While having forums back again is a good thing, I really do not recommend that the forums use the account user/pass.
This should have been a separate password that can be set in UO / mythic account portal.
+10 years in IT security, and worked for a number of MMOs/games. I can assure you this is a very very very bad idea.
Just be happy that they finally arrived in 2000 and don't complain ... 🙂 Just joking, but I am with you.
I could imagine that if something goes wrong, there will be no active account left to post here.
Many (almost every?) other video game companies use the same login for their forums as their game.
I couldn't agree more with the OP, if this forum gets hacked it would be very bad...
Yeah even WoW does this, your forum account _is_ your account
A "quick and dirty" solution: until/if there is no separate PSW (I TOTALLY agree: ***VERY*** bad idea using the same PSW of the gaming account to access the forum, especially in today's version of the cyberspace ("we are not in Neuromancer anymore, Toto!")), use the most "useless" of your accounts to register to this Forum. You know: the one whose chars/toons you only use as "mules" to hang-on at big IDOC, hoping to get some of the scraps the double class cheater/scripter guys don't hoover.
What? You don't have at least one "Mule" full account?
Suuuure! :-D
As you Americans say: "Pull the other one, it got bells on"... ;-)
Cheers
Ivenor
Tin foil on the windows, we'll be fine....
Agree with the OP ... I am retired after 40 years IT and the linkage of forums to account in any manner is really unsafe. TBH, I feel safer (account-wise) on other boards.
Someone come get me when things are better. Sorry, BS/EA ... this is a deal-breaker for me.
At least the other games usually allow two-factor authentication.
And they also authenticate new logins to the game before it'll let you on. (Bnet, HoN, LOL etc)
Many companies also allow setting a separate forum password. (BIStudios)
UO (at least a year or so ago) didn't allow long passwords or special characters. Wasn't until recently this got fixed.
This forum board is untested. We don't know if it's an in-house designed board (it seems like it, if you look at the login prompt - this if anything seems very insecure). Has it been pentested?
These forums are based on Vanilla Forums. Not sure what Single Sign-On solution they're using.
I have to confess, my game account is precious to me. Even the most robust online system has its weaknesses, and so I chose the lesser of two accounts for this. Then, as Drakelord pointed out, I promptly changed the password for the account afterwards.
That said, most MMOs do have their official forums this way. People tend to pay more attention to their words when they must consider the consequences of choosing them poorly.
Would have been nice if the forum system implemented some sort of character connection. A lot of other MMOs will let you select the character you wish to "post as".
Changing the password at Mythic changes it here also. I tested this by trying to sign in with a different browser.
On a side note, I wish the edit post function had no time limit. This extra comment to clarify creates clutter imo!
I notice several EMs have already posted in the new forums, and I imagine the devs will be as well. That, right there, is reason to believe that security is a high priority for Broadsword.
Think about it - if someone did figure out how to hack these forums, I'd have thought Mesanna's account would be the first target, closely followed by Kyronix and Bleak's accounts - not a player's account, no matter how many rares they own.
I may be overly optimistic, but if this is their choice of security models, then I doubt they've gone into it without thinking it through.
2FA should be incorporated for all account functions, and really should've been done long ago, but they do what they can.
When was the last time UO/BS/EA was hacked? I have been here for 20 years and I have never heard of them ever getting "HACKED". Have there been people who lost accounts/items? Yes. Does that mean UO was HACKED? No. Most so-called Hacked Accounts are from mistakes by the person using little to no common sense.
For things I log into frequently I change my passwords weekly.
and it wasn't fixed until the new account management for info's....lol
EA has had credentials leaked a number of times after. Most of the time you just get an email saying your password has been reset as a security measure.
Broadsword uses Mythic's Auth. Not as widely attacked but trust me when I say that adding more services integrated into the same authentication always increases risks.
High? Probably not. But I don't like my forum credentials being used for an important game too. Forum credentials get entered via a web browser whose walled garden / VM could be exploited separately to log and pass on my password elsewhere.
I too find it concerning that these forums are directly linked to our master accounts, though I doubt the forum's backend stores our user credentials. Hopefully, there is something like a "user is authorized" property after registration - though I'd feel more secure if we could change our forum passwords to something else...
Most of EA's "hacking" woes relate to Pogo and Origin, revolving around credit card fraud. It wasn't just stolen cards, but purchases being made on users' accounts with the end product(s) going to someone else - this was mainly focused on FIFA.
As ridiculous as it sounds, EA/Origin also has a serious problem with randomly charging people's cards from other countries for their UO accounts. Most banks' fraud alerts go off when this happens and they sometimes block the charges (or charge back) which tends to cause EA to myopically ban the account for their own malfeasance.