Yellow-Dog-Man / Resonite-Issues

Issue repository for Resonite.
https://resonite.com

Inform the user about the risks of sharing their NeosVR password #920

Open imagitama opened 7 months ago

imagitama commented 7 months ago

Describe the bug?

When you sign up and your username matches something in Neos, the game prompts you for your Neos credentials so it can verify your ownership of the username and download your old files.

This is really sketchy, especially if people re-use their passwords, which is scarily common.

Ideally you would use OAuth or some other token to represent your access to their account, but I assume Neos' OAuth system is down? A quick search says they support it.

You should at minimum inform the user about the risks of sharing their password like this and strongly suggest that they change their password before and after this process.

To Reproduce

N/A

Expected behavior

N/A

Screenshots

N/A

Additional Context

N/A

Reporters

No response

imagitama commented 7 months ago

It looks like this game is made by the same devs as Neos so maybe this isn't an issue after all? 🤔

JackTheFoxOtter commented 7 months ago

The credentials you are asked to enter as part of migrating from a compatible infrastructure are not stored, and they are only used to authenticate with the external infrastructure to a) ensure you own the username on that infrastructure, and b) log the migration task in so that it can migrate your account content.

The login info is not stored beyond that. As a general good practice, you should never reuse passwords across multiple services, but that's unrelated to the implementation here. It is necessary to log into the external infrastructure if you want to migrate an account. If users have concerns about that, they can always choose not to migrate their account. (Although that also means they won't be able to use their username if it is reserved for them).
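As an added illustration of the flow described in the comment above (example code, not Resonite's or Neos' implementation): the old-service password is exchanged once for a short-lived session, the session alone is used for the ownership check and the content copy, the session is revoked when the task ends, and only the username, the outcome and a secret-free log are persisted. The external service here is a constructed in-memory stand-in, and every class, function and field name is an assumption.

```python
"""Added example, not project code: a migration task that borrows a user's
password for one login and never persists it. FakeExternalService is a
constructed stand-in for the old infrastructure, not a real API."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


class FakeExternalService:
    """Constructed model of the old service: salted password hashes,
    short-lived session tokens, and per-user content to migrate."""

    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 digest)
        self._sessions = {}   # token -> (username, expiry timestamp)
        self.content = {}     # username -> list of file names

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, files):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))
        self.content[username] = list(files)

    def login(self, username, password):
        """Exchange credentials for a 5-minute session token, or None on failure."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self._hash(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + 300)
        return token

    def whoami(self, token):
        entry = self._sessions.get(token)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def list_files(self, token):
        user = self.whoami(token)
        return list(self.content[user]) if user else None

    def revoke(self, token):
        self._sessions.pop(token, None)


@dataclass
class MigrationRecord:
    """Everything the new service persists about a migration. No password field
    exists, so there is nothing to leak into storage or later log shipping."""
    username: str
    verified: bool
    files_copied: int
    log: list = field(default_factory=list)


def migrate_account(external, claimed_username, password):
    """Verify ownership of `claimed_username` on `external` and copy its content,
    using the password only for the initial token exchange."""
    record = MigrationRecord(username=claimed_username, verified=False, files_copied=0)
    token = external.login(claimed_username, password)
    # Python cannot scrub an immutable str from memory; dropping this frame's
    # reference only guarantees nothing below can log or persist it by mistake.
    del password
    if token is None:
        record.log.append(f"login failed for {claimed_username!r}")
        return record
    try:
        # a) ownership check: the session must belong to the username being claimed
        if external.whoami(token) != claimed_username:
            record.log.append("session does not match claimed username")
            return record
        record.verified = True
        # b) content copy is driven by the session, not by the password
        files = external.list_files(token) or []
        record.files_copied = len(files)
        record.log.append(f"copied {len(files)} files for {claimed_username!r}")
    finally:
        external.revoke(token)  # the borrowed session dies with the task
    return record


if __name__ == "__main__":
    svc = FakeExternalService()
    svc.register("alice", "correct horse battery staple", ["avatar.pkg", "world.pkg"])
    print(migrate_account(svc, "alice", "correct horse battery staple"))
```

The design point is that the only long-lived artefact is `MigrationRecord`, which has no place to put a password, and the session token is revoked in `finally` so a crash mid-copy does not leave a live credential behind. This does not remove the reuse risk the reporter raises (the password still transits the new service), which is why a delegated token such as OAuth would be preferable where the old service supports it.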

imagitama commented 7 months ago

> As a general good practice, you should never reuse passwords across multiple services

Of course, but do you trust your users to do that? No way.

My point is that you have a responsibility to the user to explain how this works and to change their Neos password if they re-use it.

But after doing some digging it appears that the devs of this game used to be/are devs for Neos so the issue of "trust" isn't so much of an issue. When I was prompted to do the migration I was extremely sus before I learned this.