11-10-2011, 10:32 PM
For anyone worried, let me give a brief rundown of how security on Steam works; it's actually surprisingly good.
Firstly, your password is not stored as readable text, that would be silly. There are three levels of encryption they use to store it:
1. Generate a hash from your password. This encrypts it into a string of numbers and letters; each section varies depending on what letter it is, and also on what the whole word is.
2. Salt the hash. This means it adds a specific set of characters to the end, then re-hashes it, so you would need to know this code to work out what the original hash was.
3. Encrypt the hash. This can be any number of techniques to change the hash code into something entirely different; you would need the encryption key and to know what encryption system they're using to decrypt it.
In effect you would need to know what encryption they're running, what the encryption key is, what the salt code is, and an insane amount of computer time to have a shot at decrypting the hash back to the original password. Even someone inside Valve with direct access to the database couldn't tell what your password is.
It also emails you to confirm when a different computer tries to log into your account, tries to change the password, or anything else to do with accessing it. This is the Steam Guard system and it works very, very well.
(When they added it, Gabe Newell himself gave out the password to his Steam account at the conference just to show how secure it was.)
In theory your password is totally safe.
So why change your password? Because you should always do that when there's a data leak. The only information we have is that something has gone wrong somewhere, and there is no way to judge what's been compromised or what tricks are being pulled. Never underestimate how crafty people can be, and always assume they've thought of something you haven't.
The big scare here of course is if you have a bank account linked to your Steam account. That's the data you really don't want getting out; it's not as well encrypted (because the system actually needs to be able to decrypt it without any input) and the encryption key could be cracked.
If you DO have any bank details logged with Steam, I'd suggest you unlink them to be safe, and keep an eye on any transactions going through that account. I'll be keeping my ear to the ground to catch if the data gets leaked anywhere, and if I can get a copy of it I'll be happy to check it to see if anyone here was compromised.
(Note: PayPal accounts should be perfectly safe. It's not part of Steam, so none of your account details get stored there; it's only card details you need to worry about.)
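
The three layers described in the post above, as an added Python example (not part of the original post, and not Valve's code): a per-user random salt, a slow salted hash, and a keyed wrap under a server-held key. PBKDF2, the HMAC standing in for the "encrypt the hash" step, the iteration count and the names `make_record` and `verify` are all assumptions; the post names no algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor, not a value from the post
SALT_BYTES = 16


def _stretch(password: str, salt: bytes, iterations: int) -> bytes:
    # Layers 1 and 2: hash the password together with the per-user salt,
    # iterated many times so each offline guess is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, server_key: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the database row for one account (hypothetical layout)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per account
    stretched = _stretch(password, salt, PBKDF2_ITERATIONS)
    # Layer 3: keyed wrap. The key lives outside the database, so a dump of
    # the table alone is not enough to start guessing passwords offline.
    verifier = hmac.new(server_key, stretched, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "verifier": verifier.hex()}


def verify(password: str, record: dict, server_key: bytes) -> bool:
    """Recompute the verifier from a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    stretched = _stretch(password, salt, record["iterations"])
    candidate = hmac.new(server_key, stretched, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


if __name__ == "__main__":
    key = os.urandom(32)                       # constructed server-side key
    alice = make_record("correct horse", key)  # constructed sample passwords
    bob = make_record("correct horse", key)
    # Same password, different salts: the stored values do not match, so one
    # cracked row does not reveal who else shares that password.
    print("rows differ:", alice["verifier"] != bob["verifier"])
    print("right password:", verify("correct horse", alice, key))
    print("wrong password:", verify("correct horsf", alice, key))
    print("wrong server key:", verify("correct horse", alice, os.urandom(32)))
```

The salt is stored in the clear next to the verifier; its job is to make every row unique, while the secrecy in this layout comes from the server-held key and the cost of each guess.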