this post was submitted on 14 May 2025

Steam
[–] Dubiousx99@lemmy.world 2 points 2 months ago (1 children)

On mobile so forgive any formatting, but the text below is quoted from the NIST faq. https://pages.nist.gov/800-63-FAQ/#q-b03

Q-B05: Is password expiration no longer recommended?

A-B05: SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
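The two rules in the quoted paragraph, as an added verifier-side example that is not part of the comment or of NIST's own material: a change is forced only on evidence of compromise (never on age), and a replacement secret that is just a common transformation of the old one (bumping a number, changing case, swapping a trailing symbol) is rejected at change time. Function names, the stemming heuristic and the minimum length are assumptions for illustration.

```python
import re

def change_required(evidence_of_compromise: bool, days_since_set: int) -> bool:
    """SP 800-63B 5.1.1.2 para 9: no arbitrary (periodic) expiry.
    A change is forced only by an event such as a breach of the hashed
    password database or observed fraud. The age is deliberately ignored."""
    _ = days_since_set
    return evidence_of_compromise

def _stem(secret: str) -> str:
    # Heuristic canonical form (assumption): lowercase, then strip leading
    # and trailing digits/symbols so "Summer2024!" and "Summer2025!" collapse
    # to the same stem "summer".
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", secret.lower())

def is_common_transformation(old: str, new: str) -> bool:
    """True when the new secret differs from the old only by the cheap
    transformations the FAQ describes (case change, incremented number,
    different trailing symbol)."""
    if old.lower() == new.lower():
        return True
    stem_old, stem_new = _stem(old), _stem(new)
    return bool(stem_old) and stem_old == stem_new

def accept_new_secret(old: str, new: str, min_len: int = 8) -> tuple[bool, str]:
    """Decision a verifier makes at change time; the user supplied both
    the current secret (to authenticate) and the proposed replacement."""
    if len(new) < min_len:
        return False, "too short"
    if is_common_transformation(old, new):
        return False, "trivial transformation of previous secret"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(change_required(False, 400))                       # False: age alone
    print(change_required(True, 1))                          # True: compromise
    print(accept_new_secret("Summer2024!", "Summer2025!"))   # rejected
    print(accept_new_secret("Summer2024!", "correct horse battery staple"))
```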

[–] Showroom7561@lemmy.ca 2 points 2 months ago* (last edited 2 months ago)

“memorized secrets”

“When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.”

Well, there's the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?

Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.

This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That's my opinion, anyway.

edit: spelling