so absurd (and the attempt to corral people onto the RMAH so nakedly obvious) I'm still not sure how much I'll play the game once I have time.

Originally posted by dubyahite

Originally posted by MikkelB

Originally posted by iceman00

Originally posted by kreken

Originally posted by sunshadow21

Originally posted by JeroKane

And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

Rest my case.

A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsiblity to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

 

When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

Nowadays, there is no real excuse to be computer illiterate since the computers are an intergral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using than you shouldn't be using it. It seems people don't realize that computer is a tool and if you don't take care of it, it will "rust" and will underpeform or do other unintended operations. If you leave your hand saw in the rain for two months, how good you think it will cut wood next time you use it?

If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.

 

1.)  Mandatory texts/email if you login from a different IP address.

2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

3.)  Increased complexity with passwords. 

Really, number 3 alone goes a long way.

And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be neccessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

I actually agree with your points here. The thing is, these're games we're talking about. Blizzard is for obvious reasons interested in getting as much players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they're, is not going to help the userfriendliness of the game. When it's harder to get to play the game, more people are stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you've less frustration playing it without the DRM then with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online'-resctriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I rather have that they would allow more characters to be used and that they would stimulate users to use passphrase, instead of passwords. Win - win for both sides.

This is a very important issue you raise. 

 

Anyone who has worked in the IT industry can tell you that any company (not just game companies) has to weigh several factors when implementing security policies such as those suggested.  This is especially true when you are enforcing these policies on customers as opposed to employees.  

 

It would be great to add a little forced complexity to people's passwords, but it is a tougher decision than it seems at first glance. Personally I would be all for it, but I know for a fact that Blizzard (or any other company) would have to deal with a lot of issues this would cause their customers as well. 

 

Not to many MMO companies actually enforce password complexity on their users. Bioware did a decent job by forcing one uppercase letter and one number in their password, but really that is a lot more innefective than you might think.  

 

Here is an example, with Bioware's rules the password 'Tizftye7' would be an acceptable password. It's not particularly strong but at least it's not '123456'.  There are no words in it, and it appears totally random. It's not going to be in a dictionary attack so a cracker would need to use a guessing attack on it, which implies more time to crack it. 

 

What this level of password security protects against is relatively slow online brute force or guessing attacks. Repeated attempts to guess the password on the services website by attempting to log in would take months to complete all possible password guesses that would be required to guess that password. The exact search space of said password would be 5.46 x 10²³  or 546,108,599,233,516,079,517,120 possible passwords with that password length and alphabet size (characters that a cracker must account for). Seems like a big enough number.

However, with current technology, your average cracker can make about one hundred billion guesses per second offline if they have acquired a password database. This would take less than an hour to complete the attack offline. If the attacker is running the database through a botnet or something, it would be a matter of seconds.

So that level of password complexity protects against one thing, online attacks made by repeated login attempts to a website or the actual game service. The thing is, you are already protected against these attacks in most cases. After a few logins the system wants additional verification or it might even lock your account. This level of password complexity adds no security at all. 

 

To really enforce a system where users must make secure passwords would require very long lengths (at least over 12 characters), one symbol, one number, at least one uppercase letter, and lower case letters as well.

They would also need to prevent people from using common passwords and probably dictionary based passwords as well. Anything that can be found in a crackers dictionary immediately eliminates the need for a guessing attack and any and all complexity is then useless. 

 

Like MikkelB said, from a business perspective they simply can't enforce password complexity of this level. It would piss off a large portion of their users as well as create extra costs for the company in having to support these users. A person who can't remember their password is going to generate extra cost for the company in customer service and technical support on a regular basis. For a video game, it's just not realistic. I believe that it seriously would drive people away from the game.

 

Now, the whole passwords not being case sensitive thing from Blizzard is absolutely bonkers. Out of all this stuff that has been talked about that actually pisses me off a great deal. I don't understand why they would actively undermine the security of those who choose to use a complex password.  I think I might email their customer service about that and bitch today. 

 

As far as enforcing password complexity on users, it's a hopeless battle for a company. If you only do a little (like Bioware) you are not really adding any security. To actually add security to passwords through complexity would have a large impact on your busines and the usability of your software, for something that (let's face it) is not that important. It's a video game account. Most companies have the capability to restore your account to a pre-hacked status for no charge.

Ever hear of the phrase "not seeing the forrest for the trees?"

Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

4.)  What can we do to stop the "brute force" incidents?

5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

As far as "its a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.

Originally posted by JeroKane

I used Avast Free Home edition and a seperate Anti-malware program before.

Now I only use Microsoft Security Essentials and it works for me. No virusses nor mallware as of yet.

Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

cheers

 I also use Security Essentials (still have Malwarebytes on my PC if I need it).

I think after 14 pages, everything that can be said has been said, and we can all end agreeing on something.

Microsoft makes a product that actually works surprisingly well. 

LOLWTF......

Originally posted by iceman00

Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

This is the biggest difficulty I'm having. If they can't even be bothered to implement something as basic and usually automatic as case sensitivity, why should I accept their claims that it's all the user's fault when clearly they aren't intrerested in doing the simple things that can be done on their end? Case sensitivity by itself wouldn't a major thing, but combine it with other simple things like a virtual keyboard to get around keyloggers, and other similar simple, easy to implement ideas, and the impact would be significant with fairly little cost to Blizzard.

Originally posted by iceman00

Originally posted by dubyahite

[snip]

Ever hear of the phrase "not seeing the forrest for the trees?"

Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

4.)  What can we do to stop the "brute force" incidents?

5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

As far as "its a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.

1.) This is not true. While no password is "uncrackable" you can make a pasword complexe enough that it will never be cracked by a cracker. This was the point of my post. They are not going to even attempt a character space that would require 13 trillion centuries to complete. Ever.

2.) Then we agree. But even then there is still risk of hacking, even if they did all this stuff.

3.) This is incorrect. Again, if your password would take 13 trillion centuries to crack, a cracker is not even going to attempt a character space that large. They are going to go for the lowest common denominator and end up with about 20% of the passwords in the database. 

4.) Make complex passwords. I explained this. My passwords will never be cracked by brute force with currently available technology. Not only that, but no cracker will even attempt a crack that would expose my passwords. 

5.) I agree here. The case sensitive crap on blizzard passwords is just inexcusable. 

6.) Yes. Capital letters are required for password complexity. I already said in previous posts that I was pissed about the case sensitive thing from blizzard. 

Originally posted by sunshadow21

Originally posted by iceman00

Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

This is the biggest difficulty I'm having. If they can't even be bothered to implement something as basic and usually automatic as case sensitivity, why should I accept their claims that it's all the user's fault when clearly they aren't intrerested in doing the simple things that can be done on their end? Case sensitivity by itself wouldn't a major thing, but combine it with other simple things like a virtual keyboard to get around keyloggers, and other similar simple, easy to implement ideas, and the impact would be significant with fairly little cost to Blizzard.

 It's not a case of can't be bothered or cost. They used to have case sensitivity. It's a problem with their customers. They aren't morons what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means. While I may disagree with their decision I'm not naive enough to think Blizzard is just clueless or not listening to theit customers. It's because they are listening to their customers and doing the math. Also this hacking is fairly rare. You hear a lot about it but their customer base is huge compared to other games.

Originally posted by itgrowls

It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the users fault if they get hacked at this point due to the security that Blizz emplemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

complete bull

beyond not handing out your passwords to one and all it is up to the business to protect your data - period

There is a rumor going around that a hacker can spoof your ID (obtained by joining a public game with the hacker) and bypass the need to use the authenicator.  I don't know if it's true, but some people "claim" to have been hacked even with the authenicator active.

It's probably untrue and Blizzard claims that there are no reports of accounts breached that used an authenicator.

Still, Blizzard doesn't exactly have the best security and privary protection.  Registering an e-mail account on Bnet will open you open to multiple phishing attempts even if you never used the e-mail address for anything else (or at least it did at one point).

Originally posted by gatheris

Originally posted by itgrowls

It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the users fault if they get hacked at this point due to the security that Blizz emplemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

complete bull

beyond not handing out your passwords to one and all it is up to the business to protect your data - period

 

Complete bullshit.

It is up to the USER to keep their PC safe and secure. It's not Blizzard's fault somone clicked a bad link, went to a site with a bad ad, fell for a phishing attempt, etc.

How exactly is Blizzard supposed to make sure you do none of the above? The only thing they can do is warn and attempt to educate you, and that's a hell of a lot more than they are required to do. To say nothing of providing free mobile authenticators, and at-cost physical ones.

Now if Blizzard's servers get hacked (which they have not) then yes, it is their responsibility.

Originally posted by zymurgeist

 

They aren't morons what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means.

So, understanding the difference between an Uppercase " A " and a lowercase " a " is now a matter of "computer skills". I see the Blizzard defence club is getting desperate enough to throw out ridiculous statements since they are running out of anything substantial to say, might wanna stop before you guys start blaming the player for any leak on Blizzard's end...or wait has some fangirl already thrown that excuse out already? 

Virtual keyboard seems like a decent precautionary measure for such cases. Yea I can see it happening sometime in the near future.

"Just pay and download a VK app for $15.99 and you can be free of all your hacking woes!

But Only works if you have bought ALL our Blizzard™ Authenticator versions 1, 2, v5, x15, zz20 and special edition 2 for service pack 3(until we put out more ca-ching junk applica...err Required Software Protection)."

Online-always DRM is working as intended, yea?

But it would be funny if Anon strikes against BNet for this D3 debacle. Shit would hit the exhaust fan.

If you play blizzard games you should know by now to get an authenticator.

I've never been hacked after getting it.

For the ease of reading I'll just post it here:

Battle.net®/Diablo III Security Concerns

Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who've contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we've investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account, and we have yet to find any situation where a Diablo III player's account was accessed outside of "traditional" compromise methods (i.e. someone logging using an account's login email and password).

To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these "traditional" methods -- for example, by "session spoofing" a player’s identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.

The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.

Source: http://us.battle.net/d3/en/forum/topic/5149181449

One thing that sticks out, is the bit where he says that only a extremely small number of players reported a potential compromise. Makes me wonder if all the ragers actually did contact Customer Service and/or made a ticket, if those ragers were full of hot air as usual or if Blizzard is 'lying' here.

At least Blizzard made this statement (i.e. "We haven't been compromised"), which is more worth to me then the countless of posts going: "I've been hacked! On my clean PC, handcrafted yesterday, only Diablo 3 installed and I've never been hacked before! It's all Blizzard's fault!", without giving proof.

Originally posted by RainBringer

Originally posted by zymurgeist

 

They aren't morons what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means.

So, understanding the difference between an Uppercase " A " and a lowercase " a " is now a matter of "computer skills". I see the Blizzard defence club is getting desperate enough to throw out ridiculous statements since they are running out of anything substantial to say, might wanna stop before you guys start blaming the player for any leak on Blizzard's end...or wait has some fangirl already thrown that excuse out already? 

 

Virtual keyboard seems like a decent precautionary measure for such cases. Yea I can see it happening sometime in the near future.

"Just pay and download a VK app for $15.99 and you can be free of all your hacking woes!

But Only works if you have bought ALL our Blizzard™ Authenticator versions 1, 2, v5, x15, zz20 and special edition 2 for service pack 3(until we put out more ca-ching junk applica...err Required Software Protection)."

 

Online-always DRM is working as intended, yea?

But it would be funny if Anon strikes against BNet for this D3 debacle. Shit would hit the exhaust fan.

 Typing the password itself isn't the problem. Most people use passwords far to weak no matter what security options they are offered. The problem is what to do if you get locked out of your account. I'm not defending Blizzard. I don't agree with it. I'm telling you what they did and why. Put aside your hater hat  and think about it.

Oh I assure you, I keep my thinking hat on even if I wear a "hater hat" on top of it.

If a person cant remember his own password, its no excuse to NOT implement a secure system for safeguarding passwords. It just means that the person needs to write his password down somewhere (like in a 8th grade textbook). And also there are password reminders for such instances via emails so we arent talking bout ground breaking stuff here.

If a player uses a generic 'Abc123' password, then again it doesnt mean that the company responsible for safeguarding this feeble attempt from the player's end should just sit back and say "whoops easy password, not my problem, buy my safeguarding shite" and turn Abc123 into abc123, ABC123, abC123, etc and give a brute force program more than 1 liable option at breaking down such easy passes.

And you dont address the Virtual keyboard issue either. Even a child would find it fun to press a virtual button, so I dont know how Blizzard cant "cater" to the majority of their playerbase.

And sorry to say, but coming up with excuses as to why Blizzard is not at fault is pretty much on the same grounds as defending them, even though you might personally not find it agreeable, call it force of habit or fanboyism or whatever if you may. But just saying it for what it is. And only reason why I even posted here was because of that absurd excuse you came up with in Blizzard's defence, They aren't morons what many of them are is children or people with no computer skills whatsoever. So do tell us from when does knowing the difference between a Capital ' A ' and a small letter ' a ' become a matter of "computer skills"? Excuses such as these show that You arent wearing that thinking hat over those rosy tinted goggles of yours. Hillarious stuff that.

Originally posted by RainBringer

Oh I assure you, I keep my thinking hat on even if I wear a "hater hat" on top of it.

If a person cant remember his own password, its no excuse to NOT implement a secure system for safeguarding passwords. It just means that the person needs to write his password down somewhere (like in a 8th grade textbook). And also there are password reminders for such instances via emails so we arent talking bout ground breaking stuff here.

If a player uses a generic 'Abc123' password, then again it doesnt mean that the company responsible for safeguarding this feeble attempt from the player's end should just sit back and say "whoops easy password, not my problem, buy my safeguarding shite" and turn Abc123 into abc123, ABC123, abC123, etc and give a brute force program more than 1 liable option at breaking down such easy passes.

And you dont address the Virtual keyboard issue either. Even a child would find it fun to press a virtual button, so I dont know how Blizzard cant "cater" to the majority of their playerbase.

 

And sorry to say, but coming up with excuses as to why Blizzard is not at fault is pretty much on the same grounds as defending them, even though you might personally not find it agreeable, call it force of habit or fanboyism or whatever if you may. But just saying it for what it is. And only reason why I even posted here was because of that absurd excuse you came up with in Blizzard's defence, They aren't morons what many of them are is children or people with no computer skills whatsoever. So do tell us from when does knowing the difference between a Capital ' A ' and a small letter ' a ' become a matter of "computer skills"? Excuses such as these show that You arent wearing that thinking hat over those rosy tinted goggles of yours. Hillarious stuff that.

I understand your issue's, but the only thing Blizzard can do regarding the strength of passwords, is putting up some restrictions, for example, use at least:

• one capital letter
• one number
• one special character.

What would be better, is also demand that players make a passphrase, including the above named restrictions, with a length of 10 signs minimum. Passphrases are harder to crack and easier to remember. Information Security in general would benefit to some degree if everyone started supporting passphrases (not every loginsystem support long passwords). Aside from checking if the user passes the restrictions, there isn't much else Blizzard can do about it. They can hardly check if the passwords are good enough. They're meant to be secret and all

Your idea of a virtual keyboard is nice and all, but that isn't faultless as well. These keyboards still use the keyboard drivers, which keyloggers can also check/infect so to say. This is a semi-interesting read about virtual keyboards: http://ask-leo.com/will_using_an_on_screen_keyboard_stop_keyboard_loggers_and_hackers.html

It's unlikely that companies like Blizzard are going to pour money into researching the perfect virtual keyboard. Simply because it's easier to abuse then something like the authenticator.