Probaly part of their new cross-platform cross media Real name system, they are working on connecting each system they work whit and may be working whit at a later date. from random logings/db's/systems to a "simple" cheap to maintain/use system for them, less freedom and security for users.
just a single step among many to make all systems ready to go.
Using emails as logins was a really bad system from a security standpoint. EA / SWTOR copied what Blizzard & Battle.net did, amongst other things, as an assurance that SWTOR would be popular.
It was a cruddy move by Blizzard to even install such a system, and a cruddy move to all those who followed (blindly) what others were doing.
EA doesn't innovate much, they just copy others.
It's a good thing if EA starts requiring unique logon names (not emails). WoW was that way, but then Blizzard tied personal identity with a customers account, which was bullshit. Security No-No.
But it's not EA's own initiave that is driving this. There is widespread talk about systems that use personal identification (email) as login. Many other systems have already poo-poo'ed this approach.
You do realize they didn't say unique login ID, correct? They are talking about using your "Display Name" instead. If you want to be secure then you do what FFXI did in the begining.
[mod edit]
You'll have to clue me in as to what a Display Name is, versus a unique login name/ID.
In SWTOR your Display Name is your name on the Forums. It's there for any and all to see.
[mod edit]
[mod edit]
In the post, a Display Name will be required to login to the game. Isn't that unqiue?
[mod edit]
Give EA one step at a time. They just got Display Names for SWTOR after a year.
Do you really see a separate forum logon as that important? What would you like to hide?
[mod edit]
Yes, I do see a seperate froum logon as that important. What would I like to hide? Why my log in information of course.
[mod edit]
Personally I'd rather just have one login for the game AND the forums. I see no reason to separate the two.
EA is (as usual) behind the times, and they are only now drifting away from emails as logins. That is a good step. Asking for a separation of game vs forum login accounts is rediculous.
[mod edit]
A "Hacker" can easily use a readily available legal script to collect display names from a forum. This is half of your login information. If they have half of your login information all that is left is your password.
Many people ignore security advice and use common passwords, these will be the first to cry foul (From your posts and how uninformed you seem I believe you will be in this group). Currently you have unlimited attempts to guess passwords, while their security specialist has stated they plan on adding extra security I do not have confidence in them when they make such a inexperienced mistake like using a displayed name as a security measure so I expect the rest will be at risk as well.
[mod edit]
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
SOE uses account name and password for your account with extra display name, and can use a differnt display name for each of their games.
Not sure if EA gives unlimited guesses, but if they used EAs method then hackers are half way there to getting access to your account compared to SOE
With SOE hackers have to guess your username AND password, with EA/Blizzard all hackers have to guess is your password.
I think email is more risky than forums, as your email address can get picked up when you email, whereas if you do not post on forums which you can not as F2P/Preffered then you are safe. Also I had my email address on my CV and I then had my WOW account hacked, and I think it was from the CV, but now I use a different email for CV
Using emails as logins was a really bad system from a security standpoint. EA / SWTOR copied what Blizzard & Battle.net did, amongst other things, as an assurance that SWTOR would be popular.
It was a cruddy move by Blizzard to even install such a system, and a cruddy move to all those who followed (blindly) what others were doing.
EA doesn't innovate much, they just copy others.
It's a good thing if EA starts requiring unique logon names (not emails). WoW was that way, but then Blizzard tied personal identity with a customers account, which was bullshit. Security No-No.
But it's not EA's own initiave that is driving this. There is widespread talk about systems that use personal identification (email) as login. Many other systems have already poo-poo'ed this approach.
You do realize they didn't say unique login ID, correct? They are talking about using your "Display Name" instead. If you want to be secure then you do what FFXI did in the begining.
The move is asinine as is anyone that believes this is a good idea.
You'll have to clue me in as to what a Display Name is, versus a unique login name/ID.
In SWTOR your Display Name is your name on the Forums. It's there for any and all to see.
I mean you do know what Display means right?
Display - Make a prominent exhibition of (something) in a place where it can be easily seen
Your defense is to be sarcastic. Beautiful defense?
In the post, a Display Name will be required to login to the game. Isn't that unqiue?
You can't be that daft. Lets say I'm playting some random game called "Global Defense Panty Raid". My Display name is GrayGhost79, my unique login in is youcan'tbethisdaftKarteli27. No one sees my unique login name, but when I post on forums you do see GrayGhost79 because that is my display name.
Give EA one step at a time. They just got Display Names for SWTOR after a year.
Do you really see a separate forum logon as that important? What would you like to hide?
ps- insults aren't going to further your cause.
Yes, I do see a seperate froum logon as that important. What would I like to hide? Why my log in information of course.
You would like to hide your login information for the forums ... is that whats imporant to you? Or would you like to hide what you have to say? So you can be a nice guy in the game, then turn around and talk trash? Two separate lives .....
Personally I'd rather just have one login for the game AND the forums. I see no reason to separate the two.
EA is (as usual) behind the times, and they are only now drifting away from emails as logins. That is a good step. Asking for a separation of game vs forum login accounts is rediculous.
Let me try and say this without throwing any well deserved insults your way.
A "Hacker" can easily use a readily available legal script to collect display names from a forum. This is half of your login information. If they have half of your login information all that is left is your password.
Many people ignore security advice and use common passwords, these will be the first to cry foul (From your posts and how uninformed you seem I believe you will be in this group). Currently you have unlimited attempts to guess passwords, while their security specialist has stated they plan on adding extra security I do not have confidence in them when they make such a inexperienced mistake like using a displayed name as a security measure so I expect the rest will be at risk as well.
You keep insulting, and throwing some bullshit about well deserved insults. Shoot.. Just throw them.
You talk of security, yet I wonder? Maybe.
This thing is, what a hacker can gleam is not what happens in real life.
Hacking isn't "easy". It's a major corredinated effort, mostly for some sort of financial gain. Occasionally just to show weaknesses.
In, the lower paragraph of your post, are you saying EA gives an unlimited amount of guesses? It's a hard read.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
Publicly visible account names, and they consider this good for security?
I must be misreading this.
Ken Fisher - Semi retired old fart Network Administrator, now working in Network Security. I don't Forum PVP. If you feel I've attacked you, it was probably by accident. When I don't understand, I ask. Such is not intended as criticism.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
This respond from Phillip Holmes, SWTOR Head of Security is rather long LOL but for all who wants answers there we go:
So in case you haven't come across me before (most haven't!), I'm Phillip Holmes, the Senior Manager of Security here at Star Wars: The Old Republic.
I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.
Some responses below - apologies if I don't reply to every question...
Quote: Originally Posted by Icebergy
well that's... weird, since the whole point is the game uses our origin accounts
No change. Your account is still linked to Origin, however you will continue to log in to Origin using your email address as their security implementation is still different. There is no link to your SWTOR Display Name in Origin so no added risk...
Quote: Originally Posted by bigheadbrandon
I don't understand how this help security. No one knows what email I use to log in. Everyone knows your 'Display Name'. Granted they need to know the security questions, but knowing each persons display name is one less barrier IMO.
So two things here. Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account. We are implementing a few other measures (more news on that in the few weeks!) to ensure that account take over risk is mitigated.
I would recommend you make sure you use a very different password for your email account to anything you use elsewhere though. I know that is just common sense, but it's very very important. If possible use a dual-factor authentication system like the Two-Step solution that can be used on top of GMail.
Quote: Originally Posted by WSS_Toxin
A) EAware redefining terms AGAIN. Display Name = Forum "Handle" for those curious.
While at first blush it would seem that going from Email ( usually unknown/private ) to Handle ( very public ) there may seem to be a risk to security for hacking. I for one would expect to have A LOT of hacking attempts given how many people "love me" here. What you have is a fall back to the "questions" you were asked to associate with your account. These are triggerred if you don't log in from a consistante IP. Update your questions and change your password to be 10+ characters long with at least 2 Upper case, 2 lower case letters, 2 numbers, and 2 special characters. Nothing to worry about.
Understandably, we have spent a lot of effort in making sure the new system will mitigate hacking attempts, especially of the brute-force variety. As mentioned above, there will be more news on this in the next few weeks.
Quote: Originally Posted by JPryde
I hope this is a joke, if not it's really really really really really really stupid. A step backwards. Pretty much everywhere let's you use your e-mail as login anymore and more are moving towards that, not away from.
My market research as a security professional tells me otherwise. Sorry to disagree here.
Quote: Originally Posted by morfius
exactly
no one "knows" my e-mail or my real identity but everyone on these forums knows my username
my mind is conjuring scenes where some butthurt player has a tiff with another and begins trying to hack an account where 1/2 of the login information is available for the world to see
Attempts at hacking of our site are not tolerated at all. Doing so would get that player in a lot more trouble than it any gain they think they might be able to get.
Quote: Originally Posted by Yaesive
Additionally I am wondering if we will see a purge of inactive User accounts to free up possible accounts for new player?
No purge planned - the game is way too young to be thinking of removing old accounts, especially as a lot of those accounts have game data associated with them and we would like our players to be able to return to everything they left behind if they do leave.
Quote: Originally Posted by Jenovan
Yeah, this is a very very bad idea. So now, in order to hack my account, you need to figure out my email address (which is unique to SWTOR) and my password.
After this change, you will know that my username is Rankyn because it's plastered all over the forum and all you're left to do is try to figure out my password. You've essentially done 50% of the work for anyone trying to hack my account.
If security is the real issue then our usernames need to be a 3rd option that is neither our email address or our forum name.
Actually today an attacker also needs to know the answers to your Security Questions. In the future (more news in the next few weeks) that will require the attacker to also know your email account password. We also monitor for brute force attacks and have other systems in place to mitigate that type of threat.
Quote: Originally Posted by JPryde
does that mean that if i sign in with that name, i play that specific character? if so what happens to all my other characters, do i have to sign them in by name too? seems like an aweful lot of remembering for people like me who have 12 characters.
We are only changing how you log in to your account - your characters stay tied together as part of that overall account. No need to worry!
Quote: Originally Posted by Mallorik
I dont see this being a huge change or drop in security, as it has already been possible to log in with either the account email or forum name for a long time. I do see it being a problem for people who rarely use the forums and may not remember their forum names. There will definitely need to be notifications sent via email about this.
I also see it being an issue for those who may have previously played the game and return for the expansion. If it has been long enough they likely will not remember their forum name, and who knows what sort of hoops they would have to jump through in order to retrieve the name.
We are also putting in a 'I forgot my account name' feature which will email you the name - we too thought of all the players that might not see the messaging or even come back after April 2nd.
Have I mentioned that people need to make sure their own email account is as secure as possible?
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
Point #1 is where you seem to be having trouble (unless i'm reading YOUR post wrong). He's saying the opposite of that. He's saying that an email login would be more secure than a Display Name login, since everyone on the forums can see the Display Name, but only those with access to EA/ Bioware's account database can get your email (although if they have access to account info, they can get your pass too).
Now, with Sevenstar's post, Philip Holmes states "Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account."
This is kind of confusing on a couple of levels:
First is the way he says "Not everybody knows your Display Name." "Not everybody" could mean different things. For instance, does he mean only the people on the forums will see your Display Name, since clearly the people on the forums aren't "everybody". Or does he mean only EA/Bioware staff and you know it? I dunno, maybe I'm looking too far into that and I'm just arguing semantics.
Another thing that is confusing, is that he states people need to figure out your email account to take over your SWTOR account. Well, can't people log into the game/forums using just the Display Name and password? Or do you need to log into Origin first, THEN type your Display Name and password? If you don't need to log into Origin first, what's to stop someone from using your Display Name, somehow getting/guessing your password, and causing havoc to your character(s)?
This whole thing is rather confusing and needs to be stated more clearly in my opinion.
I read Phil's post and several things crossed my mind.
First, it is nice to see a DEV actually post.
That said, he came off pretty imperious, which had been a knock on Bioware since Jump Street on this project.
He clearly mistated some shit about Steam. (WHich I guess is the arch nemesis os Origin).
Why hasn't he shown up on the months of endless threads in regard to security key issues, both activation, use, reactivation, availability, etc.
Not to mention the various authentication issues surrounding attempt to buy cartel cash, errror# whateveer, etc.
That and the other DEV post from the day is the third?, fourth?, fifth, community management team introducing themselves saying they are going to be more proactive. And yet they never make an appearance in this thread.
All in all, I can't figurre out why Bioware, with yet another round of layoffs, is devouting resources to a non-issue. I can't figure this out is a positive or negative way. It just seems like change for "I have no idea why's" sake.
All in all, Bioware Austin seems like a rather disjointed and muddied staff.
Who knows? Maybe I'm trying to glean too much from this change in policy.
All in all, it's hard to trust either the rudder or the navigator; or one hand doesn't know what the other hand is doing when the other hand is clapping by itself.
It's bewildering I tell ya. (From an observationalist point of view, this certainly doesn't make SWTOR less intresting though.)
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
Point #1 is where you seem to be having trouble (unless i'm reading YOUR post wrong). He's saying the opposite of that. He's saying that an email login would be more secure than a Display Name login, since everyone on the forums can see the Display Name, but only those with access to EA/ Bioware's account database can get your email (although if they have access to account info, they can get your pass too).
Now, with Sevenstar's post, Philip Holmes states "Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account."
This is kind of confusing on a couple of levels:
First is the way he says "Not everybody knows your Display Name." "Not everybody" could mean different things. For instance, does he mean only the people on the forums will see your Display Name, since clearly the people on the forums aren't "everybody". Or does he mean only EA/Bioware staff and you know it? I dunno, maybe I'm looking too far into that and I'm just arguing semantics.
Another thing that is confusing, is that he states people need to figure out your email account to take over your SWTOR account. Well, can't people log into the game/forums using just the Display Name and password? Or do you need to log into Origin first, THEN type your Display Name and password? If you don't need to log into Origin first, what's to stop someone from using your Display Name, somehow getting/guessing your password, and causing havoc to your character(s)?
This whole thing is rather confusing and needs to be stated more clearly in my opinion.
Using a unique ID instead of an email is more secure overall, since a compromised account doesn't reveal the corresponding email tied to it. I couldn't care less about forum users. Use the official forums at your own risk .. they are garbage anyways. That clear enough?
I'd rather have a secure account than have some shitty forum access where only shills and trolls hang out.
If anything, push for a block of forums so that only subscribers can see them. Problem solved?
** there are some good Roleplay sections, like SevenStar showed. Those should be possibly made public, since they contain a lot of original content that should be accessible to those interested.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
Point #1 is where you seem to be having trouble (unless i'm reading YOUR post wrong). He's saying the opposite of that. He's saying that an email login would be more secure than a Display Name login, since everyone on the forums can see the Display Name, but only those with access to EA/ Bioware's account database can get your email (although if they have access to account info, they can get your pass too).
Now, with Sevenstar's post, Philip Holmes states "Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account."
This is kind of confusing on a couple of levels:
First is the way he says "Not everybody knows your Display Name." "Not everybody" could mean different things. For instance, does he mean only the people on the forums will see your Display Name, since clearly the people on the forums aren't "everybody". Or does he mean only EA/Bioware staff and you know it? I dunno, maybe I'm looking too far into that and I'm just arguing semantics.
Another thing that is confusing, is that he states people need to figure out your email account to take over your SWTOR account. Well, can't people log into the game/forums using just the Display Name and password? Or do you need to log into Origin first, THEN type your Display Name and password? If you don't need to log into Origin first, what's to stop someone from using your Display Name, somehow getting/guessing your password, and causing havoc to your character(s)?
This whole thing is rather confusing and needs to be stated more clearly in my opinion.
Using a unique ID instead of an email is more secure overall, since a compromised account doesn't reveal the corresponding email tied to it. I couldn't care less about forum users. Use the official forums at your own risk .. they are garbage anyways. That clear enough?
I'd rather have a secure account than have some shitty forum access where only shills and trolls hang out.
If anything, push for a block of forums so that only subscribers can see them. Problem solved?
** there are some good Roleplay sections, like SevenStar showed. Those should be possibly made public, since they contain a lot of original content that should be accessible to those interested.
A unique ID is only better if others can't see it. Even if they lock the forums down to subscribers only, other subscribers can still see your Display Name. While that may be less people that can see that info, those other subscribers should in no way have access to that info. Do you really think because they're subscribing that they're not capable of having malicious intents like trying to steal an account?
Also, while I do agree that the official forums are garbage, people that post there should not be subject to account security threats, even if you don't care about those users.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
Point #1 is where you seem to be having trouble (unless i'm reading YOUR post wrong). He's saying the opposite of that. He's saying that an email login would be more secure than a Display Name login, since everyone on the forums can see the Display Name, but only those with access to EA/ Bioware's account database can get your email (although if they have access to account info, they can get your pass too).
Now, with Sevenstar's post, Philip Holmes states "Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account."
This is kind of confusing on a couple of levels:
First is the way he says "Not everybody knows your Display Name." "Not everybody" could mean different things. For instance, does he mean only the people on the forums will see your Display Name, since clearly the people on the forums aren't "everybody". Or does he mean only EA/Bioware staff and you know it? I dunno, maybe I'm looking too far into that and I'm just arguing semantics.
Another thing that is confusing, is that he states people need to figure out your email account to take over your SWTOR account. Well, can't people log into the game/forums using just the Display Name and password? Or do you need to log into Origin first, THEN type your Display Name and password? If you don't need to log into Origin first, what's to stop someone from using your Display Name, somehow getting/guessing your password, and causing havoc to your character(s)?
This whole thing is rather confusing and needs to be stated more clearly in my opinion.
Using a unique ID instead of an email is more secure overall, since a compromised account doesn't reveal the corresponding email tied to it. I couldn't care less about forum users. Use the official forums at your own risk .. they are garbage anyways. That clear enough?
I'd rather have a secure account than have some shitty forum access where only shills and trolls hang out.
If anything, push for a block of forums so that only subscribers can see them. Problem solved?
** there are some good Roleplay sections, like SevenStar showed. Those should be possibly made public, since they contain a lot of original content that should be accessible to those interested.
A unique ID is only better if others can't see it. Even if they lock the forums down to subscribers only, other subscribers can still see your Display Name. While that may be less people that can see that info, those other subscribers should in no way have access to that info. Do you really think because they're subscribing that they're not capable of having malicious intents like trying to steal an account?
Also, while I do agree that the official forums are garbage, people that post there should not be subject to account security threats, even if you don't care about those users.
The portion in yellow is something I hope we can all agree on. It is sad that Phillip Holmes has stated that having a seperate unique login is to expensive in EA's eyes because it really would be the best option.
"We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs."
Originally posted by tiefighter25 WTF arre they doing?
Who the hell knows? I reached level 16 on the free to play thingamy - and because of the old "play to level 16 trial" set up on their former business model (according to a post I read in their forum), I got blocked from playing. To rectify that situation I had to google it and found the answer in a forum! In a game THIS big, that in itself mystified me.
The solution was to register my email address instead of just a username.
Not days later I get the "display name only login" email.
I think the devs on swtor need to go play something reeeeally amateurish and update their skills.
what i want to know is...why do you people that don't play this game care if they change the way they keep their game secure? lol
this forum is just a gigantic train wreck created only by people that don't play this game and i just cant look away.
We all have an interest in SWTOR and I think we all play the game to some degree, but not heavily, or just waiting for that awesome update like the SSSP where it will turn SWTORs space element into a game like EVE/STO/SWG
Anyway, this does affect everyone who has played the game at some point, even if not playing it now. If there is an awesome update that brings people back to the game, but then find account hacked and chars deleted or something, then will not come back. Forum names are easy to try as you just pick through forum names anywhere on the internet and try them. Is your forum display name on SWTOR the same as it is here? Do not answer that If it is then part of your SWTOR log in details are known (or someones elses is if another user has taken it) even if you do not post on the forums, but with emails you can create a unique one for each game, and from many different providers with various different aliases too.
I hope they allow people to change the usernames, as no doubt people would have chosen a different username, if knew it was going to be a log in name as well. For EA to change it now from email to display name is a violation of our data, which can have a knock on effect as hackers can use peronal info for other things like Bank Accounts. People who hack into MMO accounts are not necesssarily after your game stuff, but to get more info to help get into your bank accounts etc.
Just as an FYI about this. I have multiple email accounts, and on one of those that has no relation to SWTOR an email was sent to me about this. Now being suspicious I hover over some of the things on the page, and they seem to want to take me to a bogus site. as an example "follow us on twitter" forwards me to the same place every other clickie does. So beware, someone is phishing hard for your account info with this upcoming change.
what i want to know is...why do you people that don't play this game care if they change the way they keep their game secure? lol
this forum is just a gigantic train wreck created only by people that don't play this game and i just cant look away.
Just because I'm not playing right this minute does not mean I won't be playing in the future. I want to protect the work (yes, it felt like work, but sometimes I'm in the mood for that).......I want to protect the work I've done on my character by my account NOT GETTING HACKED. I imagine a lot of people that aren't presently playing feel the same way. Just because you're not playing at the moment doesn't mean you want your account hacked. I feel like saying "duh" here. Think.
Comments
Probaly part of their new cross-platform cross media Real name system, they are working on connecting each system they work whit and may be working whit at a later date. from random logings/db's/systems to a "simple" cheap to maintain/use system for them, less freedom and security for users.
just a single step among many to make all systems ready to go.
I don't see how it's hard to read, it clearly states they currently allow unlimted attempts at guessing the correct password.
And even with my limited skills I can write a script to do data collection on websites. It takes all of 10-20 minutes to throw together then its a run and leave thing. Thats if I want to take the 10-20 minutes to throw one together. You can get a slew of them online for free, though I wouldn't advise this unless you are an online security minded individual because you can easily get a virus.
You are wrong about how hard it is compromising accounts. Compromising accounts is fairly easy. I can send out emails right now if I wanted to and end up with a few dozen accounts with out any effort. If I want to brute force my way into SWTOR accounts it would take a few hours with just scripts to get a few hundred accounts. Though I have no interests in doing so.
Again, I have limited skill and these are easy things for me.
SOE uses account name and password for your account with extra display name, and can use a differnt display name for each of their games.
Not sure if EA gives unlimited guesses, but if they used EAs method then hackers are half way there to getting access to your account compared to SOE
With SOE hackers have to guess your username AND password, with EA/Blizzard all hackers have to guess is your password.
I think email is more risky than forums, as your email address can get picked up when you email, whereas if you do not post on forums which you can not as F2P/Preffered then you are safe. Also I had my email address on my CV and I then had my WOW account hacked, and I think it was from the CV, but now I use a different email for CV
Star Trek Online - Best Free MMORPG of 2012
Ah we're on different levels. I don't consider social enginerring via emails as hacking. It's theft, not hacking.
I fail to see where it says unlimited tries for SWTOR logins.
ALSO, if you publically attack another website, it's against the law. You'll go to jail, just saying.
Want a nice understanding of life? Try Spirit Science: "The Human History"
http://www.youtube.com/watch?v=U8NNHmV3QPw&feature=plcp
Recognize the voice? Yep sounds like Penny Arcade's Extra Credits.
Data gathering isn't an attack, it's also not illegal. Corporations do this among other things to gather information.
Also yes, we are on different levels because I never said social engineering via emails was hacking, you failed to comprehend what was typed. You tried portraying account compromising as an excessively difficult task. I attempted to enlighten you by explaining how easy it is.
Please type more coherently next time! Thanks. BTW- it's not that easy to hack.
Want a nice understanding of life? Try Spirit Science: "The Human History"
http://www.youtube.com/watch?v=U8NNHmV3QPw&feature=plcp
Recognize the voice? Yep sounds like Penny Arcade's Extra Credits.
His posts were perfectly coherent. It's pretty low to blame others for your lack of reading comprehension. Learn from your mistakes and better yourself in the process.
Consume. Be silent. Die.
Publicly visible account names, and they consider this good for security?
I must be misreading this.
And what key point did you gleam from those posts?
I'll start, you fill in the rest.
Grayghost79:
1 - The logon system won't be as secure with an email logon as it will with a Display Name. (post #3)
2 - The Display is an attrocity because it reveals half of a users identify. (post #8)
3 - Speak of how easy it is to hack. (post #31) LOLOL Whooo whooo whoop whoop
4 - Denial of previus statements about social engineering as being considered hacks, yet, a post to Enlighten me via social downplaying / "better than you complex". (post #34)
And those key posts were obvious, Shame on me. All the op was doing was discussing the Display Name, but thanks for jumping in.
Want a nice understanding of life? Try Spirit Science: "The Human History"
http://www.youtube.com/watch?v=U8NNHmV3QPw&feature=plcp
Recognize the voice? Yep sounds like Penny Arcade's Extra Credits.
This respond from Phillip Holmes, SWTOR Head of Security is rather long LOL but for all who wants answers there we go:
I will be posting a more detailed synopsis of the upcoming changes in the next few weeks - I just have one or two ducks left to line up before I do that.
Some responses below - apologies if I don't reply to every question...
I would recommend you make sure you use a very different password for your email account to anything you use elsewhere though. I know that is just common sense, but it's very very important. If possible use a dual-factor authentication system like the Two-Step solution that can be used on top of GMail.
no one "knows" my e-mail or my real identity but everyone on these forums knows my username
my mind is conjuring scenes where some butthurt player has a tiff with another and begins trying to hack an account
where 1/2 of the login information is available for the world to see
So now, in order to hack my account, you need to figure out my email address (which is unique to SWTOR) and my password.
After this change, you will know that my username is Rankyn because it's plastered all over the forum and all you're left to do is try to figure out my password.
You've essentially done 50% of the work for anyone trying to hack my account.
If security is the real issue then our usernames need to be a 3rd option that is neither our email address or our forum name.
I do see it being a problem for people who rarely use the forums and may not remember their forum names. There will definitely need to be notifications sent via email about this.
I also see it being an issue for those who may have previously played the game and return for the expansion. If it has been long enough they likely will not remember their forum name, and who knows what sort of hoops they would have to jump through in order to retrieve the name.
Have I mentioned that people need to make sure their own email account is as secure as possible?
SWTOR Head of Security
Sith Warrior - Story of Hate and Love http://www.youtube.com/watch?v=sxKrlwXt7Ao
Imperial Agent - Rise of Cipher Nine http://www.youtube.com/watch?v=OBBj3eJWBvU&feature=youtu.be
Imperial Agent - Hunt for the Eagle Part 1http://www.youtube.com/watch?v=UQqjYYU128E
Point #1 is where you seem to be having trouble (unless i'm reading YOUR post wrong). He's saying the opposite of that. He's saying that an email login would be more secure than a Display Name login, since everyone on the forums can see the Display Name, but only those with access to EA/ Bioware's account database can get your email (although if they have access to account info, they can get your pass too).
Now, with Sevenstar's post, Philip Holmes states "Not everybody knows your Display Name, and an attacker will need to figure out your email account in order to attempt to take over your SWTOR account."
This is kind of confusing on a couple of levels:
First is the way he says "Not everybody knows your Display Name." "Not everybody" could mean different things. For instance, does he mean only the people on the forums will see your Display Name, since clearly the people on the forums aren't "everybody". Or does he mean only EA/Bioware staff and you know it? I dunno, maybe I'm looking too far into that and I'm just arguing semantics.
Another thing that is confusing, is that he states people need to figure out your email account to take over your SWTOR account. Well, can't people log into the game/forums using just the Display Name and password? Or do you need to log into Origin first, THEN type your Display Name and password? If you don't need to log into Origin first, what's to stop someone from using your Display Name, somehow getting/guessing your password, and causing havoc to your character(s)?
This whole thing is rather confusing and needs to be stated more clearly in my opinion.
Consume. Be silent. Die.
I read Phil's post and several things crossed my mind.
First, it is nice to see a DEV actually post.
That said, he came off pretty imperious, which had been a knock on Bioware since Jump Street on this project.
He clearly mistated some shit about Steam. (WHich I guess is the arch nemesis os Origin).
Why hasn't he shown up on the months of endless threads in regard to security key issues, both activation, use, reactivation, availability, etc.
Not to mention the various authentication issues surrounding attempt to buy cartel cash, errror# whateveer, etc.
That and the other DEV post from the day is the third?, fourth?, fifth, community management team introducing themselves saying they are going to be more proactive. And yet they never make an appearance in this thread.
All in all, I can't figurre out why Bioware, with yet another round of layoffs, is devouting resources to a non-issue. I can't figure this out is a positive or negative way. It just seems like change for "I have no idea why's" sake.
All in all, Bioware Austin seems like a rather disjointed and muddied staff.
Who knows? Maybe I'm trying to glean too much from this change in policy.
All in all, it's hard to trust either the rudder or the navigator; or one hand doesn't know what the other hand is doing when the other hand is clapping by itself.
It's bewildering I tell ya. (From an observationalist point of view, this certainly doesn't make SWTOR less intresting though.)
Using a unique ID instead of an email is more secure overall, since a compromised account doesn't reveal the corresponding email tied to it. I couldn't care less about forum users. Use the official forums at your own risk .. they are garbage anyways. That clear enough?
I'd rather have a secure account than have some shitty forum access where only shills and trolls hang out.
If anything, push for a block of forums so that only subscribers can see them. Problem solved?
** there are some good Roleplay sections, like SevenStar showed. Those should be possibly made public, since they contain a lot of original content that should be accessible to those interested.
Want a nice understanding of life? Try Spirit Science: "The Human History"
http://www.youtube.com/watch?v=U8NNHmV3QPw&feature=plcp
Recognize the voice? Yep sounds like Penny Arcade's Extra Credits.
Karteli: I don't understand why you are going Defcon 1.
The switch in policy is odd because now people automatically have your login handle, and can now brute force the password.
Bioware may add counter-measures to attempt to prevent account highjacking, but the switch in policy seems to unnecessarily add security issues.
This is not a game-killing bug; but really friggin' weird.
what i want to know is...why do you people that don't play this game care if they change the way they keep their game secure? lol
this forum is just a gigantic train wreck created only by people that don't play this game and i just cant look away.
A unique ID is only better if others can't see it. Even if they lock the forums down to subscribers only, other subscribers can still see your Display Name. While that may be less people that can see that info, those other subscribers should in no way have access to that info. Do you really think because they're subscribing that they're not capable of having malicious intents like trying to steal an account?
Also, while I do agree that the official forums are garbage, people that post there should not be subject to account security threats, even if you don't care about those users.
Consume. Be silent. Die.
You are watching the train wreck of people watching a train wreck. It's like a fractal or something.
The portion in yellow is something I hope we can all agree on. It is sad that Phillip Holmes has stated that having a seperate unique login is to expensive in EA's eyes because it really would be the best option.
"We did look at using a secondary 'login only' display name, but sadly this would create more confusion and increase costs associated with support of the new system rather than decrease existing support costs."
i can go to jail for EAbashing? but i dont wanna go to jail...cant we just make a new law
fractals are good,,i always have two for breakfast, theres so many of them under my bridge
Who the hell knows? I reached level 16 on the free to play thingamy - and because of the old "play to level 16 trial" set up on their former business model (according to a post I read in their forum), I got blocked from playing. To rectify that situation I had to google it and found the answer in a forum! In a game THIS big, that in itself mystified me.
The solution was to register my email address instead of just a username.
Not days later I get the "display name only login" email.
I think the devs on swtor need to go play something reeeeally amateurish and update their skills.
Not to mention being three weeks early.
We all have an interest in SWTOR and I think we all play the game to some degree, but not heavily, or just waiting for that awesome update like the SSSP where it will turn SWTORs space element into a game like EVE/STO/SWG
Anyway, this does affect everyone who has played the game at some point, even if not playing it now. If there is an awesome update that brings people back to the game, but then find account hacked and chars deleted or something, then will not come back. Forum names are easy to try as you just pick through forum names anywhere on the internet and try them. Is your forum display name on SWTOR the same as it is here? Do not answer that If it is then part of your SWTOR log in details are known (or someones elses is if another user has taken it) even if you do not post on the forums, but with emails you can create a unique one for each game, and from many different providers with various different aliases too.
I hope they allow people to change the usernames, as no doubt people would have chosen a different username, if knew it was going to be a log in name as well. For EA to change it now from email to display name is a violation of our data, which can have a knock on effect as hackers can use peronal info for other things like Bank Accounts. People who hack into MMO accounts are not necesssarily after your game stuff, but to get more info to help get into your bank accounts etc.
Star Trek Online - Best Free MMORPG of 2012
This space reserved for pithy comment.
I don't think they're handing out HALF your log in info, it says you will log in ONLY with your display name. So how is THAT even remotely secure?
President of The Marvelously Meowhead Fan Club
Just because I'm not playing right this minute does not mean I won't be playing in the future. I want to protect the work (yes, it felt like work, but sometimes I'm in the mood for that).......I want to protect the work I've done on my character by my account NOT GETTING HACKED. I imagine a lot of people that aren't presently playing feel the same way. Just because you're not playing at the moment doesn't mean you want your account hacked. I feel like saying "duh" here. Think.
President of The Marvelously Meowhead Fan Club