
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


Thanks for explaining it so cogently. And while using the same email for multiple sites is ok, using the same password is a really bad practice, you won't get any argument from me there.

 

I would also point out that I have no objection at all to de-coupling email from login and I don't think I conveyed any objection to that.

 

But you totally side-stepped the question I raised about people's *perceptions* regarding account security.

 

While Phillip (and you and others) can talk til you're blue in the face about how these changes will improve security, people conditioned for years by being told to never, ever share their login info are going to resist hearing that message.

 

BW even tells us in one loading screen tool-tip to never share your info, yet they now turn around and give half of it away to world + dog. Simply saying "oh, sure, never, ever tell anyone your password but, meh, your login doesn't really matter" isn't terribly reassuring at first blush.

 

I'll be the first to admit that, however much EA falls short in almost every other regard, security certainly seems top-notch.

 

I didn't sidestep it exactly, I addressed it at the end of my post, but frankly I don't have a good answer or entirely disagree with what you're saying. Obviously, as illustrated in this thread, the perception is that doing this is a bad thing and it causes some people to panic and rage. The question becomes how much damage is this negativity really going to cause? I don't have any kind of data on that or have any clue what the real world costs for them to implement new logins for everyone is. My guess though is that people will complain at first but then forget about it when they realize there isn't any rampant account hijacking going on after the change. Until then all they can do is try to educate people.


.....Obviously, as illustrated in this thread, the perception is that doing this is a bad thing and it causes some people to panic and rage. The question becomes how much damage is this negativity really going to cause? ....

 

Based on past observations.... there will be little to no impact over this in terms of damage from people's perceptions. Even when an MMO gets a bad rep for ACTUAL hacked accounts... people don't leave.

 

It's the forums after all...... "short attention span theater of sorts"....... Where yesterday's crisis is today's "Wut?" and tomorrow's "Huh??". People will quickly move on to raging over the color of the next release of the pet monkeys in cartel packs... and people threatening to quit over it.

 

TL;DR: this too shall pass.

Edited by Andryah

Without going into specifics, as I know you can't, how does using the display names help the development of new features, such as self-help services? My understanding, based upon your previous answers, is that because of the Free-To-Play players don't have an email associated with their accounts. Also, what other systems do you have in the pipeline concerning the new features coming after April 2nd?

 

As for those complaining about display name login, it is already available now. All these conspiracy theories about "Hackers will be able to hack accounts more easily now just by browsing the forums" etc., they could already do that now, but with the current security systems in place, they can't. Personally, I see this as a welcome change to simplifying the entire system.

 

Using emails for usernames was a terrible idea to begin with, they're long, clunky, should only be used for communication purposes and as usernames for the email service providers.


Funny story, I just tried to login with my display name and kept getting errors... Couldn't figure it out because looking at my display name here it looks like what I think it should (it's also my Xbox Live Gamertag) but wait no it isn't... that's an o not a 0 ROFL

 

What was it 3 years ago when I created this account to apply for beta, it was AbsolutGrndZero because I hadn't had the thought to use a 0 as an added novelty to the name.

 

 

That said, now I really want to change it! :(


you have been able to sign in with both email and display name for a while now.

 

You people keep saying this as if that makes it all okay and we have nothing to complain about.

 

Well, in case you didn't realize most people didn't even know that change was made. It wasn't announced. It was just done. And since most players don't read past the ability changes in patch notes it never got noticed. Actually, I'm not even sure it was in any patch notes and nobody posted anything about the addition of 3 extra words (or Display name) on the login. So, saying that it has been this way for a while does nothing to alleviate anyone's concerns and their concerns are valid regardless.

 

:cool:

Edited by Blackavaar

Given that this is 45 pages long now, likely it's been voiced already, but as a customer's opinion, I'd repeat it even then.

 

1) Hopefully having login name decoupled from the email address would mean the email address for an account becomes changeable.

 

2) Please refrain from "security through obscurity" practices when it comes to end users; these are more of an annoyance (to both legit users and determined attackers) than any valid help or detriment. For example, things like (a) security questions, (b) not being able to find an account name for character name (and message players by their account name) are serious inconveniences in the game. A login has a public part (name, email, etc) and a private part (password); making sure the private part remains private is the responsibility of the user -- as EULA clearly states, I believe. Additional security features (hide account name, set up security questions, set up security key, invalid login limit) may be nice as long as they are optional, because ordinarily, using a strong password should be enough. If I use "password" for password and suddenly have my account stolen -- then I get what I deserve. If I use the same password for my account as I use for some forum and suddenly have my account stolen -- I get what I deserve. If I log in from some machine without making sure it's adequately protected from keyloggers and sniffers, and suddenly have my account stolen -- I get what I deserve. If, on the other hand, I have my account stolen because somebody hacked EA and stole my login info from under your noses -- then you get what you deserve by losing me as a subscriber, security questions or no.


1) Hopefully having login name decoupled from the email address would mean the email address for an account becomes changeable.

It already is, afaik.

 

[...]Additional security features (hide account name, set up security questions, set up security key, invalid login limit) may be nice as long as they are optional, because ordinarily, using a strong password should be enough. If I use "password" for password and suddenly have my account stolen -- then I get what I deserve. If I use the same password for my account as I use for some forum and suddenly have my account stolen -- I get what I deserve. If I log in from some machine without making sure it's adequately protected from keyloggers and sniffers, and suddenly have my account stolen -- I get what I deserve. If, on the other hand, I have my account stolen because somebody hacked EA and stole my login info from under your noses -- then you get what you deserve by losing me as a subscriber, security questions or no.

 

You really should read this article. A password no longer is the means of securing an account. BioWare knows that and they have back-end systems in place which you don't see nor experience (as a normal customer) which prevent account hacking even if your password is stolen (granted, only if you have security questions and/or a one-time-key authenticator).

 

For those who didn't have the chance to read Phillip's posts, here are the links, which explain in great detail why the new system is actually better:

http://www.swtor.com/community/showthread.php?p=5954106#post5954106 (Courtney's starting post)

http://www.swtor.com/community/showthread.php?p=5955636#post5955636 (First reply)

http://www.swtor.com/community/showthread.php?p=5961316#post5961316 (Second reply)

http://www.swtor.com/community/showthread.php?p=5961675#post5961675 (Third reply)

http://www.swtor.com/community/showthread.php?t=607377&page=39 (Fourth reply)

 

To summarize a bit:

1. The Username is not a better system per se, it is neutral. No security is gained or lost for SWTOR, only if another site is hacked the chances of your info falling into wrong hands is reduced via decoupling. It is like you are telling a person the name on which your bank account is registered.

2. Switching to usernames enables the security department to introduce more back-end measures to further strengthen the account (this is the main reason why they are doing the change)

3. Multiple systems for account protection are already in place (Password, Authenticator, SAQ, IP-Check, to name the disclosed ones), most of them back-end.

4. There will be no way to block an account just by knowing his display name and then typing in the password wrong multiple times (or, more specifically: the one who does it gets his IP blocked, you can still log in normally)

5. The change has nothing to do with your in-game character names.

6. You can already log in with your username.

7. He's a Brit. :jawa_wink:

 

I really urge you to read his posts, they are very detailed and explain why the change is a good thing.

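Point 4 of the summary above, sketched as an added example (not BioWare's implementation and not code from any poster): failed logins are counted per source address, so wrong guesses against a public display name block only the guessing address. The class and function names, thresholds, account name and IP addresses are assumptions constructed for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

class SourceThrottle:
    """Tracks failed logins per source IP; no per-account lock state exists."""

    def __init__(self, max_failures=5, window=300.0, block_for=900.0,
                 clock=time.monotonic):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self._clock = clock
        self._failures = defaultdict(deque)   # ip -> times of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is not None and self._clock() >= until:
            del self._blocked_until[ip]       # block has expired
            until = None
        return until is not None

    def record_failure(self, ip):
        now = self._clock()
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            recent.clear()

def attempt_login(throttle, verify, ip, display_name, password):
    """Return 'blocked', 'ok' or 'denied' for one login attempt."""
    if throttle.is_blocked(ip):
        return "blocked"                      # rejected before any password check
    if verify(display_name, password):
        return "ok"
    throttle.record_failure(ip)
    return "denied"

def simulate():
    """Constructed scenario: one address guesses, the owner logs in elsewhere."""
    now = [0.0]                               # fake clock so the run is repeatable
    throttle = SourceThrottle(3, 60.0, 600.0, clock=lambda: now[0])
    secrets = {"ExampleJedi": b"constructed-passphrase"}   # constructed account
    def verify(name, pw):                     # stand-in for a salted-hash check
        return name in secrets and hmac.compare_digest(secrets[name], pw)
    guesser, owner = "203.0.113.7", "198.51.100.20"        # documentation ranges
    results = []
    for guess in (b"a", b"b", b"c", b"d"):
        results.append(attempt_login(throttle, verify, guesser, "ExampleJedi", guess))
        now[0] += 1
    results.append(attempt_login(throttle, verify, owner, "ExampleJedi",
                                 secrets["ExampleJedi"]))
    now[0] += 600
    results.append(attempt_login(throttle, verify, guesser, "ExampleJedi", b"e"))
    return results
```

A per-source counter on its own does not slow guessing that is spread over many addresses, so it works as one layer alongside the other measures the summary lists.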

This is totally off-topic, but why do so many people leave the default post display at 10 per page? I can't deal with that many page refreshes; much rather scroll through a longer page. This post is on page 12 for me.

 

Often been wondering the same thing, on a lot of forums. Personally I find 20 responses per page to be good. 10 makes the threads just seem excessively huge and you're clicking "next page" every other minute.


A quick question for our head of security:

Has there been a thought of switching from the current SK app to the Google SK app? ArenaNet has scrapped their own version of an authenticator in favour of Google's.

I think this could also benefit TOR, as the Google app is probably used by more people. It also has Blackberry support already.


I very much disagree with what they're doing with this, changing it from your email to display name is a terrible idea, as everyone on here has pointed out it makes us that much more susceptible to hacking, maybe if we all complain enough they won't do it LOL

I very much disagree with what they're doing with this, changing it from your email to display name is a terrible idea, as everyone on here has pointed out it makes us that much more susceptible to hacking, maybe if we all complain enough they won't do it LOL

 

I don't believe you've actually read this thread if that is what you think.

 

Is this even considered safe? Since everyone can see my display name in-game?

 

I just logged in with my display name now and have for a while. You can try and hack me if you want.

Edited by chuixupu

Please be aware that beginning on April 2, 2013, logging in to the game or website will require your Display Name. Email addresses will no longer be accepted; your Display Name will be the only accepted option.

 


 

I don't know why you guys are just doing this now, I was saying this ever since Beta. And getting Display Names changed can't be that hard and should definitely be looked at for those that might want to change theirs for being their login ID. I got mine changed actually, got the email to prove it. :)


A quick question for our head of security:

Has there been a thought of switching from the current SK app to the Google SK app? ArenaNet has scrapped their own version of an authenticator in favour of Google's.

I think this could also benefit TOR, as the Google app is probably used by more people. It also has Blackberry support already.

 

I sure hope not.

 

"let Google it" is not a proper IT solution.


Given that this is 45 pages long now, likely it's been voiced already, but as a customer's opinion, I'd repeat it even then. (...)

(...) -- then you get what you deserve by losing me as a subscriber, security questions or no.

 

I had my account hacked in another MMORPG (which I played for almost 6 years) and I was as careful as a user can be; I didn't deserve what happened to me in that case. If a hacker wants to hack your account he will; we just have to make their life as hard as possible, and trust that the people who look after our accounts' security do their best to avoid it.

 

You should follow the advice of Ruhrpottpatriot

For those who didn't have the chance to read Phillip's posts, here are the links, which explain in great detail why the new system is actually better:

http://www.swtor.com/community/showthread.php?p=5954106#post5954106 (Courtney's starting post)

http://www.swtor.com/community/showthread.php?p=5955636#post5955636 (First reply)

http://www.swtor.com/community/showthread.php?p=5961316#post5961316 (Second reply)

http://www.swtor.com/community/showthread.php?p=5961675#post5961675 (Third reply)

http://www.swtor.com/community/showthread.php?t=607377&page=39 (Fourth reply)

 

I really urge you to read his posts, they are very detailed and explain why the change is a good thing.

 

Apparently some people like you didn't even bother to look at those posts, like Ruhrpottpatriot said: "I really urge you to read his posts(...)". Not only you but everyone, before posting here.


It already is, afaik.

 

 

You really should read this article. A password no longer is the means of securing an account. BioWare knows that and they have back-end systems in place which you don't see nor experience (as a normal customer) which prevent account hacking even if your password is stolen (granted, only if you have security questions and/or a one-time-key authenticator).

 

 

I really urge you to read his posts, they are very detailed and explain why the change is a good thing.

 

I read the first couple of pages of this link and I was honestly amazed mostly because it actually makes sense, unfortunately. I will not profess to know exactly the headaches that BW has nor at this point in my life will I ever fully be able to. However, given that I am logging in with a physical key generator every time and might be changing to an android app instead, I feel relatively safe logging in because the code changes with every press of the button.

 

I would suggest that BW perhaps consider an exercise in greater explanation with this move, if it has not already been that is.


I read the first couple of pages of this link and I was honestly amazed mostly because it actually makes sense, unfortunately. I will not profess to know exactly the headaches that BW has nor at this point in my life will I ever fully be able to. However, given that I am logging in with a physical key generator every time and might be changing to an android app instead, I feel relatively safe logging in because the code changes with every press of the button.

 

I would suggest that BW perhaps consider an exercise in greater explanation with this move, if it has not already been that is.

 

Lots of sensationalist points made in that article, but every logical attack he makes begins with the assumption that something is already vulnerable or has been compromised -- the database containing the passwords (which should be protected at a minimum by web service layers, and the passwords should be hashed with a unique salt), the computer the user accesses, the length and strength of the password itself, or the carelessness of the housekeeper in trusting someone over the phone whose identity isn't properly verified. That doesn't prove anything about passwords being outdated. That's like saying keys are outdated because the burglar has stolen the key or broken a window. And yet keys remain the staple of physical security. And passwords the staple of web security. Utter fallacy.

 

Algorithms exist to stretch the length of time it takes to calculate password hashes, thus making brute force much more unlikely to succeed. Brute force only works in the first place against unsalted hashes of exposed passwords or systems that accept infinite logon attempts. It still remains that a large enough password (20 characters or more, maybe a little less) cannot be brute force cracked or guessed. Humans can remember strings that long if properly constructed: twentYplUschar@cterS! is one trivial example. If they're lazy then that is a different story, but once again doesn't prove anything about passwords being inherently weak or outdated.

 

I will stipulate that as systems grow complex the vulnerabilities appear in various ways. All of these need to be protected in order for the password to be useful. That, I take it, is the author's point, but again that does not prove the password to be useless.

 

The fact remains that humans put a much higher premium on convenience than security. The former is easy to understand and directly impacts productivity, unlike the latter. People need to be educated and pressure needs to be placed on large companies in order for any real change to occur.

Edited by DisNamConInaLang

Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

 

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).

Actually, Steam doesn't use your DisplayName, your Steam username and displayname are different. How do I know? Simple, the name I use to log in to steam is different than what shows on my profile, my login name is also not listed among the "this player has also played as" names... Just saying.

