Ok I can no longer log in to the game

Jaidlyn
Warder
 
Posts: 9
Joined: May 17, 2016 05:07

Postby Jaidlyn » Jun 04, 2016 07:26

It opens the Chrome browser, I hit manage accts, it tells me to enter my Gmail account, then it wants my personal Gmail PASSWORD?? Are you kidding me? I'm going to give the game my personal information? Am I confused about what goes in the Manage account Email? My email, then it asks for a password... If I hit nothing it takes me to Gmail, as if to tell me to log in to my Gmail, then I can PLAY DAoC again. WHAT? Please, someone get back to me, I had a group waiting for me. SO you're saying anyone who knows how to hack through the game, or devs, could access my personal emails and anything in my email. When I logged in the last 2 weeks I DID not give anyone permission or put in my Gmail password to gain access. I made a new pw specifically for this account to log in. Although it is connected to my email, it is NOT my personal email access pw. So 2000-some people are now vulnerable to being hacked into their email? Please stop me now cuz I'm ranting cuz I love playing this shard, but I'm not giving anyone personal access to my email.

I have not had my Gmail open ever when I played this game; now it's telling me to leave my Gmail open so you have access to my email in order to play the game?

No other games use this... You had a launcher, I put in info that was not my Gmail info. I logged in, I played, up until this reboot tonight. Now it wants me to open up Gmail in order to play the game. Please revert this so we can come back; some of us do not take chances with our email, personal info etc. Post here when the launcher is back to how it was, so I can log in again to play. Thanks

TheKrokodil
Alerion Knight
 
Posts: 2126
Joined: Jan 11, 2005 01:00

Postby TheKrokodil » Jun 04, 2016 08:08

We didn't change the OpenID part of the launcher at all. You still authenticate the same way as yesterday, a week ago, or a month ago.

Please read this: http://openidexplained.com/
And this: https://en.wikipedia.org/wiki/OpenID

Then look at the URL in your browser when you're asked to enter your password

We don't get to see your password.
Be nice. :)

Jaidlyn
Warder
 
Posts: 9
Joined: May 17, 2016 05:07

Postby Jaidlyn » Jun 04, 2016 08:23

I'm sorry, I do not understand why it asks me to log into my GMAIL account in order for the game to LAUNCH. I am someone who is protective and vigilant about protecting info and pw, and against viruses and trojans and phishing. I do not do anything I feel is giving someone access to my puter or mail.

I read the explanation and all I read was that a token is generated that goes away after a few moments to enter the launcher or something. UM? What is the problem with having an account that is not associated with your personal Gmail password to log in? Ask me to log in via my Facebook, I have no problem with that, but not my personal Gmail / keeping my Gmail open in a browser so anyone could try to hack it. I don't get it?

Jaidlyn
Warder
 
Posts: 9
Joined: May 17, 2016 05:07

Postby Jaidlyn » Jun 04, 2016 08:32

OpenID won't bother you for the same information over and over again. THIS is exactly what I mean. THIS means someplace your information is being stored, available to hackers to use at their leisure, and if they can hack into the Pentagon and banks etc., do you think they can't get into an OPEN ID? ... Like I said, I don't have a problem logging in with Twitter or Facebook, but not a personal EMAIL. I never keep my information on REMEMBER ME, even in my browser. Open ID is so you don't have to fill in forms a gazillion times. Well, for me, I fill them in; I am not leaving my info available, stored some place. So what I'm saying is other games, like all the games we all have played, have separate log-in accounts. Just the new games that play on Facebook and such are the NEW thing, era of whatever you call this. I am not comfortable with OPEN ID, I mean even the name says HELLO come take my info. Ugh... well, I guess if I want to play DAoC I'd have to play the HORRIBLE non-classic.

Thank you so much for the opportunity to get to play on the shard for the time I have been able to play. And for the response... definitely appreciated. Love the shard, love the people... but not giving my info up. :(

TheKrokodil
Alerion Knight
 
Posts: 2126
Joined: Jan 11, 2005 01:00

Postby TheKrokodil » Jun 04, 2016 08:34

You read the wrong explanation.

Please read this: http://openidexplained.com/
And this: https://en.wikipedia.org/wiki/OpenID

Image

The OpenID login asks you to authenticate yourself with an OpenID provider, which can either be (a) Google, (b) Facebook, (c) Microsoft, or (d) a legacy password account. You have to stick with whatever you selected on the first login when creating your account.

If you created your account using your Gmail address, we can only authenticate you against that account, so you have to prove that you are in fact the owner of the Gmail account. To do that, OpenID redirects you to google.com/gmail, at which point you have to enter your password if you are not already logged in. Please notice the "google.com" in the URL -- the password page is run by Google, not us.
After telling Google who you are, Google can tell us that you, in fact, are the owner of said email address. At no point in time did we see your password, or account content. We only know your email address.

"OpenID won't bother you for the same information over and over again"


This means that you don't have to enter "yet another password", because we actually don't store any password for your account at all. We just ask Google/the identity provider you choose to confirm to us that you are who you are.
Be nice. :)

Jaidlyn
Warder
 
Posts: 9
Joined: May 17, 2016 05:07

Postby Jaidlyn » Jun 04, 2016 13:22

Thank you, that is a great flow chart to explain OpenID. Yet why am I still uncomfortable?

I read this, and this is possibly why: in the wikia you gave me I read the section with Phishing. So really, why is OPEN ID safe? Why are we not just using the assured method of logging into a game account? Separate accts, and couldn't you use the method many forums use to authenticate you are you, by relaying a text line back to the forum mod and it accepts and allows you access? It seems Uthgard is asking to be sure we are who we say we are when logging in. We have traversed the login method tried and true since 1998, when we logged into games such as Ultima Online, and that is 18 yrs of logging into a game the same way; now this new method comes along that seems highly invasive. I guess I feel the way some do... If it's not broken, don't fix it. (But fix the bugs LOL)
Anyway, here is what the OPEN ID wikia says under phishing.
Here is what it says:
Phishing
Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[28][29][30] For example, a malicious relaying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end-user's account with the identity provider, and then use that end-user's OpenID to log in to other services.

In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party.[31] This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."[32]

Privacy / Trust Issue
Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[33] However, this problem is not unique to OpenID and is simply the state of the Internet as commonly used.

The Identity Provider does, however, get a log of your OpenID logins; they know when you logged into what website, making cross-site tracking much easier. A compromised OpenID account is also likely to be a more serious breach of privacy than a compromised account on a single site.

Authentication Hijacking in Unsecured Connection
Another important vulnerability is present in the last step in the authentication scheme when TLS / SSL are not used: the redirect-URL from the Identity Provider to the Relying Party. The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user. Some of the Identity Providers use nonces (number used once) to allow a user to log in to the site once and fail all the consecutive attempts. The nonce solution works if the user is the first one to use the URL. However a fast attacker who is sniffing the wire can obtain the URL and immediately reset a user's TCP connection (as an attacker is sniffing the wire and knows the required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers but cannot prevent active attackers from executing the replay attack.[34] Use of TLS/SSL in the authentication process eliminates this risk.

Liss
Eagle Knight
 
Posts: 535
Joined: May 26, 2009 00:00

Postby Liss » Jun 04, 2016 16:48

You might be concerned, and I understand that, but there is nothing forcing you to use the better-known OpenID partners like Google, Facebook, Twitter, Microsoft etc.

Personally I created a new OpenID account specific for Uthgard.
I did not go around the third-party options like Google, Facebook, Twitter, Microsoft etc., simply because I do not trust them.
They do not follow the privacy laws in my country, so I do not use them!

The reason OpenID is getting widespread is because people do not have to remember account details for every single service they use. (Which traditionally leads to weaker passwords.)
This is something the common person will appreciate.
However, this creates big data concerns, and let us not get into that here.

TheKrokodil
Alerion Knight
 
Posts: 2126
Joined: Jan 11, 2005 01:00

Postby TheKrokodil » Jun 04, 2016 19:34

Jaidlyn wrote:
Phishing
Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[28][29][30] For example, a malicious relaying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end-user's account with the identity provider, and then use that end-user's OpenID to log in to other services.


Uthgard is the relying party, so in this case you are saying you don't trust us.

You can also easily prevent being redirected to a bogus identity provider page by checking the URL at the top of the browser. If the hostname doesn't end in ".google.com", don't enter your password there.

Privacy / Trust Issue
Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[33] However, this problem is not unique to OpenID and is simply the state of the Internet as commonly used.


We, as the relying party, trust google.com/facebook.com/microsoft.com to not lie to us about your identity. Whether we have this trust or not, however, should not be your issue, since it only affects the relying party, not the end user.

The Identity Provider does, however, get a log of your OpenID logins; they know when you logged into what website, making cross-site tracking much easier. A compromised OpenID account is also likely to be a more serious breach of privacy than a compromised account on a single site.


Note that a session on uthgard.org is currently valid for 7d, so you only need to re-authenticate after those 7 days.

Authentication Hijacking in Unsecured Connection
Another important vulnerability is present in the last step in the authentication scheme when TLS / SSL are not used: the redirect-URL from the Identity Provider to the Relying Party. The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user. Some of the Identity Providers use nonces (number used once) to allow a user to log in to the site once and fail all the consecutive attempts. The nonce solution works if the user is the first one to use the URL. However a fast attacker who is sniffing the wire can obtain the URL and immediately reset a user's TCP connection (as an attacker is sniffing the wire and knows the required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers but cannot prevent active attackers from executing the replay attack.[34] Use of TLS/SSL in the authentication process eliminates this risk.


Uthgard is using TLS, so this doesn't apply here.


Please make sure you understand what you are reading.
Be nice. :)
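
The hostname check described in the post above, written out as an added example (it is not part of the original thread and not Uthgard's code). The function name and the sample URLs are constructed for illustration, and requiring HTTPS is an assumption added here; the check parses the URL first, because a string match on the raw address is fooled by lookalikes.

```javascript
// Added example: decide whether an address-bar URL really belongs to the
// expected identity provider before a password is typed into the page.
// isProviderLoginUrl and every sample URL below are constructed for this example.

function isProviderLoginUrl(rawUrl, providerDomain) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases and IDNA-encodes the host
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  // Assumption of this example: the password page must be served over TLS.
  if (url.protocol !== 'https:') return false;
  // "https://accounts.google.com@other.host/": the text before '@' is
  // userinfo, not the host, so any URL carrying userinfo is rejected.
  if (url.username !== '' || url.password !== '') return false;
  // Drop a trailing root dot, then compare on a label boundary: the host must
  // be the provider domain itself or end in "." + domain, so that
  // "notgoogle.com" and "google.com.other.example" do not pass.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const domain = providerDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Constructed sample addresses, each paired with the expected verdict.
const SAMPLES = [
  ['https://accounts.google.com/ServiceLogin', true],
  ['https://google.com/', true],
  ['https://accounts.google.com./ServiceLogin', true],  // trailing root dot
  ['http://accounts.google.com/ServiceLogin', false],   // no TLS
  ['https://accounts.google.com.login.example/', false], // provider as subdomain
  ['https://notgoogle.com/', false],                    // suffix without a dot
  ['https://accounts.google.com@login.example/', false], // userinfo trick
  ['https://login.example/accounts.google.com/', false], // provider in the path
  ['https://accounts.g\u043e\u043egle.com/', false],    // Cyrillic "o" homoglyphs
  ['accounts.google.com', false],                       // not an absolute URL
];

// Returns the samples whose verdict differs from the expected one.
function mismatches() {
  return SAMPLES.filter(([u, want]) => isProviderLoginUrl(u, 'google.com') !== want);
}

console.log(mismatches().length === 0 ? 'all samples classified as expected' : mismatches());
```
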

Njor
Eagle Knight
 
Posts: 765
Joined: Apr 19, 2010 00:00

Postby Njor » Jun 05, 2016 14:22

@Krokodil, just wanted to post in a topic you have posted in so you get a notification: are you aware that nobody can log in?

TheKrokodil
Alerion Knight
 
Posts: 2126
Joined: Jan 11, 2005 01:00

Postby TheKrokodil » Jun 05, 2016 16:19

Yes, I got a phone call this morning telling me that :).

See here for more info: viewtopic.php?f=15&t=37209&start=30
Be nice. :)

