I keep being somewhat baffled by Steam's login process every time I'm forced to go through it. Apparently Steam is such a cesspool of (pre)pubescent teenagers, with rampant account hacking and theft of funds, swag or whatever, that they feel the need to fortify the process if only to make it more inconvenient for the hackers.
- “Remember the password” barely ever works, even on desktop. Since I don't quite log in every day due to being too old for that, I have to redo the process every time—on a machine that I bought with my own money just for myself and intend to protect with both technical means and physical force.
- Somehow copy-pasting passwords from KeepassX/XC doesn't work on Mac, with the shortcut. Not sure if this is a misfeature of Steam, but I have to paste the password to an editor first and then copy out of there into Steam. (Seems though that ‘paste’ in the context menu does work—this might've changed since I first noticed the issue.)
- And of course, the weird variation on 2fa, via email, instead of the good regular TOTP. As is tradition by now, I'm also given the choice of installing yet another app on the phone, which somehow doesn't quite seem to serve my interest.
Hmm, what I mean is, I open up Steam on my Linux system. Usually it remembered my login but sometimes I need to login again. If I then type my password, it says: "type the code we emailed to continue".
So if I wouldn't have access to that email account, I couldn't login and lose the Steam account, even when knowing the password.
Although, some of the methods from the link would still work, so that's solved, I guess.
Except that even if you use Steam Mobile you can't turn off email-based "self-service account recovery" in Steam. Your email account is always going to be the final key to control of your account.
Which is why my email accounts have warned me that every time a botnet cracks my Steam account password there are attempts to open what they think is my email account with the password they just cracked. My Steam account password these days is cracked scarily often, and I'm afraid my Steam account is now one of my weakest links in my online security footprint. I'm not dumb enough to use the same password for my email addresses as my Steam account, but the fact that Steam seems to be allowing password spray fast enough that machines keep cracking 50+ character passwords in days is alarming.
(ETA: Note the reason I mention 50+ is that I specifically vary the length randomly; when I don't the cracks drop to hours apart.)
I'm curious about what specific thing is signaling to you that your Steam password has been cracked. (I assume you mean brute forced?)
It's significantly more likely that you've been keylogged or phished if attackers are actually accessing your Steam account with passwords of that complexity.
I don't understand how it can be possible to brute force a 50+ character password
with 5 bits per character (and assuming random characters, which is what you mean right?), that's 300 bits of entropy, nothing in the universe could brute force that
Most of those old password-length "time to crack" estimates are based on a single machine. Many of the common ones you see today are based on the added assumption that they aren't spraying directly at a password endpoint but are instead predicated on breaking the hashes and the extra (increasingly minimal in the age of Bitcoin) cycles needed to hash/salt/pepper the passwords and/or building rainbow tables.
I believe that the password spray capabilities of today's botnets on any endpoint that returns results as fast as network messages travel should not be underestimated in a distributed enough attack. Given that not-varying the password length had a noticeable impact on time, the warnings from my email providers, and other increasingly paranoid measures I've taken [0], I have no reason to suspect that this anything but a very distributed password spray attack.
Simple GitHub searches seem to indicate that there are known password spray capable Steam endpoints that currently still leak password correctness/verification data regardless of 2FA enabled (and also leak whether or not 2FA is enabled on the account) and always falls back to email-based 2FA. (These leaks and that fall back would have me believe it's one of the Password Recovery or 2FA Recovery endpoints.) Though I've not attempted to run such gists/"utility libraries" myself to verify (I'm too lawful neutral/not a black hat whatsoever), at a surface level it seems like more than enough evidence to suggest botnets would use such things if enough people were posting "helpful password recovery tools" on GitHub that password spray accounts you tell it to.
[0] The paranoia has gotten quite "fun":
- I only ever sign in to Steam now inside the Steam client and Steam Mobile app.
- I disabled all OAuth applications on my account, no longer sign in under any web browser, and have refused to allow new applications.
- I've removed all devices except my primary gaming desktop and mobile device.
- I've removed all credit card data that I can and haven't bought or paid for anything directly in the Steam client in years.
- There's evidence that password hashes used to be leaked from a file in the Steam client's folder. (I believe that file no longer exists in recent Steam clients, at least.) For that reason, I've turned on Windows Controlled Folder Access (aka Windows Ransomware Protection) on all of my Steam folders. This has been an amazing bundle of joy~ and has basically stopped me from playing Steam games. Games are developed by children and it is amazing the number of entry point binaries a single game might have to run, how often even "offline only" games still want to run binaries they copy or bury in random places in %LocalAppData% or worse %Temp%. The whack-a-mole to enable games to run under Controlled Folder Access becomes its own very not fun minigame before you can actually start the real game. (It's also really interesting to see what some games do when they fail to get folder access they just assume they'll always have. So many permutations of "the game works but crashes at weird points" or "the game thinks it is running on a Mac for stupid reasons" or "the game thinks you intentionally want to run it without the ability to save or load saves, because that's a thing people might do?".)
My paranoia suggests my next steps are only to isolate Steam to its own entirely separate user account on the machine and/or its own unique VPN.
My basic threat modeling assumes if they were compromising anything specific outside of Steam, they'd have compromised my email accounts already.
At this point it increasingly feels like the only reason I keep Steam installed is to reset the password every time I get a Steam Guard email.
I have no stakes in defending Steam, but—you realize that if someone were cracking passwords left and right for years then the web would be full of complaints like yours? Everyone would know that it's a thing that's happening. Eternal questions would be pondered to the sound of Guard notifications, lovers would gaze at stars with faint notificationing in the background, and musicians and poets would compose songs to that tune.
Frankly a keylogger on your laptop sounds more plausible.
My belief is that this is a canary in the coal mine. We know that password systems don't work in the long run. There's been lots of reasons to get people away from passwords for day-to-day things. Some canaries are going to die sooner than others, and I have some ideas why this particular canary of mine died early. There are other complaints out there about Steam specifically of hacked accounts where passwords were "guessed" and then email accessed. Additionally, I have a pretty good idea of why, for what I think to be very dumb reasons, my account is a particularly well known to be "high value" account (going back to the parent comment way above that depending on how you value it, my Steam account is worth more than the PC I connect to it with). Steam itself is also in the weird "entertainment" place where it has bank-like features, but not quite the same pressure to have bank-like security (because it's just "games" and "hats"). The article here itself points to things likely written prior to 2012 that are still in active use today in Steam's login path (whether or not you believe age/tech debt implies "broken" most banks have upgraded their login systems likely four or five times since).
(My account is one of the oldest accounts on the platform, predating Half-Life 2's launch, and originally accessed via dial up internet. It has several now rare collections of games and at least a couple now "impossible to buy" games. Most critically to it being "well known" to have such value, it has several of the most rare/valuable "TF2 hats", which I think is incredibly dumb and that the marketplace is a huge gambling mistake, and those were known at the time when all Steam inventories were public [oh, the spam and phishing attempts that generated back when that was public and easily accessible]. My limited regard for the marketplace and limited use of it would make it somewhat obvious if I had "sold them" in the time since inventories allowed going private.)
As for a keylogger, specifically, I would go insane if I ever had to type 50+ character passwords. The keys you will log are Ctrl and V. Sure that opens up questions to clipboard logging and/or Password Manager incursion, but as I mentioned above, I have enough reason to suggest the threat isn't that sophisticated (in part because it is just "games" and "hats"), and paranoid circumvention in place already (even beyond the ones mentioned specifically in the above comment).
Also, there are plenty of reasons it might not be happening as badly elsewhere as it is happening specifically on Steam. Microsoft (and Microsoft Research) has made it very clear in recent papers that distributed password spray (where the spray is spread out over large numbers of IP addresses/countries/etc) is the number 1 issue right now in passwords, and that detection and blocking are crucial. Steam has argued in the past that such things are impossible to do at their scale. (Microsoft would argue today that their scale in Office 365/Azure AD/Microsoft Accounts has easily now dwarfed Steam's scale.) There's enough evidence today (as I already mentioned) that Steam still doesn't have those detections/blocking in place (and are relying too much on Steam Guard/2FA to keep accounts safe). (Not to get too deep into the woods of Steam criticism, but the argument may not be that it is impossible at scale but that it is impossible to prioritize it within Valve's notorious management culture.)
You could attempt contacting steam and ask if they know how many attempts have been made from different IP addresses in total for login to your account. I feel like that's really the only way to verify what you're proposing. Steam likely has logs of all the IP addresses that attempt login to whatever account.
I'm skeptical of what you're proposing because it's not hard to design a system that freezes mass random IP login attempts to an account after 'x' low number of random attempts and then only allow the past successful IP addresses to continue with a successful login. As well, as do an email verification if the password is successful but being used from a new IP address.
I have sent tickets to Steam asking for such corroboration. I've never gotten beyond a "don't worry Steam Guard seems to be working as intended" and general Tier 1 copy-paste responses.
So I figured I'd go read what's ‘password spraying’ that you mention:
> Password spray is the opposite of brute-forcing. Adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.
Firstly, you seem to believe that password hashes provide only a small reserve of difficulty compared to the abilities of current computers. That's not so. Just read or watch any introduction on hashes: the most basic principle is that even with a huge cluster of top-of-the line hardware, it would take billions of years to guess a password of a decent length. When hash algorithms are ‘broken’, like with md5 and sha1, it's because newly found weaknesses bring down their strength by a factor of billions.
Secondly, you seem to conjecture that attempting password guesses against a network service would somehow bring that difficulty down considerably, to reachable levels. However: local hash guesses are made on GPUs or specialized FPGAs, whereas servers run on regular multi-purpose CPUs—plus, if you had a server respond to login attempts nonstop, it would spend half of the time in context switches and kernel calls. Top http frameworks in pure C reach just over a million responses per second when doing nothing but sending empty responses. You're asking that Steam dedicate a fleet of thousands of servers to facilitate cracking your password. And on top of that, the service would also need a database that likewise serves billions of requests a second.
Additionally, modern hash algorithms like bcrypt are constructed so that they take considerable and configurable time (on any hardware), so the hashing rates are on the order of tens of thousands a second or less, instead of billions and trillions. Since Steam are evidently very concerned with account security, I'd guess they take advantage of these algorithms—and since you changed the password recently, it was probably hashed with the latest used algorithm.
Besides all of the above, a service easily foils password guesses by limiting the number of attempts against an account in a time span, which is by now one of the basic prescribed measures. The whole purpose of ‘password spraying’ is to sidestep this limitation by attacking a lot of users but using most common passwords. In no way does it help with guessing a single long random password.
Lastly, while it's conceivable that Steam could have some vulnerabilities that would make cracking its accounts easier, those wouldn't be burned by attacking the same accounts over and over for months.
To sum up: the whole magnitude of the task is such that no one would solve it just to steal your trinkets, even if they could. It's time to accept that either your passwords are easily guessable, or are lifted from you in some way.
> You're asking that Steam dedicate a fleet of thousands of servers to facilitate cracking your password. And on top of that, the service would also need a database that likewise serves billions of requests a second.
No, I'm just saying that I believe Steam presumably scaled naturally (through decades of growing usage and also decades of huge scale DDoS attacks) to something like that for other reasons and are possibly missing safeguards to prevent it being misused.
Obviously, I'm making cynical assumptions and failing to give Steam the benefit of the doubt here. I'm sorry.
> Additionally, modern hash algorithms like bcrypt are constructed so that they take considerable and configurable time (on any hardware), so the hashing rates are on the order of tens of thousands a second or less, instead of billions and trillions. Since Steam are evidently very concerned with account security, I'd guess they take advantage of these algorithms—and since you changed the password recently, it was probably hashed with the latest used algorithm.
The article points to evidence that the login system possibly hasn't been updated since around 2012. Plenty of systems were still using unsalted MD5 back in 2012. It's a huge assumption that they've kept up with modern hash algorithms.
Additionally, the SteamGuard files stored in the base client directory were reported to include MD5 hashes at least as recently as 2014. (Even worse that file contained long lived tokens directly able to bypass SteamGuard.)
I hope Steam is doing better than that today, but you can forgive my pessimism/cynicism after fighting this cycle much longer than I would have liked that the conclusions I jump to remain that Steam isn't doing enough to protect account security.
> It's time to accept that either your passwords are easily guessable, or are lifted from you in some way.
I've gone through a lot of paranoia and anxiety over this. I've done a lot to eliminate suspects and shrink attack surface, and continue to do so. So far as I can tell this is specifically a Steam phenomenon, Steam is the weak link in the chain, and my other accounts seem secure accept that my email providers report failed login attempts from the same IPs mentioned in SteamGuard emails shortly after the SteamGuard timestamp.
Anyway, I've expended too many words of paranoia and cynicism in this thread. I appreciate the attempts to help.
> Steam presumably scaled naturally (through decades of growing usage and also decades of huge scale DDoS attacks) to something like that for other reasons and are possibly missing safeguards to prevent it being misused.
Just to drive the technical point home: such scale is basically just not feasible. We're talking literally thousands of servers doing nothing but md5 hashes, to vaguely bring cracking a shortish password into the realm of possibility. No one would set up such a system, any sane sysadmin would investigate the load long before it gets to such scale, and the budget would raise questions. Even if Steam uses md5, every little piece of logic around the hashing function multiplies the CPU load compared to bare hashing.
DDOS protection is done on specialized hardware, again long before the count gets to thousands of servers. You buy a box and put it in your datacenter in front of the balancer servers. In my experience, one box nicely handled load going to about two hundred application servers (iirc), likely with plenty of capacity to spare.
So you can estimate the necessary time just with http responses: 50 alphanumeric characters is 62^50 = 4.16e89 permutations, divided by 7.3 million = 5.7e82 seconds, or 1.8e75 years.
On that four-GPU box from 2016, cracking would take 3.3e71 years—which is considerably better but still doesn't quite fit in the age of the universe. So even md5 stolen from Steam Guard wouldn't help much in the case of a long password (unless some miraculous attacks were developed since 2016).
> So even md5 stolen from Steam Guard wouldn't help much in the case of a long password
(Though, with unsalted md5 or sha1, it's possible to find a shorter collision instead. But afaik it requires executing specific techniques instead of the regular algorithms, and obviously the Steam server isn't doing that, so it must be done locally with a stolen hash.)
However, near as I can figure, it offers no way to provision a second device with the same seed (or store the seed).
It's one of two sites that I use TFA for that I don't have a backup for, which is mildly annoying. I do have recovery codes, and will all too happily fall back on SMS.
For me, when I download Steam Authenticator it's tied to my phone number so the first time I login it will send me a text message code, and then from there it generates the authenticator codes in app
Well in the scenario where you lose access to your email address you would theoretically still have access to your phone with the steam app already installed and authenticated
I'm not sure what you mean by auto-login not working. I've had my Steam account for 11 years and I can remember a time where that was the case, but it works so reliably nowadays I didn't even remember it was an issue until reading your comment.
I'm 90% sure it's a account-based bug. My account has had this issue for ~6 years now (I've used steam for 15 years). It happens on any browser or device. No cookie clearing, doesn't happen to any other account, etc. Every time I bring it up, the majority of people say they don't have an issue, while a small handful of others chime in about experiencing it too.
It has to be a bug, or maybe a security feature for accounts of a certain size?
I think they restrict the 2FA methods since they want tighter control over them. For example, if you use their Steam app for 2FA and you need to move it to a new phone your account gets put into a restricted mode and you cannot use the Community Market for 15 days. This restriction also gets applied to any item you touch, so if you trade an item to someone else, the store restriction moves with the item.
They also strong-arm you into using the app. If you log into a new device (or Steam thinks it's a new device since you cleared cookies) and you don't use their app for 2FA, then the device will not be able to trade or use the market for 7 days. They only waive this restriction if you use their app for 2FA and it has been active for at least 7 days.
It's a bit frustrating since the Community Market/Trading is likely only used by a minority of users, but seemingly a ton of login limitations are imposed because of it.
> It's a bit frustrating since the Community Market/Trading is likely only used by a minority of users, but seemingly a ton of login limitations are imposed because of it.
It's probably because it moves a significant amount of money, between trading cards, CSGO knives, TF2 hats, etc. Of course, nothing comparable to banking systems and general-purpose marketplaces, but I personally think those protections only add to the product.
> Of course, nothing comparable to banking systems and general-purpose marketplaces
Rumor is, some MMO games have markets exceeding GDPs of plenty of first-world countries, and ingame items are used by gangs to move funds across borders. Both Cory Doctorow and Neil Stephenson wrote books featuring this phenomenon, and I'm pretty sure they both usually take their ideas from reality.
Since Steam is a Big Guy, and its market is dedicated to this very activity and sits on top of many games at once, I'd guess it to have a sizeable slice.
Doctorow's book is “For The Win” (if I'm not mistaken—really need to get into the habit of writing some notes about the books I read, especially when marathoning through an author's bibliography).
Stephenson's book is “Reamde”, which is a weird, even for him, mix of realistic-sci-fi-about-computers with an adventure thriller.
I think I also found some articles about actual size of virtual economies and the use of them by crime. But those likely went into the Pile To Read, which is a rather sad fate in my case and the hope is thin.
I don't use the Steam 2FA app and when I sell Steam trading card, there's a banner saying 'you haven't used our 2FA, market listing will be held for 7 days'. But then usually the cards I list are sold the same day, I don't really understand why; perhaps because (on the Steam client), I rarely have to log in?
I have the same issue. On Mac, I log in to Steam about once a week (sometimes longer than that). I have to login with my password and get a Steam code almost every time.
Does the Mac version of Steam install through the Mac App store (or is it offered there), and does that store also have the webview restrictions? If that's the case, I'm wondering if that's triggering them to use web login methods, and while I haven't logged into steam on the desktop again since I installed it on this new one ~6 months ago, I have to log into the website and get a code almost every time I want to do something there, so I wonder if the Mac version of Steam is somehow under the web based login restrictions.
LOL, that's true. I wasn't even thinking of what Steam does, and was just considering it's authentication mechanism. Doubly silly of me, since I'm definitely interested and following to some degree the Epic lawsuit.
Huh strange. I’ve used steam on windows, Mac and Linux over the years and with different frequencies of use and still only ever have to manually log in once every few months.
I stopped using Steam because it was too annoying. Not sure what all they get up to for their anticheat crap, but something I do with my network/machine apparently sets them off.
Fighting with bullshit like this is not what I'm looking for when I want a game, so screw it, if a game needs Steam, I don't need the game.
It's not an issue with the app, it's in the browser only. I like using the browser for browsing since tab support is better, bookmarking and also extensions such as Steam Enhanced.
It's a weird variant of TOTP, but you have to be rooted or modify the app in order to extract the secret to use with other apps. Years ago I wrote a script to do it, but I'm not sure if it still works -- it's not really worth doing imo
The issue is that the app uses a custom protocol to confirm Steam community transactions (Steam inventory trades, etc). So if you use an authenticator like AndOTP, you lose the ability to confirm those.
I reverted to e-mail. I only have free software on my phone, and don't regret that choice.
> “Remember the password” barely ever works, even on desktop.
It happens to me only when I keep switching machines (sometimes I play on Linux, sometimes on Windows) => I guess that it's some kind of security check.
If I stick all the time to a single machine then I basically never have to re-login (if I don't stop playing for something like 1 month or longer).
I lost my password, access to my email address and all information that could have been used to identify me like my paypal account. This was somewhere around 2017. It took 2 emails to get them to transfer my account to my new email address and reset my password.
Here's my experience with recovering a Steam account. Some time before I lost access to my Steam account, I bought Portal 2 for the PS3 which included an activation code to get the PC version on steam for free. When I asked Steam support to help me regain access, they asked me to write a specific thing on the flyer with the activation code, scan it and send that in to verify It's my account. After that they helped me recover the account.
Valve introduced Steam and it's security by Gabe announcing his login and password to the world. You couldn't get in though precisely because of the 2FA.
This was a LONG time ago when things being secure on the internet wasn't a given to most people.
> “Remember the password” barely ever works, even on desktop
Is that for browser or client? I had issue with the browser for the past 6 or so years. Every time I bring it up, a few others mention having this issue but not everyone. I think it's an account based issue since it happens on any device I use. It only happens with Steam and no other site.
- “Remember the password” barely ever works, even on desktop. Since I don't quite log in every day due to being too old for that, I have to redo the process every time—on a machine that I bought with my own money just for myself and intend to protect with both technical means and physical force.
- Somehow copy-pasting passwords from KeepassX/XC doesn't work on Mac, with the shortcut. Not sure if this is a misfeature of Steam, but I have to paste the password to an editor first and then copy out of there into Steam. (Seems though that ‘paste’ in the context menu does work—this might've changed since I first noticed the issue.)
- And of course, the weird variation on 2fa, via email, instead of the good regular TOTP. As is tradition by now, I'm also given the choice of installing yet another app on the phone, which somehow doesn't quite seem to serve my interest.