Important Security Update (Battle.net user information compromised) (blizzard.com)
45 points by chaud on Aug 9, 2012 | hide | past | favorite | 19 comments



Valuable target. Battle.net is the login system for Warcraft and Diablo, both games where player accounts have significant cash value. The gold and items in a serious Warcraft player's account are often worth well over $50 and are relatively easy to strip and sell on a black market. Diablo 3 has a legitimized real money auction house, only heightening the risks for Blizzard.


Is anyone familiar with the Secure Remote Password protocol, and how secure it is in comparison to hashing and salting passwords using algorithms like bcrypt and PBKDF2?


SRP is a protocol to authenticate without exchanging passwords. It has the advantage that the server only ever sees and stores a verifier based on the hashed password. However, the password is still vulnerable to brute forcing. There is an extra modulo exponentiation which may make GPU calculation harder. I think the default hash for the verifier is SHA-1. It is possible to use a slow hash, like PBKDF2, for the verifier.


It is also, unfortunately, infeasible to use in web applications without some kind of plugin, much less across many different browsers. Blizzard still needs people to be able to log into battle.net to renew their subscriptions and buy vanity mounts.

If you control the client side and it's a normal client/server-type application, absolutely, go for it. It poses much less risk to your users than any scrambling or key derivation protocol, no matter how strong. (Those do nothing to prevent getting your favorite password by snooping on ethernet traffic or memory, for example.) As you mentioned, SRP too has adjustable knobs.
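The SRP flow the two comments above describe, as an added example (not code from either commenter, from Blizzard, or from any SRP library): the server stores only a salt and verifier, the password never leaves the client, a wrong password is still rejected, and the verifier exponent is derived with PBKDF2 instead of SHA-1. The group N = 4079, g = 11 is a constructed toy chosen so the arithmetic is readable; a real deployment uses the RFC 5054 groups.

```python
import hashlib
import os

# Toy SRP-6a parameters, constructed for this example: N = 4079 = 2*2039 + 1
# is a safe prime and g = 11 generates Z_N*. A 12-bit group gives NO security;
# a real deployment uses the 2048-bit (or larger) groups from RFC 5054.
N, g = 4079, 11
assert pow(g, (N - 1) // 2, N) == N - 1  # sanity check: g is a generator

def H(*parts):
    """Hash ints/bytes to an int: SHA-256 over big-endian encodings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big"))
    return int.from_bytes(h.digest(), "big")

def private_x(username, password, salt):
    """The secret exponent x, derived with a slow KDF (PBKDF2) instead of SHA-1."""
    dk = hashlib.pbkdf2_hmac("sha256", f"{username}:{password}".encode(), salt, 100_000)
    return int.from_bytes(dk, "big")

def register(username, password):
    """Enrolment: the server receives and stores only (salt, v = g^x mod N)."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

def login(username, password, salt, v):
    """Run one SRP-6a login in-process; True iff the server accepts the proof."""
    k = H(N, g)                                   # multiplier parameter
    a = int.from_bytes(os.urandom(32), "big")     # client ephemeral secret
    A = pow(g, a, N)                              # client -> server: username, A
    while True:                                   # server: B = k*v + g^b, retry if B == 0 mod N
        b = int.from_bytes(os.urandom(32), "big")
        B = (k * v + pow(g, b, N)) % N
        if B:
            break
    u = H(A, B)                                   # scrambling parameter, computed by both sides
    # Client: knows the password, recomputes x and g^x locally; sends neither.
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, H(S_client))                     # client -> server: proof of the session key
    # Server: knows only v; reaches the same S only if the client's x matches v.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return M1 == H(A, B, H(S_server))
```

Brute-forcing the password from a stolen (salt, v) pair is still possible, which is why the cost of `private_x` matters; the protocol only removes the password from the wire and from the server's storage.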


FWIW, this is Battle.net's password policy. http://imgur.com/q2oPZ

It also appears that cut&paste is disabled for the change password fields which is REALLY annoying.


I suspect that's so you don't type it wrong, copy it, then lock yourself out. I have typoed passwords before, very annoying when you know the password and just need to figure out which permutation it is.


I loathe sites that disable pasting passwords (I'm looking at you, Apple!) as it makes entering that random 24 char string generated by Keepass an exercise in frustration.


Worth mentioning is that battle.net passwords are not case sensitive.


How does this affect users with Key Fobs?

http://us.blizzard.com/store/search.xml?q=authenticator


I'd be quite willing to bet that the attack vector was a compromised password that was reused to access their admin panel.


Grounds for this claim?


I'm guessing there's no basis, beside that approach being what we heard about most recently with Dropbox.

It would be a little ironic if a company that's been strongly advocating the use of multi-factor authentication for many years now didn't enforce it for their own superusers. If that's not the case, then it's double ironic that those superusers are able to access the password digests in the database through that panel.


I don't quite understand the 16 character password limit.


Or not letting people paste into the field.


I just ran into that idiocy when updating mine. Terrible. I generated a new password with 1Password and wanted to paste it in and had to type it in manually instead, twice, plus the old one.


This is one of the more annoying "security features" I've seen. Makes it a massive pain to use automatically generated passwords.


Most likely a VARCHAR(16) plaintext field.


Everybody here loves bcrypt, but you don't hear about how it has a max input size of 55 bytes >:)

There's no good reason the max should be so low, but you should not hurt your users by silently truncating input or exceeding the entropy limit of a fixed-size scrambling mechanism.


Or not.



