As my faithful reader reader knows, I have opinions about security and privacy. One of the things that has been a challenge is when providers and software do not take security as seriously. A prime offender is Steam currently. This opinion was formed before the December 25, 2015 problems with displaying information improperly. My opinion started last year in December 2014. I was in the process of changing and updating many of my passwords. I sent the following question to Steam:
“I am in the process of changing passwords on accounts, and was unable to find the requirements or restrictions for passwords. Can you provide a list of the restrictions please? When I tried to generate a new password using my randomizer it was not accepted. “
The response I originally received showed that the question was not understood (screen shot of the conversation from Steam Support Site):
“Thank you for contacting Steam Support.
We apologize for the delay.
Please follow the link below for information:
Title: How do I change my Steam account password?
If you have any further questions, please let us know. “
I responded indicating:
“I know how to change the password, however when I try to change it, the password is not accepted. So what is the parameters of the passwords “
The Steam response was less than helpful:
Unfortunately, the full requirements are not currently available.
It must not be a previous password and must meet the password strength requirements.
Steam Support has provided you with all of the relevant information regarding this issue. “
Please allow me to highlight that exchange a little more. “The requirements of the password are not available, but your password must meet the requirements.” Steam basically said, we can’t tell you what the requirements are but you need to meet them. At the same time I was doing testing and submitting of passwords to try to find out what the requirements are.
To say that I find that they are lax is an understatement especially for a commerce site; a commerce site that allows and suggests storing of credit card information. I was not able to use certain special characters but I was not sure what they are, so I literally had to make my best assumptions by trial and error. The length of the password was also not clear so I once again did trial and error. I understand why some might think by not indicating password parameters provides a hurdle to people hacking it. Allow me to state that a brute force attack would not care, it would simply add more failures.
If one couples this with the recent breach of information and lack of contrition or concern from Valve/Steam it makes me more nervous. The most frustrating part of this problem is that for many game titles I do not really have another avenue to purchase from. I am still one of those people that wants to have a hard copy of the content I own and not just have it on the cloud. I am comfortable with the idea of a piece of technology having to verify that it is legal through contacting an online server, not ideal but understandable.
So if Steam/Valve is listening, which I doubt, I request and want a more secure system. I would ask the following and I think most people would as well:
- More information about password requirements
- More complex and longer passwords allowed
- Two Factor Authentication
- Proactive Communication when there is a problem, notice I didn’t say if but when as given the current track record it is only a matter of time
To my readers, I ask that you share these ideas with others and get Valve and Steam to pay attention and make improvements.