The silver lining in Thursday's news that hackers extracted significant user information from online gaming empire Blizzard was that passwords were protected by a scheme the company said makes it "extremely difficult" to extract the actual passwords. We reported that the use of cryptographic "salts" made it "extremely unlikely" that plaintext passwords could be derived from the stored values. Security researchers, including those at Sophos and Intego, agreed.

But other researchers warned that Blizzard's advisory overstates the case and may give users a false sense of security. The researchers noted that the Secure Remote Password protocol, which Blizzard used to derive the stored values from passwords (SRP stores a "verifier," a modular exponentiation of a salted, hashed password, rather than a plain hash), is a design published in 1998 whose focus is protecting passwords as they traverse the Internet, rather than when they're "at rest," that is, stored in a database on a website server. One blogger who took the time to read the official SRP whitepaper written by the protocol author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime.

"Blizzard is incorrect in claiming that SRP 'is designed to make it extremely difficult to extract the actual password' after the verifier database is stolen," Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled "SRP Won’t Protect Blizzard’s Stolen Passwords," which was published on Friday. "That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe."

In a statement issued to Ars, Blizzard representatives wrote, "The specific implementation that is referenced in that blog is not what we use. We are aware of the whitepaper on SRP that was published in 1998, and the information therein was taken into account when we implemented our technology. For security reasons, we can’t go into greater detail."

Indeed, a Battle.net 2.0 emulator suggests that at least some of Blizzard's hashed passwords were generated with an SRP implementation that uses a 1024-bit modulus, rather than the 256-bit modulus described in the whitepaper. The larger modulus makes each verifier computation, and therefore each cracking guess, about 64 times more expensive than with the lower-bit setting. No doubt, these measures far exceed those protecting the password lists dumped for LinkedIn and eHarmony in June or even for private intelligence firm Strategic Forecasting Inc. last year. That said, without the "greater detail" Blizzard is declining to offer, its assurance about the difficulty of cracking the compromised hashes is meaningless. Here's why.

Yes, the default SRP scheme described in the white paper uses cryptographic salt. Salting works by adding a unique, random string of characters to a user's password before it is passed through a cryptographic hash function such as SHA1, so that even if two users happen to have the same password, they still will have unique stored values. When cracking salted hashes, password cracking programs like Hashcat and John the Ripper must hash each plaintext candidate once per salt, rather than hashing it once and comparing the result against every stored hash at the same time. This means a cracker attacking every account in a database containing 1 million unique salts incurs a slowdown by a factor of roughly 1 million compared with an unsalted list of the same size. That kind of performance penalty can buy a breached website time before a large percentage of the hashes are cracked, particularly in cases where there are millions of unique salts.

A 1 million- or even 10 million-fold increase sounds like a lot, but it often isn't, particularly in the rarefied world of password cracking. A PC running a single AMD Radeon HD 7970 GPU can try on average an astounding 1 billion password guesses per second against large SHA1 hash lists. With 1 million unique salts, an attacker with an HD 7970 can still burn through a 1 million-word wordlist in just over 16 minutes: 10^12 hashes at 10^9 per second is 1,000 seconds. That figure is for plain SHA1; checking a guess against an SRP verifier also requires a modular exponentiation, which costs more per guess. Even so, hackers with additional resources would have little trouble cracking a significant percentage of Blizzard passwords in a week or two. Using Amazon's EC2 cloud-based service, for example, a cracker armed with a 100,000-word dictionary could take a swipe at 400,000 of the 1024-bit modulus Blizzard passwords per day for just $350.

To be sure, a 100,000-word dictionary won't crack every password, but it will crack a significant percentage of them. That's particularly true because Blizzard passwords are case insensitive, a decision that probably reduces calls to the company's support team but also shrinks, by a large margin, the number of variants a cracker needs to load into an attack dictionary. Further, any passwords that were hashed using the weaker, 256-bit modulus would be about 64 times faster to crack.

Also missing from Blizzard's advisory is this: salting does nothing to increase the time it takes to crack any single hash, so if the attackers want to target one of Blizzard's many celebrity users—former World of Warcraft pitchman Mr. T, for instance—the measure has no effect at all. And since the leaked data includes user e-mail addresses in plaintext, it's not inconceivable that crackers are doing just that.
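To make the arithmetic above concrete, here is an added example, not code from this article, from Blizzard, or from the blogger it quotes, of what a stolen SRP verifier database looks like and how an attacker runs a wordlist against it. It builds verifiers the way RFC 2945 specifies (x = SHA1(salt | SHA1(username:password)), v = g^x mod N) over the 1024-bit group from RFC 5054, counts one modular exponentiation per (account, candidate) pair to show why per-account salts multiply the cost of attacking everyone but do nothing against an attack on a single target, and lowercases candidates to model the case-insensitive passwords described above. The group constant, the sample accounts, and the wordlist are assumptions constructed for the demo; `check_group()` verifies the constant was transcribed correctly before anything trusts it.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit SRP group from RFC 5054, Appendix A (g = 2).
# An assumption about what a "1024-bit modulus" deployment looks like, not
# Blizzard's actual parameters. check_group() verifies the transcription.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough for a parameter sanity check."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group() -> bool:
    """N must be a safe prime and g must generate the whole group (g^q == -1 mod N)."""
    q = (N - 1) // 2
    return is_probable_prime(N) and is_probable_prime(q) and pow(g, q, N) == N - 1


def srp_x(salt: bytes, username: str, password: str) -> int:
    """RFC 2945 private key: x = SHA1(salt | SHA1(username ":" password)).
    One fast hash is all that separates a candidate password from the modexp."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """What the server stores: v = g^x mod N. Stealing v does not reveal x,
    but anyone holding (salt, v) can test password guesses offline."""
    return pow(g, srp_x(salt, username, password), N)


def make_verifier_db(accounts):
    """Build {username: (salt, v)} from (username, password) pairs. Passwords are
    lowercased to model Battle.net's case-insensitive passwords (an assumption
    taken from the article, not from Blizzard's code)."""
    db = {}
    for user, pw in accounts:
        salt = secrets.token_bytes(16)
        db[user] = (salt, srp_verifier(salt, user, pw.lower()))
    return db


def crack_all(db, wordlist):
    """Offline dictionary attack on the whole database. Every account has its own
    salt, so each (account, candidate) pair costs one modexp: the salt multiplies
    the work by the number of accounts attacked. Returns (cracked, modexp count)."""
    cracked, work = {}, 0
    for user, (salt, v) in db.items():
        for cand in wordlist:
            work += 1
            if srp_verifier(salt, user, cand.lower()) == v:
                cracked[user] = cand
                break
    return cracked, work


def crack_one(db, user, wordlist):
    """Targeted attack on a single account: the salt buys nothing here. The cost
    is the dictionary size however many other salts sit in the database."""
    salt, v = db[user]
    for work, cand in enumerate(wordlist, 1):
        if srp_verifier(salt, user, cand.lower()) == v:
            return cand, work
    return None, len(wordlist)


def attack_seconds(accounts: int, words: int, guesses_per_second: float) -> float:
    """Worst-case time to run a wordlist against every salted account."""
    return accounts * words / guesses_per_second


# Constructed sample data: a short wordlist and three accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "password123",
            "dragon", "warcraft"] + [f"filler{i:03d}" for i in range(100)]
ACCOUNTS = [("alice", "Hunter2"), ("bob", "Password123"), ("carol", "CorrectHorse")]

if __name__ == "__main__":
    assert check_group(), "group constant failed its sanity check"
    db = make_verifier_db(ACCOUNTS)
    print("everyone:", crack_all(db, WORDLIST))          # 2 of 3 cracked, 119 modexps
    print("bob alone:", crack_one(db, "bob", WORDLIST))  # found after 6 modexps
    # The article's figure for raw SHA1: 1M words x 1M salts at 1e9/s = 1000 s.
    # Each SRP check adds a 1024-bit modexp, so real throughput is much lower.
    print("raw SHA1 estimate:", attack_seconds(10**6, 10**6, 1e9), "s")
```

Run it and compare the two attacks: the whole-database attack pays for every account's salt, while the single-target attack costs exactly the dictionary size, which is why a celebrity account gains nothing from the million other salts around it.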

To be fair, SRP verifiers are a lesser-known format that neither Hashcat nor John the Ripper supports. But that may be about to change. Less than 24 hours after word of the Blizzard compromise, John the Ripper lead developer Alexander Peslyak, aka Solar Designer, was already entertaining thoughts of augmenting the program with the ability to crack "verifier databases," the Secure Remote Password term for the table of stored, password-derived values that takes the place of a hash table. "Here's our opportunity to start supporting SRP verifiers," he wrote on Friday. It wouldn't be surprising to see SRP support added to Hashcat, either.

Far more important than Blizzard's verifiers being salted is a crucial detail the company won't discuss: the specific cryptographic function used to derive the secret that goes into them. Algorithms such as SHA1, which is what the SRP whitepaper calls for, were designed to convert plaintext into hashes very quickly and with a minimal amount of computing power. That's precisely what someone out to crack millions of hashes wants most. Far better choices are bcrypt, scrypt, and PBKDF2. Unlike SRP, these functions were specifically designed to protect passwords while they're at rest. They use a variety of methods to increase the time it takes a computer to produce the final result. Bcrypt, for example, runs the expensive key-setup phase of the Blowfish block cipher over and over, alternately keying it with the password and the salt, for a number of rounds the site operator chooses. By making the derivation arbitrarily slow, it helps deter cracking attacks against large numbers of hashes. Nothing in SRP forbids this: the protocol only needs a secret exponent derived from the salt and the password, and an implementation can compute that exponent with one of these slow functions instead of a single SHA1 pass. Whether Blizzard did so is exactly the detail it won't disclose. If a site like Twitter can use bcrypt, Blizzard, LinkedIn, and others surely can do the same.
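To show where a slow function fits, here is an added example (not Blizzard's code and not from the SRP paper) of a complete SRP-6a login, client and server side in one function, with the secret-exponent derivation passed in as a parameter: once as the RFC 2945 single-SHA1 derivation and once as PBKDF2-HMAC-SHA256 from Python's standard library. Both sides arrive at the same session secret either way, and only the salt and the public values A and B cross the wire, which is the in-transit protection SRP was built for; what changes is the cost of each guess for an attacker who holds the verifier. The 127-bit modulus is a toy chosen so the example runs instantly, not a group to deploy, and the iteration count is an arbitrary placeholder.

```python
import hashlib
import secrets

# Toy group so the exchange runs instantly. 2**127 - 1 is prime but is NOT a
# safe prime and this is not a group you would deploy; it only illustrates the
# algebra. Real implementations use a large safe prime such as RFC 5054's.
N = 2**127 - 1
g = 3
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


def x_sha1(salt: bytes, username: str, password: str) -> int:
    """RFC 2945 derivation: a single fast hash, equally cheap for the attacker."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def x_pbkdf2(salt: bytes, username: str, password: str, iterations: int = 100_000) -> int:
    """Drop-in replacement: the same role for x, but derived with PBKDF2-HMAC-SHA256.
    Every candidate tested against a stolen verifier now costs `iterations` HMACs.
    The iteration count is a placeholder; tune it to the hardware you run on."""
    pw = f"{username}:{password}".encode()
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", pw, salt, iterations), "big")


def register(username: str, password: str, derive_x):
    """Server stores (salt, v = g^x mod N); the password itself never reaches it."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, derive_x(salt, username, password), N)


def srp6a_exchange(username: str, password: str, salt: bytes, v: int, derive_x):
    """One SRP-6a login with both sides in one function. Returns (client S, server S);
    they agree only if the client knows the password the verifier was made from.
    Key confirmation (M1/M2) and the final K = H(S) are omitted for brevity."""
    k = H(pad(N), pad(g))                        # SRP-6a multiplier
    # --- client -> server: username, A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # --- server: rejects degenerate A, looks up (salt, v), replies with salt and B
    if A % N == 0:
        raise ValueError("server rejects A == 0 mod N")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:
        raise ValueError("client rejects B == 0 mod N")
    u = H(pad(A), pad(B))                        # both sides compute the same u
    if u == 0:
        raise ValueError("u == 0 would remove the password from the key; abort")
    # --- server: S = (A * v^u)^b = g^(b(a + ux))
    S_server = pow(A * pow(v, u, N), b, N)
    # --- client: recomputes x from its own password and the received salt,
    #     then S = (B - k*g^x)^(a + ux) = (g^b)^(a + ux)
    x = derive_x(salt, username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return S_client, S_server


def login_succeeds(username: str, password: str, salt: bytes, v: int, derive_x) -> bool:
    client_s, server_s = srp6a_exchange(username, password, salt, v, derive_x)
    return client_s == server_s


if __name__ == "__main__":
    salt, v = register("alice", "hunter2", x_pbkdf2)       # slow KDF at registration
    print("right password:", login_succeeds("alice", "hunter2", salt, v, x_pbkdf2))
    print("wrong password:", login_succeeds("alice", "hunter3", salt, v, x_pbkdf2))
```

The only thing that changed between the fast and slow variants is `derive_x`; the wire format, the verifier's shape, and the server's arithmetic are identical, so an operator can pay the per-guess cost up front without touching the protocol.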

The problem with assurances like the one in Thursday's Blizzard advisory is that they provide comfort to some portion of users who were already looking for a reason not to bother changing their passwords. As the above analysis suggests, every hour or day that an affected user doesn't change his password increases the chances it will be cracked by the intruders.

It's great that Blizzard's hashing scheme uses salt. And if, as suspected, Blizzard's SRP implementation uses a slower 1024-bit modulus, we should applaud that, too. But given what we know about the default version of SRP and the tweaks Blizzard appears to have made to its implementation, there's no support for the statement that it's "extremely difficult" to crack those hashed passwords. To the contrary, users should operate out of an abundance of caution and assume that a large percentage of them have already been extracted.

Mr. Morhaime, we await your clarification.