12-21-09, 03:53 AM   #1
Thrae
A Cyclonian
Join Date: Jun 2005
Posts: 42
Lightbulb How to secure your World of Warcraft / Battle.net Password

Hello everyone. You may have been wondering where I've been, if you know who I am. Well, here's a little tip I found out in my hobby of increasingly securing my digital life:

http://keepass.info/

1. Download KeePass 2.x (non-Windows versions too)
2. Create a new database. Give it a decent Master Password.
3. Create a key file. This file can be any non-changing file of at least 1024KB of size.
4. Associate the key with the new database. Require both the password and key file.
5. Create entry for World of Warcraft / Battle.net.
6. Generate a random password of maximum length and strength (16 characters, a-z, A-Z, 0-9, #!%$). Remember to collect additional entropy for your password generation using mouse movement (option at the bottom).
7. Run WoW. Wait until you're at the login screen.
8. Uncheck "Remember username".
9. Tab out and go back to KeePass.
10. Edit Auto-Type property of your new entry.
11. Select the appropriate World of Warcraft window from the drop-down menu.
12. Select Two-Channel Auto-Type Obfuscation (TCATO). Keep all other defaults.
13. Save database.
14. Name the database and key something that doesn't sound like a database and key (provides little extra security, but helps).
15. For additional security, store key and/or database on USB Flash Drives, with an encrypted backup somewhere (the database and key might already be encrypted, but you don't want them lost, and you also don't want people knowing what you're backing up).
16. Change your World of Warcraft and/or Battle.net password to the newly generated KeePass entry.
17. Tab back to World of Warcraft's login screen.
18. Press CTRL+ALT+A (KeePass 2.x's default Global Auto-Type).
19. Voila! You have now logged in using a very strong password protected by another password and a key.

WHAT THE HECK IS ALL THIS?
There are plenty of password managers out there, but KeePass 2.x is the best password manager I have found. It can also be found in a PortableApp format, meaning you can run it entirely from a USB Flash Drive.

What is a password manager? Well, maybe you're using Internet Explorer and you have it remember a password to some website (say, wowinterface.com). If you do, it saves that password encrypted. Unfortunately, this encryption method is rather insecure without additional tools. Let's say you're using Firefox. It has no saved password encryption without setting a Master Password first, which is not set by default. Some people don't know that. I suggest the addon LastPass instead for non-financial website logins.

What is encryption? Well, it's a way of making something unreadable to anything without proper decryption, further securing it. There are a lot of different ways to encrypt something and not all of them are very good. KeePass 2.x does a decent job when you use a password + key file pair.

By following the above steps, you can turn a possible guessable password into the strongest password possible given the normal password restrictions set by Blizzard while also defeating standard keyloggers and clipboard spies. The Auto-Type feature of Two-Channel Auto-Type Obfuscation (TCATO) uses the clipboard to transfer only part of the username and password, defeating standard clipboard spies as well. In theory, the only effective spy would be one designed around TCATO.

Currently this has been tested by me on Windows 7 64-bit using KeePass 2.09. You're free to reply with your results if you want to try it.

KeePass 2.x also works under Linux, Mac OS X, BSD, and other platforms with support for Mono 2.2+ (it's built on .NET 2.0).

My pfSense router has not detected any abnormalities coming from the KeePass program like it trying to phone home your stored passwords. This is a long-standing FOSS project split into Classic (old branch) and Professional (new branch).

If you want to further secure your data, I'd look at making encrypted volumes (even just file containers) using the FOSS TrueCrypt, and use hidden volumes and multiple keys spread across multiple locations. But that's only if you're seriously paranoid like me.

Of course, one may ask, what about the Authenticators? Well, this method isn't really better than the Authenticators and you won't get a cool pet. However,
a) they cost money (half of the people stop here)
b) it's annoying to manually type in the random sequence (other half stop here)
c) it's annoying to manually type in the random sequence BEFORE it changes (some people are slow typists / on laptops / etc.)
d) what happens if you lose it? (need to buy a new one and wait)
e) what happens if it gets stolen? (it's like you wrote down your password)
f) it's a single token system so it doesn't defeat standard keyloggers. They can still use the inputted PIN for as long as it's valid.

But to the Authenticators' defense, the KeePass method really is a PITA to setup, especially for those unfamiliar with password managers. Proper authentication security is just a well-known PITA.

Cheers.
__________________
Yes, I was a Tauren. Yes, it was bigger.
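The following is an added example, not part of Thrae's post and not KeePass's own code. It shows in Python what steps 2, 3 and 6 of the procedure above amount to: drawing a 16-character password uniformly from the post's character set (a-z, A-Z, 0-9, #!%$) with a CSPRNG, the entropy that buys, and a simplified model of how a master password and a key file are combined into one composite key. The composite-key layout (SHA-256 of the password, SHA-256 of the key file, then SHA-256 over the two digests) follows the documented KeePass 2.x scheme but stops before the database-specific key transformation, so treat `composite_key` as an illustrative model, not an implementation that opens a real .kdbx. All function names and the sample inputs are mine.

```python
import hashlib
import math
import secrets
import string

# Character set from step 6 of the post: a-z, A-Z, 0-9 and the symbols #!%$ (66 characters).
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "#!%$"
PASSWORD_LENGTH = 16  # the maximum length the post says Battle.net allowed


def generate_password(length=PASSWORD_LENGTH, charset=CHARSET):
    """Draw each character uniformly from charset using the OS CSPRNG.

    secrets.choice rejects out-of-range draws internally, so there is no
    modulo bias towards the first characters of the set.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def fits_charset(password, charset=CHARSET):
    """True if every character of password comes from charset."""
    return all(c in charset for c in password)


def password_entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(|charset|)."""
    return length * math.log2(charset_size)


def make_key_file(size=1024 * 1024):
    """Random key-file contents of the given size (default 1 MiB)."""
    return secrets.token_bytes(size)


def composite_key(password, key_file_bytes=None):
    """Simplified model (assumption, see lead-in) of the KeePass 2.x composite key.

    The password is hashed with SHA-256, a non-XML key file's contents are
    hashed with SHA-256, the digests are concatenated and hashed once more.
    The per-database key transformation and salt are deliberately omitted.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        material += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(material).digest()


def key_file_still_valid(stored_key, password, candidate_key_file):
    """Would this (possibly modified) key file still reproduce stored_key?

    Any change to the file, even a single bit, yields a different composite
    key and locks you out, which is why step 3 insists on a non-changing file.
    """
    return composite_key(password, candidate_key_file) == stored_key


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print("entropy: %.1f bits" % password_entropy_bits(len(pw), len(CHARSET)))

    key_file = make_key_file(4096)  # constructed sample; a real one would be larger
    stored = composite_key(pw, key_file)

    damaged = bytearray(key_file)
    damaged[0] ^= 0x01  # flip one bit to simulate the file being edited
    print("unchanged key file unlocks:", key_file_still_valid(stored, pw, key_file))
    print("one-bit-changed key file unlocks:", key_file_still_valid(stored, pw, bytes(damaged)))
```

Running the block prints a fresh password each time; the point of the last two lines is that the untouched key file reproduces the stored key while the one-bit-altered copy does not, so a key file that gets re-saved, re-encoded or otherwise "touched" is as good as lost, and the encrypted backup the post recommends in step 15 is what saves you.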