GoldenHornet
03.05.2013 , 02:40 PM | #11
Quote: Originally Posted by DarthTHC View Post
Or it's actually LESS secure.

With this change, anyone who can view the forums (read: EVERYONE) immediately knows 1/2 to 1/3 of the information necessary to log into your account depending on whether or not you have an authenticator associated to it. They don't have to hack a database. They don't have to get you to click on their phishing link. They just have to open a browser.

Before this change, well... can YOU tell me the email address I have associated with this account? That's right, you have NONE of the information necessary to log in as me.

They're not doing it to make it more secure. They're doing it to make it easier on themselves. F2P accounts do NOT need or use email address to log in; only user name.
You missed the point. Currently all the bad guys are doing is taking big lists of email addresses and associated passwords and trying them at the log-in to see if they are a live account. They don't care whose account it is.

With this change they are less likely to have your username and password, unless you've been careless enough to use that combination elsewhere.

DarkTrooperV
03.05.2013 , 02:42 PM | #12
They are already starting to use the Displayname now. I just logged into my account using just my display name. The email part is still there though.
The Joker: They're only as good as the world allows them to be. I'll show you. When the chips are down, these... these civilized people, they'll eat each other. See, I'm not a monster. I'm just ahead of the curve.

DarthTHC
03.05.2013 , 02:43 PM | #13
Quote: Originally Posted by GoldenHornet View Post
You missed the point. Currently all the bad guys are doing is taking big lists of email addresses and associated passwords and trying them at the log-in to see if they are a live account. They don't care whose account it is.

With this change they are less likely to have your username and password, unless you've been careless enough to use that combination elsewhere.
You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.

GoldenHornet
03.05.2013 , 02:47 PM | #14
Quote: Originally Posted by DarthTHC View Post
You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.
Currently, if you have used that email address and password somewhere else on the internet and it has been leaked (which has happened lots of times over the last couple of years) then they have ALL of the information they need, for free, no work involved.

Changing it to username takes that away, they now only have half of the info they need.

Hopefully you are also using a security key, which makes this much harder, if not close to impossible, for the casual bad guy.

DarthTHC
03.05.2013 , 02:52 PM | #15
Quote: Originally Posted by GoldenHornet View Post
Currently, if you have used that email address and password somewhere else on the internet and it has been leaked (which has happened lots of times over the last couple of years) then they have ALL of the information they need, for free, no work involved.

Changing it to username takes that away, they now only have half of the info they need.

Hopefully you are also using a security key, which makes this much harder, if not close to impossible, for the casual bad guy.
How do they only have half the information they need if they only have to open this web site and take a look around to get login ID's?

If we require email address to log in, it's more secure because that information is not displayed anywhere. If we only need user ID to log in, then it's less secure because if you look to the left of this text, you have mine. And I can look to the QUOTE tag and now I have yours. (It's GoldenHornet! Ooh! I'm a L33+ H4cker!) How is that so hard to comprehend?

As an aside, I guarantee you that the email address associated with my account is not available on any list anywhere, unless that list was generated specifically by hacking this game's user database. I haven't heard of any hacks, but then again, would EA really publish that sort of thing if they weren't forced to?

GoldenHornet
03.05.2013 , 02:59 PM | #16
Quote: Originally Posted by DarthTHC View Post
How do they only have half the information they need if they only have to open this web site and take a look around to get login ID's?

If we require email address to log in, it's more secure because that information is not displayed anywhere. If we only need user ID to log in, then it's less secure because if you look to the left of this text, you have mine. And I can look to the QUOTE tag and now I have yours. (It's GoldenHornet! Ooh! I'm a L33+ H4cker!) How is that so hard to comprehend?

As an aside, I guarantee you that the email address associated with my account is not available on any list anywhere, unless that list was generated specifically by hacking this game's user database. I haven't heard of any hacks, but then again, would EA really publish that sort of thing if they weren't forced to?
If they were trying to hack your specific account, then you might be right. The point is they aren't. They are just looking for live accounts that match the email/pwd combinations they know. They don't care whose account it is.

Andryah
03.05.2013 , 03:02 PM | #17
Quote: Originally Posted by DarthTHC View Post
You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.
A worthy read from a dev on the topic --------------> http://www.swtor.com/community/showp...6&postcount=98

The problem addressed by removing the email address as a choice (and yes, currently you can use your email OR your forum handle to log in) is that there are too many people who are careless with their email address and password all over the internet.

Email pharming IS the single biggest target of account hackers. Sometimes they get lucky and get your often reused password as well. But mostly they phish email addresses to tease out access to MMO accounts more than they actually gain full login/password from their internet hacking attempts. They get said email addresses by hacking low security 3rd party websites. There is nothing to target with a forum handle except to try to brute force a login (for which you should read the linked response above).
MMOs mimic real life in some ways. Take challenges for example.... you can either use intellect and overcome a challenge or not. In other words, you can make lemonade from lemons, or you can just suck on the lemon. Up to you.
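
Added example (editorial, not part of any post in this thread and not the game's own code): the two patterns argued over above look different in login logs, so a defender can tell them apart per source. Reused email/password lists show up as one source trying many login IDs once each with a low success rate, while guessing against a publicly visible handle shows up as many failures on one ID. The event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, login_id, success)
EVENTS = (
    # one source, 40 different IDs, one attempt each, a single hit
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # one source hammering a single public forum handle
    + [("198.51.100.9", "ForumHandle", False)] * 25
    # ordinary user: one typo, then a successful login
    + [("192.0.2.10", "alice", False), ("192.0.2.10", "alice", True)]
)

def classify_sources(events, min_ids=20, min_failures=10, max_success_rate=0.1):
    """Label each source IP by the login-abuse pattern its attempts match."""
    stats = defaultdict(
        lambda: {"ids": set(), "fails": defaultdict(int), "ok": 0, "total": 0}
    )
    for ip, login_id, success in events:
        s = stats[ip]
        s["ids"].add(login_id)
        s["total"] += 1
        if success:
            s["ok"] += 1
        else:
            s["fails"][login_id] += 1

    labels = {}
    for ip, s in stats.items():
        success_rate = s["ok"] / s["total"]
        worst_id_failures = max(s["fails"].values(), default=0)
        if len(s["ids"]) >= min_ids and success_rate <= max_success_rate:
            # many distinct IDs, few hits: replay of a leaked credential list
            labels[ip] = "credential-stuffing"
        elif worst_id_failures >= min_failures:
            # repeated failures on one ID: guessing against a known login name
            labels[ip] = "targeted-guessing"
        else:
            labels[ip] = "normal"
    return labels

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(EVENTS).items()):
        print(ip, label)
```
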

DarthTHC
03.05.2013 , 03:04 PM | #18
It's all actually sort of moot anyway.

I can give someone my user id AND password and remove the authenticator and they still couldn't get into my account, unless they do so from a location (IP address) I've already used.

But arguing that a value that is freely available just for opening a web site is somehow more secure than an email address that is displayed nowhere on the web site is a swerve at best, even on EA's part.

They want to simplify their code so that f2p and sub logins can use the same algorithm. Whatever other reason they give you is lip service.

Jenovan
03.05.2013 , 03:40 PM | #19
Quote: Originally Posted by DarthTHC View Post
It's all actually sort of moot anyway.

I can give someone my user id AND password and remove the authenticator and they still couldn't get into my account, unless they do so from a location (IP address) I've already used.
This is the important bit that I think a lot of people are missing. These protections are already in place, as is the ability to log in via username.

Quote: Originally Posted by DarthTHC View Post
But arguing that a value that is freely available just for opening a web site is somehow more secure than an email address that is displayed nowhere on the web site is a swerve at best, even on EA's part.

They want to simplify their code so that f2p and sub logins can use the same algorithm. Whatever other reason they give you is lip service.
It may not be more secure for your game account, but it could be for your email account.
Note that you, personally, aren't getting any enhanced security out of this, because judging by your posts in this thread, you use a specific email address only for SWTOR. Lots of other people don't.

If someone gets struck by a keylogger, and the logger catches them signing into SWTOR:
a) Email-based login: they have snagged your email address and game password.
b) Display Name-based login: they have snagged your display name and game password.

In both cases, it may be difficult for them to get into the game account, due to authenticators and the location-based checks you mentioned. However, in case (a), they can take that email address and try to crack that account -- which could very possibly not be as well-protected as the game account. That's potentially a much worse issue than "just" your game account.

On a side note, someone in the sticky thread mentioned that in some countries, email addresses are considered personal information and are not allowed to be used in this capacity, so there could be some legal wrangling behind the change as well.
Ebon Hawk * The Thirteenth Legion * RP/Social/Casual
Kjara | Avidior | Mizret | Ysmena
Forging Fortune * Aviditas

DarthTHC
03.05.2013 , 03:46 PM | #20
Quote: Originally Posted by Jenovan View Post
This is the important bit that I think a lot of people are missing. These protections are already in place, as is the ability to log in via username.


It may not be more secure for your game account, but it could be for your email account.
Note that you, personally, aren't getting any enhanced security out of this, because judging by your posts in this thread, you use a specific email address only for SWTOR. Lots of other people don't.

If someone gets struck by a keylogger, and the logger catches them signing into SWTOR:
a) Email-based login: they have snagged your email address and game password.
b) Display Name-based login: they have snagged your display name and game password.

In both cases, it may be difficult for them to get into the game account, due to authenticators and the location-based checks you mentioned. However, in case (a), they can take that email address and try to crack that account -- which could very possibly not be as well-protected as the game account. That's potentially a much worse issue than "just" your game account.

On a side note, someone in the sticky thread mentioned that in some countries, email addresses are considered personal information and are not allowed to be used in this capacity, so there could be some legal wrangling behind the change as well.
You're still predicating the "increase" in security on the assumption that people are being stupid with their email accounts and passwords or, best case, that they've been hacked.

That's a horribly flawed argument for making part of the information required for authentication free and open to EVERYONE.

Let's put it this way...

If email is the required user ID, then the effort required for someone of nefarious intent to obtain it is:

a) The user is a dork
b) The user is not a dork but something got hacked

If the user name is the required user ID, then the effort for someone of nefarious intent to obtain it is:

a) They open this web site

Which is better? Which requires more effort? Which is more secure?

Come on. It's not rocket science and it's not a trick question. Don't overthink it.