4 replies to this topic

[Th3 James]

Add that for the client and the website. It is a pretty standard feature and one less password entry a day would make my life a little easier.

I enter passwords about 50 times a day when I am at work (I.T. support at a hospital)

My passwords are unique for every service/site, it would be nice to forget 1 of them and just have my password remembered. If I forget I can simply reset.

Thank You for taking the time to read this if you got this far.

Have a nice day.

[ArcDemon]

I think this is is done deliberately. Look at just about every other MMO/online only type game, they've all had to go this route because account theft is a real risk and a liability to the company. Some have gone even farther with 2-factor authentication.

[Th3 James]

Really hope I don't have to buy a RSA token generator and go through that **** every time I want to play.

if the passwords are salted and hashed what's the problem?

Or let me authorize my machine to remember it and only have 1 computer active per account then make me authorize any other machine through email code ala steam.

[ArcDemon]

Th3 James, on 06 January 2013 - 02:48 PM, said:

if the passwords are salted and hashed what's the problem?

Hashing (done properly with salting) is something done server side to protect your password there. On the client side encryption or hashing won't protect the password from a trojan because the client needs all the codes to unencrypt it before sending it to the server. If you just send the encrypted or hashed password to the server, then that becomes the only 'password' you need to steal and you're right back where you started.

Basically you can protect the password on the server (by making it so the server doesn't know your password, but can recognize it when it sees it), during transit to the server (public key encryption) but on your own machine anything goes. If the MWO client can figure out how to load and send your saved password, a trojan running on your machine can too.

[Th3 James]

ArcDemon, on 06 January 2013 - 03:38 PM, said:

Hashing (done properly with salting) is something done server side to protect your password there. On the client side encryption or hashing won't protect the password from a trojan because the client needs all the codes to unencrypt it before sending it to the server. If you just send the encrypted or hashed password to the server, then that becomes the only 'password' you need to steal and you're right back where you started.

Basically you can protect the password on the server (by making it so the server doesn't know your password, but can recognize it when it sees it), during transit to the server (public key encryption) but on your own machine anything goes. If the MWO client can figure out how to load and send your saved password, a trojan running on your machine can too.

Everything you said is accurate and is completely reasonable. I still wish they gave me the option even though it isn't the most secure process. I would be willing to accept some TOS that would absolve PGI from anything in the event my password and account was stolen. If I had spyware or any trojans running on my machine I would have alot more to worry about before Mechwarrior.

I will quit my rant and just accept the fact that I will have to manually enter it every single time. I should probably change my password to something less secure. 15 unique characters with upper and lower case + symbols and numbers seems a bit excessive for mechwarrior.