ConsoleCity Forums  

Old November 10th, 2011, 06:30 PM   #1
RSS Bot
Bot
 
Join Date: Aug 2006
Posts: 125,989


Games Owned: 0
Games Wanted: 0
[Joystiq] Valve: Steam user database hacked, no evidence of personal info taken

In a message sent to all Steam users by Valve's Gabe Newell, it was revealed that the vandalizing of the Steam forums which occurred on November 6 was followed by an intrusion on "a Steam database." The hacked database included usernames, "hashed and salted" passwords, a transcript of game purchases, email and billing addresses, and encrypted credit card info -- though the message specified that Valve doesn't have any evidence of the intruders taking the credit card numbers or any other "personally identifying information," or that the encryption on said numbers or passwords had been cracked.

The company is investigating the incident, but as a few forum users have been compromised, all users must change their passwords during their next forum visit. Steam users aren't forced to change their passwords, but are encouraged to do so, especially if they match their forum passwords. Also, if your bank account, Paypal account, PSN, Xbox Live, email, AIM or, you know, anything shares your forum password, you should probably change that too, and then you should probably just move into a log cabin in the woods for a while.

You can read Newell's full message after the break.
Valve: Steam user database hacked, no evidence of personal info taken originally appeared on Joystiq on Thu, 10 Nov 2011 18:14:00 EST.



Old November 10th, 2011, 08:18 PM   #2
Aeon Storm
Moderator
 
 
Join Date: Feb 2003
Location: Green Hill Zone
Posts: 29,051


Games Owned: 2081
Games Wanted: 213
Exclamation

Change your shit if you haven't already.
__________________
SEGA hates me.
Old November 10th, 2011, 08:40 PM   #3
Vid Gamer
Registered User
 
 
Join Date: Nov 2000
Location: Astoria, NY
Posts: 20,876

Live!: BizzyBum
PSN: BizzyBum
Steam: BizzyBum

Games Owned: 375
Games Wanted: 0
This shit is getting annoying...
Old November 10th, 2011, 10:07 PM   #4
VampMan
Registered User
 
 
Join Date: Jun 2000
Location: Philadelphia PA
Posts: 5,926


Games Owned: 25
Games Wanted: 0
I was going to start a thread for this question but I'll just ask here instead. How much more secure would your password be if you typed it twice? Would there be anything that would make it more vulnerable than a string of the same length that didn't follow that pattern?
__________________
Push the envelope, watch it bend.
Old November 10th, 2011, 10:09 PM   #5
Viper
Administrator
 
 
Join Date: May 2000
Location: Colorado, USA
Posts: 13,004

PSN: JayCCity
Steam: jaycc

Games Owned: 690
Games Wanted: 64
Use lastpass or 1password so at least you don't have to worry about password reuse when these accounts get hacked. Though in this case if the passwords were salted and hashed it's unlikely that the hackers will be able to recover anything useful.
Old November 10th, 2011, 10:13 PM   #6
Viper
Administrator
 
 
Join Date: May 2000
Location: Colorado, USA
Posts: 13,004

PSN: JayCCity
Steam: jaycc

Games Owned: 690
Games Wanted: 64
Longer passwords are always better than shorter passwords. It's more difficult to brute force longer passwords. Repeating is probably fine as long as the repeated part isn't easy to guess. I don't know if brute force attackers attempt with repeated strings, but to be safe, assume they do.
Old November 10th, 2011, 10:25 PM   #7
Jerome
Registered User
 
 
Join Date: Sep 2000
Location: Michigan
Posts: 12,786


Games Owned: 95
Games Wanted: 0
Quote:
Originally Posted by Viper View Post
Longer passwords are always better than shorter passwords. It's more difficult to brute force longer passwords. Repeating is probably fine as long as the repeated part isn't easy to guess. I don't know if brute force attackers attempt with repeated strings, but to be safe, assume they do.
Here's an interesting write-up on passwords and what can constitute a really good password. I definitely agree with having longer passwords, and definitely not something so simple as dictionary words. It boggles my mind people still do that (and I know people who do!).

Anyway, I launched my Steam client a little earlier, and noticed the pop-up message from Gabe. I don't think there is a CC tied to my account, but I'm going to have to double check. I think I'm okay there (but hopefully that stuff is safe for everybody). I'm updating my password, just to be on the safe side though.
__________________
"In my time we didn’t depend on high-tech gadgets like you do. We didn’t need a mechanical washing unit to wash our clothes. We just used a washing machine!" ~ Philip J. Fry
Old November 11th, 2011, 01:34 PM   #8
fgarriel
Moderator
 
 
Join Date: Jul 2000
Posts: 22,325


Games Owned: 133
Games Wanted: 0
I use a guid generator for my passwords and change every 30 minutes.
Old November 11th, 2011, 02:56 PM   #9
Pahn
Moderator
 
 
Join Date: Jun 2000
Location: You know the place
Posts: 23,644

PSN: ivangimpo

Games Owned: 219
Games Wanted: 0
Quote:
Originally Posted by Jerome View Post
Here's an interesting write-up on passwords and what can constitute a really good password. I definitely agree with having longer passwords, and definitely not something so simple as dictionary words. It boggles my mind people still do that (and I know people who do!).
http://xkcd.com/936/

I'm thoroughly in that camp. It's so much nicer to type a long all-lowercase password than to bother with different weird requirements that differ with every site. Maybe not the most secure, but definitely easier. I wish IT people would heed that advice and change some policies. But it's probably dangerous for an IT person to run counter to the "common wisdom of best IT practices" even when the common practices are somewhat flawed.

I'm not saying that all lowercase is the answer. Ideally, a password should probably contain at least some of those other items...but requiring me to have 2 or 3 special characters and 2 or 3 numbers, and 2 or 3 uppercase, and 2 or 3 lowercase gets really annoying. I'm not sure that anything more than 1 each adds any real security against a brute force.

I'm also railing against the requirement to change passwords every 60 days or whatever (like at work). That shit gets annoying. Especially when you have 30 different passwords, each with different requirements, and each changing at a slightly different date. And there's no easy program to use to remember those passwords. So people resort to reusing passwords (bad) or writing them down (bad). If my employer would step into the 20th century, we could use our ID + one password to access everything. Then that one password could be incredibly hard to guess, but easy to remember if it's your only one.

Someday, maybe.
__________________
Pahn!
“About the only thing Lindsay Lohan and Elizabeth Taylor have in common is that your senses would be assaulted if you spread their legs right now and you’d get some awful disease if you fucked them."

Old November 11th, 2011, 08:25 PM   #10
Viper
Administrator
 
 
Join Date: May 2000
Location: Colorado, USA
Posts: 13,004

PSN: JayCCity
Steam: jaycc

Games Owned: 690
Games Wanted: 64
Quote:
Originally Posted by Pahn View Post
http://xkcd.com/936/

I'm thoroughly in that camp. It's so much nicer to type a long all-lowercase password than to bother with different weird requirements that differ with every site. Maybe not the most secure, but definitely easier. I wish IT people would heed that advice and change some policies. But it's probably dangerous for an IT person to run counter to the "common wisdom of best IT practices" even when the common practices are somewhat flawed.

I'm not saying that all lowercase is the answer. Ideally, a password should probably contain at least some of those other items...but requiring me to have 2 or 3 special characters and 2 or 3 numbers, and 2 or 3 uppercase, and 2 or 3 lowercase gets really annoying. I'm not sure that anything more than 1 each adds any real security against a brute force.

I'm also railing against the requirement to change passwords every 60 days or whatever (like at work). That shit gets annoying. Especially when you have 30 different passwords, each with different requirements, and each changing at a slightly different date. And there's no easy program to use to remember those passwords. So people resort to reusing passwords (bad) or writing them down (bad). If my employer would step into the 20th century, we could use our ID + one password to access everything. Then that one password could be incredibly hard to guess, but easy to remember if it's your only one.

Someday, maybe.
Using one password is only good if you can guarantee that the place where that password is stored is following proper procedures to keep it safe and unrecoverable. In this day and age, sadly, that's not the case.

There are good programs for remembering your passwords for you, LastPass and 1Password. They're not perfect, but they're really nice if you have an online account with more than one service.

I agree that rotating passwords is a worthless requirement. All it does is frustrate the user, and force them to forget or log their password somewhere that isn't secure.

Really long passwords that are easy to remember are the way to go, unfortunately a lot of websites/applications enforce a password maximum length requirement still, which is absolutely pointless if they're hashing and salting the password anyhow (which they should be, if they aren't, they're a prime target).
Old November 13th, 2011, 07:11 AM   #11
scottt
Registered User
 
Join Date: Aug 2000
Location: Ottawa
Posts: 10,079


Games Owned: 930
Games Wanted: 0
Changing passwords and limiting the length are two bad industry practices.

If you have a password that would take a million years to brute force through an online interface, why bother changing it?

Obviously, crackers start with a list of well-known passwords. Brute forcing passwords online would take forever. Breaking the encryption on a table that you have downloaded is only limited by the power of your CPU.

What keeps the cracker from downloading the scripts and software used to encrypt and salt the data while he's there?
__________________
kids, be open minded about Evil.
Old November 13th, 2011, 10:11 AM   #12
Viper
Administrator
 
 
Join Date: May 2000
Location: Colorado, USA
Posts: 13,004

PSN: JayCCity
Steam: jaycc

Games Owned: 690
Games Wanted: 64
Quote:
Originally Posted by scottt View Post
What keeps the cracker from downloading the scripts and software used to encrypt and salt the data while he's there?
Hashing and salting isn't the same as encrypting.

Hashing is a one-way algorithm, typically MD5 or SHA hashes are used. If you don't salt the passwords, the hacker can run your md5 hashes against a rainbow table (list of hashes that the original string is known for).

For example:

Say my password is "password", here's the md5 of that:

5f4dcc3b5aa765d61d8327deb882cf99

And here's a reverse md5 lookup of that hash:

http://md5.benramsey.com/md5.php?has...8327deb882cf99

Found easily, because the md5 hash of password is known and stored in lookup tables.

Now, say I salt the password with a 4 character salt:

password:a4f1

Here's the md5:

c48b14620c7fc7d521f21f74708b6251

And the lookup:

http://md5.benramsey.com/md5.php?has...f21f74708b6251

So even if the hacker has access to the md5 hashes, salts, and the code that salts and stores the password, it still becomes a guessing game (brute force). He can't just take the hashes and run them against a lookup table because the salt will make the hash change, and it's unlikely that it will match known md5 hashes. He'd have to take the salt, and combine it with common passwords, calculate the md5 of the combination until he finds a match. Possible? Yes, as it's just brute force, and if the hacker can do it locally, he can check many passwords much faster than trying to brute force an online system, so password strength is still important.

However, password strength is useless if the site that stores your password stores it in clear text (completely useless), un-salted (possibly useless, depends on the complexity of the password and the depth of the rainbow tables) or even two-way encrypted (possibly useless if the hacker has access to the keys used to encrypt the password).

Now, MD5 has its own issues due to collisions (same hash can represent two different strings), but there are better hashing algorithms out there, like SHA2.

In the end, don't use the same password in more than one place. It's the best practice, just in case a site you have an account with is ever compromised. Your password for that site may be found (whether it's in the clear, or the hacker uses a lookup table, or even brute forces it), but at least they won't be able to use your username/email + password combinations to unlock your accounts on other sites.
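Added example, not code from the thread, from Valve or from the site Viper links to. It runs through the two questions the thread raises: whether typing a password twice helps (VampMan's question in #4, Viper's "assume they try repeated strings" in #6) and why a salt beats a lookup table but not offline guessing (Viper's walkthrough in #12). MD5 is used only because the thread uses it; a real system should use a slow, salted password hash (bcrypt, scrypt, Argon2, or PBKDF2 as shown at the end). The wordlist, the salts and the "doubling rule" are constructed assumptions for the demo, not data from the breach.

```python
"""Salted vs. unsalted hashes, doubled passwords, and a slow KDF.
Added example; wordlist, salts and the doubling rule are assumptions."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the "list of well known passwords" a cracker starts with.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def candidates(words):
    """Guess order: each word, then the same word doubled (an assumed mangling
    rule; real crackers apply many such rules). Doubling adds one extra guess
    per base word, not a new search space."""
    for w in words:
        yield w
        yield w + w


def build_lookup_table(words):
    """Precomputed hash -> plaintext map, built once and reusable against every
    site that stores unsalted MD5 (a rainbow table does this with less memory)."""
    return {md5_hex(c): c for c in candidates(words)}


def lookup_unsalted(stored_hash, table):
    """One dictionary probe per leaked hash, no per-user work."""
    return table.get(stored_hash)


def store_salted(password, salt=None):
    """The thread's scheme: md5(password + ':' + salt), salt kept next to the
    hash. A random per-user salt is the assumed default."""
    salt = salt or os.urandom(4).hex()
    return salt, md5_hex(f"{password}:{salt}")


def crack_salted(salt, stored_hash, words):
    """The salt sits beside the hash, so it is not secret; the attacker simply
    recomputes every guess per user. Returns (plaintext, guesses tried)."""
    n = 0
    for n, c in enumerate(candidates(words), 1):
        if hmac.compare_digest(md5_hex(f"{c}:{salt}"), stored_hash):
            return c, n
    return None, n


def store_pbkdf2(password, salt=None, iterations=100_000):
    """Slow, salted KDF: the same guessing applies, but each guess now costs
    'iterations' hash calls instead of one."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk.hex()


def crack_pbkdf2(salt, iterations, stored_hex, words):
    n = 0
    for n, c in enumerate(candidates(words), 1):
        dk = hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations)
        if hmac.compare_digest(dk.hex(), stored_hex):
            return c, n
    return None, n


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: md5("password") is the well-known value quoted in the thread.
    unsalted_hit = lookup_unsalted(md5_hex("password"), table)

    # Salted with the thread's 4-char salt: table miss, per-user guessing hit.
    salt, salted = store_salted("password", "a4f1")
    table_miss = lookup_unsalted(salted, table)
    t0 = time.perf_counter()
    salted_hit, salted_guesses = crack_salted(salt, salted, COMMON_PASSWORDS)
    md5_time = time.perf_counter() - t0

    # Doubled password: falls one guess after its base word comes up.
    salt2, salted2 = store_salted("dragondragon")
    doubled_hit, doubled_guesses = crack_salted(salt2, salted2, COMMON_PASSWORDS)

    # Slow KDF: same guess count, but each guess is ~100k times more expensive.
    s, it, dk = store_pbkdf2("password")
    t0 = time.perf_counter()
    kdf_hit, kdf_guesses = crack_pbkdf2(s, it, dk, COMMON_PASSWORDS)
    kdf_time = time.perf_counter() - t0

    return {
        "unsalted_lookup": unsalted_hit,
        "salted_lookup": table_miss,
        "salted_crack": (salted_hit, salted_guesses),
        "doubled_crack": (doubled_hit, doubled_guesses),
        "kdf_crack": (kdf_hit, kdf_guesses),
        "slowdown": kdf_time / max(md5_time, 1e-9),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salted hash never matches the precomputed table, but because the salt is stored next to the hash the cracker recovers "password" in three guesses anyway; only the per-guess cost of the slow KDF changes the economics. The doubled password is found one guess after "dragon" itself, which is the thread's point: repeating a guessable string buys almost nothing once the attacker applies that rule.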
Old November 17th, 2011, 06:23 AM   #13
scottt
Registered User
 
Join Date: Aug 2000
Location: Ottawa
Posts: 10,079


Games Owned: 930
Games Wanted: 0
MD5 is not encryption; it's just a type of CRC.

Once you're offline, brute forcing doesn't take that long if you have the hardware.

Also, you don't have to rebuild the entire table before you start looking for matches.
__________________
kids, be open minded about Evil.
Old November 17th, 2011, 09:58 AM   #14
Viper
Administrator
 
 
Join Date: May 2000
Location: Colorado, USA
Posts: 13,004

PSN: JayCCity
Steam: jaycc

Games Owned: 690
Games Wanted: 64
Quote:
Originally Posted by scottt View Post
MD5 is not encryption; it's just a type of CRC.
Yes, I never said otherwise.

Quote:
Once you're offline, brute forcing doesn't take that long if you have the hardware.
Agreed, but it takes longer if they can't use rainbow tables (hash is salted).

Quote:
Also, you don't have to rebuild the entire table before you start looking for matches.
Not sure what you're referring to here.