Petition to add 'Remember me' to the login screen

[AttiasBarak 25]

We really need it, It's super annoying to type in the password every time.
Not only that, it's way more secure than typing in the password every time and it can actually save you(DE) money in the long term.

Summery:

• No need to type in the password.
• Less time spent on login.
• Can use stronger passwords.
• More secure against keyloggers.
• More secure when logging in public places.
• Less requests from the login server due to less typos.

Example:

[Lazarow 1,484]

This is a good idea but I dont get the more secure part, if someone has access to your device they can simply open the game and do whatever they please

[Chewarette 5,301]

42 minutes ago, AttiasBarak said:

• More secure when logging in public places.

Erm... So that everyone and their mother can log in to your account is somehow more secure ?

[(NSW)Fiftycentis 275]

30 minutes ago, Chewarette said:

Erm... So that everyone and their mother can log in to your account is somehow more secure ?

Well, just deactivate the remember me in those situations, and let the disconnect option not keeping the password saved

[SergioSebastian 0]

Would be a nice addition indeed.

Besides it's better to have that option than not at all.

[vomder 1,457]

Wouldn't it be better for it to be a 'Remember me on this device" option instead? 

[RedDirtTrooper 2,229]

I'd settle for even being able to put it in a command line option and save it that way. My PC is secure, I'm not worried about anyone using my personal shortcut to access my account.

[AttiasBarak 25]

On 2019-08-10 at 9:25 PM, RedDirtTrooper said:

I'd settle for even being able to put it in a command line option and save it that way. My PC is secure, I'm not worried about anyone using my personal shortcut to access my account.

 

On 2019-08-10 at 2:53 PM, Lazarow said:

This is a good idea but I dont get the more secure part, if someone has access to your device they can simply open the game and do whatever they please

Well if untrusted people have access to your device then you shouldn't this feature...  
Or they can add pin system on top of it so you still wont have to type in your password.

On 2019-08-10 at 3:02 PM, Chewarette said:

Erm... So that everyone and their mother can log in to your account is somehow more secure ?

I meant that it's more secure to say login with YOUR PC in public places.

On 2019-08-10 at 8:59 PM, vomder said:

Wouldn't it be better for it to be a 'Remember me on this device" option instead? 

It's less secure and doesn't work 90% of the time (in most software) so nah, Just login once and you're good to go.

On 2019-08-10 at 9:25 PM, RedDirtTrooper said:

I'd settle for even being able to put it in a command line option and save it that way. My PC is secure, I'm not worried about anyone using my personal shortcut to access my account.

That is a terrible idea on so many levels.
Also your computer isn't really secured if it's connected to the internet...

[NoSpax 721]

Am 10.8.2019 um 13:21 schrieb AttiasBarak:

We really need it, It's super annoying to type in the password every time.
Not only that, it's way more secure than typing in the password every time and it can actually save you(DE) money in the long term.

Summery:

• No need to type in the password.
• Less time spent on login.
• Can use stronger passwords.
• More secure against keyloggers.
• More secure when logging in public places.
• Less requests from the login server due to less typos.

 

The things I marked in bold contradict your idea so hard, it makes it even easier to hack accounts. The red one is flat out BS.

1. As soon you save the password in a file, this file becomes a target for malware specialized to steal data. This also counts for tokens and hashes, you never save them.

2. "More secure against keyloggers." That's what 2FA was made for. 

3. Did I read that correctly? "More secure when logging in public places." How? Is SHA256/EDCSA+AES encryption too weak for you? 

If you want to skip logging in so badly, make a macro.

 

vor einer Stunde schrieb AttiasBarak:

Or they can add pin system on top of it so you still wont have to type in your password.

So I have to type a PIN instead of the password? Great choice. Wait, wait, how we protect the PIN with another?

Input the PIN for the saved PIN, which unlocks the password and have me type 2FA code! Cool. 

 

Zitat

It's super annoying to type in the password PIN every time.

Defeats the purpose, right?

 

What's really missing is a DE-AUTH. I want to deauthorize other devices then the one I am currently logged in, so those are forced to enter 2FA to authorize.

 

 

[AttiasBarak 25]

12 hours ago, NoSpax said:

The things I marked in bold contradict your idea so hard, it makes it even easier to hack accounts. The red one is flat out BS.

1. As soon you save the password in a file, this file becomes a target for malware specialized to steal data. This also counts for tokens and hashes, you never save them.

2. "More secure against keyloggers." That's what 2FA was made for. 

3. Did I read that correctly? "More secure when logging in public places." How? Is SHA256/EDCSA+AES encryption too weak for you? 

If you want to skip logging in so badly, make a macro.

 

So I have to type a PIN instead of the password? Great choice. Wait, wait, how we protect the PIN with another?

Input the PIN for the saved PIN, which unlocks the password and have me type 2FA code! Cool. 

 

Defeats the purpose, right?

 

What's really missing is a DE-AUTH. I want to deauthorize other devices then the one I am currently logged in, so those are forced to enter 2FA to authorize.

1. Stronger password: not having to type in the password every time mean that you can use a password manager with random generated password (without the need to copy paste it each time that you want to play)

2. Keyloggers: if you have a keylogger and you already saved your password then you don't type it again which mean that the keylogger cant pick it up.

3. Public: I meant that you don't need to hide your keyboard when you typing in your password in public places.

4. Server requests: less login attempts => less requests => less processing & traffic => less heat, power etc... => save money (and the environment a bit)
It doesn't seems much but in the long run (few years) we are talking about thousand of dollars (and some dead animals)

5. Saving the password: you obviously not saving it as plain text and the authorization service should check if the device is friendly. 
Which mean that even if a hacker has your encrypted password he cant use it or know what the actual password is.

6. Macro: it's basically the same as saving your password as plain text, Nty.

7. PIN: you can use PIN code if you already logged in on the device (as I said its for people who share there computer with others)
And the PIN is client side, it just unlock the logging process and it can be even 4 digit numbers.
it need to be secured enough to keep your brother from your account on your shared PC for example.

[NoSpax 721]

1. I don't use password managers. After I came across one, where you needed to select the window, the password belongs in, I instantly ditched it. This can be intercepted, as SendKeys() is bad. Yeah, I know there are more elegant API solutions.

2. That's true. It can pick up the PIN, though. And any failed attempt putting it in.

3. You are correct. But they can see you entering the PIN, which is shorter and easier to remember then a 23-digit password. Might as well enable Creator Mode to hide the email, which is actually a really nice feature (which should be seperated as "Privacy Mode", what if I want to play normal, but hide only my Email?)

4. I am not really sure, why you have to emphasize that. a failed login for 10000 players should sum up to 1-10MB, while on the other hand 10000 people download 35GB at the same time as an constant stream. You see my point? 

5. If it is not saved as plain text, where is the key for that file? Embedded in the client? Stored on the server? In the latter case, you even add another request on top of the already existing auth, which saves even less power. If the file is encrypted using a hardcoded key, it's basically a deathtrap. Once you get the hands on that key (either by datamining or disassembly), you can decrypt the password file of other people too, which instantly bypasses the new Security-Layer you propose. And it's not gonna stop there. If someone has your email and password, no one is gonna stop that person to go to the website, change your password and open a ticket with a request to change the email, while you are locked out for that time. At this point, I don't know if 2FA takes effect, I never had to enter it on the website - yet. If your PC was a Laptop and it is stolen, yeah, that's different as the device is still authorized. And no, a password on your laptop will stop no one, which knows what they have to do. 

Also, if your PIN is the key, you even worsened the security. Let's say your password is "aw34tgbu3§$56ivqtfguifb4", and you lock that behind a 4-digit PIN... When your change the PIN, you may have to enter the password again unless it is buffered and rewritten into the file. And what is harder to crack in terms of password lenght and entropy?

6. Ok, I admit it's a garbage idea. Let's forget that one. But I am sure at least one warframe player uses that, albeit very low possibilty

7. Depending how it's done, your brother will go to google and enter some keywords and may get a virus ridden program, which brute forces all 9999 combinations of your PIN. And that won't take long (client side has no lag). And because the program is a virus written for Warframe, will stay undetected for days.

BUT and thats a big BUT (and I am emoting a handshake), there may be a way to realize that. it may have a different approach, which takes the password (semi-)completely out of the equation.

[AttiasBarak 25]

On 2019-08-17 at 5:28 PM, NoSpax said:

1. I don't use password managers. After I came across one, where you needed to select the window, the password belongs in, I instantly ditched it. This can be intercepted, as SendKeys() is bad. Yeah, I know there are more elegant API solutions.

2. That's true. It can pick up the PIN, though. And any failed attempt putting it in.

3. You are correct. But they can see you entering the PIN, which is shorter and easier to remember then a 23-digit password. Might as well enable Creator Mode to hide the email, which is actually a really nice feature (which should be seperated as "Privacy Mode", what if I want to play normal, but hide only my Email?)

4. I am not really sure, why you have to emphasize that. a failed login for 10000 players should sum up to 1-10MB, while on the other hand 10000 people download 35GB at the same time as an constant stream. You see my point? 

5. If it is not saved as plain text, where is the key for that file? Embedded in the client? Stored on the server? In the latter case, you even add another request on top of the already existing auth, which saves even less power. If the file is encrypted using a hardcoded key, it's basically a deathtrap. Once you get the hands on that key (either by datamining or disassembly), you can decrypt the password file of other people too, which instantly bypasses the new Security-Layer you propose. And it's not gonna stop there. If someone has your email and password, no one is gonna stop that person to go to the website, change your password and open a ticket with a request to change the email, while you are locked out for that time. At this point, I don't know if 2FA takes effect, I never had to enter it on the website - yet. If your PC was a Laptop and it is stolen, yeah, that's different as the device is still authorized. And no, a password on your laptop will stop no one, which knows what they have to do. 

Also, if your PIN is the key, you even worsened the security. Let's say your password is "aw34tgbu3§$56ivqtfguifb4", and you lock that behind a 4-digit PIN... When your change the PIN, you may have to enter the password again unless it is buffered and rewritten into the file. And what is harder to crack in terms of password lenght and entropy?

6. Ok, I admit it's a garbage idea. Let's forget that one. But I am sure at least one warframe player uses that, albeit very low possibilty

7. Depending how it's done, your brother will go to google and enter some keywords and may get a virus ridden program, which brute forces all 9999 combinations of your PIN. And that won't take long (client side has no lag). And because the program is a virus written for Warframe, will stay undetected for days.

BUT and thats a big BUT (and I am emoting a handshake), there may be a way to realize that. it may have a different approach, which takes the password (semi-)completely out of the equation.

 2. So? the PIN suppose to be locally on your system, if a hacker know your PIN he cant do anything with it except if he remote control your PC and login.

3. Again the PIN is locally.. 

4. To get more points.

5. There are many many ways to do that, DE will choose the one that is best suit for their systems.

7. First of all cage him, Second if this does happen your brother will have access to your account but the one who wrote that software wont.
And in this extremeish example the current system will fail so so so much worse if your brother were to install a keylogger on your machine.

[SECURATYYY 296]

I would love for it to be an option. Don't make it mandatory, and don't fluff bs reasons to make the idea more attractive, but it would certainly be handy.

 

I've typed my password in before when the borderless window was open, but it typed it into the window behind it. When I hit enter, it hit enter on the window behind it. ohsh!t.gif. Now because of that I always manually click login.

[(NSW)Fiftycentis 275]

20 hours ago, SECURATYYY said:

I've typed my password in before when the borderless window was open, but it typed it into the window behind it. When I hit enter, it hit enter on the window behind it. ohsh!t.gif. Now because of that I always manually click login.

It happened to me once, typed it on discord, luckily a server not wf related so no link for that password to something, but I know it happened to other guys too