
Official Guide General Steam Client Security Considerations.

Discussion in 'SteamRep Guides' started by DataStorm, Dec 22, 2012.

  1. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    NOTE: I'm not finished on this, but I don't want to continue now, so it's not complete and needs many additions.

    As I take "security" a bit wider in this manual, I'm combining the security of the account itself and the trading aspects of it where you keep your account safe from hijacking. But also on good practices for how one's profile should be set up.

    First consider the requirements to gain access to your account:
    • Login name
    • Login password
    • Secret Question
    • Steam Guard code, sent to you via email:
      • E-mail login name
      • E-mail Login password
    Login name:
    Most people already keep their password "secret", but not so much their login name. None of the above is of interest to anybody but the owner of the account, its hijacker and Valve. Regularly I see screenshots of the Steam client where those are shown, and all the work that needs to be done to turn that into a cropped shot again is annoying.

    If you are reading this, chances that you already have a Steam account are pretty high. There is not much point in talking about using secure login names of a minimum length, and not using words/real names etc. but a random numbers/characters one, if you already have to deal with your current account. That brings us to the fact that a login name cannot be changed in Steam.

    Securing Password:
    Basically this is a copy/paste of what I've written in the email guide I linked below about such. What should be the requirements of a password:
    • Minimum length 7 characters, recommended 10, longer is better. 20+ is good.
    • Consisting of a lot of different types of characters:
      • Contains numbers 1-0: 1234567890
      • Lower case a-z: abcdefghijklmnopqrstuvwxyz
      • Upper case A-Z: ABCDEFGHIJKLMNOPQRSTUVWXYZ
      • Signs like "`~!@#$%^&*()_+[]\{}|;':",./<>?"
      • Special characters on AEIOUY characters like: "áäàâÁÄÀÂéëèê"
      • And other "reachable" characters like çǃ€
        CTRL-ALT-"1" up to "=": ¡²³¤€¼½¾‘’¥×
        CTRL-ALT-"Q" up to "\": å®þ«»¬
        CTRL-ALT-"A" up to "'": ßðø¶´
        CTRL-ALT-"Z" up to "/": æ©ñµç¿
      • Space: " "
      • And alt codes: ƒ ø£Ø (various, for what one can remember)
    • Make it fully RANDOM; don't use words you know and just swap l3tt3r5 4 nurnb3r5, for those swaps are very easy to guess by a brute force tool: "1" = "L" or "I", 2 = two or to, 3 = "three" or "e", 4 = "for" or four, or "a", 5 = S, 6 = G, 7 = T, etc. The number must stand on its own, not be a dependency of a word to form. Any word is bad anyway.
    This should make the range of different characters per position about 150 or more. The difficulty of the password would then be: "number of possible characters" to the power of "number of characters".
    With 150 possible characters, and a password length of 20, the number of possibilities is:

    3,3252567 x 10^43 or 33 with 42 zeros behind it.

    There are sites generating secure passwords of specified length and difficulty; there are also some programs out there that generate/store them. Store it somewhere safe, or consider for instance TrueCrypt to store it in.

    Luckily, Steam allows passwords to be stored in the client itself. So you only need to have the password when you clean out the Steam client to re-install Steam or when you move to another computer.

    Secret Question:
    Regard this the same as a password, make it password grade; this way a relative cannot unlock it by knowing where you were born, what your mother's maiden name was, what school you were in, or what your pet's name is.
    I never understood why it didn't allow custom questions, but as long as you make it password grade, nobody can guess the answer, even if your school, pet, mother, birthplace etc. are on Facebook/known to your siblings etc.

    Steam Guard:
    Basically it's a system where one needs access to the linked email address to be able to log into Steam. The requirements are therefore that you need to have a verified email address linked to your Steam account. Verification is quite simple, and has a separate guide for Steam Guard is required to be enabled to be able to trade.
    Steam Guard required to be enabled for trading by Valve

    E-Mail:
    Now, I've already done an email security guide, please check that one out here.

    -----------------------------------
    So far the account credentials and ability to log in. There are also the settings within Steam that are either of interest or increase the ease of use of some features.

    Steam Settings:
    Already touched on with the Steam Guard settings, but there is more. To reach Steam settings:

    • Open Steam.
    • Go to top left, and click "Steam", and select "Settings":

    • You get a screen similar to this:
    As you can see above, this is the first tab "Account" of the Steam Settings. You can adjust:
    • Your secret question (requires your Password and then Steam Guard code)
    • "Don't save account credentials on this computer". To not save account credentials on the computer you are on. This one is quite important to tick if you are elsewhere, not on your own computer. Like at a friend's house or even worse: an internet cafe. (If you log into your Steam account at an internet cafe, you'd be advised to change the passwords of BOTH Steam and your email address once back on a trustworthy computer at your home.)
    The "Friends" tab:
    Two options of interest (within the red rectangle):
    • Display timestamps in chat log. I really advise turning this one on; it helps in a number of ways. One of them is that you stay aware of the time, the other is that you are able to see WHEN somebody said something to you. A lot of people just chat to somebody, and you seeing the window only after some time makes you unaware when this was said, an hour ago, or mere minutes. There are enough times it's helpful to have this on.
    • Always open a new chat window rather than a tab. I favor having it on myself. This setting, and the other settings below it about playing sounds and notifications, are personal preference (and can be adjusted per contact in your friends list). I do want to say that you can "drag" off a specific chat from the combined chats, or drag one onto another to combine them. This is all done by "grabbing" the "tab" part, where the name is shown on top, with the mouse, and dragging it off or onto each other.
    The "Interface" tab:

    Turn on the option "Display Steam URL address bar when available". It's a hugely useful feature to be able to know whose profile you are on by seeing the Steam URL bar on a profile. The URL may be a custom one, but you can copy/paste it into the SteamRep site ( http://steamrep.com ) in the search bar to find out if it's a scammer or not, or search for more info, like their backpack via tf2items.com/tf2b.com or backpack.tf, their TradePost posts or OutPost posts etc.

    Other tabs:
    The other tabs are all personal preference here.

    -------------------------
    Profile settings
    The profile settings are generally to your personal liking. There are several considerations for trading:
    • Nickname/Profile name. I just want to express that you should in general better not use a nickname equal to your login name. If you already do so, there may be no point changing. But if your login name is reasonably difficult to guess, change the nickname or "Profile Name" as Valve calls this. Stay with a nickname, it makes you recognizable. Changing it every time will make ppl lose track of you in their friends list, and they won't remember what occasion you got added etc. Also, try to be original with it, something the least amount of people will have. There are LOADS of people with "Ace" or any popular culture thing.
    • Avatar. An avatar is generally advised to be unique. Something others won't have. Don't be the 10.000th person with a pacman avatar or w/e. Take a picture for example that you yourself took of something (in my case of my cat) and make a nice cut-out of it to use. If you must change, change it to some other picture you made of the same subject. Doesn't really matter what the avatar is, just not the default "question mark". Avatar may be up to 184x184 pixels, in a picture format like jpg or png etc. (no animated gifs allowed).
    • Public profile/public backpack. It's generally advised for trading to have a public profile and backpack, so people can view your profile and backpack. There are several sites that ban if you don't have them public.
    • Comments on your profile. Do not use it for reputation. Really, countless times one sees a lot of fake Steam profile rep, and people assume it's real. It's way too easy for a lot of scammers with alts to "stuff" the comments to have a number of pages full of them by using alt accounts, "buy" rep for a reclaimed from people etc. Don't give rep for something that didn't happen. Please read:
      What Constitutes Reputation

    To edit the profile, go to Steam, click Community/Profile and click Edit my Profile.
    Unwritten Fool likes this.
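The password arithmetic in the guide above (pool size to the power of length) and its warning about l3tt3r-for-number swaps, as an added Python example that is not part of the original post. The accented-character sample in POOL, the tiny WORDS list and all function names are assumptions made for illustration.

```python
import itertools
import math
import secrets
import string

# Pool: the ASCII classes the guide lists plus a sample of its accented characters.
POOL = string.ascii_letters + string.digits + string.punctuation + " áäàâéëèêçñßø€"

# Digit-for-letter swaps named in the guide (1 = L or I, 3 = e or three, ...).
SWAPS = {"1": ("l", "i"), "2": ("to", "two"), "3": ("e", "three"),
         "4": ("a", "for", "four"), "5": ("s",), "6": ("g",), "7": ("t",)}

# Constructed stand-in for a real dictionary; a password audit would load a full one.
WORDS = {"letters", "numbers", "steam", "trade"}


def keyspace(pool_size, length):
    """Number of candidate passwords: pool size to the power of the length."""
    return pool_size ** length


def entropy_bits(pool_size, length):
    """Same quantity in bits; valid only if every character is chosen at random."""
    return length * math.log2(pool_size)


def generate(length=20, pool=POOL):
    """Fully random password drawn with the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(pool) for _ in range(length))


def undo_swaps(password, limit=10000):
    """Yield lower-cased readings of the password with the digit swaps reversed."""
    options = [SWAPS.get(ch, (ch,)) + ((ch,) if ch in SWAPS else ())
               for ch in password.lower()]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def hidden_word(password, words=WORDS):
    """Return a dictionary word the password reduces to, or None if there is none."""
    for reading in undo_swaps(password):
        for word in words:
            if word in reading:
                return word
    return None
```

A password for which hidden_word returns a word does not have the keyspace the formula suggests, because the formula only holds when every position is chosen at random, as generate does.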
  2. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    reiterate:

    NOTE: I'm not finished on this, but I don't want to continue now, so it's not complete and needs many additions.