Battle.NET account + Blizzard Authenticator + today = fail

[Souca]

Supposedly this was how it was supposed to have been working all along, and they FIXED what they considered a bug and not introduced one.

As Souca stated, this doesn't completely negate the possibility of a man-in-the-middle attack, but it reduces the window of opportunity from 30 seconds down to how ever long it takes for you to press enter after typing the last digit of the code. More security for 99% of authenticators vs 2 minutes of hassle for 5-boxers... it's not too hard to see why Blizzard made the choice they did in fixing the bug.

If they are in the middle, they will just prevent you from even logging in. If it's been a bug for over a year, it's now called a feature. Ask MS how many bugs they have to keep in their versions of Windows because software counts on it working the same way. It adds no security for those 99% of the people in this scenario.

- Souca -

[Oswyn]

Yeah it's a pain, but in the scale of things it's a minor inconvenience. Heck, my ritual now is to login while I'm catching up on emails or doing other productive things. If anything, the game is waiting on me to put in the code. Not a big deal.

[Khatovar]

IMO, if they wanted to ensure security, they wouldn't have decided that tying every single Blizzard product a person owns to one single e-mail address and password instead of multiple userids was a great way to do things.

[Ualaa]

I see your point, Khat.

However, to guess my (up to) 14 letter/digit/symbol username and then my (up to) 14 letter/digit/symbol password is pretty strong security. Passwords should be case sensitive, but unfortunately they're not.

Unless I'm keylogged, its not at all likely they'll randomly guess a username and a password.

If I am keylogged, then one account or five accounts, they'll have the information as it is entered, or whenever it transmits the logged info.

[Simulacra]

True the authenticator login is a pita, but having been hacked on numerous occasions I don't mind the extra hassle, I'm just wondering hopw long the batteries last given I'm now pressing the button 5+ times >.<

[Khatovar]

It's not exactly guessing if, as the majority of users do, you use the same email address for everything. It's all well and good when dealing with smart people who use good userids and passwords...like mine USED to be, but we're talking about people who repeatedly fail at their own security.

People who look at a post like "lol, so funy! look for self sexleg hot! omg.kennylogginsyourkeys.here/ufackinnewb.exe " and post back "i went like 4 time???? i din't see nuthin? lawlz?"

People who make an account name like HoserMcLuvin and troll all over Curse, WoW, MMOChampion, anywhere WoW related with the avatar name...HoserMcLuvin...with links to their armory and facebook and Twitter and anything else that has their e-mail address {HoserMcLuvin-at-gmail, of course, same password as they use for everything} and random WoW info.

People who will get their butt keylogged over and over again because they don't run anti-virus and don't scan all the random crap they download and don't even know what anti-spyware is or how to format, and share their account with thier friends who are just as stupid.

Blizzard didn't do anyone any favors by moving to e-mail address form. Especially considering how much some of these sites just LOVE to sell e-mail addresses.

[Ualaa]

Definitely see your point there too.

I get 10 email addresses through my service provider.
I'm planning to use 5 of them for B.Net accounts.
They won't be used for any other purpose ever.

I'm not sure how many characters you can have in a B.Net email address, but I'll want close to the maximum.
The usual mix of numbers, letters and symbols, without more then 2-3 of one type in a row.
Chances are I won't be able to remember the email long term.
But will have them entered into IS as my user names, and saved somewhere for copy/paste if needed.

Most likely, they'll be a tad harder to get (without a keylogger) then someone who clicks a link like the one you posted above. I really like the logger name you picked, it unfortunately shows the mentality of a lot of the player base...

[BobGnarly]

Regardless of whether or not you are "kinda sure they didn't change it because of some man in the middle attack", it is vulnerable to that, so that's as good a reason as any to believe that they chaged it. Your assertion that wow isn't serious enough to warrant a change like this is silly considering that the discussion we are having is regarding a rotating token security system already implemented for wow, which isn't just thrown around for the fun of it. Somebody (both at Blizzard, and their customer base) clearly thinks security is important here, so yeah, they should fix vulnerabilities.

My biggest gripe is the email thing. I don't want my wow subscription email associated with anything else in my life. Call me paranoid, but I know where it can lead and I want no part of it. So, I'm going to have to create one or more new ones just for this, and it irks me - primarily because there's no good reason they couldn't let your bnet account be whatever you want, just like your current wow account. If they are so serious about security, they should hire a good security consultant who would tell them so.

BTW, one thing to keep in mind everybody...creating multiple accounts may get you around the this issue *for now*, but they've been talking about things like allowing heritage items to be passed around all your bnet accounts, so you would lose out on future features like that. Just thought I'd mention it.

[alcattle]

I missed your point. Your E-mail is already tied to an account. Making your Email into your account name, what changes? WoW players still only know toon names not account names. No one can get your account name except Blizzard, nothing changed. In my case, it will help as I set up account on different Emails so they could be problems. Bnet will fix them.

[mebben]

Is it just me or did they change something with the authenticator? I used to be able to log on with all five accounts at once, now it seems the code is only accepted by two windows at most, then I have to enter a new code for two others and so on. Very annoying.