Display Name Only Log In - Coming April 2, 2013

STAR WARS: The Old Republic > English > General Discussion

Jenovan
03.05.2013 , 10:47 AM | #21
I would be interested to hear from the devs on this -- though I'm not sure how much they're willing to talk about security measures, for obvious reasons.

I think, though, the idea is that the kind of processes used to steal accounts by gold farmers, etc. may simply try to log in with any email address they can get their hands on and attempt to brute-force the passwords. Guild Wars 2 went through a few security contortions after release and heavily recommended that your GW2 email address NOT be used for any other purpose, to minimize the risk of this kind of attack.

On the flip side, our display names are very visible to US, here -- but we're all subscribers. While this could lead to personally-motivated hacking, I imagine the sheer volume of that pales in comparison to the sort of email address farming sketched out above.
Ebon Hawk * The Thirteenth Legion * RP/Social/Casual
Kjara | Avidior | Mizret | Ysmena
Forging Fortune * Aviditas

WahineKoa
03.05.2013 , 10:48 AM | #22
Quote: Originally Posted by JPryde
Okay, so here is a challenge for security experts:

1. Find out my display name
2. Find out my e-mail addy, which I use for SWTOR and this website.
3. Evaluate which of the two is harder to find out.
4. Explain how the new system will improve security

This is a ludicrous change. You remove a more or less hidden value and replace it by an openly accessible value and call that an improvement in security??
This is how it works:

Trojans and other malicious software are installed to your computer by hackers who install them to your computer through various techniques.

These trojans, for example, read whatever you write on your screen and send it further to the hacker.

When you log in with your email address for example to swtor.com the hacker may then easily try to hack themselves to your email address, hotmail as an example, which is easy to hack for people who know how to do it.

Then they just simply request a new password from swtor.com to your email address they already hacked, and after they receive a new password they make a hostile takeover of your swtor account.

NOW, when you only log in with your "username" these trojans won't get any vital information from you, meaning the possibility of hostile takeover of your swtor account is decreased significantly.

Smoatman
03.05.2013 , 10:48 AM | #23
This is a Terrible idea. Bioware EA DON'T DO IT!!!

AbsolutGrndZero
03.05.2013 , 10:50 AM | #24
I posted the question of this to a friend of mine who is a... "computer security specialist" (nice term for it) asking him what he thinks... if it's more or less secure. I'll post back when he says.
The Babylon Legacy
Harbinger
Racquel, Stancerry, Jennica, Porcelain

Rankyn
03.05.2013 , 10:51 AM | #25
Yeah, this is a very very bad idea.
So now, in order to hack my account, you need to figure out my email address (which is unique to SWTOR) and my password.

After this change, you will know that my username is Rankyn because it's plastered all over the forum and all you're left to do is try to figure out my password.
You've essentially done 50% of the work for anyone trying to hack my account.

If security is the real issue then our usernames need to be a 3rd option that is neither our email address or our forum name.

AbsolutGrndZero
03.05.2013 , 10:54 AM | #26
Quote: Originally Posted by Rankyn

If security is the real issue then our usernames need to be a 3rd option that is neither our email address or our forum name.

^^^

This. Bioware. Do this.
The Babylon Legacy
Harbinger
Racquel, Stancerry, Jennica, Porcelain

NextGenHunter
03.05.2013 , 10:55 AM | #27
...nope...if this happens...nope (unsub)

Altheran
03.05.2013 , 10:56 AM | #28
Quote: Originally Posted by Jenovan
On the flip side, our display names are very visible to US, here -- but we're all subscribers. While this could lead to personally-motivated hacking, I imagine the sheer volume of that pales in comparison to the sort of email address farming sketched out above.
Like I said, you can already log in by using forum names, so what you're describing can already be done.

JPryde
03.05.2013 , 10:58 AM | #29
Quote: Originally Posted by WahineKoa
[...]NOW, when you only log in with your "username" these trojans won't get any vital information from you, meaning the possibility of hostile takeover of your swtor account is decreased significantly.
Granted, for people who are unable to keep their own space at least somewhat secure, it might actually be an improvement, but answer me this...

Is the login process accepting unlimited false entries?

Option A: it does.
Result: The possibility of a brute force hacking attempt to my account increased by a magnitude. So far a potential hacker had to brute force my mail-addy and the password and get both right at the same time... you do not get info if the username or the password was wrong, you only get info that something was wrong. Also you would be unable to specifically target me, as you cannot know which login my chars have. In the future, you will have my login already and "only" need to brute force my password.

Option B: it does not allow unlimited false entries...
Result: After X false attempts, the account is automatically suspended for security reasons.
Further result: Everyone who dislikes a posting I did can take my screen name and try to login on my account... do this 20x false and my account is automatically suspended... Of course, my security is not compromised in this scenario, but I got the hassle with getting my account back to working properly.

So while I do understand more than a bit of security issues, I do not see how this change increases my security.
~~~ Macht Wächter ~~~
Vanjervalis Chain
Jhoira, Skarjis, Trântor, Ric-Xano, Sabri-torina, Tir-za, Shaina ...
We do not brake for Wookiees !
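
The trade-off raised in post #29 (unlimited guesses versus a suspension anyone can trigger), as an added example that is not part of the thread and not BioWare's login code: a throttle keyed on display name plus source address that slows repeated failures without suspending the account. The class, its parameters, the display name and the addresses are all hypothetical or constructed.

```python
from collections import defaultdict


class LoginThrottle:
    """Delay repeated failures per (name, source) pair; never suspend the account."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0):
        self.free_attempts = free_attempts   # failures tolerated before any delay
        self.base_delay = base_delay         # seconds; doubles with each further failure
        self.max_delay = max_delay           # cap so a block always expires
        self._failures = defaultdict(int)
        self._blocked_until = defaultdict(float)

    def allowed(self, name, source, now):
        return now >= self._blocked_until[(name.lower(), source)]

    def record_failure(self, name, source, now):
        key = (name.lower(), source)
        self._failures[key] += 1
        over = self._failures[key] - self.free_attempts
        if over <= 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (over - 1), self.max_delay)
        self._blocked_until[key] = now + delay
        return delay

    def record_success(self, name, source):
        key = (name.lower(), source)
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


def simulate():
    """Constructed scenario: a stranger retries once per second for an hour
    against a publicly visible display name, then the owner logs in from home."""
    throttle = LoginThrottle()
    guesses = 0
    for second in range(3600):
        now = float(second)
        if throttle.allowed("DisplayName", "203.0.113.7", now):
            throttle.record_failure("DisplayName", "203.0.113.7", now)
            guesses += 1
    # The owner's source was never penalised, so Option B's lockout does not occur.
    owner_ok = throttle.allowed("DisplayName", "198.51.100.20", 3599.0)
    return guesses, owner_ok
```

A per-source key does not slow guesses spread across many sources; that case needs a per-account signal that triggers extra verification rather than a suspension.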

Rankore
03.05.2013 , 11:00 AM | #30
Okay everybody, you all know that Bioware does an April Fool's joke every year, right? This is all this is. It takes effect April 2. The day before they will say it's a joke. Everybody please stop getting so worked up over this. Like many have said, if they did do this change then anyone would already have half your login info. Again this is nothing but a joke.