by WorldMaker
1987 days ago
Also, there are plenty of reasons it might not be happening as badly elsewhere as it is happening specifically on Steam. Microsoft (and Microsoft Research) has made it very clear in recent papers that distributed password spray (where the spray is spread out over large numbers of IP addresses/countries/etc) is the number 1 issue right now in passwords, and that detection and blocking are crucial. Steam has argued in the past that such things are impossible to do at their scale. (Microsoft would argue today that their scale in Office 365/Azure AD/Microsoft Accounts has easily now dwarfed Steam's scale.) There's enough evidence today (as I already mentioned) that Steam still doesn't have those detections/blocking in place (and are relying too much on Steam Guard/2FA to keep accounts safe). (Not to get too deep into the woods of Steam criticism, but the argument may not be that it is impossible at scale but that it is impossible to prioritize it within Valve's notorious management culture.)
I'm skeptical of what you're proposing because it's not hard to design a system that freezes mass random IP login attempts to an account after 'x' low number of random attempts and then only allows the past successful IP addresses to continue with a successful login, as well as doing an email verification if the password is successful but is being used from a new IP address.
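
The per-account scheme described in the comment above, sketched as an added example that is not part of the original thread and is not Steam's or Microsoft's code. The class name, the threshold of 5, the one-hour window and the sample addresses are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict

FREEZE_THRESHOLD = 5     # assumed value for the comment's 'x'
WINDOW_SECONDS = 3600    # assumed: failures older than this stop counting

class AccountGuard:
    """Per-account gate: familiar IPs keep working, unfamiliar ones get frozen."""

    def __init__(self, check_password):
        self.check_password = check_password   # callable(account, password) -> bool
        self.known_ips = defaultdict(set)       # account -> IPs confirmed by the owner
        self.failures = defaultdict(dict)       # account -> {unfamiliar ip: last failure}
        self.pending = set()                    # (account, ip) awaiting email confirmation

    def frozen(self, account, now):
        # Count distinct unfamiliar IPs that failed inside the window.
        recent = {ip: t for ip, t in self.failures[account].items()
                  if now - t < WINDOW_SECONDS}
        self.failures[account] = recent
        return len(recent) >= FREEZE_THRESHOLD

    def login(self, account, ip, password, now=None):
        now = time.time() if now is None else now
        familiar = ip in self.known_ips[account]
        if not familiar and self.frozen(account, now):
            return "frozen"                     # password is not even evaluated
        if not self.check_password(account, password):
            if not familiar:
                self.failures[account][ip] = now
            return "denied"
        if familiar:
            return "ok"
        self.pending.add((account, ip))         # right password, new IP
        return "verify_email"

    def confirm_email(self, account, ip):
        # Called when the owner follows the emailed link for this IP.
        if (account, ip) not in self.pending:
            return False
        self.pending.discard((account, ip))
        self.known_ips[account].add(ip)
        return True

if __name__ == "__main__":
    guard = AccountGuard(lambda acct, pw: pw == "correct-horse")  # constructed check
    print(guard.login("alice", "198.51.100.7", "correct-horse", now=0))
```

The counters here are keyed by account, so they only see repeated attempts against one account; a spray that tries a single password against each of many accounts leaves every per-account counter at one and needs cross-account detection instead.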