Are you kidding? How is it NOT going to help against keyloggers? Is the keylogger going to magically find your keychain and read your token? So what if it gets your username and pin? Its still not going to have the third piece of the puzzle.
The keylogger will get the password when it's typed in, not from the authenticator. A person who wants in to your account will be patient enough for the keylogger to report the authenticator password.
Quote from "SlickSTi" »
Complex password vs keylogger? Do you even understand the concept of a keylogger? You could have a 200 character password case sensitive with special characters and the keylogger is going to record it and send it back to the author.
Why yes I do understand keyloggers I have edited and used them in the past. When I said it wouldn't help complex passwords I meant this: Brute forcers will crack easy passwords in seconds, if not sooner(words, numbers[like the ones on the token], simple things). A person with such a simple password would be the only person to benefit from the authenticator simply because their password wouldn't be a static, easily crackable sequence...it would change often. If you use a complex string for a password, the authenticator adds nothing. Cracking a difficult password without a quantum computer could take seconds(theoretically, if the password was guessed quickly) or centuries. I already said the device wouldn't help protect against keyloggers, so when I went on, I went on the assumption the reader would understand the rest of it wasn't conditional on whether a keylogger would be stumped or not. Sorry to confuse you.
Quote from "SlickSTi" »
You don't sound like a "hacker" to me. You sound like someone who runs kiddy scripts or maybe dabbles with scripting utilities to compile simple keylogging scripts and posts them up on a website as a wow addon or new version of maphack.
Keylogging "scripts" by nature are simple. You can make it look purdy. But all you really need to log is the active window and the keys being typed, the extra stuff just keeps the keylogger from being viewed as an active process easily...and the code for that isn't specific to any one program(as in...re-useable code). I don't write hacks for games. I don't post hacks on the internet(edit yes, but I don't start from scratch and post it). Sorry to disappoint you. I can hack, but that doesn't mean I'll find a system and search for XSS exploits, buffer overflow potentials or DDoS it. Not everyone who understands computers is a malicious user.
Quote from "SlickSTi" »
You can take apart as many RSA tokens as you want. The problem is that they are ALL unique. Obviously if you get your hands on someone's token you aren't going to need to dissect it when you can just read the screen. You don't think RSA already though of that?
If someone were to crack the code on a single RSA token, and write a program that could replicate the process for another(the process of getting the code from the RSA token), then all they would need is a brief moment with the token. If you were to get your hands on a token and STEAL it, the original user would most likely call Blizzard and get the device deactivated(or do it online or what have you). If someone is capable of ripping the algorithm quickly and crack it later, it would be beneficial to merely touch the device for a few moments, and leave it looking as if it were untouched(thus not alerting the user to knowing they're vulnerable). I'm not spelling out every little detail though because that isn't necessary. I was just pointing out where some of the vulnerabilities of the system arise(I assure you there are plenty more). Many of the places these things are used are for business who probably have few, if any, hackers trying to get in to their systems. Blizzard on the other hand will need to fight against thousands, if not millions, of people trying to break through. As it is currently only optional for WoW, it didn't draw much attention yet. I was saying if it was MANDATORY, then the amount of focus hackers would have would be unrivaled for the given technology.
The tokens will stop basic hackers from getting basic information and getting through basic passwords, but if the device is mandatory for every, then eventually someone is going to find a gaping hole in the process and passwords will be cracked through the authenticators left and right. Unless you believe this is a flawless system?
Making it mandatory for D3 would be suicide for the technology. Enough hackers are going to get their hands on these simply to dissect them and see how they work(me being one of them, sorry everyone...). If it's MANDATORY, then cracking the code(so to speak) will also be mandatory. The blizzard site says it helps vs. keyloggers...except keyloggers will get your password...or your Blizzard Authenticator password...and your account name. It won't do anything against keyloggers.
This will only help people who use basic passwords like 'baseball981' that can be brute forced in seconds. people who use passwords more akin to !K293Q><32udH))Cc would only be wasting their money, especially if they had an easy way to remember such a string.
Storing the information on the keychain isn't necessarily the problem. RFID chips are really small(about the size of the the end of a sharpened pencil) and they can hold your entire medical history, dental history, and personal information(SSN, CC#s, felonies, etc). There is actually an 8GB jump drive available for around $50-$60(USD) and its not larger than a fingertip.
Anywho, size isn't a problem. The problem is this. There is one of two possiblities for what the keychain does to update passwords.
1. The keychain somehow links up to a network and receives a code from Battle.net to tell it what the password is. This method means whoever wants to hack the code will get a chance to view its transmission every 10 minutes. During the 10 minute waits, hackers will probably decipher what information they can.
End result: Hackers may be able to easily crack this type of password method.
Cons: people who can't see the satellies Blizzard uses can't play Battle.net games.
2. An algorithm is stored on the keychain. When the keychain is synced up with the online blizzard account, this algorithm is set in motion. At the same time, Blizzard's servers run the same algorithm for the same account. Regardless of connectivity, the keychain will always have the same password Blizzard has set up for the account. Couple bad things here. One, is the keychain needs to run indefinitely to work right, even a minute offline ruins the system. Meaning a battery warning needs to be given well in advance(I wouldn't be surprised if this could be usb-rechargeable). Another problem though. Running the algorithm securely would require a hefty encryption process. Running this process for millions of users? That would require Blizzard to have server farms just for password maintenance.
End Result: Hackers have access to an algorithm that will always run. Even if the encryption is 1 GB or larger, it CAN and most likely WOULD be cracked eventually.
Cons: Battery life, and server requirements
Naturally those are just two options that come to mind for me.
This idea isn't new, but Blizzard would definately be pushing the envelope in terms of scaleability. And whereas the other areas this technology is used may not necessarily have hackers working to crack the system, Blizzard will be constantly fighting not only hackers, but the farms of servers some hackers have in order to keep the code safe from being understood.
As far as Diablo III goes it's a little too fantastical to believe this system will be used to log people in.
Rollback Post to RevisionRollBack
To post a comment, please login or register a new account.
Why yes I do understand keyloggers I have edited and used them in the past. When I said it wouldn't help complex passwords I meant this: Brute forcers will crack easy passwords in seconds, if not sooner(words, numbers[like the ones on the token], simple things). A person with such a simple password would be the only person to benefit from the authenticator simply because their password wouldn't be a static, easily crackable sequence...it would change often. If you use a complex string for a password, the authenticator adds nothing. Cracking a difficult password without a quantum computer could take seconds(theoretically, if the password was guessed quickly) or centuries. I already said the device wouldn't help protect against keyloggers, so when I went on, I went on the assumption the reader would understand the rest of it wasn't conditional on whether a keylogger would be stumped or not. Sorry to confuse you.
Keylogging "scripts" by nature are simple. You can make it look purdy. But all you really need to log is the active window and the keys being typed, the extra stuff just keeps the keylogger from being viewed as an active process easily...and the code for that isn't specific to any one program(as in...re-useable code). I don't write hacks for games. I don't post hacks on the internet(edit yes, but I don't start from scratch and post it). Sorry to disappoint you. I can hack, but that doesn't mean I'll find a system and search for XSS exploits, buffer overflow potentials or DDoS it. Not everyone who understands computers is a malicious user.
If someone were to crack the code on a single RSA token, and write a program that could replicate the process for another(the process of getting the code from the RSA token), then all they would need is a brief moment with the token. If you were to get your hands on a token and STEAL it, the original user would most likely call Blizzard and get the device deactivated(or do it online or what have you). If someone is capable of ripping the algorithm quickly and crack it later, it would be beneficial to merely touch the device for a few moments, and leave it looking as if it were untouched(thus not alerting the user to knowing they're vulnerable). I'm not spelling out every little detail though because that isn't necessary. I was just pointing out where some of the vulnerabilities of the system arise(I assure you there are plenty more). Many of the places these things are used are for business who probably have few, if any, hackers trying to get in to their systems. Blizzard on the other hand will need to fight against thousands, if not millions, of people trying to break through. As it is currently only optional for WoW, it didn't draw much attention yet. I was saying if it was MANDATORY, then the amount of focus hackers would have would be unrivaled for the given technology.
The tokens will stop basic hackers from getting basic information and getting through basic passwords, but if the device is mandatory for every, then eventually someone is going to find a gaping hole in the process and passwords will be cracked through the authenticators left and right. Unless you believe this is a flawless system?
This will only help people who use basic passwords like 'baseball981' that can be brute forced in seconds. people who use passwords more akin to !K293Q><32udH))Cc would only be wasting their money, especially if they had an easy way to remember such a string.
Anywho, size isn't a problem. The problem is this. There is one of two possiblities for what the keychain does to update passwords.
1. The keychain somehow links up to a network and receives a code from Battle.net to tell it what the password is. This method means whoever wants to hack the code will get a chance to view its transmission every 10 minutes. During the 10 minute waits, hackers will probably decipher what information they can.
End result: Hackers may be able to easily crack this type of password method.
Cons: people who can't see the satellies Blizzard uses can't play Battle.net games.
2. An algorithm is stored on the keychain. When the keychain is synced up with the online blizzard account, this algorithm is set in motion. At the same time, Blizzard's servers run the same algorithm for the same account. Regardless of connectivity, the keychain will always have the same password Blizzard has set up for the account. Couple bad things here. One, is the keychain needs to run indefinitely to work right, even a minute offline ruins the system. Meaning a battery warning needs to be given well in advance(I wouldn't be surprised if this could be usb-rechargeable). Another problem though. Running the algorithm securely would require a hefty encryption process. Running this process for millions of users? That would require Blizzard to have server farms just for password maintenance.
End Result: Hackers have access to an algorithm that will always run. Even if the encryption is 1 GB or larger, it CAN and most likely WOULD be cracked eventually.
Cons: Battery life, and server requirements
Naturally those are just two options that come to mind for me.
This idea isn't new, but Blizzard would definately be pushing the envelope in terms of scaleability. And whereas the other areas this technology is used may not necessarily have hackers working to crack the system, Blizzard will be constantly fighting not only hackers, but the farms of servers some hackers have in order to keep the code safe from being understood.
As far as Diablo III goes it's a little too fantastical to believe this system will be used to log people in.