Well, I'm assuming Steam has them encrypted pretty highly, so I doubt they'll be able to get cracked - saying that, we'll find out tomorrow they have all our passwords by using a rainbow table. I've had money stolen from my account before though, so that worries me.
I just changed my password, and I never told (and will never tell) Steam to store my credit card information; I hope this is enough.
Err, yeah, they do. They will only have access to this (possibly; not sure whether he means these will be hashed and salted as well, but I doubt it): game purchases, email addresses, billing addresses. The first one - who cares. Email addresses, again, don't really matter; more spam to go with the 20 a day I already receive straight into my spam folder. The last is a bit more of a worry, but they can't exactly do a whole lot with just an address.
Hashed and salted means this: a password is hashed with something like MD5 or SHA1, or any hashing code really (yes, MD5 is way outlived). Salted means that the hash is again recoded against another random number (per password, not a generic one). That is way harder to crack, which gives any party time to just let users reset their passwords etc. before the attackers can actually gain access. If they only have the hashes which are salted, it's useless: they need the "salt" database/code to decode the hash (un-salt) and only after that can they use the rainbow table to decode it.

Just make sure you use different passwords everywhere, and you will only have to change the password in one place.... If you use one password for all places, then you will find that you need to change passwords regularly on all places.

Good ideas for passwords are to use:
- upper case letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
- lower case letters abcdefghijklmnopqrstuvwxyz
- numbers: 1234567890
- signs like: ~!@#$%^&*()_+-=`[]{};':"<>?,./\|
- mix them up as randomly as possible.

With the above charset, that is 26 + 26 + 10 + 32 = 94 possibilities per char in your password, to the power of the number of chars you have in the password; a recommended size is 8 chars or more. 94^8 = 6.095.689.385.410.816 possible passwords with 8 chars; the double of that -1 is the amount of passwords with 8 chars or less that are possible. Mix them up, and try to get the "password security" bar when changing the password as big as possible.

Now, such a number of passwords can be "brute force" attacked; that's why timeouts are built in, so that no more than x passwords can be tried within a certain time before the account locks out. Well, say that this is 5 times a wrong password to lock out the account for 3 minutes.
(I don't know Steam's timeouts for this.) 6.095.689.385.410.816 / 5 * 3 = 3.657.413.631.246.490 minutes = 60.956.893.854.108,16 hours = 2.539.870.577.254,507 days = 6.958.549.526 years. Takes a LONG time to brute force an account.... and then they still need to know the login name.... Also, if there are measures in place that detect such attempts, those will isolate them, denying access even if they hit the right one.

Now if you use Gmail, you can add another layer to your security by letting Gmail use your mobile as a key (SMS or message or something to your phone) that you need to log in to Gmail. Even if they have your password, they don't have your mobile phone for that added level of security.

So, one can be as closely guarded with their passwords as they want, and if you use secure passwords, you need only change the password about once a year. That raises the question: if passwords are so secure, why change them? Well, see it as "resetting" the chances: for the above brute force attack, they will have to restart the attack (if they are aware you changed it). Also, if you change your password, anybody that ever watched you type in your password will not have it anymore, as you changed it. I know companies install measures to change passwords monthly or weekly or whatever, but that is because on average most people use very weak passwords; by imposing measures of changing the password and limiting it to be at least not "near same" as the old password, they can limit the effectiveness of brute force attacks. Also those measures are to prevent co-workers using the same login access as yours to do things. Additional measures are passworded screensavers/locking the PC, so co-workers cannot use a PC in use by you etc.
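The keyspace and lockout arithmetic from the post above, with a salted password store beside it, as an added example that is not from the thread or from Steam: the PBKDF2 scheme, its iteration count and the three-entry "common password" table are my own constructed choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

CHARSET = 26 + 26 + 10 + 32  # upper, lower, digits, the 32 listed signs = 94


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def lockout_limited_years(space: int, attempts: int, window_minutes: float) -> float:
    """Years to try every password online when only `attempts` guesses are
    allowed per `window_minutes` (the post's 5 tries per 3 minutes)."""
    minutes = space / attempts * window_minutes
    return minutes / 60 / 24 / 365


def unsalted_digest(password: str) -> bytes:
    """Plain SHA-1 of the password: the kind of storage a precomputed table beats."""
    return hashlib.sha1(password.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256; iteration count is an assumption).
    The salt is random per user and stored next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed sample: a tiny precomputed table (digest -> password) of unsalted SHA-1.
COMMON = ["password", "123456", "steam"]
UNSALTED_TABLE: Dict[bytes, str] = {unsalted_digest(p): p for p in COMMON}


def table_lookup(digest: bytes, table: Dict[bytes, str] = UNSALTED_TABLE) -> Optional[str]:
    """One lookup recovers an unsalted password; a salted digest is never in the table."""
    return table.get(digest)


if __name__ == "__main__":
    print(f"{keyspace(CHARSET, 8):,} passwords of 8 chars")
    print(f"{lockout_limited_years(keyspace(CHARSET, 8), 5, 3):,.0f} years at 5 tries / 3 min")
    print(table_lookup(unsalted_digest("steam")))
    (s1, d1), (s2, d2) = hash_password("steam"), hash_password("steam")
    print(d1 != d2, table_lookup(d1), verify_password("steam", s1, d1))
```

Two users with the same password get different digests because their salts differ, which is what keeps a single precomputed table from covering a whole leaked database.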
My school forces me to change my login password every few months. These accounts can only be accessed on the school's closed network, and the only thing you can access with my code is some of my homework. You can't even see my timetables with it. Now that's some serious retardation right there. For things that hold serious information I can understand, but for us it's just plain annoying because you have to come up with passwords again and again, whilst I wouldn't mind anyone having access to my account anyway. They can't do anything, except for deleting some of my papers that I've got backed up at home and on my USB drive. Well, boohoo.

On topic: Nice to read that Steam has some nice protection. I'd gladly change my Steam forum password, if only I could remember it... xD That's the downside of using a shitload of passwords: you keep forgetting them. What I mostly do is different variations of the same password, like only changing the numbers I've put in, or changing the position of the capital letters.
I have a TrueCrypt file of... 20 GB, which is accessible with the program and a volume mounted. On that I keep my passwords, private stuff etc. Ofc I have backed that up on another disk in case of failure, but nobody can access it without knowing what combination of encryption I used and my password. I don't use the same one over and over again; I use unique passwords and save them with the login, so I don't need to re-enter them every time. Re-entering them every time does have some advantages (being able to remember them after punching them in a lot of times) but also disadvantages (keyloggers can see what you type, while if it is remembered, keyloggers can't snoop it off the keyboard). Have a look at this: http://www.youtube.com/watch?v=U4oB28ksiIo
Haha, nice one datastorm, but isn't he telling you that without all your encrypted password protection he could get his machine back? I once encrypted my passwords and everything, but it got tedious to use it all the time, so I don't mind. Just minor defense against mediocre hackers.... it's not like I possess the information to the Armageddon key.
Well, see it as the key to your online life.... Losing access to a load of key services you use online is quite devastating, I can tell. And it's no effort really.
Very nice big text you wrote there; explained the principle of hashing and salting better than the most likely uber-complex Wikipedia article would have done. About that Gmail thing: where can I do that? I had a quick look in my Gmail options, but I couldn't find anything related to mobile phone numbers.
I'm not sure about availability and possibilities. It may not be available for all countries etc. As I don't use Gmail really, I don't know exactly how it works. I just changed the mail provider of my main account, so they have the wrong email address if they try to get into it.