
If you use Steam, you should be aware that they have been compromised recently. Their online forums have been defaced and intruders have also gained access to a Steam user database that contains, among other things, usernames, salted and hashed passwords, games purchased, billing information, and encrypted credit card details.

First, a quick overview of the related computer security topics, then some advice on what to do if you read about this type of thing happening to one of your accounts.

"Hashing" something (such as a password) means to run it through a one-way function. This explains the concept in more detail if you're curious. The result of a hash is often called a "digest". When the user account is first created on a computer, the user types in a password, the password is hashed, and the digest is saved on the computer. The password itself is not saved on the computer, and the digest cannot be converted back into the password. When a user logs into the computer, the password that he/she types in is run through a hash and the resulting digest is compared with the stored digest. If the digests match, the password is correct.

The problem with simply hashing passwords is that somebody with a lot of computer time and a lot of storage can make a program that creates a dictionary of words, hashes each of those words, and stores a digest for each word. This is called a rainbow table. Somebody with a rainbow table and a database full of password digests can compare the two quickly and come up with a list of accounts that have passwords that match words in the rainbow table. So then somebody came up with the idea of salting.

To "salt" a password, random text is generated when a user first sets a password on his/her account. This text is added onto the password the user has entered before it is hashed. The text is also stored with the user account. The next time the user logs in, this salt is added to his/her password attempt before it is hashed and compared with the stored digest. Because of rainbow tables, salting passwords before they are hashed is a common security practice, and with a sufficiently large salt and password length this can make rainbow tables ineffective.

One-way hashing is great for one-way checks like password comparisons, where the real information will be supplied, hashed, and compared to a digest. But for things like credit card information, where the data is stored and reused automatically (recurring monthly billing, or buying from an online merchant without re-entering your card every time), the server must be able to decrypt those encrypted records. If somebody copies a database with encrypted data AND figures out how the system decrypts it for billing...

Also, even if passwords are salted and hashed (sounds kind of delicious) it's still possible for someone to figure them out through a process called brute force. This may consist of a program that guesses weak or common passwords and tries them against every user account in the database. This is far less desirable for an attacker than using a rainbow table because it takes more time and usually offers fewer results, but it'll reveal the accounts with the weakest passwords in a reasonable timeframe.
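To make the salting and hashing described above concrete, here is a small added example (not code from Steam or from this diary) that stores only a random salt and an iterated digest per account, verifies login attempts against them, and refuses the kind of common passwords that brute forcing finds first. The iteration count, the 16-byte salt and the short word list are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Iterating the hash makes every guess cost the attacker as much as it costs us.
ITERATIONS = 100_000

# Constructed sample of easily guessed passwords; a real list would be far larger.
COMMON_PASSWORDS = {"secret", "iforget", "password", "123456", "melon"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes of salt, stored next to the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the attempt with the account's stored salt; compare in constant time."""
    _, digest = hash_password(attempt, salt)
    return hmac.compare_digest(digest, stored_digest)


def register(users: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Reject dictionary words at sign-up; otherwise keep only salt and digest."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    users[username] = hash_password(password)  # the password itself is never stored
    return True


def same_password_different_digests(password: str) -> bool:
    """Two accounts with the same password get unrelated digests because of the salt,
    so one precomputed table cannot be matched against the whole database."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    db: Dict[str, Tuple[bytes, bytes]] = {}
    print(register(db, "alice", "secret"))                    # False, rejected as common
    print(register(db, "alice", "Pineapple-7-lantern"))       # True
    salt, digest = db["alice"]
    print(verify_password("Pineapple-7-lantern", salt, digest))  # True
    print(verify_password("pineapple-7-lantern", salt, digest))  # False
    print(same_password_different_digests("melon"))              # True
```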

So, some things to consider if your account with an online service may be compromised:

  • If your password is the same or similar to the password on your e-mail account, change your e-mail account password immediately.  Many websites will, if you've forgotten your password with them, allow you to reset your password by following a link they'll e-mail to you.  If an attacker has access to your e-mail account, he/she can use this feature to compromise your account on any system that uses this feature.
  • If your password is the same or similar to passwords on other websites that use your e-mail account as your username, change your passwords on these websites.
  • Use a unique and strong password for each account you've got. Easier said than done, I guess, but there's no substitute for it.
  • If credit card information is ever part of a compromise, whether encrypted or not, watch your credit card statements like a hawk. Avoid using check cards online or maybe altogether if you can -- my friend is now waiting 10 days for his bank to refund $500 to his account because his card was fraudulently used in a different country. You should also make note of any services that automatically bill you via credit card and prepare to change your details with them should you have to report your current card stolen.
  • Be aware that with the combination of your card information and your e-mail address, billing address, or phone number, someone can more convincingly impersonate your bank or credit union when attempting to phish information from you. They may seek details of how to get into your online banking account, for example.
  • If your phone number is involved in a compromise, don't rule out the possibility of the intruders impersonating your bank or other authority over the phone and soliciting sensitive information from you. When my card was briefly shut off by my credit card company (they thought buying several things online was suspicious), the company's security department called me and asked for the name of my bank, my date of birth, my social security number, and, if I recall correctly, the credit card number. There's nothing stopping an enterprising malcontent with some of that information from doing a little telemarketing to get the rest. If you must give sensitive information over the phone, it is best to get a phone number to call yourself and verify that number online first by putting it into a search engine to make sure it's affiliated with the company you want to talk to. Don't call us, we'll call you.
  • In addition, to foil phishing, don't follow links that are sent to you by e-mail; type your online banking website address (or online auction web address, or PayPal web address, etc.) directly into your address bar when you want to visit, or make it a bookmark/favorite in your web browser. If your bank or other institution seems to ask for personal details through e-mail for whatever reason, ignore it. And if it's really them and they complain or mess with your service, loudly chastise them and move your money elsewhere (of course, some people are already ahead of me on this).

Anyway, I'm sorry to hear about this because I really do enjoy using Steam. But hopefully this information will be of some use to you if one of your own favorite e-tailers gets broken into in this fashion.


  •  Ugh, another password to change. (4+ / 0-)

    It seems like I gotta do this every other week.

    Thanks for the valuable information. Is it possible for those who accessed the database to decrypt the salted passwords? Didn't Gawker have encrypted passwords but they were still cracked anyway?

    #occupywallstreet "Either you taste, feel and smell the intoxication of freedom and revolt or sink into the miasma of despair and apathy. Either you are a rebel or a slave." -- Chris Hedges

    by pot on Fri Nov 11, 2011 at 01:25:09 AM PST

    •  Well... (2+ / 0-)

      Salt is typically added to the password. So if my password is "melon", a two byte salt might change it to "uZmelon", and a ten byte salt could change it to "kE8Cnjs3Iomelon".

      Short salts with short (or easy) passwords could feasibly be cracked by rainbow tables.  Better security calls for using long salts, requiring long passwords, and using a hash function that is sufficiently difficult to deter brute forcing.

      If the Wikipedia article is accurate, Gawker was using an inadequate hash function (DES) and a tiny bit of salt (12 bits, or about one-and-a-half characters' worth). DES only works on the first 8 characters of the password -- "computer" and "computerman5000" would be treated as the same password.

      A better system might use SHA-256 and 16-32 bytes worth of salt.

      I would believe Steam passwords are stored more securely than Gawker's were. But even with the best hash function and copious amounts of salt, an attacker can figure out weaker passwords with a copy of the salt, the password digests, and knowledge of the hash function used. It's pretty trivial to write a program that reads the salt and digest from a user account and just try one password after another against it, and there are dictionaries of common passwords out there that you can feed to such a program to quickly ferret out any weak passwords that exist in the database.

      Those dictionaries are also often used when users create an account to tell them whether their password is easily guessed.

      •  It is quite stunning how fast.. (1+ / 0-)
        Recommended by:
        ferment

        a brute-force password crack can be done these days.  People have been able to program mid/high-end graphics cards to do these things - these cards oftentimes have several hundred GPUs (graphical processing units), and each one can try a single password combination.

        The specifics are going to depend on the algorithm used, of course, but I have seen sample programs that demonstrate password cracking that can come up with a password in a matter of minutes.

        That's part of the reason that they want to force you to use special characters in your passwords these days - essentially there are a larger number of combinations that one would need to check for a brute-force search.

    •  What I guess I'm trying to say (1+ / 0-)

      (Previously in long form because I'm tired and rambling) is, yeah, assume if somebody's got a copy of the Steam database that they can determine the passwords to your Steam forum account and your actual Steam account.

      If that's the case, they probably won't (or really can't) crack all of them; it's likely they can crack some of them, and the ones that they crack will probably be the low-hanging fruit like "secret" or "iforget". I'm changing mine anyway though.

  •  I have to get some sleep (2+ / 0-)

    So it'll be a while before I'm back to respond to comments.  I just wanted to get this information out there to the handful of people who might not have heard it yet.

    I wish the industry could figure out this whole credit card security thing, but from what little I've dabbled in e-commerce it seems like a tough problem, especially if the card numbers have to be stored somewhere.

  •  Apple Store under siege too (5+ / 0-)

    Recently there have been an increasing number of accounts hacked and fraudulent purchases made on Apple accounts which at first they were stonewalling but now seem to be taking seriously.

    If you have any Apple online account, I strongly suggest you log in to see if any unauthorized purchases or changes have been made, to change your password and delete your credit card information (it can be re-entered later to make a purchase).

    If your account has been hacked, don't waste time with online support but contact Apple directly:

    USA  408.996.1010

    Here is a thread where users are discussing the details of their hacks for your reference:

    https://discussions.apple.com/thread/2665383?start=825&tstart=0

    That is a link to the most recent page in the thread at this time; you can backtrack previous threads to get a better idea of the methods being used and tell-tale signs that may appear in your account.

    As diarist says, set a STRONG password.

    What about my Daughter's future?

    by koNko on Fri Nov 11, 2011 at 02:04:19 AM PST

  •  Excellent technical explanation! (5+ / 0-)

    Thanks for posting this.

  •  Interesting that you post this on Veterans Day (3+ / 0-)
    Recommended by:
    DWG, milkbone, ferment

    because about three years ago, on Veterans Day, I discovered that a script kiddie had hacked into my Bank of America card account and put a Final Fantasy monthly charge on it.

    I called the emergency number on the back of the card to report it, and was appalled to find the lost/stolen card department closed for the holiday.

    It's a good thing the kiddie didn't think to take advantage of Veterans Day sales.

    (And it took three weeks for BofA to replace the card.)

    The thing about quotes on the internet is you cannot confirm their validity. ~Abraham Lincoln

    by raboof on Fri Nov 11, 2011 at 03:29:20 AM PST

  •  Tip from a professional inside >> (1+ / 0-)
    Recommended by:
    ferment

    When you create your password, it can be something easy to remember but nearly impossible to break.

    dragon!!!!!!$$$$$$

    Above is an example.

    Check your password against the one above:

    http://www.passwordmeter.com/

  •  If you start using strong passwords.. (1+ / 0-)
    Recommended by:
    ferment

    and especially a different one for different accounts, then a password vault is a useful thing to have.  All you need to remember is the vault password.

    I use this one:

    http://passwordsafe.sourceforge.net/

  •  Actually Brute Forcing something doesn't take long (2+ / 0-)
    Recommended by:
    FG, ferment

    Google up CUDA multi forcer.  While desktop CPUs are limited to the quad and hex core CPUs made by Intel in Windows and Mac platforms, or the octa and 12 core AMD CPUs on Windows, video cards contain hundreds of cores.  My main system has 3x GPUs each with over 400 cores.

    These cores can be used for brute force attacks, and when it's done via GPU, brute forcing is so stupidly fast and easy that it makes a mockery of even 48 character full ASCII passwords; it's rather hilarious.

    Yeah if you're living in the 90s or using a laptop with an anemic GPU that's not an option, but if you have serious hardware GPU cracking is where it's at and password strength means nothing once that gets involved.

    "Foolproof systems don't take into account the ingenuity of fools."

    by overclocking on Fri Nov 11, 2011 at 05:41:34 AM PST

    •  It depends. (0+ / 0-)

      If you use something like SHA-256 it's currently a good idea to iterate the hash a lot (100,000 times?) when computing the digest for passwords. But, yeah, none of this lasts forever. I've seen the lengths people have gone to for Bitcoin mining.

      From what I hear the new hotness for password safety is bcrypt, but I haven't used it yet.
