>After a small number of failed logins, your IP is temporarily banned. That means that bruteforcing is nearly impossible.
If someone is genuinely trying to crack passwords, I'm going to go out on a limb here and say that they know what proxy servers are and how to use them.
Unless the list of accounts you want to crack is tiny, a brute force attack easily gets around per-account rate limiting by simply switching to a different account before tripping it and coming back to the account later.
There are only, say, 12-15 million active accounts. Even if you had all of them, you're going to run out of attempts before you reliably brute force anything. Far more likely is that Blizzard looks out for large-scale distributed brute force attacks and locks users to their last handful of confirmed IPs.
That's in the realm of speculation, admittedly. Look, I'm largely defending Blizzard here, but they aren't paragons of security. For one thing, they could stop a lot of actual real-world keyloggers by putting in a randomized on-screen PIN entry. They never did that, but they have been pretty aggressive on many other fronts. The fact that their passwords are case insensitive is something that might surprise many people (and I was mildly shocked when it was pointed out to me years back because I had been dutifully capitalizing 2 characters in my p/w....) but it ends up not being of much consequence imho. Almost all hacks have been keylogger or social. There's one rumored (confirmed?) MITM attack against the authenticator. There are probably some people that used 123456 etc. but the option for a more secure password probably wasn't going to help those people, ymmv.
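The disagreement above turns on which counter a login service keeps: per source IP, per target account, or across the whole service. The following is an added example, not part of any post in this thread and not a description of Blizzard's systems; the event format, thresholds and sample data are assumptions constructed for illustration. It shows that failures spread across many addresses and accounts stay under both per-IP and per-account limits, while a service-wide failure count for the same window still flags them.

```python
from collections import Counter, defaultdict

def analyze(events, window=60, ip_limit=5, account_limit=5, global_limit=50):
    """events: iterable of (ts_seconds, ip, account, success).
    Counts failed logins in fixed windows and reports which controls trip.
    All limits are assumed values, not taken from any real service."""
    per_ip = defaultdict(Counter)       # window -> failures per source IP
    per_account = defaultdict(Counter)  # window -> failures per target account
    total = Counter()                   # window -> failures service-wide
    for ts, ip, account, success in events:
        if success:
            continue
        w = ts // window
        per_ip[w][ip] += 1
        per_account[w][account] += 1
        total[w] += 1
    banned = {ip for c in per_ip.values() for ip, n in c.items() if n > ip_limit}
    locked = {a for c in per_account.values() for a, n in c.items() if n > account_limit}
    # Service-wide signal: failure volume in one window, regardless of who or where
    alerts = sorted(w for w, n in total.items() if n > global_limit)
    return {"banned_ips": banned, "locked_accounts": locked,
            "global_alert_windows": alerts}

def constructed_events():
    """Constructed sample log; addresses are from documentation ranges."""
    ev = []
    # Window 0: one client, one account, ten failures (what a per-IP ban stops)
    ev += [(i, "198.51.100.7", "alice", False) for i in range(10)]
    # Window 2: 180 failures, each from a different IP against a different account
    ev += [(120 + i % 60, f"203.0.113.{i + 1}", f"user{i}", False)
           for i in range(180)]
    # Window 4: ordinary traffic, three mistyped passwords out of thirty logins
    ev += [(240 + i, f"192.0.2.{i}", f"cust{i}", i % 10 != 0) for i in range(30)]
    return ev

if __name__ == "__main__":
    for control, hits in analyze(constructed_events()).items():
        print(control, hits)
```

Only the single-source burst trips the per-IP and per-account limits; the spread-out failures in window 2 appear solely in `global_alert_windows`.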
Are you saying they have a number of proxy servers comparable to the keyspace? Because I'm pretty sure there aren't that many IPs.
EDIT: I just did a few calculations, there are 40 times as many elements in an 8-character password with only lowercase letters as there are IPv4 addresses.