Tamayoke
03.06.2013 , 11:48 AM | #241
I don't like it one bit.

Well, at least now they can push harder at "offering" the security key system.

I must say that my secondary WoW account with the security key has never been hacked, unlike my prime account was before I got the key. But I do not like more steps, not being integrated in Origin (especially after the big push for email address changes and name changes after they destroyed the old forums at launch).
Sounds like something for THEIR convenience, not ours.
Proud member of >>>>OoO<<<< If the Force is like toast, with a dark side and a light side? I am BUTTER
Quote: Originally Posted by s_bowser View Post
Time was, lifting an X-Wing out of a swamp was an impressive demonstration of the force. Kids these days. *grumble*grumble*get off my lawn*grumble*grumble*

RavensBloodyClaw
03.06.2013 , 11:48 AM | #242
How is using your display name any different now than any other form you may use? If you use Twitter, people know your user name as well. Let's get real here. Any site can be hacked and customers' information can be stolen, meaning passwords and login information.

Now that being said, unless you know me personally, you will not know 1) my password, 2) the email address I use to reset my password and 3) the answers to my questions.

When answering the questions, you do not have to actually use an answer that matches the question. The question could ask for your favorite vacation spot and you could say, Warpedmonkies and the system wouldn't know if it was an actual place or not.

Think people, no one at EA is going to ask you for your account information. So if you get an IM from someone stating that they are from EA and need your email address to authenticate you or you're going to be booted and banned, you know it's a scam.

Can any one of you actually guess what my email address is? How about guessing the email of other people here? I really and truly doubt that anyone would be able to guess anyone else's email and then guess that password. If you're smart you have a multitude of passwords and names for different sites.

I myself have 30+ email addresses for various sites on various email providers. Some are site specific and others are for the type of sites. It's not the end of the world or swtor. You'll all live.

Wellixl
03.06.2013 , 11:51 AM | #243
Quote: Originally Posted by JPryde View Post

Option B: it does not allow unlimited false entries...
Result: After X false attempts, the account is automatically suspended for security reasons.
Further result: Everyone who dislikes a posting I did can take my screen name and try to login on my account... do this 20x false and my account is automatically suspended... Of course, my security is not compromised in this scenario, but I got the hassle with getting my account back to working properly.
This ^

*** Bioware/EA if you can't manage security properly then please find another way, a fob token or something.
This is ridiculous.

As the poster says - if I was PvPing and people hated me or whatever they could attempt to log in as me several times and get my account suspended (if they knew my forum handle). This is a stupid idea.

You haven't hired Julio Torres by any chance? He's full of stupid ideas.
Pennance Darkstone
Quote: Originally Posted by Evactacular View Post
Complaint: Why don't you nerf X class??? They can kill me! Fix: ...you're an idiot. There's no fixing you.

Thaladan
03.06.2013 , 11:59 AM | #244
@Phillip Holmes,
SWTOR Head of Security ..omg the Senior Manager of Security here at Star Wars !! nothing else .. amazing !

but sorry master senior head man of general quarter of the great center of security, your new system is ridiculous !!

I want to change my display name right now !

- a simple subscriber, member of the imperial fleet, future free to play if all is going like that..do you understand : no money ! -

Andryah
03.06.2013 , 12:09 PM | #245
Quote: Originally Posted by DaRoamer View Post
No, they have thought beyond the need for the 5 hour queue. If someone attempts to log in to your account the first thing the website does is compare their location to the last location YOU logged in from. If it's not the same it assumes it's NOT YOU who is logging in. That person then has 4 or 5 attempts to guess your password. If he fails then the account is locked for HIS IP, not YOURS. You will still be able to log in just fine.

If somehow the attacker guesses your password before it's locked they STILL can't log in. They would need to know the answer to one of the security questions you filled in when you made the account.

I know most forum posters think they're smarter than the devs but as Phillip said they've already considered all these scenarios and have systems in place to prevent them.
Quoted to emphasize what DaRoamer has shared. /2-thumbs-up

There is an interesting psychology at play in a lot of posts in this thread, which is also why so many people have weak passwords (over-reliance on loginID): the assumption (or dependence) on a login-ID as a strongpoint of log-in authentication. It's not, and never has been in the modern era. A good analogy is the typical corporate employee loginID and password. The whole company probably knows your loginID (since it will often be the first half of your email address, or sometimes a nickname derived directly from it), but nobody knows your password and your employer requires you to use a strong password. Same principle applies here.

The strongpoints in security for login authentication in the modern era are strong passwords + secret questions + IP tracking/interlock + Authenticators. LoginID is not really a factor in the security layering. Yeah, it can add some layer of extra requirement... but it's NOT where security emphasis is applied in modern security processes. If it was, then they would require you to use a "strong" id which they do not and never have.

So, let's state it clearly and emphatically: loginIDs are not where security lies. It only identifies you to the authenticator process so that the actual security interrogation and validation can then be applied.

Now, some will probably say... OK... then why not just use the email address?? Because your email account is how Bioware communicates with you about your account (like when you make changes to your account, including changing your email address)... so it needs to be separate and disconnected from actual login authentication. Separating it adds another layer of security (in the context of hacking and robbing your account). And it is worth noting (as Phillip did earlier) a player's email address also needs to be better protected by the player than probably the majority of players actually do.

The real mistake (if we want to insist there be one) on Bioware's part was using email addresses to begin with. They were drawn into it by Origin probably in the early days. But whatever, they are removing it beginning in April.
Forum disputatio ------> est completum ineptias.

Andryah
03.06.2013 , 12:15 PM | #246
Quote: Originally Posted by Wellixl View Post
This ^

*** Bioware/EA if you can't manage security properly then please find another way, a fob token or something.
This is ridiculous.

As the poster says - if I was PvPing and people hated me or whatever they could attempt to log in as me several times and get my account suspended (if they knew my forum handle). This is a stupid idea.

You haven't hired Julio Torres by any chance? He's full of stupid ideas.
Hilarious..... except the hypothetical you quoted is inaccurate.

It's pretty simple to put anti-griefing measures in place with existing systems to prevent this. In fact, it's clear that they already exist, and have since launch. But hey... feel free to try to grief forum members and see what happens. They will lock-out your IP (since it is not recognized and validated for the account you are trying to grief), and then look it up in their database to see what actual SWTOR account validly uses your IP and then send you a ban notice for attempting to hack someone else's account.

The only real griefing vulnerability is another family member inside your own IP range set....and that really is a family behavior problem, not a security problem.
Forum disputatio ------> est completum ineptias.
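
The lockout behaviour described in posts #245 and #246 (failures counted against the source that made them, plus a security question for an unrecognised source), sketched as an added example that is not part of the thread and not BioWare's code. The class, the threshold of 5 and the addresses are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold; the thread only says "4 or 5 attempts"


class LoginGate:
    """Lockout keyed on (account, source) instead of on the account alone."""

    def __init__(self):
        self.accounts = {}                # display name -> account record
        self.failures = defaultdict(int)  # (name, source) -> failed attempts

    @staticmethod
    def _digest(secret):
        # Placeholder hashing for the demo; a real system uses a slow, salted KDF.
        return hashlib.sha256(secret.encode()).digest()

    def register(self, name, password, answer, source):
        self.accounts[name] = {
            "pw": self._digest(password),
            "answer": self._digest(answer),
            "known_sources": {source},  # sources the owner has logged in from
        }

    def login(self, name, password, source, answer=None):
        acct = self.accounts.get(name)
        key = (name, source)
        if self.failures[key] >= MAX_FAILURES:
            return "locked_for_source"  # only this source is blocked
        if acct is None or not hmac.compare_digest(acct["pw"], self._digest(password)):
            self.failures[key] += 1
            return "denied"
        if source not in acct["known_sources"]:
            # Correct password from an unrecognised source is not enough.
            if answer is None:
                return "security_question_required"
            if not hmac.compare_digest(acct["answer"], self._digest(answer)):
                self.failures[key] += 1
                return "denied"
            acct["known_sources"].add(source)
        self.failures[key] = 0
        return "ok"


def grief_attempt(gate, name, source, tries):
    """Constructed scenario: repeated wrong passwords from an unrecognised source."""
    return [gate.login(name, f"wrong-{i}", source) for i in range(tries)]
```

Counting failures per source means one griefer cannot lock the owner out, but it does not bound guesses spread over many sources, so monitoring total failures per account is still needed alongside it.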

old_benn
03.06.2013 , 12:16 PM | #247
Quote: Originally Posted by Phillip_BW View Post
Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.
I haven't read the 15 pages since this was posted, so forgive me if this has already been pointed out.

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.
Jal-en 55 Guardian Kal-en 55 Gunslinger
Payd'n 55 Operative Boe'ba'fet 55 Powertech
Cr'sh'r 55 Marauder Kym'br'li 55 Sage
Aay'den 55 Commando Dom'n'ninz 55 Sorceror

Erundil-test
03.06.2013 , 12:16 PM | #248
Quote: Originally Posted by WSS_Toxin View Post
I don't like this, if you are going to make us log in with our display names at least make it so we can change our display names at least one time.
I was going to write the same thing.
LET US CHANGE DISPLAY NAME. ONCE.
(or more times, if you wish, I won't complain)

Andryah
03.06.2013 , 12:20 PM | #249
Quote: Originally Posted by Erundil-test View Post
I was going to write the same thing.
LET US CHANGE DISPLAY NAME. ONCE.
(or more times, if you wish, I won't complain)
Out of curiosity..... WHY?

I see a lot of people asking for this... but why? What difference does it make?
Forum disputatio ------> est completum ineptias.

Andryah
03.06.2013 , 12:22 PM | #250
Quote: Originally Posted by old_benn View Post
I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.
Um... where on earth did you even get the idea that Bioware would need/want your email password???????

Of course not!!! They never said they would, and there is absolutely no reason for them to have it.
Forum disputatio ------> est completum ineptias.