Blizzard Entertainment may not yet be in the clear after its latest breach, as the attackers potentially have enough information to recover weakly constructed passwords.
As Jeremy Spilman pointed out on his blog, the information stolen from Blizzard is likely to be the server-side database used as part of the Secure Remote Password (SRP) protocol.
If Blizzard's implementation of SRP is standard, the stolen SRP database contains, for each account, the username, the salt and the hashed password verifier.
In his post, Spilman drew on a previous paper, written by the widely accepted father of SRP, Thomas Wu, who stated that if certain information were known — such as the password verifiers that were stolen from Blizzard — an attacker would be able to perform a dictionary attack.
Although an attacker cannot "unhash" the verifiers, in simplistic terms they can still combine a username with a dictionary of common passwords and use that account's salt from the database to generate a verifier for each guess. These generated verifiers can then be compared with the stolen verifiers. Because the salts are part of the stolen information, they no longer provide the additional protection they normally give weak passwords: the attacker can generate verifiers with the correct salt for every account. Additionally, Blizzard passwords are case-insensitive, which significantly reduces the number of passwords that need to be tested.
Blizzard has also been criticised by the SANS Institute's Internet Storm Centre for not addressing the issue of resetting security questions. SANS contributor Kevin Liston warned that the recommendation for users to change their passwords may be ineffective, as attackers armed with security questions could use them to reset passwords in a similar fashion to last week.
Blizzard has so far stated that it will soon roll out a way for users to change their security questions and answers, but until then, users are unable to do so. In the meantime, the games publisher has said that its customer service staff will use additional measures to verify player identities rather than relying solely on the security questions and answers. Concerned users can, however, set up SMS notifications that alert them when account details are changed.
ZDNet contacted Blizzard for comment, but did not receive a response at the time of writing.