Warwench

Members
  • Posts: 18
  • Joined
  • Reputation: 10 Good
  1. OMG, someone who gets it! I wish I could upvote you or give you something; you are a beacon in a sea of people confused about basic and complex security concepts.
  2. /facepalm It's not cookie-based security, it's using a cookie to track client uniqueness. There are many other controls in play. If all they were doing was storing a single cookie locally and trusting it, you might have half a leg to stand on here. So much misinformation in this post. What is it you do for a living? I can tell you, what I do is work with, break into and help fix things exactly like what you posted above, and I wouldn't put my faith in a lot of the auth systems used by banks. Auth systems are complex, SWTOR's included, and involve so many other things you just cannot see or understand behind the scenes that all you people spouting off at the mouth as armchair security architects just makes me cringe. I've got work today, but I will say this: knowing what I know about how SWTOR auth works (and I know more than most), I am quite happy with it, and testing and knowing about these systems is what I do every day. It has minor issues and minor flaws (some of which are actually getting fixed, or just have been fixed) but it's not bad. At the end of the day, you do need to sit down and think about why there are no massive amounts of account hacks (or massive amounts of gold spam either) in SWTOR, and let that sink in for a bit.
  3. How do they get the MAC address through the browser? I know there are methods, but they involve running client-side script/code to get it; it's not ever presented by the browser. Steam is also software running on your computer, not your browser, the same way the launcher is software running on your system. Software on your system can get that; the browser can't. Just to be sure, I have Steam running right now, but logging into steampowered prompts me for my code, which it emails me. Also, take a look at the cookies before and after using the Steam website and having to enter a code. Notice the difference? Notice the browserid cookie and the steamlogin cookie?
  4. Do you have a good way to determine client uniqueness without using cookies/JavaScript or anything else client-side in a world of dynamic IP addresses? Let's hear your solution.
  5. So what I gather is you expect to be able to take a security control like disabling cookies or disabling JavaScript (or disabling anything else that potentially adds risk while using rich experiences online) and get the same rich experience? You, sir, have 2 problems: you don't know how security works and you don't know how the internet works. You cannot blatantly apply a security control across something like the internet to disable the rich experience and then whine because it doesn't work. You've done none of YOUR due diligence to determine the risk of what the control works on for the site you are applying it against. You need to evaluate: are cookies on this site OK or not? Do I trust the site? Am I OK with the loss of functionality from disabling cookies? The same goes for anything else: Java, JavaScript, Flash etc. There are a lot of places you absolutely DO want to disable all of it, because the impact of untrusted code is high and the loss of functionality is something you don't care about. You have to evaluate the risk, the impact and the likelihood on a site-by-site basis. You haven't done that, though; you've just disabled things on all sites and said screw it, I don't care what loss of functionality I might suffer. Then you whine because you lost functionality. Websites depend on good implementations of things like cookies/JavaScript to give their users a good experience. There is no way to examine who you are and determine that you don't need to be prompted without a little 2-way trust. If you won't trust SWTOR, they won't trust you. It's pretty simple and anyone with an OUNCE of actual security knowledge can see that. Before you go off on tangents about cookie stealing and all that, be sure you REALLY understand how those things are done. P.S. I do have quite a bit of security experience and can debate this and anything else around security all day if you like.
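The "2-way trust" the post above describes (the client keeps a cookie, the server decides whether that cookie earns a pass on the e-mailed code) can be made concrete. The following is an added example, not code from the original posts and not how SWTOR or Steam actually implement it: a hypothetical `DeviceTrust` class that mints an HMAC-signed cookie only after the second factor has been verified, and a hypothetical `login_step` that consults it. The cookie carries a random device id, the account it was issued for and an expiry; the server's key is what makes it trustworthy, so a client cannot forge, edit or reuse it against another account, and a client that disables cookies simply gets prompted every time.

```python
"""Signed 'trusted device' cookie: skip the e-mailed code on a recognised client.

Added example, not code from the original posts or from SWTOR/Steam. The
cookie only identifies a device the server has already verified with the
second factor; trust comes from the server-side HMAC key, not from anything
the client stores or claims. In a real deployment the cookie would also be
set with the Secure and HttpOnly flags.
"""
import base64
import hashlib
import hmac
import secrets
import time


class DeviceTrust:
    def __init__(self, key: bytes, ttl_seconds: int = 30 * 24 * 3600, clock=time.time):
        self._key = key          # server-side secret; never sent to the client
        self._ttl = ttl_seconds  # how long a verified device stays trusted
        self._clock = clock      # injectable so expiry can be tested deterministically

    def _sign(self, payload: str) -> str:
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def issue(self, account_id: str) -> str:
        """Mint a cookie after the account has passed the e-mailed code check."""
        if "|" in account_id:
            raise ValueError("account id must not contain the field separator")
        device_id = secrets.token_urlsafe(16)           # random, unguessable per device
        expires = int(self._clock()) + self._ttl
        payload = f"{device_id}|{account_id}|{expires}"
        return f"{payload}|{self._sign(payload)}"

    def is_trusted(self, cookie, account_id: str) -> bool:
        """True only for an unexpired, untampered cookie bound to this account."""
        if not isinstance(cookie, str):
            return False
        parts = cookie.split("|")
        if len(parts) != 4:
            return False
        device_id, acct, expires, sig = parts
        payload = f"{device_id}|{acct}|{expires}"
        # Constant-time compare; a forged or edited cookie fails here.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False
        # Signature is valid, so the fields are exactly what this server issued.
        if acct != account_id:
            return False                                  # cookie stolen from another account
        return int(expires) > int(self._clock())


def login_step(trust: DeviceTrust, account_id: str, password_ok: bool, cookie=None) -> str:
    """Decide what the auth flow does next; the password check is never skipped."""
    if not password_ok:
        return "denied"
    if trust.is_trusted(cookie, account_id):
        return "ok"                # recognised device: no code prompt
    return "need_code"             # unknown device: e-mail a code, call issue() on success


if __name__ == "__main__":
    trust = DeviceTrust(secrets.token_bytes(32))
    print(login_step(trust, "bob@bob.com", True))            # need_code
    cookie = trust.issue("bob@bob.com")                      # after the code was verified
    print(login_step(trust, "bob@bob.com", True, cookie))    # ok
    print(login_step(trust, "alice@bob.com", True, cookie))  # need_code
```

The cookie is one control among several: the password is always checked first, and the signature check means the only way to avoid the code prompt is to have completed it once on that device. Rotating the server key revokes every issued cookie at once.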
  6. Yes, please raise the cap. This was really annoying on launch and we ended up with 4 guilds of 500 people, 2 Empire and 2 Republic. To allow chatting between them we made custom chat channels and disabled guild chat. The problem? Custom chat channel security controls are broken and have been since launch: you cannot lock them down, boot people, mute people etc. If someone mistypes the command to get in, your password is public and anyone can come in and you can do nothing. If the guild limit weren't so small, this wouldn't be an option; we could have everyone in one guild and not be restricting people to 1 main, 1 alt.
  7. Probably because you don't understand all the other systems, controls etc. involved, or don't understand that assuming the login name is "private" is poor security in itself. So relying on "secret" usernames is a bad idea, assuming the username is not known by an attacker is a bad idea; there are MANY other controls in place that do not assume that your username is secret, so an attacker knowing it, or not knowing it, doesn't matter. http://en.wikipedia.org/wiki/Kerckhoffs's_principle <-- read it.
  8. Yep, and he covered that in a later post. You might want to read all of Phillip's posts before replying. Goes for anyone.
  9. Totally agree. Bioware can't control whether you use the same password, though; they can assume many people do and put in controls to reduce the impact of that risk. They already do that. This change allows them to lower the number of times compromised creds could directly be used to attack an account, put in better detections on the back end to detect unauthorized users, and put in self-help services. In my book, win, win and win. Less chance of compromise, better layered protections and a better customer experience.
  10. One last post from me to help show why this is a good thing, and I am going to use my own real-world data for it. Gamigogames was compromised last year; I had an account there, along with 8.2 million other people. They got my username, my email and my (weakly) hashed password. - http://massively.joystiq.com/2012/07/23/eight-million-gamigo-user-accounts-compromised/ The username is not the same as the one I use here, but the password is. I happen to be using a unique password for that site (as I do for every site, thanks to LastPass), but had I been using the same password in multiple locations, my account on SWTOR could have been at risk. Any place that uses my email and that password (if it was the same) would have been at risk. The places using a login name that is different? Safe. This. This is why. That is as simple (and real-world) as I can make it for you. If you are interested in how I get notifications of when my information is compromised, how I secure my stuff (my day job is in security), send me a PM.
  11. You have been able to sign in with both email and display name for a while now. Everyone, not just you. Go try it. We'll wait. It's all the back-end systems and protections that Phillip manages that are why there are not rampant account hacks. All they are trying to do is move to something that allows for more self-service options to fix things when you have problems, and more options to better secure things on the back end. Self-service means fewer calls to support, less time wasted, fewer unhappy people being on hold for a long time. The changes don't lower security in any way. I'm not angling for a job, I already have one; I work in security. I test systems, design systems and break into systems every week, and I am just tired of seeing the same irrelevant arguments over and over.
  12. Been implemented for a while now. ^ Your rants above are crazy conspiracy crap.
  13. Oh, if you want an example of why emails are kind of sucky, go to Pwned List (http://pwnedlist.com). They collect the email addresses from website leaks/dumps and you can check if your email/password has been leaked. You will be surprised. *Edit, in case anyone is concerned: Pwned List is legit; it's a service you can use to alert you if your details have been leaked/compromised. It's also used by LastPass (great password service, btw) to alert people when they are affected by a security compromise of a site.
  14. Lots of buzzwords. Stop thinking about your account, start thinking about millions of accounts where people commonly use the same email and password across multiple sites. Email is unique. bob@bob.com controls his account, so really only he can use it across the many sites. Therefore when one site gets hacked and Bob's password and email are stuck up on the internet, he gets added to large lists that bad guys run on auth systems. If Bob uses a login name, he doesn't own it or control it, and so it can't be unique across all the sites he logs into. If Bob123 is exposed via an attack, the bad guys have a much higher hit ratio; they have no idea Bob123 on Site X is NotBob on SWTOR. Every time a new site gets hit, you see the list run against sites to try and find accounts using the same password. This makes it a little harder.
  15. Just to put this in perspective: given adequate other controls (which they obviously have), it doesn't matter if I have your login ID (whether it's email or username). It matters if I have that, and your password. Since your email is generally static (and usually reasonably unique, i.e. generally only you use it at each website you sign up to), when various websites get hacked (which happens a lot) and an email/password combo ends up on a rather large list, chances are much better that you have used the same email and password here. If you use a username, the chance of you using the same username and password on multiple sites is slimmer, as it's not unique to you (i.e. bob@bob.com is unique to Bob if it's his email address, but TheBob might be already taken, so on here he is BobTehAwsum). I know from doing security on some large authentication systems that every time there is a massive password dump from a newly hacked site, there is a LARGE increase in successful logins to the systems I was monitoring. You guys only need to think about your account; Phil needs to think about all the accounts and has access to much more data, so having been in a similar position I both agree with and trust him. TL;DR email is unique to you, username might not be; password reuse chance is much lower.
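Posts 14 and 15 above describe what a leaked email/password list looks like from the auth system's side: one source replaying the list against many accounts, with a spike in successful logins wherever a password was reused. The following is an added example, not code from the original posts and not any system the author operated: a detector that parses a hypothetical log format (`<ISO-8601 UTC> <src_ip> <login_id> SUCCESS|FAIL`, assumed here), buckets attempts by source IP and time window, and flags buckets that touch many distinct login IDs, reporting which accounts the replay actually got into. The sample log is constructed inline so the block runs offline.

```python
"""Detect credential stuffing (a leaked credential list replayed against an auth system).

Added example, not from the original posts. The discriminator is the number
of *distinct* login IDs one source tries in a window: a real user retrying
a forgotten password hammers one account, a list replay touches each account
roughly once. Any success inside such a bucket is a reused password.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) log format: "<ISO-8601 UTC> <src_ip> <login_id> SUCCESS|FAIL"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    login_id: str
    success: bool


def parse_line(line):
    """Return an Event, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts_text, src_ip, login_id, result = m.groups()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, src_ip, login_id.lower(), result == "SUCCESS")


def detect_stuffing(lines, window=WINDOW, min_accounts=20):
    """Bucket attempts by (src_ip, window start) and flag buckets spanning many accounts."""
    secs = int(window.total_seconds())
    buckets = defaultdict(lambda: {"accounts": set(), "compromised": set(), "attempts": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                                   # skip malformed lines
        epoch = int(ev.ts.timestamp())
        key = (ev.src_ip, epoch - epoch % secs)        # floor timestamp to the window
        b = buckets[key]
        b["attempts"] += 1
        b["accounts"].add(ev.login_id)
        if ev.success:
            b["compromised"].add(ev.login_id)
    alerts = []
    for (src_ip, start), b in sorted(buckets.items()):
        if len(b["accounts"]) < min_accounts:
            continue                                   # one user retrying is not a replay
        alerts.append({
            "src_ip": src_ip,
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "attempts": b["attempts"],
            "distinct_accounts": len(b["accounts"]),
            "compromised": sorted(b["compromised"]),
            # A success inside a list replay means that account reused its password.
            "severity": "high" if b["compromised"] else "medium",
        })
    return alerts


def build_sample_log():
    """Constructed sample data for the demo; not a real capture."""
    t0 = datetime(2013, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # A legitimate user mistyping their password three times, then succeeding.
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{stamp(t0 + timedelta(seconds=30 * i))} 192.0.2.10 alice@example.com {result}")
    # A leaked email/password list replayed from one IP: 40 accounts, 3 reused passwords.
    hits = {7, 21, 33}
    for i in range(40):
        result = "SUCCESS" if i in hits else "FAIL"
        lines.append(f"{stamp(t0 + timedelta(minutes=3, seconds=5 * i))} 198.51.100.7 user{i:02d}@example.com {result}")
    # A second replay that finds no reused passwords.
    for i in range(25):
        lines.append(f"{stamp(t0 + timedelta(minutes=4, seconds=7 * i))} 203.0.113.9 member{i:02d}@example.org FAIL")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_log()):
        print(alert)
```

Run against the constructed log, the retrying user is not flagged, the 40-account replay is flagged high with the three compromised accounts listed, and the 25-account replay is flagged medium. The "compromised" list is the input to the self-service side the thread mentions: those are the accounts to force a password reset on and notify.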