liez.

clearly the account thefts are due to lulzsec and their expert hacking efforts. they jump into bliz database daily to see which accounts they want to grab next.

 

-----signature-----

Tant, while I do not disagree with what you stated, applying the "computer generated" method to logging in an account for an MMO does not really apply.

It takes about 5 second to go through the attempted login process, no matter who or what is entering the data. Add to that the likelihood that after x amount of bad inputs, there will be a timed lockout of the account.(like 15 minutes lets say, after 3 bad attempts)

So, thats 5 seconds per attempt, plus 15 minutes every 3rd attempt... and well, its going to be years before all permutations are able to be attempted.(about 1934 years to be exact) if you can only enter 3 bad tries before a 15 minute lockout.

It's never been about brute forcing a person's password. It's about keyloggers, and always has been.

 

-----signature-----

Well I can GUARANTEE you I don't have keyloggers and my account got nailed less than 48 hours after removing my authenticator. Because if they had a keylogger, everything else could and would have been compromised. Including bank accounts, other game accounts etc..

 

-----signature-----

There is absolutely no possible way you can guarantee that.

 

-----signature-----

Fine.. but it is more likely that i would win the lottery twice, then get struck by lightning twice at the same place on 2 separate occasions.

 

-----signature-----

Odds, you do not understand them.

 

-----signature-----

Nakal,

I know to you it seems that "everything else" would be compromised...


But what would happen if your bank account was accessed through these means? Now we are talking SERIOUS felony, and serious investigation, and serious penalty for the 'hacker'.


These hackers do not want that risk. They just want your account, as there is absolutely NO PENALTY WHATSOEVER ANYWHERE for stealing your 'virtual gold' and or items, from an online game.


Your bank account: Some quick cash, very serious risk involved. Very serious penalties if caught. 100% chance of being investigated by law enforcement.

Your WOW account: Some quick cash, no risk whatsoever. No penalty if caught. 0% chance of being investigated by law enforcement.


Send blizzard an email, ask them how many times a bad password was entered before your account was successfully logged in to by the hackers. I guarantee you it was zero.

If you haven't found the key logger, you still have it.

 

-----signature-----

I do NOT have one. For one: I dont run as an admin on my computer. 2: I clean viruses and also do computer forensics for a living. 3: My RIFT account and other game accounts are fine. Sorry, but Blizzard's Shoddy password system not supporting symbols or case sensitivity is most of the problem. Check this site out about passwords to see how simple passwords can easily be hacked. That is why my curent passwords are stronger now. https://www.grc.com/haystack.htm

 

-----signature-----

Nice, probably the best article I have read on password theory. His reference articles are worth a read also.

Ok, so what is the rest of the problem?


Did you email blizzard, tell them your qualifications, and ask how many incorrect passwords were used on your account before it was accessed?


If that answer is zero, are you still going to deny the possibility that you have a keylogger? Even in these days of drive by downloads that require a user do nothing but simply visit a malicious website?

Or are you telling us that you used the password "password", but typed it as "PasSw0rD"???


Then there is the issue of knowing your email address...did the hackers just "luckily guess" that too?

I'm really not trying to but your balls on this, but the "it's impossible for me to have a keylogger" attitude is why you have a job in the first place, no?


Edit: While that site is a good read for someone who has no clue about permutations, it does not apply here. No way in hell are you going through the login process to a Blizzard server more than once every few seconds, (as opposed to 33 billion tries per second 'scenario' the article points out) and unless your password is on one of those "stupid password lists", the article really doesn't apply, and fails to address how they got your email info as well.


If you really are in the 'business', why did you have to read that article to learn about stronger passwords? Are you still going to tell us that there is zero chance that you have a keylogger?

 

-----signature-----