So WoW’s account security got a shot in the arm today, with the forums requiring the authenticator.
Isn’t this more of a “sorry it took so long” situation? This was so bloody obvious that it surprises me that it has taken till now. Maybe there were technical reasons why this could not be done, and as a consumer I do not appreciate the work involved. Maybe.
But maybe it is also not unreasonable to expect this level of forethought when a feature like the authenticator is introduced, and expect a change to the systems we use within a good timeframe. Say less than two years after the press release.
I think the change was implemented to help slow down account hacking. If you think about it, the forums are the perfect place to brute-force a username/password combination, as it is a web-based delivery system that has to be tolerant of many different interfaces, and has been around a very long time. That means it was probably installed as a basic solution, and became the juggernaut before anyone really saw what was happening.
The follow-up question is why now rather than later or much earlier, and only Activision-Blizzard could tell you that. The cynics will say it's because hacks cost too much (meh), but it could also be that it is a legitimate and substantial improvement to the forum systems that has been planned for a while. If the changes for RealID were being planned, it stands to reason that this was part of it.
So yes, it is a very good move, and something that has been asked for a long time.
Update 8 Aug 2010:
Further to the account security, the WoW login screen now recommends some security measures, like letters and numbers – but still fails on upper or lower case for those characters.
Further on security and the authenticator: I was really wrong back in June 2008 when I said that the authenticators would not be widely adopted; very wrong. They’re great, love them.
That said, there still remain some pesky security flaws in the authentication and account systems for Warcraft.
Example One: The mobile armory app does not require an authenticator.
This moves the ideal attack point from the forums to the mobile apps. If proper logging is introduced, it is just as easy to see where an attack may originate, and it perhaps makes the interface for doing hundreds of brute force attempts much harder, because it may be harder to create a web app that simulates a mobile browser and requests the information. Maybe.
Seems to me a packet capture app could be used to sniff the communications; then write some emulation for those packets, using a machine set up to spoof a cycle of internal IP addresses. All you need is an angry and skilled coder, or a coder with some proper motivation.
Now it could also be that the mobile app itself has some clever anti-attack logic, and that doing this is much harder on a mobile platform. If the app had some clever hash values in the packets sent, that would make it really frigging hard to fake. Something like a special code [packet hour + unknown app seed value + account name = hash], all hashed and checked at the other end for authentication purposes, and checked before the password is parsed.
It is also not that silly given we already know that the app will require a re-login if you change to a previously unused IP address. So if the backend tracks a login-plus-IP relationship, then it is not silly to consider other checks that add only a small unseen overhead for legitimate use, but make flooded brute force attacks difficult.
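As an added illustration (not the post's code, and not anything Blizzard is known to run) of the request tag sketched above, here is the [packet hour + app seed + account name] check written as a keyed HMAC that the server verifies before it ever looks at the password. The seed, account name and one-hour skew window are constructed assumptions for the example.

```python
import hashlib
import hmac
import time

# The post's "unknown app seed value": a secret compiled into the client.
# Constructed value for this example only, not a real key.
APP_SEED = b"constructed-demo-app-seed"
# Hours of clock skew the server tolerates (an assumption for this example).
SKEW_HOURS = 1


def current_hour() -> int:
    """Whole hours since the Unix epoch, the post's 'packet hour'."""
    return int(time.time() // 3600)


def request_tag(account: str, hour: int, seed: bytes = APP_SEED) -> str:
    """Client side: HMAC-SHA256 over 'hour|account', keyed with the app seed.
    An HMAC rather than a bare hash of the concatenated values means the tag
    cannot be recomputed without the seed, and the separator keeps hour and
    account from running into each other."""
    msg = f"{hour}|{account}".encode("utf-8")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def verify_tag(account: str, hour: int, tag: str, now_hour: int,
               seed: bytes = APP_SEED) -> bool:
    """Server side, run before the password is even looked at: reject hours
    outside the skew window, then compare the tag in constant time."""
    if abs(now_hour - hour) > SKEW_HOURS:
        return False
    expected = request_tag(account, hour, seed)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    now = current_hour()
    acct = "constructed.player@example.com"  # constructed sample account
    good = request_tag(acct, now)
    print("fresh tag accepted:", verify_tag(acct, now, good, now))
    # A tag captured and replayed six hours later fails the window check.
    print("replayed tag accepted:", verify_tag(acct, now, good, now + 6))
    # A tag minted for one account does not verify for another.
    print("tag reused for other account:", verify_tag("other.player", now, good, now))
    # Without the real seed a forger computes the wrong tag.
    forged = request_tag(acct, now, seed=b"guessed-seed")
    print("forged tag accepted:", verify_tag(acct, now, forged, now))
```

The check only raises the bar while the seed stays inside the app; once it is extracted the tags can be minted at will, so this belongs alongside the login-plus-IP tracking and rate limiting the post mentions rather than in place of them.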
Example Two: the WoW login still ignores the case of your password.
Yes, you read that right. If your password contains upper and lower case characters, you can just type them all as lower case and it still works. So go ahead and create a complex password, with all sorts of combinations – just don’t expect all the strength that you are using to be applied by the application yet.
This worked as of approximately two weeks ago, and I’d rather be playing than testing the login system. I’ll test again when the next set of huge updates is made. I’d bet a good coffee it is not fixed until Warcraft 4.0.
Here is hoping everyone’s accounts stay safe, and happy killing.