by g0su 5134 days ago
Actually, I don't see that as a big deal. Maybe it could be tweaked to have only the first one sensitive or try the all-caps/no-caps. But still, it's all in the length of the password. I prefer to have that rather than someone forcing me to use a 6-8 character password with at least one cap, one special or any of this bullshit.

You are correct, this is less than a big deal. In fact it's pretty irrelevant.

Third parties hacking battle.net accounts aren't doing so through brute force, they are doing it through phishing and viruses with keyloggers.

This is kind of important. I will reserve "big deal" for other infractions, but it's far from harmless. It's important to protect your users' passwords regardless of whether phishing them directly is the more popular attack. If you don't know why, just ask Sony and Valve.
I would be very interested, however, to know what this implies about the way they store their passwords. If, on submission, they normalise its case and then hash it (and then for all checks, normalise the supplied pw)... then, it's still not really acceptable, but at least the password I've given them is encrypted.
Why isn't that technique (normalizing then hashing) acceptable? There is always a compromise between user experience and security. Why allow three character passwords, or passwords of "password", but not case insensitive passwords?
Pedant alert! Hashing is not encryption.
Hashing is one way, and encryption is two way -- correct?

edit: Might as well look it up. The user "bestsss" at Stack Overflow confirms this is the case.

http://stackoverflow.com/questions/4948322/fundamental-diffe...

Pedant alert, hashing is still a form of encryption. Take a look at what crypt(3) used to do ;)
Why isn't it acceptable to normalise the password and then hash it, compared to just hashing it?
Because the search space for brute-forcing a password is massively reduced :). Suddenly, instead of having 62 possibilities per password character (assuming alphanumeric + no specials), there's only 36. Whereas a password like "PassWord123" might have gotten past a wordlist (well, that's unlikely, but...), "password123" certainly wouldn't.
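The two points raised above (storing a case-normalised hash, and the resulting shrink of the brute-force search space from 62 to 36 symbols per character) can be made concrete with a small Python example. This is added illustration, not code from the thread or from Battle.net; the alphabet sizes, the salt, the PBKDF2 parameters and the sample passwords are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Character-class sizes from the thread's argument (assumption: ASCII letters and digits only).
MIXED_CASE_ALNUM = 26 + 26 + 10   # 62 symbols per position
CASE_FOLDED_ALNUM = 26 + 10       # 36 symbols per position once case is normalised


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_reduction_factor(length: int) -> float:
    """How many times smaller the brute-force search space becomes when case is folded away."""
    return search_space(MIXED_CASE_ALNUM, length) / search_space(CASE_FOLDED_ALNUM, length)


def store_password(password: str, normalise_case: bool,
                   salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) for a password, optionally lower-casing it first as the thread describes.

    Uses salted PBKDF2-HMAC-SHA256 from the standard library; the iteration count is illustrative.
    """
    if salt is None:
        salt = os.urandom(16)
    material = password.lower() if normalise_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes, normalise_case: bool) -> bool:
    """Re-derive the hash for a login attempt with the same normalisation policy and compare."""
    _, digest = store_password(candidate, normalise_case, salt)
    return hmac.compare_digest(digest, stored)


def collide_under_folding(a: str, b: str) -> bool:
    """True when two passwords that differ only in case end up as the same stored credential."""
    salt = b"constructed-fixed-salt-0"  # fixed salt only so the two hashes are comparable
    _, ha = store_password(a, True, salt)
    _, hb = store_password(b, True, salt)
    return ha == hb


if __name__ == "__main__":
    for n in (8, 11):
        print(f"length {n}: {search_space(MIXED_CASE_ALNUM, n):.3e} mixed-case vs "
              f"{search_space(CASE_FOLDED_ALNUM, n):.3e} case-folded "
              f"({keyspace_reduction_factor(n):.0f}x smaller)")
    # "PassWord123" and "password123" become indistinguishable under case folding
    print(collide_under_folding("PassWord123", "password123"))
```

The reduction factor grows exponentially with length, (62/36)^n, so the longer the password the more of its strength case folding throws away; the collision check shows why a stored hash of a folded password is weaker than a hash of the password as typed, even though it is still a hash rather than the plaintext.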
Thanks!