This topic has been locked
Steam safe for brute force?
Hi!
I just had a curious discussion with someone who desperately needed to know my actual Steam account name.
My question is simple: Is it possible with help of a brute force attack to get into someone's steam account? Or is it somehow protected?
I use a pretty strong password in my opinion; 10 alphabetical, 2 capital the rest small, 2 Numbers and one special character and also Steamguard.
Could this someone potentially get into my account just with the known accountname?
I know there was once a possibility to get into a SteamGuard-protected account via a cr4cked steam.dll which injected itself somehow or something.
Am I safe?

Thanks!
greetings
Showing 1-15 of 21 comments
Jony May 7, 2015 @ 8:30am 
lol
Cathulhu May 7, 2015 @ 8:39am 
While Bruteforce is technically possible, Valve implemented safeguards against that. For example, if you enter a wrong password three times the account gets locked for 15 minutes.
That gives you only 20 tries an hour, 480 a day, 14400 a month.
Sounds much, but if you take into consideration that a password with 8 letters can have about 3.026×10^15 different combinations it would take quite some time to try all possible combinations, about 94.5 years to be exact.
I'm pretty sure Valve would notice a bruteforce attempt in way less than a week and take additional actions to protect the account.
Last edited by Cathulhu; May 7, 2015 @ 8:40am
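The lockout safeguard described in the post above, as an added example that is not part of the original thread and is not Valve's code: a per-account throttle using the post's figures (three wrong passwords, 15-minute lock) and a loop that counts how many guesses such a policy lets through in a given period. The class and function names are hypothetical, and the one-guess-per-second pace is an assumption.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3        # wrong passwords allowed before a lock (figure from the post)
LOCK_SECONDS = 15 * 60  # lock duration in seconds (figure from the post)


@dataclass
class LockoutThrottle:
    """Per-account failed-login lockout (hypothetical, for illustration)."""
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unlock time (seconds)

    def allowed(self, account, now):
        """True if a login attempt for this account is evaluated at time `now`."""
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        count = self.failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            # Third consecutive failure: lock the account and reset the counter.
            self.locked_until[account] = now + LOCK_SECONDS
            count = 0
        self.failures[account] = count

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def max_guesses(throttle, account, duration_s, step_s=1):
    """Count wrong guesses that are evaluated when one is submitted every step_s seconds."""
    evaluated = 0
    for now in range(0, duration_s, step_s):
        if throttle.allowed(account, now):
            throttle.record_failure(account, now)
            evaluated += 1
    return evaluated


def years_to_exhaust(keyspace, guesses_per_day):
    """Years needed to try every candidate at a fixed daily guess budget."""
    return keyspace / guesses_per_day / 365.25


if __name__ == "__main__":
    per_day = max_guesses(LockoutThrottle(), "example_account", 24 * 3600)
    print("guesses evaluated per day:", per_day)
    # 3.026e15 is the keyspace figure quoted in the post.
    print("years for 3.026e15 candidates: %.3g" % years_to_exhaust(3.026e15, per_day))
```
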
ImmortalMan#GFS May 7, 2015 @ 8:42am 
м м
Originally posted by ger.Illuminatum:
Hi!
I just had a curious discussion with someone who desperately needed to know my actual Steam account name.
What was the "reason"?


See it that way: Your email address shows its account name all the time. So to say.
Do you think your email is unsafe after someone knows your email address?
help
pdlzera May 7, 2015 @ 8:49am 
Go Corinthians!!
Hey!
Thank you all for your quick answers.

Originally posted by Cathulhu:
While Bruteforce is technically possible, Valve implemented safeguards against that. [...]
I'm pretty sure Valve would notice a bruteforce attempt in way less than a week and take additional actions to protect the account.
Okay, thanks!


Originally posted by Muppet among Puppets:
What was the "reason"?
I bought a Bioshock key and it was already activated ._. I bought quite a few games and was never unhappy with this shop (a German shop, no Chinese one or something) and the support wanted picture proof of me typing in the key while seeing a list of my games (to see if it wasn't already activated or something, don't know). So I blacked out my account name in the top right and the support didn't allow that as proof, because the picture was obviously edited.
Originally posted by Muppet among Puppets:
Do you think your email is unsafe after someone knows your email address?
Hm, that's quite an interesting comparison, I never thought of that.
Okay, I think as long as they don't ask for my password to test if THEY could activate the key themselves I have not much to fear :D
Thanks a lot!

greetings
NyaGPT Aug 1, 2015 @ 3:21pm 
What if someone knows your pass or that of a Valve employee *cough* gaben *cough* because he/she published it and manages to break in, is that their or gaben's fault :Nepgear:
Last edited by NyaGPT; Aug 1, 2015 @ 3:22pm
Cathulhu Aug 1, 2015 @ 3:25pm 
Valve does not save passwords on their servers. No one with more than half a brain does that. You only save hashes of passwords and SALT them so that even if someone obtains that data, he almost certainly cannot use it, unless he spends half an eternity removing the SALT and reverse calculating the hash, both would take a very, very long time.

Unless you are utterly moronic like Sony and save them in plain text.

For reference:
https://en.wikipedia.org/wiki/Hash_function
https://en.wikipedia.org/wiki/Salt_%28cryptography%29
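Salted password storage as referenced in the post above, as an added example that is not part of the original thread and is not Valve's code: an unsalted digest beside a salted, deliberately slow one, showing that the salt is stored next to the hash and that two accounts with the same password get different records. The thread does not say which algorithm Valve uses; PBKDF2-HMAC-SHA256, the iteration count and all function names here are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for the example
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Weak form: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create what the server stores: a random per-account salt and the derived hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted, two accounts match:", unsalted_digest(pw) == unsalted_digest(pw))
    first, second = make_record(pw), make_record(pw)
    print("salted, two accounts match:  ", first["hash"] == second["hash"])
    print("right password verifies:", verify(pw, first))
    print("wrong password verifies:", verify("guess", first))
```
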
NyaGPT Aug 1, 2015 @ 3:26pm 
Originally posted by Cathulhu:
Valve does not save passwords on their servers. No one with more than half a brain does that. You only save hashes of passwords and SALT them so that even if someone obtains that data, he almost certainly cannot use it, unless he spends half an eternity removing the SALT and reverse calculating the hash, both would take a very, very long time.

Unless you are utterly moronic like Sony and save them in plain text.

For reference:
https://en.wikipedia.org/wiki/Hash_function
https://en.wikipedia.org/wiki/Salt_%28cryptography%29
still what if some1 hacks gaben
Cathulhu Aug 1, 2015 @ 3:28pm 
At one time Gabe Newell gave away his Steam account name and passwords intentionally and still no one was able to enter his account:
http://www.escapistmagazine.com/forums/read/7.268638-Gabe-Newell-Gives-Away-Personal-Steam-Password
No one was able to enter it anyway.
Valve is not stupid.
Last edited by Cathulhu; Aug 1, 2015 @ 3:29pm
Tev Aug 1, 2015 @ 3:33pm 
Out of normal breaching, if put into numbers.

Unless things have changed much from 2011, it uses AES-256.

A 256bit encryption is the mathematical equivalent of 2^256 key possibilities. To put that into perspective, 2^32 is about 4.3 billion, and it keeps growing exponentially after that. What does this mean though? Well simply put, let’s say hypothetically all the super computers in the world (the ultimate brute force attack) decided to group up and tasked themselves to decrypt your AES-256 key so they could access your data. Assume they could look at 2^50 keys per second (which is approximately one quadrillion keys/second – a very generous assumption). A year is approximately 31,557,600 seconds. This means that by using the one billion super computers required to do this, they could check about 2^75 keys per year. At this rate it would take these computers 2^34 years (the age of our universe) to look at less than .01% of the entire key possibilities.
Last edited by Tev; Aug 1, 2015 @ 3:34pm
NyaGPT Aug 1, 2015 @ 3:46pm 
Originally posted by Cathulhu:
At one time Gabe Newell gave away his Steam account name and passwords intentionally and still no one was able to enter his account:
http://www.escapistmagazine.com/forums/read/7.268638-Gabe-Newell-Gives-Away-Personal-Steam-Password
No one was able to enter it anyway.
Valve is not stupid.
I got as far as the steam guard screen XD
but don't tell gaben I did :compa:
El Cactus Aug 1, 2015 @ 4:07pm 
:x
baajimyriam Aug 1, 2015 @ 4:07pm 
Even in 2004 brute force was useless.

Date Posted: May 7, 2015 @ 8:29am
Posts: 21