Display Name Only Log In - Coming April 2, 2013


CourtneyWoods

STOP THIS!

I*D*I*O*T*S!

Everybody knows my login after 2. April. The e-mail I use for login is not known to everybody.

 

LOL, after April 2? It's accepting either email or display name RIGHT NOW. discbox can be hacked RIGHT NOW. It's already a "choice", and they'll turn off the email choice later.

 

It's stupid.

 

People have chosen simple forum names back when we thought they'd just be a forum name. Now that they're the logon ID, publicly available, I'd like to choose a more complex / longer "display name."

Link to comment
I suppose it stops people from seeing your e-mail address as more people probably know your email address than your SWTOR Display Name. Saying this, your display name is more likely to be seen by those who wish to access your account.

 

Does this mean that if you use the forums and those using these posts (which uses your display name) will therefore know half of your log in, when they might not have known your e-mail address? :confused:

Link to comment

It's not an April Fools joke as the name login is already implemented. Their stated reason of "for security" is pure ******** and it's pissing people off. It's not for security. If it was for security they'd let us pick a logon ID that is not shown on the forums.

 

I wonder how trivial it is to write a web script to collect poster names from this forum. Even if they didn't have a search function, Google does, and it archives everything.

Edited by Merouk
Link to comment

Please be aware that beginning on April 2, 2013, logging in to the game or website will require your Display Name. Email addresses will no longer be accepted; your Display Name will be the only accepted option.

 

Read More

 

This does not sound like a good idea, at all. I thought the purpose of having a Display Name was so that it was only for display - and not to serve a proper function. This just seems very bad.

Link to comment

This sounds pure stupid, I cannot even change the display name but I can change my email address... how is this more secure?

Also isn't the display name your forum name? fing nuts ville... :mad:

Edited by rolandhyatt
grammar
Link to comment

This sounds pure stupid, I cannot even change the display name but I can change my email address... how is this more secure?

Also isn't the display name your forum name? fing nuts ville... :mad:

 

Have sent in an in-game ticket; if they don't change the display name I will be asking for a full refund, as I find this is actually putting my account at risk, which I pay for, and not the other way around....

Link to comment

No. It's not April Fools. If there is one thing EA does right and takes seriously, it's account security.

 

Ha! Good joke. Do you really think this will increase account security? I don't know your email, but I can see your account name right here on the forums. It makes accounts that much easier to hack.

Link to comment

This sounds pure stupid, I cannot even change the display name but I can change my email address... how is this more secure?

Also isn't the display name your forum name? fing nuts ville... :mad:

 

Have you ever seen a forum where you can change your name? Personally, I didn't. It has always been "change name = create account"

Link to comment

If this isn't an early April Fools joke I don't know what is. ...

I think it is. A few weeks later, we will know.

Display-name has been done for F2P as I assume they don't need Origin. It was a need.

Now, not allowing the use of e-mail doesn't improve the security of your account, but does not decrease it either. However, by not filling the ID entry with your e-mail, it makes it more complicated to "steal" it. Then your e-mail is less in danger. Same goes for your Origin account.

Okay, then it's only a better protection for my e-mail address, but not for my account, right? Bioware/EA cares for my mail account? Come on, what kind of explanation is that ...

Link to comment

Strike two, EA. Congratulations, I'm now two-thirds of the way towards cancelling my subscription. Strike one was when, for FOUR WHOLE MONTHS, I continually reported a bug to you that significantly impacts my gameplay (the NPC disappearance bug), and not only did you not fix it, you didn't even add it to the list of known bugs. That bug is still there. And on top of not getting rid of this bug, now you're making people's accounts a hell of a lot less secure.

 

What is wrong with you?

Link to comment

It has been possible to log in with display-name for months now. This change does nothing else than protect your e-mail and your Origin account.

 

I can protect my e-mail myself, by the way I use it.

 

No one told us that we can use our display-name, I think. This change does nothing but make my SWTOR-account less secure. And my e-mail is none of your or BioWare's business.

Link to comment

Ha! Good joke. Do you really think this will increase account security? I don't know your email, but I can see your account name right here on the forums. It makes accounts that much easier to hack.

 

The real issue with email as an account name is many people are careless and use the same email address and password in multiple places. Careless, yes.... but they do it. Hackers have hacked websites and snatched entire databases and then plugged them into autologging software, precisely because it bears them fruit for their labors. Even when the password does not match, they just set the autologger to try variations or load in another hacked list they stole somewhere else and collect passwords for the same email address and cycle through them.

 

Does a forum handle represent higher security by itself? No. But it also is less likely to exist and be used in multiple places across the internet. So it is less prone to hacker based proliferation of attack.

 

What hackers will not do is sit someone down and collect forum names by hand off of a forum. It's low return on effort for them, even in China. So unless Bioware is compromised and their database is hacked and stolen, forum handles are not a real security risk in the context of how account hackers work. That said, Bioware so far has a perfect record in terms of account security, which sadly cannot be said of most other MMO companies.

Link to comment

Hmmm, this must be a joke or BioWare finally shows their true insanity because after this is started, everyone will know what to use to log into the accounts, all that's left is the password and those can be easy to find out, assuming you know the person and so on.
Link to comment

Hmmm, this must be a joke or BioWare finally shows their true insanity because after this is started, everyone will know what to use to log into the accounts, all that's left is the password and those can be easy to find out, assuming you know the person and so on.

 

If you're a target for social engineering, you'd think you'd realize it.

Link to comment

Does a forum handle represent higher security by itself? No. But it also is less likely to exist and be used in multiple places across the internet. So it is less prone to hacker based proliferation of attack.

 

Wrong. Most gamers/forum users use the same forum name in every game they play. Really, while this change doesn't make it any less secure, it really doesn't make it more secure either.

 

Like I said above, if they really wanted to make it more secure they should be telling us to create a new unique Account Name. CoH did something similar once upon a time and that's what they did.

 

:cool:

Link to comment

What hackers will not do is sit someone down and collect forum names by hand off of a forum.

 

Before: Hackers had to hack WoW or some other game's database to get a list of user IDs. Relatively hard to do.

 

Now: All they have to do is write a web crawler / script to collect user names from the forums. There are even pre-mades out there. It's not even illegal to collect information from public websites.

 

Nobody sits someone down, how dumb is that? There are scripts available on the internet. Legal scripts.

Link to comment

  • Dev Post

So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.

 

I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.

 

Some responses below - apologies if I don't reply to every question...

 

April Fools?

 

No - that's April 1st before 12pm local time... Today is the 5th March, and the change goes live on the 2nd April...

 

well that's... weird, since the whole point is the game uses our origin accounts

 

No change. Your account is still linked to Origin, however you will continue to log in to Origin using your email address as their security implementation is still different. There is no link to your SWTOR Display Name in Origin so no added risk...

 

so now everyone will know half of what you use to login?

iuno there's a reason why something like steam doesn't show people your account name...

 

Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

 

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).

 

I don't understand how this helps security. No one knows what email I use to log in. Everyone knows your 'Display Name'. Granted they need to know the security questions, but knowing each person's display name is one less barrier IMO.

 

So two things here. Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account. We are implementing a few other measures (more news on that in the next few weeks!) to ensure that account take over risk is mitigated.

 

I would recommend you make sure you use a very different password for your email account to anything you use elsewhere though. I know that is just common sense, but it's very very important. If possible use a dual-factor authentication system like the Two-Step solution that can be used on top of GMail.

 

I don't like this, if you are going to make us log in with our display names at least make it so we can change our display names at least one time. :(

 

I have that on my list of things to look at already. That is a much harder challenge to change though as Display Name is also a unique reference, and changing the unique reference can create a ton of data inconsistencies. Technically possible, but not technically easy to accomplish. I wouldn't hold your breath on this one.

 

A) EAware redefining terms AGAIN. Display Name = Forum "Handle" for those curious.

 

B) While at first blush it would seem that going from Email ( usually unknown/private ) to Handle ( very public ) there may seem to be a risk to security for hacking. I for one would expect to have A LOT of hacking attempts given how many people "love me" here. :rolleyes: What you have is a fall back to the "questions" you were asked to associate with your account. These are triggered if you don't log in from a consistent IP. Update your questions and change your password to be 10+ characters long with at least 2 Upper case, 2 lower case letters, 2 numbers, and 2 special characters. Nothing to worry about. :cool:

 

Understandably, we have spent a lot of effort in making sure the new system will mitigate hacking attempts, especially of the brute-force variety. As mentioned above, there will be more news on this in the next few weeks.

 

Okay, so here is a challenge for security experts:

 

1. Find out my display name

2. Find out my e-mail addy, which I use for SWTOR and this website.

3. Evaluate which of the two is harder to find out.

4. Explain how the new system will improve security

 

This is a ludicrous change. You remove a more or less hidden value and replace it by an openly accessible value and call that an improvement in security ??

 

I'm a security expert and would love to take up that challenge - but then I have access to internal tools and can tell you the answer :jawa_wink:

I can guarantee however that your email address is used on multiple sites. We don't control the security of 'all the sites' and as a result whenever another site that is using email address is hacked and your details disclosed, the attacker will know who to phish or similar. Not so true for a Display Name that most people don't always get to use on every site they visit...

Not everything you think is 'hidden' truly is.

 

I hope this is a joke, if not it's really really really really really really stupid. A step backwards. Pretty much everywhere lets you use your e-mail as login anymore and more are moving towards that, not away from.

 

My market research as a security professional tells me otherwise. Sorry to disagree here.

 

You are actually decreasing security using display name, not increasing it.

To be secure compliant logon name has to be unique and not shown to whole world.

It may create some fuss in the beginning, but please add different logon name.

 

Actually to be secure requires a lot more systems to be in place than relying on a unique Display Name. Showing it to the world should never be considered a security consideration.

We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs. And again, I stress that knowledge of the Display Name in and of itself is not a security measure - we have many other controls in place to mitigate that knowledge.

 

exactly

 

no one "knows" my e-mail or my real identity but everyone on these forums knows my username

 

my mind is conjuring scenes where some butthurt player has a tiff with another and begins trying to hack an account

where 1/2 of the login information is available for the world to see

 

Attempts at hacking of our site are not tolerated at all. Doing so would get that player in a lot more trouble than any gain they think they might be able to get. :jawa_evil:

 

The question I have: will we be allowed to do a one-time Account Name change if we desire without losing history of our posting?

 

Mentioned earlier, but no, this is not currently in plan, just listed as something we can look at later.

 

Additionally I am wondering if we will see a purge of inactive User accounts to free up possible accounts for new players?

 

No purge planned - the game is way too young to be thinking of removing old accounts, especially as a lot of those accounts have game data associated with them and we would like our players to be able to return to everything they left behind if they do leave.

 

I would be interested to hear from the devs on this -- though I'm not sure how much they're willing to talk about security measures, for obvious reasons.

 

I think, though, the idea is that the kind of processes used to steal accounts by gold farmers, etc. may simply try to log in with any email address they can get their hands on and attempt to brute-force the passwords. Guild Wars 2 went through a few security contortions after release and heavily recommended that your GW2 email address NOT be used for any other purpose, to minimize the risk of this kind of attack.

 

On the flip side, our display names are very visible to US, here -- but we're all subscribers. While this could lead to personally-motivated hacking, I imagine the sheer volume of that pales in comparison to the sort of email address farming sketched out above.

 

You are right, I can't go into a lot of detail. Account Take Overs in our industry are a very big deal, and we treat that very seriously. I would say one thing and one thing only is needed to protect a player's account on SWTOR as well as pretty much every other company's website and/or game and/or bank out there:

Use a different password on your email account and if possible secure it using two-factor authentication such as Two-Step for GMail.

I can't stress how important that is for everybody! It should go without saying, but there you go. I've said it. :jawa_tongue:

 

Yeah, this is a very very bad idea.

So now, in order to hack my account, you need to figure out my email address (which is unique to SWTOR) and my password.

 

After this change, you will know that my username is Rankyn because it's plastered all over the forum and all you're left to do is try to figure out my password.

You've essentially done 50% of the work for anyone trying to hack my account.

 

If security is the real issue then our usernames need to be a 3rd option that is neither our email address nor our forum name.

 

Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.

 

Granted, for people, who are unable to keep their own space at least somewhat secure, it might actually be an improvement, but answer me this...

 

Is the login process accepting unlimited false entries?

 

Option A: it does.

Result: The possibility of a brute force hacking attempt to my account increased by a magnitude. So far a potential hacker had to brute force my mail-addy and the password and get both right at the same time... you do not get info, if the username or the password was wrong, you only get info, that something was wrong. Also you would be unable to specifically target me, as you cannot know, which login my chars have. In the future, you will have my login already and "only" need to brute force my password.

 

Option B: it does not allow unlimited false entries...

Result: After X false attempts, the account is automatically suspended for security reasons.

Further result: Everyone who dislikes a posting I did can take my screen name and try to login on my account... do this 20x false and my account is automatically suspended... Of course, my security is not compromised in this scenario, but I got the hassle with getting my account back to working properly.

 

So while I do understand more than a bit of security issues, I do not see, how this change increases my security.

 

I can't go into more detail other than to say that you are missing a bunch of security controls we have in place that make both of your scenarios incorrect. Both scenarios were thought of (and dozens more) and mitigated by both our existing solution as well as the added measures we are putting in place.

 

Does that mean that if I sign in with that name, I play that specific character? If so what happens to all my other characters, do I have to sign them in by name too? Seems like an awful lot of remembering for people like me who have 12 characters. :confused:

 

We are only changing how you log in to your account - your characters stay tied together as part of that overall account. No need to worry! :jawa_biggrin:

 

Using email as a login is moronic, I have played MMOs since EverQuest was in beta. I've been hacked once and it was when WoW changed their logins to emails. Ever since then I've always had to create a new and separate email for games dumb enough to use email as your log in.

 

Personally I use 'Plus Addressing'. Every site I visit has a unique email address regardless of username, and a unique password to boot. I also use Password Safe (sourceforge project) to keep track of them all. If you were to ask me what my password is to a particular site, I wouldn't have a clue! I don't know the username most of the time either of course!

 

I don't see this being a huge change or drop in security, as it has already been possible to log in with either the account email or forum name for a long time.

I do see it being a problem for people who rarely use the forums and may not remember their forum names. There will definitely need to be notifications sent via email about this.

 

I also see it being an issue for those who may have previously played the game and return for the expansion. If it has been long enough they likely will not remember their forum name, and who knows what sort of hoops they would have to jump through in order to retrieve the name.

 

We are also putting in an 'I forgot my account name' feature which will email you the name - we too thought of all the players that might not see the messaging or even come back after April 2nd.

 

Have I mentioned that people need to make sure their own email account is as secure as possible? :jawa_wink:

Edited by EricMusco
Link to comment
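The "Option A / Option B" question quoted in the dev post (unlimited guesses against a publicly visible login name, or a lockout that anyone can trigger) is commonly answered with per-source throttling plus step-up verification. The sketch below is an added example, not part of the thread and not BioWare's system, whose controls the dev post does not disclose; the class, thresholds, the `step_up` outcome and the addresses are all assumptions made for illustration.

```python
"""Added illustration: throttle failed logins without suspending the account."""


class LoginThrottle:
    # All thresholds are assumed values chosen for this example.
    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 step_up_after=20):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.step_up_after = step_up_after
        self._pair_failures = {}     # (account, source) -> consecutive failures
        self._blocked_until = {}     # (account, source) -> earliest next attempt
        self._account_failures = {}  # account -> failures from all sources

    def check(self, account, source, now):
        """Return 'wait', 'step_up' or 'allow' for an attempt at time `now`."""
        if now < self._blocked_until.get((account, source), 0.0):
            return "wait"        # only this source is slowed down
        if self._account_failures.get(account, 0) >= self.step_up_after:
            return "step_up"     # demand a second proof; never suspend
        return "allow"

    def record_failure(self, account, source, now):
        """Count a wrong password and return the delay imposed on this source."""
        key = (account, source)
        self._pair_failures[key] = self._pair_failures.get(key, 0) + 1
        self._account_failures[account] = self._account_failures.get(account, 0) + 1
        extra = self._pair_failures[key] - self.free_attempts
        if extra <= 0:
            return 0.0
        # Exponential backoff, capped so the exponent and the delay stay bounded.
        delay = min(self.base_delay * 2 ** min(extra - 1, 30), self.max_delay)
        self._blocked_until[key] = now + delay
        return delay

    def record_success(self, account, source):
        """A correct login clears this source's and the account-wide counters."""
        self._pair_failures.pop((account, source), None)
        self._blocked_until.pop((account, source), None)
        self._account_failures.pop(account, None)


def simulate():
    """Constructed scenario: one source guesses against a public display name."""
    throttle = LoginThrottle()
    guesser, owner = "203.0.113.7", "198.51.100.20"  # documentation addresses
    outcomes = []
    for second in range(10):
        now = float(second)
        state = throttle.check("ExampleName", guesser, now)
        outcomes.append(state)
        if state == "allow":
            throttle.record_failure("ExampleName", guesser, now)
    # The real owner, on a different source, is unaffected by the guessing.
    return outcomes, throttle.check("ExampleName", owner, 10.0)


if __name__ == "__main__":
    print(simulate())
```

Guessing from one source is slowed exponentially (Option A), while failures spread over many sources only raise the account to `step_up`, so nobody can suspend another player's account by typing their display name (Option B).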