Steam Users
If you haven't checked your email, then you better read this:
http://www.pcgamer.com/2011/11/10/steam ... mpromised/
Just a reminder, if you use the same password at multiple sites, including here, please change your password. Like, now.
Re: Steam Users
So, hashed and salted passwords means that as long as it's a random salt we don't have to worry too much about the password being translated to plain text, right?
Re: Steam Users
Not really. Databases of hashes already exist. The salt adds a twist but not a difficult one to overcome.
Grisbault, Twice-Made.
The p, s, l, and t are silent, the screams are not.
Re: Steam Users
Greebo wrote: Not really. Databases of hashes already exist. The salt adds a twist but not a difficult one to overcome.
It's very rare that they would use a 2-way hash for passwords. It will likely be very difficult to transform those passwords into plaintext. Passwords are rarely decrypted for authentication.
The usual thing to do is to encrypt the entered password and to compare the 2 encrypted versions for auth.
I am not overly concerned about this Steam crack. Could it be a problem? Sure, but it's not really very likely.
Mal
Re: Steam Users
Malstrom: http://en.wikipedia.org/wiki/Rainbow_table
There's a reason why a large salt should be used.
Re: Steam Users
Pincus wrote: There's a reason why a large salt should be used.
Good thing it was used.
A rainbow table is ineffective against one-way hashes that include salts.
Apologies if I was not precise enough. Replace "hash" with "hash-with-salt" in my above post.
Really I was just trying to say that these things are not designed to be reversed.
Mal
Re: Steam Users
We don't know how large the salts are, we don't know which hash algorithm was used (have they even updated it since Steam went live? Production code that works is notoriously long-lived), we don't know if they had access to the app servers as well as the db and thus presumably to the algorithms. We don't know if each user had a different salt although we can assume that. We do know that hash algorithms are designed to be fast so it won't take *that* long these days if they focus on a selection of deemed high-value passwords if Valve didn't do everything right.
I don't think *my* password was valuable but I changed it anyway.
Grisbault, Twice-Made.
The p, s, l, and t are silent, the screams are not.
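Added example, not part of any post in this thread and not Valve's code: a Python sketch of the storage points discussed above (per-user random salt, a fast hash versus a deliberately slow one, and why a precomputed table stops matching once salts are used). The function names, iteration count and sample passwords are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this illustration; tune to your hardware
SALT_BYTES = 16       # assumed salt size; random and different for every user


def fast_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Constructed sample: hashes computed once, ahead of time, for common passwords.
PRECOMPUTED = {fast_unsalted(p): p for p in ("123456", "password", "letmein")}


def found_in_table(stored_hex: str) -> bool:
    """True if a stored value matches an entry in the precomputed table."""
    return stored_hex in PRECOMPUTED


if __name__ == "__main__":
    # Two users who picked the same (constructed) password.
    unsalted_a, unsalted_b = fast_unsalted("letmein"), fast_unsalted("letmein")
    print("unsalted rows identical:", unsalted_a == unsalted_b)
    print("unsalted row found in table:", found_in_table(unsalted_a))

    salt_a, row_a = hash_password("letmein")
    salt_b, row_b = hash_password("letmein")
    print("salted rows identical:", row_a == row_b)
    print("salted row found in table:", found_in_table(row_a.hex()))
    print("login still works:", verify_password("letmein", salt_a, row_a))
```

The salt only removes the benefit of precomputation and of identical rows; the iteration count is what raises the cost of each guess against a single account, which is the concern about fast hash algorithms raised in the post above.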
Re: Steam Users
I decided better safe than sorry and changed my password...it'll be fun to try and remember which of 15 different ones I use it is when I have to actually type it in again.
Steam Users
Changing your password is a smart thing. I did it too. If my post implied you should not bother to change your password then it was wrong wrong wrong.
Better safe than sorry.
Mal
"While I stand, no Grim will fall"
Re: Steam Users
Like Mal I'm not overly concerned about it. The password issue can be resolved easily enough anyways: Change your password. The scary part is our credit card information. That means that they also have our complete name and address.
Again I'm not too worried about it. I haven't even changed my password yet but I will today. What I really wish I could do is change my login name!