03.06.2013 , 05:09 PM | #301
this is just insane! why the hell use your forum display name/ID as part of the login has me baffled, you're handing people half of the key to get into someone's account.

If you want to remove the use of emails I can understand that, as that in itself has a "bit" of risk depending on how often someone might hand that out, but why not do what other games have done and done so successfully in the past, a login name and PW which is separate to your forum name; this to me, and I'm sure others, would make much more sense than the road you're heading down now.
03.06.2013 , 05:14 PM | #302
Quote: Originally Posted by DarthVentress View Post
this is just insane! why the hell use your forum display name/ID as part of the login has me baffled, you're handing people half of the key to get into someone's account.

If you want to remove the use of emails I can understand that, as that in itself has a "bit" of risk depending on how often someone might hand that out, but why not do what other games have done and done so successfully in the past, a login name and PW which is separate to your forum name; this to me, and I'm sure others, would make much more sense than the road you're heading down now.
Please go read the post by Phillip from Bioware on the previous page.. Thanks..
03.06.2013 , 05:18 PM | #303
Starting at page 21...

Quote: Originally Posted by Missandei View Post
So basically, now every retarded kiddie will be able to block any account just entering 10+ times the wrong password to the Display Name he can get from Forums?

Great job BioWare!
Easy answer here: No.
Even accomplished kiddies will not be able to block any account by just entering 10+ times the wrong password. They can't do that today either. The current system requires knowing the correct password (if they can get that far) to even attempt to 'block' an account.

Quote: Originally Posted by Missandei View Post
Yes. And when your account is blocked due to the numerous failed hack attempts... guess what? You have to dial to the Bioware CS that already proved as a total bull..t..
Have you prepared to a 5hrs waiting on the line to just get reset your account to be allowed you to log in?
One of the key reasons we are making this change is to enable an implementation of a variety of self-service options where you will no longer have to call CS.

Quote: Originally Posted by Mallorik View Post
My forum name is not my email that can be hacked and used to retrieve my password.
Not a question, but thank you for 'getting' one of the reasons we are making this change

Quote: Originally Posted by SeriouslyMike View Post
Oh, sure, how about people who still use such antiquated technology as e-mail clients that download and then delete your e-mails from the server? So even if someone hacks your e-mail account on one of 28 days of the month when Bioware doesn't send notifications that your account was billed or something, he still won't have anything. That and is it so hard to google your very public display name and connect it to an e-mail? Also, if your e-mail gets hacked, BioWare helpfully refers to you by display name in all personal messages like Cartel Coin purchase confirmations. So, if anything, it only makes it easier to target specific players.
Yeah, pretty much that. Other games do have that, so what's the problem here?
I totally agree that if your personal email is compromised you will be vulnerable to many issues. I don't believe you that it is easy to google a Display Name and connect it to an email address. Even then, I don't believe it's easy to find the password for that email account.

I'll stress again (and I know, I repeat myself a lot!) that protecting your personal email account is very important. Use a unique password, and if possible get a two-factor system such as Two-Step for GMail. I like GMail's solution.

Quote: Originally Posted by Terin View Post
Just curious, could this change have any impact on the game itself? For example, will my Display Name perhaps also eventually migrate into SWTOR itself? Or is this purely a change for the site?
This will affect how you authenticate within the Launcher and the Website. Nothing else will change in regard to using Display Name only for log in purposes.

Quote: Originally Posted by old_benn View Post
I haven't read the 15 pages since this was posted, so forgive me if this has already been pointed out.

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.
I really really do not want you to tell us your email account password. Please don't! :jawa_grin:

Quote: Originally Posted by bowlergirl View Post
You might not be able to answer this question...

Do you guys hire former hackers to attempt to hack the site and user information to make your security better? I have heard about companies outsourcing reformed hackers to help their businesses.
I've found most 'former hackers' aren't that good at real security testing. Most might get lucky a couple of times on a well known exploit, but for testing 'all the things'? Not in my experience. There is always the exception, but thus far I haven't come across anybody who purports to be a former hacker who has been somebody I would pay money to.
The answer to 'do you use internal and/or external security penetration testers to run security tests against your site and user information to make your security better' is: yes.

Quote: Originally Posted by Soul_of_Flames View Post
Display name "ONLY" log in. Does this mean they are removing security keys?
No - we are not removing Security Keys.

Heh, I should have read through the rest of the posts before thinking I needed to answer lots of new questions! I'm up to page 31 now, so if there are more questions I'll post when I can, until then I leave you with a wookie wearing sunglasses!

Phillip Holmes
SWTOR Head of Security

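The lockout question answered above (can someone who knows a public display name block the account by spamming wrong passwords?) comes down to what the failure counter is keyed on. The Python model below is an added example, not BioWare's code and not a description of their system: it counts failures per (account, source) and per account across sources, throttles only the misbehaving source with a growing delay, and, when many sources fail against one account, asks the real owner for a second factor such as a security key instead of locking the account. All threshold values, account names and addresses are constructed assumptions.

```python
"""Login throttling keyed on the requesting source, so that knowing a public
display name is not enough to lock its owner out.

Added example; all policy values below are constructed assumptions, not the
settings of any real service."""
from collections import defaultdict

SOURCE_FAILURE_LIMIT = 5     # failures from one source on one account before throttling
BASE_THROTTLE_SECONDS = 60   # first throttle delay; doubles with each further failure
ACCOUNT_SOURCE_LIMIT = 20    # distinct failing sources on one account before step-up
WINDOW_SECONDS = 3600        # failures older than this are forgotten


class LoginThrottle:
    def __init__(self):
        self._pair_failures = defaultdict(list)    # (account, source) -> failure times
        self._account_sources = defaultdict(dict)  # account -> {source: last failure time}
        self._throttled_until = {}                 # (account, source) -> time throttle ends

    def _prune(self, account, source, now):
        """Forget failures that fell out of the sliding window."""
        cutoff = now - WINDOW_SECONDS
        key = (account, source)
        self._pair_failures[key] = [t for t in self._pair_failures[key] if t > cutoff]
        stale = [s for s, t in self._account_sources[account].items() if t <= cutoff]
        for s in stale:
            del self._account_sources[account][s]

    def attempt(self, account, source, password_ok, has_second_factor, now):
        """Decide one login attempt. Returns 'allowed', 'denied', 'throttled'
        or 'step_up_required'. `now` is a timestamp in seconds."""
        self._prune(account, source, now)
        key = (account, source)
        if self._throttled_until.get(key, 0) > now:
            return "throttled"        # only this source/account pair has to wait
        under_attack = len(self._account_sources[account]) >= ACCOUNT_SOURCE_LIMIT
        if password_ok:
            if under_attack and not has_second_factor:
                # many sources are failing on this account: the owner proves
                # identity with a second factor, the account is never locked
                return "step_up_required"
            self._pair_failures.pop(key, None)
            self._throttled_until.pop(key, None)
            self._account_sources[account].pop(source, None)
            return "allowed"
        self._pair_failures[key].append(now)
        self._account_sources[account][source] = now
        n = len(self._pair_failures[key])
        if n >= SOURCE_FAILURE_LIMIT:
            delay = BASE_THROTTLE_SECONDS * 2 ** (n - SOURCE_FAILURE_LIMIT)
            self._throttled_until[key] = now + delay
        return "denied"


def demo():
    """Constructed scenario: one source spams wrong passwords at a known display
    name while the real owner logs in from elsewhere. Returns (owner, attacker)."""
    t = LoginThrottle()
    for i in range(8):
        t.attempt("some_player", "203.0.113.7", False, False, now=i)
    owner = t.attempt("some_player", "198.51.100.5", True, False, now=10)
    attacker = t.attempt("some_player", "203.0.113.7", False, False, now=11)
    return owner, attacker


if __name__ == "__main__":
    print(demo())  # ('allowed', 'throttled')
```

The point of keying on the pair rather than the account alone is that the failing source pays the delay, not the person whose display name was guessed; the per-account counter only escalates to a second-factor check, which is why a security key (which the staff post says is staying) fits this design.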
03.06.2013 , 05:21 PM | #304
Quote: Originally Posted by MrSchmo View Post
I don't understand how this help security. No one knows what email I use to log in. Everyone knows your 'Display Name'. Granted they need to know the security questions, but knowing each persons display name is one less barrier IMO.
Not sure about you, but the game does not show my display name, because people don't all use the same name to log in, such as I. So unless you made it the same, then that's where your fault is.

03.06.2013 , 05:25 PM | #305
When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.
03.06.2013 , 05:41 PM | #306
Quote: Originally Posted by Phillip_BW View Post
...massive post with a crapton of answers to questions...
Wow, I am completely impressed with the level of clarity and transparency on this topic. You've really gone out of your way to answer the questions raised, and for me, at least, this has cleared up any misgivings I had about this change. (It also reminded me that it was time to change my email password )
03.06.2013 , 06:08 PM | #307

They are trying to protect us from a hacker tactic called Combo'ing. What Combo'ing is, is when a bunch of hackers attack a weak website that does not have good security and raid it for "Login & Password" info. Then, they take the logins & passwords and start trying to use them on other websites (Examples: PayPal, bank websites, GAME websites, credit card websites, etc., etc., etc.) and when they find a match they get onto the account and then they screw you. This tactic works quite often because people now more than ever are forced to register to online sites in order to get access to the site and most people HATE trying to remember several logins & passwords, so they try as much as possible to recycle the same login & password if they can (I try not to reuse passwords for this reason but people do it all the time). By changing their login requirement to a screen name it helps secure your information due to the fact most websites want you to use your email address as your login and therefore most of the time hackers using this technique are going to try to use your email address as the login and then apply the password they found.

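The "combo" traffic described in the post above has a recognisable shape in authentication logs: one source tries many different usernames, most of them once, while a brute-force attempt hammers a single account. The Python below is an added example, not part of the post and not any SWTOR system; the log line format, the thresholds and the sample lines are all constructed. It parses the log, finds each source's densest window of failures, labels the pattern, and lists the accounts on which a stuffing source actually succeeded, since those are the ones to force through a password reset.

```python
"""Detect credential-stuffing ('combo list') traffic in authentication logs.

Added example with a constructed log format; not a real service's log schema."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a stuffing source cycling through leaked email logins,
# a brute-force source hitting one display name, and an ordinary typo.
SAMPLE_LOG = """\
2013-03-06T17:09:01Z login src=203.0.113.7 user=user1@example.com result=fail
2013-03-06T17:09:02Z login src=203.0.113.7 user=user2@example.com result=fail
2013-03-06T17:09:02Z login src=203.0.113.7 user=user3@example.com result=ok
2013-03-06T17:09:03Z login src=203.0.113.7 user=user4@example.com result=fail
2013-03-06T17:09:03Z login src=203.0.113.7 user=user5@example.com result=fail
2013-03-06T17:09:04Z login src=203.0.113.7 user=user6@example.com result=fail
2013-03-06T17:09:10Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:11Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:12Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:13Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:14Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:15Z login src=198.51.100.9 user=some_player result=fail
2013-03-06T17:09:20Z login src=192.0.2.44 user=other_player result=fail
2013-03-06T17:09:25Z login src=192.0.2.44 user=other_player result=ok
"""


def parse_log(text):
    """Turn log lines into event dicts; lines that are not login records are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"})
    return events


def classify_sources(events, window_seconds=60, min_failures=5, spread_ratio=0.8):
    """Per source: densest failure window, its distinct-user spread, and a label.
    Many distinct users per failure => stuffing; one user, many failures => brute force."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        best = []  # failures inside the busiest window_seconds span
        for i, start in enumerate(fails):
            window = [e for e in fails[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            if len(window) > len(best):
                best = window
        users = {e["user"] for e in best}
        pattern = None
        if len(best) >= min_failures:
            if len(users) / len(best) >= spread_ratio:
                pattern = "credential_stuffing"
            elif len(users) == 1:
                pattern = "brute_force"
        # a success from a stuffing source means a reused password matched
        hits = sorted({e["user"] for e in evs if e["ok"]}) if pattern == "credential_stuffing" else []
        report[src] = {"pattern": pattern, "failures": len(best),
                       "distinct_users": len(users), "accounts_to_reset": hits}
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The spread ratio is what separates the two patterns: a combo run looks like a low failure count per user spread across many users, which a plain per-account lockout never sees because no single account crosses its threshold. That is also why moving the login identifier away from the email address helps against this specific traffic: the leaked pair no longer lines up with the field the site checks.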
03.06.2013 , 06:49 PM | #308
Quote: Originally Posted by Phillip_BW View Post
OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon!
Okay. Well, I have to admire your patience and tenacity.
I am glad you are reconsidering using a new unique account name.
Thank you for taking time to address our concerns.

03.06.2013 , 06:50 PM | #309
Apparently people are too short sighted to see the change is actually better. Have any of you ever had your account hacked? Did the hacker guess your password or use your e-mail to get it. The latter is likely the answer.

Hackers aren't stupid, do you really think they grab usernames and then just guess passwords until they find one. NO. That would be stupid. Instead, they use methods like pretending to be you and WHOOPS! you forgot your password. So, they have it BOX!!

A hacker would much prefer having your e-mail addy over your username. Do you really think hackers are fixated on 1 game? Do we really think they are like "Let me just hack 1 game and guess passwords until I get one" No. MMO players tend to play multiple MMO's and thus, their e-mail is the common link to many passwords in most cases. You know, like ones beyond video games...

Come on guys, stop saying it's "a change just to change" when it's really "complaining just to complain". They want to make money, they don't make spiteful changes and hurt their bottom line. They would only make the change if it had a monetary benefit (like long term account security, thus long term happy unhacked customers).

Well done on all the responses Phillip. Excellent boldness to take on the community without fear

03.06.2013 , 06:53 PM | #310
I see about 22 pages went poof

As far as security goes for this new system:

1) The weakest link in the entire chain is the question/answer segment. This is the weakest link in any password retrieval or account verification system, as this information can be rather easily gleaned using Google, Facebook, social engineering tricks, best guessing etc. A smart enough attacker can narrow this information down quite a bit by focusing on a particular target and paying attention to their average time spent in game, what days, what time of day, etc and then making a good guess at their regional location, especially if paired with the way particular people "speak" in forum posts. This kind of information is more valuable than most people consider.

2) Everyone should get and use a Security Key authenticator, period. I'd almost urge EA/Bioware to make them mandatory for any and all accounts. They should sell them for Cartel Coins if they have to, but more of these NEED to be applied to accounts. The physical keyfob needs to be on sale in every region this game is available, there's no excuses for it not to be (currently EU and AIPAC have issues).

3) One of the Bioware employees mentioned two-factor authentication systems. This type of system is no longer viable. Google, Apple, Microsoft, et al., all had their two-factor systems broken, and it went without detection for nearly a year in at least one case.

4) Phone/Mobile authenticators: Good idea on paper, bad idea in practice. Take a lesson from what happened to the reporter who had a 15-year old seize control of his iPhone and the associated Apple account via social engineering. Said kid then went on to take control of his Google account as well (said kid was able to get past the two-factor Google uses...because Google sends it to the mobile phone number on the account).

There are more to list, but I am reserving any further comment until I see exactly how this new system pans out.
