Electronic Arts Hates Strong Passwords

On the midnight of June 25 LulzSec released yet another truckload of user/password combinations, including from the Electronic Arts game Battlefield Heroes. I used to play Battlefield Heroes as I am a huge Battlefield fan since the dawn of the series. Interested to see whether I am present in the hacked database, I immediately downloaded the CSV file and searched for my account name. Sure enough, there I was along with a familiar looking hash. I quickly threw the hash into a MD5 hash-to-source dictionary service. Boom! Unsalted MD5 and my password was staring me into my face. It was an old password of mine, one of the first I had chosen after upgrading from short all lower case passwords. This meant that I didn’t need to panic, as I have different passwords in most places. Still, it was my password for Battlefield Heroes and more crucially it was also the username/password combination for my EA account, which controlled a bunch of other games like Battlefield: Bad Company 2. I quickly set myself a goal to change the EA account password so I launched Origin. Origin is EA’s quarter-assed wannabe clone of Steam. I carefully looked around, into every corner and sub-dialog I could find. There was no password changing option. Amazed at how bad Origin is I went straight to EA.com as surely there must be a way to change my password there. Nope, even less account configuration than Origin provided. I then proceeded to log out from EA.com and claim I had lost my password. This worked fairly well until I tried to actually set a new password. What the fuck? Flabbergasted, I decided to log back in with my old password and dig around the help section to find some documentation on what sort of passwords they allow, as the error is very opaque. While looking around in the help section I stumbled upon a My Account link. Yes, I had finally found the web based account management section, nicely hidden away from users. I tried to change the password again, this time from the account management page.

16 characters maximum for new password.

At least this error tells me the exact length limit, but 16 characters? A maximum of sixteen characters? This must be a joke. OK, I tried with a shorter password then. Invalid characters? It was getting ridiculous. I decided to do some research with some of the symbols that I could easily access on my keyboard. Here are the results: Allowed: ! # % & ( ) = ` ‘ + ; : – _ < > [ ] { } $ @ * Not allowed: ” ¤ / ? ´ ˇ ~ , . | \ £ € § ü õ ö ä ž š What about the minimum limits? I tried changing my password to asd. No luck, 4 characters minimum! What about cool? Success! In summary, EA doesn’t want people using strong passwords like y756V3~J|d242~s89k75;37x-544df. It also doesn’t want people using cute but decent passwords like ´[~.~]`. It is completely acceptable however to use passwords like cool, pass, love. Also the passwords will be stored using unsalted MD5 in easily hackable servers. Amazing.

Leave a Reply

Your email address will not be published. Required fields are marked *