
Is BW trying to get something past us with login change?


KALELSAB


Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?


What do you mean how are both true? You need more than an email and a log in to access someone else's account anyways. If I gave you my login and password right now and you tried to log in to my account, you would get stopped by my authenticator. If I did not have an authenticator, it would ask you my secret questions since you are not on my recognized computer.

 

Is it that hard to accept that Bioware knows more about security than you do?


Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

 

Answered multiple times already by Phillip (and some forum members) in the official thread stickied up at the top of the forum.


What do you mean how are both true? You need more than an email and a log in to access someone else's account anyways. If I gave you my login and password right now and you tried to log in to my account, you would get stopped by my authenticator. If I did not have an authenticator, it would ask you my secret questions since you are not on my recognized computer.

 

Is it that hard to accept that Bioware knows more about security than you do?

 

What I mean is that they say no one can lock the account by failed attempts (currently they would have to know my email address, but with the change they just need my user name, which is available to anyone.)

 

And

 

They say that the account can't be locked out by someone. So how are both true?


Well first off, currently it's possible to use either display name or email. The email is much more likely to be stolen in a phishing attempt. Reducing it to one can only be more secure than having 2 login methods. A lot of people seem to be missing this fact.

 

As for your talk about brute forcing and account locking

 

http://www.swtor.com/community/showpost.php?p=5955636&postcount=98

 

Apparently they have systems in place, which they can't tell us about without reducing the effectiveness of the systems.


Answered multiple times already by Phillip (and some forum members) in the official thread stickied up at the top of the forum.

 

I got the quote from Philip and that is why I posted this so someone can explain it to us. My issue is people locking the account because they want to be malicious. All they need is the login name currently to do so. With this change, everyone will have access to the user name.


Hmm... don't know. I frequent many forums on various topics and they have various methods of validation. No biggie. These forums are unique as most MMO forums are in that your login allows access to more than just posting so... I'll take their word that it is what it is.

 

Whatever the case may be, I don't think they are trying to get something past us. This change is going to generate a lot of work for them. There will be churn, tickets, etc. etc. while people figure it out which BW will have to deal with. Net, net, it must be an important change for them otherwise they would not go through the churn.


Troll. Seriously these posts are getting nuts. Read the answers to already asked questions before you start posting more conspiracy threads, etc.

 

I did read every post on this subject. Thanks for the advice. I am trying to understand how BW is going to prevent account lockouts. They claim there is going to be "something" in place. Their answers contradict and that is why this post was started.


If they say 'we can't go into specifics for security reasons', they can't go into specifics for security reasons. Do you really want to give potential hackers more info just to satisfy your curiosity?

 

They say they have a system in place, I'll believe them till I see otherwise. It's your choice if you do the same. But really, you are not the security expert you seem to think you are.


Yes, they're obviously trying to put one over on us.

 

They're going to start with what might be the best account security system in any MMO and pull the wool right over our eyes to make it even more secure and more self-servicy.

 

Please read http://www.swtor.com/community/showthread.php?t=607377 that thread, especially Phillip_BW's posts therein. Or you can find them via the very convenient DevTracker feature: http://www.swtor.com/community/devtracker.php


I did read every post on this subject. Thanks for the advice. I am trying to understand how BW is going to prevent account lockouts. They claim there is going to be "something" in place. Their answers contradict and that is why this post was started.

 

Your title suggests troll. But of course, this company is blatantly trying to pull one on us, because that's how all evil companies work, right?


I did read every post on this subject. Thanks for the advice. I am trying to understand how BW is going to prevent account lockouts. They claim there is going to be "something" in place. Their answers contradict and that is why this post was started.

 

You have my login ID. Do your best to lock out my account. When you are done, let me know and I'll log in.


Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a player's account, and at the same time will not be able to 'brute force' getting into the account."

 

How are both true?

 

They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

 

Maybe the security team that gets paid to think of things like this... has a.... plan...?

 

Maybe it uses security reroute techniques like the security questions that prevent having to lock out a user while still preventing brute force attacks.

 

Do you really have the computer security credentials to second-guess them?

 

1 black helicopter inc W.

 

Righteous. :)

Edited by Kubernetic

Ok, first I will not claim (like some people) that I know anything about security. I am a programmer but security is not my thing.

 

Second. They never said that an account won't be locked out (at least I don't think so). What they said was there are other systems in place to avoid the problem or make it so you can fix it yourself.

 

There is A LOT more going on and being sent to their servers than you typing in your username and password, it checking those against a database and seeing if they match. Including the IP address.

 

They have already said there are other systems in place. Some of these systems are during the check process (so invisible to you) and at the recovery part (so only trigger if you tell it to).

Edited by ninjonxb
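
One general way the two claims discussed in this thread can hold together, as an added example that is not part of any post and not BioWare's system (which the thread says is undisclosed): failures are counted per username and source address instead of locking the account, and a correct password from an unrecognized device still gets a challenge. `LoginGate`, the thresholds, the device tokens and the sample addresses are all hypothetical and constructed.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILS = 5   # assumed: failures allowed per (user, source) inside the window
WINDOW = 900    # assumed: window length in seconds

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self):
        self.accounts = {}               # user -> (salt, hash, trusted device tokens)
        self.fails = defaultdict(list)   # (user, source_ip) -> failure timestamps

    def register(self, user, password, device_token):
        salt = b"constructed-salt"       # fixed only to keep the sample deterministic
        self.accounts[user] = (salt, pw_hash(password, salt), {device_token})

    def attempt(self, user, password, source_ip, device_token, now):
        key = (user, source_ip)
        recent = [t for t in self.fails[key] if now - t < WINDOW]
        self.fails[key] = recent
        if len(recent) >= MAX_FAILS:
            return "throttled"           # only this source is slowed, not the account
        salt, stored, devices = self.accounts.get(user, (b"none", b"", set()))
        if not hmac.compare_digest(stored, pw_hash(password, salt)):
            self.fails[key].append(now)
            return "denied"
        # A correct password from an unrecognized device still needs a second
        # step (authenticator or security questions, as described in the thread).
        return "ok" if device_token in devices else "challenge"

def demo():
    gate = LoginGate()
    gate.register("player1", "correct horse", "dev-home")
    # Constructed traffic: five wrong guesses from one source, then the right one.
    out = [gate.attempt("player1", f"guess{i}", "203.0.113.9", "dev-x", now=i)
           for i in range(5)]
    out.append(gate.attempt("player1", "correct horse", "203.0.113.9", "dev-x", now=6))
    # The owner, on a recognized device from another address, is unaffected.
    out.append(gate.attempt("player1", "correct horse", "198.51.100.7", "dev-home", now=7))
    # Right password from a fresh address and unknown device: challenged, not admitted.
    out.append(gate.attempt("player1", "correct horse", "192.0.2.44", "dev-x", now=8))
    return out

if __name__ == "__main__":
    print(demo())
```

In a real deployment the device token would be a server-issued secret rather than a client-chosen string, and the failure store would need expiry so it cannot grow without bound.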

I got the quote from Philip and that is why I posted this so someone can explain it to us. My issue is people locking the account because they want to be malicious. All they need is the login name currently to do so. With this change, everyone will have access to the user name.

 

Apparently you did not understand then.... BECAUSE HE HAS EXPLAINED SEVERAL TIMES that they have systems in place to prevent it. ;)
