
Display Name Only Log In - Coming April 2, 2013


CourtneyWoods


OK - you caught me. I'm only spending a few minutes on each answer. The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time.

 

I know I speak for most (all?) of us when I say that going the extra mile is really appreciated. In my view, this amount of communication goes way beyond the expectations of a reasonable customer. So thanks! (Implied corollary: it would be a counterproductive mistake to hold every member of the swtor team accountable to this level of feedback! Okay, fellow swtor players?)

 

So it sounds like most people are worried that, on the surface, a readily obtainable (by an attacker) username is less secure than a maybe-secret email address. You have continually told us that there are other systems in place to ensure security beyond just username/password, but unless I missed it, you've been kind of vague about what they are. Perhaps shedding some (but not too much) light on what those systems are would alleviate some concerns.


I think the part of this thread that makes me lol the most is that you can already log in using display name now. So I'm not sure how people could possibly feel their security is more in jeopardy by taking the other login option away as currently they could obtain either to access your acct (along with password of course).

 

Second on my list of things in this thread that make me lol are the ridiculously awesome dev responses.

 

As a side note, GET A SECURITY KEY. :rak_03:


So I applaud you in your almost desperation in attempting to educate users on security. I also work a very similar job to yours, and have basically given up trying to educate my some 200k+ users... it's almost impossible. We have mandatory training, briefings, education material... and sadly... people still make the same stupid mistakes all the time.

 

Of course we, for the most part, have the luxury of just blocking access to things which cause us the most trouble, because it is our network... you on the other hand, have to account for everyone having access and can't be so cynical about it...

 

Good luck on trying to get these people to understand why everyone in the world knowing your display name really doesn't matter... Here is a thought for everyone else...

 

Do you work for a company in which you actually have a company email address?

If you do, is this email address some semblance of your name?

Is this also what you use to log in to the company's network?

 

If you answered yes to these questions, which I am most certain that you did, then ask yourself, does the fact that someone knows either your company email address or your name in any way make your account log in less secure? Keeping in mind that most people can EASILY datamine your name from the company's website, or even through other random phishing techniques... heck even just guessing common first and last names!

 

For those who maybe don't work for a company where you have a company email and login, I will let you in on a secret: everyone I know of does their systems in this fashion. The government, Microsoft, Google, and yes, even Bioware all utilize these things. Why?

 

1. Your email address looks more professional when it contains your.name@company.com

2. It is easier to remember your login ID when it is your own name

3. It is easier for others to find your contact information if, you guessed it, they know your name.

 

This does nothing to take away from security. So then why does it matter if some randomly thought up username that you likely use all over the internet as your avatar is a big deal if it is also used to log in to the site and the game? Your avatar is an anonymous identifier you use... I mean... hey... we could switch to making you use your real name as both your display on the website and also your login ID.


This whole forum post makes me lols. I appreciate your short, long, very long, and duck answers. And since I am not a complete n00b at security, I am glad to see this change.

 

Same here. I know more than most about different things and with everything taken into account, this change is good, for the better and will continue to enhance what is already VERY good account security. There is a reason there are not huge threads on the forums with people complaining their accounts got hacked.

 

And I can tell you, it's not because the bad guys aren't trying.


Dear Jeebus you people are all idiots. Had you been using only your user name to log on to the website and the game client this whole time, this would not even be an issue. :w_mad:

 

The display name I use here is used only here and nowhere else. It does not even come close to the email address I use for it and the password here is not the same as my email address password. You don't have to have your passwords match nor do you have to match your user name to the first part of your email address.

 

Also the security question answers are meaningless as you can provide any sort of an answer for them. e.g.

Q. Where were you born?

A. I like hooters or A. banana

 

Due to the fact I have been on the net for 20+ years, I have accumulated literally hundreds of user names and passwords and security questions. The majority I can actually remember, but I still have them on a spreadsheet which is encrypted on an encrypted thumb drive. Not one of my accounts has ever been hacked or been a part of a website that has been hacked and user names stolen. That's not to say a website wasn't hacked, just that my accounts were never hacked nor stolen.

 

I want to know how many of you out there have had an account that has been hacked?


How often have we actually heard about accounts being hacked?

 

I despise how the term is usually misused as badly as it is, because most of the time people aren't "hacked"; they either give away their account info to phishing or to people they shouldn't have trusted, or have it stolen by keyloggers and other types of malware. In the majority of cases account theft is due to carelessness and/or stupidity. Few and far between are the times people lose their accounts due to someone sitting down and actively hijacking their account by circumventing or figuring out the password...


Just to put this in perspective.

 

Given adequate other controls (which they obviously have).

 

It doesn't matter if I have your login ID (whether it's email or username).

 

It matters if I have that, and your password.

 

Since your email is generally static (and usually reasonably unique, i.e. generally only you use it at each website you sign up to)... when various websites get hacked (which happens a lot) and an email/password combo ends up on a rather large list, chances are much better that you have used the same email and password here.

 

If you use a username, chances of you using the same username and password on multiple sites are slimmer, as it's not unique to you (i.e. bob@bob.com is unique to Bob if it's his email address, but TheBob might be already taken, so on here he is BobTehAwsum).

 

I know from doing security on some large authentication systems that every time there is a massive password dump from a newly hacked site, there is a LARGE increase in successful logins to the systems I was monitoring.

 

You guys only need to think about your account, Phil needs to think about all the accounts and has access to much more data, so having been in a similar position I both agree with and trust him.

 

TL;DR: email is unique to you, username might not be. Password reuse chance is much lower.


Nerf Phillip. He is clearly OP

 

LOL.

 

He is teh security boss.... buff him.. don't nerf him. :D

 

And I love the way he is effectively pwning the nonsense in this thread, while remaining politely British and not needing to get all medieval on them. Above all else, the Brits are most often polite and civilized, even when pwning others into mudsauce. :)


I, personally, see no purpose in it. BioWare/EA neither gains nor loses anything. E-Mail is used on practically every large MMO Website, along with other account hubs. If, somehow, this will save money or something, then I can understand (Though that doesn't make sense). This doesn't improve security, rather removes one extra barrier in the way of hacking an account. Has EA ever heard of "Don't fix what ain't broken", or do they insist on 'fixing' it until it does break?

Remove your Authenticator/Security Key and you will be asked to answer your Security Questions whenever your IP changes.

 

That's not 'verification' , that's an industry standard practice, built into the software that EA/BW is using. That's not security, that's a cookie, nothing more, it's session based. As soon as your IP changes, the cookie/session expires. You'll find you also have to login every time your session expires.

 

Incompetent? He seems extraordinarily competent!

Clearly not, if he's advocating this as a 'security enhancement'.

The upshot is that accounts will be in an even more secure state as of April 2nd.

HAHAHAHAHAHAHAHAHAHAHAHA

Thanks for providing a good laugh, but that's all it is, just a laugh.

One of the first things any good security expert will tell you is to remain as hidden as possible, to give out as little information as possible. Guess what, you've already given out one of my pieces of login information. Sure, it's only one, but it's STILL one of my pieces of login information. More secure? HARDLY.

 

Adding IP verification? GREAT, thanks for giving yet another way for my account to be locked. What, never heard of a DDOS before? It's called 'distributed' for a reason, because it's spread out across multiple networks and blocks. So, now, you've just provided some script kiddie a quick and easy way to lock my account. Genius, thanks man!

 

you can

 

ALREADY USE YOUR DISPLAY NAME TO LOG IN

This was NOT ALWAYS THE CASE

Whenever this changed, it was a huge step back in security.

And I love the way he is effectively pwning the nonsense in this thread

 

Oh, he's not pwning anything, just proving how little he actually knows about security here. Go on, believe his garbage if you want, but he's not actually pwning anything.

 

This being changed from private (email) based login to public name login was ridiculous in the first place. To force individuals to use the public name to login is just ridiculous. Basically, what's being said here by a self proclaimed 'security expert':

 

Go ahead, leave your credit card numbers out in the public.

After all, hiding them is, well, it's stupid, because there's "other" forms of validation and security available


I, personally, see no purpose in it. BioWare/EA neither gains nor loses anything. E-Mail is used on practically every large MMO Website, along with other account hubs. If, somehow, this will save money or something, then I can understand (Though that doesn't make sense). This doesn't improve security, rather removes one extra barrier in the way of hacking an account. Has EA ever heard of "Don't fix what ain't broken", or do they insist on 'fixing' it until it does break?

 

:rolleyes: There is benefit in at least reading Phillip's posts in this thread if you don't want to bother reading anything else in the thread.

 

They have already said several times that they want your email address disconnected so that it can become part of more customer self-service features. So, while they have not announced the specifics yet, it clearly has benefit for Bioware and for customers (given how backed up live customer support gets, and someone needs to update/change their key authenticator or any of a dozen other actual internal account related updates). ;)

 

And NOOOOO... it does not remove any barrier to hacking an account... also covered at length in this thread.

Edited by Andryah

Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently have been looked at a few times already, and I'm sure it will come up as a topic internally again. With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite.

Thank you for the reply. I hadn't considered the impolite questions issue. That makes sense. More options would be much appreciated. As it stands, it appears that I will have to use the current security questions as de facto password entries and squirrel away the answers somewhere safe, wherever that may be given household moves and such.

 

It's a bit disconcerting to have to purposefully misuse a security system in order for it to actually function as a security measure.

 

Your responses are much appreciated. Very impressed.


I just want to pipe in and make a point or two.

I have a functioning Identification/Authentication/Authorization system on top of a few of the applications I have created.

 

When I got to a high number of users, the number one problem was people who forgot their username, or forgot what email address they used when they signed up, or were irritated someone before them got their user name. When my customer got tired of the support calls to help these people, *that* was when I changed my system to use email addresses.

 

To be clear, email addresses as logins are a *convenience* feature for forgetful/lazy/disinterested users.

As a logical extension to that, account information for forgetful/lazy/disinterested users is much easier to steal.

 

To follow someone else's credit card analogy, this is not akin to leaving credit card numbers public. A credit card number is akin to the "authorization" part of Identify/Authenticate/Authorize.

 

This would be akin to leaving the person's name out.

You know, like a phone book :cool:


I hadn't considered the impolite questions issue. That makes sense.

 

After nearly going catatonic last night watching a /general chat channel that yanked me hard back into the worst memories of any random day in Barrens chat in WoW... yeah... I can totally relate to what Phillip said about impolite questions and such from any random account holder if they were given freedom to make their own questions.

 

Personally, I also do what Phillip does: I pick non sequitur answers to the questions and then record them inside my secure password manager for future reference.

Edited by Andryah

Oh, he's not pwning anything, just proving how little he actually knows about security here. Go on, believe his garbage if you want, but he's not actually pwning anything.

 

I'm sorry, what are your qualifications again?

Edited by DaRoamer

I can't seem to log in with my bloody display name. - _ -

 

Just a thought... you have two "-" in your display name. Might be something bugged about that... so give them a shout about it and see what's up.

Edited by Andryah

You know what gets me the most out of all this and is making me laugh about all these complaints?

 

So many people are complaining about something that is already in place and already able to be done. Basically you can already use your Display Name to login, so it makes no difference if they remove the ability to use Email Address or not. If you are afraid of someone knowing and trying to use your Display Name to hack your account, you are already too late. I just find it funny that people are overlooking this and making a fuss about it. :D

 

So why even complain about them removing the ability to use your Email and only use your Display Name? It is better to not use an email address after all.

 

Anyways that is just my view on it. :rolleyes:

 

This guy got it in a nutshell ^


I'm sure much of this has been mentioned in the thread, but this seems like a poor move.

 

I do understand that compromises are a huge impact to the company, and that there are many people with terrible security habits. I'm fully on board with making things more secure, and reducing the ticket wait time by reducing compromises, but this doesn't appear to be a solution to that.

 

When used properly (i.e. unique e-mail and password just for TOR), the e-mail system is just better. It's not visible to others, so it's not as vulnerable to domestic compromises, or "revenge attacks" where they try to lock you out of the system with incorrect login attempts; it's changeable at any time; it provides a secondary layer that must be discovered should an exploit in TOR's website occur that would allow brute force attempts; and also of great concern, if it's your login people tend to keep it more updated and thus can get important e-mails from the TOR staff (like presumably notices of password changes and such, so they can get their account back sooner and minimize the damage).

 

I think a security education effort, more publicised bonuses for security keys, security key contest reward giveaways, etc. would be a better use of time. The nice thing about a security key is it changes you being compromised from any of a number of techniques to "you have specific malicious software on your computer", which more or less takes the user error/poor security habits out of the picture.

 

I think it's also worth mentioning that exploitive compromises (performed by companies to sell gold) are mostly performed by:

 

1. Phishing. Tricking people into replying to a bad e-mail, going to a look-alike site, etc. In these cases, the info is compromised regardless of the form; at least with the e-mail, you can change to a new just-for-TOR address and are right as rain again.

 

2. Keylogging. If you have bad software on your computer, they get your info regardless of how complex it is or if it's an e-mail or username. Again, being able to change from one just-for-TOR address to another is the ideal recovery from this.

 

3. Using massive lists of information compiled from previous website compromises. This one only comes into play if you (foolishly) use the same info on other sites, and those sites have been compromised. While this one is being addressed by the change, a simple education that "hey, maybe it's not a good idea to use the same password and e-mail you were using back when Sony was hacked" seems more on point. Great loading screen tip, anyone?

 

So, it's far worse against domestic attacks or actual hacking, is harder to recover from for the common tactics used commercially, and only has a leg up if you are using the same contact info at another site that has been compromised.

 

Now if this is a "we can't use e-mails anymore in Germany due to legal reasons so we'll say security, cause everyone likes things to be more secure" or what have you, that's fine. Just give us easy and secure access to change the username, confess the true reason, and let's move on. As far as security goes though, this seems to be a step backwards.

 

-- my 2 creds


Lots of buzzwords

 

Stop thinking about your account, start thinking about millions of accounts where people commonly use the same email and password across multiple sites. Email is unique. bob@bob.com controls his account, so really only he can use it across the many sites. Therefore when one site gets hacked and Bob's password and email are stuck up on the internet, he gets added to large lists that bad guys run on auth systems.

 

If Bob uses a login name, he doesn't own it or control it and so it can't be unique across all the sites he logs into. If Bob123 is exposed via an attack, the bad guys have a much higher hit ratio; they have no idea Bob123 on Site X is NotBob on SWTOR.

 

Every time a new site gets hit, you see the list run against sites to try and find accounts using the same password. This makes it a little harder.
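Two posters above describe the same observation from the operator's side: after a public credential dump, a large authentication system sees a jump in *successful* logins, because the leaked email/password pairs are replayed against every site that uses email as the login. The detection logic below is an added example written for this page, not code from the forum or from BioWare; it assumes a constructed log format of `<timestamp> <OK|FAIL> <source ip> <account>` and uses made-up sample lines. It flags an hour when the count of successful logins rises well above the baseline of earlier hours *and* most of those successes come from source IP / account pairs the system has never seen together, which is what a replayed list looks like and what an individual user's own logins do not.

```python
"""Flag hours where successful logins spike above the recent baseline.

Added example (not from the thread). A sudden rise in successful logins,
spread over many source IPs that have never been seen on those accounts,
is the signature of a leaked credential list being replayed against the
site. Log format and sample lines are constructed for this example.
"""
from collections import defaultdict, namedtuple
from statistics import mean

Event = namedtuple("Event", "ts ok ip account")

# Constructed log: "<ISO timestamp> <OK|FAIL> <source ip> <account>".
# Hours 00-02 are ordinary traffic; hour 03 is a burst of successes
# from ten different addresses, each hitting a different account.
SAMPLE_LOG = """\
2013-03-20T00:05:11 OK 203.0.113.10 bob
2013-03-20T00:41:02 FAIL 203.0.113.10 bob
2013-03-20T00:42:30 OK 203.0.113.10 bob
2013-03-20T00:55:09 OK 198.51.100.7 alice
2013-03-20T01:10:44 OK 198.51.100.7 alice
2013-03-20T01:33:19 OK 203.0.113.22 carol
2013-03-20T01:50:00 FAIL 203.0.113.22 dave
2013-03-20T02:02:15 OK 203.0.113.10 bob
2013-03-20T02:30:51 OK 198.51.100.7 alice
2013-03-20T03:00:01 OK 192.0.2.1 erin
2013-03-20T03:00:04 OK 192.0.2.2 frank
2013-03-20T03:00:09 OK 192.0.2.3 grace
2013-03-20T03:00:13 FAIL 192.0.2.4 heidi
2013-03-20T03:00:17 OK 192.0.2.5 ivan
2013-03-20T03:00:22 OK 192.0.2.6 judy
2013-03-20T03:00:28 OK 192.0.2.7 mallory
2013-03-20T03:00:33 OK 192.0.2.8 niaj
2013-03-20T03:00:39 OK 192.0.2.9 oscar
2013-03-20T03:00:45 OK 192.0.2.10 peggy
2013-03-20T03:01:02 OK 203.0.113.10 bob
"""


def parse_log(text):
    """Parse the constructed log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, ip, account = line.split()
        events.append(Event(ts, result == "OK", ip, account))
    return events


def hourly_successes(events):
    """Map hour bucket (YYYY-MM-DDTHH) -> list of (ip, account) for successes."""
    buckets = defaultdict(list)
    for e in events:
        if e.ok:
            buckets[e.ts[:13]].append((e.ip, e.account))
    return dict(buckets)


def flag_spikes(events, factor=3.0, min_new_share=0.5):
    """Return [(hour, success_count, share_from_unseen_ip_account_pairs)].

    An hour is flagged when its success count exceeds `factor` times the
    mean of all earlier hours AND at least `min_new_share` of the successes
    come from (ip, account) pairs not observed in any earlier hour. The
    first hour has no baseline and is never flagged. Hours with zero
    successes do not appear in the buckets and so do not lower the mean;
    a production version would fill those gaps with zeros.
    """
    buckets = hourly_successes(events)
    seen_pairs = set()  # (ip, account) pairs observed in earlier hours
    history = []        # success counts of earlier hours
    flagged = []
    for hour in sorted(buckets):
        logins = buckets[hour]
        count = len(logins)
        new_share = sum(1 for pair in logins if pair not in seen_pairs) / count
        if history and count > factor * mean(history) and new_share >= min_new_share:
            flagged.append((hour, count, round(new_share, 2)))
        history.append(count)
        seen_pairs.update(logins)
    return flagged


if __name__ == "__main__":
    for hour, count, share in flag_spikes(parse_log(SAMPLE_LOG)):
        print(f"{hour}: {count} successful logins, {share:.0%} from unseen ip/account pairs")
```

On the sample data only hour 03 is flagged (10 successes against a baseline of 2 to 3 per hour, 90% of them from unseen pairs). The two conditions matter together: a busy evening raises the count but not the unseen-pair share, and a single user on a new connection raises the unseen share but not the count.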


Oh, if you want an example of why emails are kind of sucky, go to Pwned List

 

http://pwnedlist.com

 

They collect the email addresses from website leaks/dumps and you can check if your email/password has been leaked.

 

You will be surprised.

 

*Edit in case anyone is concerned: Pwned List is legit, it's a service you can use to alert you if your details have been leaked/compromised; it's also used by LastPass (great password service btw) to alert people when they are affected by a security compromise of a site.

Edited by Warwench
