Email confirmation added to authenticator setup to foil hackers

Note: Changing the email address on the account requires not only your password (which the account thieves already have at this point) but also the answer to your security question. So make sure the answer to your security question is neither guessable nor obtainable through phishing. As I have suggested before, if you use a password for your security answer rather than an actual answer, you add a substantial extra layer of security. Make it a separate password that you use only for security questions, like p45sw0rd (don't use that one).
Of course, the best way to prevent someone from stealing your account and then adding an authenticator to it is to put an authenticator on it yourself. There are keyfob and mobile versions available.
[Thanks for the tip, Joel!]
Filed under: Blizzard, News items, Account Security

Reader Comments (Page 1 of 4)
MisterRik Jul 28th 2010 1:09PM
I believe the e-mail confirmation step was added just in the last few days. I decided a few days ago to change the e-mail address associated with my account, and logged in to see how to do that. Everything looked normal when I checked, but I didn't actually proceed with the change at that time. But I did make the change yesterday, and discovered the confirmation step had been added. (Actually, the whole look of my account management page had changed.)
jam Jul 28th 2010 7:42PM
Is it possible to change/view your security question somehow?
I can't remember what I put there years ago, I'm not even sure if I could answer that question myself today. :-p
Glaras Jul 28th 2010 1:10PM
LAME. Never, ever make a password any variant of "password", even if you go with the cutesy 'leet-speak versions. You want passwords that won't get guessed? Try something like cruqE3u#Ere5ed@ -- which I generated using an online generator I found with a simple google search. And yes, you should write it down using an archaic device known as a "pen" on some "paper". Keep it somewhere safe, and never put it online.
johnthediver Jul 28th 2010 1:32PM
I'm pretty sure that is why the author said not to use that password. He used Pa5ssw0rd as an example only. I prefer to use something like $up3rc@l1fr@g1l1$t1c3p@1d0c1u$. That is pretty secure.
Although a computer forensics class I took said a long password without special characters is in fact as secure or more secure than a wonky password. The instructor stated the password "dogfrogdogfrogdogfrog" would take months to brute-force, and anybody could remember that.
Neodarkmatter Jul 28th 2010 1:33PM
Even using any sort of password generator is not good practice.
Password generators use the same algorithm every time a password is generated thus someone who could use the same application can find out how the passwords are generated and determine what your password is. Yes it is hard to guess your password but the hacker is already a step closer.
bennet Jul 28th 2010 1:49PM
Or use a passphrase instead of a password. Properly constructed they're difficult to crack, and you don't need to run the added security risk of writing them down.
Phil Jul 28th 2010 1:54PM
See, I just use something like Yeathatswhatyourmomsaid
Duulket Jul 28th 2010 2:00PM
@Glaras
If only people were as smart as you. The fact you got it from an ONLINE generator means it is already online. Before you go and call someone lame you might want to think about your own response.
(cutaia) Jul 28th 2010 2:11PM
"The instructor stated the password "dogfrogdogfrogdogfrog" would take months to bruteforce, and anybody could remember that."
Son of a...now I have to change my password from dogfrogdogfrogdogfrog...
Thanks a lot, jerk.
Glaras Jul 28th 2010 4:03PM
@Duulket: The generator is online. The password's not saved there.
Passphrases are indeed better.
I never called anyone "lame". It's the idea of using a variant of "password" that's lame, and I stand by that statement.
Ishammel Jul 29th 2010 7:55AM
Glaras, stop digging.
logicalfundy Jul 29th 2010 10:27AM
"Even using any sort of password generator is not good practice.
Password generators use the same algorithm every time a password is generated thus someone who could use the same application can find out how the passwords are generated and determine what your password is."
To some extent.
What you want is something called a "cryptographically secure" password generator, or a truly random number source that relies on non-algorithmic information (random.org uses physical sources of randomness).
A "cryptographically secure" PRNG is far higher quality than most other types of PRNGs, and since they are using cryptographic technologies, it is far more difficult for a hacker to discover what the initial state of the generator was in order to reproduce the same random numbers as you did.
The key to any PRNG is to make sure the "seed" (initial state) of the generator is not easily found. One of the weaknesses of many PRNGs is how the initial state is determined.
In any case, this can be a bit complex to talk about - but suffice to say, using some random program or website to generate passwords for you is probably not the best way to do it.
I haven't done any serious research on which RNGs and PRNGs are best, but I know of two sources that produce very good results:
-random.org should work, as they are in the true RNG business. They use physical sources of randomness.
-KeePass has a strong PRNG: They use several sources of randomness and hash them with a cryptographic hash and a counter, which should provide a source of randomness that is very difficult to reverse.
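The two threads above (johnthediver's point about length versus special characters, and logicalfundy's point about cryptographically secure generators versus reproducible ones) can be made concrete in a few lines. The following is an added example, not code from the article, from WoW Insider or from KeePass; it uses Python's `secrets` module (backed by the operating system's CSPRNG) for generation, contrasts it with a generator seeded from a small seed space, and computes the entropy of uniformly random passwords so the length-versus-alphabet comparison is visible. The word list is a constructed, deliberately tiny stand-in; a real passphrase generator would draw from a published list of several thousand words.

```python
"""Added example: CSPRNG-based password/passphrase generation and entropy.

`secrets` draws from os.urandom, so its output cannot be reproduced from a
seed.  `random.Random(seed)` is a Mersenne Twister whose whole output stream
is fixed by the seed, which is exactly the weakness the comment describes.
"""
import math
import random
import secrets
import string
from typing import Optional

# Constructed, intentionally small word list (assumption: a real generator
# would use a published list of a few thousand words).
WORDLIST = ["dog", "frog", "lantern", "orbit", "velvet", "cactus", "harbor",
            "glacier", "pepper", "quartz", "saddle", "tundra", "walnut",
            "yonder", "zephyr", "maple"]

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols, no whitespace.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`.

    This is the right measure only for *uniformly random* choices; a
    repeated pattern typed by a human does not get this many bits.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def seeded_password(seed: int, length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a weakly seeded generator looks like: same seed, same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def recover_seed(target: str, max_seed: int = 10_000) -> Optional[int]:
    """Defender's demonstration: if the seed came from a small space, the
    'random' password is found by regenerating every candidate seed.  The
    same search is hopeless against `generate_password`, which has no seed."""
    for seed in range(max_seed):
        if seeded_password(seed, len(target)) == target:
            return seed
    return None


if __name__ == "__main__":
    # 15 symbols from 94 and 21 lowercase letters carry about the same entropy,
    # which is the substance of the "long password without special
    # characters" claim, provided the letters are chosen at random.
    print(f"15 x 94 symbols : {entropy_bits(94, 15):.1f} bits")
    print(f"21 x 26 letters : {entropy_bits(26, 21):.1f} bits")
    print("password   :", generate_password())
    print("passphrase :", generate_passphrase())
    weak = seeded_password(1234)
    print("weakly seeded password:", weak, "-> seed recovered:", recover_seed(weak))
```

The entropy figures only hold for draws the CSPRNG made; "dogfrogdogfrogdogfrog" is 21 letters but a single repeated pattern, so it is nowhere near the 98 bits the formula would assign to 21 random letters. That distinction is why the generator, not the length alone, is what matters.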
niko Jul 28th 2010 1:10PM
Hooray for improvements to the system!
This should also be yet another advisement on how unprotected you are if you don't have an authenticator yet... Don't let the hackers win!
iPod touch or iPhone gets a free authenticator option, keyfob is $6.50... should be a no-brainer.
Duulket Jul 28th 2010 2:00PM
It is also free from the Android Market.
slythwolf Jul 28th 2010 3:02PM
It's a no-brainer if you don't live near a military base. I do, and it shares my ZIP code. Blizzard could not ship my authenticator to me. I was able to have it shipped to a family member and go pick it up, but not everyone has that option.
Mohsus Jul 28th 2010 1:16PM
I can say that this happened in the last week or so. Know why?
Tried logging in last Tuesday only to find that I had an authenticator attached to my account >_<
Ultimate slap in the face? I was logging in after a month-long break to add MY authenticator to the account.
Vogie Jul 28th 2010 3:43PM
The next security boost will be the action bar of your max level character, and it'll ask you to punch in your boss rotation...
Brett Jul 28th 2010 4:12PM
OMG I think we are one and the same! I got hacked on 7/16 and they put one on mine. All back now thankfully and +my+ authenticator is back on.
Hal Jul 28th 2010 1:20PM
First time I read this, I thought to myself, "p45 sword? I don't know what that is, but I hope it's a tanking weapon!"
When my account was stolen, they actually took over my email account at the same time. This not only enabled them to make changes to my account, but slowed down my response time because I had to get the email under control before I could even worry about WoW.
If you use a browser-based email (such as gmail), do be careful about that. And should it happen, triple-check your security settings, as sometimes the culprits will set up "account recovery" questions so that they can get back in, even if you change your password.
Davio Jul 28th 2010 2:36PM
In the UK, a P45 is the official document for tax you get when you leave a job/get fired.
A P45 sword is thus terrifying when it procs.