BioWare / EA password (un)security



  • HELLo!

    Just got the following e-mail from BioWare, telling me about their latest misfortune EA saddled them with:

    We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers’ data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from these forum accounts on the system may have been compromised, as well as other information (if any) that you may have associated with your EA Account. In an abundance of caution, we have changed your password to ensure account security. Please visit this [snip]

    If your link has expired, click here to generate a new email.

    We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your EA account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

    If you have questions, please visit our FAQ at http://support.ea.com/app/answers/detail/a_id/5367/ or contact Customer Support at the phone number above.

    Now, I note that they've explicitly stated that password were encrypted, so I'm not too scared about that bit. Though, the rest of the data is quite bad enough, on its own.

    In any case, I decided to follow up on their advice and reset my password (since I apparently have to do so). This time, I went for a properly secure and random password, only to be greeted with this:

    I'm speechless....

    PS: Crossing my fingers that CS won't barf at my HTML, though the preview looks good...



  • @Hellkeepa said:

    This time, I went for a properly secure and random password

    Holy shit, is that a password or a fricken novel?

    Also, if they want to limit password length, why do they allow to enter a longer one in the first place?

    But no, the actual reason for limiting password length is, of course, disk usage. Imagine you have a customer base of a billion people, and you're storing the passwords encrypted (encryption usually only increases the length of the passwords. Hashes are unacceptable in our case, because they ultimately limit password length as well), and each user has a 43 characters long password, that'd be more than 40 GiB of data!! Only for the passwords!



  • @derula said:

    @Hellkeepa said:
    This time, I went for a properly secure and random password

    Holy shit, is that a password or a fricken novel?

    Also, if they want to limit password length, why do they allow to enter a longer one in the first place?

    But no, the actual reason for limiting password length is, of course, disk usage. Imagine you have a customer base of a billion people, and you're storing the passwords encrypted (encryption usually only increases the length of the passwords. Hashes are unacceptable in our case, because they ultimately limit password length as well), and each user has a 43 characters long password, that'd be more than 40 GiB of data!! Only for the passwords!

    As far as my research goes, the only game with a 1bln user base is Minesweeper, and I don't think they have a dedicated forum.



  • @derula said:

    Holy shit, is that a password or a fricken novel?

    I'm guessing it's the twitter version of War and Peace. Let's see ... nope. Is it the Bible then?Ah yes, I can log in to his BIoWare account.Now I'm going to cast a really expensive +20 SDFK backwards troll spell.



  • Hey! Welcome to EA!

    Now hopefully people will stop buying their shit and they'll go out of business! Oh who am I fucking kidding, video game monopoly ahoy.



  • @blakeyrat said:

    Now hopefully people will stop buying their shit and they'll go out of business!

    Last EA game I bought was the Sims and various add-ons, and I re-sold these later. Oh wait, Mirror's Edge is also EA… Okay so I bought two EA games and kept one. DEFINITELY NOT MY FAULT THEY'RE BIG!



  • @Hellkeepa said:

    HELLo!

    Just got the following e-mail from BioWare, telling me about their latest misfortune EA saddled them with:

    ... encrypted passwords ...
     
    I just threw up in my mouth a little bit when I read that. No doubt the means to decrypt those passwords was readily available on the compromised system. Why does this situation still seem so common....

     



  • HELLo!

    @derula said:

    Also, if they want to limit password length, why do they allow to enter a longer one in the first place?

    This part I can actually agree with, the rest... I prefer not to share my delicious food.

    @blakeyrat said:

    Hey! Welcome to EA!

    Now hopefully people will stop buying their shit and they'll go out of business! Oh who am I fucking kidding, video game monopoly ahoy.

    I've been boycotting them for a while now, only relenting for one particular series (which I didn't even know EA had anything to do with until after I bought it). That, however, turned into a complete boycott after I had a run-in with their customer service.
    That story, I think I'll have to send in to Alex, as I suspect that would be front-side material. *shudders*

    @dr spock said:

    @Hellkeepa said:

    HELLo!

    Just got the following e-mail from BioWare, telling me about their latest misfortune EA saddled them with:

    ... encrypted passwords ...  
    I just threw up in my mouth a little bit when I read that. No doubt the means to decrypt those passwords was readily available on the compromised system. Why does this situation still seem so common....
    I almost did the same, but I was willing to give them the benefit of the doubt, and assume they really meant to say that they've salted and hashed the passwords. Laymen reading the mail and all.
    After trying to change the password, not so much... Sent them a mail where I expressed my concerns, and pointed out that salting (w/individual salts) & hashing is the only acceptable solution when it comes to passwords. Encryption is OK for everything else, and required for financial data. I mean, after Gawker, Sony, MySPace and all of the other high profile cracks one would think that the lesson was learned. Apparently not...

    Knowing EA support, however, I'm betting that the mail will just go ignored without even a single reply for weeks/months. If at all. *rolleyes*

    Happy codin'!


  • @derula said:

    Hashes are unacceptable in our case, because they ultimately limit password length as well

    What? No, any sane hash function will take as much data as you can throw at it; it will just take longer to calculate hashes for longer strings of data. How else can I sha1sum this multi-gigabyte file I have?

    @derula said:

    and each user has a 43 characters long password, that'd be more than 40 GiB of data!! Only for the passwords!

    Every SHA-1 hash will be 40 characters long, regardless of the input string, but that's still only... 38MB (40B * 1,000,000,000 divided by 1,024 for KB divided by 1,024 for MB). Not quite your 40GB, there, even after database overhead.







  • Well, the rest of your post was "hashes don't limit passwords".  While technically true, since the hashspace is limited, your 10MB password is going to hash the same as a 40-character one, so it's not any more secure.

    (This is not to say I agree with the post that your comment was directed at)



  •  [quote user="derula"]

    Imagine you have a customer base of a billion people, and you're
    storing the passwords encrypted (encryption usually only increases the
    length of the passwords. Hashes are unacceptable in our case, because
    they ultimately limit password length as well), and each user has a 43
    characters long password, that'd be more than 40 GiB of data!! Only for
    the passwords!

    								    </p><p>[/quote]</p><p>&nbsp;If you have 1 billion customers you can probably afford a few dedicated machines with 64GB+ of ram, solely for handling authentication :P</p><p>All the other user data you likely have to store will far outweight the storage space of password hashes... <br></p><p>&nbsp;</p>


  • @Sutherlands said:

    While technically true, since the hashspace is limited, your 10MB password is going to hash the same as a 40-character one, so it's not any more secure.

    That's what I meant. Also, I wasn't 100% serious with that "using hashes is nonsense".



  • @dr spock said:

     If you have 1 billion customers you can probably afford a few dedicated machines with 64GB+ of ram, solely for handling authentication 😛

    All the other user data you likely have to store will far outweight the storage space of password hashes...

    That was basically my point: there's absolutely no excuse for limiting password lengths, not even the only one I could imagine, which was that you'd have to store too much data if you had ridiculously many users with a ridiculous sense for security each. If there's another "reason" for limiting password length, I'd like to hear that. It doesn't improve security, it doesn't force the user to make a longer password (i.e. possible annoyance factor); I just can't think of anything that would favor the forcing of a maximum password length.



  • A shorter password will be transmitted to the server faster, making the web form more responsive.

    OK, I can't think of anything either. The only case where that requirement makes any sort of sense is storing actual passwords, not just hashes. (One hopes that they would at least be encrypted, but one would probably be wrong.) And if you're storing passwords, you almost certainly shouldn't be.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.