So, this is actually kind of crap, but reading it is an exercise in playing "Spot the Motive". The author goes on about how Blizzard's password breach is a terrible thing because SRP-enciphered passwords can still be brute-forced, so everyone should change their passwords immediately before their account explodes and sharp pieces of flaming shrapnel wind up in your eyes. He wants Blizzard to actually retract their previous statements (which certainly seemed to be pretty accurate) and become equally shrill about THE DANGERZ! Honestly, fuck this guy. He concludes his blog post with a very limp-wristed full disclosure of sorts: "The sad truth is that the state-of-the-art 'best practices' in the industry currently fail to adequately protect users' passwords from being stolen. It is my personal mission, and the mission of my company TapLink, to ultimately provide the software, infrastructure, and education which will allow companies, large and small, to successfully defend from this sort of attack."
In other words, "I think everyone's passwords are unsafe and they should pay us money." ...which is a load of shit, because we're talking about static fucking passwords, which are nearly obsolete anyway. At no point does he even briefly mention that Blizz has been subsidizing hardware tokens for their users for ages now, and anyone who cares enough will have gotten one (because they're a $10 one-time purchase for a game that costs $15/month anyway), which means those people do not have to give a single tinker's damn about rushing out to change their static password before goldfarmers can scatter their virtual loots to the four corners of the virtual-earth. "I implore anyone who is a member of Battle.net: immediately ensure your old Battle.net password is not being used on any other sites, and you should never use that same password again. You should also verify your secret question/answer that you used on Battle.net is not reused elsewhere as well."
So... we've been going on at people about password reuse for some time now. It's fairly shallow to act as if this were timely and accurate advice relevant to the current situation of passwords possibly being cracked. People should already not have been reusing their passwords or secret questions anywhere else. It's not something we should have to keep telling people every hour of the day--it's clear they're either listening or they aren't going to care until they've gotten their fingers burned, possibly more than once. "To Mike Morhaime and the Blizzard security team, I would request immediate retraction or clarification on your statement about the difficulty of extracting passwords from the stolen database. The message to your users should be clear: your passwords have almost certainly been cracked, and you should take immediate action."