Steam Users

Public Out of Character Board.
Pincus
Posts: 1136
Location: Trenton, NJ


If you haven't checked your email, then you better read this:

http://www.pcgamer.com/2011/11/10/steam ... mpromised/

Just a reminder, if you use the same password at multiple sites, including here, please change your password. Like, now.
Yichimet
Posts: 1368

Re: Steam Users


So, hashed and salted passwords means that as long as it's a random salt we don't have to worry too much about the password being translated to plain text, right?
Greebo
Member
Posts: 5896
Location: Far Southern Canuckistan

Re: Steam Users


Not really. Databases of hashes already exist. The salt adds a twist but not a difficult one to overcome.
Grisbault, Twice-Made.
The p, s, l, and t are silent, the screams are not.
Malstrom
Lost
Posts: 592

Re: Steam Users


Greebo wrote: Not really. Databases of hashes already exist. The salt adds a twist but not a difficult one to overcome.

It's very rare that they would use a 2-way hash for passwords. It will likely be very difficult to transform those passwords into plaintext. Passwords are rarely decrypted for authentication.

The usual thing to do is to encrypt the entered password and to compare the 2 encrypted versions for auth.

I am not overly concerned about this Steam crack. Could it be a problem? Sure, but it's not really very likely.

Mal
Pincus
Posts: 1136
Location: Trenton, NJ

Re: Steam Users


Malstrom: http://en.wikipedia.org/wiki/Rainbow_table

There's a reason why a large salt should be used.
Malstrom
Lost
Posts: 592

Re: Steam Users


Pincus wrote:
A rainbow table is ineffective against one-way hashes that include salts
There's a reason why a large salt should be used.
Good thing it was used.

Apologies if I was not precise enough. Replace "hash" with "hash-with-salt" in my above post.

Really I was just trying to say that these things are not designed to be reversed.

Mal
Greebo
Member
Posts: 5896
Location: Far Southern Canuckistan

Re: Steam Users


We don't know how large the salts are, we don't know which hash algorithm was used (have they even updated it since Steam went live? Production code that works is notoriously long-lived), we don't know if they had access to the app servers as well as the db and thus presumably to the algorithms. We don't know if each user had a different salt although we can assume that. We do know that hash algorithms are designed to be fast so it won't take *that* long these days if they focus on a selection of deemed high-value passwords if Valve didn't do everything right.

I don't think *my* password was valuable but I changed it anyway.
Grisbault, Twice-Made.
The p, s, l, and t are silent, the screams are not.
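
Added example, not part of the original thread and not Valve's code: a Python sketch of the points debated above, showing that an unsalted fast hash is found in a precomputed table while a per-user salted record is not, that login works by re-deriving and comparing rather than reversing, and that a slow key-derivation function raises the cost of every guess. PBKDF2-HMAC-SHA256, the 200,000 iteration count, the 16-byte salt and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor, chosen for illustration
SALT_BYTES = 16       # assumed salt size

def fast_unsalted(password: str) -> str:
    """One fast SHA-256 pass with no salt: same password, same hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest): a fresh random salt per user plus a slow KDF."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Authenticate by re-deriving from the entered password; nothing is reversed."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

# Constructed sample: a tiny stand-in for a precomputed table of unsalted hashes.
PRECOMPUTED = {fast_unsalted(p): p for p in ("123456", "password", "letmein")}

def relative_cost(password: str = "letmein") -> float:
    """How many times more expensive one KDF derivation is than one fast hash."""
    start = time.perf_counter()
    for _ in range(1000):
        fast_unsalted(password)
    fast = (time.perf_counter() - start) / 1000
    start = time.perf_counter()
    make_record(password)
    return (time.perf_counter() - start) / fast

def demo() -> dict:
    alice, bob = make_record("letmein"), make_record("letmein")
    return {
        "unsalted_in_table": PRECOMPUTED.get(fast_unsalted("letmein")),
        "salted_in_table": PRECOMPUTED.get(alice[1].hex()),
        "same_password_same_record": alice[1] == bob[1],
        "right_password": verify("letmein", alice),
        "wrong_password": verify("letmein1", alice),
    }

if __name__ == "__main__":
    print(demo(), f"KDF is ~{relative_cost():.0f}x costlier per guess")
```

A weak password is still guessable one candidate at a time against its own salt, which is why changing a reused password remains the right response to a breach.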
Thalevia
Lost
Posts: 1499

Re: Steam Users


I decided better safe than sorry and changed my password...it'll be fun to try and remember which of 15 different ones I use it is when I have to actually type it in again.
Malstrom
Lost
Posts: 592

Steam Users


Changing your password is a smart thing. I did it too. If my post implied you should not bother to change your password then it was wrong wrong wrong.

Better safe than sorry.

Mal

"While I stand, no Grim will fall"
Ashenfury
Lost
Posts: 2326
Location: Austin, Tx

Re: Steam Users


Like Mal I'm not overly concerned about it. The password issue can be resolved easily enough anyways: Change your password. The scary part is our credit card information. That means that they also have our complete name and address.

Again I'm not too worried about it. I haven't even changed my password yet but I will today. What I really wish I could do is change my login name!