Please upgrade your browser for the best possible experience.

Chrome Firefox Internet Explorer
×

Display Name Only Log In - Coming April 2, 2013

STAR WARS: The Old Republic > English > General Discussion
Display Name Only Log In - Coming April 2, 2013
First BioWare Post First BioWare Post

DarthTHC's Avatar


DarthTHC
03.07.2013 , 09:49 AM | #371
Quote: Originally Posted by Imbafedor View Post
you'd better resolve the known bugs and the latency issues rather than going around with this bs. I think you are mocking us and this is the last problem you should handle, there will be more problems with people who won't be able to log in in the end.
Wait... you want EA to fix a problem that's between your house and your ISP?

What does this site: http://www.speedtest.net/ tell you about your connection? What does it tell you about your connection if you alt-f4 out of SWTOR when you experience "latency" and run it right away? Anyone in your house downloading movies or music or doing anything else big on your internet at the time of your latency?
Human beings see oppression vividly when they're the victims. Otherwise they victimize blindly and without a thought. ~ Isaac Bashevis Singer

GizmoBill's Avatar


GizmoBill
03.07.2013 , 09:57 AM | #372
Quote: Originally Posted by Phillip_BW View Post
I have that on my list of things to look at already. That is a much harder challenge to change though as Display Name is also a unique reference, and changing the unique reference can create a ton of data inconsistencies. Technically possible, but not technically easy to accomplish. I wouldn't hold your breath on this one.
Why would you want to design your system to rely on a display name as an unique key rather than using some id? Haven't you guys thought of things like the ability to change that at some point? I work as a software developer for almost a decade now and in every project I've been this was a just common sense...
"There is no death, there is... oh look a pony!"

DarthTHC's Avatar


DarthTHC
03.07.2013 , 10:00 AM | #373
Quote: Originally Posted by GizmoBill View Post
Why would you want to design your system to rely on a display name as an unique key rather than using some id? Haven't you guys thought of things like the ability to change that at some point? I work as a software developer for almost a decade now and in every project I've been this was a just common sense...
Display name has to be a unique reference. If there were multiple DarthTHC's or GizmoBill's posting on the forums, imagine the havoc it would wreak!
Human beings see oppression vividly when they're the victims. Otherwise they victimize blindly and without a thought. ~ Isaac Bashevis Singer

kcabnibats's Avatar


kcabnibats
03.07.2013 , 10:03 AM | #374
My display name is the same as my Legacy name because I didn't know it was spose to be private. This is, once again a completely dumb move by EA. WoW has been doing this for waaaay longer than SWTOR and the fact that they still use e-mail is a dead giveaway. E-mail address is the safe and secure answer. So if I forget my p-word are they gonna send it to my swtor.com account that I can't access w/o my p-word or my e-mail? This just proves they have no idea what they are doing.

DarthTHC's Avatar


DarthTHC
03.07.2013 , 10:04 AM | #375
Quote: Originally Posted by Phygeon View Post
My display name is the same as my Legacy name because I didn't know it was spose to be private. This is, once again a completely dumb move by EA. WoW has been doing this for waaaay longer than SWTOR and the fact that they still use e-mail is a dead giveaway. E-mail address is the safe and secure answer. So if I forget my p-word are they gonna send it to my swtor.com account that I can't access w/o my p-word or my e-mail? This just proves they have no idea what they are doing.
Alll that statement proves is you haven't been reading Phillip_BW's posts.

Try this: http://www.swtor.com/community/devtracker.php

Also, if you're using WoW as the benchmark for account security, please compare and contrast the number of WoW accounts that have been compromised with the number of SWTOR accounts that have.
Human beings see oppression vividly when they're the victims. Otherwise they victimize blindly and without a thought. ~ Isaac Bashevis Singer

Ahkinaten's Avatar


Ahkinaten
03.07.2013 , 10:23 AM | #376
Are we going to be given the option to change the display name? I made one with little to no thought. If it is something I have to use as a login in I want to have the opportunity to change it to something I feel is usable and secure.

JonathanCP's Avatar


JonathanCP
03.07.2013 , 10:27 AM | #377
Quote: Originally Posted by Ahkinaten View Post
Are we going to be given the option to change the display name? I made one with little to no thought. If it is something I have to use as a login in I want to have the opportunity to change it to something I feel is usable and secure.
Please, read the Dev Tracker

Answered already
If your thread title is not a variation on "open letter... BIOWARE,... fail... NOW!", then you are a fanboy

Andryah's Avatar


Andryah
03.07.2013 , 10:28 AM | #378
Quote: Originally Posted by Mogic View Post
Its amazing how many armchair security professionals there are playing swtor. You all should apply for high level security jobs for knowing so much.

/end sarcasm

Everyone screaming about knowing half of your login information know absolutely nothing about security. Heres how you would have to attack the site if you know the display name vs email.

Scenario 1
Try to log in.. brute force the password. Internal systems pick up brute force attack and block the IP, flag it for review. Seriously Brute force attacks are very easy to detect.

"But they could use a BotNet" True hackers using a BotNet are not interested in stealing your Swtor account. They want personal info like CC info to sell or the database of the user/passwords to sell to a 3rd party. They would be attacking Biowares internal network. Not brute forcing your account.

"Gold Farmers......." Don't brute force, they either buy email/password lists from other hacked sites or hack vulnerable forum/game sites and use it to try and access accounts for other games. Majority of users don't practice good security and use email addresses on multiple sites. You yourself probably don't but for every 1 person that does, there is probably a couple hundred that don't

Simple passwords... Again this is your own fault, not biowares, if your using a simple password like 'Password1' then you should seriously consider changing it to something much harder to guess like P2Ssw4Rd (replace each vowel with an even number and capitalize the next letter). And obviously don't use the word password.

Scenario 2
Try to log in with someones display name, click forgot password, but I don't have your email address so now I am kinda stuck because I don't know where they are sending the password. I could try to social engineer the answer out of the person, or Bioware, lets say im successful, I still don't know the password to the email account, so were back to either trying scenario 1 on the email site, or back to trying to socially engineer the password out of the person. If you give up your password to someone its your own fault and you can't blame BW for that.

Most email sites now have some sort of 2 factor or 2 step verification, you also shouldn't be using the same password for email and other sites. And if someone does ask you for your password, you should be asking yourself why, since no one ever would ask your for that info.

Those claiming that they know "50% of the login" are missing SAQ's and IP verification, so really you only know 33%, 25% if they are using an authenticator

If I had to guess the reason they are moving away from email is to seperate your email address from display name to be able to start using email verification steps for login, for users that either can't get an authenticator, don't want one, but want some sort of 2-factor login.

Whats funny is this same fear mongering / argument went down before launch when they were using email addresses to login. Now that they are changing it, same fear mongering / argument. Damned if you do, damned if you don't

TL;DR
Usernames should not be a protection for authentication. Authentication is separate from identification. Identification is a piece of data that describes an individual or group. Most of the time a username is a sequence of characters that uniquely identifies an individual. Typically an individual is authenticated with a password. I may claim I am Margret Thatcher, but if I can not type in Margret Thatcher's password than I can not authenticate as Margret Thatcher.
Nicely summarized and explained Mogic.

Requoted, in it's entirety.... simply because this sane post needs to be reinforced over and over again for some.
Forum disputatio ------> est completum ineptias.

KALELSAB's Avatar


KALELSAB
03.07.2013 , 10:56 AM | #379
Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a players account, and at the same time will not be able to 'brute force' getting into the account."

How are both true?

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

iamthehoyden's Avatar


iamthehoyden
03.07.2013 , 11:03 AM | #380
I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.
aren't you a little short for a stormtrooper?
---------------
Fan Fiction: My Name is Solomon Crae The Man in the Box