Display Name Only Log In - Coming April 2, 2013


CourtneyWoods

Read more carefully, mate:

 

 

 

Major props to Phillip for taking the time to address these concerns. I wasn't too worried before and I'm certainly not worried now.

 

No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

 

:cool:

Link to comment

Alright, now the "book is open" so to speak, and we have SWTOR's CSO looking at this, I'd like to personally get some assurance here..

 

1. User database with logins, passwords and security key answers.. Are they hashed using md5, sha-(1-512) or any other fast "off the shelf" crypto algorithm (yes or no answer - no need to feed info)? Are they salted?

 

2. Do you use multi factor authentication before allowing authorization attempts? Does the level of authorization required change based on the provided authentication "level".. Basically, do you have differing levels of authentication?

 

3. This is mostly me being curious. Why don't you require all users to use 2-factor? With the current reliance on username/password schemes - even with security questions, the only way forward is at least 2-factor.

 

My hopes for answers are :D

 

1. No, we use a high work factor custom password encryption hash.

 

2. Yes

 

3. We wish we could, but politics say 2-factor is not user-friendly and so..

Link to comment

No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

 

:cool:

 

Okay, but you said he avoided it. You are free to not be satisfied with the explanation, but he did address it.

 

Also, he said not using a unique login name would cut costs and be less confusing. Let's be fair.

Link to comment

Bioware, if you really want to increase security .. WHY THE F... we have to use our Display name in Forums ???

 

In many other games you have separated Forum name, account name AND login name... means 3....

I really don't care usually.. because I was using display name all time.. but your reasoning is just dumb .. sry...

 

if you want to increase security... let us have different forum names...lol

Edited by Prysha
Link to comment

No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

 

:cool:

 

You are overlooking a key aspect of the hacker mindset. They want low-hanging fruit.

 

Emails are the number one thing that MMO hackers work hard to accumulate. Not just because they can sometimes get passwords with them, but because they are great for phishing. The point being that it is email addresses that today's hackers are after, NOT forum handles. That might change down the road when/if all the MMOs stop using emails as login handles, but until then.... there is little to no risk that some hacker team is going to go after SWTOR forum handles and try to then brute force them. The organized hackers don't brute force things, there are plenty of stupid internet users to harvest such that they don't have to work that hard. There are simply easier prey out on the internet than for them to chip teeth on SWTOR, which to the best of my knowledge has been free from mass hacker scandals (unlike some other popular MMOs).

Link to comment

So allowing everyone to read my login name is security? I have an e-mail address I use EXCLUSIVELY for SWTOR, this because that is the safest way, people needing to acquire both in some way to gain access. It also tells me when BW/EA pull the same crap another company did with account information (Still getting bogus and possibly real spam from that company that sold my account after 1 year when I cancelled the entire account).

 

So no, this does not make things more secure. Not buying any claims of steps being taken to make it more secure again, you're showing people who we are, half the player chosen login information. I also use a security key, so that gives me some security, but telling the whole world my login name does not provide more security as they now need less to gain access. Don't have 100% faith in the security key as it is, but now I NEED it in case someone makes a really lucky password guess. Used to be they needed a really lucky e-mail guess as well, they can already skip those now.

 

There should at least be a login name and a display name as 2 fields, allowed to be the same, but not advised to. Using that login name over the display name and then not allowing e-mail address is the only way to give some security in the way you apparently intend it.

 

Used to say E-mail or Display name for free players and just E-mail for subscribers I think. Not sure what the reason behind that was, but I feel that was way better.

Edited by Lyshar
Link to comment

Okay, but you said he avoided it. You are free to not be satisfied with the explanation, but he did address it.

 

Also, he said not using a unique login name would cut costs and be less confusing. Let's be fair.

 

Oh yeah, like it's so confusing having a unique login name. Really, the only people this would be confusing for are morons, so I don't think that is a factor at all. No, this is about cutting costs, nothing more.

 

:cool:

Link to comment

There are simply easier prey out on the internet than for them to chip teeth on SWTOR, which to the best of my knowledge has been free from mass hacker scandals (unlike some other popular MMOs).

 

Yes, to my knowledge not one single account has been hacked on SWTOR, so why bother making this change at all?

 

:cool:

Link to comment

Whoever told you guys this is safer should leave a large opening where his/her job used to be. How old and out of touch do you need to get, EA? You've proven you haven't got a clue what gamers want. So stop already. Change for the sake of change is a futile exercise for you and annoying as heck for your paying customers.
Link to comment

It's not paranoia. It's fact. Gold sellers exist on the internet. These people hack accounts and steal gold, credits, etc from MMO accounts then turn around and sell them to other players. Previously they had to rely on keyloggers and clever methods to get login details. Now they only need to skim the forums.

 

I have an authenticator on my account but I don't 100% trust Apple or Google not to accidentally include a bug or exploit in their OS software, so I don't rely on it for security. Passwords are easy to overcome. Most people use easy to guess passwords. I'm willing to bet that Password1 is a VERY common SWTOR password.

 

You do understand that there is security in depth on logins for SWTOR right? That is how the best security works, by depth of layers, not relying on any single layer for protection.

 

Personally, I think you are being paranoid to the point of silliness.... but giving you the benefit of the doubt.... Let's walk down that paranoid pathway..... through the layers (the ones we know of, because I'm positive there are others behind SWTOR that we know nothing about).

 

1) Let's give a hacker your forum handle as his starting point. Yep, you heard me... hand it to him.

2) dang...he does not have your password and he does not have your email address to associate with it, so he can't go try to phish your password from you via email (I'm not saying you are that gullible, but that is what he would have to do).

3) I'm sure you have a secure password right? Let's give you the benefit of the doubt and say you have a strong password that is unique to this login target. because if you don't well that's on you. How exactly would the hacker who has your handle get a valid password for your login????? Especially since Phillip has clearly stated that SWTOR has anti-brute force hack protocols in place so he can't brute force to get it.

 

4) Just for the sake of paranoia progression.... let's say he somehow gets it. Whooops.... he tries to log in and gets a prompt asking for your security key. I know I know... he already put two 10 digit random numbers together and came up with an answer of "4" and knew to first to get your security key from god knows where....SINCE HE DID NOT KNOW IN ADVANCE YOU HAD ONE, NOR WHAT TYPE (HARDWARE OR SMARTPHONE).

 

5) Just for the sake of paranoia progression, let's pretend he got by phishing you for it ('cause that is the only way he gets one that he can firmly identify as yours). Whooops! He did not log in from your known IP address so the login authenticator demands an answer to one of 5 secret questions. Unless you posted them up on your Facebook, how exactly is the hacker going to get the answers??????

 

My point? The hurdles that must be successfully traversed for some hacker (ie: a stranger that knows nothing about you) to successfully log in to your account are such that it's at best a billion to one chance he succeeds before flags trigger at Bioware and your account is frozen until you unlock it via an authorized unlock notification.

 

There are simply easier targets on the internet for hackfesting by the professional hackers than an SWTOR account with a strong password, an active authenticator, and secret questions to overcome the wrong IP address. There are tens of thousands of silly people that practically give their login info away to curious hackers such that they can't be bothered to try to hack the basically unhackable. They would do much better to try to hack SWTOR.com directly to get your precious login validation data.... and there are no signs that that would be doable, nor would a hacker want to bring that kind of corporate attention to themselves (they like to work quietly, under the radar).

 

PS: And if you don't trust Apple (I don't either by the way, as they are probably less secure than SWTOR.com and are a bigger target), then get yourself a hardware authenticator for $5 and remove all doubt. But even if they hacked Apple and got your authenticator token.... how exactly would they tie it back to your forum handle and password to be able to actually make use of it?

Edited by Andryah
Link to comment

Read between the lines people. They are implementing some form of mobile two factor authentication wherein your email address will be used to confirm your login when connecting from a new computer. Therefore your email address can't be your login, or hacking your email will circumvent the security here.

 

Add on the fact, which has been pointed out over a dozen times, that you can already attempt to login to someone's account with their display name and the paranoia is truly out of proportion. (How long before we see petition threads labeled "Post here if you are unsubbing because of the login changes"?)

Link to comment

read between the lines people. They are implementing some form of mobile two factor authentication wherein your email address will be used to confirm your login when connecting from a new computer. Therefore your email address can't be your login, or hacking your email will circumvent the security here.

 

qft. :)

Link to comment

So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

 

I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.

 

Some responses below - apologies if I don't reply to every question...

 

Thank you for responding to these concerns. Though I would personally rather log in with e-mail, I understand your reasons and am therefore satisfied. Thank you for being active in communication with the players!

 

*crosses fingers for the ability to change Display Name however* :jawa_smile:

Link to comment

One concern that I have is that it seems this is opening up a way for people to "grief" each other by intentionally trying to log into someone else's account and failing a number of times, resulting in the account getting locked out. Currently, the only way to re-enable the account is to call customer service.

 

I, personally, don't want to have to call customer service to get my account re-enabled over and over again if someone decides they want to pick on me. That would be enough to make me not want to play this game anymore.

 

Are there any plans to address this scenario?

Link to comment
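
The lockout concern raised in the post above, as an added illustration (not part of the thread and not BioWare's implementation): failed attempts are throttled per (account, source) pair with growing delays instead of locking the whole account, so failures from one source do not lock out the owner. The class, parameter values, display name and addresses are assumptions constructed for this example.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Failed-login throttling keyed on (account, source), not on the account alone."""
    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0, clock=time.monotonic):
        self.free_attempts = free_attempts    # failures allowed before any delay applies
        self.base_delay = base_delay          # first delay in seconds, doubled per extra failure
        self.max_delay = max_delay            # cap, so a block always expires without support
        self.clock = clock
        self.failures = defaultdict(int)      # (account, source) -> consecutive failures
        self.blocked_until = {}               # (account, source) -> clock value when block ends

    def retry_after(self, account, source):
        """Seconds this source must wait before trying this account again (0 = allowed)."""
        return max(0.0, self.blocked_until.get((account, source), 0.0) - self.clock())

    def record_failure(self, account, source):
        # A real login handler would call retry_after() first and reject early if > 0.
        key = (account, source)
        self.failures[key] += 1
        extra = self.failures[key] - self.free_attempts
        if extra > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (extra - 1))
            self.blocked_until[key] = self.clock() + delay
        return self.retry_after(account, source)

    def record_success(self, account, source):
        self.failures.pop((account, source), None)
        self.blocked_until.pop((account, source), None)

    def sources_failing(self, account):
        """Distinct sources with failures on this account: an alerting signal."""
        return sum(1 for (acct, _), n in self.failures.items() if acct == account and n > 0)

def simulate():
    """Constructed scenario: one source fails 10 times against a public display name."""
    now = [0.0]                                # fake clock so the run is deterministic
    t = LoginThrottle(clock=lambda: now[0])
    for _ in range(10):
        griefer_wait = t.record_failure("ExampleName", "203.0.113.7")
    owner_wait = t.retry_after("ExampleName", "198.51.100.20")
    return griefer_wait, owner_wait, t.sources_failing("ExampleName")
```

Per-source throttling does not by itself slow guessing spread across many sources, which is why `sources_failing` is exposed as a signal for alerting or for requiring an additional factor.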

The point you're missing is how do u know only Bioware has your email and where else can that information be found?

 

Also on a macro level how many people use the same email address and same password for other log ins. And who controls that?

 

Email accounts are routinely phished. It's false security to think it is hidden at a macro level.

 

Good change. And not a shock since rmt are tied to the account now.

 

Maybe you can explain: why

 

Blizzard changed the login from login-name to email and said: this is more safety

Bioware changed the login from email to login name

 

Logic!

 

And Blizzard has a little bit more users, and my email address on the battle net is additionally my login to sc2 and D3 and wow :rolleyes:

Edited by Leonalis
Link to comment

Big thanx for the replies Phillip_BW :)

 

 

And since this topic is about security and you are the Senior Manager of Security, I hope you don't mind me asking:

 

When will we in Europe and Asia-Pacific be able to buy Physical Security Keys?

 

And please don't give me that baloney that it's possible via the Origin Store, or even via the US Origin Store... cause they don't ship outside the US. :p

Link to comment

Would it be possible to add Display name aliases that are displayed in the forum but differ from the display name used for logging in? That would alleviate many security concerns people are having with this new system.
Link to comment

One concern that I have is that it seems this is opening up a way for people to "grief" each other by intentionally trying to log into someone else's account and failing a number of times, resulting in the account getting locked out. Currently, the only way to re-enable the account is to call customer service.

 

I, personally, don't want to have to call customer service to get my account re-enabled over and over again if someone decides they want to pick on me. That would be enough to make me not want to play this game anymore.

 

Are there any plans to address this scenario?

 

Considering that display names currently already work as logins, it's not like anything is changing there.

 

Would it be possible to add Display name aliases that are displayed in the forum but differ from the display name used for logging in? That would alleviate many security concerns people are having with this new system.

 

This would be a nice idea. I probably wouldn't have chosen this username if I had known it was all I could display on the forums. :o

Edited by chuixupu
Link to comment

Big thanx for the replies Phillip_BW :)

 

 

And since this topic is about security and you are the Senior Manager of Security, I hope you don't mind me asking:

 

When will we in Europe and Asia-Pacific be able to buy Physical Security Keys?

 

And please don't give me that baloney that it's possible via the Origin Store, or even via the US Origin Store... cause they don't ship outside the US. :p

 

It would be nice to know when this is going to be addressed, as if my current one breaks I can't replace it (and getting it removed sounds like a terrible hassle in itself.)

Link to comment