Nova Unit Apr 24, 2022 @ 2:43am
How to protect your Steam account
This is fairly simple, there are certain things you need to avoid, and use your head.
Let's start shall we?

First, if something seems too good to be true - it most likely is:
"Login here for free upgrades!"
Don't do it. Think again, why would someone give away something that actually costs money?


Someone wants you to vote for them in a game. But you have to log in to an outside site that is not affiliated with Steam or the game you are in. Don't go there and log in!


Always protect your own "property", this being all the games you have purchased, own and Steam itself. Never trust anyone you don't know, even people at work/school.


Don't use cheats. This will give you a VAC ban, and make the account/game unusable, or even steal the account instead!


Protect whatever you have, use Steam Guard.


Password protection? Sure. However, there are some rules you need to know..
1. Never use your or anyone else in your household's birthday numbers.
2. Never use any type of names, these are hacked with ease.
3. Never tell or show anyone your password, keep it safe.

Creating a good, hard to hack password? Well, you can always do the right thing - mix capital letters, numbers and "wildcard characters" (!@#$?).

Example of a password:
?myN@#3ISaP@$$w0rD!

Yes, it will be hard to remember, so write it down somehow and keep it safe. But remember, the harder the password, the harder it will be to find/hack it.


If there is anything else someone wants to contribute - please share!
Showing 1-15 of 33 comments
Jerry Apr 24, 2022 @ 3:16am 
Password bruteforcing has become almost irrelevant on most platforms, so a complicated password, while encouraged out of habit, is not the necessity it was 25 years ago. Steam does have a cooldown for wrong pw attempts, as do most sites, which means no script can simply run through all possible combinations, and a five letter pw is as safe as a 256 kb one. Just make sure you don't use the same password in too many places, and ensure that those that can cause more damage when stolen (including Steam, yes) are unique.
We have also reached a point where the safest way to store a password (except for memorisation) is actually writing it down on paper (and leaving it out of sight of any web cameras).


Way more important is the part about not entering data into external sites. All currently known schemes have at least some aspect of social engineering bound to them.

If you are logged into your Steam account in your web browser, every website that requires a Steam login should allow you to confirm your account without entering data. This is by far the easiest way to tell legitimate websites apart from fake ones.
It is still not advised to follow every link to "free" stuff and the like, as there may be malware hidden in it, but usually virus sites and phishing sites are mutually exclusive, as they do not want to ring alarms by having multiple frauds discovered.


And finally... threads in this forum are rather to be opened by people who seek help, than those who offer it. This text will be lost in the depths of a hundred daily threads soon, so it may not be the best place to put the effort into. Maybe consider publishing a guide about it.
And sadly, it often feels like people who take the time to read about the issues of scams often only do so after the damage is done.
Cathulhu Apr 24, 2022 @ 3:20am 
https://xkcd.com/936/
TL;DR: Long > complex
Nova Unit Apr 24, 2022 @ 4:26am 
Originally posted by Jerry:
Password bruteforcing has become almost irrelevant on most platforms, so a complicated password, while encouraged out of habit, is not the necessity it was 25 years ago. Steam does have a cooldown for wrong pw attempts, as do most sites, which means no script can simply run through all possible combinations, and a five letter pw is as safe as a 256 kb one. Just make sure you don't use the same password in too many places, and ensure that those that can cause more damage when stolen (including Steam, yes) are unique.
We have also reached a point where the safest way to store a password (except for memorisation) is actually writing it down on paper (and leaving it out of sight of any web cameras).


Way more important is the part about not entering data into external sites. All currently known schemes have at least some aspect of social engineering bound to them.

If you are logged into your Steam account in your web browser, every website that requires a Steam login should allow you to confirm your account without entering data. This is by far the easiest way to tell legitimate websites apart from fake ones.
It is still not advised to follow every link to "free" stuff and the like, as there may be malware hidden in it, but usually virus sites and phishing sites are mutually exclusive, as they do not want to ring alarms by having multiple frauds discovered.


And finally... threads in this forum are rather to be opened by people who seek help, than those who offer it. This text will be lost in the depths of a hundred daily threads soon, so it may not be the best place to put the effort into. Maybe consider publishing a guide about it.
And sadly, it often feels like people who take the time to read about the issues of scams often only do so after the damage is done.


Ok, so you say that the passwords if "kept" on the system (so offline mode can work) are actually protected well. Then I guess no one can hack my system and retrieve said password?



Anything can be hacked.
The Giving One Apr 24, 2022 @ 5:17am 
Originally posted by RX-0:
If there is anything else someone wants to contribute - please share!
Account Security Recommendations

https://help.steampowered.com/en/faqs/view/6639-EB3C-EC79-FF60

Examples of hijacking attempts

A list of common scams can be found here. <-----------LINK to here :

https://www.reddit.com/r/Steam/wiki/scamtypes

It covers pretty much everything you said, and more. Problem is, sadly like this eventually, people don't want to read it, even after they get scammed or hijacked.
rawWwRrr Apr 24, 2022 @ 5:38am 
Originally posted by RX-0:
Anything can be hacked.

Passwords are not targeted these days. People are. It's been proven time and again that people are the weakest link in the security chain. It's easy to overwhelm someone when their emotions are being manipulated or those who just generally always let their guard down and have no situational awareness. The weakest of the herd are prioritized as it requires the least effort and generally always nets a favorable result for the attacker. They know it is far easier to have someone just give them what they need (IE: username and passwords) than it is to try and hack it.
Dr.Shadowds 🐉 Apr 24, 2022 @ 6:33am 
Originally posted by RX-0:
This is fairly simple, there are certain things you need to avoid, and use your head.
Let's start shall we?

First, if something seems too good to be true - it most likely is:
"Login here for free upgrades!"
Don't do it. Think again, why would someone give away something that actually costs money?


Someone wants you to vote for them in a game. But you have to log in to an outside site that is not affiliated with Steam or the game you are in. Don't go there and log in!


Always protect your own "property", this being all the games you have purchased, own and Steam itself. Never trust anyone you don't know, even people at work/school.


Don't use cheats. This will give you a VAC ban, and make the account/game unusable, or even steal the account instead!


Protect whatever you have, use Steam Guard.


Password protection? Sure. However, there are some rules you need to know..
1. Never use your or anyone else in your household's birthday numbers.
2. Never use any type of names, these are hacked with ease.
3. Never tell or show anyone your password, keep it safe.

Creating a good, hard to hack password? Well, you can always do the right thing - mix capital letters, numbers and "wildcard characters" (!@#$?).

Example of a password:
?myN@#3ISaP@$$w0rD!

Yes, it will be hard to remember, so write it down somehow and keep it safe. But remember, the harder the password, the harder it will be to find/hack it.


If there is anything else someone wants to contribute - please share!
Just gonna put my cents into this as well, and add things for a better understanding of internet safety.

For 1. it's not bad to fluff your date of birth, but it's also a drawback if you ever happen to forget it and didn't record it somewhere like a password manager. Another problem is that most services barely, if at all, go by this, as this is basically one of the last options for proving account ownership, which would be used for free users instead of those that became customers. Another problem is that some services go by your ID DOB, rather than giving a false DOB to them, such as gov services, banking, etc...

For 2. Not always true. The thing is, if you use names or words, you realize they have to go through the whole dictionary, and not only that, not everyone uses the English dictionary, which is another thing they have to take into account. Names are even more crazy, as there can be millions of names; this can be your name, someone, something, fictional, or whatever. The real problem is when people only go for the bare minimum password requirement and make it way too simple; that is where the real issue is. That's why more companies force people to use capitalized letters, add numbers, symbols, or even special characters, which makes things 100x harder for attackers, as not only do they have to figure out the name/word if used, but also all kinds of placement order, and more.

For 3. This is good but shouldn't be limited to passwords; any private info shouldn't be shared at all, period, and that should always be common sense. The fewer details thrown around on the internet about you, the less idea they have how to attack you without knowing any of your important details. Also take into account that you don't want to use the same password for everything. You can use the same password for a group of accounts or across services, but ensure you have different passwords for your most important things like payment services, gov account services, etc. So even if an attacker manages to get one password, it's no threat to your important things, and you can always change the passwords of the least important accounts.

With all that in mind, more companies have already been equipped against brute force attacks for years. That means attackers can't brute force someone's account; they can't set up a bot to spam a million times until the password cracks. After a number of failed attempts you get a cooldown that can last from an hour up to a week, depending on how the service set it up. Not only that, but they can also auto lock accounts or warn the user of such events, and even track if someone is trying to log in from a given IP. For example, Microsoft can show you the history of all login attempts, as well as the IPs and the method used to try to log in.


Now moving on to internet safety tips and advice for using Steam.
Originally posted by Dr.Shadowds 🐉:
Here are the most common reasons people get accounts hijacked, for any service really.
- Sharing account information with others. <--- Very common with impersonators, pretending to be Steam admin / support.
- Logging in on phishing sites. <--- Very common with skin gambling sites.
- Downloading / Installing Virus / Keylogger on your system.
- Using public devices that have keyloggers, such as cyber cafe, school computers, etc...
- Storing your login credentials on an unsecured service that others have access to view.
- Using the same login credentials for all your things, or using the same login credentials on another service that had a data leak. Yes, it does matter, because even if it's not related to Steam, if you use the same login credentials, hijackers will try those credentials to see what services you use with them. https://haveibeenpwned.com/

https://youtu.be/9TRR6lHviQc

The type of story scammers say to you.

- "Hey vote for my team", and they link you a phishing site link, and try get you to login.

- "Hey I can't add you, please add me", and they try to start their scam with you.

- If you're friends with someone that got their account hijacked, you get scam messages like "I report you", "you been banned", and whatever to try to scare you, and they tell you to trade your items to them; or if you have logged in to a phishing site, there may be an API key on your account that redirects trades; they ask you to give them money, etc...

- If your account has already been compromised by them, they change your display name to banned, or whatever, and your display picture as well. They may delete your friends and try to spend your wallet funds if you have any, and also trade all your items. But if they see you have a mobile authenticator attached, they play their scam to get you to confirm the trade, to get your items off your account and onto theirs quicker if they're able to trick you into confirming the trade.


I'll show you a few examples.
https://steamcommunity.com/sharedfiles/filedetails/?id=2329645315
https://steamcommunity.com/sharedfiles/filedetails/?id=2570975058

https://youtu.be/JuWHCBeZrqI
https://www.youtube.com/watch?v=kook1DlxDAw
https://www.youtube.com/watch?v=0DDnV-MHSaY
https://www.youtube.com/watch?v=WfTXxLraokE

https://steamcommunity.com/discussions/forum/1/4956744526904317093/#c4956744526904653890


Originally posted by rawWwRrr:
Originally posted by RX-0:
Anything can be hacked.

Passwords are not targeted these days. People are. It's been proven time and again that people are the weakest link in the security chain. It's easy to overwhelm someone when their emotions are being manipulated or those who just generally always let their guard down and have no situational awareness. The weakest of the herd are prioritized as it requires the least effort and generally always nets a favorable result for the attacker. They know it is far easier to have someone just give them what they need (IE: username and passwords) than it is to try and hack it.
^This.

Believe it or not, most hacks, or hackers you might think of or believe in, are not actually software hackers at all, but actually social engineering hacks that basically anyone can do. That means people that trick you into giving them your info, just like those scam Nigerian prince emails, phone call scams, messages from a friend claiming to need a favor real bad, or all kinds of methods to trick you into giving money, your info, etc. to them.

When you look online, the majority of account theft is actually by scammers and phishing attacks, not hackers, as people are the most common targets online.
Last edited by Dr.Shadowds 🐉; Apr 24, 2022 @ 6:45am
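
The "don't log in on external sites" advice in this thread comes down to reading the host in the address bar correctly. The sketch below is an added example (not code from any poster or from Valve) that applies that check to constructed look-alike links; the trusted list is an assumption taken from the Steam links on this page, and every other host is made up.

```python
from urllib.parse import urlsplit

# Assumption: the two registrable domains used by the Steam links in this thread.
TRUSTED_BASES = ("steampowered.com", "steamcommunity.com")

def login_host_verdict(url):
    """Return (ok, reason) for a link that claims to lead to a Steam sign-in page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # "https://steamcommunity.com@other.example/" really goes to other.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    # Non-ASCII or punycode labels can render like a trusted name (homoglyphs).
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised look-alike host"
    for base in TRUSTED_BASES:
        # Exact match, or a subdomain: the "." boundary is what matters.
        if host == base or host.endswith("." + base):
            return True, "host belongs to " + base
    return False, "host is not a Steam domain"

# Constructed sample links; only the first two hosts appear on this page.
SAMPLES = [
    "https://help.steampowered.com/en/faqs/view/6639-EB3C-EC79-FF60",
    "https://steamcommunity.com/sharedfiles/filedetails/?id=2329645315",
    "https://steamcommunity.com.vote-team.example/login",   # trusted name as a prefix
    "https://steamcommunity.com@vote-team.example/login",   # trusted name as userinfo
    "https://not-steamcommunity.com/login",                 # suffix without a dot boundary
    "https://st\u0435amcommunity.com/login",                # Cyrillic 'e' homoglyph
    "http://steamcommunity.com/login",                      # right host, no TLS
]

def audit(urls):
    """Run the check over a list of links and return (url, ok, reason) rows."""
    return [(u,) + login_host_verdict(u) for u in urls]

if __name__ == "__main__":
    for url, ok, reason in audit(SAMPLES):
        print(("OK   " if ok else "BLOCK"), url, "->", reason)
```

A passing host check only says the page is served from one of the listed domains; it says nothing about links that lead to downloads or other non-login content.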
Washell Apr 24, 2022 @ 6:55am 
Step 1: actually be diligent enough to read these sorts of things before you get hacked instead of after. That's where most people who lose their account go wrong.
BAD *Man Apr 24, 2022 @ 12:28pm 
Well, activate Steam Guard, add a phone
and don't post your Steam API Key on some 3rd party Skin sites :)
Energywelder Aug 16, 2022 @ 5:34pm 
I recently had an account stolen because another party falsely claimed I had stolen it from them, while it's being worked on fixing, how would I prevent this from happening again in the future?
Dr.Shadowds 🐉 Aug 16, 2022 @ 5:57pm 
Originally posted by Energywelder:
I recently had an account stolen because another party falsely claimed I had stolen it from them, while it's being worked on fixing, how would I prevent this from happening again in the future?
read my post above #6.
NorthlesS Aug 16, 2022 @ 7:12pm 
useful
Energywelder Aug 16, 2022 @ 7:18pm 
Originally posted by Dr.Shadowds 🐉:
Originally posted by Energywelder:
I recently had an account stolen because another party falsely claimed I had stolen it from them, while it's being worked on fixing, how would I prevent this from happening again in the future?
read my post above #6.
#6 Seems to be more preventing people from figuring out your password instead of preventing steam from helping others hijack your account.
Dr.Shadowds 🐉 Aug 16, 2022 @ 7:49pm 
Originally posted by Energywelder:
Originally posted by Dr.Shadowds 🐉:
read my post above #6.
#6 Seems to be more preventing people from figuring out your password instead of preventing steam from helping others hijack your account.
You simply don't share or give your account to others, and don't share private details with others either, that's the advice.

As long as you don't share proof of ownership with the other "party", they can't use that against you to try to take your account.
Energywelder Sep 5, 2022 @ 12:21pm 
Originally posted by Dr.Shadowds 🐉:
Originally posted by Energywelder:
#6 Seems to be more preventing people from figuring out your password instead of preventing steam from helping others hijack your account.
You simply don't share or give your account to others, and don't share private details with others either, that's the advice.

As long as you don't share proof of ownership with the other "party", they can't use that against you to try to take your account.
I appreciate the reply, but we never shared our personal details with anyone. In fact the account was just stolen yet again, Steam ignoring the multiple factors of authentication we have on the account. I have submitted a ticket to get it back, but it is frustrating that Steam never paused to take a look at the fact that there have been repeated attempts to hack this account and they've enabled it every step of the way.
Originally posted by Energywelder:
Originally posted by Dr.Shadowds 🐉:
You simply don't share or give your account to others, and don't share private details with others either, that's the advice.

As long as you don't share proof of ownership with the other "party", they can't use that against you to try to take your account.
I appreciate the reply, but we never shared our personal details with anyone. In fact the account was just stolen yet again, Steam ignoring the multiple factors of authentication we have on the account. I have submitted a ticket to get it back, but it is frustrating that Steam never paused to take a look at the fact that there have been repeated attempts to hack this account and they've enabled it every step of the way.

Nobody hacked your account. Nobody. If anyone had access, the problem came from your side. Most likely by giving away account information. If you didn't actively do it, something else is compromised on your end. A keylogger, for example. Though even that wouldn't do that much if you use Steam Guard (which you should).
Last edited by Unn4m3d (♥AUT♥); Sep 5, 2022 @ 12:27pm

Date Posted: Apr 24, 2022 @ 2:43am
Posts: 33