Steam database hacked

Post » Thu Dec 08, 2011 5:44 pm

Can't say it shatters my world. The e-mail I used was a secondary one, and there's no credit information linked to my profile whatsoever.
Farrah Barry
Posts: 3523
Joined: Mon Dec 04, 2006 4:00 pm

Post » Thu Dec 08, 2011 10:25 pm

At least the credit card numbers were hashed and SALTed. But still, there are some who don't (Sony), which is why I purchase most of my games in the store.

I guess you could say...

That's a leaky Valve.

YEEEEEEEEEEEEEEAAAAAAAAAAAAAAAAH!
No Name
Posts: 3456
Joined: Mon Dec 03, 2007 2:30 am

Post » Fri Dec 09, 2011 4:15 am

That's a leaky Valve.

Yeah, it's blowing Steam all over the place.
SWagg KId
Posts: 3488
Joined: Sat Nov 17, 2007 8:26 am

Post » Thu Dec 08, 2011 8:25 pm

1. Get a password manager
2. Have it generate completely random and strong passwords for all your accounts
3. Have it remember all your passwords for you
4. ????
5. PROFIT!!!

Until the password manager gets hacked or the password manager tells you to pay or else they'll put all your passwords on the internet.
Agnieszka Bak
Posts: 3540
Joined: Fri Jun 16, 2006 4:15 pm

Post » Thu Dec 08, 2011 12:41 pm

Just a quick heads-up that at least one person I know mentioned some fraudulent purchases appeared on his card that was on Steam, so do be on the watch if your credit details were stored online.
Céline Rémy
Posts: 3443
Joined: Sat Apr 07, 2007 12:45 am

Post » Thu Dec 08, 2011 6:14 pm

Just a quick heads-up that at least one person I know mentioned some fraudulent purchases appeared on his card that was on Steam, so do be on the watch if your credit details were stored online.

Really? What was the charge from? Did that person use their credit card elsewhere, or only on Steam?
joseluis perez
Posts: 3507
Joined: Thu Nov 22, 2007 7:51 am

Post » Fri Dec 09, 2011 4:41 am

Really? What was the charge from? Did that person use their credit card elsewhere, or only on Steam?

They didn't say, but they're certain the card number could only have come from Steam (they haven't used it elsewhere for a while.)
LijLuva
Posts: 3347
Joined: Wed Sep 20, 2006 1:59 am

Post » Fri Dec 09, 2011 1:56 am

Just a quick heads-up that at least one person I know has had some fraudulent purchases appear on his card that was on Steam, so do be on the watch if your credit details were stored online.


The hackers are having a field day. I've seen reports of accounts being hacked for days now, and have an idea how it's happening (bitter experience). Password security doesn't mean squat when you inadvertently install a keylogger.
Antonio Gigliotta
Posts: 3439
Joined: Fri Jul 06, 2007 1:39 pm

Post » Thu Dec 08, 2011 3:14 pm

Until the password manager gets hacked or the password manager tells you to pay or else they'll put all your passwords on the internet.

KeePass saves your passwords in an encrypted file on your PC, or wherever else you choose to store it, not an internet database.
sarah taylor
Posts: 3490
Joined: Thu Nov 16, 2006 3:36 pm

Post » Thu Dec 08, 2011 8:28 pm

Wonderful. Just wonderful. So now not only are publishers forcing this software I don't want on me in the name of copyright protection, but now the company that makes that software has all my personal information, including possibly my billing address and credit card info. Great. I only used Steam under great duress as it's the only way to play the PC version of Skyrim, but I've always hated it, and this is just one more reason. There is absolutely no reason whatsoever that a single-player offline game like New Vegas or Skyrim should require Steam, and now thanks to this security breach I will never again buy any game that requires Steam. Ever.

If I hated Steam before I despise it now.
Love iz not
Posts: 3377
Joined: Sat Aug 25, 2007 8:55 pm

Post » Fri Dec 09, 2011 2:48 am

Wonderful. Just wonderful. So now not only are publishers forcing this software I don't want on me in the name of copyright protection, but now the company that makes that software has all my personal information, including possibly my billing address and credit card info. Great. I only used Steam under great duress as it's the only way to play the PC version of Skyrim, but I've always hated it, and this is just one more reason. There is absolutely no reason whatsoever that a single-player offline game like New Vegas or Skyrim should require Steam, and now thanks to this security breach I will never again buy any game that requires Steam. Ever.

If I hated Steam before I despise it now.

You're pretty true to your avatar, aren't you?
Jeneene Hunte
Posts: 3478
Joined: Mon Sep 11, 2006 3:18 pm

Post » Fri Dec 09, 2011 1:43 am

Wonderful. Just wonderful. So now not only are publishers forcing this software I don't want on me in the name of copyright protection, but now the company that makes that software has all my personal information, including possibly my billing address and credit card info. Great. I only used Steam under great duress as it's the only way to play the PC version of Skyrim, but I've always hated it, and this is just one more reason. There is absolutely no reason whatsoever that a single-player offline game like New Vegas or Skyrim should require Steam, and now thanks to this security breach I will never again buy any game that requires Steam. Ever.

If I hated Steam before I despise it now.


I suggest that if you truly hate Steam you should not buy Steamworks games as that only puts even more money in the Publisher's pocket. Missing out on TESV is a small price to pay to make a statement.
Carlos Rojas
Posts: 3391
Joined: Thu Aug 16, 2007 11:19 am

Post » Fri Dec 09, 2011 12:16 am

I suggest that if you truly hate Steam you should not buy Steamworks games as that only puts even more money in the Publisher's pocket. Missing out on TESV is a small price to pay to make a statement.



True. Yes, I hate publishers forcing me to use Steam for retail games (it isn't Steam itself that bothers me so much, but publishers using Steamworks as DRM for retail games), but I figured that I could put up with it for Skyrim. Now after all this I will never buy a Steamworks game again. Ever. If that means missing out on future TES games, or having to play them on the consoles (which is definitely not my platform of choice), then so be it.
Lauren Denman
Posts: 3382
Joined: Fri Jun 16, 2006 10:29 am

Post » Fri Dec 09, 2011 12:41 am

True. Yes, I hate publishers forcing me to use Steam for retail games (it isn't Steam itself that bothers me so much, but publishers using Steamworks as DRM for retail games), but I figured that I could put up with it for Skyrim. Now after all this I will never buy a Steamworks game again. Ever. If that means missing out on future TES games, or having to play them on the consoles (which is definitely not my platform of choice), then so be it.

The money still goes to the publisher.
Harry Leon
Posts: 3381
Joined: Tue Jun 12, 2007 3:53 am

Post » Thu Dec 08, 2011 5:41 pm

PS: Some hashed, salted etc. passwords can be de-encrypted. I've had to do it in the course of my regular job type stuff. Here's to hoping nobody re-used a Steam account password for other services. But, what's the chances of that, right?

Of course there'll be some that can be done easily, though I expect that if it's done right those should be very few and far between. And really, anything can be decrypted, even stuff like well-implemented AES-256; it's just a matter of time and resources (with AES and current tech, even governments would have trouble doing so before the end of the universe :P). As always with data security, complete impenetrability is an unobtainable ideal; anyone who's sane realises that the goal is to make breaches impracticable to achieve, and even then it's only a matter of time before advances catch up.

Until the password manager gets hacked or the password manager tells you to pay or else they'll put all your passwords on the internet.

KeePass saves your passwords in an encrypted file on your PC, or wherever else you choose to store it, not an internet database.

It is also open source, which means there are plenty of end users who'll be keeping an eye on the code and raising a stink if anything dodgy gets put in (so the developers can't get away with deliberately adding back doors or stuff to steal your information).

I'd use it, but it doesn't work so well with GNU/Linux :(. But I'm okay with giving some grudging trust to Lastpass. After all, their very livelihood depends on it, so I would expect them to maintain strong security and have people keeping an eye on things.
meghan lock
Posts: 3451
Joined: Thu Jan 11, 2007 10:26 pm

Post » Thu Dec 08, 2011 4:21 pm

Until the password manager gets hacked or the password manager tells you to pay or else they'll put all your passwords on the internet.

They've got some awesome skills and a very serious grudge against me if they want to first penetrate my network, second access my computer, and third defeat my encryption. They also apparently stole my USB stick, which I carry on me at all times and which is only plugged into my computer when I am unlocking my database.

As already mentioned, there are plenty of offline password managers out there that make it laughably unrealistic for any hacker to compromise your database.

I'd use it, but it doesn't work so well with GNU/Linux :(. But I'm okay with giving some grudging trust to Lastpass. After all, their very livelihood depends on it, so I would expect them to maintain strong security and have people keeping an eye on things.

There's http://www.keepassx.org/, though there's no addons for Firefox/Chrome like there is for KeePass, but auto-type works. As an Opera user myself anyway, Auto-type is quite usable.
Roddy
Posts: 3564
Joined: Fri Jun 15, 2007 11:50 pm

Post » Thu Dec 08, 2011 8:36 pm

True. Yes, I hate publishers forcing me to use Steam for retail games (it isn't Steam itself that bothers me so much, but publishers using Steamworks as DRM for retail games), but I figured that I could put up with it for Skyrim. Now after all this I will never buy a Steamworks game again. Ever. If that means missing out on future TES games, or having to play them on the consoles (which is definitely not my platform of choice), then so be it.

Well that's just stupid. Sorry, it is.

If you don't buy games on Steam, you don't need to put any financial information in there at all. You run the game's installer, Steam is installed, and you create an account. It asks for a username, a password and your email address. You then validate the game to link it to your account, install it, and play it.

Heck, even if you somehow despise Steam that much, you don't even need it to play after that. You run the launcher to set your INI settings, then you never need Steam again. You run the game directly through TESV.exe and you don't even need Steam running.

Every company has security breaches, no company is 100% secure. Completely boycotting one company, and so many amazing games for quite trivial reasons is in my opinion absurd.
Leticia Hernandez
Posts: 3426
Joined: Tue Oct 23, 2007 9:46 am

Post » Thu Dec 08, 2011 4:03 pm

Well, I notice that there are a few misconceptions here... First off, one must know that encryption and hashing are NOT the same. A basic description of each:
  • Encryption: using an algorithm to encode a set of data into a result that is as variable-length as the input, which keeps it secure until it is decoded using the same key that was used to encode it.
  • Hashing: using an algorithm to convert an input set of data into a FIXED-LENGTH output, that is, by design, NOT reverse-engineerable. It is impossible to accurately decode a hash to get the original input.
Now, for data that needs to be retrieved (DRM-secured media, "saved" passwords in a password manager, secured data), encryption is what will need to be used.

On the flip side is hashing, which is used on password databases, or at least those that aren't a complete joke. (yes, many major sites still store passwords in plaintext) This adds a layer of security to the users' passwords: if a hacker manages to steal the database (or part of it) it merely makes the brute-force attack POSSIBLE, as they now can just set up their own system to check passwords by entering in repeated, different combinations to see if they match. Otherwise, they'd be limited by the "lock-out" mechanism most log-in routines have, where typically 3 wrong passwords in succession will prevent further log-in attempts for a while. (such as 15 minutes here)

Now, for added security, many hashes are "salted;" that is, a "salt" is an extra value that is added to the input (that is, your password) before it is hashed. This makes the brute-force attack much more difficult, as now stealing the database is insufficient, as that only tells the hash result of the password+salt, which leaves the hackers having to guess BOTH all combinations of password AND salt. So if, say, your password is "The Elder Scrolls V: Skyrim", while the MD5 hash (the most common, if hardly the best, hashing algorithm) will be "462eec40be7229f6e8ac7928a247703b", if the passwords are salted, it won't show up like that, and hence that database entry could mean ANYTHING.

Also, do remember that just because you're one user out of millions doesn't mean that you're going to be safe against them deciding to pick YOU to hack; hackers who try at this tend to not "pick individuals," but attempt to simply see how many of those accounts they can crack at once. Hence they often don't brute force, but rather start by using something like a "rainbow table." In short, they have a file with, say, "the top 1,000 passwords," all in their pre-hashed version. They then simply do a cross-check with the stolen database; as a general rule, a large number of people will be using these "most popular" passwords. (It's what makes them the most popular, after all.) If 10% of a 10,000,000-account database use the top 1,000, that's a full million accounts cracked without having to brute-force a thing. This is why you're told to make sure your passwords are unique. Of course, nothing is 100% secure: the downside of a hashing algorithm is the logical trade-off for being reverse-engineerable: multiple source passwords could yield the same end result... And if your password might be very obscure, there's no guarantee that the end-result hash will match that of one of those "most popular passwords." This is why you STILL change your password in situations like these.

Now, as for ENCRYPTED data... It actually tends to be less secure than hashed passwords, and ESPECIALLY salted and hashed passwords. So yes, all the more reason to be cautious.
Laura Simmonds
Posts: 3435
Joined: Wed Aug 16, 2006 10:27 pm
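The hashing, salting and precomputed-table points made in the post above, carried through as an added example; this is not code from the thread or from Steam. It uses MD5 because that is the algorithm the post names, and it assumes a constructed set of four accounts and a five-entry stand-in for the "top 1,000 passwords" list (both made up here). The salted store keeps a fresh random salt beside each hash, which is how salted password databases are laid out in practice: the salt is not secret, it just makes every stored hash unique so one table of pre-hashed popular passwords no longer matches anything.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the thread): a few accounts, three of
# them using common passwords and one using a long, unique passphrase.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "123456",
    "carol": "The Elder Scrolls V: Skyrim",
    "dave": "qwerty",
}

# Constructed stand-in for an attacker's "top 1,000 passwords" list.
TOP_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def md5_hex(data: bytes) -> str:
    """MD5 as a hex string; used here only because the post names MD5."""
    return hashlib.md5(data).hexdigest()


def build_unsalted_db(accounts):
    """Store MD5(password) with no salt. Equal passwords give equal hashes,
    so a single precomputed table cracks every matching account at once."""
    return {user: md5_hex(pw.encode()) for user, pw in accounts.items()}


def build_salted_db(accounts, salt_len=16):
    """Store (salt, MD5(salt || password)) with a random per-user salt.
    The salt is stored in the clear next to the hash so that login can
    recompute the same value; its job is uniqueness, not secrecy."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(salt_len)
        db[user] = (salt.hex(), md5_hex(salt + pw.encode()))
    return db


def precomputed_table(candidates):
    """Hash the candidate list once, up front: maps hash -> plaintext."""
    return {md5_hex(pw.encode()): pw for pw in candidates}


def crack_unsalted(db, table):
    """Against an unsalted store the attack is one dictionary lookup per
    stolen hash, with no per-user hashing at all."""
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db, table):
    """The same table against the salted store: the stored value is
    MD5(salt || pw), which never appears in a table of MD5(pw)."""
    return {user: table[h] for user, (_, h) in db.items() if h in table}


def crack_salted_per_user(db, candidates):
    """What the attacker is forced into instead: re-hash the whole candidate
    list under each user's salt. Work scales with users x candidates."""
    cracked = {}
    for user, (salt_hex, stored) in db.items():
        salt = bytes.fromhex(salt_hex)
        for pw in candidates:
            if hmac.compare_digest(md5_hex(salt + pw.encode()), stored):
                cracked[user] = pw
                break
    return cracked


def verify_salted(db, user, attempt):
    """Login check: recompute with the stored salt and compare in
    constant time (so the comparison itself leaks nothing)."""
    salt_hex, stored = db[user]
    computed = md5_hex(bytes.fromhex(salt_hex) + attempt.encode())
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    unsalted = build_unsalted_db(SAMPLE_ACCOUNTS)
    salted = build_salted_db(SAMPLE_ACCOUNTS)
    table = precomputed_table(TOP_PASSWORDS)
    print("unsalted, table lookup:   ", crack_unsalted(unsalted, table))
    print("salted, same table:       ", crack_salted(salted, table))
    print("salted, per-user re-hash: ", crack_salted_per_user(salted, TOP_PASSWORDS))
    print("carol logs in:", verify_salted(salted, "carol", SAMPLE_ACCOUNTS["carol"]))
```

Two things worth noticing when running it. The per-user loop still cracks the three weak passwords, because salting only removes the shared precomputed shortcut; it does nothing for a password that is on the candidate list in the first place, which is the post's point about unique passwords. And because MD5 is fast, that per-user loop is cheap; a real store should use a deliberately slow, salted function such as `hashlib.pbkdf2_hmac` (or bcrypt/scrypt/Argon2) so that every candidate costs the attacker real time.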

Post » Thu Dec 08, 2011 9:53 pm

Thanks for that clarification, Nottheking - it's been a few years since my cryptography course. :P
Sami Blackburn
Posts: 3306
Joined: Tue Jun 20, 2006 7:56 am
