Please upgrade your browser for the best possible experience.

Chrome Firefox Internet Explorer
×

Display Name Only Log In - Coming April 2, 2013

STAR WARS: The Old Republic > English > General Discussion
Display Name Only Log In - Coming April 2, 2013
First BioWare Post First BioWare Post

Andryah's Avatar


Andryah
03.05.2013 , 01:37 PM | #91
Quote: Originally Posted by Beranzen View Post
Was waiting for the ever predictable "you do this and I'll unsub" post.
Well, there is always some thread topic that is "catnip" for the kitten (er.. I mean threat) I guess.
Forum disputatio ------> est completum ineptias.

JamieKirby's Avatar


JamieKirby
03.05.2013 , 01:38 PM | #92
Hmmm, this must be a joke or bioware finally shows their true insanity because after this is started, everyone will know what to use to log into the accounts, all thats left is the password and those can be easy to find out, assuming you know the person and so on.

Koyaanisqat's Avatar


Koyaanisqat
03.05.2013 , 01:43 PM | #93
Quote: Originally Posted by JamieKirby View Post
Hmmm, this must be a joke or bioware finally shows their true insanity because after this is started, everyone will know what to use to log into the accounts, all thats left is the password and those can be easy to find out, assuming you know the person and so on.
If you're a target for social engineering, you'd think you'd realize it.
Elgyn Vriess, Space Pirate of the KDY-MANTIS Amelia, HYPERSPACE LEGEND.
Courier at large; Mercenary at small.
Elgyn Vriess Courier Company: When you need tab A inserted into slot B without C getting in the way. No questions asked (besides, "What'll it pay?").

Sindorin's Avatar


Sindorin
03.05.2013 , 01:45 PM | #94
I don't see how this improves security....
For The Empire!

Oya, Surtr! Ni su'cuyi, gar kyr'adyc, ni partayli, gar darasuum!

Blackavaar's Avatar


Blackavaar
03.05.2013 , 01:46 PM | #95
Quote: Originally Posted by Andryah View Post
Does a forum handle represent higher security by itself? No. But it also is less likely to exist and be used in multiple places across the internet. So it is less prone to hacker based proliferation of attack.
Wrong. Most gamers/forum users use the same forum name in every game they play. Really, while this change doesn't make it any less secure, it really doesn't make it more secure either.

Like I said above, if they really wanted to make it more secure they should be telling us to create a new unique Account Name. CoH did something similar once upon a time and that's what they did.

Only the meek get pinched. The bold survive.(███████████████████████████████████║║█[Θ]█]◙◙◙◙◙◙◙◙[█]

Merouk's Avatar


Merouk
03.05.2013 , 01:50 PM | #96
Quote: Originally Posted by Andryah View Post
What hackers will not do is sit someone down and collect forum names by hand off of a forum.
Before: Hackers had to hack WoW or some other game's database to get a list of user id's. Relatively hard to do.

Now: All they have to do is write a web crawler / script to collect user names from the forums. There are even pre-mades out there. It's not even illegal to collect information from public websites.

Nobody sits someone down, how dumb is that? There are scripts available on the internet. Legal scripts.

Sugandhalaya's Avatar


Sugandhalaya
03.05.2013 , 02:16 PM | #97
So much funny decisions in this weeks. By the way...german community really loves your work...u should look into the german forum
You will condemn, I'll convert.
You will preach, I will pervert.

Phillip_BW's Avatar


Phillip_BW
03.05.2013 , 02:21 PM | #98 Click here to go to the next staff post in this thread. Next  
So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.

Some responses below - apologies if I don't reply to every question...


Quote: Originally Posted by Icebergy View Post
April Fools?
No - that's April 1st before 12pm local time... Today is the 5th March, and the change goes live on the 2nd April...

Quote: Originally Posted by Hardtarget View Post
well that's... weird, since the whole point is the game uses our origin accounts
No change. Your account is still linked to Origin, however you will continue to log in to Origin using your email address as their security implementation is still different. There is no link to your SWTOR Display Name in Origin so no added risk...

Quote: Originally Posted by bigheadbrandon View Post
so now everyone will know half of what you use to login?
iuno theres a reason why something like steam doesn't show people your account name...
Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).


Quote: Originally Posted by MrSchmo View Post
I don't understand how this help security. No one knows what email I use to log in. Everyone knows your 'Display Name'. Granted they need to know the security questions, but knowing each persons display name is one less barrier IMO.
So two things here. Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account. We are implementing a few other measures (more news on that in the few weeks!) to ensure that account take over risk is mitigated.

I would recommend you make sure you use a very different password for your email account to anything you use elsewhere though. I know that is just common sense, but it's very very important. If possible use a dual-factor authentication system like the Two-Step solution that can be used on top of GMail.


Quote: Originally Posted by WSS_Toxin View Post
I don't like this, if you are going to make us log in with our display names at least make it so we can change our display names at least one time.
I have that on my list of things to look at already. That is a much harder challenge to change though as Display Name is also a unique reference, and changing the unique reference can create a ton of data inconsistencies. Technically possible, but not technically easy to accomplish. I wouldn't hold your breath on this one.

Quote: Originally Posted by Urael View Post
A) EAware redefining terms AGAIN. Display Name = Forum "Handle" for those curious.

B) While at first blush it would seem that going from Email ( usually unknown/private ) to Handle ( very public ) there may seem to be a risk to security for hacking. I for one would expect to have A LOT of hacking attempts given how many people "love me" here. What you have is a fall back to the "questions" you were asked to associate with your account. These are triggerred if you don't log in from a consistante IP. Update your questions and change your password to be 10+ characters long with at least 2 Upper case, 2 lower case letters, 2 numbers, and 2 special characters. Nothing to worry about.
Understandably, we have spent a lot of effort in making sure the new system will mitigate hacking attempts, especially of the brute-force variety. As mentioned above, there will be more news on this in the next few weeks.

Quote: Originally Posted by JPryde View Post
Okay, so here is a challenge for security experts:

1. Find out my display name
2. Find out my e-mail addy, which I use for SWTOR and this website.
3. Evaluate which of the two is harder to find out.
4. Explain how the new system will improve security

This is a ludicrous change. You remove a more or less hidden value and replace it by an openly accessible value and call that an improvement in security ??
I'm a security expert and would love to take up that challenge - but then I have access to internal tools and can tell you the answer
I can guarantee however that your email address is used on multiple sites. We don't control the security of 'all the sites' and as a result whenever another site that is using email address is hacked and your details disclosed, that the attacker will know who to phish or similar. Not so true for a Display Name that most people don't always get to use on every site they visit...
Not everything you think is 'hidden' truly is.


Quote: Originally Posted by Arlon_Nabarlly View Post
I hope this is a joke, if not it's really really really really really really stupid. A step backwards. Pretty much everywhere let's you use your e-mail as login anymore and more are moving towards that, not away from.
My market research as a security professional tells me otherwise. Sorry to disagree here.

Quote: Originally Posted by morfius View Post
You are actually decreasing security using display name, not increasing it.
To be secure compliant logon name has to be unique and not shown to whole world.
It may create some fuss in the begging , but please add different logon name.
Actually to be secure requires a lot more systems to be in place than relying on a unique Display Name. Showing it to the world should never be considered a security consideration.
We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs. And again, I stress that knowledge of the Display Name in of itself is not a security measure - we have many other controls in place to mitigate that knowledge.


Quote: Originally Posted by Daxy View Post
exactly

no one "knows" my e-mail or my real identity but everyone on these forums knows my username

my mind is conjuring scenes where some butthurt player has a tiff with another and begins trying to hack an account
where 1/2 of the login information is available for the world to see
Attempts at hacking of our site are not tolerated at all. Doing so would get that player in a lot more trouble than it any gain they think they might be able to get.

Quote: Originally Posted by Yaesive View Post
The question I have will we be allowed to do a one-time Account Name change if we desire without losing history of our posting?
Mentioned earlier, but no, this is not currently in plan, just listed as something we can look at later.

Quote: Originally Posted by Yaesive View Post
Additionally I am wondering if we will see a purge of inactive User accounts to free up possible accounts for new player?
No purge planned - the game is way too young to be thinking of removing old accounts, especially as a lot of those accounts have game data associated with them and we would like our players to be able to return to everything they left behind if they do leave.

Quote: Originally Posted by Jenovan View Post
I would be interested to hear from the devs on this -- though I'm not sure how much they're willing to talk about security measures, for obvious reasons.

I think, though, the idea is that the kind of processes used to steal accounts by gold farmers, etc. may simply try to log in with any email address they can get their hands on and attempt to brute-force the passwords. Guild Wars 2 went through a few security contortions after release and heavily recommended that your GW2 email address NOT be used for any other purpose, to minimize the risk of this kind of attack.

On the flip side, our display names are very visible to US, here -- but we're all subscribers. While this could lead to personally-motivated hacking, I imagine the sheer volume of that pales in comparison to the sort of email address farming sketched out above.
You are right, I can't go in to a lot of detail. Account Take Overs in our industry is a very big deal, and we treat that very seriously. I would say one thing and only thing only is needed to protect a player's account on SWTOR as well as pretty much every other company's website and/or game and/or bank out there:
Use a different password on your email account and if possible secure it using two-factor authentication such as Two-Step for GMail.
I can't stress how important that is for everybody! It should go without saying, but there you go. I've said it.


Quote: Originally Posted by Rankyn View Post
Yeah, this is a very very bad idea.
So now, in order to hack my account, you need to figure out my email address (which is unique to SWTOR) and my password.

After this change, you will know that my username is Rankyn because it's plastered all over the forum and all you're left to do is try to figure out my password.
You've essentially done 50% of the work for anyone trying to hack my account.

If security is the real issue then our usernames need to be a 3rd option that is neither our email address or our forum name.
Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.

Quote: Originally Posted by JPryde View Post
Granted, for people, who are unable to keep their own space at least somewhat secure, it might actually be an improvement, but answer me this...

Is the login process acepting unlimited false entries ?

Option A: it does.
Result: The possibility of a brute force hacking attempt to my account incresed by a magnitude. So far a potential hacker had to brute force my mail-addy and the password and get both right at the same time... you do not get info, if the username or the password was wrong, you only get info, that something was wrong. Also you would be unable to specifically target me, as you cannot know, which login my chars have. In the future, you will have my login already and "only" need to brute force my password.

Option B: it does not allow unlimited false entries...
Result: After X false attempts, the account is automatically suspended for security reasons.
Further result: Everyone who dislikes a posting I did can take my screen name and try to login on my account... do this 20x false and my account is automatically suspended... Of course, my security is not compromised in this scenario, but I got the hassle with getting my account back to working properly.

So while I do understand more than a bit of security issues, I do not see, how this change increases my security.
I can't go in to more detail other than to say that you are missing a bunch of security controls we have in place that make both of your scenarios incorrect. Both scenarios were thought of (and dozens more) and mitigated by both our existing solution as well as the added measures we are putting in place.

Quote: Originally Posted by reiimura View Post
does that mean that if i sign in with that name, i play that specific character? if so what happens to all my other characters, do i have to sign them in by name too? seems like an aweful lot of remembering for people like me who have 12 characters.
We are only changing how you log in to your account - your characters stay tied together as part of that overall account. No need to worry!

Quote: Originally Posted by Mallorik View Post
Using email as a login is moronic, i have played mmos since everquest was in beta. Ive been hacked once and it was when wow changed their logins to emails. Ever since then ive always had to create a new and seperate email for games dumb enough to use email as your log in.
Personally I use 'Plus Addressing'. Every site I visit has a unique email address regardless of username, and a unique password to boot. I also use Password Safe (sourceforge project) to keep track of them all. If you were to ask my what my password is to a particular site, I wouldn't have a clue! I don't know the username most of the time either of course!

Quote: Originally Posted by PhoenixaRising View Post
I dont see this being a huge change or drop in security, as it has already been possible to log in with either the account email or forum name for a long time.
I do see it being a problem for people who rarely use the forums and may not remember their forum names. There will definitely need to be notifications sent via email about this.

I also see it being an issue for those who may have previously played the game and return for the expansion. If it has been long enough they likely will not remember their forum name, and who knows what sort of hoops they would have to jump through in order to retrieve the name.
We are also putting in a 'I forgot my account name' feature which will email you the name - we too thought of all the players that might not see the messaging or even come back after April 2nd.

Have I mentioned that people need to make sure their own email account is as secure as possible?

Phillip Holmes
SWTOR Head of Security

RalphYauger's Avatar


RalphYauger
03.05.2013 , 02:31 PM | #99
Please make it so we can change our display names.

discbox's Avatar


discbox
03.05.2013 , 02:37 PM | #100
Why not remove the login-name completely, and make it more secure?