They don't (or didn't, I haven't checked in the last few months) allow special characters, either. Seriously - what? (Then again, my bank does the same thing.)
> They don't (or didn't, I haven't checked in the last few months) allow special characters, either. Seriously - what? (Then again, my bank does the same thing.)
This is not entirely correct. They do allow some types of punctuation, and have done for a very long while. I haven't tested characters like #, @, & (etc) though, but periods and the like have worked.
They also restrict it to <= 16 characters... Yeah, that's still decently secure, but there's nothing like a 50 character password that's pretty much impossible to break. I don't get why they put these restrictions on. Probably some brainless dev decided to make a SQL column 16 bytes wide.
EDIT: That doesn't even make sense, unless they're storing plain-text passwords.
There was a site I used where one password field was something like 20 chars max, the other was 50. So I could change my password but never log in with it.
That company was namecheap, if I remember rightly.
Users are put at risk because Blizzard fails to adequately impose security. Tech savvy users can just use a stronger password, but the others are put at risk by what I can only call negligence.
(based on my anecdotal evidence) Most "normal" people do not use caps letters in their passwords. If you force them to do it, they'll capitalize the first letter and that's it. Compared to this, the lower amount of password-related troubles and customer service probably results in better overall password security.
Phishing, keyloggers and various social hacks are the real problem. Blizzard has always been very active in this regard with their constant and visible reminders that "Blizzard will NEVER ask for your password", but most users disregard even that.
My fault. I didn't explain properly. I didn't mean it in the normal way - to require strict passwords. I meant in the sense that users who do add a capital in order to up their account security don't get that security added. Only users who know about this bug and go the extra mile will then benefit from the view of "So just make a better password without."
I apologize if this is worded badly. I'm not feeling up to my usual ritual of rewording my post until I'm convinced it makes perfect sense to those who don't have magical insight into my mind.
I think the point here is that if goofy capitalization is the only thing that kept your password from being trivially guessable, your password was only a little bit harder to guess. If your password isn't guessable, then it doesn't really matter if you have additional entropy, because the server smacks down brute-force attempts before they even get off the ground. In other words, it doesn't seem like capital letters make your password appreciably more secure in this context.
That's exactly the problem here. A typical user who adds capitalization to make her password more difficult to guess is basically screwed over by Blizzard who has decided that passwords don't need to be case-sensitive.
Users who opt (I'm not talking about forcing users to use capitalization here) to use capitalization for a more secure password are unaware that their efforts are in vain.
Also, it isn't only trivially more guessable. That's nonsense. If you're using a password list and you capitalize only the first letter of every password in that list, that list is still double the size of the first list.
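To make the disagreement above concrete (the "only trivially more guessable" claim versus the "double the list" reply), here is an added example, not code from the thread or from Blizzard: a constructed server that folds case before hashing beside one that preserves it, plus a count of how many distinct inputs the case-folding version accepts for a given password. The KDF, salt size and iteration count are illustrative choices, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets

# Constructed example: two ways a server might store and check a password.
# A case-insensitive check lower-cases the input before hashing, so every
# capitalization the user chose maps onto the same stored digest.

def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the real system uses
    # (argon2/scrypt/bcrypt would be the usual choice in practice).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def enroll(password: str, fold_case: bool):
    """Store a password; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    stored = password.lower() if fold_case else password
    return salt, _kdf(stored, salt)

def verify(candidate: str, salt: bytes, digest: bytes, fold_case: bool) -> bool:
    """Check a login attempt the same way it was enrolled."""
    stored = candidate.lower() if fold_case else candidate
    return hmac.compare_digest(_kdf(stored, salt), digest)

def case_variants(password: str) -> int:
    """How many distinct strings a case-insensitive check accepts for this password.

    Each character with separate upper and lower forms doubles the count;
    digits and punctuation contribute nothing."""
    letters = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** letters

def bits_lost_to_case_folding(password: str) -> int:
    """Bits of guessing work a case-insensitive check removes: with a
    case-preserving check an attacker would have to try each variant."""
    return case_variants(password).bit_length() - 1

if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    salt, digest = enroll(pw, fold_case=True)
    print("case-folded server accepts lower-case form:", verify(pw.lower(), salt, digest, True))
    salt, digest = enroll(pw, fold_case=False)
    print("case-preserving server accepts lower-case form:", verify(pw.lower(), salt, digest, False))
    print(f"{pw!r}: {case_variants(pw)} variants collapse, {bits_lost_to_case_folding(pw)} bits lost")
```

The "capitalize the first letter" wordlist argument is the special case where only one letter varies: the list doubles against a case-preserving check and stays the same size against a case-folding one.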