
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


I just can't imagine why they would bother implementing this if they didn't have some reason. I have no idea what sinister motive they could be pursuing, so I will give them the benefit of the doubt and grant that it's probably for better security.

 

All you tech amateurs and arm-chair analysts claiming you will leave the game if they implement this should sleep on it.

Link to comment

  • removing email address from login - no issue with it and understand the change
  • forcing my display name as my login - major issue with it

 

Any wannabe script kiddie can get a list of usernames now, just simply by browsing the forums. You are now giving 1/3 the information to any person browsing the forums. This is NOT more secure.

Sometimes even half, as some folks cannot be bothered to get the security key app.

Link to comment

Why?? You use the website to manage your game account and also to buy things like Cartek coins.. The website is merely an extension to the game.. It makes sense that they are the same.. :)

 

Neither of the previous MMOs I played had this "feature" - all account management and store purchases occurred within the games themselves. NCSoft didn't even provide their own forums, so everyone used guildwiki (NC did eventually start their own wiki). Turbine had forums but they covered both LoTRO and DDO.

 

Websites getting hacked is an everyday occurrence, games not so often.

Link to comment

NO PART OF MY LOGIN SHOULD BE PUBLICLY VISIBLE

 

This, this, a thousand times this.

 

You'd think this is the FIRST rule they teach you in CSO school.

 

OK, to be constructive;

 

I, too, recommend implementing a totally separate log-in name for the game/website. You could still give us the option of using our display name to log-in but you could then use this to ADD another layer of security to our accounts - after, say, 3 failed attempts to log in, instead of going straight to our security questions, the FIRST question you'd ask is "what is your log-in name?"

Edited by tausser
Link to comment

Sometimes even half, as some folks cannot be bothered to get the security key app.

 

Well not everyone has a smartphone. And I am told by friends who have used the app that if you want to stop using it you have a hard time getting rid of it from your account (for instance when you have a new phone).

 

The security key used to be €12 (in the US it was something like $4). Now it's €4.33 (better but still too expensive in my opinion) but it has been out of stock for months.

Link to comment

Yes. And when your account is blocked due to the numerous failed hack attempts... guess what? You have to dial the Bioware CS, which has already proved to be total bull..t..

Are you prepared for a 5hrs wait on the line just to get your account reset so that you are allowed to log in?

 

No, they have thought beyond the need for the 5 hour queue. If someone attempts to log in to your account the first thing the website does is compare their location to the last location YOU logged in from. If it's not the same it assumes it's NOT YOU who is logging in. That person then has 4 or 5 attempts to guess your password. If he fails then the account is locked for HIS IP, not YOURS. You will still be able to log in just fine.

 

If somehow the attacker guesses your password before it's locked they STILL can't log in. They would need to know the answer to one of the security questions you filled in when you made the account.

 

I know most forum posters think they're smarter than the devs but as Phillip said they've already considered all these scenarios and have systems in place to prevent them.

Edited by DaRoamer
Link to comment

I will not claim to be security expert like many here do (I do have some knowledge), and I remain neutral on this subject.

Display name login has been working since F2P launched (or maybe even since lvl 15 trial), and it didn't seem to cause any problems, people just did not know about it.

 

What I am concerned about however, is that this seems one more step away from including something I really wanted, and that is Origin overlay in game, to be able to chat with other people in other EA games...

Link to comment

My two pence (cents)

 

Allow accounts to change their account name now before this is mandatory. Some users have awkward user names that I am sure they don't want to have to type in each time (unless they use a password manager). I myself would like to change it to something I would rather be seen as; however, the email I sent to CS via the account page gave me a few weeks later a cut and paste response and nothing happened.

 

Allow users to modify their user name under the EA/Bioware global account option as seen on the main EA website or via this website I honestly don't mind but please allow us to change the user display name asap.

Link to comment

As has been stated earlier in the thread, we've been able to use our display names to log in for a while now. At the moment you can either use your email or display name, after 2nd April you'll only be able to use your display name so technically it's increased security by getting rid of one of the options.

 

That said, I have to agree with the general consensus that if anything should be used it should be the email address as this is not publicly available, or the ability to have a separate forum name.

Edited by Scratchy_UK
Link to comment

The fact that we have it to where we can log in with our forum handles now is quite ridiculous. I don't know about you, but I don't want ANY part of my login information on public display.

 

Whoever made this decision, please have them fired....out of a cannon into the sun.

Edited by Kail_Shefned
Link to comment

I don't like it one bit.

 

Well, at least now they can push harder at "offering" the security key system.

 

I must say that my secondary WoW account with the security key has never been hacked, unlike my prime account was before I got the key. But I do not like more steps, not being integrated in Origin (especially after the big push for email address changes and name changes after they destroyed the old forums at launch).

Sounds like something for THEIR convenience, not ours.

Link to comment

How is using your display name any different now than any other form you may use? If you use Twitter, people know your user name as well. Let's get real here. Any site can be hacked and customers' information can be stolen meaning passwords and login information.

 

Now that being said, unless you know me personally, you will not know 1) my password, 2) the email address I use to reset my password and 3) the answers to my questions.

 

When answering the questions, you do not have to actually use an answer that matches the question. The question could ask for your favorite vacation spot and you could say, Warpedmonkies and the system wouldn't know if it was an actual place or not.

 

Think people, no one at EA is going to ask you for your account information. So if you get an IM from someone stating that they are from EA and need your email address to authenticate you or you're going to be booted and banned, you know it's a scam.

 

Can any one of you actually guess what my email address is? How about guessing the email of other people here? I really and truly doubt that anyone would be able to guess anyone else's email and then guess that password. If you're smart you have a multitude of passwords and names for different sites.

 

I myself have 30+ email addresses for various sites on various email providers. Some are site specific and others are for the type of sites. It's not the end of the world or swtor. You'll all live.

Edited by RavensBloodyClaw
Link to comment

 

Option B: it does not allow unlimited false entries...

Result: After X false attempts, the account is automatically suspended for security reasons.

Further result: Everyone who dislikes a posting I did can take my screen name and try to login on my account... do this 20x false and my account is automatically suspended... Of course, my security is not compromised in this scenario, but I got the hassle with getting my account back to working properly.

 

This ^

 

*** Bioware/EA if you can't manage security properly then please find another way, a fob token or something.

This is ridiculous.

 

As the poster says - if I was pvping and people hated me or whatever they could attempt to log in as me several times and get my account suspended (if they knew my forum handle). This is a stupid idea.

 

you haven't hired Julio Torres by any chance? he's full of stupid ideas.

Link to comment

@Phillip Holmes,

SWTOR Head of Security ..omg :eek: the Senior Manager of Security here at Star Wars !! nothing else .. amazing !

 

but sorry master senior head man of general quarter of the great center of security, your new system is ridiculous !!

 

i want to change my display name right now !

 

- a simple subscriber, member of the imperial fleet, future free to play if all is going like that..do you understand : no money ! -

Edited by Thaladan
Link to comment

No, they have thought beyond the need for the 5 hour queue. If someone attempts to log in to your account the first thing the website does is compare their location to the last location YOU logged in from. If it's not the same it assumes it's NOT YOU who is logging in. That person then has 4 or 5 attempts to guess your password. If he fails then the account is locked for HIS IP, not YOURS. You will still be able to log in just fine.

 

If somehow the attacker guesses your password before it's locked they STILL can't log in. They would need to know the answer to one of the security questions you filled in when you made the account.

 

I know most forum posters think they're smarter than the devs but as Phillip said they've already considered all these scenarios and have systems in place to prevent them.

 

Quoted to emphasize what DaRoamer has shared. /2-thumbs-up

 

There is an interesting psychology at play in a lot of posts in this thread, which is also why so many people have weak passwords (over-reliance on loginID): the assumption (or dependence) on a login-ID as a strongpoint of log-in authentication. It's not, and never has been in the modern era. A good analogy is the typical corporate employee loginID and password. The whole company probably knows your loginID (since it will often be the first half of your email address, or sometimes a nickname derived directly from it), but nobody knows your password and your employer requires you to use a strong password. Same principle applies here.

 

The strongpoints in security for login authentication in the modern era are strong passwords + secret questions + IP tracking/interlock + Authenticators. LoginID is not really a factor in the security layering. Yeah, it can add some layer of extra requirement... but it's NOT where security emphasis is applied in modern security processes. If it was, then they would require you to use a "strong" id which they do not and never have.

 

So, let's state it clearly and emphatically: loginIDs are not where security lies. It only identifies you to the authenticator process so that the actual security interrogation and validation can then be applied.

 

Now, some will probably say... OK... then why not just use the email address?? Because your email account is how Bioware communicates with you about your account (like when you make changes to your account, including changing your email address)... so it needs to be separate and disconnected from actual login authentication. Separating it adds another layer of security (in the context of hacking and robbing your account). And it is worth noting (as Phillip did earlier) a player's email address also needs to be better protected by the player than probably the majority of players actually do.

 

The real mistake (if we want to insist there be one) on Bioware's part was using email addresses to begin with. They were drawn into it by Origin probably in the early days. But whatever, they are removing it beginning in April.

Edited by Andryah
Link to comment

This ^

 

*** Bioware/EA if you can't manage security properly then please find another way, a fob token or something.

This is ridiculous.

 

As the poster says - if I was pvping and people hated me or whatever they could attempt to log in as me several times and get my account suspended (if they knew my forum handle). This is a stupid idea.

 

you haven't hired Julio Torres by any chance? he's full of stupid ideas.

 

Hilarious..... except the hypothetical you quoted is inaccurate.

 

It's pretty simple to put anti-griefing measures in place with existing systems to prevent this. In fact, it's clear that they already exist, and have since launch. But hey... feel free to try to grief forum members and see what happens. They will lock-out your IP (since it is not recognized and validated for the account you are trying to grief), and then look it up in their database to see what actual SWTOR account validly uses your IP and then send you a ban notice for attempting to hack someone else's account.

 

The only real griefing vulnerability is another family member inside your own IP range set....and that really is a family behavior problem, not a security problem.

Edited by Andryah
Link to comment
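The two lockout designs argued over in this thread, the "Option B" account-wide suspension and the per-IP lockout described in the replies, side by side as an added example (not part of any post and not BioWare's code). The class names, the five-attempt threshold, the account and the IP addresses are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5  # assumed; the post says "4 or 5 attempts"

class PerAccountLockout:
    """'Option B' from the thread: N failures suspend the account for everyone."""
    def __init__(self, passwords):
        self.passwords = passwords          # toy store; real systems keep salted hashes
        self.failures = defaultdict(int)    # display name -> failed attempts

    def login(self, name, password, source_ip):
        if self.failures[name] >= MAX_FAILURES:
            return "locked"
        if self.passwords.get(name) != password:
            self.failures[name] += 1
            return "denied"
        self.failures[name] = 0
        return "ok"

class PerSourceLockout:
    """Scheme described in the replies: failures count against (account, source)."""
    def __init__(self, passwords, known_sources):
        self.passwords = passwords
        self.known = known_sources          # display name -> IPs of past good logins
        self.failures = defaultdict(int)    # (display name, IP) -> failed attempts

    def login(self, name, password, source_ip):
        key = (name, source_ip)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"                 # only this source is shut out
        if self.passwords.get(name) != password:
            self.failures[key] += 1
            return "denied"
        self.failures[key] = 0
        if source_ip not in self.known.get(name, set()):
            return "challenge"              # right password, new source: security question
        return "ok"

def owner_after_griefing(system, name, owner_pw, owner_ip, griefer_ip, tries=20):
    """Wrong passwords are submitted for a public display name, then the owner logs in."""
    for i in range(tries):
        system.login(name, f"wrong-{i}", griefer_ip)
    return system.login(name, owner_pw, owner_ip)

# Constructed sample data (documentation IP ranges, made-up account).
PW = {"ExamplePlayer": "correct horse battery"}
KNOWN = {"ExamplePlayer": {"203.0.113.10"}}

if __name__ == "__main__":
    args = ("ExamplePlayer", PW["ExamplePlayer"], "203.0.113.10", "198.51.100.7")
    print(owner_after_griefing(PerAccountLockout(PW), *args))        # locked
    print(owner_after_griefing(PerSourceLockout(PW, KNOWN), *args))  # ok
```

Per-source counters keep the owner's login working, but on their own they do not bound guesses spread across many addresses, which is the gap the brute-force monitoring mentioned in the staff reply has to cover.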

Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.

 

I haven't read the 15 pages since this was posted, so forgive me if this has already been pointed out.

 

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.

Link to comment

I don't like this, if you are going to make us log in with our display names at least make it so we can change our display names at least one time.:(

 

I was going to write the same thing.

LET US CHANGE DISPLAY NAME. ONCE.

(or more times, if you wish, I won't complain)

Link to comment

I was going to write the same thing.

LET US CHANGE DISPLAY NAME. ONCE.

(or more times, if you wish, I won't complain)

 

Out of curiosity..... WHY?

 

I see a lot of people asking for this... but why? What difference does it make?

Link to comment

I sincerely hope that this does not mean that I have to give BW my e-mail account password! I will *not* be doing so. It would be tragic to lose customers over something so stupid.

 

Um... where on earth did you even get the idea that Bioware would need/want your email password???????

 

Of course not!!! They never said they would, and there is absolutely no reason for them to have it.

Link to comment