By Jim Rossignol on November 10th, 2011 at 10:45 pm.

We’ve just had a note from Gabe Newell saying: “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.”
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
It might be a good idea to change your Steam password, clearly. Full text below.
The following is being IM’d to the Steam user base.
———————-
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.



10/11/2011 at 22:50 westyfield says:
Shit.
10/11/2011 at 23:12 Tomkan says:
Not good. Not good at all.
11/11/2011 at 01:14 Starky says:
Ninja’ing a top comment reply because I think it bears everyone knowing (cut and paste from page 2 comments)…
8 Digits IS NOT ENOUGH!
Hell 10 digits isn’t – but 8 is a joke.
Any standard “human” password (as in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [fullstop is the most common]) can be broken in 2 seconds.
Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.
Hell even fully random 8 char gibberish (full ascii) passwords can be GPU broken in hours or days rather than the years a CPU would take.
12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 digit alphanumeric passwords useless.
I’d highly recommend everyone to use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
Say something like:
I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
iW10Ba3.14sfm(50th)bd
Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.
Heck even just “iwant10applepiesformybirthday” is exponentially stronger than any 8-10 digit utterly random ASCII password.
Then use that with a password manager – hell a 256 bit AES encrypted 7-zip with a text file to cut and paste from in works in a pinch.
11/11/2011 at 01:42 FataMorganaPseudonym says:
http://xkcd.com/936/
11/11/2011 at 01:54 TWeaK says:
^^^^
Read that comic above. It makes passwords fun!!
11/11/2011 at 01:59 Starky says:
The only problem with that method is if it catches on, hackers will develop faster methods of calculating them – for now it is the easiest way of remembering complex passwords, but in 5 years' time it might be as useless as “word + 2 numbers”, but by then you could just start adding extra complexity to defeat that.
Constant arms race.
By 2020 All of us will have 100 digit word and number sequences, hell either that or personal password managing devices that use biometrics as their key.
11/11/2011 at 02:09 dsi1 says:
It’s pretty obvious that, eventually at least, biometrics is going to be how security is done.
As of now, four 4 letter+ random words is more than enough, and probably will be for a good amount of time.
11/11/2011 at 02:23 stupid_mcgee says:
All of this aside, Valve is also probably having to deal with Secret Service and FBI agents right now. First: I’m sure Valve reported to the proper authorities. Second: even if they didn’t, the proper authorities are, I’m sure, going to want to look into this.
11/11/2011 at 03:44 Kaira- says:
OK, I gotta say I don’t know US law enforcement very well, but this sounds pretty… overkill? Secret Service? Aren’t they mainly concerned with congress members’ and the president’s lives and such?
11/11/2011 at 04:00 skittles says:
Now not to say that I am an expert or anything. But the argument that 8 digits is not enough is complete crap to me. Sure your GPU may brute force guess my password in 2 seconds – but so what? It does not know that it has guessed the correct password, to actually be of any use it has to test the guesses against the server that holds the password. And there are plenty of failsafes in place at most places to stop such activity, or monitor it and shut it down.
I have had accounts broken into where I have used simple passwords – i.e. a word and a number – two or three times. I have never had anything broken into that uses a random string of even more than 5 characters. Because to break such a password takes extra time, and is more likely to be detected. Usually to warrant such extra effort they would be trying to break into a Steam database, rather than attempting to break into some random account which is potentially going to get them no reward whatsoever.
11/11/2011 at 04:39 Reefpirate says:
Secret Service protects the President and other politicians, yes… But they also have other duties. For example they handle counterfeit operations on behalf of the Treasury I think.
11/11/2011 at 04:39 Jason Moyer says:
Kaira – the Secret Service used to handle identity theft and similar cases. I think that area of law enforcement is actually part of Homeland Security now (not sure, last time I dealt with them was in 03, and it was still handled by the Secret Service).
11/11/2011 at 07:04 MadTinkerer says:
“I have never had anything broken into that uses a random string of even more then 5 characters. Because to break such a password takes extra time, and more likely to be detected.”
Indeed. If you have a character limit or otherwise can’t use the tons-of-characters method, I recommend using words that are not in any dictionary. They’re a bit tougher to remember (because you’re making up or deriving words that you better remember how to spell), so try to invent a “keychain” of unique words that only you know and use. If you want to go even more advanced, try to remember a short string of nonsense symbols to go along with it, such as @23% or m00# that might have some significance to you but don’t mean anything.
Of all my internet accounts, only one has been hacked, and that’s because it was a six character plain English word that I never changed since 1997.
11/11/2011 at 07:12 snv says:
That xkcd comic is amusing (as usually) but wrong. Dictionary attacks are a very old refinement of the brute force approach.
11/11/2011 at 07:44 LionsPhil says:
The XKCD comic allows for dictionary attacks. Note that the number of bits of entropy assigned to each word is way, way lower than the number of bits required to represent the sequence of characters which comprise the word.
11/11/2011 at 08:51 stahlwerk says:
Biometrics are a thoroughly unsafe authentication method, trumped by social engineering, intimidation, exploits of faulty scanning devices and if all else fails, sharp knives. The good thing about passwords is that they are hidden inside a vault that can not be externally decrypted without destroying it (your brain).
And the xkcd method is sound, but only if the cracker can not know if parts of the password he tries are correct. If there’s no feedback from the system about that, then it’s as safe as a randomized string of the same length.
11/11/2011 at 09:02 PoulWrist says:
The only way you can leverage a GPU against a password is when you have the database like this. Otherwise it’s not possible.
11/11/2011 at 09:48 coldvvvave says:
best xkcd comic strip
http://xkcd.com/538/
11/11/2011 at 10:14 noxxit says:
Usage of more than one language (type a word into Google Translator if you don’t know anything besides Schnitzel) and non-standard delimiters (e.g. Apple+Nashi=Schnitzel) is sufficient imo.
11/11/2011 at 10:18 Carr0t says:
R.E: Dictionary attacks and the XKCD comic: Not quite true.
How many possible characters are there on your keyboard for password use? 26 letters, both cases, 10 numbers, 35 or so other characters? So maybe 100 different usable characters, tops? So an 8 character utterly random password has 100^8 different combinations that it could be (very roughly), so about 10^16.
Now look at the XKCD example. He’s using full words, so even if you only have 4 words in your password your search space for attempting a dictionary attack is dictionary size^4. The OED has about 170’000 words. That’s a *much* bigger search space. Sure, in reality that’s a lot lower. Say that you expect people to only use words that are individually 8 characters or fewer. Most people don’t know anything like all those words in the dictionary. A quick almost completely unscientific google search finding an article on the BBC and a few others with similar figures suggests that people have a vocabulary of something like 40-50’000 words in their native tongue. So take 1/2 of that as the number of words people know with 8 characters or less (and it’s probably actually more than that). Now you’re looking at 20’000^4 as your search space to do a dictionary attack. That’s still a larger search space. You’re talking about an exponent of 10^16 for the 8 character random password and 10^17 for the 4 words. Of course this argument falls down completely if that BBC article is wrong and most people only have a vocabulary of 2000 words, or only normally combine 2 words instead of 4+, or only use words of 5 characters or less, or something ;)
I think this is very much a case of different strokes for different folks. If you would normally have a 10+ character random password that is completely random and isn’t just a word with common substitutions such as o->0 and a->4 then you’re probably better off sticking with that. If you normally have a 6 or 8 character password that’s a word with 2 or 3 common substitutions because you can’t reliably remember anything different then you’re probably better off with the 4 random words route.
11/11/2011 at 11:33 BULArmy says:
I use mainly 8 digit passwords, but sometimes I use letters that are the same in Latin and Cyrillic (I am from Bulgaria), and even if the pass is breached it will give an error, because it must use the Cyrillic letter instead of the Latin.
11/11/2011 at 12:03 Xan says:
This whole “secure password” conversation is pointless if the system allows for a “lock out” after 2-3 failed attempts and then forces a password reset or a captcha. Can’t brute force that.
11/11/2011 at 12:20 slpk says:
About that xkcd comic: The caps, symbols and numbers are there for a reason, they make your password harder to break because you’re increasing the size of your alphabet. That said, you don’t need to go crazy with it like the first example. “Correct.horse.battery.staple0”, for example, would be much better.
11/11/2011 at 13:29 Nixitur says:
No, Xan, you don’t get it. The database is compromised, meaning that the hackers now have the database at hand. There is absolutely no server involved at all. They hack the database, not the server.
Also, the xkcd password strength is calculated on having 11 entropy bits per word which means that you’re choosing from a 2^11 list of words.
Even if hackers know that you are using a 4-word combination as a password and even if they have the wordlist you used for generating that password, it’s still (2^11)^4=17592186044416.
Even if they can use 100 billion guesses per second, it still takes about 3 minutes to crack that password.
Not safe enough for you? Well, how about instead of putting spaces in between the words, you put in some random punctuation. Like, instead of “correct horse battery stable”, you’d use “correct§horse4battery%stable” which increases the searchspace significantly, even if the hackers know you’re using that method.
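The search-space arithmetic Carr0t and Nixitur are doing by hand, as an added example that is not part of the thread. It assumes every symbol or word is chosen uniformly at random (the only case where "bits of entropy" means anything); a human-composed phrase like the apple-pie one is not 29 random symbols and should not be scored as such. The guess rates are the figures commenters quote (3e9/s for a 2011 mid-range GPU, 1e11/s as a pessimistic bound) and are inputs to the calculation, not measurements.

```python
import math

# Added example, not code from the thread. Guess rates are assumptions taken
# from the commenters' figures; they are inputs, not benchmarks.


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` symbols each chosen
    uniformly at random from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2**bits."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Scenarios discussed above. 95 = printable ASCII; 2048 = the 2**11 word list
# the xkcd strip assumes; 20,000 = Carr0t's vocabulary estimate (assumption).
SCENARIOS = {
    "8 random lowercase+digits": (36, 8),
    "8 random printable ASCII": (95, 8),
    "12 random printable ASCII": (95, 12),
    "4 words from a 2048-word list": (2048, 4),
    "4 words from a 20,000-word list": (20000, 4),
}


def compare(guesses_per_second: float) -> dict:
    """Map each scenario to (bits, worst-case seconds) at the given rate."""
    result = {}
    for name, (alphabet, length) in SCENARIOS.items():
        bits = search_space_bits(alphabet, length)
        result[name] = (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    for rate in (3e9, 1e11):
        print(f"--- {rate:.0e} guesses/second ---")
        for name, (bits, secs) in compare(rate).items():
            print(f"{name:34s} {bits:6.1f} bits  {human_time(secs)}")
```

Nixitur's 2^44 at 1e11 guesses per second comes out at about 176 seconds, as he says; four words from a 20,000-word vocabulary beats eight fully random printable characters, which is Carr0t's point. Both numbers are only worth anything when the attacker has the hashes and can guess offline at those rates; against a login form with lockout the rate is a few guesses a minute and the table above does not apply.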
11/11/2011 at 21:30 Starky says:
To those saying that hackers need to get your password from the website database (well the hashed password) you are correct – you can’t brute force at the point of input (because of lockouts).
But in situations like this where someone manages to get the encrypted passwords, it might be days, weeks even months before the trespass is discovered by the server admin – and in that time any 8 digit or less alphanumeric password can be broken by a single ATI 5770 GPU in 2 seconds, so they won’t need to brute force a login, they can just type the password correctly.
9 Digits in about 2 hours, 10 in about 20 hours.
A 4 digit number is secure if they have to manually guess it at the point of input (on the website like a user, or for example as a pin number for a bank card) but no hacker would ever bother with that, they’d be locked out after a few incorrect attempts. No they hack the database get the hashed password and then brute force the hash.
Basically brute forcing the password is done locally, nothing is entered into the website they wish to access.
Say the hash is “b18450a4854617620e942d439eb8a6a0”, there is no mathematical way to calculate the password from that hash, but you CAN calculate a hash from a password.
So these programs use the GPU to hash every single possible letter, number and symbol combination, then compare the result to the original hash, and once they get “b18450a4854617620e942d439eb8a6a0” they know what the correct password is.
They can then simply enter that password like a legitimate user.
So again, 8 digit fully random symbol passwords such as:
u”`/>HI8
W0qhOhD#
;P*EP”_*
wne%GQ&t
QA`BMF:!
c*T2.h/x
y}udZ9aT
All randomly generated using every key available on a common English keyboard can be brute forced in about an hour (letters and numbers only is 2 seconds) on a mid range GPU (5770). Which can manage about 3 billion password checks per second.
Simply put, small weak passwords give them a large window of opportunity, from when they manage to get the password database and crack the password, to when/if the server admin of the website in question discovers the breach, which again might be days to weeks.
Long passwords don’t – it takes too long to de-hash them.
12/11/2011 at 00:07 Melf_Himself says:
And to temper Starky’s fear-mongering:
http://www.shamusyoung.com/twentysidedtale/?p=11523
Salted, hashed passwords take a long time to crack.
This is why current best security practice seems to be “change your password every few months”, not “every few minutes” :S
12/11/2011 at 02:55 Starky says:
That link gets some very fundamental things wrong – I’m no crypto expert, but it’s clear that neither is he.
Salting doesn’t increase the time to brute force an individual password (well not much anyway – because the hacker knows the salt) – it slows them down by requiring them to decrypt each hash 1 user at a time rather than running a single pass and comparing every entry in the database at the same time (or even decrypting them based on known hash values), because every salt is different for every user.
It’s quite easy to discover how the salt is added (at the end, at the start, some even add it every other character or other such patterns) by simply brute forcing a known password.
Simply put, less complex passwords (ones that can only be lowercase and numbers, for example, which some bad sites still use) will still be brute forced in minutes if not seconds (using new GPU software such as ighashgpu) with or without salt.
Proof: http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/
12/11/2011 at 08:29 Xan says:
@Nixitur I should have been more clear. What I meant was password strength is irrelevant if someone is trying to brute force it to get into your account. When someone already has the database with passwords it’s again irrelevant because what matters then is how the passwords were encrypted.
Starky started with telling people to use safer passwords, why? If someone has the whole database it won’t matter how safe your password is, all that matters is how the database was encrypted.
12/11/2011 at 16:05 Starky says:
Xan, That is utterly, utterly wrong.
It totally does matter. password strength is EVERYTHING (the only defence) against a brute force decrypt.
Brute forcing works by trying every possible combination of characters, hashing them, then comparing the results to the hash from the stolen database. The hacker KNOWS the encryption – it is publicly available information – anyone can easily hash any string they wish. What stops it being useless is the fact that there is no mathematical way to de-hash a value back to the original string.
You can only calculate every possible hash value then compare to the stolen hash, and when you get a match you have the password.
Starting at whatever the minimum is for the password length of the site (say 6 characters) using the same rules the site enforces (so if it is lower case and numbers only maximum of 10 characters the hacker knows brute forcing any password will be fairly easy).
Even if the hacker knows the length of the original password, a more complex password will still take longer to de-hash, simply due to the fact that there are more combinations that must be tried.
Again a 5770 can compare at the rate of 3 billion per second – so it can chew through simple passwords (even up to 9 or 10 digits) in a matter of seconds to hours. Complex ASCII passwords up that to days and weeks.
So once again it is utterly wrong that password strength does not matter if a hacker accesses a table of hashed and salted passwords.
In fact it is the utter opposite, password strength is the ONLY defence.
10/11/2011 at 22:50 Mitthrawn says:
Aaand password changed. Pity, I had just memorized my 17 digit random alphanumeric password.
(My steam account is worth more than my bank account (sadly/gladly?))
10/11/2011 at 23:01 cafe says:
gladly
10/11/2011 at 23:11 space_ghost says:
“(My steam account is worth more than my bank account (sadly/gladly?)”
Wow I just realised the same thing! Not sure if I’m sad or happy. It’s a confusing emotion.
11/11/2011 at 00:11 Quxxy says:
My Steam password is more complex than my bank password because my bank doesn’t allow for long, complex passwords.
After all, the security of my bank account is their top priority, so it only makes sense, right?
11/11/2011 at 00:17 Lowbrow says:
Relevant XKCD might save you some time memorizing:
http://xkcd.com/936/
11/11/2011 at 00:48 Stupoider says:
http://imgs.xkcd.com/comics/password_strength.png
Get it together Mitthrawn!
11/11/2011 at 01:07 NieA7 says:
I use KeyPass Portable for all my passwords, lets me use different stupidly long passwords of random gibberish for every site and so long as I remember my USB stick I can log in from any Windows machine.
11/11/2011 at 07:46 LionsPhil says:
If you’re sticking your password keychain in “any Windows machine”, it’s not the most secure thing in the world.
This is the future. Surely you people have smartphone apps that can do this for you by now. (Along with remote wiping so you can reduce the risk of a thief sitting there brute-forcing the master.)
11/11/2011 at 11:22 Mitthrawn says:
I like that XKCD comic- but doesn’t not using numbers/grammatical keys reduce the time it would take to hack it? I guess you could just put a comma on the end or something to throw the infernal machines off.
12/11/2011 at 01:01 NieA7 says:
@ LionsPhil
Well I only use it on machines that I’m prepared to log into anything on, which is to say “not most of them”. My point was more that by having it on a USB stick it gives you greater freedom than a local install. It’s also a lot more convenient to be able to copy and paste your 20 character gibberish password than type them in off a smart phone.
10/11/2011 at 22:50 Mike says:
In before “I TOLD YOU. THEY CALLED ME MAD WHEN I REFUSED TO GO DIGITAL. MAD. WELL WHO’S MAD NOW.”
Although obviously this is a shame.
10/11/2011 at 22:51 johnpeat says:
You’ve gone digital – you’re here – you’re as open as anyone :)
10/11/2011 at 22:53 Mike says:
I have nearly all my games on Steam these days, I wasn’t talking about me. :P
10/11/2011 at 23:44 DigitalSignalX says:
I was digital before it was sexy. In fact, I MADE it sexy, and I still don’t have a facebook or twitter account.
11/11/2011 at 01:45 FataMorganaPseudonym says:
In after lame “In before” comment.
11/11/2011 at 07:43 The Dark One says:
As that text is in all caps and related to video games, I’m assuming you’re quoting the Devil.
I personally blame the cephalopods.
10/11/2011 at 22:51 ResonanceCascade says:
Well shit. How long before the Half-Life 3 source code winds up on a torrent site?
I kid, Valve. I kid.
11/11/2011 at 07:16 MadTinkerer says:
They might have defaced the forums because they were mad that the game development stuff is too secure to hack.
Making Half Life 3 100% unhackable is easy for Valve: set up an internal network and cut off all internet connections to and from that network (except maybe one gateway if you really need offsite backups, but as long as those backups are properly encrypted they’ll be useless). That only leaves physical connections, and employee loyalty will prevent problems in that area.
I work for a bank, so I’m required to take security consciousness training regularly. The two biggest concerns for my department are fraud / money laundering (which doesn’t matter because I don’t interact with customers myself) and privacy violations that can only occur by employees abusing access to privileged information. Basically it boils down to: If someone is fired, don’t let them in a restricted area even if they’re lovely, friendly people, who the customer is sending a check to is nobody’s business, and never let anyone plug a USB into anything else without permission. Hacking is a non-concern because of secure intranets*. Some computers have limited internet access (which has firewalls and such), but all the customer information is kept physically separate.
*This is a technical term, not a misspelling.
11/11/2011 at 15:49 diamondmx says:
Well, if the hackers touch it up a bit, we might have Episode 3 sooner than we thought :D
10/11/2011 at 22:51 Teronfel says:
But… my steam account is different from the forum one. How can they have my password?
10/11/2011 at 22:55 Jim Rossignol says:
Read the text?
10/11/2011 at 23:03 Teronfel says:
Ah… ok, got it. Well I changed my password just in case and thank gabe for steam guard
10/11/2011 at 22:51 d34thm0nk3y says:
Thank god for Steamguard, eh? :P
10/11/2011 at 22:56 johnpeat says:
THAT
If you didn’t already have it activated, do so and you’re safe and sound (your account is – someone may be able to post to the forums as you but as they’re forcing password changes there, they can’t).
Note: The only catch is if you use the same password for other accounts (with the same email address) – or god forbid, you use the same password FOR your email address (which is mind numbingly stupid).
Thing is tho – someone defaced the Steam Forums – how could they tell? That’s like mad graffiti appearing in a madhouse surely? :)
10/11/2011 at 23:09 Network Crayon says:
Seems like this is set as standard.
I’d never heard of steam guard until now.
Also, using Paypal to pay for content must help a lot?
10/11/2011 at 23:12 Eclipse says:
they have our credit card info (even if encrypted), there’s no need for Steamguard to steal our money…
I really hope they’ll get those lamers and kick their stupid asses to jail. A jail with a lot of showers and soap bars.
10/11/2011 at 23:14 Phantoon says:
Gaben’s UNBLINKING EYE OF JUSTICE can tell the difference, always.
11/11/2011 at 00:04 VelvetFistIronGlove says:
So watch your credit card statement carefully. If you see purchases you didn’t make, contact your bank’s fraud department. They will refund the charges and issue you a new card.
If you’re really paranoid, call your bank now and ask for a new card.
Credit cards fail nicely. I’m not worried about my credit card being compromised, because I know I can get it sorted out easily.
11/11/2011 at 00:07 lurkalisk says:
Why is it that when hackers are brought up on a game related site, someone always mentions/alludes to prison rape?
11/11/2011 at 00:31 spedcor666 says:
I always assume it’s because some people get off thinking about that sort of thing. Whatever turns them on I suppose.
11/11/2011 at 00:33 manintheshack says:
@lurkalisk: No, I’m pretty sure Eclipse is just implying that they are naughty, smelly criminals.
11/11/2011 at 01:18 Zenicetus says:
@ VelvetFistIronGlove: “Credit cards fail nicely”
Well, not that nicely, depending on the situation.
I’ve had my bank catch CC fraud right away with automatic flagging of suspicious activity, before the statement was even sent for that month. Which is nice, but then they want to cancel the old card and issue a new one. I have a bunch of household stuff on CC auto-pay, like the internet connection, storage rental, and other stuff. Every time I have to enable a new card — and I’ve had to do it a few times due to fraud — it’s a major pain in the ass to track down all my auto-pay billing utility accounts, and inform them of the new CC details.
Yeah, I know… get a separate card for the high-risk stuff, like gaming accounts. But multiple CC accounts will bleed you dry with fees. If anyone wants to know why some of us prefer to use something like Steam for almost all of our game purchases instead of “supporting Indie developers” or whatever… well, that’s why. It’s a drag that Steam was hacked, but that could happen anywhere. Sticking to one main digital distribution outlet minimizes the risk.
11/11/2011 at 02:27 dragonhunter21 says:
I’ve got Steam Guard set to email to my Gmail account, which itself is set to not allow you in unless you have a random six-digit passcode that’s re-generated every ten seconds on my phone. Saved my ass when Mt.Gox got hacked, I’ll say that.
11/11/2011 at 10:04 VelvetFistIronGlove says:
@Zenicetus Yes, it’d be a huge inconvenience, but no great financial loss.
10/11/2011 at 22:52 mrwonko says:
“I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.”
Somehow this part calmed me.
10/11/2011 at 22:56 HexagonalBolts says:
Aww, Gabe! Give us a hug big fella
10/11/2011 at 23:13 siegarettes says:
This was a very classy, and sincere way to handle the compromise.
Sony could learn something from this.
11/11/2011 at 00:39 President Weasel says:
I agree. It’s a classy statement and a far, far better response than Sony’s.
11/11/2011 at 10:51 sneetch says:
Yeah, I’m truly sorry they waited 5 days to tell us it was hacked. I mean I appreciate that they needed to investigate it but “the bad men” (theoretically) have a 5 day lead now.
10/11/2011 at 22:52 applecup says:
Oh shit.
10/11/2011 at 22:53 _frog says:
If the passwords are hashed and salted as they say, there’s no way for the hackers to find the user’s actual password from that info. So really there’s no need to change passwords.
10/11/2011 at 23:09 Brumisator says:
What does salting a password mean?
All these encryption words recycling culinary terminology make me hungry.
10/11/2011 at 23:14 mrwonko says:
I think it means that instead of hashing the original password, you add something random at the end of the password, then encrypt it. So 123 gets turned into 123[randomgibberish], is then hashed. [randomgibberish] is of course saved, too, otherwise you couldn’t check the password later on.
The advantage is that you can’t just compare the hash to a list of hashes of common passwords, you have to actually add the salt – which is different for each user – to the passwords and hash the result, then compare. That’s a lot slower, thus common passwords are harder to crack.
Oh, regarding hashing: That’s a function for encrypting the password in a way that it cannot be decrypted again. For example you could save if the password’s length is odd. You wouldn’t be able to tell the original password based on that information, but of course you could easily find a different one that returns the same value when hashed, which would work as well, so the actual hashing functions are more complex.
10/11/2011 at 23:16 Chufty says:
Hurrah for someone talking sense. If passwords are hashed and salted, then no one has your password. Not even Valve. But you should be changing your passwords regularly anyway, so now’s as good a time as any, right?
Hashing is a one-way process to secure passwords (there’s literally no way of getting the original text back). Salting just ensures that your hash doesn’t match someone else’s who has the same password as you.
10/11/2011 at 23:19 iucounu says:
Salting is good. An unsalted password hash is findable on rainbow tables. It’s how Anonymous hacked HBGary a while back. Here’s an awesome article over at Ars Technica on how they did it, with much interesting stuff about salts, SQL injection, and the like. http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
10/11/2011 at 23:23 fleabait says:
Since the passwords are hashed, hackers would be unable to get the passwords so long as they are sufficiently strong. However, inevitably some users will always choose weak passwords. All it takes is for an attacker to brute-force hash many weak passwords looking for a match in the database, which indicates that a password was discovered.
Salting is when a little extra (known) data is added to the password before it is hashed, which doesn’t improve protection for an individual user, since the data is known, but it makes an attacker’s job much harder because it means they can only brute-force one account at a time instead of all at once. It also gives protection against rainbow tables (which is just a huge lookup table which matches inputs to every possible hash output), but Valve was probably using a hashing algorithm which produces large enough digests so that rainbow tables wouldn’t be practical.
10/11/2011 at 23:26 Roarster says:
Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password). What it does mean is that they’ll have to decrypt one password at a time and they won’t be able to use a rainbow table to decrypt massive amounts of passwords at once.
Basically it makes your password a lot safer but not completely safe.
10/11/2011 at 23:27 ShatteredStone says:
Salting hashes does not make your passwords invulnerable. It merely makes it take a little longer to find them, if they are “weak” enough to find (and many, if not most, are). The attacker simply won’t have the benefit of using rainbow tables or just one attempt per password.
Many, many people choose “weak” passwords either out of ignorance, comfort, or carelessness. Many use the same password on their email account or on other gaming services. Many use variations on the same “base” (Steam password = hunter2, Desura password = hunter3, email-password = hunter4).
Change your password(s). It’s the only way to be sure. And just hope that Valve implemented the CC-Crypto well enough.
11/11/2011 at 00:06 AlexMax says:
If you’re handling passwords in your web application, you should be doing all of the following things:
* Secure your systems to the best of your ability. Keep up with bugfix releases of your favorite CMS, blog, framework, web server, database, operating system, and so on so you don’t get embarrassed by some six month old exploit.
* Account for both short 8-symbol passwords with random symbols and long passphrases without said requirements. If my password is “RPS is the best blog in the world”, don’t limit me to 20 characters or force me to throw a $ in there when there’s tons of entropy in that password that is easy to remember and hard to crack.
* Use a slow hash like PBKDF2 or bcrypt. Hashes like a single pass of md5, sha1 and all of the sha2 variants are designed to be fast to compute, which is precisely the opposite of what you want.
* If you’re using PHP and want to use bcrypt, be extra careful that you’re using the correct incantation of crypt(), fucking it up has the potential to revert to some very insecure hashing defaults without giving you so much as a warning. In fact, just use the phpass library and save yourself the trouble.
* Use a per-password salt, called a nonce. People have discussed salts before in this thread, but I’ve heard a lot of grief from developers who are scared to store the salt in the same place as the hash itself, since they think that storing the one-time salt in a config file makes them safer somehow. *rolls eyes*
* If an intrusion happens, detect it early and preferably force your users to change their passwords on next successful login. Remember, it’s already game over, and you want to make sure that whatever passwords they get out of that database are useless. Of course if you took the rest of my advice it will probably take them at least a few years to get a single password, but better to be safe than sorry.
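The slow-hash and per-password-salt advice in the list above, and fleabait’s point earlier in the thread that a salt turns the whole database into one-account-at-a-time work, as a worked example. This is added code, not code from any commenter, from Valve or from phpass; it uses Python’s standard hashlib.pbkdf2_hmac, and the iteration count, salt length and record format are constructed choices for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; not Valve's, phpass's or any site's real settings.
HASH_NAME = "sha256"      # PBKDF2-HMAC-SHA256
ITERATIONS = 200_000      # slow on purpose: the cost per guess is the whole point
SALT_BYTES = 16           # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    The salt is generated fresh for every password and stored in plain view next
    to the digest. That is fine: it is not a secret. Its job is to make every
    account a separate brute-force job and to defeat precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False
        candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False   # malformed record: wrong field count or non-hex data


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a lower cost than the current setting, so the
    site can upgrade it transparently on the user's next successful login."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


def unsalted_fast_hash(password: str) -> str:
    """The scheme the thread warns against: one fast, unsalted pass of MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicates_visible(stored_values: list) -> bool:
    """Can someone holding the leaked table see which users share a password without
    guessing anything? True when any two stored values are byte-for-byte identical."""
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    # Constructed user table: two users picked the same weak password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "RPS is the best blog in the world"}

    fast = [unsalted_fast_hash(pw) for pw in users.values()]
    slow = [hash_password(pw) for pw in users.values()]
    print("unsalted MD5 reveals shared passwords:", duplicates_visible(fast))   # True
    print("salted PBKDF2 reveals shared passwords:", duplicates_visible(slow))  # False

    record = slow[0]
    print("login with right password:", verify_password("hunter2", record))
    print("login with wrong password:", verify_password("hunter3", record))
    print("record needs cost upgrade:", needs_rehash(record))
```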
11/11/2011 at 00:48 TillEulenspiegel says:
Bears repeating. A few extra CPU cycles is well worth the massive, massive increase in security should the worst happen.
Unfortunately, MD5 and SHA1 still seem to be by far the most common.
11/11/2011 at 07:50 LionsPhil says:
This seems like a good time to point out BozoCrack. Salt is important.
10/11/2011 at 22:53 johnpeat says:
It’s worth noting that this is – for now – a problem with the Steam FORUMS and not the Steam client.
If you used the same password for both – DOH! DUH! DIM! – change them both and make them different.
I don’t have a CC on Steam (I use PayPal) so that’s not a problem.
“Purchase History” – is publicly available anyway
Did I miss anything?
11/11/2011 at 02:03 dsi1 says:
Yes, yes you did, apparently SPUF and Steam/Valve’s databases are linked somehow, enough for someone to get into them and (possibly) take encrypted (thankfully) credit card info.
10/11/2011 at 22:53 pakoito says:
Even though it’s a fucking shame, at least these guys look legit. Salted, hashed and encrypted info and 3 days’ delay on informing and asking for passwords.
10/11/2011 at 22:55 applecup says:
Hey, it’s still miles better than Sony’s “yeah, let’s transmit passwords and credit card details unencrypted, and wait a week or two before we tell everyone their accounts have been compromised”.
10/11/2011 at 22:53 roBurky says:
Oh.
I’m not even sure if I have a Steam forum account.
Edit: After a few failed attempts to log in, it seems I probably don’t. Phew.
10/11/2011 at 23:50 CMaster says:
“found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”
So if you have a Steam account of any form, you need to be worried.
10/11/2011 at 22:54 caddyB says:
What a shame.
10/11/2011 at 22:56 ts061282 says:
Whatever happens, I’m sure there’s a TF2 hat in this somewhere.
10/11/2011 at 22:57 johnpeat says:
I WOZ HACKED Hats – available soon to anyone who has their account trashed by random lunatics(*)
(*) evidence that you have a PSN or XBL account (which has almost certainly been hacked or robbed) will cover this.
10/11/2011 at 23:16 Phantoon says:
Xbox Live IS robbery.
10/11/2011 at 22:57 Wulf says:
SteamGuard and the fact that the passwords were hashed and salted removes any care that I could have had about this. Sony could learn from these guys. Yeah, they were hacked, but the damage is minimal. Even if someone DID figure out your password, your Steam account is still linked to your computer.
10/11/2011 at 22:58 johnpeat says:
It’s always surprised me that they used an ‘off the shelf’ forum package (Blizzard do too) because if there’s a security hole to be found, it will be in one of those fuckers…
10/11/2011 at 23:04 Magnetude says:
Reassured that I had to go to my emails to get a code to put in when I went to the website to try and change my password, discovered you can’t do it through the site, loaded up my Steam client and was prompted for another emailed code before it’d consider a change password request. They seem to understand what security’s about.
10/11/2011 at 23:04 Saiko Kila says:
I don’t think SteamGuard works for forums. The forum is offline now, but you can still log into it. It doesn’t ask me for a code on a new machine (or old, actually changing the motherboard is enough for it) when accessing forums. It asks only when accessing the Steam account. Which uses a separate password.
11/11/2011 at 00:32 Wulf says:
Who cares about the forums, really? Do you? Do I?
Oh no, someone is running around parading as me and pretending to be me. Unless they’re incredibly fucking talented, they’d have a hard time emulating me. I’ve seen people try, it’s just not doable because there’s a fairly unique signature to the way I write. A bunch of people tried it once and we were swapping names, I was the obvious one every time.
So I’m not bothered by that. If someone did steal my online identity (oh no!) then the people who know me will have figured that out within a matter of sentences. I don’t know why, mind you, but this has always been a thing. So I’m really not bothered by that.
What am I bothered by?
I’m bothered by the thought of losing my Steam games or my credit card details. If this was Sony, I’d be pissed, because Sony have proven time, and time, and time again that they haven’t the first clue what this “security” thing is, or how to put it to good use. But Valve? Just look at the example above. It’s Valve. Valve understand security, we’re not going to get fucked over by them.
People wonder why I swear by Steam. See? This is why. Valve was hacked, but the damage was minimal. You won’t need to panic, you won’t need to cancel your credit/debit card, you won’t need to worry about all your games being stolen from you. Because Valve gets security.
Heavily encrypted databases get discovered all the time, it’s fairly common, you don’t hear about it, but it does happen. Keeping them out of the hands of other people isn’t important because you may have some jerk working for you that may just leak them anyway. You have to assume worst case scenario, you have to encrypt them, heavily. To the point where it would be damn near impossible to crack them.
You can bet Valve did.
And yeah, I’m not surprised that the hackers got in through a probably horridly coded third party forum solution. Valve should have written up their own, really. At the very least, they’ll probably go over this with a fine tooth comb, now.
But yeah, I’ll still stand by Valve, because they understand security, they understand worst case scenarios. If this had been GoG, or Gamer’s Gate… would they be quite so prepared? I’m not sure if my answer would be yes. :P I’ve never revealed all of my reasons for standing with Steam as I do, but ridiculous security is one of them. SteamGuard wasn’t the beginning of it, it was just a really nice step up and evolution from what they already had.
11/11/2011 at 01:42 Muzman says:
This post is far too short for a Wulf second post.
Impostor!
11/11/2011 at 01:46 mod the world says:
A reference to GW2 superiority is also missing. Someone probably hacked his account.
10/11/2011 at 22:57 Fumarole says:
I changed my password several days ago when I learned this happened.
10/11/2011 at 23:18 Meusli says:
When did you find out about it? Seems a bit late for Steam to be telling us now.
10/11/2011 at 23:37 Fumarole says:
It was mentioned in one of RPS’ threads or article comments. I forget where exactly.
10/11/2011 at 23:50 Andy_Panthro says:
I first heard about it on Twitter on Monday I think, someone had noticed that the forums were odd.
11/11/2011 at 09:58 bill says:
I asked why RPS hadn’t mentioned it yet in one of the comment threads yesterday, and there was a (surprisingly mostly ignored) post in the forums before that.
But the general gist was up on Joystiq, Kotaku, etc… 3-4 days ago.
10/11/2011 at 22:57 Velvetmeds says:
“If you have used your Steam forum password on other accounts you should change those passwords as well.”
Well damn. There’s one problem. I don’t remember what my password for the forums was >_>
Steam forums are still down right?
10/11/2011 at 22:59 johnpeat says:
LastPass.com – never use the same password twice again – never have to remember one either…
10/11/2011 at 23:13 Brumisator says:
So instead of having separate passwords to protect all your accounts separately, you have one big password which would give hackers complete access to everything…yeah, I’ll pass.
10/11/2011 at 23:14 Velvetmeds says:
Well mighty thanks man
Looks like I’ve got something to entertain myself with until Skyrim is unlocked in 45 minutes
10/11/2011 at 23:21 Magnetude says:
What Brumisator said… Surely LastPass only works until someone steals your laptop?
Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about forty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.
Which itself only works until a particularly clever person finds two of my passwords to compare (or one in a nightmare scenario) and cracks all my passwords simultaneously. Ho-hum.
10/11/2011 at 23:24 Velvetmeds says:
What laptop? And you don’t save the “master” password, only you know it.
10/11/2011 at 23:33 Magnetude says:
Well played. I’ll take my leave now, but I ask only that you consider this recommendation from the LastPass homepage:
“It’s so easy – FOX News”
10/11/2011 at 23:35 Velvetmeds says:
Oh damn. That “so easy” might even be a reference to hacking lastpass!!!!!
11/11/2011 at 00:29 Starky says:
Keepass is a much better solution imo.
Stores passwords locally under a master password fully encrypted, is open source – so you can be fairly sure there’s no dodgy code in there spying or broadcasting data, and no malicious security holes or improper encryption implementation (if there was it would be quickly flagged).
Obviously the only real flaw in the system is the master password – as it is stored (encrypted) where keepass is (locally or like me, on a USB stick)
But then in order to break your passwords not only would a hacker need to have accessed your actual computer files, but then break (what should be) a complex password.
11/11/2011 at 00:35 Wulf says:
There is a lesson for everyone, here.
Use throwaway passwords for forums. That is all. Yes, including for RPS. If it’s nothing to do with money or valuable data, you should just use throwaway passwords for it, because it’s eventually going to be hacked anyway, and then people are going to use that to figure out how you go about passwording things, then they’re going to use that information to steal from you. If they can.
Seriously…
This site;
Every site like it;
Gaming sites;
Forums;
Comic sites;
Every unimportant site…
USE A THROWAWAY PASSWORD.
Being paranoid helps. 8D
11/11/2011 at 00:57 Starky says:
Oh and !!!WARNING!!!
8 Digits IS NOT ENOUGH!
Hell 10 digits isn’t – but 8 is a joke.
Any standard “human” password (As in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [full stop is the most common]) can be broken in 2 seconds.
Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.
Hell, even fully random 8 char gibberish passwords can be GPU broken in hours or days rather than the years a CPU would take.
12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 alphanumeric passwords useless.
I’d highly recommend everyone to use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
Say something like:
I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
iW10Ba3.14sfm(50th)bd
Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.
Then use that with a password manager – hell a 256 bit AES encrypted 7-zip with a text file in works in a pinch.
Edit:
Like Wulf though I also use a standard “who gives a fuck if they hack it” password (9 digit) for sites that never contain any personal data that can’t easily be found by a quick google of my real name.
Anything with any sensitive data, however (email, shopping, banking, paypal, steam, business contacts, names/addresses etc, etc…), has a complex long (20-40 character, depending on the limit of the site in question) randomly generated password hidden behind a complex master password, stored on a USB drive on my keyring.
11/11/2011 at 01:56 stupid_mcgee says:
Gotta agree with Starky on KeePass. Great little program. Recommended to me by an admin on MajorGeeks, and I trust that site pretty highly.
11/11/2011 at 07:30 Maktaka says:
“Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about forty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.” So very much this. It’s strong, it’s easy, and you’ll never have repeat passwords for anything. Take the name of what you’re logging into, alter it in some way, and salt it with an extra phrase that you use everywhere. For example, if you’re logging into RPS:
Rock Paper Shotgun
shotgun
nugtohs
nugtohsB1rd (because you’re a hipster, so you put a bird on it)
Quick, easy, and you’ll always know your password for everything. Gmail would be “liamgB1rd”, Steam would be “maetsB1rd”, and so on.
10/11/2011 at 22:58 Post-Internet Syndrome says:
Turning on that steam guard feature now. And guess I’ll have to change the password too.
10/11/2011 at 22:58 Demiath says:
Don’t destroy my hope for a digital-only future, you Anonymous Internet Hacker Scum. The next stage in human evolution will be tweeted, damn it…
10/11/2011 at 22:59 Xocrates says:
Here’s to hoping Steam Guard works then.
10/11/2011 at 22:59 johnpeat says:
Dear Gabe,
Thanks for your concern and quick actions – I’ve changed my password, now any chance of Skyrim for £10 off? :)
10/11/2011 at 23:09 mmiasmostati says:
Surely Half-Life 2 would be more appropriate?
11/11/2011 at 04:46 Thermal Ions says:
Surely you can’t want us to believe there’s someone with a Steam account that still doesn’t have HL2?
10/11/2011 at 23:00 CommanderZx2 says:
Attention grabbing headline “Steam Hacked?”…
When in truth it was just the forums and so people should stop worrying.
10/11/2011 at 23:02 Post-Internet Syndrome says:
Did you read it at all? Gabe said himself that they got access to a database separate from the forums, containing all sorts of goodies.
10/11/2011 at 23:02 DickSocrates says:
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
So yeah.
When I try to change my password, it says to me ‘Steam cannot currently process your request’
Does this mean it’s down or that I’m entering the wrong existing password? I can’t offhand remember what it is, but have a combination of things it might be, so I’m not sure what the problem in this case is.
EDIT: It gives that error message when you enter the wrong password, I finally figured out what my actual password is and it worked. I have a password system with variables and the last time I had to log into Steam was a year ago!
10/11/2011 at 23:03 Durkonkell says:
SERIOUSLY READ THE DAMN TEXT.
“We learned that intruders obtained access to a Steam database in addition to the forums”
SERIOUSLY.
10/11/2011 at 23:03 PleasingFungus says:
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
Read the post again.
EDIT: in the time it took me to post this, three other people posted the same thing.
Go team RPS commenters, I guess!
10/11/2011 at 23:08 LTK says:
Maybe you should try reading beyond the headline.
Wow, that was some quick correcting. Five replies before I even saw one.
10/11/2011 at 23:13 CommanderZx2 says:
Try reading it again yourself:
user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.
So they got user names, names of games you purchased, maybe email addresses and billing address. The rest is encrypted and unreadable to them. Big deal I am sure we can get your email addresses off facebook or some other sites, also mailing addresses are available all over the place such as election registry.
I am sure our own government sells most of this personal information to third parties for money already anyway.
10/11/2011 at 23:31 Durkonkell says:
How serious the threat is is irrelevant to this discussion. You were complaining about RPS using “Steam Hacked?” (which has now changed) as their headline saying that it was “just the forums” when in the first line it says “the intrusion goes beyond the Steam forums”.
You didn’t read the article!
10/11/2011 at 23:00 kud13 says:
ger. I made a Steam forums account last week, to inquire why my Cossacks Art of War wasn’t launching properly.
shoulda waited a few weeks.
10/11/2011 at 23:01 Nathan says:
I hope someone from Valve will read this, but it’d be reassuring to know in what way our passwords were hashed and salted.
10/11/2011 at 23:51 Saldek says:
In what way were they hashed and salted? Well, I’d assume they were cut into small pieces and recooked (probably with potatoes) and salted to taste. There’s really not much to it. I’d rather find out how they poach their eggs.
11/11/2011 at 00:12 VelvetFistIronGlove says:
Saldek wins RPS today.
11/11/2011 at 00:45 Loopy says:
Haha, brilliant Saldek. :D
11/11/2011 at 00:52 TillEulenspiegel says:
Assume it’s not bcrypt and act accordingly*. Because it probably isn’t.
* If you used a reasonable password (not based on a dictionary word, 8+ characters alphanumeric) you should be changing any other accounts which used the same password within the next couple weeks.
If it’s a crappy password that you also used on other important stuff, panic and change everything now now now.
10/11/2011 at 23:02 asshibbitty says:
When Sony got haxxord I was like “aint gonna happen to Valve or MS cuz they know their shit and aren’t a completely dysfunctional outfit to boot” :/
10/11/2011 at 23:04 ResonanceCascade says:
It’s not getting hacked that’s the problem — almost ANYONE can be hacked, regardless of security efforts — it’s having the important information locked down correctly that matters. And it appears that Valve did everything right in that regard.
10/11/2011 at 23:10 asshibbitty says:
The right thing to do would be to automail every user telling them to change the password. Not to slip a note to a blog what is this, put that pie down JESUS
10/11/2011 at 23:17 Delusibeta says:
They did. http://i.imgur.com/3Qjir.png
The problem is that you need to turn ads on.
10/11/2011 at 23:23 ResonanceCascade says:
You can turn off ads?
My incompetence saves me yet again!
10/11/2011 at 23:30 asshibbitty says:
That’s the thing that pops up when you quit a game, right? Yeah that’s not how you do it. At least most people won’t disable it since it’s worded like “want to disable update notifications, DLC notifications and uh want some pie? also ads”.
10/11/2011 at 23:36 ShatteredStone says:
Any (yes, ANY) bigger website can be “hacked”. The question is how you deal with such attacks and whether you even notice them if they succeed. Valve are not gods, their systems are fallible. They did it right though; passwords hashed/salted, cc info encrypted, SteamGuard, user notification in spite of having no evidence of actual account break-ins due to this, etc.
Sucks that it happened. May happen again. But at least they don’t screw up so very royally as certain other “vendors” do.
10/11/2011 at 23:50 asshibbitty says:
BRB hacking Google.
10/11/2011 at 23:51 asshibbitty says:
I did it!
http://www.google.com/webhp?hl=xx-hacker
10/11/2011 at 23:02 Leelad says:
Comes from a Chinese URL shortener… I would avoid!
10/11/2011 at 23:03 Tachanka says:
Well, they aren’t letting me change my password at the moment
10/11/2011 at 23:11 DickSocrates says:
You sure you’re putting in the correct existing password? The message it gives for an incorrect password when trying to change it makes it sound like the service is down, but it isn’t.
10/11/2011 at 23:05 Aemony says:
Steam Guard should be sufficient protection for my Steam account, so the only precaution I’m taking is changing my e-mail password, as that is the main key in the whole environment. Without access to the e-mail they won’t be able to circumvent Steam Guard and as such, they will be unable to access it.
<3 Steam Guard.
11/11/2011 at 11:18 jezcentral says:
Whilst I agree that Steamguard will protect your games, I don’t think the hackers give two hoots about using your account to purchase games for free. They want your credit card details, so they can waltz off into the sun and spend it on more frivolous things.
10/11/2011 at 23:08 Zarunil says:
Covered by Steam Guard, so I won’t be affected by this (hopefully).
Doesn’t matter if my forum account got stolen, as I don’t use that password for other sites (I think).
10/11/2011 at 23:10 Siimon says:
“This database contained information including [...] email addresses, billing addresses.”
sort of contradicts
“We do not have evidence that [...] personally identifying information were taken by the intruders”
Also, why was personally identifying information, such as billing address, not encrypted? They only say CC#’s were.
Or am I reading this wrong?
PS. Jamestown DLC is out <3
10/11/2011 at 23:17 Soundish says:
The way I’m reading it, it looks like Gabe is saying the database was accessed but they don’t know if anything was taken
10/11/2011 at 23:20 Siimon says:
That’s what I read.. But if they had access to the database I’m assuming they downloaded it, which means they have the info. I doubt there are all too many hackers that would deface and do nothing else; even if it’s not a criminal hacker that did this I’m sure even scriptkiddies would download the data and sit on it…
10/11/2011 at 23:23 Soundish says:
Plus unlike Sony, Valve actually encrypted the CC info
10/11/2011 at 23:41 Veracity says:
Jamestown DLC is only new craft/characters; not sure I see the sense in that when most people have surely already settled on what works for them and don’t use anything else (and that it’s gunner, because everything else is relatively crap, or maybe beam if they just want something easy to manage and don’t care about scoring or how hard Croatoa will be). I would’ve thought more challenge events would have more value, but maybe most people don’t pay much attention to those. It is silly cheap like the torrent of absolute tat that got puked all over Magicka, to be fair. I’m still having it because the powder keg thing looks like it might be what the exploding shot ship no one uses ought to’ve been, so I want to give that a go.
10/11/2011 at 23:13 oceanclub says:
Steamguard is definitely reassuring; I’ve been using it for a while.
While, if the passwords are hashed, there’s no need to change your password, I’d still change it anyway. There’s _always_ a small chance that it was recorded in plaintext at some point; better safe than sorry.
P.
10/11/2011 at 23:13 pupsikaso says:
They might not have evidence that the CC# encryption had been cracked, but if they got the numbers it’s only a matter of time until they figure out how to crack it. And it’s already been 4 days. So I suggest that anyone that had used a credit card with steam (I’m not sure if it should be everyone or just the ones that used the checkbox to store the credit card info with steam) should call their bank and change the credit card. You’ll have to wait a few days for them to mail you the new card, but I think that’s a small price to pay for your financial security.
10/11/2011 at 23:13 BurningPet says:
I am really not a steam fanboy, but damn, something about gabe just transmits calmness and fairness directly into my brain!
10/11/2011 at 23:13 Kaira- says:
Um, wasn’t this hacking of the forums known for… two or three days? If so, quite slow action telling people, but still better than certain services I could mention.
11/11/2011 at 00:43 zeroskill says:
Yeah there has been a post on Facepunch for 3 days now saying the Steam Forums got hacked. Nobody seems to know when Valve themselves found out that other information has been compromised. They could just have done it like others and kept quiet about it.
11/11/2011 at 02:17 stupid_mcgee says:
They knew the forums had been hacked, but not the database. My guess is that they were looking into the forum fiasco and then found out about the DB, wanted to assess what was going on and what potential damage might have been done, and then said something about it. It’s not like they’ve been sitting on this for weeks on end. SPUF went down on the 7th. That’s pretty good communication. I’m sure they’re also having to deal with both FBI and Secret Service right now as well.
10/11/2011 at 23:18 James G says:
Bugger. Changed Steam password, which was unique anyway. Annoyed that I had credit card info associated with the account, I removed it when Sony was hacked, but it slipped back on there. They say it’s all encrypted though, which is good. Can’t get onto the forums to change that password yet, but again, unique.
Actually, a question about stored credit card data. Do they actually store the numbers, or just a token? Obviously some places will do things the wrong way, but if storing tokens is a possibility then it would make security a hell of a lot better.
Edit: Hah, just realised my card expires at the end of this month anyway. I can’t see the encryption being broken before then. Will keep an eye on it though.
10/11/2011 at 23:20 rocketman71 says:
Well, that requires a big FUUUUUUUUUUUUUUUUUUUUUUUUUUUCK.
10/11/2011 at 23:20 Ultra-Humanite says:
Never registered on the forums and with Steam Guard, it’s a non-issue for me.
10/11/2011 at 23:28 Reikon says:
Whether you have a forum account or not doesn’t seem to matter. It sounds like they were able to access the main Steam database.
10/11/2011 at 23:31 Ultra-Humanite says:
Except the key word there is “seem to”, because you don’t really know. And regardless, it’s a non-issue anyway. You can either panic like chicken little and go through needless hassle or you can be vigilant like you should have been anyway and not need to worry.
10/11/2011 at 23:21 Spinoza says:
Whatever, Gabe.
Now, where is the Thanksgiving Sale? (holding wallet ready)
11/11/2011 at 09:34 ThinkAndGrowWitcher says:
:D
10/11/2011 at 23:23 man-eater chimp says:
Well, it’s usually good policy to change passwords semi-regularly anyway (apparently) so I did my Steam one just in case. Steam Guard now seems like a good idea!
11/11/2011 at 00:30 Lowbrow says:
That’s more of a high-level security procedure, spy stuff. Changing your password doesn’t prevent you from being compromised so much as stop the access of someone who is silently accessing a compromised account.
10/11/2011 at 23:23 Delusibeta says:
My Steam account password is an old password that I’ve stopped using elsewhere, plus SteamGuard means that should be safe. My Steam forums password has been leaked before (Nexus forum hacking), so not a big deal. More worrying is the fact that they might have encrypted credit card details. Thankfully, I’ve never saved my billing address and credit card details, and my last Steam purchase was the Halloween sale, so *hopefully* they’ve disposed of the details.
10/11/2011 at 23:25 Electricfox says:
It was only a matter of time really, the sharks have probably been circling for a while, looking for a weakness. Kudos to Gabe and team for dealing with it quickly once the scope of it was realised.
10/11/2011 at 23:27 Veracity says:
But I don’t remember what my account password is. Steam does, which is the only reason I’ve been able to connect to it for a while. I suppose I should try to get that fixed at some point.
10/11/2011 at 23:28 Monkeh says:
It’s the end of the world I tell you!
10/11/2011 at 23:29 bit_crusherrr says:
Where’s my free games, Gabe.
10/11/2011 at 23:30 ilurker says:
Salting doesn’t make weak passwords invulnerable, as xkcd demonstrated amusingly.
11/11/2011 at 17:29 diamondmx says:
The comic you reference has nothing to do with Salting passwords. It has to do with alphanumerics/symbols being used in a password vs having a long password.
10/11/2011 at 23:34 wazups2x says:
I only use PayPal. I’m safe. :)
10/11/2011 at 23:42 pupsikaso says:
Lol, I hope you’re being very sarcastic.
11/11/2011 at 00:39 johnpeat says:
He’s safe from any intrusion into Steam’s system as he wouldn’t be so daft as to use the same password on PayPal and Steam…
11/11/2011 at 00:57 wazups2x says:
Nope, being very serious. :)
And yep, I use a different password for almost everything.
10/11/2011 at 23:35 Buemba says:
Thankfully I got a free year of identity theft protection out of the PSN hullabaloo, so now I guess we’ll see how effective that is.
Also, any recommendations for a password manager?
10/11/2011 at 23:37 ShatteredStone says:
KeePass does what it advertises and runs on practically everything.
If you think LastPass is a good idea, you are beyond help.
If you want distributed/shared copies of your passwords, consider KeePass+DropBox (or any similar service).
10/11/2011 at 23:47 James G says:
How is Lastpass any less secure than keypass + dropbox?
11/11/2011 at 00:21 purdz says:
LOL!
You mean the same dropbox that earlier this year let anyone into anyone’s account with just a username and no password required??
Lastpass is pretty damn secure, especially if you use it with Google authenticator or a Yubikey and also an email address that is set up purely as your last pass account name and doesn’t get used for anything or sent to anyone.
Everything sent to lastpass is encrypted and decrypted LOCALLY ON YOUR COMPUTER meaning lastpass only store the encrypted data which means even they can’t access it. So if you lose access to your email account and lose your password you lose your lastpass account as they can’t reset it.
11/11/2011 at 00:21 Kaira- says:
I’d argue against using Dropbox for storing sensitive data, since it’s not really secure. http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
11/11/2011 at 00:41 johnpeat says:
I like Dropbox but I don’t – even for a second – consider it a ‘secure’ solution – and I’d not store passwords or anything like that within a million miles of it.
LastPass is pretty excellent I reckon – their recent adoption of Google Authenticator codes makes them even more secure – in fact I'd say they were about as secure as it's possible to get without landmines and laserbeams…
11/11/2011 at 00:54 Lord Custard Smingleigh says:
Dropbox stores all my passwords. I don’t really mind its insecurity, my password file is encrypted. I wrote the encryption myself after reading papers on current techniques, and I’ll rewrite it if weaknesses are found, so I trust that security. Otherwise, go nuts trying to guess my 43 character password with letters, numbers, and punctuation. Hint: Does not use euro signs.
11/11/2011 at 01:02 TillEulenspiegel says:
LastPass does all the encryption client-side with the magic of Javascript. It’s good stuff – if you lose your master password, you’re probably screwed. (“If at this point you have failed to remember your password, your account hint didn’t jog your memory, and you’ve tried the password recovery on every machine you’ve logged into, your only recourse is to delete your account and start over.”)
11/11/2011 at 03:06 JagRoss says:
You'd be even more screwed if you forgot your KeePass password though.
10/11/2011 at 23:45 Velvetmeds says:
Lol, Steam is going nuts. 2 "false" daily deals on the news page. Happened before, I know.
I'd jump on that EYE 50% off deal like a shark. If only it were true.
10/11/2011 at 23:47 kyrieee says:
“Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password).”
Exactly, but if you have a good password it probably won't be broken.
I wonder how the CC details are stored though.
edit: fail reply, goddammit
11/11/2011 at 02:05 Starky says:
CC details will probably be stored using 256 bit AES.
10/11/2011 at 23:47 Donkeyfumbler says:
Lastpass is great but I wouldn’t trust it with my passwords to anything important. All those forum and website passwords fine – anything to do with Google, email, digital distribution (like Steam) or anywhere that holds my financial info is in my noggin.
10/11/2011 at 23:47 Vaughn says:
Man, Origin fans are rabid!
11/11/2011 at 00:10 InternetBatman says:
That made me laugh pretty hard.
10/11/2011 at 23:48 Squishpoke says:
I’m tired of these motherfucking hackers…
on this motherfucking plane.
10/11/2011 at 23:51 Velvetmeds says:
I just want SPUF to be back up. I almost killed myself WITH SUICIDE from so much spuf withdrawal
11/11/2011 at 00:01 The_Great_Skratsby says:
Oh Steam Guard your super-usefulness has been confirmed.
11/11/2011 at 00:10 Jac says:
Trying to change my pass and I'm getting the same error others have reported about Steam not being able to process my request, yet I am 100% certain I'm entering the correct pass.
Has anyone been able change theirs in the last few mins?
11/11/2011 at 00:13 mod the world says:
Yes, I just did, without problems.
11/11/2011 at 00:15 zeroskill says:
Yeah, I just changed my pass and it would give me that two times, then it worked. Guess a lot of people are changing their passes right now.
11/11/2011 at 00:46 Jac says:
Yeah, weird, has worked now, cheers.
Now Skyrim just has to hurry up and decrypt itself and all shall be right with the world again.
11/11/2011 at 00:12 mod the world says:
Man, I'm so glad BF3 is on that other system. ^^
11/11/2011 at 00:16 zeroskill says:
To see someone talking about BF3 with the name “mod the world” is highly amusing to me.
11/11/2011 at 00:16 Lord Custard Smingleigh says:
Thank you RPS.
11/11/2011 at 00:55 hello_mr.Trout says:
I second that!
-> I wouldn't have found out about this otherwise!
As my Steam program thing didn't tell me anything – and I haven't even blocked ads or whatnot – very curious.
11/11/2011 at 00:16 Beelzebud says:
2nd HUGE breach in Valve security.
Honestly, they’re rolling in money, they really need to pump more of it in to security. There is no excuse for something like this to happen, when they have that many people trusting them with CC info…
I’ve been a defender of Valve for a very long time, and they have lost some major points here with me. Get your shit together, Valve….
11/11/2011 at 00:49 Lukasz says:
Mate, if you believe there is security which cannot be breached then you live in a naive world.
Of course Valve can be hacked, and if they stay in business they will get hacked again.
So will Facebook.
So will RPS (when they grow to a mega game site).
There is no true security on the web. Any information can be stolen and used against your will.
11/11/2011 at 01:34 Starky says:
Indeed, Valve can and should have the best security they can reasonably have – and have in place a system of what to do and implement should it be broken – but nothing is invulnerable.
Hell, breaches are almost inevitable – the key is to ensure that any breach results in minimal damage – which Valve have done.
Encrypted and salted passwords and encrypted credit card details (good Valve, bad Sony).
Even if they know the salt (which they probably will) it still adds complexity to calculating the hashed password, simply because there is NO mathematical method of going from hash > password.
A password must be entered and then the hash calculated and results compared – so even if the salt is known and brute force is calculating say 1234567890salt (where numbers can be any alphanumeric) it still takes more computing time than just 1234567890 (just due to generating the hash itself to compare).
11/11/2011 at 02:19 Pointless Puppies says:
@Lukasz:
Indeed. It's kind of sad that there's a gigantic amount of people out there who think good security is just a matter of throwing money at a department and having them make serious frowny faces as they furiously type at their keyboards and TA-DA! A shiny, impenetrable security system is built! Any time a hacker dude with his 60′s-style eye mask and black-and-white-striped long sleeve shirt cackles and types "HACK INTO VALVE PL0X!", the giant impenetrable wall of 1s and 0s will bounce off the evil hacking bits like a skinny infant on a trampoline! Boom! Out goes the bad bits from the bad guy! Boom! Our wall is unstoppable! The evil hacker dude goes "WHAAAA?!?!" as he's baffled, absolutely baffled at this amazing feat, that he runs away with his arms in the air wailing like a madman for he has been defeated! He shall never again don his hacker mask and attempt his nefarious plans ever again! Valve wins the day, and all they had to do was unload wheelbarrows of cash at the feet of the po-faced geniuses! Type on, defenders of justice, type on!
11/11/2011 at 00:16 mbp says:
So I changed my Steam password. I am sure these criminal arseholes will be really pissed off now that they can no longer play TF2 using my account. Too bad they can just console themselves by buying stuff with my stolen credit card details.
I hate this.
11/11/2011 at 00:18 Frank says:
Why does SteamGuard have anything to do with this? Don’t you (RPS commenters, supra) see that part about hackers potentially having access to credit card information? It doesn’t sound like that information is contingent on logging in as me.
11/11/2011 at 01:43 Starky says:
They have access to ENCRYPTED credit card information – which even if they just used 128 bit AES for the CC numbers (in reality probably 256 bit) – it would take a few thousand years per credit card number to decrypt.
11/11/2011 at 01:54 Frank says:
@Starky. Ok, thanks for the explanation. I’m a lot less worried now.
11/11/2011 at 05:28 Thermal Ions says:
Not to mention that you should always assume someone somewhere has obtained your credit card details, and be checking your account/statement regularly anyway. Back in the day it used to be people lifting the carbon sheets from the credit card imprinters out of rubbish bins, now it's lifting the details from any number of electronic sources, be it the local club (with an employee who has a drug/gambling problem) or some online store that retains your card details in their database without telling you.
11/11/2011 at 10:00 Milky1985 says:
"They have access to ENCRYPTED credit card information – which even if they just used 128 bit AES for the CC numbers (in reality probably 256 bit) – It would a few thousand years per credit card number to decrypt."
Reading the info from Valve, they have access to the encrypted credit card information but NOT the numbers; they add in there that there is no evidence the numbers were taken.
I read that as the credit card info (address etc.) were taken, but NOT the numbers themselves, which were never touched.
Basically they have the information on you that you could get from the electoral roll :P
(I could be wrong in my understanding of this, don't have any current CC details on Steam anyway unless I accidentally left the "save card details" box ticked last time I got something.)
11/11/2011 at 21:47 Starky says:
No, I think there is a chance they have the credit card numbers as in the CC numbers were actually in the database, but there is no evidence the database was downloaded, just accessed – but if they were accessed you have to assume they were taken. But, the credit card numbers will look something like this:
“7AD3C3BF888C9E885CC206D5822ABE44D665F8A47CCB1A02FF069A”
Which without the decryption key (itself a 256 bit string) will take them several trillion years to decrypt by brute force (trying every possible key combination).
There is virtually no chance they will have that key, it would not be stored in the same database – hell it should be stored on part of the server that cannot be accessed from the internet at all.
11/11/2011 at 00:24 Beelzebud says:
That CC database had better be encrypted with AES256, otherwise Valve isn’t fit to run a huge online store.
11/11/2011 at 00:30 Soundish says:
From what I’ve read it was indeed AES256. Hopefully that’s right. I’d also like Valve to say whether the CC info on the database was transaction info or saved cards on accounts as I didn’t save my card details to my account.
11/11/2011 at 00:31 Quine says:
Great- I’ve only just finished changing all my passwords from when my (defunct) XBLA and/or EA logins got hacked recently.
At least Steam have owned up to it quickly- many large firms keep quiet about such intrusions unless they’re sure credit card details have been swiped, and so no-one can identify the weak links in their accounts.
11/11/2011 at 00:32 Solidstate89 says:
No Steam Forum account, but I did just change the password for my main Steam Account to a nice and randomized 20-key password.
As far as credit details go, can anyone tell me if using PayPal makes the leaked credit card information less of a concern?
11/11/2011 at 00:45 johnpeat says:
If you use PayPal they don’t HAVE any credit card info to leak – so yes.
11/11/2011 at 01:50 sinister agent says:
I’m changing mine to password132.
They’ll never catch me!
11/11/2011 at 02:00 stupid_mcgee says:
That’s amazing! I’ve got the same combination on my luggage!
11/11/2011 at 01:57 stupid_mcgee says:
Spy! Hackin’ mah credentials!
Steam forums down!
11/11/2011 at 20:01 oldfart says:
(TF2 announcer) INTRUDER ALERT! HACKER IN THE BASE!
(Gabe) RED SPY IN THE BASE ?! (drops donut box)
(announcer) PROTECT THE USERS DATABASE!
(Gabe) NEED TO PROTECT THE USERS BASE! (storms to datacenter room)
(Robin Walker, already trying to open the door) LETS GO! LETS GO! LETS GO!
(Gabe) Back off, son… (types “1111″ in the security lock)
…
11/11/2011 at 02:21 pipman3000 says:
Oh look, I can't change my password because it's connected to an old dead email address, and I can't change my email address because it requires me to read an email on the old dead one.
Fuck you Steam.
11/11/2011 at 05:02 bleeters says:
Yes, your ineptitude is obviously their fault.
11/11/2011 at 12:51 InternetBatman says:
If you have a physical product that you’ve activated on Steam, I know you can take a picture/ scan it and go to Steam tech support to change email addresses. It happened to me a while back. I think they have some other things built in place too, but it cannot be instantaneous since email is their primary point of contact.
12/11/2011 at 23:17 MeestaNob says:
You dont even need that, just email tech support and they’ll fix it up for you.
11/11/2011 at 03:55 PaulOHara says:
I’ll admit that my Steam password was one of my less secure passwords, and that as a student currently studying computer security I should have changed it ages ago; but now I’ve changed it and stored the password in my KeePass database :)
11/11/2011 at 06:37 lgs says:
Steam canceled PayPal as a payment method for Russia; thanks to this my credit card is compromised now.
11/11/2011 at 14:18 johnpeat says:
In fairness to them that’s more PayPal’s problem than Steam’s – they stopped accepting it because they had a tonne of trouble with it…
11/11/2011 at 07:38 SketchyGalore says:
Obviously this isn’t the first time this has happened, but I always run into this same problem. I have NO idea which of my dictionary of passwords I was using for the Steam forums, and since they’re down for security, it’s kinda hard to figure out which one was compromised.
Oh well… how much do you want to bet Origin pulls an Apple maneuver and goes "Ha! We NEVER get hacked!"… and then gets hacked three days later.
11/11/2011 at 08:05 jalf says:
I seem to recall mentioning their lax approach to security a couple of times, and getting shouted down.
Anyone wanna argue that *of course* Valve knows what they’re doing, and *of course* your information is safe with them now?
They were informed of (smaller) security issues several times before, and completely failed to react.
11/11/2011 at 08:06 MythArcana says:
Once again, Steamless and clean here since 1980.
11/11/2011 at 10:27 mondomau says:
Good for you! Me and my (un-hacked) steam account with £2000 worth of games I paid around £500 for are very happy for you.
Swings and roundabouts, my friend.
11/11/2011 at 08:08 FCA says:
OK, nice to know my credit card details (which I do not store there BTW; does anyone know if Valve still has them coupled to my account in that case?) were encrypted, but why was there no e-mail sent to all users?
I haven't seen that particular Steam popup at all; they have my e-mail, inform me!
Really, why should I learn from this via some third-party website, with not even a link to a steam domain in it.
11/11/2011 at 08:57 Jp1138 says:
Well, I haven't received any messages from Steam yet either, and haven't fired up the client during the week, so this is new for me too… You should think they would have sent mails to everybody by now… : (
Fortunately my CC expires this month, so I hope I don't get any surprises…
11/11/2011 at 10:03 Milky1985 says:
It's possible they are sending out emails, but if they just fired off 5 million+ emails at once (basing this on peak logins, no idea how many accounts they have) they would be classed as spam and blocked.
Needs multiple servers and a slower send-out speed. It could be happening, might not be, but at least there is some info on the client, when you sign in or when you play a game.
11/11/2011 at 11:10 sneetch says:
Simply mass mailing is not enough to get you marked as spam Milky; I get mass-mails from GoG, Sony (PSN), Microsoft (Xbox), Impulse and others every week without any problems (and at least the PSN and Xbox mails must be sent to millions worldwide).
11/11/2011 at 12:21 Jp1138 says:
As sneetch said, there don't seem to be any problems sending promotional e-mails, don't know why this should be different. It has been some days, though, so even if it worked as you say, we should have received some mail by now – SOE at least did this.
11/11/2011 at 12:53 Milky1985 says:
"As sneetch said, there don't seem to be any problems sending promotional e-mails, don't know why this should be different."
I would suggest you get a bit of background information on email marketing before arguing my point. Basically it's not as simple as just sending them out; there are codes of practice on this sort of thing and just hitting send on even a small number of 10k without abiding by them will get your computer marked as a spam sender and banned from a lot of places. I will explain a bit below.
I am going to say here first that I am NOT saying if they have or have not done it, simply putting out a reason why, if they HAVE done it, they might not have sent them all out yet. It's also possible that they just haven't bothered and are just going with the Steam message.
"Simply mass mailing is not enough to get you marked as spam Milky; I get mass-mails from GoG, Sony (PSN), Microsoft (Xbox), Impulse and others every week without any problems (and at least the PSN and Xbox mails must be sent to millions worldwide)."
Firstly, as a rule of thumb these campaigns are planned a good couple of weeks in advance, not just rushed together (that does change things a little, not too much though). The actual act of sending out the emails may be shipped off to a third party; these third parties will have email servers that are marked as OK by email receivers (which means they can send lots at once); they will have lots of servers, all sending emails out at what is actually a very slow pace for email, since it's perfectly possible to send thousands in a second.
It's very possible that the mass email that you got from them will come through at a very different time for your Xbox Live friends, for example; some of this will be due to regional timing, but some due to speed of sending.
Any third party may not have the capacity for a "we need to send this out now" job (again due to time booked), and you can't just set your own computer to send out the emails at a fast pace, as you will get IP blocked very quickly by the major spam filter companies, meaning the email doesn't get through.
They might try to do it in house, but if you're not registered and authenticated you will have to rate limit your sending, and it's actually not that many you're allowed to send per minute before you get blocked for some providers.
Basically any email send-out process normally requires a bit of planning, 'tis why the website options tend to get used first.
And again, as this is the internet and even though I mentioned it above, by now someone's probably forgotten what I said 2 minutes ago: I am not saying if they have or have not done it, simply giving a reason why we might not have emails if they have done it.
11/11/2011 at 16:12 Jp1138 says:
Well, Milky1985, thanks for taking the time to write such a long answer. I know it must not be so simple as adding your whole contact list and hitting send, but it's been some days since the hack and, as credit cards may have been compromised (and Steam accounts that, in many cases, may be many times more valuable than the cards), I think swift action to alert the affected should have been taken. That's why I still thought I should have a mail from Valve in my inbox right now, and I don't. But, as someone above has said, I suppose we all now get some hats in compensation ; )
11/11/2011 at 08:44 MrTambourineMan says:
I have such a badass password – 8 random letters + 6 random numbers (combination of two default passwords I was given by local internet providers in ’96 and ’98 AND I have Visa Electron with no money on it (or perhaps 3€ or something) so I’m not even worried :)
11/11/2011 at 09:39 OJSlaughter says:
My Credit Card Information wasn’t saved and I changed my password: safe!
11/11/2011 at 09:53 cytokindness says:
To everyone relying on Steam Guard:
STEAM GUARD HAS BEEN FUNDAMENTALLY AND FATALLY COMPROMISED.
I repeat:
STEAM GUARD HAS BEEN FUNDAMENTALLY AND FATALLY COMPROMISED.
They had access to the database.
Steam Guard creates its machine identifiers and has to store them … as rows in a Valve database.
It is likely that the hackers could have authorised *any combination of machines they liked for any account they liked*
DO NOT RELY ON STEAM GUARD FOR PROTECTION.
11/11/2011 at 10:06 Theory says:
Assuming that Steam Guard data was in the database, which it would seem it wasn’t, and assuming that write access was gained, which it would seem it wasn’t, adding new computers would require on-going database access. Which there isn’t.
11/11/2011 at 10:06 Milky1985 says:
So log in, deauthorize any other computer, then you're safe again….
Of course the threat of Steam Guard being broken is based on information we do not have, as Valve have not said anything about how it works or if there have been db injections (which imo would be easy to detect and reverse), and the hackers would still need to know how to generate the machine code, and it would possibly be obvious if the same machine code was valid for 1000′s of accounts.
Overall, as it says a lot on Wikipedia, "citation needed".
11/11/2011 at 09:53 bill says:
I don’t remember if I ever signed up for the Steam Forums… I don’t have any stored passwords for them, and haven’t used them for ages… but who knows. And I can’t even check as they’re offline.
I CANNOT work out a good solution to this password problem…. as I spend hours changing loads of passwords on the off-chance yet again.
- Having the same password is a risk, even if you break it into groups (as Steam was part of my more-important group).
But setting up highly secure random passwords for every site has issues too:
- LastPass seems OK, but they've had security issues and I don't see how having their database stolen with ALL my encrypted passwords would be any worse than having Steam's database stolen with one.
- KeePass would be great (if a little fiddly) if I just used passwords on my home PC… but I also need them sometimes on my work Linux PC, and on my Android phone.
There is keepassdroid, but even with that logging in to things on my phone is going to be very very fiddly.
Sigh…
11/11/2011 at 10:06 Revisor says:
1) Use a password manager to create, save and autotype your passwords. KeePass, 1Password etc.
Eg my password at RPS is 46 random chars long and I don’t care. KeePass types it for me.
You can share the PW database among computers via Dropbox or physically with a USB keychain.
OR
if you’re doing it by hand
2) Use a sequence of random (!) words as a password.
Every 1337 combination like Tr0UbaDor is only difficult for you to remember, not for a cracking machine to crack in a few seconds.
Also meaningless symbols are not difficult to crack, again only difficult for you to remember.
2a) Always use new passwords, never reuse them.
And a part for webmasters:
Use bcrypt.
http://codahale.com/how-to-safely-store-a-password/
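Starky's comment further up (known salt, but every guess still costs a hash) and Revisor's "Use bcrypt" above are two halves of the same point about password storage: a per-user salt kills shared precomputed tables, and a deliberately slow hash makes each guess expensive. The following is an added example and is not code from the original page or from Valve; bcrypt is not in the Python standard library, so it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in for the same idea. The wordlist, user records and the (intentionally low) iteration count are constructed for the demo; production work factors are far higher.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash. Kept low so the demo runs in well under a
# second; real deployments use far more (hundreds of thousands of iterations
# for PBKDF2-HMAC-SHA256, or bcrypt/scrypt/Argon2 at their recommended costs).
ITERATIONS = 20_000

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password132", "correcthorse"]


def fast_hash(password: str) -> str:
    """Unsalted single SHA-1: cheap to compute, so cheap to precompute."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, deliberately slow hash (PBKDF2 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = slow_hash(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_fast_table(records: dict[str, str]) -> dict[str, str]:
    """Attack unsalted fast hashes: one precomputed table serves every user,
    and users who share a password are exposed together."""
    table = {fast_hash(word): word for word in WORDLIST}
    return {user: table[digest] for user, digest in records.items() if digest in table}


def crack_slow_records(records: dict[str, str]) -> tuple[dict[str, str], int]:
    """Attack salted slow hashes: the salt is known (it is in the dump), but every
    (user, guess) pair costs a full KDF run and nothing is reusable across users.
    Returns the recovered passwords and the number of KDF evaluations spent."""
    found: dict[str, str] = {}
    work = 0
    for user, record in records.items():
        for guess in WORDLIST:
            work += 1
            if verify_password(guess, record):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    # Constructed accounts; the weak password is the one joked about in this thread.
    users = {"alice": "password132", "bob": "password132", "carol": "Tr0ub4dor&3"}
    fast_db = {u: fast_hash(p) for u, p in users.items()}
    slow_db = {u: store_password(p) for u, p in users.items()}
    print("fast, unsalted:", crack_fast_table(fast_db))
    found, work = crack_slow_records(slow_db)
    print(f"slow, salted: {found} after {work} KDF runs")
    print("same password, different records:",
          slow_db["alice"].split("$")[3] != slow_db["bob"].split("$")[3])
```

Run it and compare the two attacks: the unsalted table recovers alice and bob in a single lookup and shows they share a password, the salted records cost a separate KDF run for every guess against every user, and carol's password survives the wordlist in both cases. That is the limit Revisor and Starky both point at: the hash only buys time, so the password still has to be one that is not worth that time.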
11/11/2011 at 10:28 Torn says:
The problem everyone seems to be missing (or not understanding) is that:
- salted username + password details are relatively unimportant: properly salted, it'll take time to crack. People can change their passwords next time they login, and hopefully are not sharing passwords between different sites and are also using things like Steam Guard, and Google's 2-step authentication for Gmail.
- the main problem here is REVERSIBLE credit card information. Think about it, Steam remembers your credit card number. It’ll store it in an encrypted state, and is able to reverse this at will. Hopefully it was just the DB that was compromised and not the app server that contains whatever secret info needed to reverse the CC info.
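Starky's reply to Milky1985 further up and Torn's comment just above make the same architectural point: a card number has to be reversible so it can be charged, so the safety of a leaked database depends on the key that reverses it living somewhere the intruder did not reach. The sketch below is an added example, not Valve's design (the page says nothing about that): a key service that holds a 256-bit key and never releases it, a database tier that stores only ciphertext, nonce, tag and key id, and a brute-force estimate for the key space. The Python standard library has no AES, so the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a labelled stand-in for AES-256-GCM and not something to ship; the key id, account names and the well-known 4111 1111 1111 1111 test card number are constructed.

```python
import hashlib
import hmac
import os
import secrets


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class KeyService:
    """Stand-in for the application-server / HSM tier.

    Holds the 256-bit data-encryption key and only ever returns plaintext or
    ciphertext; the key itself never crosses into the database tier.
    The cipher is an HMAC-SHA256 counter-mode keystream plus an HMAC tag,
    a stand-in for AES-256-GCM used only because stdlib Python has no AES.
    """

    def __init__(self) -> None:
        self._keys = {"k1": secrets.token_bytes(32)}  # hypothetical key id
        self.active = "k1"

    def _subkeys(self, key_id: str) -> tuple[bytes, bytes]:
        master = self._keys[key_id]
        # Domain-separated subkeys so keystream and tag never share an input.
        return _hmac_sha256(master, b"enc"), _hmac_sha256(master, b"mac")

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(map(len, blocks)) < length:
            blocks.append(_hmac_sha256(enc_key, nonce + counter.to_bytes(4, "big")))
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> dict[str, str]:
        enc_key, mac_key = self._subkeys(self.active)
        nonce = os.urandom(16)
        stream = self._keystream(enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = _hmac_sha256(mac_key, nonce + ct)
        # Exactly the fields a database row holds: nothing here reverses itself.
        return {"key_id": self.active, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

    def decrypt(self, row: dict[str, str]) -> bytes:
        enc_key, mac_key = self._subkeys(row["key_id"])
        nonce, ct, tag = (bytes.fromhex(row[f]) for f in ("nonce", "ct", "tag"))
        if not hmac.compare_digest(_hmac_sha256(mac_key, nonce + ct), tag):
            raise ValueError("wrong key or tampered ciphertext")
        stream = self._keystream(enc_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, stream))


class CardVault:
    """Database tier: what an intruder with read access to the table would see."""

    def __init__(self, key_service: KeyService) -> None:
        self.key_service = key_service
        self.rows: dict[str, dict[str, str]] = {}

    def save_card(self, account: str, pan: str) -> None:
        self.rows[account] = self.key_service.encrypt(pan.encode())

    def charge(self, account: str) -> str:
        """Legitimate path: the app asks the key service to reverse the row."""
        return self.key_service.decrypt(self.rows[account]).decode()

    def dump(self) -> dict[str, dict[str, str]]:
        """Attacker's view: a copy of the table, and nothing from the key tier."""
        return {acct: dict(row) for acct, row in self.rows.items()}


def brute_force_years(key_bits: int, guesses_per_second: float = 1e18) -> float:
    """Expected years to exhaust a key space at an (optimistic) guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2 ** key_bits / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    ks = KeyService()
    vault = CardVault(ks)
    vault.save_card("acct-1", "4111111111111111")  # constructed test PAN
    print("charge path sees:", vault.charge("acct-1"))
    print("leaked row:", vault.dump()["acct-1"])
    print(f"128-bit key, 1e18 guesses/s: {brute_force_years(128):.2e} years")
    print(f"256-bit key, 1e18 guesses/s: {brute_force_years(256):.2e} years")
```

The row that leaks carries a key id, not a key, so a second KeyService with its own key fails the tag check rather than returning garbage, and a flipped ciphertext byte fails the same way. The estimate function is the arithmetic behind Starky's "several trillion years": even at a quintillion guesses a second, 2^128 takes about 10^13 years and 2^256 about 10^51. The weak point, as Torn says, is therefore not the cipher but whether the key tier was reachable from the compromised host.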
11/11/2011 at 11:27 Juuuhan says:
Guess I'm the only one here who doesn't use Steam.
Then again, things like this could be less dramatic if people had more services similar to steam (without the DRM of course). Hopefully that will become an option in the future.
11/11/2011 at 12:22 JKjoker says:
I fail to see how spreading your information around into more potential hacking targets, at the same time increasing the chances of ending up with some jackass company with a ridiculously insecure system, would make anything any better.
Well, OK, there is the advantage of ONLY losing half your gaming library when Valve explodes (probably Gordon pissed off about Ep3′s delays).
11/11/2011 at 14:32 jezcentral says:
I’m curious as to why people did this. There must be easier targets than Valve, with the upside that another company’s data might not be so hard to crack.
And the “Because they can” or “To show off” arguments don’t seem to hold up, as none of the usual hacker groups are claiming credit.
11/11/2011 at 17:45 DougallDogg says:
Well, seems like my angry rant at the plonker in the bank when they decided to cancel and replace my debit card rather than renew the same number has worked out OK.
Grrrrr, this has to be about the 5th time this year I have had to go round and change a handful of passwords. Thankfully not too many accounts shared the same credentials as my Steam account (hoping for a surprise delivery from Dominos).
Makes you wonder why a software company, let alone one with as many talented employees as Valve, still uses third party forums such as vBulletin.
11/11/2011 at 19:45 Froibo says:
Steam makes you register each computer so unless they have access to your e-mail you shouldn’t worry about your steam password.
11/11/2011 at 21:39 My2CENTS says:
That's pathetic, how can they use the same server/network for the forums/Steam db. I think Valve really need to hire professionals and stop risking people's information, PATHETIC.
11/11/2011 at 21:45 Nim says:
The random uninformed forum-raging arm-chair-analysing internet-security wannabe-consultant has spoken.
Heed his ill-researched wisdom and despair!
11/11/2011 at 23:09 My2CENTS says:
Ohh please, next time go insult something you have knowledge about. It's public info how Steam works, we know their server, they use an almost open-source bulletin board and in the end they have the public forums and user personal data on the same network; if that ain't a security risk, then GTFO troll.
12/11/2011 at 09:33 Nim says:
So this is how trolls feel when they’re successful? It’s a revelation, now I understand why so many do it.
12/11/2011 at 20:04 Jehuty says:
Terribly naive of me, I know, but is it really too much to ask that people simply stop trying to steal my shit? Looks like it’s time for more password changes.
24/11/2011 at 17:53 Alagon says:
I guess my credit card just got hacked earlier this day.
I currently live in the Netherlands, and this morning I got a phone call from my bank. The guy told me somebody was trying to use my credit card to book a hotel in the US. They double confirmed it was false (of course, because I was sleeping in my house in NL) and blocked my card from further misuse.
After I finally woke up, I began to wonder why. I seldom use my credit card, because we use bank debit cards most of the time in NL. Then I found that actually I only use my credit card on Steam purchases, and I quickly related it to the recent Steam hack.
However, I am not here to condemn Steam for this ill event. My bank is vigilant while dealing with false purchases in a rapid and accurate manner, and for that I am grateful. Just want everybody on Steam to keep their eyes open, and hope this will not come to you.