Why not have NCSoft IDs for accounts?
NCSoft accounts are being transitioned to emails.
Having a random account name isn’t any safer. For emails, someone has to first know your email and second, guess you’re playing the game. For random named accounts, they can obtain your account name by getting your email and requesting a password reset / lost account. Either way, it all comes down to your email and password.
Originally, GW1 accounts used your registered email to log in. It wasn’t until the NCSoft account merger that they offered @ncsoft accounts. The NCSoft account name was never actually used for anything, except to log in to the NCSoft master account website.
If you wanted to, you could always register your account under a unique email, making a new email or alias each time.
Here’s what I mean.
Example 1, as it is now: Some undesirable finds out your account information somehow or another, say a keylogger that doesn’t get detected right away. They automatically know what e-mail address it’s registered to so they can attempt (and quite possibly succeed, especially if you don’t use a different password) to log in to your e-mail as well and have free rein with your account.
Example 2, as it would be: Some undesirable finds out your account information somehow or another. However, since they would only know a semi-random user name instead of the e-mail it’s registered to, they would somehow need to find out your e-mail as well to get past authentication or do much of anything, unlike now where finding out the account info automatically means finding out the e-mail address.
The NCSoft account name was never actually used for anything, except to log in to the NCSoft master account website.
Except that’s wrong, I remember using my NCSoft ID to log into Guild Wars and that’s why I brought it up, I thought (and obviously still think) it was better that way.
If you wanted to, you could always register your account under a unique email
That’s what I did, the problem is that the way it is now they automatically know what my e-mail address is if they find out my login information somehow.
Oh God, please no.
The farther we can keep this game from NCSoft, the better.
And unlike most comps that NCsoft produce for Anet. Is still its own entity.
Here’s what I mean.
Example 1, as it is now: Some undesirable finds out your account information somehow or another, say a keylogger that doesn’t get detected right away. They automatically know what e-mail address it’s registered to so they can attempt (and quite possibly succeed, especially if you don’t use a different password) to log in to your e-mail as well and have free rein with your account.
Example 2, as it would be: Some undesirable finds out your account information somehow or another. However, since they would only know a semi-random user name instead of the e-mail it’s registered to, they would somehow need to find out your e-mail as well to get past authentication or do much of anything, unlike now where finding out the account info automatically means finding out the e-mail address.
Why is there a keylogger in scenario 1 and not in scenario 2? If your system is compromised it does not matter one bit how you log in to the game.
That’s what I did, the problem is that the way it is now they automatically know what my e-mail address is if they find out my login information somehow.
And? The whole point of using that single-purpose email is that it doesn’t matter if it gets compromised.
The master account name was the username of the NCSoft account. The GW1 username was another account name under the NCSoft account.
The only scenario where a name based username would protect you is when the attacker knows your login info but not your email and, to log in, an email verification is needed. Even then, compared to an email based username, it’s really only protecting you if you have a weak or the same password on your email.
Name based usernames are generally private, so only the owner should ever know it. In this sense, to hack accounts, they use lists of emails to see if the email is registered to an account. If it is, they hack the email and gain the account name. If they know the account name already, you got phished or keylogged. If you got keylogged, they know everything. If you got phished, then they would know your login info and your IP (if they knew the email was needed though, they would have also phished that, but let’s pretend they didn’t). Using your IP, they can try to track you around the net and get your email from places you’ve been (typically from fansites via ads) or alternatively, if the account’s verification process is IP based, they can attempt to proxy near your location to bypass it, depending on how strict the verification is.
If you factor in other security measures, such as authenticators, the differences between the two types of usernames become so insignificant that the email should be used simply because you’re more likely to remember it.
I think using email addresses is worse than using a poorly conceived password. It’s very much like using your SSN for everything. Sure, some people have a gazillion email accounts… but not everyone does and a lot of those are ultimately tied to your true email address in the end. Far smarter to use a custom login ID than to use one’s email address because IT is very likely to be used in multiple places. In essence, it’s like using your SSN because it is unique to you, but it is not hidden to anyone because everyone asks for it. It’s the one known in the equation… it’s an email address. The only unknown is the password… and that is often easily cracked because most folks don’t like complicated passwords or use the same one rather than memorize a gazillion passwords.
I personally detest using my email address as a login ID. But I am forced to by just about every conceivable online address out there. And they all have my email address because of it. Any one of which could be hacked or sell it off to others. Might as well be using my SSN… everyone already knows that too… thanks to over usage in the early 80’s/90’s. Email address is not the solution… it’s part of the problem… too unique and too used. Makes it easier for hackers, not harder.
If your system is compromised it does not matter one bit how you log in to the game.
It’s entirely possible that only your game account info would be compromised, whether by design of the virus or catching it after your account info is compromised but before your e-mail info is compromised.
And? The whole point of using that single-purpose email is that it doesn’t matter if it gets compromised.
This makes absolutely no sense, if your account info AND e-mail info is compromised that’s a lot worse than having only your account info compromised. The only reason I don’t want my e-mail compromised is to keep my account more secure, except the way it is now that’s more difficult than it should be because of how I log in to the game.
If you factor in other security measures, such as authenticators, the differences between the two types of usernames become so insignificant that the email should be used simply because you’re more likely to remember it.
I considered that and I don’t think it’s insignificant or I wouldn’t have made the thread.
Either way I just figured it wouldn’t be hard to implement since that’s how user names were handled in Guild Wars for a time. It also wouldn’t need to be mandatory if people would rather use their e-mail to log in instead, but I obviously would rather not.