about as secure as any other forum; use a no-descriptive user name and a complex or randomly generated password. about the best you can do.

I'm not too sure about how Secure they are, it's like most other accounts/forums or whatever.

You can download Mods from the Mods Menu ingame but all the info for Mods and discussions about Mods are on the website/forums and require you to login for that.

But theres nothing wrong with how Secure accounts are tbh.

The game is totally worth playing and so fun.

fairly sure you need a factorio forum account to use the ingame mod downloader, not 100% but pretty sure.

The question that comes to my mind is, why SHOULD it be secure? Do you plan on storing any sensitive data in your factorio account? Surely you're not intending to use the same password as for your online banking or something?

I really don't understand why you would need any security on a game account...

No account is secure. I'd personally recommend not to input any detail that you use anywhere else, unless you absolutely have to. Use a passeord manager for passwords and random values for anything else (username, name, date of birth). Do this for all your online accounts.

I know i'm a little late to respond to my own discussion but now is better than later

[quote=Estelyen The question that comes to my mind is, why SHOULD it be secure? Do you plan on storing any sensitive data in your factorio account? Surely you're not intending to use the same password as for your online banking or something?

I really don't understand why you would need any security on a game account... [/quote]

(edit no i don't why i cant quote Estelyen's post)

The main reason i'm somewhat concerned that factorio accounts are secure is because its going to be linked to my steam account.

Originally posted by qojnopufu No account is secure. I'd personally recommend not to input any detail that you use anywhere else, unless you absolutely have to. Use a passeord manager for passwords and random values for anything else (username, name, date of birth). Do this for all your online accounts. [/quote:

I know that no account is 100% "secure" but some security is better than no security.

I don't think that the Steam and Factorio accounts are linked like some other games do. Where you sign in with your Steam account. I could be wrong, but I don't think Factorio does that.

Originally posted by still__alive:

I don't think that the Steam and Factorio accounts are linked like some other games do. Where you sign in with your Steam account. I could be wrong, but I don't think Factorio does that.

They most definitely are. You have to link your Steam account as a proof of purchase. Without linking, you can't download mods or play MP on official servers.

How vulnerable that makes your Steam account depends mostly on Valve and their implementation. Usually "account linking", "log in with Facebook", etc., are (or rather, should be) implemented in such a way that even if there is a breach of the third-party service, your Steam/Facebook/whatever account is safe. See, for example, here: https://en.wikipedia.org/wiki/Oauth

Originally posted by piccolo255:

Originally posted by still__alive:

I don't think that the Steam and Factorio accounts are linked like some other games do. Where you sign in with your Steam account. I could be wrong, but I don't think Factorio does that.

They most definitely are. You have to link your Steam account as a proof of purchase. Without linking, you can't download mods or play MP on official servers.

How vulnerable that makes your Steam account depends mostly on Valve and their implementation. Usually "account linking", "log in with Facebook", etc., are (or rather, should be) implemented in such a way that even if there is a breach of the third-party service, your Steam/Facebook/whatever account is safe. See, for example, here: https://en.wikipedia.org/wiki/Oauth

Oh yeah, forgot about that part.

They most definitely are. You have to link your Steam account as a proof of purchase.

That doesn't imply an actual link - all they need to to is check once if you own the game on Steam when you try to create an account, at which point you have two completely independent accounts (Steam and Factorio.com).

Given that it's possible to buy directly from Factorio.com without having a Steam account at all I would guess that the two accounts are not strongly linked.

If you buy from Factorio.com and get a Steam account later they will give you a Steam key which can be redeemed without linking the accounts.

Originally posted by AlexMBrennan:

They most definitely are. You have to link your Steam account as a proof of purchase.

That doesn't imply an actual link - all they need to to is check once if you own the game on Steam when you try to create an account, at which point you have two completely independent accounts (Steam and Factorio.com).

That's a good point. This could be "weak" linking, where the Factorio account is associated to a Steam account, but the confirmation is only done once, not "strong" linking, where the game account is essentially replaced with a Steam account and it checks in with Steam every time you log in to the game.

In that case, it would be enough for them to store your Steam ID as proof. Of course, any other potential weak points are still here for that first check :)

Anyway, I did a bit of digging, and I think I found the Steam docs for this (Steam Web API).
Documentation top: https://steamcommunity.com/dev
Terms of Use: https://steamcommunity.com/dev/apiterms
Usage documentation: https://developer.valvesoftware.com/wiki/Steam_Web_API

The most relevant passage is this one:

Steam OpenID Provider

Steam can act as an OpenID provider. This allows your application to authenticate a user's SteamID without requiring them to enter their Steam username or password on your site (which would be a violation of the API Terms of Use.) Just download an OpenID library for your language and platform of choice and use https://steamcommunity.com/openid as the provider. The returned Claimed ID will contain the user's 64-bit SteamID. The Claimed ID format is: https://steamcommunity.com/openid/id/<steamid>

The OpenID buttons required by Valve if you use this function are the same ones as those on the Factorio homepage, so I'm pretty sure that's what they're using. More about OpenID here: https://en.wikipedia.org/wiki/Openid

Originally posted by jackthegamer161:

The main reason i'm somewhat concerned that factorio accounts are secure is because its going to be linked to my steam account.

Linking your Steam account doesn't pass any information to Factorio from your account. Removing any tech speak, in a very general sense it looks something like this.

Website sends request to authenticate user to Steam and a 'secret key' value that is established in regular intervals between Steam and said website.
Website redirects user to Steam's authentication server.
Steam verifies account user entered correct information.
Steam sends a signed response that's based on the 'secret key' and redirects user back to website.


Your account information is verified by Valve on Valve's server and never leaves the server. The cryptographic key just contains parameters to verify the identities of all parties involved. I use identity loosely as Steam is only verifying that your password and account name is correct, they can't tell if it's actually 'you'. As a general rule though, you always want to check the url of the site you are redirected to. This isn't the case with Factorio's website, but faking Steam's authentication process is quite common, but the url will always give it away.

It will always, without exception begin with the following for 'logging in through Steam' on another website:

https://steamcommunity.com/openid/login?openid.claimed_id

Scrutinize the spelling because there are things like steamcommunitay, steamcommunitey, steamcommunity etc that exist to 'trick' users into giving up their information. The vast majority of people losing access to their Steam accounts are losing it through things of this nature i.e. a user created vulnerability, rather than any outside security vulnerability.