Display Name Only Log In - Coming April 2, 2013


LarryRow
03.05.2013 , 03:39 PM | #121
Quote: Originally Posted by Blackavaar View Post
I notice that you purposely avoided answering the most logical way to make our accounts more secure, my suggestion to have us all create New Unique Account Names, instead of using names that can be easily gleaned off any forum we use.

I myself play many Online Games and use many forums and I use the same Display Name (aka. Forum Handle) in all of them. Using that as my login is not a more secure way of doing anything. What kind of "Security Expert" can ignore that simple logic?

Read more carefully, mate:

Quote: Originally Posted by Phillip_BW View Post
We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs. And again, I stress that knowledge of the Display Name in of itself is not a security measure - we have many other controls in place to mitigate that knowledge.
Major props to Phillip for taking the time to address these concerns. I wasn't too worried before and I'm certainly not worried now.
A classic sig that should not be lost:
Quote:
Stunned , pew pew hack slash , stunned , running backward circles, stunned cannot move, pew pew, break stun, 30 second snare, wha?!?!!? stunned, knockdown, ...less stun more pew pew and hacknslash please.

JPryde
03.05.2013 , 03:40 PM | #122
Quote: Originally Posted by Phillip_BW View Post
I'm a security expert and would love to take up that challenge - but then I have access to internal tools and can tell you the answer
I can guarantee, however, that your email address is used on multiple sites. We don't control the security of 'all the sites' and as a result, whenever another site that is using email addresses is hacked and your details disclosed, the attacker will know who to phish or similar. Not so true for a Display Name that most people don't always get to use on every site they visit...
Not everything you think is 'hidden' truly is.
So you know that the mail of my own domain is not exclusively used? When I own several mail accounts that are exclusively under my own control?
Respect... but I would suggest that you be a little less bold about what you claim to be able to guarantee.

And even if I did use my email address on any other site, then someone would still need to figure out that I am using that e-mail for SWTOR too... With your proposed new system, no one needs to take any guesses. Everyone interested in hacking will know for sure what my login name is.
~~~ Macht Wächter ~~~
Vanjervalis Chain
Jhoira, Skarjis, Trântor, Ric-Xano, Sabri-torina, Tir-za, Shaina ...
We do not brake for Wookiees !

Bomyne
03.05.2013 , 03:46 PM | #123
Quote: Originally Posted by chuixupu View Post
Thanks Phillip, for responding.

So many paranoid, conspiratorial people on the interwebz.

At least the response is not as explosive as when Blizzard almost made displaying real names mandatory.
It's not paranoia. It's fact. Gold sellers exist on the internet. These people hack accounts and steal gold, credits, etc from MMO accounts then turn around and sell them to other players. Previously they had to rely on keyloggers and clever methods to get login details. Now they only need to skim the forums.

I have an authenticator on my account but I don't 100% trust Apple or Google not to accidentally include a bug or exploit in their OS software, so I don't rely on it for security. Passwords are easy to overcome. Most people use easy to guess passwords. I'm willing to bet that Password1 is a VERY common SWTOR password.

Leonalis
03.05.2013 , 03:49 PM | #124
facepalm

PAMuttoni
03.05.2013 , 03:51 PM | #125
Raise your hand if your Swtor account has been hacked.

...


Raise your hand if you think this change is necessary. (No one asked for it)

....


Instead of focusing on Log In changes, fix the game crashes, lag, disconnections.....
Keelahn (Combat) VR98 Aios (Seer) VR82 Kal'ree (Scrapper) VR70+
Tassadar (Marksman) VR85 Ze'siha (Darkness) VR87 Vehnar (Body Guard) VR70

Blackavaar
03.05.2013 , 03:55 PM | #126
Quote: Originally Posted by LarryRow View Post
Read more carefully, mate:



Major props to Phillip for taking the time to address these concerns. I wasn't too worried before and I'm certainly not worried now.
No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

Only the meek get pinched. The bold survive.(███████████████████████████████████║║█[Θ]█]◙◙◙◙◙◙◙◙[█]

theblaznee
03.05.2013 , 03:57 PM | #127
Alright, now the "book is open" so to speak, and we have SWTOR's CSO looking at this, I'd like to personally get some assurance here.

1. User database with logins, passwords and security key answers. Are they hashed using md5, sha-(1-512) or any other fast "off the shelf" crypto algorithm (yes or no answer - no need to feed info)? Are they salted?

2. Do you use multi factor authentication before allowing authorization attempts? Does the level of authorization required change based on the provided authentication "level"? Basically, do you have differing levels of authentication?

3. This is mostly me being curious. Why don't you require all users to use 2-factor? With the current reliance on username/password schemes - even with security questions, the only way forward is at least 2-factor.

My hopes for answers are

1. No, we use a high work factor custom password encryption hash.

2. Yes

3. We wish we could, but politics say 2-factor is not user-friendly and so..
Don't mistake my silence for ignorance, my calmness for acceptance or my kindness for weakness!

Fight hard, die well!

LarryRow
03.05.2013 , 04:06 PM | #128
Quote: Originally Posted by Blackavaar View Post
No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

Okay, but you said he avoided it. You are free to not be satisfied with the explanation, but he did address it.

Also, he said not using a unique login name would cut costs and be less confusing. Let's be fair.

Prysha
03.05.2013 , 04:19 PM | #129
Bioware, if you really want to increase security .. WHY THE F... do we have to use our Display name in Forums ???

In many other games you have separate Forum name, account name AND login name... means 3....
I really don't care usually.. because I was using display name all the time.. but your reasoning is just dumb .. sry...

If you want to increase security... let us have different forum names...lol
Character Equipment Profiles: Your voice is needed, click here to support the idea!
SWTOR - Armors with pictures!

Andryah
03.05.2013 , 04:20 PM | #130
Quote: Originally Posted by Blackavaar View Post
No, I read that. Basically what he is saying there is that while that would be more secure they're really more interested in cutting costs than increasing security. So, this whole explanation of this will increase our security is still absolute ********.

You are overlooking a key aspect of the hacker mindset. They want low-hanging fruit.

Emails are the number one thing that MMO hackers work hard to accumulate. Not just because they can sometimes get passwords with them, but because they are great for phishing. The point being that it is email addresses that today's hackers are after, NOT forum handles. That might change down the road when/if all the MMOs stop using emails as login handles, but until then.... there is little to no risk that some hacker team is going to go after SWTOR forum handles and try to then brute force them. The organized hackers don't brute force things, there are plenty of stupid internet users to harvest such that they don't have to work that hard. There are simply easier prey out on the internet than for them to chip teeth on SWTOR, which to the best of my knowledge has been free from mass hacker scandals (unlike some other popular MMOs).
Forum disputatio ------> est completum ineptias.