



> Using OTP with FFXIV login is painful, bad enough you need to enter password every time, but OTP also. There's a thing called OAuth that issues security tokens once you pass all authentication checks so you don't need to provide this stuff every time, apparently Blizzard can implement this but not SE. Cumbersome login processes always force bad security habits by users.

Convenience and security are ever on opposite sides of a spectrum.
No they aren't, OAuth easily fixes this, this isn't host based security, doubt you have a clue about IAM systems, so not surprised you would say something that naive.
Lots of banks and other institutions use that same technology to ease logins, even Office 365 does, even Blizzard, so you're just making excuses for SE spending poorly on security because you lack knowledge of how it works.
Last edited by Aurikai; 10-08-2022 at 11:15 AM.




My guy, I merely stated a pretty standard security adage which holds true almost no matter what. It's why "layered defenses" are better no matter what kind of system you're trying to create. No need to get hostile.
"No authorization or authentication standard is guaranteed to protect your information. If your information is available online, it’s susceptible to being stolen. If hackers breach a server of any service that you use, they could potentially take your login information or personal information, like name, address, and credit card information. [...] What makes OAuth great is that it restricts how many third-parties know your passwords. No, that doesn’t mean your personal information is 100% safe. But, by reducing how many entities have your passwords, you’ll lessen the chance that your passwords will get compromised."
No, you stated a blanket statement that had nothing to do with the topic at hand, which was OAuth would make it easier for users to log in. Saying nothing is 100% secure is like saying you should never drive or fly because cars aren't 100% safe, it's pointless thinking and completely dismissive. You can make excuses for SE not implementing that technology all you want, nothing you've said has provided any relevant counter arguments for why they shouldn't.
Saying "convenience and security are on opposite sides of the spectrum" isn't defending SE, take a step back, you're attacking someone who isn't against you.
Then why make that generalized statement at all? It's not relevant to the discussion which is WHY SE hasn't implemented this for users' convenience.
The authentication method may be one you prefer, but it is not the be-all-and-end-all you assume.
The major problem with OAuth as used by Blizzard is that it requires you to have a cell phone or tablet in order to use it. If you don't have one (and it appears to be required for the 'instant' authentication you appear to be pushing), it becomes much more cumbersome to use than a physical authenticator.
OAuth has nothing to do with the authentication, you can do OAuth with username and password, it's merely a framework for exchanging temporary tokens to KNOWN devices. The fact that I even need to explain this, shows you're way out of depth and shouldn't be arguing this. It's used on every single mobile app you have that doesn't require login every time, most bank websites, and a lot of other companies. I guess you guys know more than Microsoft, Okta, Apple, Google, and thousands of others who use this technology every day, apparently Sony is the leader in technology according to your standards.
This is why I hardly participate on these forums, SE can do wrong to most posters here, no matter the facts stacked against them.


*looks down at the tokens*
*looks up*
Aren't these just fancy internet cookies with some extra steps, m8?
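
An added illustration, not part of the thread and not Square Enix's or Blizzard's code, of the idea debated above: after one full password-plus-OTP login the server hands a known device a signed, expiring token, and later logins present that token instead. It is a simplified sketch of the token concept rather than a full OAuth 2.0 flow; `SERVER_KEY`, `TOKEN_TTL` and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this sketch: a constructed server-side signing key and lifetime.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL = 3600  # seconds a token stays valid


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(payload: str) -> str:
    """HMAC-SHA256 over the encoded claims; only the server can produce it."""
    return b64url(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user: str, device_id: str, now: float) -> str:
    """Called once, after password and OTP have both been verified."""
    claims = {"sub": user, "dev": device_id, "exp": int(now) + TOKEN_TTL}
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{sign(payload)}"


def verify_token(token: str, device_id: str, now: float, revoked=frozenset()):
    """Return the user name if the token is valid for this device, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None  # not in payload.signature form
    if not hmac.compare_digest(sig, sign(payload)):
        return None  # forged or tampered
    if token in revoked:
        return None  # server-side revocation, e.g. after a reported theft
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:
        return None  # expired: the device must do a full login again
    if claims["dev"] != device_id:
        return None  # token replayed from a device it was not issued to
    return claims["sub"]
```

The signature, expiry, device binding and revocation list are what separate this from a cookie that merely stores a session name; a stolen token is still usable until it expires or is revoked, which is why lifetimes are kept short.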




