OR, you simply refuse to believe what Phillip has stated with regard to concerns about it weakening security.

 

Pretty much this, yes.

 

You do know what 'sceptical' means, don't you? I'm not sure I could be clearer on that point.

 

Anyway, que sera and all that.

Did BW fall and hit their head again? Changing log-in information to something that is public knowledge is not only stupid, it's irresponsible. For the love of all that is good in the world DO NOT DO THIS!

Did BW fall and hit their head again? Changing log-in information to something that is public knowledge is not only stupid, it's irresponsible. For the love of all that is good in the world DO NOT DO THIS!

 

There's another person who either hasn't read Phil's excellent posts or can't be reasoned with.

 

Edit: Consolidated:

 

The complete list of Phillip_BW's posts on this topic:

 

http://www.swtor.com/community/showpost.php?p=5961316&postcount=296

http://www.swtor.com/community/showpost.php?p=5961675&postcount=303

http://www.swtor.com/community/showpost.php?p=5965096&postcount=389

 

DevTracker: http://www.swtor.com/community/devtracker.php

 

Search specifically for all Phillip_BW posts: http://www.swtor.com/community/search.php?searchid=3617416

Edited March 11, 2013 by DarthTHC

Pretty much this, yes.

 

You do know what 'sceptical' means, don't you? I'm not sure I could be clearer on that point.

 

Anyway, que sera and all that.

 

There is a difference between "skeptical" and "unwilling to believe". You pretend to be "skeptical", but in fact this response to me (above) shows me that you simply are "unwilling to believe". Which is fine if that is the way you want to go with it... BUT then don't complain that there are no BW dev posts addressing your concerns.

 

/2-cents

"No purge planned - the game is way too young to be thinking of removing old accounts, especially as a lot of those accounts have game data associated with them and we would like our players to be able to return to everything they left behind if they do leave."

 

Found this whole statement ironic considering I left for a while (whilst still maintaining a subscription I might add) and naturally had to change the name of some of my favourite characters. Unacceptable. Guess I won't be returning after all.

 

Edit: I just wanted to add that this was well after the servers were merged.

Edited March 12, 2013 by TheRealBluehero

You should follow the advice of Ruhrpottpatriot

 

Apparently some people like you didn't even bother to look at that posts, like Ruhrpottpatriot said: "I really urge you to read his posts(...)". Not only you but everyone, before posting here.

Thanks to both of you for compiling the "official" responses in a single place. I'm sure it'd be helpful to more than just me if the moderators moved them to the head of the topic though.

 

 

I had my account hacked in other mmorpg (which I played for almost 6 years) and I was the most carefull as a user can be, I didn't deserve what happened to me in that case.

 

I agree -- but sad as it may be, it was to be expected as a consequence of entrusting esthetically valuable data -- your characters, items, game progress -- to a third party (the gaming service) for safekeeping, against every possible caveat in the EULA. "<Whatever>-as-a-service" technologies are convenient, but convenience always has a price; in the case of *aaS, that price is control. You are at the mercy of the service provider and whoever can manipulate their data; you have no say in how this data is managed -- worst you can do is terminate your subscription, maybe sue them for damages, but good luck with that given the EULA. This is one reason I tend to avoid relying on cloud/*aaS solutions (including MMO games), and prefer old-school installable single-player games or games that use peer networking models or those with open server executables, with all the code and data easily replicable and within reach. TOR is a rare exception, I play this mostly because its prequels are my long-time favorites.

 

If a hacker wants to hack your account he will, we just have to make their life as harder as possible, and trust the people that looks up for our accounts security do their best to avoid it.

 

Just to make it clear, I was not calling into question the technical competence of BW/EA security staff, maybe only my own. On the contrary, SW:TOR is one of few online systems I know of to employ multiple-factor ("something you know" + "something you have/are") and defense-in-depth (password + security questions) approaches. I was only remarking on the fact that, as Wired's "Kill the Password" article points out (interesting read, BTW), better security always has the tradeoff of inconvenience and/or privacy. It would be nice to let the users decide if they are willing to make that tradeoff (and how much) instead of enforcing policies that claim to serve the users, but under the hood mostly serve to guard BW/EA against damage from their own mess-ups.

 

With this I still maintain that for most users, single-factor (password-only) authentication should be good enough as long as both the user and BW/EA manage this information responsibly. The mentioned Wired article fails to identify the flaws of passwords themselves (OK, one -- "good passwords are hard to remember," but even that is mostly a user error). Rather, it centers on the mishandling of passwords, the biggest of them being the presence (yes!) of "password reset" backdoors in most systems, and the associated social engineering exploits. By the Force, if anything should be killed, it's the password resets, not passwords. As my instructor used to say, "all known attacks against RSA are attacks against idiots using RSA." The same easily applies to password-based authentication. If I lose my password, I'm an idiot and get what I deserve. Instead of catering to the needs of idiots, who'll always find a way to mess up no matter what, online services would do well to educate users and cater to the needs of the competent.

As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in it's name.

 

The sooner the better to be honest. Having to call Support to remove the authenticator is an overly costly and time consuming process.

 

I'm still not convinced this is a good idea. Everything I know about security tells me that every single piece of login information (Username, Password, authenticator info, secret questions) should be kept 150% secret. Since the usernames are used on the forum, that's a piece of login information that is being unnessercarily exposed.

The sooner the better to be honest. Having to call Support to remove the authenticator is an overly costly and time consuming process.

 

I'm still not convinced this is a good idea. Everything I know about security tells me that every single piece of login information (Username, Password, authenticator info, secret questions) should be kept 150% secret. Since the usernames are used on the forum, that's a piece of login information that is being unnessercarily exposed.

 

With all due respect, you must not know much about security...

 

There's a funny thing that happens when dealing with a lot of fields such as security -- in which those who know almost nothing are confident in their knowledge and think they know quite a bit, while those who are extremely knowledgeable question their intelligence regularly.

 

I certainly don't mean this to be rude -- but many of the people posting on here probably don't know ANYTHING about security, or understand that -- as has already been said -- a username/email should NEVER be used as a safety measure. There are dozens of security checks that no user will ever see, and will never become public knowledge (for good reason).

 

TL;DR -- Professionals in security are explaining to people that this change has NO effect on security -- but is allowing them to implement other changes to increase security. I'm inclined to agree, because I'm not a security expert. However, should my account be hacked (or if many accounts are hacked), I may change my tune.

This is a bad move. I for one I have 2 accounts hacked from other MMO's and using my login in Name is a sure bet way to get hacked. I would like to keep my email address as my login and still keep using my Authenticator I got with my Collector's Edition. Plus if my account gets hacked I will file a suit against EA/Bioware for breach of contract.

The weird thing is that other sites used display names first and because that wasn't secure enough, moved on to emails. I think the ones that use multiple forms may be slightly more secure. Example, one used a login name, a password, a character name and a security code. The last being optional.

This is really a bad idea. No one knows my email but everyone who comes to the forums will know my Display name.

 

How is that more secure? You are giving away the first piece of information.

This is really a bad idea. No one knows my email but everyone who comes to the forums will know my Display name.

 

How is that more secure? You are giving away the first piece of information.

 

 

Sometimes.... sometimes... there is merit in reading through a thread for the detailed responses by the Bioware head of security about why you are so wrong and are worrying about the wrong things from a security perspectice.

 

I'm not kidding.... take the time to read what has been shared in response to your complaint (which has been expressed and answered multiple times.

 

Sometimes.... sometimes... there is merit in reading through a thread for the detailed responses by the Bioware head of security about why you are so wrong and are worrying about the wrong things from a security perspectice.

 

I'm not kidding.... take the time to read what has been shared in response to your complaint (which has been expressed and answered multiple times.

 

Taking the time to read answers that are wrong doesn't help.

 

But, I suppose they must learn from their mistakes. And boy are they going to learn after this goes live. lol

Taking the time to read answers that are wrong doesn't help.

 

But, I suppose they must learn from their mistakes. And boy are they going to learn after this goes live. lol

 

I'm bookmarking your response. Because it will be worth it to come back in two weeks and go...

 

WUT??!!

 

 

Some "the sky is falling!!!" style responses are worth the extra effort.

Edited April 1, 2013 by Andryah

I'm bookmarking your response. Because it will be worth it to come back in two weeks and go...

 

WUT??!!

 

 

Some "the sky is falling!!!" style responses are worth the extra effort.

 

lol And how will to determine that? Will Bioware call you and tell you everything was alright? Maybe what you should do is sit in the the CS forums and watch all the people post about being hacked.

 

Though judging by your own post history I see you just enjoying trolling. No one here is yelling the 'sky is falling'. They are trying to stop a mistake to a game that we love to play.

 

If you don't like the game, why are you here? Must be an MMO out there better fitting to your demeanor. I can think of at least one. Welcome to ignore. At least that is a feature that is being used to its full potential.

lol And how will to determine that? Will Bioware call you and tell you everything was alright? Maybe what you should do is sit in the the CS forums and watch all the people post about being hacked.

 

Though judging by your own post history I see you just enjoying trolling. No one here is yelling the 'sky is falling'. They are trying to stop a mistake to a game that we love to play.

 

If you don't like the game, why are you here? Must be an MMO out there better fitting to your demeanor. I can think of at least one. Welcome to ignore. At least that is a feature that is being used to its full potential.

 

LOL... I think you are probably the first person in forum history to tell me "If you don't like the game, why are you here?"

 

I'm more used to being called fanboy, white knight, Bioware apologist, <insert your favorite perjorative here>.

 

THAT was funny.

Edited April 1, 2013 by Andryah

Taking the time to read answers that are wrong doesn't help.

 

But, I suppose they must learn from their mistakes. And boy are they going to learn after this goes live. lol

 

And just how are the answers wrong? Do tell.

LOL... I think you are probably the first person in forum history to tell me "If you don't like the game, why are you here?"

 

I'm more used to being called fanboy, white knight, Bioware apologist, <insert your favorite perjorative here>.

 

THAT was funny.

indeed, andryah is the ultimate bioware apologist. on that dude behalf, i will say that he is sorry ol' great whitelighter. may you continue you BW fanboism for eons to come

This is really a bad idea. No one knows my email but everyone who comes to the forums will know my Display name.

 

How is that more secure? You are giving away the first piece of information.

 

Sometimes people cannot be convinced by using logic; they can only be convinced by invoking emotional responses. I think you might be one of those people.

 

Had you read Phillip_BW's posts, you would understand the myriad of reasons that this change makes the authentication system more secure. If you're worried about it being less secure, well, it's been in use for months already. Since f2p went live.

 

In all that time, how many SWTOR accounts have you heard of being compromised? We have a pretty vocal community. I read the forums every weekday. I have heard of zero.

 

In ONE DAY, how many WoW accounts are compromised?

 

Phillip_BW knows security. He's proven that not only through his informative posts here on the forums but also in his stellar results with this game.

 

Even though it may be raining or even snowing where you are, the sky is, in fact, NOT falling. It will be fine. Just as it has been since f2p went live. In fact, with the new self-service stuff they're talking about, things will be BETTER!

 

Taking the time to read answers that are wrong doesn't help.

 

But, I suppose they must learn from their mistakes. And boy are they going to learn after this goes live. lol

 

I'm sure the community would love to understand more detail about your claim that Phillip_BW's answers are "wrong", starting with your own pedigree in network security. Please, do share!

 

Besides, as I mentioned above, it has been live since f2p happened. I can find no reports compromised accounts. What exactly do you think the developers need to "learn"?

Edited April 1, 2013 by DarthTHC

Don't look at my display name!

 

No, wait, that's not gonna work....

Don't look at my display name!

 

No, wait, that's not gonna work....

That's because you forgot to wave your hand.

still not over impressed with this move,I don't disagree that it may be better security and all that but I don't want my display name as my login to my account simple as that. Edited April 1, 2013 by Avorniel

still not over impressed with this move,I don't disagree that it may be better security and all that but I don't want my display name as my login to my account simple as that.

 

Your display name has been synonymous with your email address for authentication since f2p went live. That ship has sailed.

Taking the time to read answers that are wrong doesn't help.

 

But, I suppose they must learn from their mistakes. And boy are they going to learn after this goes live. lol

 

As someone already said -- Please, enlighten us with your knowledge of Security.

Oh, I'm sorry, you have no idea what you're talking about? That's what I thought.

 

None of these answers are wrong. YOU are clearly the only troll here. Just because you lack of knowledge of security practices DOESN'T mean someone else is wrong. There's a reason he's the head of security and you aren't. There's a reason not a SINGLE account has been hacked, vs. the hundreds hacked every week in WoW and other MMOs.

 

AND -- Andryah may be outspoken and opinionated, but CERTAINLY not a troll. Unlike you, she clearly understands logic, even if she does apologize for Bioware too much