Security Improvements - Version 1.2.3

ZOS_GinaBruno · June 2014

With the release of update v1.2.3 tomorrow, we have also made some increased security improvements to our account system. As a result, everyone will be prompted to enter a new one-time password, regardless of whether or not you’ve entered one before. Your one-time password will be sent to the email address associated with your account for The Elder Scrolls Online.

If you have additional questions about what the one-time password is, or why we use it, please see this knowledgebase article.

If you receive Error 206 when entering your one-time password, please see this knowledgebase article.

SirAndy · June 2014

Error 206 when trying to enter my access code:
When entering the access code, players should ensure they have not accidentally added any spaces at the end. Otherwise, their code will not be accepted.

Really?

Please tell your web developers to look up the use of the trim() function to remove leading and trailing white-spaces from passwords entered in a web-form.
;-)

Auric_ESO · June 2014

SirAndy wrote: »

Error 206 when trying to enter my access code:
When entering the access code, players should ensure they have not accidentally added any spaces at the end. Otherwise, their code will not be accepted.

Really?

Please tell your web developers to look up the use of the trim() function to remove leading and trailing white-spaces from passwords entered in a web-form.
;-)

And for the people that DO have a space at the start or end of thier password?

SirAndy · June 2014

Auric_ESO wrote: »

And for the people that DO have a space at the start or end of thier password?

@Auric_ESO
This is about temp, one-time passwords sent to you by ZOS via email. They are in control of the characters used for those passwords.

The problem with leading or trailing spaces is that if you double click a word in an HTML email (like your temp password) and copy it to your clipboard, you often get trailing white-spaces since your mailing program is trying to be "smart" and copies trailing line-breaks, spaces or tabs with the actual word.

It would save ZOS a lot of hassle around 206 errors for their temp passwords if they simply didn't include white-spaces in those passwords and then used a trim() filter on the receiving end to automatically remove those before comparing the password.

;-)

Auric_ESO · June 2014

ah, gotcha, missed that part. I took your comment a bit out of context thinking it was for entering passwords and not the one-time pw's so your comment about parsing the entered code is appropriate.

Kangas · June 2014

SirAndy wrote: »

Error 206 when trying to enter my access code:
When entering the access code, players should ensure they have not accidentally added any spaces at the end. Otherwise, their code will not be accepted.

Really?

Please tell your web developers to look up the use of the trim() function to remove leading and trailing white-spaces from passwords entered in a web-form.
;-)

Oh man. You tell 'em. No excuse not to trim().

Ri_Dariit · June 2014

another "dumb" password verification. ZOS, poor word choice.

Security token = security improvement
login not showing up in game = security improvement
one-time-password = current security already active, henceforth not an improvement.

You're just hassling current subscribers, not enhancing their security.

Honestly, this is making me feel more annoyed than safe...

radiostar · June 2014

Hope this limits the security screens

Seravi · June 2014

Well as long as the emails are sent immediately it isn't a hassle. I've only had this happen one time, some blip on my connection even though my IP had not changed. Got the email as soon as I tried to log in again. I have seen many posts where folks are waiting hours or days to get them.

Just hope their mail servers are able to handle that hit they are going to get when the servers come back up.

melunkale · June 2014

I haven't gotten any emails, and I am getting error 108 when logging on at 6:43am EST 6/24/2014

fromtesonlineb16_ESO · June 2014

Seravi wrote: »

Well as long as the emails are sent immediately it isn't a hassle.

Last time I remember them doing this was a long time ago on the EU server, and people suffered for hours and days after with e-mails not arriving due to ZOS' mailing system not being able to handle the load.

fromtesonlineb16_ESO · June 2014

ZOS_GinaBruno wrote: »

If you have additional questions about what the one-time password is, or why we use it, please see this knowledgebase article.

That KB article doesn't answer my question: why are you inflicting this on us when history tells us many will have big problems for days afterwards.

Just HOW does this pain help us?

Auric_ESO · June 2014

melunkale wrote: »

I haven't gotten any emails, and I am getting error 108 when logging on at 6:43am EST 6/24/2014

Serves are not back up yet.

Slash8915 · June 2014

I agree with most of the other posters. I don't see how making us put in another one-time code is a "security update".

I honestly think ZoS employees are masochists. They always seem to do crap that will almost certainly cause huge backlash.

fromtesonlineb16_ESO · June 2014

ZOS_GinaBruno wrote: »

As a result, everyone will be prompted to enter a new one-time password

Nope didn't happen on either of my accounts I'm pleased to say, logged in just fine without this happening.

Seravi · June 2014

fromtesonlineb16_ESO wrote: »

ZOS_GinaBruno wrote: »

As a result, everyone will be prompted to enter a new one-time password

Nope didn't happen on either of my accounts I'm pleased to say, logged in just fine without this happening.

The update isn't complete yet. After they open the NA server today is when the email verification will kick in.

silent_banshee · June 2014

LOL, one-time passwords as a 'security improvement'? I'm sure there's more to their security improvement plan than just one-time passwords. Then again, maybe ZOS figures it's more worthwhile to have the player base feel safe rather than to be safe.

Kangas · June 2014

Auric_ESO wrote: »

SirAndy wrote: »

Error 206 when trying to enter my access code:
When entering the access code, players should ensure they have not accidentally added any spaces at the end. Otherwise, their code will not be accepted.

Really?

Please tell your web developers to look up the use of the trim() function to remove leading and trailing white-spaces from passwords entered in a web-form.
;-)

And for the people that DO have a space at the start or end of thier password?

I guess you are just trying to play Devil's advocate here. I don't know of a site that allows spaces at begin or end of a password. If it does it is probably not a site that should be accepting passwords.

Kangas · June 2014

silent_banshee wrote: »

LOL, one-time passwords as a 'security improvement'? I'm sure there's more to their security improvement plan than just one-time passwords. Then again, maybe ZOS figures it's more worthwhile to have the player base feel safe rather than to be safe.

There is more to it. If a site can send you your plain text password it means that password is stored and accessible on the site.

When (not if) a hacker compromises the ZoS site at some point and gets access to the password area what will they find? If they find plaintext passwords we are all in big trouble.
If on the other hand they find one way hashed passwords that can only be reset not reminded with an "I forgot my password" option then the hacker has no useful info with which to login to user accounts.

Hopefully the one time password changes are part of that larger scheme to protect our data and are therefore very worthwhile. We have seen way too many companies get breeched these days!

silent_banshee · June 2014

Kangas wrote: »

silent_banshee wrote: »

LOL, one-time passwords as a 'security improvement'? I'm sure there's more to their security improvement plan than just one-time passwords. Then again, maybe ZOS figures it's more worthwhile to have the player base feel safe rather than to be safe.

There is more to it. If a site can send you your plain text password it means that password is stored and accessible on the site.

When (not if) a hacker compromises the ZoS site at some point and gets access to the password area what will they find? If they find plaintext passwords we are all in big trouble.
If on the other hand they find one way hashed passwords that can only be reset not reminded with an "I forgot my password" option then the hacker has no useful info with which to login to user accounts.

Hopefully the one time password changes are part of that larger scheme to protect our data and are therefore very worthwhile. We have seen way too many companies get breeched these days!

That... makes a lot of sense

Like I said, I figure they're taking steps to make things more secure. I've just had a hard time tracking down any sort of literature on what they're doing specifically.

Thanks for the illuminating reply, I appreciate that you took the time.

EDIT: I should point out that I tend to get nervous about account security since the whole Playstation Network credit card details kerfuffle a few years back. I know, different company, but still it's something I think about.

Prince_Edward · June 2014

More than likely, something to do with heartbleed. Surprised no one has thought of that, I wonder why? Oh wait, my bad. I was assuming by all the implicitly "knowledgeable" comments, that everyone here had a comptia #,was a CCISP, or at least knew what CEH and (ISC)2 meant... silly me.

If you were a big company, who's primary revenue were IT based products, would you leave your costumers' (read as "money") tech security in the hands of some guy who thinks he's a Category 5 Ninja (hehe, nerdgasm) bc he has a sweet battlestation setup? No. You'll hire the guy with a plastic card that say "Sec+" on it.

Also, you can find out some of the above references here:
google.com

katkat42 · June 2014

I imagine ZO is simply repairing a hole in the chicken coop on their end, and the one-time password thing is just to make sure no foxes got in while the hole was open.

Deaf_Players_Rock · June 2014

ZOS_GinaBruno wrote: »

With the release of update v1.2.3 tomorrow, we have also made some increased security improvements to our account system. As a result, everyone will be prompted to enter a new one-time password, regardless of whether or not you’ve entered one before. Your one-time password will be sent to the email address associated with your account for The Elder Scrolls Online.

If you have additional questions about what the one-time password is, or why we use it, please see this knowledgebase article.

If you receive Error 206 when entering your one-time password, please see this knowledgebase article.

Where is this email with the password? Why don't I have it? When will I get it?

starlizard70ub17_ESO · June 2014

So when is this email with the password get mailed to us, I haven't received mine yet.

Insanyti · June 2014

Deaf Players Rock and Starlizard, do you two by any chance use Hotmail/Outlook? I use Gmail and received my email just fine but my boyfriend and another player who use Hotmail/Outlook have NOT received theirs yet.

Apparently the service is having issues. Sending AND receiving.

bruceb14_ESO5 · June 2014

Once you try to log in, the email gets sent, at least it worked for me. I thought there would be an email to everyone and was looking for it while patching, then realized it wasn't till logging.

CaffeinatedMayhem · June 2014

Hey guys - it's not your email provider, it's ZOS. I also use Gmail and have not received the security email. Customer support call wait time is over an hour.

I don't get irate at much, but this will push me over the line.

Edit: And according to phone support it's not because of 1.2.3 and I'm and idiot for reading the forums. And email support saw that I had a phone support ticket and closed me out.

WTF?! THIS IS WHY I"M QUITTING. THIS.

Not bugs, not "broken mechanics", not server downtime.

THE GAME LOCKING ME OUT AND CUSTOMER SERVICE TREATING ME LIKE A CRIMINAL.

Mix · June 2014

My email was sent (gmail too) as soon as I tried to log in. There is a separate password box that will pop up and ask for your "one-time" password code. I thought it was something that would have to go in the password box under my username, they need to update that message to be a little clearer. (or I am in the minority who didn't immediately try logging in as usual)

CaffeinatedMayhem · June 2014

Mix wrote: »

My email was sent (gmail too) as soon as I tried to log in. There is a separate password box that will pop up and ask for your "one-time" password code. I thought it was something that would have to go in the password box under my username, they need to update that message to be a little clearer. (or I am in the minority who didn't immediately try logging in as usual)

No, I did the same. I've finally gotten in, but still not going to renew. There's only so much crap I'll take. I love the game, but I'm tired of crappy customer service.

Syrrisdevlin · June 2014

as some of you know and others keep asking (I've just had a hard time tracking down any sort of literature on what they're doing specifically.) you will not find this because that info in itself is a security breech if they tell you what they are doing with their security and how they are doing it then you the hacker know what to expect and so on

Ps sorry for the unnamed quote I just copy pasted the most recent one I saw the pretty much said the same thing or asked the same question as to what exactly zos is doing with their security and why they are doing it

WebBull · June 2014

thatlaurachick wrote: »

Mix wrote: »

My email was sent (gmail too) as soon as I tried to log in. There is a separate password box that will pop up and ask for your "one-time" password code. I thought it was something that would have to go in the password box under my username, they need to update that message to be a little clearer. (or I am in the minority who didn't immediately try logging in as usual)

No, I did the same. I've finally gotten in, but still not going to renew. There's only so much crap I'll take. I love the game, but I'm tired of crappy customer service.

What did you do to finally get in? I tried to log in and was prompted for a "access code". I was emailed an access code and (not a temp password) and it doesn't work. Rechecked it doesnt work. I have gone through the entire process several times now.