by aasasd 1988 days ago
I keep being somewhat baffled by Steam's login process every time I'm forced to go through it. Apparently Steam is such a cesspool of (pre)pubescent teenagers, with rampant account hacking and theft of funds, swag or whatever, that they feel the need to fortify the process if only to make it more inconvenient for the hackers.

- “Remember the password” barely ever works, even on desktop. Since I don't quite log in every day due to being too old for that, I have to redo the process every time—on a machine that I bought with my own money just for myself and intend to protect with both technical means and physical force.

- Somehow copy-pasting passwords from KeepassX/XC doesn't work on Mac, with the shortcut. Not sure if this is a misfeature of Steam, but I have to paste the password to an editor first and then copy out of there into Steam. (Seems though that ‘paste’ in the context menu does work—this might've changed since I first noticed the issue.)

- And of course, the weird variation on 2fa, via email, instead of the good regular TOTP. As is tradition by now, I'm also given the choice of installing yet another app on the phone, which somehow doesn't quite seem to serve my interest.


My steam account is worth more than my computer, I'm quite happy that it's hard to steal.

I also don't have to log in every time I use it, that's not a steam-problem.

One issue: if you lose access to your email, you also lose access to your worthy Steam account, since it emails a code every time.
Email access is required for self-service account recovery, but there are plenty of other documented methods:

https://support.steampowered.com/kb_article.php?ref=5421-QTF...

Hmm, what I mean is, I open up Steam on my Linux system. Usually it remembers my login but sometimes I need to log in again. If I then type my password, it says: "type the code we emailed to continue".

So if I didn't have access to that email account, I couldn't log in and would lose the Steam account, even knowing the password.

Although, some of the methods from the link would still work, so that's solved, I guess.

Except that even if you use Steam Mobile you can't turn off email-based "self-service account recovery" in Steam. Your email account is always going to be the final key to control of your account.
Which is why my email accounts have warned me that every time a botnet cracks my Steam account password there are attempts to open what they think is my email account with the password they just cracked. My Steam account password these days is cracked scarily often, and I'm afraid my Steam account is now one of my weakest links in my online security footprint. I'm not dumb enough to use the same password for my email addresses as my Steam account, but the fact that Steam seems to be allowing password spray fast enough that machines keep cracking 50+ character passwords in days is alarming.

(ETA: Note the reason I mention 50+ is that I specifically vary the length randomly; when I don't the cracks drop to hours apart.)

I'm curious about what specific thing is signaling to you that your Steam password has been cracked. (I assume you mean brute forced?)

It's significantly more likely that you've been keylogged or phished if attackers are actually accessing your Steam account with passwords of that complexity.

I don't understand how it can be possible to brute force a 50+ character password.

with 5 bits per character (and assuming random characters, which is what you mean right?), that's 300 bits of entropy, nothing in the universe could brute force that

Doesn't the steam mobile app provide access codes?
It does
However, near as I can figure, it offers no way to provision a second device with the same seed (or store the seed).

It's one of two sites that I use TFA for that I don't have a backup for, which is mildly annoying. I do have recovery codes, and will all too happily fall back on SMS.

How does that one authenticate itself then?

(NOTE: I didn't even know the PC gaming service steam had a mobile app ;))

For me, when I download Steam Authenticator it's tied to my phone number, so the first time I log in it will send me a text message code, and then from there it generates the authenticator codes in the app.
Well, in the scenario where you lose access to your email address you would theoretically still have access to your phone with the Steam app already installed and authenticated.
That's not true, I lost access to my email a couple years ago, and support was able to get me my account back.
I'm not sure what you mean by auto-login not working. I've had my Steam account for 11 years and I can remember a time when that was the case, but it works so reliably nowadays I didn't even remember it was an issue until reading your comment.
How often do you log in?

My experience is that a lot of this stuff works really well if you're using Steam regularly, and completely falls apart if you use it once a month.

It also logs you out as soon as you enable a VPN connection (to a different country/IP?) while running.
Interesting. I definitely log in daily, I have Steam set to auto-launch because of Remote Play.
I'm 90% sure it's an account-based bug. My account has had this issue for ~6 years now (I've used Steam for 15 years). It happens on any browser or device. No cookie clearing, doesn't happen to any other account, etc. Every time I bring it up, the majority of people say they don't have an issue, while a small handful of others chime in about experiencing it too.

It has to be a bug, or maybe a security feature for accounts of a certain size?

Exactly the same for me in browser but not the main client where it happens occasionally for a few times in a row and then returns to automatic.
Over 17 years for me and never any issues really.
I think they restrict the 2FA methods since they want tighter control over them. For example, if you use their Steam app for 2FA and you need to move it to a new phone your account gets put into a restricted mode and you cannot use the Community Market for 15 days. This restriction also gets applied to any item you touch, so if you trade an item to someone else, the store restriction moves with the item.

They also strong-arm you into using the app. If you log into a new device (or Steam thinks it's a new device since you cleared cookies) and you don't use their app for 2FA, then the device will not be able to trade or use the market for 7 days. They only waive this restriction if you use their app for 2FA and it has been active for at least 7 days.

It's a bit frustrating since the Community Market/Trading is likely only used by a minority of users, but seemingly a ton of login limitations are imposed because of it.

> It's a bit frustrating since the Community Market/Trading is likely only used by a minority of users, but seemingly a ton of login limitations are imposed because of it.

It's probably because it moves a significant amount of money, between trading cards, CSGO knives, TF2 hats, etc. Of course, nothing comparable to banking systems and general-purpose marketplaces, but I personally think those protections only add to the product.

> Of course, nothing comparable to banking systems and general-purpose marketplaces

Rumor is, some MMO games have markets exceeding the GDPs of plenty of first-world countries, and in-game items are used by gangs to move funds across borders. Both Cory Doctorow and Neal Stephenson wrote books featuring this phenomenon, and I'm pretty sure they both usually take their ideas from reality.

Since Steam is a Big Guy, and its market is dedicated to this very activity and sits on top of many games at once, I'd guess it to have a sizeable slice.

Wow, that sounds like an interesting read. I'll see if I can track one of those books down, thanks!
Doctorow's book is “For The Win” (if I'm not mistaken—really need to get into the habit of writing some notes about the books I read, especially when marathoning through an author's bibliography).

Stephenson's book is “Reamde”, which is a weird, even for him, mix of realistic-sci-fi-about-computers with an adventure thriller.

I think I also found some articles about actual size of virtual economies and the use of them by crime. But those likely went into the Pile To Read, which is a rather sad fate in my case and the hope is thin.

I would absolutely disable my access to that community market if it meant I could use a regular TOTP.
I don't use the Steam 2FA app and when I sell Steam trading cards, there's a banner saying 'you haven't used our 2FA, market listing will be held for 7 days'. But then usually the cards I list are sold the same day, I don't really understand why; perhaps because (on the Steam client), I rarely have to log in?
Valve softened this policy 2 years ago without an announcement.
FWIW, the app uses a variant of TOTP. Some TOTP apps (including one for Yubikeys[0]) support generating them if asked to.

[0]: https://github.com/Yubico/yubioath-desktop/issues/72

How often are you logging into Steam? The app stays logged in for me pretty much forever.
I have the same issue. On Mac, I log in to Steam about once a week (sometimes less often than that). I have to log in with my password and get a Steam code almost every time.
Does the Mac version of Steam install through the Mac App store (or is it offered there), and does that store also have the webview restrictions? If that's the case, I'm wondering if that's triggering them to use web login methods, and while I haven't logged into steam on the desktop again since I installed it on this new one ~6 months ago, I have to log into the website and get a code almost every time I want to do something there, so I wonder if the Mac version of Steam is somehow under the web based login restrictions.
The website definitely has a crazy short session length (it can't be more than 48 hours, probably substantially less).

I do login to the website more often than I do the native Steam app, typically to wishlist games that I see linked from other web sites.

I wonder if logging into the website invalidates all of my sessions after however many hours.

> Does the Mac version of Steam install through the Mac App store

It does not, and I can't see it ever being allowed there. It's quite literally an alternate app store!

LOL, that's true. I wasn't even thinking of what Steam does, and was just considering its authentication mechanism. Doubly silly of me, since I'm definitely interested in and following to some degree the Epic lawsuit.
Huh, strange. I've used Steam on Windows, Mac and Linux over the years and with different frequencies of use and still only ever have to manually log in once every few months.
I stopped using Steam because it was too annoying. Not sure what all they get up to for their anticheat crap, but something I do with my network/machine apparently sets them off.

Fighting with bullshit like this is not what I'm looking for when I want a game, so screw it, if a game needs Steam, I don't need the game.

It's not an issue with the app, it's in the browser only. I like using the browser for browsing since tab support is better, bookmarking and also extensions such as Steam Enhanced.
Compromising of game accounts with real world monetary value is very much an industry, one with competition, customer service, supply chains, etc.

Source: I used to do customer service for Blizzard and a large part of our work was dealing with accounts compromised by gold sellers.

It's a weird variant of TOTP, but you have to be rooted or modify the app in order to extract the secret to use with other apps. Years ago I wrote a script to do it, but I'm not sure if it still works -- it's not really worth doing imo

https://github.com/steamguard-totp/steamguard-shared-secret

The issue is that the app uses a custom protocol to confirm Steam community transactions (Steam inventory trades, etc). So if you use an authenticator like AndOTP, you lose the ability to confirm those.

I reverted to e-mail. I only have free software on my phone, and don't regret that choice.

Unfortunately, you can't use Steam Guard without a phone number.
> “Remember the password” barely ever works

This has been my experience too. I still check the box every time I log in.

> “Remember the password” barely ever works, even on desktop.

It happens to me only when I keep switching machines (sometimes I play on Linux, sometimes on Windows) => I guess that it's some kind of security check.

If I stick all the time to a single machine then I basically never have to re-login (if I don't stop playing for something like 1 month or longer).

I lost my password, access to my email address and all information that could have been used to identify me like my paypal account. This was somewhere around 2017. It took 2 emails to get them to transfer my account to my new email address and reset my password.
Did they ask for much to verify it was yours? Given what you said, I guess not?
Here's my experience with recovering a Steam account. Some time before I lost access to my Steam account, I bought Portal 2 for the PS3, which included an activation code to get the PC version on Steam for free. When I asked Steam support to help me regain access, they asked me to write a specific thing on the flyer with the activation code, scan it and send that in to verify it's my account. After that they helped me recover the account.
That actually seems like a pretty reasonable solution, in your particular case.
Actually, when using Steam on macOS, it feels like traveling back to 2005.

I like Steam, it’s convenient and it works, but I don’t think “being ahead of the curve” is in their dictionary.

Valve introduced Steam and its security by Gabe announcing his login and password to the world. You couldn't get in, though, precisely because of the 2FA.

This was a LONG time ago when things being secure on the internet wasn't a given to most people.

> “Remember the password” barely ever works, even on desktop

Is that for browser or client? I had issue with the browser for the past 6 or so years. Every time I bring it up, a few others mention having this issue but not everyone. I think it's an account based issue since it happens on any device I use. It only happens with Steam and no other site.

I had to remove and reinstall Steam to get my auto login working again.
Download the mobile app; they have an option to enable OTP pushes. When I log in, my phone gets the code directly in notifications.

I also was annoyed by email code thingy until I found this recently.

As others have said, the value of accounts can be very high. Mine's that way, not just for the games on it, but for its age.