If geeks love it, we’re on it
If geeks love it, we’re on it
You found the friendliest gaming & tech geeks around. Say hello!
primesuspect
The Curator of Delightful Experiences Admin, D&D Supernerd, Supporter, Expo Attendee
Icrontic — Home of the Big Beef Burrito since 8-8-2000, fool. A Short-Media community © 2003–2013. Powered with <3 from Vanilla & WordPress.
Articles RSS
Comments
Thanks for putting that up Prime I don't check my email enough to catch something like that.
Just changed my passwords, hope they get everything fixed up soon.
My guess, everyone's caught wind of this and the password change requests are overloading whatever capability Steam's servers have for managing that sort of thing.
That or its just Steam being Steam, the amount of those messages I get in a month is ridiculous.
tl;dr: You're wrong.
The passwords are much more likely to be crackable. They are not actually encrypted. Passwords are stored as a cryptographic hash. Valve doesn't tell us which hash was used, but if it was MD5, which is somewhat likely, all but the securest (i.e., longest) passwords will probably be compromised. If it was something more secure, a good password should still be safe.
No need to argue what was effected, just change your passwords as a precaution.
Be proactive, not reactive.
There are many methods to generate an encrypted password hash. The old standard is to use a hash function (such as MD5, SHA1, etc) combined with a salt. This makes it difficult to simply look up the precomputed value of the hash - but not impossible. Considering the incredible speed one can compute the older hashes like MD5 and SHA1, it's perfectly feasible to crack these in days if not hours with a modest amount of CPU/GPU power.
However, there are more modern hash functions such as bcrypt and pbkdf2 which take much much longer to create a hash. The result is it takes much much longer to attempt to crack it. They're not very widely used right now, but their popularity is increasing as more password databases get compromised. It's very unlikely the Steam database was built with one of these hashes in mind.
I don't know how they encrypt or store their credit card data, but one thing's for sure: it has to be reversible for them to decrypt it and process your payment. Thus it's only a matter of cracking the key - which again, depends on the ciphers used, the key length, etc. Is there only one private key protecting all the credit card data? If so, it may be worthwhile to attempt to brute force the entire key. All that really matters is computing power and time. If you're lucky it's complex and large enough that they'll never feasibly be able to crack it.
So how about it, kid? Do you feel lucky?
I just want to clarify that it is not really feasible for an individual to brute force anything that has been encrypted with standard asymmetric cryptography techniques. Nothing is possible if they don't have the secret key file. If they do, and it's encrypted like it should be, then the attacker will have to guess the symmetric key used to encrypt the secret key ("passphrase"). This is much more plausible than brute-forcing a key from scratch but it should still be safe if a good passphrase was used.
The data may have been encrypted symmetrically using something like AES or Blowfish. In this case, as in the case of the encrypted secret key, it's much more plausible to crack if a bad passphrase was used, but should be safe if a good passphrase was used. Symmetric encryption is somewhat likely since it would have simplified the automated process of unlocking credit card data.
If someone has your credit card info, it's not so simple as changing your password.
I hope and expect that someone at Valve will provide more technical detail soon.