
Gabe Newell: Intruders Accessed Steam Database

Discussion in 'Lethal Chat' started by Jer9, Nov 10, 2011.

  1. Jer9

    Jer9 Registered

  2. 300_Angry_Kittens

    300_Angry_Kittens Registered

    Ohhhh shiiit

    Least the passwords were not stored in plain text...
  3. Alias

    Alias Registered

    Well, I'm assuming Steam has them encrypted pretty highly, so I doubt they'll be able to get cracked. Saying that, we'll find out tomorrow they have all our passwords by using a rainbow table.

    I've had money stolen from my account before though, so that worries me.
  4. Anonymous

    Anonymous Guest

    I just changed my password, and I never told (and will never tell) Steam to store my credit card information. I hope this is enough.
  5. 300_Angry_Kittens

    300_Angry_Kittens Registered

    Changed my password and de-authorized access on all other computers using Steam Guard.
  6. Anonymous

    Anonymous Guest

    I just hope Valve isn't like Sony and has everything well encrypted.
  7. 300_Angry_Kittens

    300_Angry_Kittens Registered

    Err, yeah, they do.

    Will only have access to this (possibly; not sure whether he means these will be hashed and salted as well, but I doubt it): game purchases, email addresses, billing addresses.

    The first one: who cares. Email addresses, again, don't really matter; more spam to go with the 20 a day I already receive straight into my spam folder. The last is a bit more of a worry, but they can't exactly do a whole lot with just an address.
  8. Anonymous

    Anonymous Guest

    Well, I already receive like 5 WoW spam e-mails a day; no big problem.
  9. Anonymous

    Anonymous Guest

    Good guy Gabe, giving us an update on the situation as usual.
  10. Anonymous

    Anonymous Guest

    Serious stuff.

    The "hashed and salted" part is nice, though.

    Changing my Steam pw...
  11. DataStorm

    DataStorm Registered

    Hashed and salted means this:

    A password used is hashed with something like MD5, or SHA1, or any hashing code really (yes, MD5 is way outlived). Salted means that the hash is again recoded against another random number (per password, not a generic one). That is way harder to crack, and this gives time to any party to just let users reset their password etc. before they can actually gain access.

    If they only have the hashes, which are salted, it's useless; they need the "salt" database/code to decode the hash (un-salt), and only after that can they use the rainbow table to decode it.

    Just make sure you use different passwords everywhere, and you will only have to change the password in one place... If you use one password for all places, then you will find that you need to change passwords regularly in all places.

    Good ideas for passwords are to use:
    - upper case letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
    - lower case letters abcdefghijklmnopqrstuvwxyz
    - numbers: 1234567890
    - signs like: ~!@#$%^&*()_+-=`[]{};':"<>?,./\|
    - mix them up as randomly as possible.

    With the above charset, that is 26 + 26 + 10 + 32 = 94 possibilities per char in your password, to the power of the number of chars you have in the password; a recommended size is 8 chars or more.

    94^8 = 6.095.689.385.410.816 possible passwords with 8 chars; double that minus 1 is the amount of passwords with 8 chars or less that are possible.
    Mix them up, and try to get the "password security" bar when changing the password as big as possible.

    Now, such a number of passwords can be "brute force" attacked; that's why timeouts are built in, so that no more than x passwords can be tried within a certain time before the account locks out. Well, say that this is 5 times a wrong password to lock out the account for 3 minutes. (I don't know Steam's timeouts for this.)
    6.095.689.385.410.816 / 5 * 3 = 3.657.413.631.246.490 minutes = 60.956.893.854.108,16 hours = 2.539.870.577.254,507 days = 6.958.549.526 years

    Takes a LONG time to brute force an account... and then they still need to know the login name...
    Also, if there are measures in place that detect such attempts, those will isolate them, denying access even if they hit the right one.

    Now, if you use Gmail, you can add another layer to your security by letting Gmail use your mobile as a key (SMS or message or something to your phone) that you need to log in to Gmail. Even if they have your password, they don't have your mobile phone for that added level of security.

    So, one can be as closely guarded with their passwords as they want, and if you use secure passwords, you only need to change the password about once a year.

    That raises the question: if passwords are so secure, why change them?
    Well, see it as "resetting" the chances: for the above brute force attack, they will have to restart the attack (if they are aware you changed it). Also, if you change your password, anybody that ever watched you type in your password will not have that anymore, as you changed it. I know companies install measures to change passwords monthly or weekly or whatever, but that is because on average most people use very weak passwords; by imposing measures of changing the password and limiting it to be at least not "near same" as the old password, they can limit the effectiveness of brute force attacks. Also, those measures are to prevent co-workers from using the same login access as yours to do things. Additional measures are passworded screensavers/locking the PC, so co-workers cannot use a PC in use by you etc.
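
    Worked example, added here and not part of the thread: it carries through the post's keyspace and lockout arithmetic (94-character charset, 5 wrong tries locking the account for 3 minutes is the post's assumed policy) and shows what "hashed and salted" looks like in code using Python's standard library; the sample password is constructed for the example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Charset from the post: 26 upper + 26 lower + 10 digits + 32 symbols = 94.
CHARSET_SIZE = 26 + 26 + 10 + 32

def keyspace(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def keyspace_up_to(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Exact count of passwords with 1..length characters (a geometric sum)."""
    return sum(charset_size ** k for k in range(1, length + 1))

def online_bruteforce_years(space: int, attempts: int = 5, lockout_minutes: int = 3) -> float:
    """Worst-case years to try every guess in `space` when `attempts` wrong
    guesses trigger a `lockout_minutes` lockout (the post's assumed 5 / 3 policy)."""
    minutes = space / attempts * lockout_minutes
    return minutes / 60 / 24 / 365

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).
    A fresh random 16-byte salt per password means two users with the same
    password get different hashes, so one precomputed table cannot cover both."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return secrets.compare_digest(candidate, digest)

if __name__ == "__main__":
    space = keyspace(8)
    print(f"94^8 = {space:,}")
    print(f"passwords of 1..8 chars = {keyspace_up_to(8):,}")
    print(f"online brute force at 5 tries / 3 min: {online_bruteforce_years(space):,.0f} years")
    salt, digest = hash_password("Tr0ub4dor&3")  # constructed sample password
    print("same password, different salt ->", hash_password("Tr0ub4dor&3")[1] != digest)
    print("verify:", verify_password("Tr0ub4dor&3", salt, digest))
```
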
  12. Killvion

    Killvion Registered

    My school forces me to change my login password every few months. These accounts can only be accessed on the school's closed network, and the only thing you can access with my code is some of my homework. You can't even see my timetables with it. Now that's some serious retardation right there. For things that hold serious information I can understand, but for us it's just plain annoying because you have to come up with passwords again and again, whilst I wouldn't mind anyone having access to my account anyway. They can't do anything, except for deleting some of my papers that I've got backed up at home and on my USB drive. Well, boohoo.

    On topic: nice to read that Steam has some nice protection. I'd gladly change my Steam forum password, if only I could remember it... xD That's the downside of using a shitload of passwords: you keep forgetting them. What I mostly do is different variations of the same password, like only changing the numbers I've put in, or changing the position of the capital letters.
  13. DataStorm

    DataStorm Registered

    I have a TrueCrypt file of... 20 GB, which is accessible with the program and a volume mounted.

    On that I keep my passwords, private stuff etc.

    Of course I have backed that up on another disk in case of failure, but nobody can access it without knowing what combination of encryption I used and my password.

    I don't use the same over and over again; I use unique passwords and save them with the login, so I don't need to re-enter them every time. Re-entering them every time does have some advantages (being able to remember them after punching them in a lot of times) but also disadvantages (keyloggers can see what you type, while if it is remembered, keyloggers can't snoop it off the keyboard).

    Have a look at this:

    [youtube]http://www.youtube.com/watch?v=U4oB28ksiIo[/youtube]
  14. nemonorm

    nemonorm Registered

    Brilliant
  15. ReX.be

    ReX.be Registered

    Haha, nice one DataStorm, but isn't he telling you that without all your encrypted password protection he could get his machine back? :D

    I once encrypted my passwords and everything, but it got tedious to use it all the time, so I don't mind. Just minor defense against mediocre hackers... it's not like I possess the information to the Armageddon key.
  16. DataStorm

    DataStorm Registered

    Well, see it as the key to your online life... Losing access to a load of key services you use online is quite devastating, I can tell. And it's no effort really.
  17. Anonymous

    Anonymous Guest

    Very nice big text you wrote there; it explained the principle of hashing and salting better than the most likely uber-complex Wikipedia article would have done.

    About that Gmail thing: where can I do that? I had a quick look in my Gmail options, but I couldn't find anything related to mobile phone numbers.
  18. DataStorm

    DataStorm Registered

    I'm not sure about availability and possibilities. It may not be available for all countries etc.

    As I don't really use Gmail, I don't know exactly how it works.

    I just changed the mail provider of my main account, so they have the wrong email address if they try to get into it.