Blizzard Sued For Trying To Make Accounts More Secure
from the oh-come-on dept
We've discussed in the past how the class action lawsuit system these days seems often to be more about a legal shakedown for lawyers, rather than anything really designed to help protect the public. The latest crazy lawsuit involves a class action lawsuit (pdf and embedded below) filed against Activision Blizzard... because the company is offering two-factor authentication. You see, Blizzard's Battle.net was hacked a few months back, leading to some email addresses being revealed. Also, like many other security-minded places, Blizzard has been pushing two-factor authentication to better secure your accounts. Blizzard's two-factor authentication can be downloaded for free on any iOS, Android or Windows Phone smartphone. If you don't happen to have any of those, but still want to use two-factor authentication, they will sell you a $6.50 fob. None of this seems out of the ordinary. Until you read the lawsuit, where these class action lawyers try to make it sound like some horrible scam.

Defendants' acts have not only harmed Plaintiffs and Class members by subjecting their Private Information to hackers, they have harmed Plaintiffs and Class members by devaluing their video games -- purchased from Defendants under certain assurances of security -- by adding elements of risk to each and every act of playing said games.

Moreover, rather than shouldering the burden of adopting sufficient security measures to prevent these repeated hacks and to protect the Private Information of their customers, Defendants instead have informed their customers, after the point of sale, that they must purchase additional security products in order to ensure the sanctity of their Private Information. These additional, post-purchase costs for security products -- which Defendants assert are the only measures that may be taken to ensure something even approximating account security when playing their video games -- were not disclosed to Plaintiffs and Class members prior to the purchase of Defendants' products.

Yeah, notice how they gloss over the fact that the system is free for anyone with a smartphone? And let's not even get into the fact that no system can be perfectly secure and, eventually, every system is going to get hacked. Just being hacked doesn't make you negligent. And, as we've seen, courts have time and time again refused to find any legal claims against sites that are hacked unless actual harm is shown to the users. The idea that providing two-factor authentication -- and charging the basic cost of the fob for the few folks who don't have a smartphone -- is some sort of sneaky business practice is just ridiculous.
Blizzard has hit back and slammed the lawsuit as being based on "patently false information."
The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.

The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

When a player attaches an Authenticator to his or her account, it means that logging in to Battle.net will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.

Many players have voiced strong approval for our security-related efforts. Blizzard deeply appreciates the outpouring of support it has received from its players related to the frivolous claims in this particular suit.

Hopefully the court understands just how ridiculous this case is and dumps it quickly.
Filed Under: battle.net, class action, security, two factor authentication
Companies: blizzard
Reader Comments
But like you said the case is dumb and shouldn't go anywhere. It's like suing your carmaker for not giving you free gas for life or some other nonsense.
Re: Re:
If you mean that most compromised accounts happen because the attacker obtains the password some other way (not a brute force attack), then yes, I'd agree.
Re: Re: Re: Re:
If you choose a stupid simple password that's just a basic word, that's not the fault of the security and leaving it all the same case makes it even more pathetic. An ideal password would possess no common language words at all (forcing dictionary based attacks to be useless), utilize special case characters (increasing the possibility pool), and be as long as possible (increasing the possibility pool per character). Of course it should then be further secured by the system using a SALT and such.
Re: Re: Re:
While technically true, this is not really a factor any longer. With the speed of processors (and GPUs), extensive wordlists and rainbow tables, brute-force cracking of a password hash is relatively easy and not time consuming for average 7 or 8 character passwords, mixed case or additional numbers/symbols notwithstanding.
There are a few things Blizzard can do for effective account security.
-Secure the storage of their password files through various means - they have done about as well as they can here, and better than many others.
-Offer two factor authentication for their users - they have, and in a more accessible manner than many of their competitors
There are some things that users can do to make their accounts secure.
-Make use of the offered two-factor authentication
-Do not reuse the same password/account info for multiple sites
-Use longer passwords - a 14 or 20 character pass-phrase is (generally) more secure than a 7 character password using mixed case/numbers/symbols.
Re: Re: Re: Re:
That is assuming that the online authentication will allow the computer to try every combination at the max speed without locking the account for a fixed time. If you can try 5 passwords and then get locked out for 5 minutes, then assuming no caps, an 8-character alphanumeric password will take 36^8 minutes to complete all combos. That is 1 min (if the first answer is correct) to 5,367,408.499 years (if the last one is correct).
Re: Re: Re: Re: Re:
They're not trying to login via Blizzard's servers.
They're testing passwords based on a password file that contains a "one-way" hash value of the password.
They don't attempt to login via Blizzard's servers until they're relatively sure they have a correct password.
Instead of using a lockpick on the locked door monitored by a security camera, they learn the lock manufacturer, and figure out which key is used by glancing at the number stamped into it by watching when the guy pulls out his keychain in the parking lot. They get a copy of that key, then walk in and unlock the door without alerting security beforehand.
Re: Re:
This is not just wrong, but it is wrong by many, many orders of magnitude. Case sensitivity adds 26 more possible symbols the password may contain, and each additional possible symbol dramatically increases the total number of permutations. The more permutations, the more time it takes to crack the password. It's basic math.
Re: Re: Re: Re:
Different password Lengths:
Mono 1 char: 26 combinations
Sensitive 1 char: 52 combinations
2x stronger
Mono 8 chars: 208,827,064,576 combinations
Sensitive 8 chars: 53,459,728,531,456 combinations
256x stronger
Mono 12 chars: 95,428,956,661,682,176 combinations
Sensitive 12 chars: 390,877,006,486,250,192,896 combinations
4,096x stronger
Being case sensitive quickly becomes much stronger.
Re:
Something along the lines of 8 microseconds or less.
After all we are not talking about a kid banging on a keyboard.
Re: Re:
more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
Steve Gibson speaks about Password Haystacks: https://www.grc.com/haystack.htm
Re: Re:
26**8 = 208827064576 possible passwords
Whereas, if you allow both upper and lower case characters, you can have:
(26*2)**8 = 53459728531456 possible passwords
It's somewhat significant, assuming that we are using brute-force attacks. A dictionary attack (which can be surprisingly effective) can cut down the search space considerably, even if we toss in 1337-speak and wacky characters (like, using @ instead of a).
Best thing to do, though, is to use pass-phrases, which are MUCH STRONGER due to their size, even without wackyness.
Still, there is no reason for Blizzard not to allow mixed case. If the reason truly is a matter of tech-support, then players of Blizzard games are even dumber than I expected.
Re:
People who fall for phishing emails, or download a virus, or visit a dodgy porn site, etc
It wouldn't matter if Blizzard required a 200 character, alphanumeric password with a random mix of capitals, lowercase, numbers and symbols.
The idiots would still give it up.
And of course then take to the forums and ingame chat to rip Blizzard for not protecting them.
Re:
For example, Duck-Duck-Goose doesn't have any similarities to Risk at all. Heck there's not even dice involved.
But suing over the authenticator is a dumb move and I hope this person gets laughed out of court.
Totally missed the lawsuit.
Re: Totally missed the lawsuit.
In other words, they provide the product with no marginal manufacture and distribution cost for free while they charge costs for the piece of hardware that costs them money? All for an optional extra security method that nobody is forced to participate in to play most of their games? What monsters.
What's the alternative? Are you saying that Blizzard should be forced to offer extra security methods (that most of their competitors aren't offering at all) at a direct cost to them? That no company should charge for physical security options even if a free digital option is available?
Re: Totally missed the lawsuit.
The key word being "optional."
Re: Re: Totally missed the lawsuit.
Would you like to quote the sentences that state that? I see nothing of the sort.
Re: Re: Totally missed the lawsuit.
But I bet the % of people who have smartphones vs regular phones (or no phone) would be substantially higher than the general population if you only look at those that have:
A) A PC and internet connection
B) $15 a month to spend on a game subscription
C) Don't mind forking out $60 a year for the latest expansion
Re: Totally missed the lawsuit.
There is no grounds for this class-action suit.
So if Blizzard gets nailed for this, it will be the most back-asswards precedent EVER.
Re: Re:
The reason Blizzard looks so bad and also like a very good company to me is that they are totally not experienced in class action lawsuits such as this. I've played Blizzard games since I got Warcraft running on my Quadra 605 better than ANY DOS version on the PC. The fact that until now, they've never experienced a class action lawsuit is the ONLY reason they look bad.
I mean really, who can name a more balanced RTS game series than Starcraft??? Or who has a game that STILL has people playing in its spinoffs (Warcraft)???
Insecure by design.
Re: Re: Insecure by design.
Number of possible 4 character passwords using letters only when case doesn't matter (A=a): 456976
Number of possible 4 character passwords using letters only when case DOES matter(A!=a): 14776336
I chose 4 characters to keep the numbers manageable for this example. I recognize 4 characters is ridiculously short for a password. The math works the same adding numbers, special characters, or increasing length.
Using case sensitive passwords makes brute forcing on the order of 32 times harder, and additionally makes it that much more difficult for someone to shoulder-surf a password.
Keep in mind that Blizzard uses this same insensitive password scheme for the battle.net store, where they keep payment information around for you. So we aren't just talking about a login for a game.
That's why it matters.
I'm a developer. I'm pretty sure I'd lose my job if I designed a system that allowed a successful login with a case-mismatched password, and none of the systems I'm responsible for even store payment information for any of their users.
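The search-space arithmetic that several commenters work through in this thread (26^8 versus 52^8, the five-tries-then-five-minute lockout, pass-phrase length versus symbol variety, and the 4-character figures just above) as one added Python example. This is not code from the post, from Blizzard, or from any commenter; the hash rate, lockout settings and alphabet sizes are constructed assumptions, and every figure is a worst case for a uniformly random password, which a dictionary attack or predictable capitalisation shrinks dramatically.

```python
"""
Added example: not code from the Techdirt post, Blizzard, or any commenter.
It puts numbers on the brute-force argument running through this thread:
the case-insensitive vs case-sensitive search space, the worst case under an
online lockout policy, and the worst case against a leaked hash database.
Hash rates and lockout settings are constructed assumptions, not measurements.
"""
from math import log2

LOWER = 26           # a-z only (a case-insensitive system collapses A-Z into this)
MIXED = 52           # a-z plus A-Z
ALNUM_LOWER = 36     # a-z plus 0-9, the "8 alphanumeric, no caps" case
PRINTABLE = 95       # printable ASCII, for mixed case/numbers/symbols

MINUTES_PER_YEAR = 60 * 24 * 365


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn uniformly."""
    return alphabet_size ** length


def strength_ratio(length: int) -> int:
    """How many times larger the mixed-case space is than the lower-case space."""
    return keyspace(MIXED, length) // keyspace(LOWER, length)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * log2(alphabet_size)


def online_worst_case_years(alphabet_size: int, length: int,
                            tries_per_window: int = 5,
                            window_minutes: int = 5) -> float:
    """Years to exhaust the space when the login server allows only
    `tries_per_window` guesses before locking the account for `window_minutes`.
    Every guess has to go through the server, so the lockout is the bottleneck."""
    minutes = keyspace(alphabet_size, length) * window_minutes / tries_per_window
    return minutes / MINUTES_PER_YEAR


def offline_worst_case_seconds(alphabet_size: int, length: int,
                               hashes_per_second: float) -> float:
    """Seconds to exhaust the space against a stolen hash, where no lockout
    applies and the only limit is how fast the attacker can compute the hash."""
    return keyspace(alphabet_size, length) / hashes_per_second


def summary(hashes_per_second: float = 1e9) -> dict:
    """Headline figures discussed in the thread, keyed by a short label.
    1e9 hashes/second is a constructed assumption for a fast unsalted hash."""
    return {
        "lower8": keyspace(LOWER, 8),
        "mixed8": keyspace(MIXED, 8),
        "ratio8": strength_ratio(8),
        "ratio12": strength_ratio(12),
        "online_alnum8_years": online_worst_case_years(ALNUM_LOWER, 8),
        "offline_lower8_s": offline_worst_case_seconds(LOWER, 8, hashes_per_second),
        "offline_mixed8_s": offline_worst_case_seconds(MIXED, 8, hashes_per_second),
        "bits_lower20": entropy_bits(LOWER, 20),
        "bits_printable8": entropy_bits(PRINTABLE, 8),
    }


if __name__ == "__main__":
    # Worst case only: a dictionary attack or predictable capitalisation
    # (first letter upper, trailing digit) shrinks these numbers drastically.
    for label, value in summary().items():
        if isinstance(value, float):
            print(f"{label:>22}: {value:,.3f}")
        else:
            print(f"{label:>22}: {value:,}")
```

The two attack models give opposite conclusions, which is why the thread talks past itself: under the lockout policy even a lower-case alphanumeric 8-character password takes millions of years to exhaust online, while against a leaked fast hash the same password falls in minutes, and only length (the 20-character lower-case pass-phrase carries roughly 94 bits against about 53 for 8 printable ASCII symbols) or a deliberately slow, salted hash changes that.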
Re: Re: Re: Insecure by design.
http://xkcd.com/936/
Thanks, hope it was enlightening.
Re: Re: Re: Re: Insecure by design.
I believe he is referring to this same very type of.. uhm... case.
Re: Re: Re: Re: Insecure by design.
http://www.explainxkcd.com/wiki/index.php?title=936
Re: Re: Re: Insecure by design.
That is, of course, assuming that they get a hold of an unsalted hash in the first place.
Re: Re: Re: Insecure by design.
Besides, the increased number of permutations is only realized if users actually use arbitrarily mixed-case passwords. Even when forced to use both upper- and lowercase letter by the system, most users will just capitalize the first letter. And since the attacker knows the system requires users to do this, it does not actually make the password any less guessable.
Re: Re: Re: Insecure by design.
Most passwords are stolen when you log into a malicious website which steals your credentials, you download some sort of keylogging software, or when you use the same password on multiple sites and one of them is hacked and your credentials stolen.
Brute force attacks are completely useless against services like Blizzard's authentication service which uses those timeouts.
You might be a developer, but you don't have your facts straight. Stop appealing to authority and get your ducks in a row instead.
Re: Re: Re: Re: Insecure by design.
I showed you mathematically how a case-insensitive password system leads to more frequent collisions.
Everyone replying has hand-waved away that being an issue, with the exception of one appeal to authority in the form of XKCD which I've seen and will raise you with an appeal to StackExchange:
http://security.stackexchange.com/questions/17824/is-there-any-explanation-other-than-storing-plaintext-for-case-insensitive-pas/17825#17825
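The storage question behind the StackExchange link above (can a case-insensitive login exist without storing plaintext?) and the earlier remarks about salted and unsalted hashes, as an added Python example. This is not Blizzard's code and not a description of how Battle.net actually stores credentials; PBKDF2-SHA256 and the round count are assumptions chosen for the example. It shows the fold-then-hash approach and makes its cost visible: every case variant of the password verifies.

```python
"""
Added example, not code from Blizzard, Techdirt or any commenter. A login that
ignores letter case can still store a salted, slow hash rather than plaintext,
because the case folding happens before hashing. The trade-off is that every
case variant of the password verifies, so the effective alphabet is the
lower-case one. PBKDF2-SHA256 and the round count are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumption; raise it to match your hardware budget
SALT_BYTES = 16


def _normalise(password: str, case_insensitive: bool) -> bytes:
    """Fold case before hashing when the scheme is case-insensitive.
    str.casefold() handles non-ASCII letters more thoroughly than lower()."""
    text = password.casefold() if case_insensitive else password
    return text.encode("utf-8")


def make_record(password: str, case_insensitive: bool = False,
                salt: Optional[bytes] = None) -> dict:
    """Create the stored credential: per-user random salt, slow hash, scheme flag.
    The plaintext is never kept; only the salt and the derived hash are stored."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(password, case_insensitive),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "case_insensitive": case_insensitive}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and scheme, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256",
                                 _normalise(candidate, record["case_insensitive"]),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def accepted_variants(password: str) -> int:
    """How many distinct case variants a case-insensitive scheme accepts for
    this password: 2 to the power of the number of cased letters. Each of them
    is a guess the attacker no longer needs to make."""
    cased = sum(1 for ch in password if ch.upper() != ch.lower())
    return 2 ** cased


if __name__ == "__main__":
    strict = make_record("Passw0rd")                          # constructed sample
    folded = make_record("Passw0rd", case_insensitive=True)   # constructed sample
    print("strict accepts PASSW0RD:", verify(strict, "PASSW0RD"))
    print("folded accepts PASSW0RD:", verify(folded, "PASSW0RD"))
    print("variants collapsed by folding:", accepted_variants("Passw0rd"))
```

The per-user salt is what defeats the rainbow-table shortcut mentioned earlier in the thread: two users with the same password get different stored hashes, so a precomputed table for the hash function alone is useless and each account has to be attacked separately.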
also bliz has been excellent in their QoS, and security, IMO.
Not such a dumb lawsuit
#1 Fobs would be the one way to make sure people actually BUY their game.
#2 Fobs are a great way to authenticate. Businesses have done it with certain software for a long time now.
Because not ALL people own a smartphone that has internet connectivity or rather even own a smartphone, means THOSE people are inconvenienced by "purchasing" their protection. THAT is against the law. This means another product has to be purchased to use something a provider has already agreed full access to upon purchase. Just because they add a clause that says "we can change the rules at any time" doesn't mean it's right. Sure it's 6.50 or whatever... what's next? Your next $80 special edition doesn't come with all items promised and you have to dish out another $20 to get the rest?
Think about it people... it's entertainment publishers and developers taking consumers for a ride once again, seeing how far they can push the envelope... when is enough, enough?
Re: Not such a dumb lawsuit
And that $80 purchase with $20 to buy later to get the rest?
Isn't that the current Xbox/PS3 AAA developers business model these days?
Re: Re: Not such a dumb lawsuit
These are common best practices anyway, so you should just be doing them in the first place.
I played WoW for 4 years, through all kinds of periods of "OMG TEH HACKARZ ARE STEELING OUR GOLDZ" and only got an authenticator in the last year. I got it for the pet (hellhound pup) more than anything else.
Re: Not such a dumb lawsuit
No they wouldn't. The fobs do nothing to stop piracy, and in fact having to use an extra piece of hardware that can easily be lost just to log into the game would be a turn off for many people. Especially if they're forced to use something that was previously optional and available on the phone they use every day. That translates to lost sales in my mind, especially with products like WoW where people are buying things other than the software itself (e.g. access to public servers).
"#2 Fobs are a great way to authenticate. Businesses have done it with certain software for a long time now."
I've never used one for my business software. Maybe I prefer other methods of authentication that don't involve me having a drawer full of crap?
"Because not ALL people own a smartphone that has internet connectivity or rather even own a smartphone, means THOSE people are inconvenienced by "purchasing" their protection"
So your alternative is to force Blizzard to mass produce an extra piece of hardware that the smartphone owners don't want and many would be inconvenienced by far more than fob users are now? At their own cost, no less (read: costs passed on to the customer through higher subscription fees)?
Not thought this through, have you?
Re: Not such a dumb lawsuit
You think that if Blizzard would be forced to provide a fob to everyone with an account that wanted one, they wouldn't cover those costs elsewhere? Higher account activation fees? Higher monthly fees? Less developers working on content?
Charging the marginal cost of the fob to those that want one, while providing free mobile authenticator software to anyone with a smartphone, is considerably more efficient - and thus results in lower costs for everyone.
Re: Not such a dumb lawsuit
Yes, and those fobs have caused untold losses of blood, sweat, and tears -- not to mention money -- over that long time. It's why you used to see machines that had two or three fobs daisy chained to computers, but you don't see that anymore.
However, those fobs are different in kind from the random key generator that Blizzard sells, so it's not a good comparison.
For even more icing on the cake, Blizzard has actually broken news of other company's security breaches to warn users to make sure that they changed their passwords if they were the same (I seem to recall them sending out notices regarding the security breaches for Sony PSN and Gawker before either of those two companies informed their users).
They should offer it for free. It was their security measures that failed. So yes, they should be improved, but not at the expense of the already paying customer.
Why not make a free Windows version if they can make free mobile ones?
How many billions did Blizzard make last year? Yeah. Greedy bastards. Fail, fix, make people pay for our failure. Awesome plan.
Re:
I don't think you understand the "two" in two-factor authentication.
One of the things the mobile authenticator protects you from is password harvesting malware on the computer you play the game from. Even if your computer is infected, someone still can't login to your account because they can't get the code from the authenticator.
The way the fobs and authenticators work is that a seed value is generated on the device. That seed value, along with the current time, is used to generate that changing code. As long as both the login server and your device know the seed value and the correct time, they both can generate the same code - and allow you to login.
What happens when the malware running on your PC gets that seed value, and your password? They can now impersonate you, login to your account, and steal all your stuff.
Do you want the illusion of security, or real security?
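The seed-plus-time code generation described in the comment above, as an added Python example with both the device side and the login-server side. This is not Blizzard's authenticator code (the thread does not document Blizzard's exact algorithm); it implements the RFC 4226 HOTP / RFC 6238 TOTP construction, which is the standard form of that mechanism. The secret is the RFC test key, used here only as a constructed sample, and the `login` function is a hypothetical combination of the two factors.

```python
"""
Added example: not Blizzard's authenticator code. It implements the standard
RFC 4226 HOTP / RFC 6238 TOTP construction, where a shared secret plus the
current time yields a short code that the device and the login server compute
independently. The secret used in __main__ is the RFC test key (constructed sample).
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def device_code(seed: bytes, now: float = None) -> str:
    """What the authenticator (fob or phone app) displays right now."""
    return totp(seed, time.time() if now is None else now)


def server_verify(seed: bytes, submitted: str, now: float,
                  window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side to
    tolerate clock drift between device and server, comparing in constant time."""
    counter = int(now) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed, counter + k), submitted)
               for k in range(-window, window + 1))


def login(password_ok: bool, seed: bytes, submitted_code: str, now: float) -> bool:
    """Hypothetical two-factor check: both factors must pass. A stolen password
    alone fails; so does a stolen seed alone. Malware holding both the password
    and the seed on the same machine can produce every code itself, which is
    why the seed belongs on separate hardware rather than the gaming PC."""
    return password_ok and server_verify(seed, submitted_code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226/6238 test secret, constructed sample
    now = 59
    code = device_code(seed, now)
    print("device shows", code, "-> login:", login(True, seed, code, now))
```

The acceptance window is the practical reason a server must hold the same seed as the device: it recomputes the code for a few neighbouring time steps rather than trusting anything the client sends, and a code that was valid ten minutes ago is rejected.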
Re: Re:
"a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")."
This can all be done from within Windows.
Re: Re: Re:
Because you're not logging into the fucking WoW account with your phone.
Re: Re: Re:
If you have the software running that generates the code on the same computer you use to run the game it is not standalone.
The phone is an entirely separate channel - malware running on your computer will not affect your phone*. Again you're missing the point of the "two" in two-factor authentication.
I'm not saying that it is impossible to make software that will run on Windows to generate the codes - I'm saying from a security perspective, there would be no point to doing so as it does not increase security.
*Yes, I know there are situations where this is not strictly correct (ie phone syncing could introduce an attack vector on the phone).
Re: Re: Re: Re:
A different software (standalone mind you) is a different channel since it's not tied into any blizzard software, it would just generate what it needs to... like your phone does.
But judging from Blizzard's way of handling this, I think it's safe to assume, yes, that that software would probably be useless, because, Blizzard developed it after proving they were not security conscious.
Bottom line is, they just want more money, as OP stated.
Re: Re: Re: Re: Re:
Standalone means a different piece of software handles it, just like on your smart phone.
No. Fucking no. Again, missing the fucking point of two-factor authentication.
You're implying that the user could get hacked this way... but just like any other way.
What the fuck is this even supposed to mean?
Don't want to get hacked? Well, don't use a computer, right?
Never go full retard.
A different software (standalone mind you) is a different channel since it's not tied into any blizzard software, it would just generate what it needs to... like your phone does.
No. It's not a different channel if it's on the same machine. It's the same fucking channel, because if the machine gets compromised, everything gets compromised. Are you being purposely fucking dense?
But judging from Blizzard's way of handling this, I think it's safe to assume, yes, that that software would probably be useless, because, Blizzard developed it after proving they were not security conscious.
Bravo. Fucking moron.
Bottom line is, they just want more money, as OP stated.
They want more money so they're supplying something at cost and not earning revenue from it? How the fuck does this work in your world?
Your expertise is clearly not security, so how about you stop pretending to understand what's going on here? Your post is one of the stupidest things I've ever read, and I say that having spent a substantial amount of time on /b/.
Re: Re: Re: Re: Re:
I may as well jump in here since you're demonstrating a complete lack of technical understanding here. Let's see if I can make it clearer:
Blizzard's software is running in an open environment - Windows. If Windows gets compromised, everything gets compromised. Programs share drivers, libraries, etc. Once Windows gets compromised, nothing can be trusted. Spyware, viruses, trojans affect the whole system, not simply the program they happen to be targeting at the time.
Get that? Now, it's possible that this didn't happen with previous breaches and it was only a single Blizzard program that was affected. But, Blizzard would just be asking for trouble if they assumed that this would never be the case and so they need to make sure that a hack or compromise on one part of the system can never compromise the whole thing.
That's where two-factor authentication comes in. By having the authenticator located on a completely separate piece of hardware, a Windows breach can never affect the second part of the code. Since both parts of the code are required, even a virus-riddled system that logs every keystroke and mouse movement you make can never get the whole code. That is *impossible* to achieve with a program running on the same hardware as the game code. If the OS it's running on is compromised, all software is compromised.
Do you get that? It's weird that you're trying to distort a fairly logical security system into some kind of conspiracy or profiteering, but then I'd guess you'd be the first to whine about Blizzard's poor security if the Windows program you demand failed to provide adequate security (which it would, by design).
Mike, I disagree for once
I for one cannot stand lawsuits, but to me there is some validity to this claim.
Re: Re: Re: Mike, I disagree for once
Ever.
You say that Mike, but the "free" account sec. provided by phone isn't the same as the FOB security, and they are requiring it for some in game actions. Real money AH springs to mind. And they certainly didn't say anything about that back when I had bought the thing.
(╯°□°)╯︵ ┻━┻
Fun with math.
26 (n)letters from a (r)4 character string
C(26,4) = 26! / ( 4! (26 - 4)! ) =
14950
If you wish to allow a letter to be used twice in one string, square the result!!
223,502,500 possible combinations!!!
Re: Fun with math.
C(52,4) = 52! / ( 4! (52 - 4)! ) =
270725
Square it to allow for the use of a character twice:
7.3292025625E+10
Note that's well over a trillion combinations already.
So it is extremely secure to say the least to have Case Sensitive passwords.
There are for example some major places, that shall remain nameless, that feel 6-letter passwords are just fine and dandy, as long as they contain at least one upper case letter and one number - but at the same time they decide to reject 20+ long lower case password because it's apparently "insecure" in comparison, which of course is a load of dingo's kidneys.
The obsession with special characters in passwords stems from the old days when passwords were 8 letters or shorter. In today's day and age you are much better off with "greenthumbtreehuggerpetflies" than "1eE4ad", not to mention that your strange little word-riddles are a lot easier to actually fucking remember... Of course, you have to use "Gr33nthumbtreehuggerperflies" instead because you have to use numbers and caps, and that makes it slow to type and much more annoying to remember, even when you do the obvious leetspeak letter replacements.
No need for a lawsuit for christ sake
I appreciate the security measures but I assume that hackers can hack again if they want to and balancing between security and user hassle will always be a balancing act. All major gaming companies have been hacked, i.e. Steam and PS3, etc.