f13.net

What? Are people still not using authenticators?  :ye_gods:

It only prompts you like once a week if you always log in from the same machine.

We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

If your account has been hacked, please view the previous post (http://us.battle.net/d3/en/forum/topic/5149619846?page=1) for information on contacting our support department.

Obviously it's the public game joiners at fault. What were they thinking? They could've saved themselves a lot of pain if they had friends to play with.

1. Blizzard delays Diablo III. Again. And again.
This isn't Blizzard's fault for trying to be perfectionist. Would you play a buggy, unpolished game?

2. Blizzard demands online play only, creating instant death from lags and make offline, lagless play impossible and not an option.
Diablo is meant to be played online, rofl.

3. Blizzard can't keep a good login system to deal with the day 1 owners.
Blizzard is the victim of their own success. No one could've predicted the magnitude of the pre-order and day 1 enthusiasm. This is a good problem to have for a company of their caliber. If anything those login hoggers should blame themselves for not having patience and jamming the login servers.

4. Blizzard lets a loophole go live and enabled some hackers to steal customer's account through session ID
Blizzard can't be blamed here, online security is a big issue that is hard to cover all every loophole.

You know what ?  I'm just not prepared to accept the 'we didn't know it would be popular' line.

It's bullshit.

As this came up in a WoW thread when they made that change, you can change it to the old "prompt every login" set-up as well.  Not sure when they added that, but it was a while I have this set up permanently. For the extra 10 seconds that it takes me to log in, I don't mind a little more security on my home machine.

Still laughing, up until the point my Single Player game won't be playable anymore because my account was hacked. Has every competent person at Blizzard died from a stroke recently or have they fled after the merger? That whole lauch fiasco is so unblizzardlike.

so... if I haven't joined any public games should I be safe (for now?)

Nope, I havent joined any public games and got hit this weekend

Just as an after-thought;  what's going to be the impact on WoW ?  Surely the accounts being connected is a problem ?

You know what ?  I'm just not prepared to accept the 'we didn't know it would be popular' line.

It's bullshit.

Didnt someone say they brought servers down today to possibly correct this?  Has there been any information from them today whether this was the case?  Im blocked at work so I cant check.

Seems way too wide spread and random to be a simple issue of people having poor security. Blizzard of course will deny anything on their end because why wouldn't they? I'm not trying to stir up a controversy or anything, but for a publicly traded company like Activision/Blizzard to admit their new lovechild game has security flaws is just silly. Best course of action for them is to carry on, deny a breach, and do everything in their powers to correct it.

Newest 'rumor' is that the maintenance today was done to correct the flaw.  :roll:

edit: On a related note, I haven't seen the public forums for a Blizzard game in many years. Just checked out the General D3 forum and my god, what the fuck is wrong with gamers/people these days?

Nope, I havent joined any public games and got hit this weekend

Seems way too wide spread and random to be a simple issue of people having poor security.

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

I've had the sinking suspicion a lot of these may be from old hacked wow accounts that were long ago abandoned.

Wasn't this part of the problem with the hacking Rift experienced? Lot's of people having their WoW account hacked and then reusing the same username/password for the next game they played. If your WoW account got hacked and you didn't care or never noticed, it's not a stretch to think that a few years later D3 hackers would try the same username/password.

Unless we assume Blizzard is lying (or possibly incompetent), then there's nothing to the public game theory people had either.

Case-insensitive passwords.

Case-insensitive passwords.

Case-insensitive passwords.

Which has nothing to do with what I said?

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

Back in ancient computing times, there was a reason for limiting the password size.

But now, users should be encouraged to use phrases/sentences that are easy to remember but difficult to brute force dictionary attack. Special requirements (example being my bank) like having passwords no greater than 8 characters, but requiring presence of a digit, capital letter and special character (non-letter and non-digit) just delivers grief to a user.

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

I heard this recently (was it someone on f13 or some other forum)? -- person had to choose a voicemail passphrase, so they used 10 digits, random order -- when the system required they change their password some months later, it failed because it required that they use a digit that wasn't in the previous password.  Apparently the thought that somebody might use ALL the digits in one password never crossed the mind of the system designer.

This is why we need base-16 phones.

Blizzard account passwords are not case sensitive.
http://us.battle.net/d3/en/forum/topic/5152409863?page=1#4

Maybe this is a company wide IT policy and affects internal servers besides their customers. =p

As said before, doesn't matter how complicated you allow people to make passwords, people will always pick simple ones. Just waiting until we can all jack in.

We seem to be dancing around, but never quite getting to, the biggest problem with passwords:  The sheer number of them the average human being has to deal with.  Couple that with the fact there is no standard system for them (what with upper/lower, numbers and symbols, etc.), and what you get is that people tend to come up with extremely simple passwords that just meet the minimum standard, and then they use those same passwords (or simple variations on them) all over the place.  How many different places do I have to use a password?  Hell, easily a hundred, and it is made worse by the fact that some of those places I only visit rarely, which makes the use of distinct passwords a fairly ridiculous suggestion.

You can set up all the crazy requirements you want for passwords...whether it's Battlenet, your online banking, F13.net, or whatever.  We're still going to find the minimum requirement and use that same password or group of passwords everywhere.  The human brain can't manage much more than that.  Unless, of course, we are writing them all down somewhere, which presents its own obvious problems.  At the end of the day, regardless of how much we want to bitch about it, it is far easier to deal with the potential danger of a hacked Battle.net account than it is to deal with trying to remember all those different passwords.

Authenticators go some way in addressing the problem, but are you going to have a different authentication system for each of these hundred places you go to?  Yikes, screw that.  A harmonized system would be ideal, but then the system itself becomes the threat.

Somebody out there is going to make a trillion dollars on a safe, universal system that doesn't use passwords at all (or only uses them as a supplemental safeguard) and implements it into everyday use like an authenticator.  Finger printing.  Retina scanning.  Voice recognition.  Microchip/Barcode scanning.  DNA wizardry.  Some combination of these kinds things, and hell, throw in a simple password and/or pin code as an extra layer.

I'm thinking of something that actually just truncated rather than restricted you to 8 characters - it would let you think you were using a longer password but I found out later that it was only using the first 8 characters. Killing me that I can't remember what it is now.

I'm nearly certain I've used some system or another in the past that did truncate to 8 characters, now it is going to bother me all day until I remember what it was.

My laptop has a fingerprint scanner, trust me, they are awful. It seems great in theory until the scanner has a problem.

Or you have virtually unreadable fingerprints.  (pun not intended, but welcomed)

MrB: As it turns out there's no particular evidence that there was ever a real, new problem in the first place (other than "normal" password getting stolen sort of stuff.)

I don't think everything needs an authenticator, but I think companies need to be honest about what they provide and need. My bank? Should have an authenticator app or something else that isn't just a series of shit I know.

So like, Conjecture aside. Was this resolved?

Battle.net®/Diablo III Security Concerns

Over the past couple of days, players have expressed concerns over the possibility of Battle.net® account compromises. First and foremost, we want to make it clear that the Battle.net and Diablo III servers have not been compromised. In addition, the number of Diablo III players who’ve contacted customer service to report a potential compromise of their personal account has been extremely small. In all of the individual Diablo III-related compromise cases we’ve investigated, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player’s account, and we have yet to find any situation where a Diablo III player's account was accessed outside of “traditional” compromise methods (i.e. someone logging using an account's login email and password).

To that end, we’ve also seen discussions regarding the possibility of account compromises occurring in ways that didn’t involve these “traditional” methods -- for example, by “session spoofing” a player’s identity after he or she joins a public game. Regarding this specific example, we’ve looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we’ve determined the methods being suggested to do so are technically impossible. However, you have our assurance that we’ll continue to investigate reports such as these and keep you informed of important updates.

The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator andBattle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.

We hope this update has addressed some of the concerns you’ve had. In the end, we simply want all of our players to be able to fully enjoy Diablo III, and we’ve been working around the clock to address issues as quickly and efficiently as possible. We appreciate your continued support and enthusiasm, and we hope you and your friends are having a blast slaying Sanctuary’s demons.

Why would you click a link in any email when you can go straight to battle.net and see for yourself?