(ETA: Note the reason I mention 50+ is that I specifically vary the length randomly; when I don't the cracks drop to hours apart.)
It's significantly more likely that you've been keylogged or phished if attackers are actually accessing your Steam account with passwords of that complexity.
I do assume it is brute force/password spray.
More details in sibling reply: https://news.ycombinator.com/item?id=25739283
with 5 bits per character (and assuming random characters, which is what you mean right?), that's 300 bits of entropy, nothing in the universe could brute force that
I believe that the password spray capabilities of today's botnets on any endpoint that returns results as fast as network messages travel should not be underestimated in a distributed enough attack. Given that not-varying the password length had a noticeable impact on time, the warnings from my email providers, and other increasingly paranoid measures I've taken [0], I have no reason to suspect that this anything but a very distributed password spray attack.
Simple GitHub searches seem to indicate that there are known password spray capable Steam endpoints that currently still leak password correctness/verification data regardless of 2FA enabled (and also leak whether or not 2FA is enabled on the account) and always falls back to email-based 2FA. (These leaks and that fall back would have me believe it's one of the Password Recovery or 2FA Recovery endpoints.) Though I've not attempted to run such gists/"utility libraries" myself to verify (I'm too lawful neutral/not a black hat whatsoever), at a surface level it seems like more than enough evidence to suggest botnets would use such things if enough people were posting "helpful password recovery tools" on GitHub that password spray accounts you tell it to.
[0] The paranoia has gotten quite "fun":
- I only ever sign in to Steam now inside the Steam client and Steam Mobile app.
- I disabled all OAuth applications on my account, no longer sign in under any web browser, and have refused to allow new applications.
- I've removed all devices except my primary gaming desktop and mobile device.
- I've removed all credit card data that I can and haven't bought or paid for anything directly in the Steam client in years.
- There's evidence that password hashes used to be leaked from a file in the Steam client's folder. (I believe that file no longer exists in recent Steam clients, at least.) For that reason, I've turned on Windows Controlled Folder Access (aka Windows Ransomware Protection) on all of my Steam folders. This has been an amazing bundle of joy~ and has basically stopped me from playing Steam games. Games are developed by children and it is amazing the number of entry point binaries a single game might have to run, how often even "offline only" games still want to run binaries they copy or bury in random places in %LocalAppData% or worse %Temp%. The whack-a-mole to enable games to run under Controlled Folder Access becomes its own very not fun minigame before you can actually start the real game. (It's also really interesting to see what some games do when they fail to get folder access they just assume they'll always have. So many permutations of "the game works but crashes at weird points" or "the game thinks it is running on a Mac for stupid reasons" or "the game thinks you intentionally want to run it without the ability to save or load saves, because that's a thing people might do?".)
My paranoia suggests my next steps are only to isolate Steam to its own entirely separate user account on the machine and/or its own unique VPN.
My basic threat modeling assumes if they were compromising anything specific outside of Steam, they'd have compromised my email accounts already.
At this point it increasingly feels like the only reason I keep Steam installed is to reset the password every time I get a Steam Guard email.
Frankly a keylogger on your laptop sounds more plausible.
https://security.stackexchange.com/questions/82389/calculate...
Secondly, you seem to conjecture that attempting password guesses against a network service would somehow bring that difficulty down considerably, to reachable levels. However: local hash guesses are made on GPUs or specialized FPGAs, whereas servers run on regular multi-purpose CPUs—plus, if you had a server respond to login attempts nonstop, it would spend half of the time in context switches and kernel calls. Top http frameworks in pure C reach just over a million responses per second when doing nothing but sending empty responses. You're asking that Steam dedicate a fleet of thousands of servers to facilitate cracking your password. And on top of that, the service would also need a database that likewise serves billions of requests a second.
Additionally, modern hash algorithms like bcrypt are constructed so that they take considerable and configurable time (on any hardware), so the hashing rates are on the order of tens of thousands a second or less, instead of billions and trillions. Since Steam are evidently very concerned with account security, I'd guess they take advantage of these algorithms—and since you changed the password recently, it was probably hashed with the latest used algorithm.
Besides all of the above, a service easily foils password guesses by limiting the number of attempts against an account in a time span, which is by now one of the basic prescribed measures. The whole purpose of ‘password spraying’ is to sidestep this limitation by attacking a lot of users but using most common passwords. In no way does it help with guessing a single long random password.
Lastly, while it's conceivable that Steam could have some vulnerabilities that would make cracking its accounts easier, those wouldn't be burned by attacking the same accounts over and over for months.
To sum up: the whole magnitude of the task is such that no one would solve it just to steal your trinkets, even if they could. It's time to accept that either your passwords are easily guessable, or are lifted from you in some way.
