GabeN once leaked his password on purpose to prove how secure Steam Authenticator was, before people were familiar with 2FA.
Copied from the post:
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.
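The notice above rests on two server-side properties: an SMS code is only accepted inside its 15-minute window, and it is consumed once used, so a leaked old code has no value. As an added example (not Valve's code or a description of Steam's real implementation; all names, the fake clock and the phone numbers are constructed for illustration), here is a small Python model of such a one-time-code service that enforces both rules and records the confirmation message the post mentions:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 15 * 60  # the 15-minute validity window described in the notice


class FakeClock:
    """Constructed clock so the example can move time forward deterministically."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    used: bool = False


@dataclass
class SmsCodeService:
    """Hypothetical server-side store of pending SMS codes, keyed by phone number."""

    clock: Callable[[], float]
    pending: Dict[str, IssuedCode] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def issue(self, phone: str) -> str:
        # A fresh 6-digit code replaces any earlier pending code for this number.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = IssuedCode(code=code, issued_at=self.clock())
        return code

    def verify(self, phone: str, candidate: str) -> Tuple[bool, str]:
        entry = self.pending.get(phone)
        if entry is None:
            return False, "no pending code"
        if entry.used:
            return False, "code already consumed"
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[phone]          # stale codes are dropped, never honoured
            return False, "code expired"
        if not hmac.compare_digest(entry.code, candidate):
            return False, "code mismatch"
        entry.used = True                    # single use: a replay of this code fails
        # Mirrors the notice: a successful security change triggers a confirmation.
        self.notifications.append(f"confirmation sent for {phone}")
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the cases a leaked old text message could run into."""
    clock = FakeClock()
    svc = SmsCodeService(clock=clock)
    phone = "+15555550100"                   # constructed sample number
    results: Dict[str, Tuple[bool, str]] = {}

    code = svc.issue(phone)
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)   # guaranteed not to match
    results["wrong_code"] = svc.verify(phone, wrong)
    results["fresh"] = svc.verify(phone, code)          # legitimate use within window
    results["replay"] = svc.verify(phone, code)         # same code again: rejected

    code2 = svc.issue(phone)
    clock.advance(CODE_TTL_SECONDS + 1)                 # pretend the SMS leaked weeks later
    results["stale"] = svc.verify(phone, code2)
    results["unknown_phone"] = svc.verify("+15555550199", code2)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The point of the fake clock is to make the expiry path testable without waiting 15 minutes; in a real service the clock would simply be the system time, and the pending store would live in a database with the same three checks (present, unused, within TTL) applied before the constant-time comparison.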
I appreciate they took the time to do this. Still though, when was the last time you changed your Steam password? Regardless of this, it never hurts to update it.
Been over a decade.
NIST says if the account is protected by MFA, password expiry isn’t needed.
Nah. The need to regularly change passwords is unnecessary. If you use a sufficiently long password, unique passwords for every site, and 2FA/MFA for “important” logins, then you’re good.
Businesses requiring their staff to regularly cycle passwords is outdated and makes their systems less resilient, since it opens more angles for social engineering attacks or password security carelessness.
Unique is probably the most important thing. Well, and not using “password123” of course. As long as it’s not easy to guess, the main thing you want to avoid is password reuse, because you don’t know how securely it’s being stored. It may well get leaked as plaintext some day, as some of mine certainly have been over time.
That is when I learnt that no, a “very secure” password that you use everywhere isn’t very secure at all.
not using “password123”
So “Password123!” is still good, then?
I’m not saying every three months, but after 5-7 years like me, it’s probably just a good idea. Who knows what devices still have the passwords saved on them.
- Don’t use the same password on Steam that you use on other services.
- Use a long password, with random characters and numbers.
- Use a password manager.
- Do not click on links in emails, unless you are 100% sure it’s from Valve. Better yet, visit Steam in your browser or the Steam app and search for the page there directly. Do not log in on random websites requiring you to log in to Steam.
- Do not click on links in chat from people you don’t know or added recently to your friends list.
- Set your Steam profile to private, or enable it for friends only at best. Especially if you have a lot of skins.
- Ultimate weapon: Use official 2FA (2 factor authentication) with the Steam app on your phone. Do not lose your phone, as you cannot log in to Steam otherwise.
No security is perfect, but following these basic rules will help you to secure your account. And there shouldn’t be any need to reset the password often. If you feel better, reset it once per year or so. I don’t.
Just might do that. Thanks for the tip.