Please don't make me retype my password every time I start the game.

Discussion in 'Planetary Annihilation General Discussion' started by glowstorm, November 25, 2013.

  1. glowstorm

    glowstorm New Member

    Messages:
    3
    Likes Received:
    1
    If I'm not mistaken, asking me for my password each time the game starts actually lowers my account security. If the game remembers my password, I can use a password manager like LastPass to generate a unique, strong password, and the game can remember it for me. But if I have to retype the password each time I log in, that means I need a password I can remember, so it's not going to be as strong, and it will probably be a password shared with several other games.

    Vote for account security. Vote for auto-remembered passwords!
    Quitch likes this.
  2. stormingkiwi

    stormingkiwi Post Master General

    Messages:
    3,266
    Likes Received:
    1,355
    http://xkcd.com/936/

    Arachnis, LavaSnake, lokiCML and 4 others like this.
  3. thetrophysystem

    thetrophysystem Post Master General

    Messages:
    7,050
    Likes Received:
    2,874
    Also, I believe there is/was a mod for retaining the user and password in the fields. However, the file itself isn't encrypted.
  4. stormingkiwi

    stormingkiwi Post Master General

    Messages:
    3,266
    Likes Received:
    1,355
    It's the one advantage of playing the game through Steam - I infrequently have to enter username/password. I've only had to do it once or twice.
    thetrophysystem likes this.
  5. drz1

    drz1 Post Master General

    Messages:
    1,257
    Likes Received:
    860
    I don't think I've had to do it more than once, I'm playing through Steam if that helps...
  6. zaphodx

    zaphodx Post Master General

    Messages:
    2,350
    Likes Received:
    2,409
    I'd rather they keep trying to make the game than spend time dealing with a relatively minor inconvenience.

    You can copy-paste into the field if you want a large, secure password.
    Terrasque and brianpurkiss like this.
  7. Clopse

    Clopse Post Master General

    Messages:
    2,535
    Likes Received:
    2,865
    Just go to the following directory.

    \media\ui\alpha\start\start_alpha.js

    Not sure the exact line but it should read something like:

    self.password = ko.observable('yourpassword');

    Stick your password in there.
  8. stormingkiwi

    stormingkiwi Post Master General

    Messages:
    3,266
    Likes Received:
    1,355
    Obviously don't have a password you use anywhere else!
  9. brianpurkiss

    brianpurkiss Post Master General

    Messages:
    7,879
    Likes Received:
    7,438
    It remembers my password.

    And I'm quite sure that an app remembering passwords has nothing to do with security. If anything, it would technically lower security since the password is saved on a computer, which is hackable.

    I'm no security expert, but yeah. Doubt it actually improves security.

    Either way, PA remembers my password.
  10. Gunman006

    Gunman006 Member

    Messages:
    99
    Likes Received:
    48
    When I switched to Steam it logs me on automatically, but before I had the same "problem". I would suggest activating it on Steam.
    evilOlive likes this.
  11. glowstorm

    glowstorm New Member

    Messages:
    3
    Likes Received:
    1
    Okay, where do I find my Steam key so I can activate the game on Steam?
  12. ghost1107

    ghost1107 Active Member

    Messages:
    365
    Likes Received:
    181
    glowstorm likes this.
  13. Terrasque

    Terrasque Member

    Messages:
    49
    Likes Received:
    29
    As this is in fact login to an online service, and thus an online attack, saving the password is actually making your account less secure.

    And again, with online attacks, length and complexity of password is way less important than having a unique password for the service. The main attacks will mostly be re-trying passwords from other hacked places (or if Uber is hacked, retrying that username / password on other systems), keylogging while you log in, or attacking the password recovery system (most likely, your email).

    So in summary, the security threats are now:
    • Re-use of password from a hacked
    • Active keylogger running on the machine while logging in
    • Attack on password recovery systems (email address)
    Note that brute force / dictionary attack isn't even on the list.

    With the password saved locally, you (security wise) only add a new vector in addition to the other mentioned:
    • Malware reading the username / password from the disk
    And if you re-use the password on other places, that can then directly compromise your account on those places too.

    However, there is a way to do it that does not involve directly saving the password. You could, on successful login, create a token on the server - that could be keyed to for example the client's IP address or subnet - which the client can later use to authenticate with.

    Edit: Granted, there are some mitigating factors with saving password. Login keylogging is less of an issue then, since you don't actually have to type in the password as often. And malware getting the password from the disk needs to be written specifically for PA, while keyloggers tend to snap up everything.
    Last edited: November 27, 2013
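
The token scheme suggested in the post above, sketched as an added example (not part of the thread and not Uber's code): after a password login the server issues a random token tied to the client's /24 subnet, and the client saves that token instead of the password. The function names, the 30-day lifetime, the in-memory store and the sample addresses are all assumptions made for illustration.

```javascript
// Added example: server-side "remember me" tokens bound to the client's subnet.
const nodeCrypto = require('node:crypto');

const TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day lifetime
const tokens = new Map(); // sha256(token) -> { user, subnet, expires }

// Reduce an IPv4 address to its /24 subnet ("203.0.113.7" -> "203.0.113").
function subnetOf(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error('expected an IPv4 address');
  }
  return parts.slice(0, 3).join('.');
}

// Only a hash is stored, so a leaked token table cannot be replayed directly.
function hashToken(token) {
  return nodeCrypto.createHash('sha256').update(String(token)).digest('hex');
}

// Call only after the password has been verified. The client keeps the
// returned token on disk; the password itself is never saved.
function issueToken(user, ip, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString('hex');
  tokens.set(hashToken(token), { user, subnet: subnetOf(ip), expires: now + TOKEN_TTL_MS });
  return token;
}

// Returns the user name if the token is valid for this address, else null.
function redeemToken(token, ip, now = Date.now()) {
  const key = hashToken(token);
  const entry = tokens.get(key);
  if (!entry) return null;
  if (now > entry.expires || entry.subnet !== subnetOf(ip)) {
    tokens.delete(key); // expired or presented from another network: revoke it
    return null;        // caller falls back to a normal password login
  }
  return entry.user;
}

// Revoke every token for a user, for example after a password change.
function revokeAll(user) {
  for (const [key, entry] of tokens) {
    if (entry.user === user) tokens.delete(key);
  }
}
```

A token stolen from disk is useless from another network and can be revoked without changing the password, which is what saving the password itself cannot offer.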
  14. garat

    garat Cat Herder Uber Alumni

    Messages:
    3,344
    Likes Received:
    5,376
    A new launcher is in the works, and one of the things it should be able to do is take the initial password and pass it to the client. The reason we don't do that already is there is no real secure channel through which to pass that information. And as we're generally opposed to transmitting passwords around in plain text, that's why you have to enter your password twice currently.
    lokiCML and glowstorm like this.
  15. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    Does this mean that the password won't be available to UI mods anymore? Moving the password out of the js would be a great improvement to security.
