It has recently come to my attention that there is a major shortcoming in Blizzard's account security. In years past, a simple password kept many people's data safe. Lately, companies have tightened the rules on user passwords regarding length and the mix of letters and digits (neither of which Blizzard requires). Those kinds of rules only help against brute-force attacks, where an attacker tries to guess your password by feeding it dictionaries or sequentially generated candidates over and over.
Where a key-logger is involved, the player's password is stolen as they type it in, regardless of how good a password they chose. How can Blizzard keep players' accounts safe when viruses, trojan horses and other malware are stealing passwords on the user's end?
The solution Blizzard came up with is the "authenticator." The device keeps a clock and counts the time elapsed since an arbitrary epoch, in fixed steps. It feeds the current step count and a secret key into a keyed one-way function and displays a 6-digit code derived from the result. The authenticator's serial number is registered with a Blizzard account, which tells Blizzard which secret key that account's device holds. When the 6-digit code is entered along with the password, Blizzard's server runs the same computation with its own clock and the key associated with the player's account, and accepts the code only if it matches one of the expected values within a small window (on the order of a minute) around the server's current time. The code cannot be "decrypted" back into a time: six digits carry far too little information for that, so the server has to regenerate the expected codes and compare. Once used, a code is no longer valid. If an attacker captured the 6-digit code via key-logging and tried to replay it, it would be rejected because the user had already consumed it, and a fresh code from the authenticator would be required for the next login. Likewise, a code from a different authenticator is computed with a different key, so it will not match any of the values the server expects for that account and is rejected as invalid.
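To make the above concrete, here is an added example (my own illustration, not Blizzard's or the device vendor's code) of a time-based one-time-code verifier in Python. It assumes a 30-second time step, HMAC-SHA1 with the dynamic truncation from RFC 4226, a tolerance of 60 seconds either side of the server clock, and a constructed 20-byte shared secret; it also enforces the one-time property by remembering the highest time step already accepted for each serial number, which is what defeats the replayed key-logged code.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for the example (the RFC 6238 test-vector key). A real
# authenticator's key is provisioned by the vendor and never leaves the device
# or the server's database.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per counter tick (assumption)
CODE_DIGITS = 6


def counter_for(unix_time: int) -> int:
    """Number of whole time steps elapsed since the Unix epoch."""
    return unix_time // TIME_STEP


def code_for(secret: bytes, counter: int) -> str:
    """Keyed one-way function: HMAC-SHA1 over the counter, dynamically truncated
    (RFC 4226) to a 6-digit decimal string. The counter cannot be recovered
    from the output; the verifier must recompute and compare."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class AuthenticatorServer:
    """Server side: knows each registered serial's secret and checks codes
    against its own clock, tolerating small drift and refusing replays."""

    def __init__(self, window_seconds: int = 60):
        self.secrets = {}        # serial -> shared secret
        self.last_counter = {}   # serial -> highest counter already consumed
        self.window_steps = window_seconds // TIME_STEP

    def register(self, serial: str, secret: bytes) -> None:
        self.secrets[serial] = secret
        self.last_counter[serial] = -1

    def verify(self, serial: str, code: str, now: int) -> bool:
        secret = self.secrets.get(serial)
        if secret is None:
            return False
        base = counter_for(now)
        lo = max(0, base - self.window_steps)
        for c in range(lo, base + self.window_steps + 1):
            if c <= self.last_counter[serial]:
                continue  # already used (or older): a replayed code is refused
            if hmac.compare_digest(code_for(secret, c), code):
                self.last_counter[serial] = c
                return True
        return False  # wrong key, wrong time, or replay


if __name__ == "__main__":
    server = AuthenticatorServer()
    server.register("SN-EXAMPLE", SHARED_SECRET)
    now = int(time.time())
    device_code = code_for(SHARED_SECRET, counter_for(now))  # what the device shows
    print("first use:", server.verify("SN-EXAMPLE", device_code, now))
    print("replay   :", server.verify("SN-EXAMPLE", device_code, now))
```

The `code_for` values for counters 0, 1 and 2 match the published HOTP test vectors (755224, 287082, 359152), which is a convenient way to check an implementation like this against a real token.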
So what's the big deal, you might ask. Although Blizzard has made authenticators available to those who wish to buy them, a great many people do not want to purchase a piece of hardware to protect their game accounts. Unless Blizzard offered an authenticator to every person free of charge, there will always be problems with account security. Why would anyone buy one if they felt their account was already safe? Consider also that Blizzard makes money from selling the authenticators.
The truth is that Blizzard has neglected to put in place simple measures to protect WoW accounts. Let me explain a simple solution that does not require a hardware authenticator and would probably need minimal programming by Blizz:
Imagine that along with your password you were required to enter a 4-digit PIN of your choosing. Instead of typing the PIN on the keyboard, you would enter it on a keypad drawn on the screen, much like a numpad or a telephone keypad, pressing the buttons with the mouse. For all the programmers out there who are skeptical at this point: it is true that this alone would not defeat malware that logs mouse x,y coordinates and clicks to steal a person's PIN, because with a fixed layout every click position maps to a known digit.
Here comes the truly tricky part that seals the deal. For each digit the user needs to enter, the keypad is randomly scrambled, so the user has to find the correct button anew each time. This is a minor inconvenience, but it means that someone who only sees mouse coordinates and clicks cannot know for sure which digits were pressed: each clicked position could have been showing any of the ten digits. There are 10! (factorial), or 3,628,800, possible arrangements of the keypad for each digit. One caveat a practitioner would add: this holds only as long as the malware cannot also see the layout. Malware that captures a screenshot at each click, or reads the layout out of the client's memory, recovers the PIN as easily as a key-logger recovers the password.
The genius of it is that it uses a totally separate processing engine (your brain) to decode the scrambled layout. Since your brain easily matches the location of the button with the desired digit, randomizing the button locations is, in effect, encrypting the data on its way from you to the server. Your brain does not have to reason about the randomization, only find 1 digit out of ten, so on average it scans about half the keypad (for a uniformly random position the exact figure is (n+1)/2 = 5.5 buttons). Roughly 5 or 6 buttons scanned per digit, times 4 digits in the PIN, is around 20 buttons scanned to enter the PIN. Not too much work for your brain.
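The following is an added simulation (my own example, not anything Blizzard ships) of the scrambled keypad: the server draws a fresh layout per digit, the user clicks positions, the server maps the positions back through its layouts, and two kinds of attacker are modelled, one that sees only mouse positions and one that also sees the layouts (screenshots). The PIN and the seeded random generator are constructed for the example; a real client would use a cryptographic generator such as `secrets.SystemRandom`, which is the default here.

```python
import itertools
import random
import secrets

DIGITS = "0123456789"
PIN_LENGTH = 4
FIXED_LAYOUT = DIGITS  # an ordinary keypad: position i always shows digit i


def new_layout(rng=None) -> str:
    """Random permutation of the keypad: layout[position] = digit shown there."""
    rng = rng or secrets.SystemRandom()
    digits = list(DIGITS)
    rng.shuffle(digits)
    return "".join(digits)


def layouts_for_pin(rng=None, length: int = PIN_LENGTH) -> list:
    """The server scrambles the keypad again for every digit of the PIN."""
    return [new_layout(rng) for _ in range(length)]


def user_clicks(pin: str, layouts: list) -> list:
    """The user's brain finds each digit on the current layout and clicks its
    position. The returned positions are all a mouse logger gets to see."""
    return [layout.index(d) for d, layout in zip(pin, layouts)]


def server_decode(clicks: list, layouts: list) -> str:
    """The server generated the layouts, so it maps positions back to digits."""
    return "".join(layout[pos] for pos, layout in zip(clicks, layouts))


def attacker_candidates(clicks: list, layouts: list = None) -> set:
    """PINs consistent with what the attacker observed. With positions only,
    every clicked position could have shown any digit, so all 10**n PINs
    remain possible. With the layouts too (screenshots, or a fixed keypad),
    the candidate set collapses to exactly one PIN."""
    if layouts is None:
        return {"".join(p) for p in itertools.product(DIGITS, repeat=len(clicks))}
    return {server_decode(clicks, layouts)}


def average_scan_cost(pin: str, rng, trials: int = 2000) -> float:
    """Buttons the user scans (left to right) to find all digits, averaged over
    random layouts; the expectation is 5.5 per digit, so 22 for four digits."""
    total = 0
    for _ in range(trials):
        layouts = layouts_for_pin(rng, len(pin))
        total += sum(pos + 1 for pos in user_clicks(pin, layouts))
    return total / trials


if __name__ == "__main__":
    rng = random.Random(2024)          # seeded only so the demo is repeatable
    layouts = layouts_for_pin(rng)
    clicks = user_clicks("4721", layouts)
    print("positions logged:", clicks)
    print("server decodes  :", server_decode(clicks, layouts))
    print("positions-only attacker candidates:", len(attacker_candidates(clicks)))
    print("screenshot attacker candidates    :", attacker_candidates(clicks, layouts))
    print("fixed keypad leaks the PIN        :",
          attacker_candidates(user_clicks("4721", [FIXED_LAYOUT] * 4), [FIXED_LAYOUT] * 4))
```

The contrast between the last two lines of output is the whole argument: scrambling buys nothing against an attacker who sees the screen, and everything against one who sees only coordinates.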
It's obvious why this method is not used for entering passwords: the alphabet contains a significantly larger number of characters to scan through to find the one you want. With 26 letters + 10 digits there are 36! (factorial) ≈ 3.72 × 10^41 possible arrangements. Yikes, that's a lot of possibilities for a scrambled alphabet, and it would be re-scrambled for each character of your password (that would be some immense security!). But your brain would then need to scan the whole alphabet and pick out the correct letter or digit each time, finding it after about n/2 = 18 scanned characters on average. 18 scanned characters * 8 characters in a password = 144 scanned characters to enter the password, nearly an order of magnitude more than the 20 for a 4-digit PIN. It would be a major inconvenience to the user. With only 10 digits on the keypad, however, the user can quickly scan through them to find the right number, especially when they only need to do it for the 4 digits of a PIN.
Now you might ask: they could still steal your password, and knowing that the 4-digit PIN is always a number, that leaves only 10,000 possibilities. A computer could quickly brute-force the PIN, especially since the average PIN would be found after about n/2, or 5,000, attempts. To prevent this, all Blizzard would need to do is lock the account after 25 (or whatever number they chose) incorrect PIN attempts in a row. Brute-forcing the PIN would then almost certainly fail, since the attacker gets to try only 25 of the 10,000 possibilities, a 0.25% chance of success per account. The trade-off is that the lockout itself becomes a weapon: anyone who has your password can lock you out of your own account by failing 25 times on purpose, so a temporary lockout with growing delays is preferable to a permanent one.
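Here is an added example (mine, not Blizzard's) of the lockout arithmetic from the paragraph above: a PIN verifier that locks after a configurable number of consecutive failures, an attacker who already has the password and tries PINs 0000 through 9999 in order, and the resulting success probability. The PINs are constructed for the example; `max_failures=None` models a verifier with no lockout so the two can be compared.

```python
import secrets

PIN_SPACE = 10_000  # every 4-digit PIN


class PinVerifier:
    """Server-side PIN check with an account lockout after N consecutive
    failures. max_failures=None disables the lockout (for comparison)."""

    def __init__(self, pin: str, max_failures=25):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False  # even the right PIN is refused once locked
        if secrets.compare_digest(attempt, self._pin):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(verifier: PinVerifier):
    """Attacker already holds the password and walks the whole PIN space.
    Returns (recovered_pin_or_None, attempts_made)."""
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if verifier.check(guess):
            return guess, n + 1
        if verifier.locked:
            return None, n + 1  # locked out before finding it
    return None, PIN_SPACE


def success_probability(max_failures: int, space: int = PIN_SPACE) -> float:
    """Chance a random PIN falls among the guesses allowed before lockout."""
    return min(max_failures, space) / space


if __name__ == "__main__":
    print("with lockout   :", brute_force(PinVerifier("7731")))
    print("without lockout:", brute_force(PinVerifier("7731", max_failures=None)))
    print("P(success) at 25 tries:", success_probability(25))
```

Note that after the failed brute force the legitimate user's correct PIN is also refused, which is the denial-of-service side of the trade-off mentioned above.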
It's not foolproof, mind you. People could still hack your account using other methods. But you'd think that Blizzard would save a lot of money by eliminating all the time spent dealing with fraud issues and hackers by implementing such a plan. It could be rolled out in a regular patch and deployed to every WoW player in existence at absolutely no cost to the player. So why don't they do it? There must be some trade-off that I'm not considering. Either the savings don't outweigh the benefits, or hackers would simply find some other way to cheat the system. Or perhaps Blizzard makes a decent amount of money from the new accounts started by hackers and gold farmers, and they really don't want to cut out a source of revenue... after all, in-game resources are free. They can just create you new virtual items and gold at no cost to them... just pay some GM $10/hr to do it. And at the pace they respond to such tickets... (3 day response time for me) they must not be paying too many GMs.