
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

I was banned...
2011-01-26, 10:17 AM #41
hahaha the password is salted with the account name in uppercase

holy **** blizzard
2011-01-26, 10:17 AM #42
More like [Deeprock Salted Hash], am I right?
Also, I can kill you with my brain.
2011-01-26, 10:17 AM #43
Their hashes are probably painfully small too...
2011-01-26, 10:18 AM #44
Originally posted by Jon`C:
hahaha the password is salted with the account name in uppercase

holy **** blizzard


Seriously?

Holy crap...
2011-01-26, 10:22 AM #45
Originally posted by Jon`C:
hahaha the password is salted with the account name in uppercase

holy **** blizzard


Bwa ha ha! You just made my day. Is it at least the WoW account name and not just your battle.net address?

Still, no wonder they tell you not to share your account name!


Edit: http://www.networkuptime.com/wow/page02-12.html
Also, I can kill you with my brain.
2011-01-26, 10:34 AM #46
Originally posted by Jon`C:
hahaha the password is salted with the account name in uppercase

holy **** blizzard


Source for this? Highly believable though, hah.
TheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkW
2011-01-26, 10:40 AM #47
Originally posted by Ni:
Source for this? Highly believable though, hah.


I was wrong, it was from a forum post talking about authentication in some third party server.

But still... a custom hashing algorithm.
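The posts above (#41 through #47) argue about a scheme that salts the password with the account name in upper case and runs it through a "custom hashing algorithm". The example below is added here to show what that design costs a defender; it is not code from this thread, from Blizzard, or from any third-party server. The `deterministic_salt_hash` function is a constructed stand-in built only from the thread's description (salt = upper-cased account name, one pass of SHA-1), and the account name and password are constructed sample values. The corrected form uses a random per-user salt and the standard library's PBKDF2-HMAC, so two registrations of the same user and password no longer produce the same stored value and a stolen digest cannot be correlated across databases.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 200_000  # work factor for the corrected scheme


def deterministic_salt_hash(account: str, password: str) -> bytes:
    """Constructed stand-in for the scheme the thread describes: salt is the
    account name in upper case, then a single SHA-1 pass. Not any vendor's code."""
    salt = account.upper().encode()
    return hashlib.sha1(salt + b":" + password.encode()).digest()


def random_salt_hash(password: str, salt=None, rounds: int = KDF_ROUNDS):
    """Corrected scheme: 16 random salt bytes per user plus a slow KDF
    (PBKDF2-HMAC-SHA256 from the standard library). Returns (salt, digest);
    both are stored, neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_random_salt(password: str, salt: bytes, digest: bytes,
                       rounds: int = KDF_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def correlation_demo():
    """One user with one password on two services that use each scheme.

    Returns (same_under_deterministic_salt, same_under_random_salt). With a salt
    derived from the account name, the two stored values are identical, so a
    digest leaked from one service is immediately a valid digest for the other
    and can be precomputed for a named account before any breach. With a random
    salt the stored values differ every time."""
    account, password = "sarn_cadrill", "correct horse battery staple"  # constructed
    a = deterministic_salt_hash(account, password)
    b = deterministic_salt_hash(account.upper(), password)  # second service, same user
    same_under_deterministic = a == b

    _, d1 = random_salt_hash(password)
    _, d2 = random_salt_hash(password)
    same_under_random = d1 == d2
    return same_under_deterministic, same_under_random


if __name__ == "__main__":
    print("identical digests under account-name salt:", correlation_demo()[0])
    print("identical digests under random salt:      ", correlation_demo()[1])
    salt, digest = random_salt_hash("constructed password")
    print("verify correct password:", verify_random_salt("constructed password", salt, digest))
    print("verify wrong password:  ", verify_random_salt("wrong", salt, digest))
```

The point of `correlation_demo` is the first return value: a salt that anyone can derive from the account name does keep two different users' hashes apart, but it gives the same user the same hash everywhere and lets the work for a specific account be done ahead of time. The random salt costs sixteen extra stored bytes and removes both properties.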
2011-01-26, 11:40 AM #48
Originally posted by Dormouse:
Still, no wonder they tell you not to share your account name!

and yet you have to share it to have a RealID friend. (It's the same as your email.) I've RealID friended people without them ever sharing their email with me by looking their email up on Facebook.
If you choose not to decide, you still have made a choice.

Lassev: I guess there was something captivating in savagery, because I liked it.
2011-01-26, 11:57 AM #49
Originally posted by Cool Matty:
So what you're saying is she used a password 3 letters long.

my old password was actually 10 characters long. then i changed it once i got hacked. it really was a huge pain though. i hate having to remember new passwords for things.
I'm proud of my life and the things that I have done, proud of myself and the loner I've become.
2011-01-26, 12:04 PM #50
Originally posted by Sarn_Cadrill:
Nope, I made sure she had a strong password, just like I did (see my earlier post to see).


Then she fell for a scam. A scam that apparently she didn't even realize. You can't just get magically hacked, they have to have your password somehow. So it was either brute-forced, or scammed. Deny all you like, but we're talking reality here.
2011-01-26, 2:00 PM #51
nope, i report any whispers that sound scammish and don't speak to anyone not in my guild.
I'm proud of my life and the things that I have done, proud of myself and the loner I've become.
2011-01-26, 3:56 PM #52
Originally posted by Cool Matty:
Then she fell for a scam. A scam that apparently she didn't even realize. You can't just get magically hacked, they have to have your password somehow. So it was either brute-forced, or scammed. Deny all you like, but we're talking reality here.


Given that there is zero chance WoW's "custom hashing algorithm" is cryptographically secure, I'd say it's just as likely that their authentication algorithm amounts to a non-op. I also think the authenticator code is just a second salt. The fact that people are still able to hack accounts with strong passwords and authenticators is a 100% guarantee that Blizzard ****ed up.
2011-01-26, 4:17 PM #53
Originally posted by Jon`C:
Given that there is zero chance WoW's "custom hashing algorithm" is cryptographically secure, I'd say it's just as likely that their authentication algorithm amounts to a non-op. I also think the authenticator code is just a second salt. The fact that people are still able to hack accounts with strong passwords and authenticators is a 100% guarantee that Blizzard ****ed up.


Actually iirc, the authenticator hack worked using a man-in-the-middle attack. The person typed in the username, password and code and the hacker intercepted it, stopped it going to blizzard and used it themselves to log in. Of course that says nothing positive about their security either.
TheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkWhoSaysNiTheJkW
2011-01-26, 4:45 PM #54
Originally posted by Ni:
Actually iirc, the authenticator hack worked using a man-in-the-middle attack. The person typed in the username, password and code and the hacker intercepted it, stopped it going to blizzard and used it themselves to log in. Of course that says nothing positive about their security either.


This is correct. It left you with a ~25-second vulnerability should your computer be infected with the malware that transmitted the authenticator information to the individual on the other side. It also meant that the hacker had a single use of your account, given that changing ANYTHING through battle.net requires yet another use of the authenticator. So it essentially just allows a farmer to snag your gold and shard your purps. lulz.

And as far as I'm aware, there's been nothing done about it aside from signatures being sent to various antivirus developers.
-=I'm the wang of this here site, and it's HUGE! So just imagine how big I am.=-
1337Yectiwan
The OSC Empire
10 of 14 -- 27 Lives On
2011-01-26, 5:04 PM #55
Transmitting the authenticator code is pretty much the definition of broken.
2011-01-26, 5:40 PM #56
How else are they supposed to authenticate the code without transmitting it?
2011-01-26, 6:16 PM #57
Originally posted by Cool Matty:
How else are they supposed to authenticate the code without transmitting it?


Devices like the authenticator work basically like a time-sensitive one-time pad. The reason they work is that they're synchronized with Blizzard's servers. That is, at any given time both you and Blizzard know the authenticator code, without transmitting any information. This means the authenticator code is actually a pre-shared key.

Note that this is a much stronger contract than a password. If implemented properly, passwords are never stored in plaintext. This limits what you can accomplish with a password beyond testing the stored value against a salted hash.

The upshot is that you could use the authenticator code directly with some symmetric encryption algorithm like AES, or concatenate it with some session-specific value to pad out the key length, or something along those lines. GoY would have better ideas than I do. What's important is that you should never need to transmit the key.
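The example below is added to put numbers on the two things this post and post #54 describe; it is not code from the thread or from Blizzard, and nothing in it reflects how the real authenticator is built. The code generator follows the published HOTP/TOTP construction (RFC 4226 / RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits), with a constructed shared secret standing in for whatever the real token is provisioned with. Scheme A transmits the six digits, as the thread describes, so a code captured at time t is still accepted a few seconds later within the same step, which is the window post #54 talks about. Scheme B is one way to do what this post suggests: the server sends a fresh random challenge and the client answers with an HMAC keyed by the current code, so the code itself never crosses the wire and a captured answer is bound to the challenge it was made for. The nonce size, the HMAC-SHA256 choice and the one-step clock-skew allowance are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30
DIGITS = 6

# Constructed demo secret. A real token secret is provisioned once into the
# device and the server database and is never sent over the network again.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"


def time_code(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP-style code (RFC 4226 / RFC 6238): HMAC-SHA1 over the time step counter,
    dynamically truncated to `digits` decimal digits. Both sides can compute it
    because both hold `secret` and a clock; no secret material is transmitted."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def candidate_codes(secret: bytes, now: int, skew_steps: int = 1):
    """Codes the server accepts right now, tolerating +/- skew_steps of clock drift."""
    return [time_code(secret, now + d * STEP_SECONDS) for d in range(-skew_steps, skew_steps + 1)]


# Scheme A: the client sends the six digits (what the thread describes).
def server_accepts_code(secret: bytes, now: int, submitted: str) -> bool:
    return any(hmac.compare_digest(c, submitted) for c in candidate_codes(secret, now))


# Scheme B: challenge-response. The server issues a random nonce and the client
# answers with HMAC(code, nonce); the code acts as a key and stays on the device.
def server_challenge() -> bytes:
    return os.urandom(16)


def client_response(secret: bytes, now: int, nonce: bytes) -> bytes:
    code = time_code(secret, now).encode()
    return hmac.new(code, nonce, hashlib.sha256).digest()


def server_accepts_response(secret: bytes, now: int, nonce: bytes, response: bytes) -> bool:
    for code in candidate_codes(secret, now):
        expected = hmac.new(code.encode(), nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            return True
    return False


def replay_demo(now: int = 1_300_000_000):
    """Capture at `now`, reuse 10 seconds later (same 30-second step).

    Returns (replayed_code_accepted, genuine_response_accepted, replayed_response_accepted).
    Under scheme A the captured digits still log in; under scheme B the captured
    answer was computed for one nonce and fails against the nonce of a new login."""
    later = now + 10
    code = time_code(SHARED_SECRET, now)
    replayed_code_ok = server_accepts_code(SHARED_SECRET, later, code)

    nonce1 = server_challenge()
    resp1 = client_response(SHARED_SECRET, now, nonce1)
    genuine_ok = server_accepts_response(SHARED_SECRET, now, nonce1, resp1)
    nonce2 = server_challenge()  # a new login gets a fresh challenge
    replayed_resp_ok = server_accepts_response(SHARED_SECRET, later, nonce2, resp1)
    return replayed_code_ok, genuine_ok, replayed_resp_ok


if __name__ == "__main__":
    a, b, c = replay_demo()
    print("scheme A: captured code accepted 10 s later:    ", a)
    print("scheme B: genuine response accepted:            ", b)
    print("scheme B: captured response accepted on relogin:", c)
```

What scheme B buys is that a recorded code or response has no value once the login it belonged to is over. It does not rescue a machine that is already running malware: a proxy on the client can still relay a live challenge and answer in real time within the same window, which is why post #54's "nothing done about it aside from signatures being sent to antivirus developers" is the relevant fix for that case, not a protocol change.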
2011-01-26, 7:17 PM #58
Kill it with FIIIIIIIIIIRRRE!!!!
"Staring into the wall does NOT count as benchmarking."


-Emon