Why not do this? Passwords are dumb.

#1 - Sept. 21, 2012, 8:16 a.m.
Blizzard Post

This has bothered me for a long time, and I’ve mentioned it to many, many people in positions of high authority at software development only to be ignored. Why are we trying to create and remember horribly long, complex passwords that, with today’s technology, are really meaningless?

I write this now after I read the recently posted article on Account Security by Michael O’Brien. Why have a single password? Why not a passphrase? It is incredibly easy to memorize a random series of four, simple words, and that will be a much more effective password than an 18-character long, archaic password, no matter how many letters you switch to numerals. Honestly, this has bothered me for a long time. The strength of a passphrase, even one using simple common words, would be much greater than any current hacking software could reasonably break or solve. It would be a simple, easy fix and protect your gaming population. Also, it would be innovative and trend-setting (I hope).

Just a suggestion, but I see no reason why this would not want to be done. Thank you for your time. :-)

#6 - Sept. 21, 2012, 10:45 a.m.
Blizzard Post

Password strength is a complete red herring in most modern account compromises. Keyloggers also are a popular scapegoat but are actually not used as widely as some claim; the fact is that scraping the data from a keylogger to find passwords is actually very manual-labor intensive and not cost-effective for hackers.

The reality is that attackers are not using brute-force methods to obtain credentials. They already know the credentials, because they have them from other leaks and breaches from around the internet.

As the blog post states (better than I could), the problem is that people reuse their passwords/passphrases/magic tokens/etc. and that leaves them vulnerable to precisely this kind of compromise.

#8 - Sept. 21, 2012, 10:56 a.m.
Blizzard Post

Usually it goes something like this:

- Joe Example signs up for SketchyWebsite.com and uses his “standard” password
- SketchyWebsite gets hacked or otherwise leaks their password data
- Hackers take this and recover Joe’s “standard” password
- They then may sell this data to any number of additional parties
- Someone decides to attack GW2, and acquires a large number of stolen account passwords
- They then proceed to use every single one of them to see if any line up with a valid account

The thing to realize is that there is a very active black market for stolen account information. The original leak may have nothing to do with video games at all; but the accounts are valuable, and the data can change hands any number of times before it finds its way to someone who wants to specifically hit GW2 (or any other online service).

#12 - Sept. 21, 2012, 11:33 a.m.
Blizzard Post

We of course have such limitations in place. The difficulty with that is that hackers have access to a virtually unlimited supply of new IPs to try from.
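Posts #8 and #12 together describe the defender's problem: leaked credential pairs are replayed against the login endpoint one attempt per account from a large pool of IPs, so a per-IP attempt limit never fires. The script below is an added example, not code from the thread or from any game operator; it shows one way to detect that pattern by looking at the whole window of login events instead of one IP at a time. The log format (`timestamp ip username RESULT`), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Distributed credential-stuffing detection over login events.

Added example, not from the forum thread. Per-IP rate limits catch a
single source hammering many accounts; they miss a campaign that spends
one attempt per IP. This looks at the campaign-level signals instead:
many distinct source IPs, many distinct usernames, a high failure ratio,
and successes arriving from IPs that did nothing else.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, assumed format: "<timestamp> <ip> <username> <RESULT>".
# 198.51.100.x lines model a stuffing run (one attempt per IP, mostly FAIL);
# 203.0.113.x lines model ordinary users, including one who fat-fingers twice.
SAMPLE_LOG = """\
2012-09-21T10:00:01 198.51.100.10 user01 FAIL
2012-09-21T10:00:01 198.51.100.11 user02 FAIL
2012-09-21T10:00:02 198.51.100.12 user03 FAIL
2012-09-21T10:00:02 198.51.100.13 user04 FAIL
2012-09-21T10:00:03 198.51.100.14 user05 FAIL
2012-09-21T10:00:03 198.51.100.15 carol SUCCESS
2012-09-21T10:00:04 198.51.100.16 user07 FAIL
2012-09-21T10:00:04 198.51.100.17 user08 FAIL
2012-09-21T10:00:05 198.51.100.18 user09 FAIL
2012-09-21T10:00:05 198.51.100.19 dave SUCCESS
2012-09-21T10:00:06 198.51.100.20 user11 FAIL
2012-09-21T10:00:06 198.51.100.21 user12 FAIL
2012-09-21T10:00:07 203.0.113.7 alice FAIL
2012-09-21T10:00:09 203.0.113.7 alice SUCCESS
2012-09-21T10:00:10 203.0.113.8 bob FAIL
2012-09-21T10:00:12 203.0.113.8 bob FAIL
2012-09-21T10:00:15 203.0.113.8 bob SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    timestamp: str
    ip: str
    username: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed whitespace-separated format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(ts, ip, user, result == "SUCCESS"))
    return events


def per_ip_attempts(events: list[LoginEvent]) -> Counter:
    """The view a per-IP rate limiter has: attempts keyed by source address."""
    return Counter(e.ip for e in events)


def analyze(events: list[LoginEvent], per_ip_limit: int = 5,
            min_distinct: int = 8, min_fail_ratio: float = 0.7) -> dict:
    """Campaign-level heuristic; thresholds are illustrative assumptions."""
    if not events:
        return {"rate_limit_triggered": False, "stuffing_suspected": False,
                "compromised_candidates": []}
    by_ip = per_ip_attempts(events)
    failures = sum(not e.success for e in events)
    fail_ratio = failures / len(events)
    distinct_ips = len(by_ip)
    distinct_users = len({e.username for e in events})
    max_per_ip = max(by_ip.values())
    # Would a conventional per-IP limit have fired on any single source?
    rate_limit_triggered = max_per_ip > per_ip_limit
    # Many accounts tried from many sources, mostly failing: a replay of
    # leaked pairs rather than users mistyping their own password.
    stuffing_suspected = (distinct_users >= min_distinct
                          and distinct_ips >= min_distinct
                          and fail_ratio >= min_fail_ratio)
    # Triage list: successful logins from IPs that made exactly one attempt
    # during a suspected campaign are reused-password victims to notify and
    # force through a reset. A heuristic, not proof of compromise.
    candidates = sorted({e.username for e in events
                         if e.success and by_ip[e.ip] == 1}) if stuffing_suspected else []
    return {"events": len(events), "distinct_ips": distinct_ips,
            "distinct_users": distinct_users, "fail_ratio": fail_ratio,
            "max_attempts_per_ip": max_per_ip,
            "rate_limit_triggered": rate_limit_triggered,
            "stuffing_suspected": stuffing_suspected,
            "compromised_candidates": candidates}


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the per-IP view stays quiet (no source exceeds five attempts) while the campaign view flags the window and produces `carol` and `dave` as accounts to reset, which is exactly the gap the posts describe. Real deployments would key this on a sliding time window and add the signals the thread mentions (known-breach password lists, first-seen-from-this-region logins) rather than rely on counts alone.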