Display name only...


Lunafox

I just read that as of April 2nd, only our display name will be needed to log in, I don't see how this is safer...but I'm wondering about the security keys, are these still going to be needed? Or are they not required now, and do we have to have them removed from the account or anything?

 

Thanks. :)


I just read that as of April 2nd, only our display name will be needed to log in, I don't see how this is safer...but I'm wondering about the security keys, are these still going to be needed? Or are they not required now, and do we have to have them removed from the account or anything?

 

Thanks. :)

 

You will still need your password and security key. ;) Otherwise all of the rest of us could login as Lunafox and take your stuff. :p

 

It's just that you won't use your email for the login "username" anymore.

Edited by Andryah

Really not thrilled with this. I would have liked it if they allowed you at least a one time chance to change your display name first. They claim they don't have that capability yet. Oh but if you have a name that is deemed offensive they will make you change it right away.

Ok thanks for the answers guys. Much appreciated, especially Andryah, lol. I wondered how that was gonna work, lol. Glad to hear they'll still need the other stuff, it just didn't read that way to me when I saw the notice.

The reason why it's safer is that someone hacking your account will NOT automatically know your email address as well. And they can't change your email address without entering the old one first and going through confirmation mails etc. Which they can't reach because they don't have your mail addy.

 

If you get hacked, then all they have is your username and password. So while they can steal your in-game stuff, they can't steal your entire account.

 

I'd still like to see a regional lockout added though, so someone with an IP from Uzbekistan or Mexico or Timbuktu or whatever couldn't access my account, simply because they're from a different region than where I come from.


The reason why it's safer is that someone hacking your account will NOT automatically know your email address as well. And they can't change your email address without entering the old one first and going through confirmation mails etc. Which they can't reach because they don't have your mail addy.

 

If you get hacked, then all they have is your username and password. So while they can steal your in-game stuff, they can't steal your entire account.

 

I'd still like to see a regional lockout added though, so someone with an IP from Uzbekistan or Mexico or Timbuktu or whatever couldn't access my account, simply because they're from a different region than where I come from.

 

I suspect the real reason it's slightly more secure is that too many idiots out there use the same email address / password combination for everywhere they go.

 

Once your credentials have been leaked from joesinsecuresite.com they are pasted up on pastebin or somewhere and then tried at every game, bank, website possible to see if you're dumb enough to have re-used them elsewhere.


I suspect the real reason it's slightly more secure is that too many idiots out there use the same email address / password combination for everywhere they go.

 

Once your credentials have been leaked from joesinsecuresite.com they are pasted up on pastebin or somewhere and then tried at every game, bank, website possible to see if you're dumb enough to have re-used them elsewhere.

 

Or it's actually LESS secure.

 

With this change, anyone who can view the forums (read: EVERYONE) immediately knows 1/2 to 1/3 of the information necessary to log into your account depending on whether or not you have an authenticator associated to it. They don't have to hack a database. They don't have to get you to click on their phishing link. They just have to open a browser.

 

Before this change, well... can YOU tell me the email address I have associated with this account? That's right, you have NONE of the information necessary to log in as me.

 

They're not doing it to make it more secure. They're doing it to make it easier on themselves. F2P accounts do NOT need or use email address to log in; only user name.

Edited by DarthTHC

Or it's actually LESS secure.

 

With this change, anyone who can view the forums (read: EVERYONE) immediately knows 1/2 to 1/3 of the information necessary to log into your account depending on whether or not you have an authenticator associated to it. They don't have to hack a database. They don't have to get you to click on their phishing link. They just have to open a browser.

 

Before this change, well... can YOU tell me the email address I have associated with this account? That's right, you have NONE of the information necessary to log in as me.

 

They're not doing it to make it more secure. They're doing it to make it easier on themselves. F2P accounts do NOT need or use email address to log in; only user name.

 

You missed the point. Currently all the bad guys are doing is taking big lists of email addresses and associated passwords and trying them at the log-in to see if they are a live account. They don't care whose account it is.

 

With this change they are less likely to have your username and password, unless you've been careless enough to use that combination elsewhere.

Edited by GoldenHornet

You missed the point. Currently all the bad guys are doing is taking big lists of email addresses and associated passwords and trying them at the log-in to see if they are a live account. They don't care whose account it is.

 

With this change they are less likely to have your username and password, unless you've been careless enough to use that combination elsewhere.

 

You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

 

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.


You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

 

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.

 

Currently, if you have used that email address and password somewhere else on the internet and it has been leaked (which has happened lots of times over the last couple of years) then they have ALL of the information they need, for free, no work involved.

 

Changing it to username takes that away, they now only have half of the info they need.

 

Hopefully you are also using a security key, which makes this much harder, if not close to impossible, for the casual bad guy.


Currently, if you have used that email address and password somewhere else on the internet and it has been leaked (which has happened lots of times over the last couple of years) then they have ALL of the information they need, for free, no work involved.

 

Changing it to username takes that away, they now only have half of the info they need.

 

Hopefully you are also using a security key, which makes this much harder, if not close to impossible, for the casual bad guy.

 

How do they only have half the information they need if they only have to open this web site and take a look around to get login IDs?

 

If we require email address to log in, it's more secure because that information is not displayed anywhere. If we only need user ID to log in, then it's less secure because if you look to the left of this text, you have mine. And I can look to the QUOTE tag and now I have yours. (It's GoldenHornet! Ooh! I'm a L33+ H4cker!) How is that so hard to comprehend?

 

As an aside, I guarantee you that the email address associated with my account is not available on any list anywhere, unless that list was generated specifically by hacking this game's user database. I haven't heard of any hacks, but then again, would EA really publish that sort of thing if they weren't forced to?

Edited by DarthTHC

How do they only have half the information they need if they only have to open this web site and take a look around to get login IDs?

 

If we require email address to log in, it's more secure because that information is not displayed anywhere. If we only need user ID to log in, then it's less secure because if you look to the left of this text, you have mine. And I can look to the QUOTE tag and now I have yours. (It's GoldenHornet! Ooh! I'm a L33+ H4cker!) How is that so hard to comprehend?

 

As an aside, I guarantee you that the email address associated with my account is not available on any list anywhere, unless that list was generated specifically by hacking this game's user database. I haven't heard of any hacks, but then again, would EA really publish that sort of thing if they weren't forced to?

 

If they were trying to hack your specific account, then you might be right. The point is they aren't. They are just looking for live accounts that match the email/pwd combinations they know. They don't care whose account it is.


You're missing the point. With this change they ALREADY HAVE FOR FREE - NO WORK INVOLVED - the name of every user who has ever posted to the forums.

 

In my case, that puts them WAY ahead of where they are now. They would have to specifically hack this game's user database to get my email address.

 

A worthy read from a dev on the topic --------------> http://www.swtor.com/community/showpost.php?p=5955636&postcount=98

 

The problem addressed by removing the email address as a choice (and yes, currently you can use your email OR your forum handle to log in) is that there are too many people who are careless with their email address and password all over the internet.

 

Email pharming IS the single biggest target of account hackers. Sometimes they get lucky and get your often reused password as well. But mostly they phish email addresses to tease out access to MMO accounts more than they actually gain full login/password from their internet hacking attempts. They get said email addresses by hacking low security 3rd party websites. There is nothing to target with a forum handle except to try to brute force a login (for which you should read the linked response above).

Edited by Andryah

It's all actually sort of moot anyway.

 

I can give someone my user id AND password and remove the authenticator and they still couldn't get into my account, unless they do so from a location (IP address) I've already used.

 

But arguing that a value that is freely available just for opening a web site is somehow more secure than an email address that is displayed nowhere on the web site is a swerve at best, even on EA's part.

 

They want to simplify their code so that f2p and sub logins can use the same algorithm. Whatever other reason they give you is lip service.


It's all actually sort of moot anyway.

 

I can give someone my user id AND password and remove the authenticator and they still couldn't get into my account, unless they do so from a location (IP address) I've already used.

This is the important bit that I think a lot of people are missing. These protections are already in place, as is the ability to log in via username.

 

But arguing that a value that is freely available just for opening a web site is somehow more secure than an email address that is displayed nowhere on the web site is a swerve at best, even on EA's part.

 

They want to simplify their code so that f2p and sub logins can use the same algorithm. Whatever other reason they give you is lip service.

It may not be more secure for your game account, but it could be for your email account.

Note that you, personally, aren't getting any enhanced security out of this, because judging by your posts in this thread, you use a specific email address only for SWTOR. Lots of other people don't.

 

If someone gets struck by a keylogger, and the logger catches them signing into SWTOR:

a) Email-based login: they have snagged your email address and game password.

b) Display Name-based login: they have snagged your display name and game password.

 

In both cases, it may be difficult for them to get into the game account, due to authenticators and the location-based checks you mentioned. However, in case (a), they can take that email address and try to crack that account -- which could very possibly not be as well-protected as the game account. That's potentially a much worse issue than "just" your game account.

 

On a side note, someone in the sticky thread mentioned that in some countries, email addresses are considered personal information and are not allowed to be used in this capacity, so there could be some legal wrangling behind the change as well.


This is the important bit that I think a lot of people are missing. These protections are already in place, as is the ability to log in via username.

 

 

It may not be more secure for your game account, but it could be for your email account.

Note that you, personally, aren't getting any enhanced security out of this, because judging by your posts in this thread, you use a specific email address only for SWTOR. Lots of other people don't.

 

If someone gets struck by a keylogger, and the logger catches them signing into SWTOR:

a) Email-based login: they have snagged your email address and game password.

b) Display Name-based login: they have snagged your display name and game password.

 

In both cases, it may be difficult for them to get into the game account, due to authenticators and the location-based checks you mentioned. However, in case (a), they can take that email address and try to crack that account -- which could very possibly not be as well-protected as the game account. That's potentially a much worse issue than "just" your game account.

 

On a side note, someone in the sticky thread mentioned that in some countries, email addresses are considered personal information and are not allowed to be used in this capacity, so there could be some legal wrangling behind the change as well.

 

You're still predicating the "increase" in security on the assumption that people are being stupid with their email accounts and passwords or, best case, that they've been hacked.

 

That's a horribly flawed argument for making part of the information required for authentication free and open to EVERYONE.

 

Let's put it this way...

 

If email is the required user ID, then the effort required for someone of nefarious intent to obtain it is:

 

a) The user is a dork

b) The user is not a dork but something got hacked

 

If the user name is the required user ID, then the effort for someone of nefarious intent to obtain it is:

 

a) They open this web site

 

Which is better? Which requires more effort? Which is more secure?

 

Come on. It's not rocket science and it's not a trick question. Don't overthink it.

Edited by DarthTHC

DarthTHC, I understand your argument, but I'm not saying this change automatically makes your game account more secure. It might make your email account more secure. Because yes -- lots of people ARE stupid with their security.

 

Because of the other security measures in place (with more apparently to be added, according to the gold post), Display Name login doesn't make your game account less secure. Your Display Name may be a known value, but it is still equally hard to actually enter the account because of the other security factors. It's like having a single number for a combination lock -- but the door that's locked with the combo lock also requires a keycard, and maybe a retina scan.

 

(Aside: how many players are there who have never posted in the forums? They all have an account name here, but a crawler script would probably never find it because it's never been publicly used... kind of like your email address. That doesn't make your point less valid, but it does mean that that particular security hole doesn't apply to everyone. Neither of them (email vs. username) do.)


So how bad is this going to screw up the rest of my EA/Origin stuff? I know when first making the SWTOR account the password changed everything else related to my EA/Origin stuff. I will be rather pissed if this fubars all my other stuff.

So how bad is this going to screw up the rest of my EA/Origin stuff? I know when first making the SWTOR account the password changed everything else related to my EA/Origin stuff. I will be rather pissed if this fubars all my other stuff.

 

No change. Your account is still linked to Origin, however you will continue to log in to Origin using your email address as their security implementation is still different. There is no link to your SWTOR Display Name in Origin so no added risk...

Or so the Security guy says, at any rate.


 

Before this change, well... can YOU tell me the email address I have associated with this account? That's right, you have NONE of the information necessary to log in as me.

 

For a few months now, you've been able to login with your display name. There's no decrease in security from today to 4/2/13, or from yesterday to today, for that matter.

Edited by OmenQ
