FYI: Steam accounts were hacked (around 10th November)

[User137]

I did see the links, but they are not supercomputers that i mentioned, they are like this:

256-bit encrypted text which any password can be made into, is unbreakable for them. I didn't find very good references yet, but this is some:
http://en.wikipedia.org/wiki/Key_siz...e_force_attack
or this: http://www.innovativedevice.com/keyo...k/Exemple2.asp
or how maker of password recovery tool explains, that length of 8 small a..z characters would take 3 years on his home computer
http://www.dekart.com/howto/howto_di...lost_password/

[paul_nicholls]

I did see the links, but they are not supercomputers that i mentioned, they are like this:

Ma! Ma!...can I have one of those for christmas Ma?...please??!?

[SilverWarior]

@User137
Your last link point to an article wich explains aproximate times wich would be needed for password breaking. But have you checked on what kind of a computer (P4 1.6 GHz with 512 MB of RAM). Man that's almost ten years old computer now. If you check http://www.cpubenchmark.net/cpu_list.php wich provide some benchmarking results you could se that Intel Pentium 4 1.4GHz processor got Passmark CPU Mark score 166 , while my AMD Turion X2 Dual Core Mobile RM-70 wich I have on my laptop got Passmark CPU Mark score 1019. That means that my processor has about 6 times more computational power than Intel Pentium 4 1.4GHz wich would result in using 6 times les time for data decryption. And my processor isn't near as powerful as some other processors are today. Acording to the benchmarks on pre mentioned page the processor with the most processing power is Intel Core i7-3930K @ 3.20GHz wich have Passmark CPU Mark score 15153. That is prox. 91 times more than Intel Pemtiom 4 1.4GHz. This means that it would dercypt the data about 90 times faster. So don't belive the times in that old article of yours.
And until now I was only talking about decryption with the plain power of CPU while also utilizing GPU power makes decryption much fster, upto 7 times faster on recent graphics cards and that is by asumption that you use only one graphic card. But if your system has more than one graphic card the gain would be even greater.

Now imagine that you use 1000 computers equiped with Intel Core i7-3930K @ 3.20GHz processor, each also utilizing the power of graphic card and do some calculation in what would be the requred time for breaking data 256- bit encyption.

[User137]

Yes i did see that it is an old article... I also noticed that it paid no attention to encryption algorithm, only that it will attempt a password bruteforce with all possibilities. It depends on encryption, software built in delays for password attempts and so forth.

1.6GHz is not actually too old computer. Even if modern gaming PC is 100 times faster it's still not reaching the speeds required. Multiply mega multimedia PC by 1000 and we are still only at 100000 readings. The calculation times for this kind of encryption at 256 characters is a number with thousands of zeroes. He didn't even display it, you can only talk about it in theory level as they are too large numbers to put on a calculator.

I mean, the number 3.3 years (or 1204days) was a little irrelevant to the topic because passwords aren't normally just small letters. 4032yrs he counts for a..Z,0..9 which is 1471680 days. Given 100000 times more processing power multimedia computer network would crack that in 2 weeks. Now add to that a complex encryption algorithm that multiplies calculation time for single word by 1000. That's propably what AES-256 or something would do.

Then add salt to the password to make it 256 characters long and the calculation time goes out of charts.

[LP]

I mean, the number 3.3 years (or 1204days) was a little irrelevant to the topic because passwords aren't normally just small letters. 4032yrs he counts for a..Z,0..9 which is 1471680 days. Given 100000 times more processing power multimedia computer network would crack that in 2 weeks. Now add to that a complex encryption algorithm that multiplies calculation time for single word by 1000. That's propably what AES-256 or something would do.

You are continuously basing your arguments on Nirvana fallacy by assuming unrealistic base case scenario and supporting your arguments on False dilemma fallacy by assuming that the solutions you have mentioned are the only ones to exist (or assuming lack of better alternatives thereof).

Yes, some people like yourself, me and others on this forum might use different letters and symbols, but inexperienced people, which are the majority, keep using passwords with the name of their pets, ex-girlfriends, movie characters and even their own names. You also keep insisting that the password is perfectly unique, has perfect entropy, has been salted properly, has been hashed properly and that no information is used about the user to guess the password faster. You also assume that hackers will be using some non-professional freeware program made by some random guy on a random machine that was meant to run some games and word applications to crack the perfectly ciphered password.

If you wish to tie yourself to unrealistic theoretical best-case scenarios to achieve false sense of security, it is okay, but I believe that in this particular case of hacked Steam accounts doing so would be a mistake.

[paul_nicholls]

LOL! Wow! I certainly started a big 'discussion'!

[LP]

LOL! Wow! I certainly started a big 'discussion'!

Stream is actually a popular topic and the security concerns everybody, so something interesting can come up out of these discussions.

In my own case I'm lucky not to use Steam, but what would happen if to the same degree GMail/Hotmail/Yahoo accounts would get stolen?

[User137]

Nobody has really given any counter argument to math i have provided. I gave different propability scenarios that should give some kind of hints. It's true that:
- If you prove that bruteforcing through all password combinations takes 1000000 years, how likely is it that someone can optimize the algoritm by 99.9999% so that calculation is done in reasonable time?
- You don't have to bruteforce the full range of random words, just up till first match. You may be lucky sooner or later.
- If no salt is involved, you can use many optimizations like premade lists that guess by ignoring unlikely words like aaa*, bbg* and so forth. There can be alot more optimizations i don't know about.
- If hackers get to know salt algorithm they wouldn't need to go through all 128-256 lengths, but usual 8-10 char lengths that are unsalted passwords.

This wasn't Steam talk now. There is nothing to discuss about it as long as we have no details on how their systems work. In general, if hackers get access to passwords its fault of other things. Low security systems. Most hacked sites that get news popularity propably had their passwords stored as plaintext. Properly encrypted system is truly unbreakable, there's just too many web hosters that make errors in 1 thing or another. It is tough to protect against all possible attacks, but that is a different topic.

It is that you make encryption sound as breakable as cookie that makes me defend it so heavily. To give another simple example, if i selfkeep a 256 bit xor key for text, how would you be able to crack the text? Nobody could, in million years.

[LP]

<edit>
After some thinking I've got your point that you are only defending the encryption method itself. There are also some flaws in the reasoning you provide to which I do not agree, but maybe this is for a another discussion.

To resume, my point is that although in a perfect scenario it is infeasible to break 256-bit encryption on a purely theoretical level, the specific case of stolen Steam account information has a high chance (e.g. bigger than 50%) of being revealed to third party, even though it *might* have used 256-bit encryption to secure its data.

[SilverWarior]

All I wanted is to point out that having ecrypted data does not guarantee its security. Nowadays computers and especialy computer clouds offer huge computational power wich makes data encryption wich has been considered perfectly safe a few years ago, not so safe anymore. If we are hones no data encryption is perfectly safe.

But now I'll point out another thing that might result in ever bigger discusion.

What if hackers don't have to do any data decryption afterall?
Various articles about Steam hack only says that data from the user accounts database was stollen, but no article wich I read doesn't says how that was done. If hackers managed to copy database data as copying database file-s then they will definitly need to decrypt the data before using it. But what if they managed to copy database data by interfaceing to the database itself fooling it that they are some steam web application? This way they might have managed to retrive already decrypted data as usualy data encryption is done with database engine itself.

If we take into account that steam system isn't run just on one server it means that the database itself had to be globally available. This means that hacker had ability to imposter as being one of those servers and accesing a database this way. Offcourse they needed to have proper database login creditentials to gain acces to the database data, but since it isn't very likly that database creditentials are being periodicaly changed they had lot's of time in trying it out (trying a few hundreds of password one day, a few hundreds next day, and so on). All that they had to do is keep number of login trials (guesing of passwords) low enough for not trigering anny alarms and that is all.