It is and it isn't. It takes a 1-minute Google search to check the thing. For some reason that is not clear to me, people in this thread (yourself included) just knee-jerked without even checking.
Now, this would be a good suggestion, but he didn't suggest anything of the sort even after reading that a tool was available, so I don't believe he is the right channel. If you (or spawn) could point me in the right direction to signal the issue I would be most grateful.
Again, if you want Family View PIN to work offline, the PIN has to be stored locally.
The OP is lying in that in the client you cannot brute force the PIN. It's not possible.
If you want to perform offline attacks, THAT IS NOT A SECURITY VULNERABILITY. The PIN is already salted and hashed. But again, that's only intended to protect against mass password leakages and from one password leakage impacting the entire database. Because only one password is relevant, hashing slows down the attack but not by much given the attack surface.
If you encrypt it, then you have to store the encryption key somewhere, which means an offline attack has to have access to it somehow. These are problems no matter what you go into. Security programs like Authy hash the local keys for your 2FA. But even they know this is only designed to stop 'casual' zero-effort compromises. Since only one password is relevant in this case, you can spend like $4 on AWS to hack even a 10 character non-random non-ASCII variants, which will get done in a day. Want to do it at home? Might take like 1-2 days tops on even a moderately powerful GPU.
Family PIN is not designed as a massive security measure that is invulnerable to OFFLINE brute force attacks. That isn't a security vulnerability.
Nobody was lying. You jumped the TC immediately and called BS without asking for clarification and instead lectured them to death before they got the chance to give more information.
Also making assumptions about their parenting and attacking them for it.
Not that this isn't the MO of many here. Sadly.
At the very least, Garthor already proved they actually DO care about their children's use of Steam by knowing about the parent controls and activating them. Which is far more than many do.
There can't be any actions taken.
Even with a purely online authentication one could re-route the request to a mock server and always send a success message.
The security issue that needs to be "fixed" is your client working on your local machine.
I suggest you improve your reading skills. Nowhere did I suggest that the PIN has been bruteforced from the client. I explicitly mentioned that there was a different tool. Please check your facts.
Again, where did I mention "security breach"es? Just check the title of the thread: "What good is PIN parental control if it can be easily bruteforced?". That's the question.
And what you say above "Family PIN is not designed as a massive security measure that is invulnerable to OFFLINE brute force attacks." is exactly the crux of the problem. I have no qualms with the way family PIN is designed, but I DO have qualms with Valve not letting me know the issue. Basically, by making "Family PIN [...] not designed as a massive security measure that is invulnerable to OFFLINE brute force attacks" it is almost useless. That's the point.