It’s perfectly clear what it means.

http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Cryptographic_hash_function

The internet is pretty tricky to use these days.

lol someone must have installed origin

Who cares what the intruders did or did not take, ¿will I buy again from a company that is vulnerable to credit-card encrypted data snacth? – I DON´T THINK SO… but Gabe is very, very, very sorry that this happenned, so it´s alright ¬¬´

Ure an idiot…

Wow if only steam had employed you to solve their security problems, who would have thought this could all have been prevented by a simple firewall.

I would have thought the exploit would have occurred using an exploit in the forum software, which would have been accessible on port 80, a firewall would only work if they blocked port 80 outright – which means nobody could have accessed the site at all. But hey, you’re the security expert and steam are the idiots. Right.

Can I have some clarity on how you are a CTO, unless of course, your CTO means: “Cock Toking Orifice”

less of a CTO than you are, he was asking the article not to be retarded.

A salted hash is MUCH safer than an unsalted hash.

Basically, they’ll be able to crack your password **if they randomly pick your account to try and hack**.

It is like giving them a bag full of 7×7 rubic cubes.

If they pull the rubic cube out that has your password on it, they can solve the cube and get your password. But it doesn’t help them with the next 25 million rubic cubes in the bag, they still have to solve those ones too.

So individual accounts will be hacked as a result of this, but it isn’t like they have a database full of usernames and passwords.

The main problem here is I bet most users use the same password that their email login uses that they registered with Value. This means you not only need to change your Value login, but also your email account as well otherwise they could be accessed and owned. Salted hashes are easy to crack using oclHashcat but the sheer number of salted hashes does slow it down a hell of a lot.

I love how people are still defending Valve and Steam. They effed up people! Total FAIL. Steam is a shoddy client that should be frickin’ OPTIONAL. The SSA is horseshit. The client doesn’t prevent piracy. It doesn’t provide services gamers would miss – if it did the SSA wouldn’t need to exist – it should attract gamers by being a good service, not by being mandatory.

I hope Valve continues to get rogered again and again, and again, and again… until it becomes an optional client for legit gamers who see it for what it is. A taint to all PC games that ship with the SSA.

I don’t get your point. Is there some way that Steam users should react to this differently because it’s “they have everything they need to recover your password” and not “they have your password”? Because if that’s what you’re trying to say, you’re frankly full of crap.

do any of you understand how salts work? without the salt the hackers aren’t getting the passwords. Now if they obtained the salt as well from Valve’s code then rainbow tables can probably crack most of the accounts with minimal effort. Also to clarify to post author, hash+salt != encrypted

As a guy who is an information security professional protecting systems on par with the complexity of Steam on a daily basis (for two decades now), and who routinely deals with clients who have significant breaches, allow me to give you my perspective on how “great” a job they did. They got hacked. Clearly for some folks, that’s an “it happens, no system is 100% secure, yada-yada, insert excuses here”. That’s a lousy, lazy way to look at it and I wouldn’t employ an executive that saw it that way, but that’s a different discussion for a different time. Let’s look at what they’ve said and assess the basic blocking and tackling stuff. Apparently they didn’t know about the breach until the hackers defaced web sites. Why not? The user database was compromised, but they don’t know for sure if credit card numbers were stolen. Why not? We routinely deploy off the shelf technology to answer those questions, because when you’ve been breached, those are the only questions that matter, and “reasonable precautions” in my world include being able to answer these questions. Not some time in the future, not “we think” or “maybe”. Indeed, for some of my clients, not being able to answer those question, promptly and completely, is is a company-ending proposition. In my judgement, what has been published points to “minimal precautions”, not “reasonable”, considering the data they were storing.

So if you want to play “ignore that giant elephant in the room…look at how stupid the journalists are because they got a trivial detail wrong”, then go ahead. If you want to assert “just how little was compromised”, go for it. But in my world, it’s pretty clear that the *only* thing Valve got right is prompt disclosure. Don’t get me wrong, that’s a big deal, and I applaud them for it. But even an cursory survey of previous breaches teaches one that simple username+password disclosures can have broad negative impact, and at a minimum this one includes more personal information than that. Being an apologist and attempting to play down the seriousness of this incident is, at best, irresponsible.

It is not clear (at least to me) that reasonable precautions were not in place. Not knowing the exact details may be a matter of timing. They may still be evaluating log data (it takes time as you know). They also may have the information and not be willing to share because they don’t have a fix yet.

Steam is such a Joke!
My account was Hacked & the only way to get support is to sign in.
Now How am I supposed to sign in if I got hacked.
Stupid Useless Steam!

Sure, you also blame the people that had burglars for the fact that they got robbed. Not the burglars. I mean, they should have placed fences, alarms, ap-mines and such to stop the burglars, right.

Maybe he could make up for it by MAKING HALF LIFE 3, DARNIT.