Display Name Only Log In - Coming April 2, 2013


UltimateKrucible
03.11.2013 , 01:14 PM | #501
Quote: Originally Posted by Andryah View Post
OR, you simply refuse to believe what Phillip has stated with regard to concerns about it weakening security.
Pretty much this, yes.

You do know what 'sceptical' means, don't you? I'm not sure I could be clearer on that point.

Anyway, que sera and all that.
. Shine on, you crazy pixel.

Funny post! The nine circles of SW:TOR PvP hell

TexasMarine
03.11.2013 , 01:19 PM | #502
Did BW fall and hit their head again? Changing log-in information to something that is public knowledge is not only stupid, it's irresponsible. For the love of all that is good in the world DO NOT DO THIS!

DarthTHC
03.11.2013 , 01:21 PM | #503
Quote: Originally Posted by TexasMarine View Post
Did BW fall and hit their head again? Changing log-in information to something that is public knowledge is not only stupid, it's irresponsible. For the love of all that is good in the world DO NOT DO THIS!
There's another person who either hasn't read Phil's excellent posts or can't be reasoned with.

Edit: Consolidated:

The complete list of Phillip_BW's posts on this topic:

http://www.swtor.com/community/showp...&postcount=296
http://www.swtor.com/community/showp...&postcount=303
http://www.swtor.com/community/showp...&postcount=389

DevTracker: http://www.swtor.com/community/devtracker.php

Search specifically for all Phillip_BW posts: http://www.swtor.com/community/searc...archid=3617416
Human beings see oppression vividly when they're the victims. Otherwise they victimize blindly and without a thought. ~ Isaac Bashevis Singer

Andryah
03.11.2013 , 02:52 PM | #504
Quote: Originally Posted by UltimateKrucible View Post
Pretty much this, yes.

You do know what 'sceptical' means, don't you? I'm not sure I could be clearer on that point.

Anyway, que sera and all that.
There is a difference between "skeptical" and "unwilling to believe". You pretend to be "skeptical", but in fact this response to me (above) shows me that you simply are "unwilling to believe". Which is fine if that is the way you want to go with it... BUT then don't complain that there are no BW dev posts addressing your concerns.

/2-cents
Forum disputatio ------> est completum ineptias.

TheRealBluehero
03.12.2013 , 12:08 AM | #505
"No purge planned - the game is way too young to be thinking of removing old accounts, especially as a lot of those accounts have game data associated with them and we would like our players to be able to return to everything they left behind if they do leave."

Found this whole statement ironic considering I left for a while (whilst still maintaining a subscription I might add) and naturally had to change the name of some of my favourite characters. Unacceptable. Guess I won't be returning after all.

Edit: I just wanted to add that this was well after the servers were merged.

PaZPyX
03.12.2013 , 02:47 AM | #506
Quote: Originally Posted by Nemhain View Post
You should follow the advice of Ruhrpottpatriot

Apparently some people like you didn't even bother to look at those posts, like Ruhrpottpatriot said: "I really urge you to read his posts(...)". Not only you but everyone, before posting here.
Thanks to both of you for compiling the "official" responses in a single place. I'm sure it'd be helpful to more than just me if the moderators moved them to the head of the topic though.


Quote: Originally Posted by Nemhain View Post
I had my account hacked in another MMORPG (which I played for almost 6 years) and I was as careful as a user can be; I didn't deserve what happened to me in that case.
I agree -- but sad as it may be, it was to be expected as a consequence of entrusting esthetically valuable data -- your characters, items, game progress -- to a third party (the gaming service) for safekeeping, against every possible caveat in the EULA. "<Whatever>-as-a-service" technologies are convenient, but convenience always has a price; in the case of *aaS, that price is control. You are at the mercy of the service provider and whoever can manipulate their data; you have no say in how this data is managed -- worst you can do is terminate your subscription, maybe sue them for damages, but good luck with that given the EULA. This is one reason I tend to avoid relying on cloud/*aaS solutions (including MMO games), and prefer old-school installable single-player games or games that use peer networking models or those with open server executables, with all the code and data easily replicable and within reach. TOR is a rare exception, I play this mostly because its prequels are my long-time favorites.

Quote: Originally Posted by Nemhain View Post
If a hacker wants to hack your account he will; we just have to make their life as hard as possible, and trust that the people who look out for our accounts' security do their best to avoid it.
Just to make it clear, I was not calling into question the technical competence of BW/EA security staff, maybe only my own. On the contrary, SW:TOR is one of few online systems I know of to employ multiple-factor ("something you know" + "something you have/are") and defense-in-depth (password + security questions) approaches. I was only remarking on the fact that, as Wired's "Kill the Password" article points out (interesting read, BTW), better security always has the tradeoff of inconvenience and/or privacy. It would be nice to let the users decide if they are willing to make that tradeoff (and how much) instead of enforcing policies that claim to serve the users, but under the hood mostly serve to guard BW/EA against damage from their own mess-ups.

With this I still maintain that for most users, single-factor (password-only) authentication should be good enough as long as both the user and BW/EA manage this information responsibly. The mentioned Wired article fails to identify the flaws of passwords themselves (OK, one -- "good passwords are hard to remember," but even that is mostly a user error). Rather, it centers on the mishandling of passwords, the biggest of them being the presence (yes!) of "password reset" backdoors in most systems, and the associated social engineering exploits. By the Force, if anything should be killed, it's the password resets, not passwords. As my instructor used to say, "all known attacks against RSA are attacks against idiots using RSA." The same easily applies to password-based authentication. If I lose my password, I'm an idiot and get what I deserve. Instead of catering to the needs of idiots, who'll always find a way to mess up no matter what, online services would do well to educate users and cater to the needs of the competent.
Q: What happens when the value of Pi changes?
A: The universe reboots.

Bomyne
03.13.2013 , 05:12 AM | #507
Quote: Originally Posted by Phillip_BW View Post
As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.
The sooner the better to be honest. Having to call Support to remove the authenticator is an overly costly and time consuming process.

I'm still not convinced this is a good idea. Everything I know about security tells me that every single piece of login information (Username, Password, authenticator info, secret questions) should be kept 150% secret. Since the usernames are used on the forum, that's a piece of login information that is being unnecessarily exposed.

Kilora
03.13.2013 , 06:27 AM | #508
Quote: Originally Posted by Bomyne View Post
The sooner the better to be honest. Having to call Support to remove the authenticator is an overly costly and time consuming process.

I'm still not convinced this is a good idea. Everything I know about security tells me that every single piece of login information (Username, Password, authenticator info, secret questions) should be kept 150% secret. Since the usernames are used on the forum, that's a piece of login information that is being unnecessarily exposed.
With all due respect, you must not know much about security...

There's a funny thing that happens when dealing with a lot of fields such as security -- in which those who know almost nothing are confident in their knowledge and think they know quite a bit, while those who are extremely knowledgeable question their intelligence regularly.

I certainly don't mean this to be rude -- but many of the people posting on here probably don't know ANYTHING about security, or understand that -- as has already been said -- a username/email should NEVER be used as a safety measure. There are dozens of security checks that no user will ever see, and will never become public knowledge (for good reason).

TL;DR -- Professionals in security are explaining to people that this change has NO effect on security -- but is allowing them to implement other changes to increase security. I'm inclined to agree, because I'm not a security expert. However, should my account be hacked (or if many accounts are hacked), I may change my tune.

Cidco
03.13.2013 , 07:44 AM | #509
This is a bad move. I for one have 2 accounts hacked from other MMOs, and using my log-in name is a sure-bet way to get hacked. I would like to keep my email address as my login and still keep using my Authenticator I got with my Collector's Edition. Plus if my account gets hacked I will file a suit against EA/Bioware for breach of contract.

Ebonynight
03.29.2013 , 05:10 AM | #510
The weird thing is that other sites used display names first and because that wasn't secure enough, moved on to emails. I think the ones that use multiple forms may be slightly more secure. Example, one used a login name, a password, a character name and a security code. The last being optional.