Display Name Only Log In - Coming April 2, 2013

drgnmstr_
03.07.2013 , 07:46 AM | #351
Quote: Originally Posted by Blackavaar
I notice that you purposely avoided answering the most logical way to make our accounts more secure, my suggestion to have us all create New Unique Account Names, instead of using names that can be easily gleaned off any forum we use.

I myself play many Online Games and use many forums and I use the same Display Name (aka. Forum Handle) in all of them. Using that as my login is not a more secure way of doing anything. What kind of "Security Expert" can ignore that simple logic?

This. If you don't do this then you're not taking the security of your player base into account.

First off, we should NOT be able to use display name at the present time. You need to turn that off now.

Second, in your database, add a new column called ForumHandle. Update the registration form and user account to allow players to change that value. Maybe initially default it to current user name.

If you do those things and people don't go change their forum handle, then that's their fault and they didn't take it seriously. While what you want to do is sound in a way, you're still making a vulnerability by not letting us change it. In fact that's exactly what STEAM allows us to do. There's a reason you shouldn't reinvent the wheel, so take a hint from your peers.
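The schema change suggested in post #351, sketched as an added example that is not part of the original post and not BioWare's code. The `accounts` table, its `login_name` column, the handle length limits and the sample rows are assumptions constructed for illustration; only the `ForumHandle` idea and its default come from the post.

```python
import sqlite3

def make_legacy_db():
    """Constructed sample: one name serves as both login and public forum name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts ("
                 "id INTEGER PRIMARY KEY, login_name TEXT NOT NULL UNIQUE)")
    conn.executemany("INSERT INTO accounts (login_name) VALUES (?)",
                     [("example_alice",), ("example_bob",)])
    return conn

def migrate(conn):
    """Add forum_handle, default it to the current login name, keep handles unique."""
    conn.execute("ALTER TABLE accounts ADD COLUMN forum_handle TEXT")
    conn.execute("UPDATE accounts SET forum_handle = login_name")
    conn.execute("CREATE UNIQUE INDEX ux_accounts_forum_handle "
                 "ON accounts (forum_handle COLLATE NOCASE)")
    conn.commit()

def change_handle(conn, account_id, new_handle):
    """Change only the public handle; login_name is never touched."""
    new_handle = new_handle.strip()
    if not 3 <= len(new_handle) <= 24:       # assumed length policy
        return False
    try:
        with conn:                           # commits, or rolls back on error
            cur = conn.execute(
                "UPDATE accounts SET forum_handle = ? WHERE id = ?",
                (new_handle, account_id))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:           # handle already taken (case-insensitive)
        return False

def still_exposed(conn):
    """Accounts whose public handle still equals their login name."""
    rows = conn.execute("SELECT id FROM accounts "
                        "WHERE forum_handle = login_name COLLATE NOCASE ORDER BY id")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_legacy_db()
    migrate(db)
    print("exposed after migration:", still_exposed(db))
    change_handle(db, 1, "Nightowl")
    print("exposed after one change:", still_exposed(db))
```

`still_exposed` is the follow-up check an operator would run after such a migration: it lists the accounts that kept the default and therefore still show their login name publicly.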

DarthTHC
03.07.2013 , 07:47 AM | #352
Quote: Originally Posted by Merouk
Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.
Your user name has been visible from the minute you first posted to the forums and you had to have known that the first time you posted to the forums. If you're that upset about your user name being public, why post to the forums?

LarryRow
03.07.2013 , 07:51 AM | #353
Quote: Originally Posted by Phillip_BW
If it is any consolation, I've only spent a few minutes responding to these posts,
I call BS. This level of detail and attentiveness requires a much larger time commitment.

Don't stop the sass, Phillip. These guys need to know that
1. British people are the funniest.
2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security
A classic sig that should not be lost:
Quote:
Stunned , pew pew hack slash , stunned , running backward circles, stunned cannot move, pew pew, break stun, 30 second snare, wha?!?!!? stunned, knockdown, ...less stun more pew pew and hacknslash please.

johnnyreece
03.07.2013 , 08:02 AM | #354
Quote: Originally Posted by Phillip_BW
A couple of people have noted I use a bit of 'sass' in my replies.
I'm just glad you don't have to use the same sugary tone the rest of the yellow posters have to. I enjoy the frankness of your posts. Carry on.
Neldiahr, Sith Sorcerer Gibsenne, Imperial Operative
Neldienne, Powertech Smash'Kitteh, Meowauder

Pscyon
03.07.2013 , 08:04 AM | #355
Eh. Can't say I mind the change. I don't really care one way or the other. It probably varies based on the provider, but I'm pretty sure Bioware's login name is more secure than my email address. Especially considering the fact the former has an authenticator, the latter only has a password. At the end of the day it doesn't matter what security measures are implemented though since people will keep invariably biting on phishing and/or filling their computers with malware, only to blame everyone but themselves for losing their accounts...
Sith Sorcerer

Iaitanto
03.07.2013 , 08:18 AM | #356
Hello,

Just in advance: I'm no native speaker so I apologize for bad or clumsy English beforehand.

Claim:
Quote:
This new change to the log in procedure is being implemented for several reasons. This change increases the security of our game authentication system, which helps continue to keep the game protected from many security threats including account takeovers.
Security Tokens improve security. Answers to questions only the person asked should know improve security. Enforcing strong passwords increases security. But the above doesn't. Just to make it clear in advance: I don't mind if either display name or e-mail address are used for identifying the user. Because both are equally 'secure' or 'insecure'. They are neutral pieces of information, that are known to the public. Public meaning here "other people than you". They identify an account, and don't authenticate or authorize. E-mail addresses are usually public, because otherwise it would defy their purpose (which is, that other people can reach you), display names are public, because you can see them in a publicly accessible forum.

However, thinking it would improve security by switching the identifying part of user credentials is in my book hand-waving, smokes and mirrors. Or among security people better known as an attempt of "security through obscurity". STO of course, is no security at all. I could have accepted if BW simply said something along the lines of "it's needed for some reorganisation of IT/security systems", but the claim of this change increasing security is counter-productive in my opinion, as it conveys a false sense of security.

If you really want to improve security, think along the lines of PKI. Have people generate their private/public keys, with the private key being protected by a strong passphrase. Offer some GUI for this purpose. Then encrypt the traffic between the user's machine and the game servers. Of course this takes a toll on convenience and performance, but this is the price usually paid for security. And even such a system is not 100% secure.

But please, don't claim 'more security' where in truth there isn't.

Best regards,
- Iaitanto

PeterGun-SWE
03.07.2013 , 08:18 AM | #357
Quote: Originally Posted by Phillip_BW
I don't mind being asked at all! I can only apologize for the delay, and can assure you that we are working on this. I don't have an actual date for when we can get the key-fobs available for purchase again. I can say that even today I had various emails specifically on this topic with the teams in Europe that control the EU side of the Origin store, and therefore the availability of the key-fobs themselves.
I really do want everybody to have a Security Key or at least the choice on if they want to get one - this has been a hot topic with me (as many people internally know) ever since we had to take the key-fobs off the store last year.
Once again... a BIG thanx to you Phillip_BW, for trying to answer all our questions. You are a true Master of Patience.

Just let me ask one last question on Security Keys, and then I'll let you off the hook. Is there a Security Key app in the works for Windows phones? And if so, when might it be released? 'Cause I wouldn't mind following your advice and use a Security Key, preferably a physical key, but I can use an app until then.

And once again thanx for trying to explain all this to us security laymen...
Cause... No matter how secure a target the user is always the weakest link.

Merouk
03.07.2013 , 08:47 AM | #358
Quote: Originally Posted by DarthTHC
Your user name has been visible from the minute you first posted to the forums and you had to have known that the first time you posted to the forums. If you're that upset about your user name being public, why post to the forums?
Actually, no, I created the account at game release in 2011 and AT THAT TIME my username (= my email) was not visible to any of you, so I went ahead and created a forum title and started posting. I even had the option to change my forum name (Merouk) to whatever I wanted, any time I wanted, and it was just a forum name. I didn't choose it with the understanding that it was going to be part of the logon security.

I did choose the email address specifically for logon security.

When they went F2P, without notifying anyone, they enabled the forum handle to be used for logging into the game. I didn't realize it or I would have complained about it then. Suddenly the forum handle became fixed / unchangeable, and they gave us the option to change email addresses. Except they didn't notify anyone that they were going to do that.

So, NO, they pulled a bait-and-switch, and now I have NO OPTIONS to keep my login hidden like my email was. I am frustrated.

Why continue to post? I usually post newbie help or tech support answers; I can certainly stop doing it. Also stop sending bug reports, because, FU EA/Bioware, why continue to try to be helpful when you make it frustrating and dangerous.

DarthTHC
03.07.2013 , 09:12 AM | #359
Quote: Originally Posted by Merouk
Actually, no, I created the account at game release in 2011 and AT THAT TIME my username (= my email) was not visible to any of you, so I went ahead and created a forum title and started posting. I even had the option to change my forum name (Merouk) to whatever I wanted, any time I wanted, and it was just a forum name. I didn't choose it with the understanding that it was going to be part of the logon security.

I did choose the email address specifically for logon security.

When they went F2P, without notifying anyone, they enabled the forum handle to be used for logging into the game. I didn't realize it or I would have complained about it then. Suddenly the forum handle became fixed / unchangeable, and they gave us the option to change email addresses. Except they didn't notify anyone that they were going to do that.

So, NO, they pulled a bait-and-switch, and now I have NO OPTIONS to keep my login hidden like my email was. I am frustrated.

Why continue to post? I usually post newbie help or tech support answers; I can certainly stop doing it. Also stop sending bug reports, because, FU EA/Bioware, why continue to try to be helpful when you make it frustrating and dangerous.


OK. I'm not going to do the research but I'll agree with your timeline.

But still, after having read Phillip-BW's latest dissertation, what exactly is the harm of someone knowing your user name? In order to log into your account, they still need:

1) Your password
2) Your authenticator's code, if you've done the smart thing and associated one to your account
3) If you have no authenticator and they're at an IP you haven't used, the answer to one of your security questions

I thought as you do right up to the point I read Phillip_BW's post. Things are going to be even MORE secure because of other things they're doing behind the scenes with this change, which, of course, they cannot tell us the intricate details of because that would compromise their plans, right? Plus, it looks like things are going to be even more self-servicy once Phillip_BW gets all his ducks nicely lined up so that's yet another benefit.

And the only downside is... someone may not have to guess your user ID but they still have to guess your password and crack your authenticator or guess a security question's answer.

Go ahead. Log in as me and transfer all my credits to one of your characters then delete all of mine. My user ID is DarthTHC.
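The three requirements listed in post #359, modelled as an added example that is not part of the original thread and not BioWare's login code. The account layout, PBKDF2 parameters, the fixed `authenticator_code` standing in for a real time-based code, and the sample names and documentation-range IPs are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _kdf(secret, salt):
    """Slow salted hash so stored secrets are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_account(username, password, answer, known_ips, authenticator_code=None):
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw": _kdf(password, salt),
            "answer": _kdf(answer.strip().lower(), salt),
            "known_ips": set(known_ips),
            # stand-in for whatever code the authenticator currently shows
            "authenticator_code": authenticator_code}

def login(account, username, password, ip, code=None, answer=None):
    """Return (ok, reason). The username only selects the account."""
    if username.lower() != account["username"].lower():
        return False, "no such account"
    # 1) the password is always required
    if not hmac.compare_digest(_kdf(password, account["salt"]), account["pw"]):
        return False, "bad password"
    # 2) an associated authenticator must supply the current code
    expected = account["authenticator_code"]
    if expected is not None:
        if code is None or not hmac.compare_digest(code.encode(), expected.encode()):
            return False, "bad authenticator code"
        return True, "password + authenticator"
    # 3) no authenticator and an unfamiliar IP: security question
    if ip not in account["known_ips"]:
        given = _kdf((answer or "").strip().lower(), account["salt"])
        if answer is None or not hmac.compare_digest(given, account["answer"]):
            return False, "security question required"
        return True, "password + security question"
    return True, "password only (known IP)"

if __name__ == "__main__":
    acct = make_account("ExampleUser", "correct horse", "blue",
                        {"192.0.2.10"}, authenticator_code="123456")
    print(login(acct, "ExampleUser", "guess", "203.0.113.5"))
    print(login(acct, "ExampleUser", "correct horse", "203.0.113.5", code="123456"))
```

The last branch shows the weakest path in this model: with no authenticator and a familiar IP, the password is the only secret standing behind a public name.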

Gainward
03.07.2013 , 09:17 AM | #360
Well, nice with the display name thingy... but the thing I would love is a real ID so you don't need to add like a million names 'cause your friends have a lot of alts and stuff.