
Thread: FYI: Steam accounts were hacked (around 10th November)

  1. #27
    Would you mind sharing which ones?
    Just on local computer, trying different software throughout the years. I have an FTP server as a hidden service, online with the computer every day, which only accepts localhost for admin.

    About subnetting or IP manipulation, that really is just a DoS attack. Consider it as a mail that you send anonymously to someone. The receiver has no way to send you its "thanks", such as "welcome to the system", because it doesn't know where you are. So this method cannot directly be used to gain access to the system; it's just harassment.

    ..humans can remember only simple passwords which have some predictable patterns. This means that guessing those passwords is easier.
    That was maybe so 5 years ago, but now assume that every password has numbers and letters (nobody cares about passwords that don't, that's just stupidity and everyone knows that). Pick a random Steam name and try guessing his password just like that... How many attempts would it take? 10? Try a botnet to log in to his account... oh wait, his user account has a 10 second delay between login attempts, and a 10 total limit till it locks up waiting for email verification or something.

    Should I rephrase it? Could I guess your pascalgamedev password easily in under 1000000 attempts?

    I'm just speaking of various techniques you can use with net services, not that they are best and flawless just on their own or without much further planning through the whole thing. Just because you say there are flaws in a technique, do you think nobody uses them?

    Also, you might think that locking up someone's account for a hacking attempt is too harsh a method. It's actually reality on many systems, it's just that hacking in general is not that common against certain user accounts. Even a game server as old as Diablo 2 visibly showed the player's last failed login attempts, to see if someone had tried to hack him.

    An alternative solution would be simply a delay (e.g. a few seconds) so that it will take quite some time for an automatic solution to guess the password, which you can detect later in the logs and do the necessary investigation on the matter without affecting any of the users or shutting down the system prematurely.
    And that's exactly the same thing I was talking about, I'm just not mentioning all minor details. Server admins may still shut it down for safety reasons if they wish to do so, IP logs are there anyway, be it useful or not. It should be in most cases very easy to see a sudden spike in failed login attempts. Assuming the system has any such graph tracking at all.
    Last edited by User137; 24-11-2011 at 09:44 AM.
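The two defences argued over in the post above (a fixed delay between login attempts per account, a hard lockout after a number of failures, and a log that makes a spike in failed attempts visible) as an added example; this is not code from the forum, from Steam or from any game server. The 10 second interval and 10 failure limit are the figures quoted in the post; the class name, the `check_password` callback and the injected `clock` are assumptions made for the example.

```python
"""Per-account login throttle with a failure lockout and a review log.
Added example; thresholds are the ones mentioned in the post, the API is assumed."""
from collections import defaultdict

MIN_INTERVAL = 10.0   # seconds a client must wait between attempts on one account
MAX_FAILURES = 10     # consecutive failures before the account locks for out-of-band verification


class LoginThrottle:
    def __init__(self, check_password, clock):
        # check_password(user, pw) -> bool ; clock() -> current time in seconds (injected so tests can simulate time)
        self._check = check_password
        self._clock = clock
        self._last_attempt = {}             # user -> time of last attempt that was actually evaluated
        self._failures = defaultdict(int)   # user -> consecutive failures since the last success
        self.locked = set()
        self.log = []                       # (time, user, outcome) kept for later investigation

    def attempt(self, user, password):
        now = self._clock()
        if user in self.locked:
            outcome = "locked"
        elif now - self._last_attempt.get(user, float("-inf")) < MIN_INTERVAL:
            outcome = "too_fast"            # rejected before the password is even consulted
        else:
            self._last_attempt[user] = now
            if self._check(user, password):
                self._failures[user] = 0
                outcome = "ok"
            else:
                self._failures[user] += 1
                outcome = "fail"
                if self._failures[user] >= MAX_FAILURES:
                    self.locked.add(user)   # stays locked until verified out of band (e.g. by email)
                    outcome = "locked"
        self.log.append((now, user, outcome))
        return outcome


def failed_attempts_per_window(log, window):
    """Count non-successful outcomes per time bucket; a sudden spike stands out in the result."""
    counts = defaultdict(int)
    for t, _user, outcome in log:
        if outcome != "ok":
            counts[int(t // window)] += 1
    return dict(counts)
```

Note that a correct password submitted inside the interval is also rejected, so a legitimate user who retries too quickly sees the same response as a guessing script; the log is what separates the two afterwards.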
