
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


Are we going to be given the option to change the display name? I made one with little to no thought. If it is something I have to use as a login in I want to have the opportunity to change it to something I feel is usable and secure.


Are we going to be given the option to change the display name? I made one with little to no thought. If it is something I have to use as a login in I want to have the opportunity to change it to something I feel is usable and secure.

 

Please, read the Dev Tracker

 

Answered already


It's amazing how many armchair security professionals there are playing swtor. You all should apply for high level security jobs for knowing so much.

 

/end sarcasm

 

Everyone screaming about knowing half of your login information knows absolutely nothing about security. Here's how you would have to attack the site if you know the display name vs email.

 

Scenario 1

Try to log in.. brute force the password. Internal systems pick up the brute force attack and block the IP, flag it for review. Seriously, brute force attacks are very easy to detect.

 

"But they could use a BotNet" True hackers using a BotNet are not interested in stealing your Swtor account. They want personal info like CC info to sell or the database of the user/passwords to sell to a 3rd party. They would be attacking Bioware's internal network. Not brute forcing your account.

 

"Gold Farmers......." Don't brute force, they either buy email/password lists from other hacked sites or hack vulnerable forum/game sites and use it to try and access accounts for other games. The majority of users don't practice good security and use email addresses on multiple sites. You yourself probably don't, but for every 1 person that does, there are probably a couple hundred that don't.

 

Simple passwords... Again this is your own fault, not Bioware's. If you're using a simple password like 'Password1' then you should seriously consider changing it to something much harder to guess like P2Ssw4Rd (replace each vowel with an even number and capitalize the next letter). And obviously don't use the word password.

 

Scenario 2

Try to log in with someone's display name, click forgot password, but I don't have your email address so now I am kinda stuck because I don't know where they are sending the password. I could try to social engineer the answer out of the person, or Bioware. Let's say I'm successful; I still don't know the password to the email account, so we're back to either trying scenario 1 on the email site, or back to trying to socially engineer the password out of the person. If you give up your password to someone it's your own fault and you can't blame BW for that.

 

Most email sites now have some sort of 2 factor or 2 step verification; you also shouldn't be using the same password for email and other sites. And if someone does ask you for your password, you should be asking yourself why, since no one would ever ask you for that info.

 

Those claiming that they know "50% of the login" are missing SAQ's and IP verification, so really you only know 33%, 25% if they are using an authenticator.

 

If I had to guess, the reason they are moving away from email is to separate your email address from display name to be able to start using email verification steps for login, for users that either can't get an authenticator or don't want one, but want some sort of 2-factor login.

 

What's funny is this same fear mongering / argument went down before launch when they were using email addresses to login. Now that they are changing it, same fear mongering / argument. Damned if you do, damned if you don't.

 

TL;DR

Usernames should not be a protection for authentication. Authentication is separate from identification. Identification is a piece of data that describes an individual or group. Most of the time a username is a sequence of characters that uniquely identifies an individual. Typically an individual is authenticated with a password. I may claim I am Margaret Thatcher, but if I cannot type in Margaret Thatcher's password then I cannot authenticate as Margaret Thatcher.

 

Nicely summarized and explained Mogic. :)

 

Requoted, in its entirety.... simply because this sane post needs to be reinforced over and over again for some.


Ok. With the change of login from email to user name, there are a lot of concerns. In the Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?


Ok. With the change of login from email to user name, there are a lot of concerns. In the Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

 

A ban/block of some length on the offending IP address with a threshold high enough so that it only fires on brute force activity as opposed to simple user error would accomplish it.

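As an added example (my own code, not BioWare's or SWTOR's, and not from any post in this thread) of the control described above: a failure counter keyed on the source address, with a threshold a user mistyping a password a few times never reaches, that blocks the guessing address and never the account, so the owner keeps logging in from their own address. It goes one step beyond the post by also flagging an account for a step-up check (the thread's security question or email verification) when failures against it are spread over many addresses; all thresholds, names, the credential store and the event timeline are assumptions.

```python
"""Per-source brute-force throttling: block the guessing address, never the account.

Added example, not BioWare's or SWTOR's code. Thresholds, names, the credential
store and the event timeline below are all constructed for the demonstration.
"""
from collections import defaultdict, deque

IP_FAIL_THRESHOLD = 10       # failures from one source within WINDOW -> block it
ACCOUNT_FAIL_THRESHOLD = 25  # failures against one account from ANY source
WINDOW = 600                 # seconds
BLOCK_SECONDS = 3600         # how long a blocked source stays blocked


class LoginThrottle:
    def __init__(self, verify):
        self._verify = verify                  # (user, password) -> bool
        self._ip_fails = defaultdict(deque)    # ip   -> failure timestamps
        self._acct_fails = defaultdict(deque)  # user -> failure timestamps
        self._blocked_until = {}               # ip   -> unblock time

    @staticmethod
    def _prune(q, now):
        """Drop failures older than WINDOW so a user's stray typos age out."""
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                       # block expired: clean slate
            del self._blocked_until[ip]
            self._ip_fails[ip].clear()
            return False
        return True

    def attempt(self, ip, user, password, now):
        """Returns one of: ok, step_up, failed, blocked."""
        if self.is_blocked(ip, now):
            return "blocked"
        ipq, uq = self._ip_fails[ip], self._acct_fails[user]
        self._prune(ipq, now)
        self._prune(uq, now)
        if self._verify(user, password):
            # Right password, but the account is under a distributed guessing
            # run: ask for a second factor (security question, email check)
            # rather than locking the legitimate owner out.
            return "step_up" if len(uq) >= ACCOUNT_FAIL_THRESHOLD else "ok"
        ipq.append(now)
        uq.append(now)
        if len(ipq) >= IP_FAIL_THRESHOLD:      # only the SOURCE is blocked
            self._blocked_until[ip] = now + BLOCK_SECONDS
            return "blocked"
        return "failed"


# Constructed credential store for the demo (assumption, not a real account).
_USERS = {"broomticket": "correct-horse"}


def _verify(user, password):
    return _USERS.get(user) == password


def run_demo():
    """Replays a constructed timeline; returns the outcomes the thread argues about."""
    t = LoginThrottle(_verify)
    owner, attacker, out = "198.51.100.7", "203.0.113.9", {}
    # 1. The owner mistypes three times, then gets it right: never blocked.
    for i in range(3):
        t.attempt(owner, "broomticket", "typo%d" % i, now=1000 + i)
    out["owner_after_typos"] = t.attempt(owner, "broomticket", "correct-horse", now=1004)
    # 2. One source hammers the publicly known display name with guesses.
    res = [t.attempt(attacker, "broomticket", "guess%d" % i, now=2000 + i)
           for i in range(IP_FAIL_THRESHOLD + 2)]
    out["attacker_blocked"] = res[IP_FAIL_THRESHOLD - 1] == "blocked" and res[-1] == "blocked"
    # Even the right password gets the blocked source nothing.
    out["attacker_right_password"] = t.attempt(attacker, "broomticket", "correct-horse", now=2100)
    # 3. The account is NOT locked: the owner's own address still works.
    out["owner_during_attack"] = t.attempt(owner, "broomticket", "correct-horse", now=2101)
    # 4. The block expires; the source starts again from zero failures.
    out["attacker_after_expiry"] = t.attempt(attacker, "broomticket", "guess", now=2009 + BLOCK_SECONDS + 1)
    # 5. Distributed guessing: 25 sources, one failure each, each under the
    #    per-IP threshold. Nobody is blocked, the account is not locked, but
    #    the next correct login is asked for a second factor.
    for i in range(ACCOUNT_FAIL_THRESHOLD):
        t.attempt("192.0.2.%d" % (i + 1), "broomticket", "guess", now=7000 + i)
    out["owner_after_distributed"] = t.attempt(owner, "broomticket", "correct-horse", now=7030)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%-26s %s" % (k, v))
```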

This does not bother me one bit. After all we already have the option to use our Display Name to Log-In and it is not like I have not been on other sites and games that do the same thing. Basically many of the sites and games I have used and played use my Display Name that I make for that service.

 

For me, I in fact much rather like to use my Display Name over my Email Address. For one it is completely different from any of my Email Addresses out there. Your Email Address is more important than a Display name as it grants more access if people find that out. In fact knowing the Email Address makes Finding out the Password or Impersonating the Person much easier. In my opinion, the Less opportunity people have to find out an email the better.

 

You know I fear the people walking by when I use my Laptop in public more than I fear a person attacking this account system or forums and game. There is just something about having an email address displayed on the screen as people walk by that bugs me. :rolleyes:

 

You know speaking of Security, it is kind of the reason I went ahead and got the Security Key Device. It is just one other added bit of security that a person needs to go through. I really suggest that if players out there have not done this, that they go ahead and do so. It doesn't matter if they choose the App or the Actual Key Chain Device. But if they do this it does help in Security, which is why I would suggest that people get it. Especially those that are worried about it.

That is just my opinion. :cool:

 

 

 

 

Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

 

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).

 

You know in reading this thread I see people saying otherwise to this. Not sure if Steam changed something down the line but for me my Display Name there is the same as what I use to log-in. Of course I made my Steam Account a long time ago and I do not use it much as I really am not a fan of Steam so I am not sure if they changed that in some way. So what you say here is correct for what my experience with Steam is.


Ok. With the change of login from email to user name, there are a lot of concerns. In the Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

Because it IP bans them. You will still be able to log in from your IP address.

 

I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.

 

You can put anything you like in those answers. You don't have to answer truthfully :p As long as you remember what your answers are.

 

What is your favorite color?

Broomticket

Edited by DaRoamer

Because it IP bans them. You will still be able to log in from your IP address.

 

 

 

You can put anything you like in those answers. You don't have to answer truthfully :p As long as you remember what your answers are.

 

What is your favorite color?

Broomticket

While that's true, it's hard for me to remember wrong answers to questions I only encounter a couple times a year.


You can put anything you like in those answers. You don't have to answer truthfully :p As long as you remember what your answers are.

 

What is your favorite color?

Broomticket

:rak_03:

Q: "What's your primary school?"

A: "superman"

I love the way you answered this. I do not think I could have said it better. :D

You pretty much nailed it as it does not matter what your answer is. It does not have to be anything related to the question. Just make something up. I personally do that a lot. :rolleyes:


So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

 

Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.

 

To this I have to repeat the plea: Please let us choose our own questions. The questions to choose from partly ask for information that can be obtained or guessed with a little research.

 

Giving me the option to choose my own security questions would enable me to ask for information that I know is not publicly available or guessable.

 

This is especially important since only an address and the 3 security questions are required to remove the security key from an account.

 

 

I love the way you answered this. I do not think I could have said it better. :D

You pretty much nailed it as it does not matter what your answer is. It does not have to be anything related to the question. Just make something up. I personally do that a lot. :rolleyes:

 

I used to do that, but it became a bother to manage all the wrong answers. In the end, it's inconvenient, and once inconvenience reaches critical mass it becomes a huge danger to caution.

Edited by KyaniteD

To this I have to repeat the plea: Please let us choose our own questions. The questions to choose from partly ask for information that can be obtained or guessed with a little research.

 

Giving me the option to choose my own security questions would enable me to ask for information that I know is not publicly available or guessable.

 

This is especially important since only an address and the 3 security questions are required to remove the security key from an account.

 

As has been stated before, what you put into the security question answer text box doesn't have to relate to the actual question at all. Make up your own question. Answer "jizzlesnort". Whatever.

 

I was quite amused that one of the security questions is "favorite movie". How many unthinkingly answered, "Star Wars"? I sure didn't!


  • Dev Post

We had a minor issue with uploading one of my posts yesterday, and it lost the 'Next BW Post' link as a result. So just in case you missed it, here is a list of the posts thus far!

http://www.swtor.com/community/showthread.php?p=5954106#post5954106 (Courtney's starting post)

http://www.swtor.com/community/showthread.php?p=5955636#post5955636 (First reply)

http://www.swtor.com/community/showthread.php?p=5961316#post5961316 (Second reply - this is the one with the missing link)

http://www.swtor.com/community/showthread.php?p=5961675#post5961675 (Third reply)

 

OK - pages 31 to 37 answers...

 

When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.

We have Security Key applications for Windows Phones (and Blackberry even) on the list of 'would be really nice to have', but there are no current development plans for those at this time. That is a business decision based on market share - the development effort is not trivial, and until the percentages change significantly (which they could!) we probably will not get funding for the work involved. I've used Windows Phones most of my life, so this is a topic near and dear to my heart as well :jawa_grin:

 

This is going to be blunt but you are wrong. I'm sorry. How do I know? Last week I upgraded from my iPhone 4 to an iPhone 5. Upon restoring my backup via iTunes, I found the app was crashing. Security feature, maybe? Anyway, I grabbed the details I saved and removed and restored the app from the app store. I input the saved information and I now have a working security app for my account. Been using it ever since I got the iPhone 5.

I will have that functionality tested again - the time period for being able to reuse the same key successfully (and this relates to the Mobile version only) should stop that after a certain number of authentications. It's possible the configuration changed when we consolidated some of our back-end systems, so I'll get the configuration validated for sure. I'll make sure if we do have a configuration change there that we only change it after the self-service options are available (your next question is actually related after all).

 

Unrelated note, but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?

As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.

 

I wonder if this might be a prelude to using Display Names as handles attached to character names... like STO does it. I know a lot of people have been upset over losing character names in the server merges, so this would be a way to let them have their names back (not saying this is a good thing... it just sticks out as a possibility). So instead of having a character named Mara and being the only Mara on the server, I'd be "Mara@InvinciBelle". It'd only display "Mara" in the game world, but when you click to friend or chat it'd clarify with the "@InvinciBelle" added to it. And that way there would be no more unique names and everyone who lost their original names could have them back.

 

Again, I'm not saying this is a good idea (I kinda like having a unique identity, even if it's not the one I wanted)... just that this seemed like a possible direction after I read the announcement.

The removal of email address as a username option is a change to our out-of-game authentication system only. No in-game name changes will result. I thought it best to clear that up...

 

OK, tin foil hat time: this change is due to splitting off SWTOR, to in effect create a different account.

Also squashing this before it becomes a rumour - we aren't splitting off SWTOR from EA. The change in our authentication system is an enabler for modifications or additional systems associated with authentication only.

 

Way it was done previously:

Login using email (which someone would have to guess) and password. More secure.

 

Way it will be done now:

Login using username (which EVERYONE knows) and password. LESS secure.

 

 

Because an IP ADDRESS is not a form of 'security'.

limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently, but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.

Relying purely on IP Address indeed would be ridiculous. Imagine a university dorm and everybody being able to play each other's accounts. That would be horrific if you valued your account at all in that scenario.

All these scenarios (and many many more) have been considered and mitigated. We aren't relying solely on one control (such as an IP Address) to protect an account, just as we have never relied on just username/password in the live game. We rely on many controls that work together to protect the account. Yes we are changing some of those controls, but only so we can put additional systems in place without removing security. The upshot is that accounts will be in an even more secure state as of April 2nd.

 

I completely agree with this assessment.

 

Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

 

 

 

Incorrect. There are two main ways of hacking into one's account - the phishing and the keylogger virus.

 

1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

 

2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into origin) and the display name (as you log into SWToR) in order to play the game.

Even today, hackers can browse the SWTOR forums for Display Names. It doesn't give them anywhere near half of a player's login credentials though, and we have built our security based on the knowledge that some players use the same username and even the same password on multiple websites. With the number of compromises of those credentials at other companies in the last few years, the concept that 'username' is something to try and protect is a foolish concept indeed. It's why we have so many other controls in place to make knowledge of the username in and of itself irrelevant.

You are right that two of the ways of being 'hacked' are phishing and keyloggers. And these are things that you as a player (indeed, all the players!) can and should control. There are some very simple ways to protect yourself:

* Ensure you have a good AV program installed and kept up to date

* Use a unique password on your email account

* If possible put a two-factor system around your email account (Two-Step for GMail is the most obvious/easy to get of the solutions out there)

* Don't visit hacker websites, or for that matter most **** sites - a lot of them have virus attacks included in viewing the pages

* Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...

* There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

 

I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?

The maximum length of 16 characters is an EA restriction due to a lot of other systems across EA that cannot handle more than 16 characters still. One day that may change (and I continually push for that work to be completed!), so in the meantime we have many other controls in place to make a shorter password not as important as it otherwise could have been. Being forced to have a shorter password has meant we have placed more controls than we otherwise would have, which is why you don't see thousands of 'my account was hacked' posts on a daily basis. Sometimes being restricted in specific instances on what security we can implement has created better security overall due to the other controls we put in place.

 

Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

 

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.

That has to be one of the best posts in this entire thread! I would love to care more about peoples feelings when it comes to security, however the attackers/hackers out there don't. Not one bit. Personally I do care, but professionally I also have to deal with the attackers, so I have to cater for their level of caring and look at security from the point of view of boring concepts such as logic. If that focus on preventing zero-feeling attacks has bled over into my answers, then I can only apologize - my ambition is to ensure we continue to keep accounts secure at a reasonable level of cost. That, and nobody likes my idea of requesting a pint of blood for DNA verification every time a player logs in. :jawa_angel:

I actually like people being vocal btw. It helps ensure we haven't missed anything (there are a lot more of you than us working here!), and I can safely say that nobody has brought up a concern with regards to the change to Display Name only that we haven't already planned for or mitigated by ensuring we have other controls in place. I'm just trying to alleviate (or even educate) people with regards to better security, as it is a very complicated subject that most people take for granted without fully understanding. Perceptions based on less than full understanding are something I'm trying to get to perceptions based on better understanding...

 

I call BS. This level of detail and attentiveness requires a much larger time commitment.

 

Don't stop the sass, Phillip. These guys need to know that

1. British people are the funniest.

2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security

OK - you caught me. I'm only spending a few minutes on each answer. :jawa_cool: The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time.

 

Ok. With the change of login from email to user name, there are a lot of concerns. In the Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

Both are true as we have other controls in place which we don't talk about, and from a player's perspective you will never see in action as you aren't trying to 'hack' your own account. Attackers on the other hand trigger the other controls and are dealt with accordingly - that's why those other controls exist: to protect your legitimate usage of your account.

 

I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.

Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently has been looked at a few times already, and I'm sure it will come up as a topic internally again. With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite.

 

Because it IP bans them. You will still be able to log in from your IP address.

 

 

 

You can put anything you like in those answers. You don't have to answer truthfully :p As long as you remember what your answers are.

 

What is your favorite color?

Broomticket

I too don't answer the answers truthfully! To prevent myself from forgetting the answers though, I keep them locked up in a little program called Password Safe (sourceforge project). There are quite a few similar programs out there such as KeePass, and I highly recommend using one to avoid that 'forgot!' moment. I use a different answer on every site as well, so would never be able to remember the answers if I wanted to...

Just never ever use that 'master password' anywhere else!

 

 

OK, finished with page 39 now...


As has been stated before, what you put into the security question answer text box doesn't have to relate to the actual question at all. Make up your own question. Answer "jizzlesnort". Whatever.

 

I was quite amused that one of the security questions is "favorite movie". How many unthinkingly answered, "Star Wars"? I sure didn't!

 

Edited my post. 14 years on the Internet with fake answers made me in the end return to the truth, because the truth is easier to remember and doesn't get lost when a notebook or calendar is lost or a hard drive is wiped.

 

Just an option to let us choose our own questions would be enough. Or mix it, make it a choice of 3 fixed and 3 freely chosen ones.

Edited by KyaniteD

Hilarious..... except the hypothetical you quoted is inaccurate.

 

It's pretty simple to put anti-griefing measures in place with existing systems to prevent this. In fact, it's clear that they already exist, and have since launch. But hey... feel free to try to grief forum members and see what happens. They will lock-out your IP (since it is not recognized and validated for the account you are trying to grief), and then look it up in their database to see what actual SWTOR account validly uses your IP and then send you a ban notice for attempting to hack someone else's account.

 

The only real griefing vulnerability is another family member inside your own IP range set....and that really is a family behavior problem, not a security problem.

 

a simple router reset will unban my ip (or disable static ip)


a simple router reset will unban my ip (or disable static ip)

 

And how many router resets do you suppose a hacker will go through in order to finally gain access, assuming the router reset doesn't just result in them being assigned the same IP anyway?

 

Most hackers are looking for the quickest way in. To them, time is money. Measures that extend the time required by any appreciable length make it cost prohibitive so they move on.


You know what gets me the most out of all this and is making me laugh about all these complaints?

 

So many people are complaining about something that is already in place and already able to be done. Basically you can already use your Display Name to login so it makes no difference if they remove the ability to use Email Address or not. If you are afraid of someone knowing and trying to use your Display Name to hack your account, you are already too late. I just find it funny that people are overlooking this and making a fuss about it. :D

 

So why even complain about them removing the ability to use your Email and only use your Display Name? It is better to not use an email address after all.

 

Anyways that is just my view on it. :rolleyes:


Holy fish-sticks the amount of complaining here is truly hysterical.

 

It's pretty damn clear that Phillip KNOWS what he's talking about, and I love his little bits of British humor thrown in (I'm a fan of British humor personally), and again as has been pointed out SEVERAL TIMES, you can

 

ALREADY USE YOUR DISPLAY NAME TO LOG IN

 

so the people here freaking out about it are looking twice as silly right now, also ask yourself this, how often have we actually heard about accounts being hacked? Personally the last time I heard about someone getting hacked was back in October of last year, so about 6 months ago, compare that to WoW or Rift where someone's getting hacked nearly every other day, it's pretty damn clear that from his immense amounts of patience in answering our questions that Bioware is taking this security thing extremely seriously and wouldn't be doing this unless it was meant to also help improve security.

 

Also folks, please remember that Phillip has nothing to do with game coding or bug smashing, he's there for security, just like a member on the coding team wouldn't have anything to do with security he has nothing to do with coding or bug squashing and would more than likely screw things up if he even tried fixing some bugs :p

 

Let's all just calm the fark down trust in what Phillip is saying, because again, its pretty damn clear with how articulate he is in his answers (which I'm truly amazed how detailed he is in answering multiple questions) that things will work out fine and he knows what he's doing.


First off I do want to thank you for coming on to the forums to attempt to explain this.

 

However,

 

Based on the feedback you will be happy to hear that we are again discussing the perceived issue. I can't promise 'soon' - heck, I can't promise 'later' just yet. It is likely based on the underlying systems that we will not change the account Display Name, but rather look at adding a new Forum Name that can be different.

 

This proposed solution is simply not good enough. You have let the cat out of the bag and the only way to put it back again is to allow us to change the login name and have it different to our existing display name. The other way around doesn't work as the information is already public, besides which I chose my display name because that is in fact how I wish to be displayed. I use the same one on several game sites, all of which use a different identifier as login, and it has never been any kind of security issue before now.

 

Also allowing people to change display name on the forum means losing track of who said what and can itself be a source of confusion. Since I am pretty sure that you use some kind of numeric identifier for users internally then it should technically be possible to change the name associated with that identifier, though obviously I don't know how easy this would be.


While we are at account security, I've 2 questions:

1) Why do we have to call customer support to de-attach the authenticator from our phone? Can't it be done in-account or in-app?

 

2) Do you plan to release Windows Phone / Windows desktop version of authenticator app?


While we are at account security, I've 2 questions:

1) Why do we have to call customer support to de-attach the authenticator from our phone? Can't it be done in-account or in-app?

 

2) Do you plan to release Windows Phone / Windows desktop version of authenticator app?

 

 

As for 1), he mentioned part of the reason for making this change to log in was to implement more "self-help" features and reduce the need to call customer support.


Love the back and forth going on here even if it seems a bit of a waste of time. Some people will just not get it no matter how hard you try to explain it while keeping certain information on a need-to-know basis. Eventually you just have to rely on the 'BECAUSE I SAID SO' method...:eek: