Blizzard's Battle.net Server Intrusion: Just How Safe Are Users' Passwords Now?
After the hack into Blizzard's battle.net servers last week, passwords were lifted along with other details, such as email addresses. Blizzard claimed that users' passwords were still safe despite the breach, due to its use of the Secure Remote Password (SRP) protocol, which salts and hashes passwords. However, not all security experts agree with Blizzard's assurances.
While well-known security companies such as Sophos and Intego agree with Blizzard, TapLink founder Jeremy Spilman does not. He explains in great technical detail on his blog that SRP is primarily designed to protect passwords in transit over the internet, to foil an eavesdropper, not to protect stored passwords. Since the attackers lifted the verifier database that SRP uses, the passwords become much easier to crack with a dictionary attack, even though they're salted. In fact, using the power of a modern graphics card such as the HD 7970, passwords can be cracked in a matter of hours or days. An unsettling thought.
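To make that distinction concrete, here is an added SRP-6a sketch (not code from Blizzard or from Spilman's post; it uses a constructed toy group and a simplified hash encoding, both assumptions for readability). The handshake never sends the password over the wire, but `enroll` shows that the server-side record is just a salt and a verifier derived from one fast hash of the password, which is why a stolen verifier database can be tested offline.

```python
import hashlib
import secrets
# Constructed toy group for illustration only: N = 1019 is a safe prime (2*509 + 1)
# and g = 2 generates it. Real deployments use a 1024-bit+ group (RFC 5054).
N, g = 1019, 2

def H(*parts):
    """SHA-256 over the parts (simplified encoding), returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return int.from_bytes(h.digest(), "big")
k = H(N, g)  # SRP-6a multiplier
def private_key(salt, username, password):
    """x = H(s | H(I ':' P)): one fast hash, no work factor."""
    return H(salt, H(f"{username}:{password}"))

def enroll(username, password):
    """Server stores only (salt, verifier = g^x mod N); this is what leaks."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, username, password), N)

def client_start():
    a = secrets.randbelow(N - 2) + 1  # client ephemeral secret
    return a, pow(g, a, N)            # A is sent to the server

def server_start(v):
    while True:
        b = secrets.randbelow(N - 2) + 1  # server ephemeral secret
        B = (k * v + pow(g, b, N)) % N    # B is sent to the client
        if B:                             # B must be non-zero mod N
            return b, B

def client_key(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("invalid B from server")
    x = private_key(salt, username, password)
    u = H(A, B)
    return H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))

def server_key(v, b, A, B):
    if A % N == 0:
        raise ValueError("invalid A from client")
    return H(pow(A * pow(v, H(A, B), N), b, N))

def run_exchange(username, password, salt, v):
    """Full handshake: the password never crosses the wire."""
    a, A = client_start()
    b, B = server_start(v)
    return client_key(username, password, salt, a, A, B), server_key(v, b, A, B)
```

Both sides arrive at the same session key only when the client knows the password that produced the stored verifier.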
In its defence, however, Blizzard claims to be using a different implementation of SRP from the one discussed in the blog, making those passwords much harder to crack. Blizzard declined to explain its implementation, to avoid the risk of compromising its security: "The specific implementation that is referenced in that blog is not what we use. We are aware of the whitepaper on SRP that was published in 1998, and the information therein was taken into account when we implemented our technology. For security reasons, we can't go into greater detail."
Regardless of whether those passwords are actually safe, after an intrusion, even a small one, let alone a big one like this, everyone must change their passwords and security questions as part of basic security practice. In other words, doing this is a no-brainer.
The problem with assurances like the one in Thursday's Blizzard advisory is that they provide comfort to some portion of users who were already looking for a reason not to bother changing their passwords. As the above analysis suggests, every hour or day that an affected user doesn't change his password increases the chances it will be cracked by the intruders.
Posted: Thu, Aug 16, 2012 - 06:16 PM