> Steam presumably scaled naturally (through decades of growing usage and also decades of huge scale DDoS attacks) to something like that for other reasons and are possibly missing safeguards to prevent it being misused.
Just to drive the technical point home: such scale is basically just not feasible. We're talking literally thousands of servers doing nothing but md5 hashes, to vaguely bring cracking a shortish password into the realm of possibility. No one would set up such a system, any sane sysadmin would investigate the load long before it gets to such scale, and the budget would raise questions. Even if Steam uses md5, every little piece of logic around the hashing function multiplies the CPU load compared to bare hashing.
DDOS protection is done on specialized hardware, again long before the count gets to thousands of servers. You buy a box and put it in your datacenter in front of the balancer servers. In my experience, one box nicely handled load going to about two hundred application servers (iirc), likely with plenty of capacity to spare.
So you can estimate the necessary time just with http responses: 50 alphanumeric characters is 62^50 = 4.16e89 permutations, divided by 7.3 million = 5.7e82 seconds, or 1.8e75 years.
On that four-GPU box from 2016, cracking would take 3.3e71 years—which is considerably better but still doesn't quite fit in the age of the universe. So even md5 stolen from Steam Guard wouldn't help much in the case of a long password (unless some miraculous attacks were developed since 2016).
> So even md5 stolen from Steam Guard wouldn't help much in the case of a long password
(Though, with unsalted md5 or sha1, it's possible to find a shorter collision instead. But afaik it requires executing specific techniques instead of the regular algorithms, and obviously the Steam server isn't doing that, so it must be done locally with a stolen hash.)
Just to drive the technical point home: such scale is basically just not feasible. We're talking literally thousands of servers doing nothing but md5 hashes, to vaguely bring cracking a shortish password into the realm of possibility. No one would set up such a system, any sane sysadmin would investigate the load long before it gets to such scale, and the budget would raise questions. Even if Steam uses md5, every little piece of logic around the hashing function multiplies the CPU load compared to bare hashing.
DDOS protection is done on specialized hardware, again long before the count gets to thousands of servers. You buy a box and put it in your datacenter in front of the balancer servers. In my experience, one box nicely handled load going to about two hundred application servers (iirc), likely with plenty of capacity to spare.
See this vid for an example of how cracking was done on GPUs in 2016. Each of the GPUs cranks out ~10 billion hashes a second: https://www.youtube.com/watch?v=7U-RbOKanYs
Here's the current benchmark of frameworks doing bupkis but writing plain text in responses. I was mistaken in the earlier comment, it's about seven million responses a second: https://www.techempower.com/benchmarks/#section=data-r19&hw=...
So you can estimate the necessary time just with http responses: 50 alphanumeric characters is 62^50 = 4.16e89 permutations, divided by 7.3 million = 5.7e82 seconds, or 1.8e75 years.
On that four-GPU box from 2016, cracking would take 3.3e71 years—which is considerably better but still doesn't quite fit in the age of the universe. So even md5 stolen from Steam Guard wouldn't help much in the case of a long password (unless some miraculous attacks were developed since 2016).