Tuesday, August 14, 2012

Why hacked Blizzard passwords aren't as hard to crack as company says

The silver lining in Thursday's news that hackers extracted significant user information from online gaming empire Blizzard was that passwords were protected by an encryption scheme the company said is "extremely difficult" to crack. We reported that the use of cryptographic "salts" made it "extremely unlikely" that plaintext passwords could be derived from the cryptographic hashes. Security researchers, including those at Sophos and Intego, agreed.
But other researchers warned that Blizzard's advisory overstates the case and may give users a false sense of security. The researchers noted that the Secure Remote Password protocol used to convert plaintext into cryptographic hashes is a decade-old scheme that is focused on protecting passwords as they traverse the Internet, rather than when they're "at rest"—that is, when they're stored in a database on a website server. One blogger who took the time to read the official SRP whitepaper written by the protocol author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime.
"Blizzard is incorrect in claiming that SRP 'is designed to make it extremely difficult to extract the actual password' after the verifier database is stolen," Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled "SRP Won’t Protect Blizzard’s Stolen Passwords," which was published on Friday. "That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe."
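The reason the researchers quoted above say a stolen verifier database is offline-guessable: in SRP-6a the server stores, per user, the salt and a verifier v = g^x mod N, where x is a hash of the salt, username and password. The salt is sent to the client in the clear at every login, so it adds no secrecy once the table leaks, and anyone holding the table can test a password guess with one hash and one modular exponentiation. The following worked example is added here to illustrate that point; it is not code from the article, from Blizzard, TapLink or the SRP specification. It assumes a toy 64-bit safe-prime group found deterministically at import (real deployments use the RFC 5054 groups), SHA-256 where RFC 5054 specifies SHA-1 for x, and a constructed sample record and wordlist.

```python
"""Added example (not from the article): an SRP-6a verifier is checkable offline.

Registration stores (username, salt, verifier) with
    x = H(salt || H(username ":" password)),   v = g^x mod N.
Toy 64-bit group for speed; real deployments use the RFC 5054 groups.
"""
import hashlib
import time

# First 12 primes: deterministic Miller-Rabin bases, correct for n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin primality test for n < 2^81."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start):
    """First safe prime N = 2q + 1 (q prime) with q >= start // 2; deterministic."""
    q = start // 2 | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = safe_prime_from(1 << 63)  # assumed toy modulus: a 64-bit safe prime
g = 2                          # in a safe-prime group, 2 has order q or 2q (no tiny subgroup)


def srp_x(username, salt, password):
    """Private exponent x = H(salt || H(username ":" password)), SHA-256 here."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(username, salt, password):
    """What the server stores: v = g^x mod N. Nothing secret beyond the password goes in."""
    return pow(g, srp_x(username, salt, password), N)


def check_guess(username, salt, verifier, candidate):
    """One offline test of a guess against a stored record: the salt is public by design."""
    return srp_verifier(username, salt, candidate) == verifier


def dictionary_audit(record, wordlist):
    """Return the first wordlist entry matching the record (or None) and seconds per guess."""
    username, salt, verifier = record
    hit, tested = None, 0
    t0 = time.perf_counter()
    for word in wordlist:
        tested += 1
        if check_guess(username, salt, verifier, word):
            hit = word
            break
    return hit, (time.perf_counter() - t0) / tested


def srp_verifier_slow(username, salt, password, iterations=200_000):
    """Hardened variant (an assumption, not standard SRP-6a): derive x with PBKDF2 so
    every offline guess costs `iterations` HMACs. The verifier remains checkable
    offline; only the price per guess rises, and the client must use the same KDF."""
    key = hashlib.pbkdf2_hmac("sha256", f"{username}:{password}".encode(), salt, iterations)
    return pow(g, int.from_bytes(key, "big"), N)


# Constructed sample data: a weak password and a short wordlist, not real user data.
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_RECORD = ("player1", SAMPLE_SALT, srp_verifier("player1", SAMPLE_SALT, "dragon"))
SAMPLE_WORDLIST = ["letmein", "password", "dragon", "qwerty"]

if __name__ == "__main__":
    hit, cost = dictionary_audit(SAMPLE_RECORD, SAMPLE_WORDLIST)
    print(f"group: {N.bit_length()}-bit safe prime, recovered: {hit!r}, {cost*1e6:.1f} us/guess")
```

The audit shows the asymmetry the article describes: a leaked (salt, verifier) pair is as exposed to dictionary guessing as a salted fast hash, because the only per-guess cost is the hash plus one exponentiation. The `srp_verifier_slow` variant raises that cost with a slow KDF, but it changes the client side of the protocol as well and does not make the verifier secret; the defensive conclusion for users is the one the article draws, namely that a weak password should be changed.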

