Potential User Data Breach

"

Karunga wrote:

Damn Russian Hackers trying to influence the vote of the next High Templar!

"The longer and more complex the password, the better."
Complex, as in sticking a bunch of weird symbols, is irrelevant. Brute-forcing by design does not rely on similarity between symbols, it just means trying one symbol at a time and checking if hash becomes the target one. True, if we find that there is "1" in the password, the prbability of the next symbol being "2" or "9" is much higher, but such dependencies in dictionaties are extremely hard to account for. Here symbol dictionaties are used. Same dependency rules may be dragged onto words, as in one word being more likely to follow another, although given that we have probably infinite oportunities to create lexical links between infinite number of words, brute-forcing symbols stays the most optimal solution due to them being extremely finite.

Simply put, just having long passwords, which you can memorize is enough. 12-16 letters, all lowercase, even is there are no numbers in your password, this will take exponentially more time to crack than 6-8-random-symbols-crap. To feel safe you may want to stick a number. Everything else is irrelevant, everythign else only gives you a false sense of security. Random crap will not protect you better, but very long phrase-passwords that you can remember easily will.

Oh, and not to mention... the hash is useless by itself. Every website stores hashes. For instance, every certificate (given to you by someone to verify something) is public. The key is private.

GGG, brute-force (pun intended) your network and security specialists to read books on topics such as information theory and enthropy. They might start thinking and doing better job.

"

Rhow wrote:

Simply put, just having long passwords, which you can memorize is enough. 12-16 letters, all lowercase, even is there are no numbers in your password, this will take exponentially more time to crack than 6-8-random-symbols-crap.

This isn't necessarily true. Yes, if they are all symbols, it doesn't matter as that is still one character set.

However, from a brute-force perspective, you can determine a Charset you want to use. Whether that is lalpha, ualpha, numeric, mixedalpha-numeric, etc. The number of calculations is drastically different.

Different combinations = number of possible characters ^ password length

It's much easier to change the number of possible characters from 26 (lalpha or ualpha) to 52 (mixedalpha) by changing a single character from lalpha to an ualpha.

E.g.
16 characters in lalpha = 26^16
17 characters in lalpha = 26^17
16 characters in mixedalpha = 52^16

Far easier, and drastically more calculations to just double the character set.

Regardless, I came here to say thank you to GGG.

Thanks for the insight GGG.

I really appreciate the transparency. Not many companies would have told this to the public.

Thank you GGG. This could happen to anyone, but let's hope it was an isolated incident.

"

NanoDestiny wrote:

"

Rhow wrote:

Simply put, just having long passwords, which you can memorize is enough. 12-16 letters, all lowercase, even is there are no numbers in your password, this will take exponentially more time to crack than 6-8-random-symbols-crap.

This isn't necessarily true. Yes, if they are all symbols, it doesn't matter as that is still one character set.

However, from a brute-force perspective, you can determine a Charset you want to use. Whether that is lalpha, ualpha, numeric, mixedalpha-numeric, etc. The number of calculations is drastically different.

Different combinations = number of possible characters ^ password length

It's much easier to change the number of possible characters from 26 (lalpha or ualpha) to 52 (mixedalpha) by changing a single character from lalpha to an ualpha.

E.g.
16 characters in lalpha = 26^16
17 characters in lalpha = 26^17
16 characters in mixedalpha = 52^16

Far easier, and drastically more calculations to just double the character set.

Regardless, I came here to say thank you to GGG.

Thanks for the insight GGG.

Even easier if that 12-16 letters are actually 2-4 common words concatenated together.

"

AlexOverLord wrote:

It was blizzard trying to sabotage 3.0.0, to try save the little dignity D3 still has.

Thought about the same when I read the news.:D

Nothing will happen. My email was stolen ones and BEST SUPPORT EVER helps me to return my PoE account in 2 hrs without any problems.

"

Maybe because when I first read your interesting IGN or saw your footer here or recognized we have the same avatar, but mostly because what standpoints you always represent at forum, I really like your attitude and thinking. I myself am really interested in IT security,yet I need to learn the basics first. But seeing people with similar thoughts is a very exalting feeling :)

Thanks! That's refreshing. :-) If you're interested in IT and security, it's a hot field right now and growing, so you picked a good one!

my password is [Removed by Support]

about 10 digits been changed from original
Good luck bruteforce ! LD

So, now its fixed?