undefined | Better HN

0 pointsWorldMaker5y ago0 comments

> You're asking that Steam dedicate a fleet of thousands of servers to facilitate cracking your password. And on top of that, the service would also need a database that likewise serves billions of requests a second.

No, I'm just saying that I believe Steam presumably scaled naturally (through decades of growing usage and also decades of huge scale DDoS attacks) to something like that for other reasons and are possibly missing safeguards to prevent it being misused.

Obviously, I'm making cynical assumptions and failing to give Steam the benefit of the doubt here. I'm sorry.

> Additionally, modern hash algorithms like bcrypt are constructed so that they take considerable and configurable time (on any hardware), so the hashing rates are on the order of tens of thousands a second or less, instead of billions and trillions. Since Steam are evidently very concerned with account security, I'd guess they take advantage of these algorithms—and since you changed the password recently, it was probably hashed with the latest used algorithm.

The article points to evidence that the login system possibly hasn't been updated since around 2012. Plenty of systems were still using unsalted MD5 back in 2012. It's a huge assumption that they've kept up with modern hash algorithms.

Additionally, the SteamGuard files stored in the base client directory were reported to include MD5 hashes at least as recently as 2014. (Even worse that file contained long lived tokens directly able to bypass SteamGuard.)

I hope Steam is doing better than that today, but you can forgive my pessimism/cynicism after fighting this cycle much longer than I would have liked that the conclusions I jump to remain that Steam isn't doing enough to protect account security.

> It's time to accept that either your passwords are easily guessable, or are lifted from you in some way.

I've gone through a lot of paranoia and anxiety over this. I've done a lot to eliminate suspects and shrink attack surface, and continue to do so. So far as I can tell this is specifically a Steam phenomenon, Steam is the weak link in the chain, and my other accounts seem secure accept that my email providers report failed login attempts from the same IPs mentioned in SteamGuard emails shortly after the SteamGuard timestamp.

Anyway, I've expended too many words of paranoia and cynicism in this thread. I appreciate the attempts to help.

0 comments

aasasd5y ago

> Steam presumably scaled naturally (through decades of growing usage and also decades of huge scale DDoS attacks) to something like that for other reasons and are possibly missing safeguards to prevent it being misused.

Just to drive the technical point home: such scale is basically just not feasible. We're talking literally thousands of servers doing nothing but md5 hashes, to vaguely bring cracking a shortish password into the realm of possibility. No one would set up such a system, any sane sysadmin would investigate the load long before it gets to such scale, and the budget would raise questions. Even if Steam uses md5, every little piece of logic around the hashing function multiplies the CPU load compared to bare hashing.

DDOS protection is done on specialized hardware, again long before the count gets to thousands of servers. You buy a box and put it in your datacenter in front of the balancer servers. In my experience, one box nicely handled load going to about two hundred application servers (iirc), likely with plenty of capacity to spare.

See this vid for an example of how cracking was done on GPUs in 2016. Each of the GPUs cranks out ~10 billion hashes a second: https://www.youtube.com/watch?v=7U-RbOKanYs

Here's the current benchmark of frameworks doing bupkis but writing plain text in responses. I was mistaken in the earlier comment, it's about seven million responses a second: https://www.techempower.com/benchmarks/#section=data-r19&hw=...

So you can estimate the necessary time just with http responses: 50 alphanumeric characters is 62^50 = 4.16e89 permutations, divided by 7.3 million = 5.7e82 seconds, or 1.8e75 years.

On that four-GPU box from 2016, cracking would take 3.3e71 years—which is considerably better but still doesn't quite fit in the age of the universe. So even md5 stolen from Steam Guard wouldn't help much in the case of a long password (unless some miraculous attacks were developed since 2016).

aasasd5y ago

> So even md5 stolen from Steam Guard wouldn't help much in the case of a long password

(Though, with unsalted md5 or sha1, it's possible to find a shorter collision instead. But afaik it requires executing specific techniques instead of the regular algorithms, and obviously the Steam server isn't doing that, so it must be done locally with a stolen hash.)

j / k navigate · click thread line to collapse

0 comments

aasasd5y ago

See this vid for an example of how cracking was done on GPUs in 2016. Each of the GPUs cranks out ~10 billion hashes a second: https://www.youtube.com/watch?v=7U-RbOKanYs

So you can estimate the necessary time just with http responses: 50 alphanumeric characters is 62^50 = 4.16e89 permutations, divided by 7.3 million = 5.7e82 seconds, or 1.8e75 years.

aasasd5y ago

> So even md5 stolen from Steam Guard wouldn't help much in the case of a long password

j / k navigate · click thread line to collapse