Originally Posted by Drac
Clicking a link by itself shouldn't be able to steal your password. Never type your steam password into a form field in a web browser - not even the web version of Steam's community website. Even just typing the password and not submitting/sending the form is enough to have a script on the page sneakily send whatever you type to a hackers database after each keystroke.
Not entirely true, if you're worried about a keylogger, the keylogger will capture the entry direct into the Steam client as well. If you've had script injected after manually navigating to the steam website then you've got other serious issues going on (e.g. you've been pwned anyway). I doubt you'll get big use of CSRF or anything against steam. Personally, I'd classify this as acceptable risk.
More specifically never enter your username and password into a web form (for anything) that you did not navigate to manually. If you follow a link you click (even from google) DO NOT enter your username and password. This is why banks always tell you to type the URL to their banking site manually. Never enter your username and password into a web page that is not protected by SSL/TLS - most modern browsers will display either a padlock symbol and/or will change the colour of the URL (green for firefox). If you see any errors pop up about certificates, run for the hills.
You can be attacked by clicking on any given link without first inspecting the URL. If you aren't technically able to check these details, then you shouldn't click links someone has sent you - if they're all "hey check out this cute youtube clip of a kitten falling asleep in a teacup: YouTube - Kitten fall asleep in a teacup
" don't click the link, manually go to youtube and search for the clip yourself.
This applies to all forms of communication, email, steam IM, MSN etc.
For those with kids: Make sure you teach your kids never to click on links someone sends them without asking you first. Also make sure you don't have a CC registered against their steam account - always send by gift!