Just want to know how to ‘fix’ Steam’s password field? Scroll down to “How to Fix It”
Steam & Security Theatre
You’re a smart guy. You’re not stupid about computer security. And that’s why you always make sure that you use a different password for every service you use, right? You might even use
a different password for every account, even when you have different passwords on the same service. You know that there are really, really good reasons why it’s
simply not good enough to, for example, have “high-security”, “general use” and “low security” passwords, and re-use each of them in several places. And if you don’t know that: well,
take my word for it and I’ll explain it in detail later.
It’s no great hardship to have lots of long, complex, effectively-random passwords, these days. Tools like SuperGenPass, LastPass, and KeePass, among others, mean that nowadays it’s so easy to use a different password for every
service that there’s no excuse not to. So you probably use one of those (or something similar), and everything’s great.
Except for that one
application – Steam. I have Steam save my password on my desktop PC (by the time somebody steals my
desktop PC and breaks into the encrypted partition on which my data files lie, I have bigger problems than somebody stealing my Just Cause 2 achievements), but it forgets the password every time that Ruth uses her Steam account on my computer. No problem, I think: I can easily copy-paste it from my password
manager… nope: Steam won’t let you paste in to the password field.
What? If you ask Valve (Steam’s creators) about this, they’ll say that it’s a security feature, but that’s bullshit: it’s security theatre, at best. And at worst, it means that people like me are inclined to use less-secure passwords because it’s
harder to memorize and to type out that a more-secure password would be.
How to Fix It
Well, obviously the best way to fix it would be to successfully persuade Valve that they’re being stupid: others are already trying that. But what would be nice in the meantime would be a
workaround. So here is is:
- Edit
Program FilesSteamPublicSteamLoginDialog.res (Program FilesSteamPublicSteamLoginDialog.res on 64-bit Windows, somewhere else entirely on a Mac) using
your favourite text editor (or Notepad if you don’t have a favourite). Take a backup of the file if you’re worried you’ll break it.
- In the
"PasswordEdit" section (starting at about line 42), you’ll see name/value pairs. Make sure that the following values are set thusly:
-
"tabPosition" "1"
-
"textHidden" "0"
-
style="TextEntry"
The next time you load Steam, you’ll be able to paste passwords into the password field. The passwords won’t be masked (i.e. you’ll see the actual passwords, rather than asterisks), but
the dialog never loads with a password pre-populated anyway, so as long as you make sure that nobody’s looking over your shoulder while you type, you’re set!
Update: let’s face it, Valve’s security policies suck in other ways, too. Please read the tale of a friend-of-a-friend who’s desperate to change her Steam username.
Great! But it turns out that despite there being libraries to produce server-side implementations of the technology in PHP, Perl, and C, nobody
had yet bothered to write one in that most marvelous of programming languages, Ruby.
