SRP won't protect stolen passwords--give me money.


Topic: Video Games 11:49 am EDT, Aug 10, 2012

So, this is actually kind of crap, but reading it is an exercise in playing "Spot the Motive". The author goes on about how Blizzard's password breach is a terrible thing because SRP-enciphered passwords can still be brute-forced, so everyone should change their passwords immediately before their account explodes and sharp pieces of flaming shrapnel wind up in your eyes.

He wants Blizzard to actually retract their previous statements (which certainly seemed to be pretty accurate) and become equally shrill about THE DANGERZ!

Honestly, fuck this guy.

He concludes his blog post with a very limp-wristed full disclosure of sorts:

"The sad truth is that the state-of-the-art ‘best practices’ in the industry currently fail to adequately protect users’ passwords from being stolen. It is my personal mission, and the mission of my company TapLink, to ultimately provide the software, infrastructure, and education which will allow companies, large and small, to successfully defend from this sort of attack."

In other words, "I think everyone's passwords are unsafe and they should pay us money."

...which is a load of shit, because we're talking about static fucking passwords, which are nearly obsolete anyway.

At no point does he even briefly mention that Blizz has been subsidizing hardware tokens for their users for ages now, and anyone who cares enough will have gotten one (because they're a $10 one-time purchase for a game that costs $15/month anyway) which means those people do not have to give a single tinker's damn about rushing out to change their static password before goldfarmers can scatter their virtual loots to the four corners of the virtual-earth.

"I implore anyone who is a member of to immediately ensure your old password is not being used on any other sites, and you should never use that same password again. You should also verify your secret question/answer that you used on is not reused elsewhere as well."

So... we've been going on at people about password reuse for some time now. It's fairly shallow to act as if this were timely and accurate advice relevant to the current situation of passwords possibly being cracked. People should already have stopped reusing their passwords or secret questions anywhere else. It's not something we should have to keep telling people every hour of the day--it's clear they're either listening or they aren't going to care until they've gotten their fingers burned, possibly more than once.

"To Mike Morhaime and the Blizzard security team, I would request immediate retraction or clarification on your statement about the difficulty of extracting passwords from the stolen database. The message to your users should be clear: your passwords have almost certainly been cracked, and you should take immediate action."

This is simply a "festering pile", and it assumes you never saw what was in the Blizzard announcement, which was:

"We also know that cryptographically scrambled versions of passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well."

Nothing Blizzard said was incorrect; it is understandable by humans with an IQ of about 100, and it makes it very easy for someone to change their password immediately after reading it.
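Both sides of this spat are actually describing the same property of SRP, so here is what it looks like in code. This is an added illustration, not code from this post, from Blizzard, or from TapLink, and it assumes a toy group (a 61-bit Mersenne prime and generator 3 rather than a real RFC 5054 group), SHA-256 instead of SRP's usual SHA-1, and constructed sample usernames and passwords. What it shows: the server stores a per-user salt and verifier v = g^x mod N rather than the password; a leaked row is enough to check a candidate password offline, so a weak password still falls (the blogger's point); but every row has its own salt, so each one has to be attacked on its own and nothing carries over between users (Blizzard's "deciphered individually"). The last function is the defender-side use of that fact: triage which accounts should be forced to reset.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Toy parameters, assumed for illustration only. A real SRP deployment uses a
# large safe prime (RFC 5054 groups start at 1024 bits); 2**61 - 1 is merely a
# Mersenne prime that is big enough for the toy verifiers below not to collide.
N = 2**61 - 1
g = 3


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts (real SRP-6a uses SHA-1)."""
    return hashlib.sha256(b"".join(parts)).digest()


def private_exponent(username: str, password: str, salt: bytes) -> int:
    """SRP-6a style derivation: x = H(salt || H(username ':' password))."""
    inner = H(f"{username}:{password}".encode())
    return int.from_bytes(H(salt, inner), "big")


def make_verifier(username: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """What the server stores instead of the password: (salt, v = g^x mod N)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, pow(g, private_exponent(username, password, salt), N)


def guess_matches(username: str, candidate: str, salt: bytes, v: int) -> bool:
    """Offline check of one candidate against one stolen row.

    No live login is needed: the salt and verifier are in the row, so a
    correct guess simply recomputes the same v. This is why a leaked
    verifier table still exposes weak passwords even though SRP never
    stores the password itself.
    """
    return pow(g, private_exponent(username, candidate, salt), N) == v


def accounts_to_force_reset(table: Dict[str, Tuple[bytes, int]],
                            wordlist: List[str]) -> List[str]:
    """Defender-side triage: which rows fall to a short list of common passwords.

    Every row carries its own salt, so every row is tested on its own
    (Blizzard's "each password would have to be deciphered individually");
    work done on one user's row says nothing about any other user's row.
    """
    hits = []
    for username, (salt, v) in table.items():
        if any(guess_matches(username, w, salt, v) for w in wordlist):
            hits.append(username)
    return hits


def demo() -> List[str]:
    # Constructed sample table: one strong passphrase, one common password.
    table = {
        "alice": make_verifier("alice", "correct horse battery staple"),
        "bob": make_verifier("bob", "password123"),
    }
    common = ["123456", "password", "password123", "qwerty"]
    return accounts_to_force_reset(table, common)  # -> ['bob']


if __name__ == "__main__":
    print(demo())
```

The practical reading is the one Blizzard gave: a leaked verifier table is not a leaked password list, but anyone whose password is on a common-password list should treat it as cracked and change it, and a hardware token makes the whole question moot because the verifier alone never yields the second factor.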

More importantly, while Blizzard could have very subtly said "give us money--buy a hardware token and the problem goes away" they didn't. Blizzard loses a couple bucks each time someone buys a hardware token, but they save it back by not having to deal with that person having their password and virtual loots snatched up by low-hanging fruit who managed to get a keylogger onto a player's machine and the requisite customer service rep time it takes to clean up the mess.

They certainly didn't conclude with "by the way I run a company that can sell you magic passwords".

