Deep Silver / Saints Row.com

  By Shamus   May 2, 2014   65 comments

Pretty much the moment I logged into Saints Row 4 for the first time, the game was trying to get me to sign up for the Saints Row website. You know: Create an account! Social media! Online with your friends as on the internet with special offers! It’s the sort of thing that has the stench of a lumbering corporate behemoth throwing gang signs and trying to talk with tweens about their Facechats and InstaGramming.

One of the features hooked in to having an account was being able to save and load a character design independently from your save game. (Share your designs with friends!) I ran into a situation where I had a character I liked, but I wanted to start a brand-new game with them. So okay. I’ll try this website business and see how it works out…

  1. I try my usual bullshit throw-away login I use on sites I don’t care about. The username exists, which means I’ve created an account. (Probably in Saints Row 3.) I try the normal passwords and they don’t work.
  2. I try the “forgot my password” button a few times. It claims to send an email. Never does. I should note that it doesn’t ASK for my email, which means if someone else is using this name then I’m spamming them with password request emails. The user should be prompted for the email, and if it doesn’t match the existing email the password reset message shouldn’t be sent. Barring that, the site should notify the user where it IS sent, so they know where to look and can tell if they’re trying to recover an account they don’t own. Blindly sending an email is the worst of both worlds: It’s inconvenient for the user but also insecure in that it can be used to harass and confuse the unwary.
  3. Fine. I’ll just create a new account. I run through it, and fill in the REQUIRED fields of home address with dummy info, since there is no reason Deep Silver should be asking for this. The account we’re creating here is only for the purposes of playing a game, and there is never a situation where they would need to know where I live. It’s just another chunk of personal info that could be harvested if their site was ever hacked. Stop asking for more info than you need.
  4. Account created, but I can’t log in. I try several times. It just says “name or password incorrect”. Maybe I mis-typed my password both times when creating the account? Unlikely, but it can happen.
  5. I use the password recovery. Once again, no email is ever sent. Nothing.
  6. Fine. Create ANOTHER account. I run through the account creation and give it another try. I’m REALLY careful to make sure I’m typing everything correctly.
  7. Still can’t log in. No emails have been sent for any of these accounts.
  8. Whelp, time to ask for help. Let’s see… where is the “report a problem” button? There doesn’t seem to be one. Nor is there a “contact us” page. There’s nothing. There is no place where you can contact anyone related to this website. I could run up the chain and go for their corporate contacts at parent company Koch Media GmbH (assuming they’re available and I can find them) but this has already sucked away a half hour of my life and I’m not going to spend another half hour sending bug reports to distant parties who can’t help me and won’t do anything about the problem.
  9. Twitter maybe? Nope, the Saints Row Twitter was last updated nine months ago. It was obviously used to spew marketing when the game was fresh and I’m sure nobody is paying attention now.
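
The reset behaviour argued for in step 2, sketched as an added example (not code from the Saints Row site or the original post): the form asks for the e-mail, and mail goes out only when it matches the address on file. The `USERS`, `OUTBOX` and `RESET_TOKENS` stores and the function names are hypothetical; the identical reply for every outcome and the hashed, single-use, expiring token are assumptions added here, beyond what the post asks for.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed token lifetime
GENERIC_REPLY = "If those details match an account, a reset link has been sent."

# Constructed sample account store (username -> record); not real data.
USERS = {
    "throwaway42": {"email": "owner@example.org"},
}

OUTBOX = []        # stands in for the mail system: (recipient, token) tuples
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)


def _normalize(email):
    return email.strip().lower()


def request_password_reset(username, email, now=None):
    """Handle a 'forgot my password' submission.

    Mail is sent only when the supplied e-mail matches the one on file,
    and the caller gets the same reply either way, so the form cannot be
    used to spam an account's owner or to probe which usernames exist.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Unknown users are compared against a dummy value so both paths do
    # the same comparison work.
    on_file = _normalize(user["email"]) if user else "invalid@invalid.invalid"
    matches = hmac.compare_digest(
        on_file.encode("utf-8"), _normalize(email).encode("utf-8")
    )
    if user is not None and matches:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        # A new request invalidates any earlier outstanding token.
        for key in [k for k, v in RESET_TOKENS.items() if v[0] == username]:
            del RESET_TOKENS[key]
        # Only the hash is stored, so a leaked table does not yield
        # usable reset links.
        RESET_TOKENS[digest] = (username, now + RESET_TTL_SECONDS)
        OUTBOX.append((user["email"], token))
    return GENERIC_REPLY


def redeem_reset_token(token, now=None):
    """Return the username a token belongs to, or None. Single use."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None
```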

I wonder how long the site has been non-functional like this without anyone noticing? I would ASSUME it works for existing users, and just new account creation is broken? This is exactly how you end up with hacked servers: Pay some web monkey to make the graphics, create a login system to soak up the personal info of your users, then ignore the whole thing for ages while the data piles up. Eventually a hacker will find your dusty server, long out-of-date and bulging with personal info. They’ll make off with it and use that info to get more info, and it will be weeks before you even realize you have a problem.

The website – for all its pretensions to social networking – is actually designed to fend off communication. It also continues a trend I’ve observed where the companies least qualified to protect your information are the most likely to ask for more than they need. It’s obvious Deep Silver doesn’t care about this, or the thing would be working. It’s like the Rockstar Social Club and the Ubisoft Whatever Thing. Management doesn’t have a vision. They just know that Social Web is a Thing and We Should Be Doing it.

It’s not a huge deal, but since this really is a sad display of apathy I thought I’d post this here as a way of shaming the site. Also, let this be a warning to other companies wanting to put login screens in your videogames, like a child that wants a puppy: Managing user accounts is a big responsibility. The consequences for doing it poorly are sometimes extreme. If you don’t plan on taking care of it, then don’t get one.


65 comments? This post wasn't even all that interesting.


  1. krellen says:

    I wonder if the problem lies in the fact that Deep Silver actually has nothing to do with the SaintsRow.com website. I know that site existed when SR3 was just coming out, so it might be a relic from the THQ days that actually never got transferred over to Deep Silver when the sale happened.

  2. ET says:

    One more reason I argue that most websites should just use something like OpenID, or at the very least, let you log in with your FB or Google account. So many companies are new to logins/passwords/etc, and there’s so many things to get wrong. :|

    • Steve C says:

      I trust something like Google to put a lot of effort into security. It’s important for them. It needs to be. Google is constantly being attacked by hackers every second of every day. However another company’s portal using Google accounts as a login may have some half-assed flaw. Now a hacker doesn’t need to break Google’s security, all they need to do is break into the half-assed website and they will have all of the much more valuable Google info.

      For example- Heartbleed. Google wasn’t affected by Heartbleed. So many other websites were. If one of those websites used a Google account login then now your Google account was affected by Heartbleed.

      Logging in with your FB or Google account gives another datapoint for marketing and tracking information. You are agreeing to share information with both companies. You have no idea how their partnership is structured. I never ever allow login info from one website to contaminate another. If the only option is FB or Google (which I’ve seen) then I don’t even use the website at all.

      • Ingvar M says:

        Well, that’s not quite how OAuth and OpenID actually work.

        What happens is that the site you want to log into (let’s call it A) sends you to the site that is providing the authentication (Google or Facebook, in your example) and you log in to that site, without giving A any of your authentication details. Then, when you have logged in to Google or Facebook, you are redirected back to A, with a secret token that basically means “the authenticator authenticated this”.

        So if A is suffering from, say, Heartbleed, the only things that are compromised are “things on site A” and possibly “the ability to act as you on site A”, not anything on any other site.

      • ET says:

        Yeah, that’s not how logging in with OpenID, Facebook, or Google works. Ingvar’s explanation is correct, in that the website you’re trying to log into never gets any info about your Google account, or Facebook account, or whatever. All that the website does, is basically open up another tab/window in your browser, which goes to Google/Facebook/OpenID, asking for Google/Facebook/OpenID to verify their identity. So you log in as normal to Google/Facebook/OpenID, and then Google/Facebook/OpenID says “OK, this person is who they say they are.” None of the info in your account gets sent to the first website; ONLY the acknowledgement that Google/Facebook/OpenID has verified your identity.

        So, after belabouring the point, the upshot is that, if you’re logging into a website and all it has is Facebook/Google as login options, then it’s exactly as secure as logging into Facebook/Google themselves – because that’s exactly what you’re doing. On top of that, your Facebook/Google account is not at all at risk, outside of the normal threats that they normally deal with every day.

        • Steve C says:

          As Tizzy said, that’s how it should work. That doesn’t mean that’s how it works.

          Let’s say little websites that don’t have the capability to do security properly go with Google/FB/whatever and cross site requests. Most implement it properly. Some implement it poorly so it’s not secure. Some purposely implement it in a way to phish for valid login credentials. How do you tell the difference between those three? It’s too easy to capture keystrokes in that situation. Soon as you have keystrokes you have login information for a 3rd party website. You are trusting them to properly open a tab to google. You are trusting them not to perform a man in the middle attack on some of your most sensitive accounts.

          • ET says:

            When the user logs into a website, using Facebook, it’ll say facebook.com in their browser, and their browser will also show that the identity of the website has been verified as actually Facebook. (Just to be clear, this happens in a separate window/tab, so that the user can see that they’re currently going to facebook.com and then later going back to the other website.) I don’t see how someone could do any keylogging, unless the user is willing to put their Facebook credentials into a website which is not Facebook.

      • Andrew_C says:

        Actually Google were affected by Heartbleed, they use OpenSSL extensively. It was one of their researchers who discovered the bug, and they delayed announcing its discovery until they were fully patched against it.

  3. Daemian Lucifer says:

    On the subject of colossal security blunders, I’m surprised you haven’t covered Heartbleed at all.

    • MadTinkerer says:

      XKCD already summarized it pretty well.

      • Daemian Lucifer says:

        Well yes, that’s the explanation of WHAT the bug is. However, what I am very curious to find out is how the fuck did a 1990s bug end up being so widespread on the 2010s systems?

        • krellen says:

          That’s surprisingly simple as well: because the vast majority of the internet is run on unfunded open-source systems supported by a handful of people. Whether or not they knew about this security breach years ago, other aspects of the system simply seemed more vital to fix than the breach, and they only had so much time (and no funding) to do it in.

          And since the support was “open source”, the systems using that open source project were probably also largely unfunded and understaffed. Add to that the responsibility of patching to the new version when the fix was done and you get a lot of people seeing something as more important than this breach to spend their extremely limited time on.

          Basically, the breach existed because companies are cheap assholes who keep getting told by society and consumers that it’s not only okay for them to be cheap assholes, it’s also expected.

          So folks need to stop telling people that companies exist to make money. It’s part of the problem.

        • Peter H. Coffin says:

          Not a 1990s bug. It’s a 2012 bug. Earlier versions didn’t have the feature that caused the problem.

          And it’s not a problem that will get fixed by just funding it. It takes a kind of practiced, customary rigor that even “professional” programmers just don’t have, because their knowledge of the WHOLE SYSTEM under which they are working just isn’t there.

          Here’s some examples: http://insanecoding.blogspot.com/2014/04/libressl-good-and-bad.html

  4. Jokerman says:

    I actually liked the Rockstar social club thing, it had some nice features… at least with GTA 5, hadn’t touched it until my second playthrough of that game.

  5. This article seems relevant (and it’s hysterical): Programming Sucks.

    “Remember that stuff about crazy people and bad code? The internet is that except it’s literally a billion times worse. Websites that are glorified shopping carts with maybe three dynamic pages are maintained by teams of people around the clock, because the truth is everything is breaking all the time, everywhere, for everyone. Right now someone who works for Facebook is getting tens of thousands of error messages and frantically trying to find the problem before the whole charade collapses. There’s a team at a Google office that hasn’t slept in three days. Somewhere there’s a database programmer surrounded by empty Mountain Dew bottles whose husband thinks she’s dead. And if these people stop, the world burns. Most people don’t even know what sysadmins do, but trust me, if they all took a lunch break at the same time they wouldn’t make it to the deli before you ran out of bullets protecting your canned goods from roving bands of mutants.”

    I’m sure the case here is far different, but the heck with it, it made me grin.

  6. Septyn says:

    “I’ll just create a new account. I run through it, and fill in the REQUIRED fields of home address with dummy info.”

    It’s amazing how many companies associate my fake web names with 1600 Pennsylvania Avenue.

    • Bubble181 says:

      I’m European, and use that address all the time :P

    • Dreadjaws says:

      There’s at least a small number of companies that have no problem believing I live in 221B Baker Street. You would think they have filters for this sort of thing. They don’t.

      • Daemian Lucifer says:

        Well no filters is certainly better than filters like these.

        • KMJX says:

          Apparently if I used the password “fdG69AD81!a” it would be easier to crack than if I used “Look at my pony, my horse is amazing. Give it a lick”.

          (yes I differentiated “pony” and “horse” even though the origin is “horse” for both sentences. Just because I’m afraid that if they crack “horse” once they would immediately know it is in the password twice)

          • krellen says:

            This is true, because that phrase is so long. The random characters would be safer than a five-or-six word phrase, though.

            • Daemian Lucifer says:

              Unless that phrase is “God save the queen”, and you are British, no it wouldn’t. Keep in mind that you won’t have a clue that it’s a code phrase, how long it is, how long each word is, what language is used, etc. (unless it’s a crappy protection, that is), so you’d have to guess practically everything. And covertly extracting a code phrase out of someone is not that easy, especially if it’s a random thing (like Blueberry horse flying kazoo). And brute forcing is just out of the question, even if you are going to use just dictionary words.

              • krellen says:

                Except the concept of using random words is already out there, and brute forcing those is a lot easier than brute forcing random strings, so a lot of crackers are going to be focused on doing that now.

                • Daemian Lucifer says:

                  Even if you limit the number of words to 10000, which is less than one full language dictionary, and even if you limit the phrase to 4 words, you will get the same strength as a 6 symbols password, which is way harder to memorize. And adding just a single word from another language you know will skyrocket the strength of your passcode. Or just adding punctuation, like a question mark at the end, or parentheses, or quotation marks. So no, brute forcing phrases is definitely not easier.

                  • krellen says:

                    “Way harder to memorise” requires a citation. Results may vary. Offer not available in all countries.

                    I also find your “10000 words” thing kind of high-balling. The vast majority of words in any language are represented by 1 or 2 thousand, not 10. But even there you’re still wrong at five words.

                    Here’s the math:
                    11 random symbols: 95^11 possibilities. Roughly 5.75×10^21 searchspace
                    5 random words: 10000^5 possibilities. Exactly 1.00×10^20 searchspace

                    11 random symbols is fifty times as secure as five random words.

                    Take the wordspace down to 2000 instead of 10, and this remains true at six words as well, which is exactly what I said.

                    • Daemian Lucifer says:

                      ““Way harder to memorise” requires a citation”

                      Well then tell me what is easier to memorize “*,Tg>#” or “Baboon runs purple boycott”?

                      As for the rest, first, when I said “a random thing”, the usual method is opening a dictionary on a random page and picking a word, and dictionaries do have over 10000 words in almost every language. But even if you go just by words known by an average speaker, here is an answer that suggests that 10000 words known by an average speaker is a good estimate for Spanish and English (you don’t have to use a word in active conversation in order to know it). Also, there’s the whole thing of various forms of words (due to tenses and other changes) being considered one word in such estimates, yet are to be considered different words for cryptography. Same goes for letter capitalization.

                      Second, where did I ever say that a 5 word passphrase is stronger than an 11 symbol password? I’ve said 4 and 6, but you’ve just shown that I may have been a bit conservative with that, since a 5 word passphrase is stronger than a 10 symbol password. And even if we include your limit of 2000 words, include no capitalization and no punctuation marks, a 4 word phrase will still be 20 times as strong as a 6 symbol word (160*10^11 vs 7.35*10^11), so my conservative estimate still stands.

                      Which brings us to the third point, and that is including foreign words and punctuation (including just a few common punctuation marks like ., !? increases the complexity of a 2 word passphrase 216 times), which does not increase the complexity of memorizing a phrase, but sure does increase the complexity of brute forcing it (“resulthorse” is not any harder to remember than “result:horse”, but including the option of just that one symbol makes it twice as long to brute force).

                    • ET says:

                      I don’t have any scientific studies sitting in front of me, but I’m pretty sure humans are better at memorizing words than random punctuation. People don’t really ever memorize random punctuation in random positions and random orders. The percent symbol is always used when talking about percentages, or sometimes it’s modulus, from math class. The exclamation point is always used at the end of command or exclamation sentences. Periods always go at the end of sentences, unless it’s a decimal in a number. Etc. So, people don’t have practice remembering where these things go, since they go where the English language tells them to go. Words, on the other hand, are going into different positions all the time, to create new sentences.

                      So, yeah, 11 random gibberish characters might be stronger than a 5-word phrase, but the phrase is much, much easier to memorize, because people already have practice with putting words in different orders.

                    • krellen says:

                      Okay, look. The central problem with the “use a bunch of words you’ll remember” system is that words, phrases, and sentences match clear, identifiable patterns, and those patterns can then be used to more easily crack passwords based off those structures – and the more people preach the gospel of “use a phrase instead!”, the more widespread systems to crack those sorts of passwords will become.

                      There is literally no system you can construct to attack a random string of characters; the only method available is attempting every combination of characters. And random strings don’t have to be random, they only have to appear random. D0g$c4T!sNaKe isn’t a random string, but for purposes of cracking, it might as well be. And I’ve already memorised it.

                      Nothing is completely secure. Thinking you’re being clever, you’re outsmarting the crackers, you’re being super safe is the first step towards creating a breach.

                    • ET says:

                      Yes, your 11-character password is secure, but normal, fallible humans are probably only going to be able to remember like, four random characters, which is much much less secure. The point is, we need to maximize the ratio between the password strength, and the difficulty in remembering that password. Starting with a set of easy-to-remember items to construct passwords is much better than just telling people to remember longer strings of punctuation, because the length is already longer than they can remember.

                      Furthermore, you’re assuming that passwords constructed with words follow patterns. Choosing several words randomly from a list of words is by definition the same as choosing several characters randomly from a set of characters. So, yes, if your password is a sentence following normal English rules, then it’s easily crackable. Don’t do that.

                    • Daemian Lucifer says:

                      @krellen

                      Hold on there, are we talking brute forcing or other methods of decryption? Because yes, your 11 string password may be safe from cracking, but it’s not safe from spyware, for example.

                      Yes, nothing is 100% safe, but I was not talking that. I was merely pointing out that passphrases can be just as safe as passwords. Sure, l33t speak is safe, but unless you constantly type stuff like that it’s not that easy to remember. Phrases, on the other hand, like “Ciao bella,I’m leaving!”, are just as safe, but easier to remember for more people. Unless someone knows exactly what my thought process was when coming up with that phrase, they won’t be able to guess that one with any conventional means either.

                  • TMTVL says:

                    There are password managers out there, you know? Try looking into LastPass or KeePass. They can store passwords for you and they can be synced across computers. In fact, there’s even ways to set up temporary use for using them on untrusted computers.

          • Peter H. Coffin says:

            However, that shorter password is more secure if you only use it on one single site, and use that other one on every site you log into.

    • Humanoid says:

      There’ll probably be millions of non-Americans who live at postcode 90210 too.

      Smarter to have an “address” in a sales tax-free state though.

    • swenson says:

      Ha! Me too. We should all go have a slumber party at our clearly real and not at all fake address. Think the owners would mind?

  7. Dreadjaws says:

    Well, I played Saints Row 4 for the first time a few weeks ago and I successfully uploaded a character into the system, so I guess your theory of it actually working for existing accounts is correct (I already had an account from Saints Row 3).

    But yeah, this stuff is annoying. They’re all so worried about doing something because “everyone else is doing it” that they don’t realize “everyone else” is actually putting some care into it.

    It happens everywhere, of course. It’s the same reason that after The Matrix every action movie included some bullet time effect, even if it made no sense or it was actually detrimental. They care so much about doing something that’s popular that they don’t stop for a moment to try to figure out why it’s popular, so we end up with half-assed efforts at best.

  8. Infinitron says:

    Yep, sounds like a relic of THQ. If they don’t want to support it they should patch it out.

  9. Raygereio says:

    I wonder how long the site has been non-functional like this without anyone noticing?

    People know. The password recovery at saintsrow.com not working has been a thing for years. Likely no one with decision-making-powers at Deep Silver cares.
    Shamus, if you haven’t solved this already, try the password recovery at THQ.com. If that fails, send an email to saintaccount@deepsilver.com.

    Also I had a fun problem where I created an account at saintsrow.com, but didn’t remember that I had made an account at thq.com years ago with the same account name, but different email and password.
    The saintsrow.com site didn’t inform me of this during account creation, but after I finished creating my account it apparently decided to overwrite the email and password I inputted, with the email and password of the thq.com account (again without informing me).
    To be fair: Deepsilver support did help me recover the account. But still…

    • Fawkes says:

      Like Raygereio says, people do know; at least enough that a few posts showed up when I went through this same situation when I played SR4 last. I — honestly can’t tell you how I fixed it. I am replying to Raygereio though because I believe that it did involve basically skipping the actual Saints Row site and instead using THQ.com to recover the password. That or it involved using a secondary reset password link I found via google searching and the point is that —

      This is all a ridiculous amount of hoops to jump through to use a character creator! Especially when all I wanted to do was transfer a character from SR3 to SR4. It’s even worse in that the game itself seemed to only accept one account, the one already connected to the Steam Name. At the time at least, it seemed that making a new account wasn’t even an option.

      (If all else fails, yeah, try the direct E-Mail recommended above.)

  10. Eruanno says:

    AHA. I’m not the only one. I had the exact problem you describe, Shamus. Eventually I just said fuck it and gave up because the whole thing was convoluted and stupid :<

  11. Pat says:

    Reminds me of when I tried to change my password for Crysis 2 after their database had been compromised. Instead of changing my password I somehow ended up creating a second account on the same e-mail address (which should not have been possible) at which point I ended up with two accounts both of which didn’t function correctly.

    What was worse imo was that I was for some reason refused access to the forums using either account and Crytek’s support mail (and all other e-mail addresses mentioned on their site) seems to be out of use or simply refusing to respond. EA couldn’t help me and all I got out of them was that “they were aware of the problem” (..that Crytek support is unavailable).

    Long story short, I still haven’t managed to change my password and now refuse to buy Crytek games.

  12. el_b says:

    I am scared to reinstall Company of Heroes: Opposing Fronts, because I have no idea if it will work now that Relic no longer exists. It has this ridiculous force update and login system that takes about an hour and a half to get past. On the bright side I copied all of the patch files onto my external hard drive so I should be able to just place them back in the right folder and not have to wait so long if it does work.

    BioShock games would be a massive pain as well I imagine, since not only do they use Windows Live which no longer exists, but there was a bug meaning that when you uninstalled it it didn’t give you any of your BULLSHIT three install limit back, so you had to contact the company to ask for permission to install your own again… I believe the company broke up recently.

    Beyond all of the moral and ease of use concerns with digital rights management, the fact that it can brick your game if the company dies is far worse.

  13. Nick-B says:

    And people WONDER why people are flocking to indies? It’s not because of the cheap price. It’s not because of the innovative story. It’s not because of the use of satisfying pixel-art or 16-bit era graphics in place of bleeding edge (and buggy) pixelshaders and shiny voxels. It’s not because they make games that cater to a specific niche, and don’t water it down to make it “mass market” appealing (which ends up making it mediocre, but at least everyone half-likes it, instead of half of everyone 100% liking it!).

    Nope, it’s not for all those reasons. It’s because despite the large use of social media to talk to their customers, indie devs mostly believe social media should stay the fuck out of my video games, and hardly – if ever – slip social facepages and instatwits into the games themselves.

    • ET says:

      I started trying to write a witty, concise, sarcastic remark about how social media is supposed to be used by people to interact socially, and not abused by companies trying to sell stuff… Then it became a run-on sentence longer than this explanation, because of all the BS companies are doing. :S

  14. aquagosh says:

    The only time I’ve used any sites like that was for Fable..2? Or maybe 3? There was a pre-order bonus where you could design a random NPC who would then show up in your game. You went to the site, selected between about a half dozen presets for hair, face, body, dress. You gave them your gamertag, and when you played the game, the NPC you designed would show up in the game. Not a big deal, but it was kinda neat.

  15. The Specktre says:

    I don’t know if anyone else has mentioned this, but I actually tried using this feature recently, only I knew my username, email, and password. I tried SEVERAL times, I didn’t actually count. I thought I maybe had my hands on the wrong keys, or I wasn’t being careful, or various other things.

    I think their site may be borked, or dead. It’s funny that we checked this out at around the same times, more or less.

  16. Andrew_C says:

    I’m sure everyone has mentioned it already but that Saints Row website has been borked since it was put up before the release of Saints Row 4. Sometimes it works, sometimes it doesn’t.

    I’ve corresponded by email with Deep Silver’s customer support, they are aware of the issues, but don’t seem concerned by them.

    As far as I can tell, one issue is that their system isn’t creating the accounts properly. If you bug them enough, they will set the account up so you can log in when the site is working. The email I used was saintaccount@deepsilver.com but I have no idea if they still respond to it.

  17. AlecW says:

    Thanks for this sort of ‘consumer advice with a Message’ material Shamus.
    It’s always been a great read from you.
