The Elder Scrolls Online

Maintenance for the week of February 23:
· [COMPLETE] NA megaservers for maintenance – February 23, 4:00AM EST (9:00 UTC) - 12:00PM EST (17:00 UTC)
· [COMPLETE] EU megaservers for maintenance – February 23, 9:00 UTC (4:00AM EST) - 17:00 UTC (12:00PM EST)
· [COMPLETE] ESO Store and Account System for maintenance – February 23, 4:00AM EST (9:00 UTC) - 12:00PM EST (17:00 UTC)

@accounthandle Displaying in guild rosters & chat. This needs to go ASAP!

Leave a Reply
  • HandofBane
    HandofBane
    ✭✭✭✭
    Keep up the good fight, brother. Brought this up at the AMA back on reddit, and it was ignored/overlooked by the devs in favor of questions about coffee...

    Too bad we can't link back on the long threads/poll we had back on the Sanguine board, I really don't feel like retyping that whole long post explaining exactly how this is can be abused and actually *is* a security issue.
  • Spritehawk
    Spritehawk
    ✭✭
    Next time you get a crash report option, take a minute to scroll through it. I thought it was very interesting. It had everything except my SIN #
  • ghuff07
    ghuff07
    Soul Shriven
    I agree with almost every comment in this thread. These are my three reasons not to display UserIDs in game:

    1. RP/immersion - I want to be known as my character to my guildmates and friends, not my UserID. And I don't like seeing it referenced in all of my guild chats.
    2. Privacy - Kind of related to #3 and I definitely picked the wrong UserID and am currently trying to change it via Support.
    3. Security - You can argue all day about security layers and the difficulty of hacking accounts, but why make it easier by displaying one of the data elements? That's a step backwards.

    Blizzard uses BattleTags for a similar game mechanic so we know it's possible to avoid displaying UserIDs to all.
    Edited by ghuff07 on April 2, 2014 12:30PM
  • M_Luminos
    M_Luminos
    ✭✭✭
    Darquer wrote: »
    @Vlas, I've been in IT for over 25 years in the largest companies in the world. I've run some of the largest IT shops. I would not hire you. Drop the idiocy about paranoia, etc. We are talking best practice and also about the confusion the login name versus the character name causes.

    I wouldn't waste my time even replying to a troll but hey, the game is down. I'm sure you think that's good too. It gives you time to troll.

    though I agree we ought to strive for "best practice"

    The end user will still insist on using "password" as a password, and the recovery question "your mother's maiden name" is really asking them what color was their favorite pair of shoes when they were five.

    Of course, they wont remember when signing up they thought mother's maiden name was too simple, and figured theyd remember what the REAL question was by associating mothers maiden name with a pair of shoes when they were five.

    In a perfect world end users would have passwords they could remember that were at least 7 characters long, with at least one capital letter, one number, and one special symbol reducing the chance of a successful brute force attack by a factor of more than 100,000,000

    All of my passwords are either a combination of english words, or latin words. Dictionary attacks would need multilingual support to crack them. And brute forcing 14 character alphanumeric password from a non standard language to get my in game gold is not worth the 3.9326 x 10^5 Years it would take a computer (for a very fast computer)

    The problem here then is key loggers. And who is responsible for keeping your computer virus free?

    Any way I look at it, password security is the responsibility of the user.

    Limited password attempts and trusted computers. Zenimax is doing fine. Though I would still like 2 factor authentication I'm not worried about my account security.

    Edited: Gooder grammar
    Edited by M_Luminos on April 2, 2014 12:53PM
  • HandofBane
    HandofBane
    ✭✭✭✭
    M_Luminos wrote: »
    Any way I look at it, password security is the responsibility of the user.
    And the followup cleanup of the failure of that security falls on... Zenimax customer service. So why not add in some additional security layers to make it less necessary for time to be spent dealing with compromised accounts (and potentially robbed guild banks affecting MANY accounts)? Do folks here really not consider that keeping it the way it is will result in even longer CS response times, and more worthless copy/paste replies that don't actually read the ticket because they are rushed with a backlog of problems they could have helped prevent happening in the first place?
  • Invisioblack
    Invisioblack
    ✭✭✭
    Darquer wrote: »
    @Vlas, I've been in IT for over 25 years in the largest companies in the world. I've run some of the largest IT shops. I would not hire you. Drop the idiocy about paranoia, etc. We are talking best practice and also about the confusion the login name versus the character name causes.

    I wouldn't waste my time even replying to a troll but hey, the game is down. I'm sure you think that's good too. It gives you time to troll.

    I love the talk about "Best Practices"... From a technology perspective the accounts are as safe as they can be. Security Through Obscurity is not a great plan.

    This is the security Schema as it sits -

    Log in tied to Physical Computer & IP Address - If either changes you need to re-validate that computer through your e-mail.

    If they have your e-mail - they have your account anyway. I use a separate account for my games and a different one for gaming site subscriptions[This prevents site vulnerabilities from getting me hacked]. It reduces the surface area exposed in MY e-mail account. However - in the end the account name could still be obtained from you if you do not use separate e-mail accounts by just hacking your e-mail.

    The best fix for this is authenticators. I am sure they are "on the list"
  • wolf81inIL
    wolf81inIL
    Soul Shriven
    TeRyn wrote: »
    So in the beta's ive been a huge supporter of getting rid of this feature. Ive made multiple threads, submitted multiple /feedbacks about this and for the majority seen that 75% of the playerbase want this removed(5% want it and 20% dont care). I dont feel like writing another long novel about this as i have before in the beta forum sections but this NEEDS to be addressed.

    1) Hacking: Yes you can argue all you want about having a mindbogglingly good password that you cant even remember without having to access your password keeper app on your phone or computer. But the fact of the matter is everyone has access to one half of your account information.

    2) Identify Protection: First off, and this mostly will apply to females but will also apply to some men. I have already seen multiple players use in part or whole, their real names as their handle. Ya all i'll say is this. Let the stalking begin.

    3) Immersion & Roleplayers: While i am not a huge RP'er there are those players who are. I cant even begin to imagine players who like to roleplay and having to deal with seeing names in guild chat like @pimpsbro1 or @mariobrosmash @pixiesex @81bobturnerx1.

    Those were probably the biggest factors ive read and talked with from other players.

    On a side note, i think the intention Zen had was excellent as it allows everyone to keep in contact with a players multiple characters easier.

    Here are the solutions i have posted before.

    1) Get rid of it. Bye Bye, ex-nay-with-the-accounthandles-ay.

    2a) Keep the accounthandles ingame and a valid way to keep track of a players multiple characters, but add an account "Nickname" in replace of it being displayed. This will be displayed in the guild roster and in guild chat along with in your friends list. This "nickname" will have no link to your account login information.

    2b) Keep the accounthandles ingame and a valid way to keep track of a players multiple characters, but instead of the accounthandle being listed on the guild roster, in guild chat or in the friends list default to "current character being played by player/account".

    Currently the guild roster and friends list shows the @accountname, hovering your mouse over the @accountname will show you the name of the character they are on. Simply swap this, character name defaults in guild roster & chat and hovering over character name shows @accounthandle.

    IMO 2B seems the easiest way to fix this problem but the underlying problems of 1 & 2 still factor in.

    So how would you guys like to see this handles

    1? 2a? 2b?

    Agreed, agreed, agreed agreed. This needs changed asap, at least give us the option to change this.
  • HandofBane
    HandofBane
    ✭✭✭✭
    Motivated since the servers are still busy being raised as undead. Warning: wall of text incoming, but something the devs/CS folks need to realize, and to help folks here who don't take the issue seriously to see just what potential risk there is in the current setup.


    How to hijack a TESO account through some slight social engineering in a few easy steps:
    1) Set up a website, using copy/pasted info from any of the variety of sources out there, with required registration to access. Registration process should require a confirmation email, a password for the site, and a request for the new user's account name (with reasoning given in step 2).
    2) Join any guild advertising for new members in /zone. Congratulations, you can now see those account names and have characters/permission access listings in an easily visible format. Advertise in /guild that you have set up a website with helpful info for the game, but want it restricted to guild members only, so it will ask for their @handle to confirm they are actually in the guild (thus alleviating concerns that there is something devious in the works).
    3) Take the new list of emails, passwords, and @handles, then start testing each email account to see who uses the same passwords for everything. This actually includes far more people than you expect, especially people who want to feel high tech without knowing what they are actually doing. Any of those accounts you now have access to? Hold off on doing anything til you complete the next step.
    4) Start sending out official looking emails (easy to copy, since folks have been so kind as to repost some of the email replies they got from Customer Service all around the web) suggesting there has been an account issue, and they need to log in to verify the account is theirs, using that @handle from earlier to make it look more official. Believe it or not, people actually buy into this if the email is well written with proper English. Set up the link in the email to point to a very similar looking site to the one we are on now. You now have everything you need to get into their account at your leisure, including email access to their own personal accounts to get around the "we will send you an email if we don't recognize the computer" system that is in place now.
    5) Pilfer, redistribute to other accounts, profit. And for extra evil, delete the characters so customer service has an even tougher time with their resources tied up trying to recover the characters and determine was is actually missing and what was just deleted.

    There you go, I just broke the current security system. Folks can come in here saying "This is why you need personal password security habits!", but that means nothing when you figure just how many people out there are... not wise enough to realize all the mistakes they are making in regards to their own password security, and firmly believe either "I am fine" or "It won't happen to me! That only happens to other dumb people!"

    I expect this post to get nuked by a mod at some point, but this MUST be addressed. Especially with no authenticators being made available to us.
  • wolf81inIL
    wolf81inIL
    Soul Shriven
    I stated this in the other thread too but felt the need to post here as well.

    My other concern is my character name. I have used this name for years, in one form or another. I identify with it. I want my guildmates to identify me with it too. That's not really possible at this time. This isn't as much of a concern as an annoyance, but it's still a big deal.
  • kewl_ESO
    kewl_ESO
    andrei_baruub17_ESO wrote: »
    Add the fact that there are no player name plates.. i cant recognize ANYguildmates or ANYONE for that matter in game. Its like mindless no-name people running around me. Nothing matches with TS.. and YOUR IN GAME NAME THAT YOU CHOSE MEANS NOTHING. You wanted to make a game thats immersive, and you completely negated our CHOSEN NAMES? are you people working there at ZOS.

    agreed, I see a big problem when trying to team up with guildmates and trying to find out who's who. Going to be bigger when everyone has a few toons they use and trying to remember what userID has what char names for which class.

    If anything... guild chat should show the current toons name so can be seen in party widow later. So with the game wanting 1 name to connect the account to all guilds. Someone mention a "nickname" which that would work to show in guild window as a tab to sort by just like player name or level etc.

  • TeRyn
    TeRyn
    ✭✭✭
    Bump to keep the devs aware of this till it gets fixed. More peoples opinion wanted as well.
  • JoeBenet
    JoeBenet
    Yeah, this definitely needs to go. Just use our character names.. I don't get why that is a problem.
  • Migoda
    Migoda
    ✭✭✭✭
    TeRyn wrote: »
    Currently the guild roster and friends list shows the @accountname, hovering your mouse over the @accountname will show you the name of the character they are on. Simply swap this, character name defaults in guild roster & chat and hovering over character name shows @accounthandle.
    Agreed! I'm voting for this simple change since beta. For example, me and my guild mates are used to doing some roleplay in our guild chat faily often and showing account handles instead of character names there is greatly killing immersion for us.


    Edited by Migoda on April 2, 2014 10:42PM
    AGT - Archäologische Gesellschaft Tamriels
  • achimb16_ESO3
    achimb16_ESO3
    ✭✭
    +1 for OP
  • Saera
    Saera
    ✭✭✭
    I have to agree with the OP, especially with #1.

    #3 made me lol, not the roleplaying feature, but teh fact that yeah @pixiesex etc lol made me giggle... i love to rp and am glad that I do not have a funky username,
  • Aria
    Aria
    ✭✭✭
    I have no issue with the way things work at the moment, personally like the fact that people cant hide behind their different character names (Gold sellers for example) all you have to do is report / ignore one name and its the account not just that one character thats taken care of.


    Silver Dragon Legion
    "The adult, casual no drama guild you've been waiting for!"
  • TeRyn
    TeRyn
    ✭✭✭
    Up she goes.
  • Sakiri
    Sakiri
    ✭✭✭✭✭
    ✭✭
    nzblustone wrote: »
    Vlas wrote: »
    Except that when you are in a guild, you are in a guild for all characters... so it is logical to have one single name for it. Thus the account name.

    Think it through man... how else will you remove confusion of the guild leaders.
    Guild Leaders worth their coin are not so easily confused. Most MMOs in the past just display your currently logged in character name in guild rosters and chat and it is a completely acceptable system.

    So as a guild leader of a guild with hundreds of people, the GM needs to keep track of alts manually.

    What if someone invited in a hurry and forgot to make a note? Its happened, leaving me to go wtf when no one answers who it is and I get kvetched at when I gkick the unknown, usually by the main.

    If youd have told me who the hell you were when I asked...
  • Arawn
    Arawn
    ✭✭✭
    You can hide the accounthandle with a pseudo that you determine under settings.
    For example you have as accounthandle:
    Snoopy87@gmx.net

    Under Settings you say Accounthandlenick = PoorDog
    You confirm and this is saved in the accountbackgroundinfo as pseudo.
    Now when you login you will be shown as PoorDog for friends or guild.
    But the system can still work with the accounthandle in the background.
    Functions are not changed and this is just a tricky display fix.

    For Zenimax this shouldn't be so difficult to build in.

    Edit: Corrected a logical failure i wrote.
    Edited by Arawn on April 3, 2014 1:43PM
  • Silliab16_ESO
    Silliab16_ESO
    Soul Shriven
    I think the greatest problem people have with it is that it is the account name that gets displayed. If you could just choose a pseud that gets displayed instead there would be less outrage about it.
  • Saerydoth
    Saerydoth
    ✭✭✭✭
    All they have to do is change the game login system, so you log in with your email address instead of the account name. And keep the account name as-is.

    I'm totally fine with the @userid in friends lists, guild chat, etc. No problems whatsoever. But yeah, I do agree that probably shouldn't be what you use to log in.
    Edited by Saerydoth on April 3, 2014 9:22AM
  • karldavy149b16_ESO
    karldavy149b16_ESO
    ✭✭✭
    AGREED giving away 50% of your login infomation everytime u talk is not cool have a function to hide it ... or nickname it

    STILL I GUESS ITS BETTER THAN GIVING AWAY YOUR EMAIL ADDY EVERY TIME YOU TALK SO I CAN C WHY U CHANGED IT BUT REALLY NOT A VERY SECURE PRACTICE REGARDLESS OF THE PIN TO EMAIL WHEN LOGGING IN FROM NEW COMPUTER



  • Left_Hand
    Left_Hand
    ✭✭✭
    To be honest this doesn't bother me the least, and Zenimax did give ample warning that the system would work like this before the game launched, those you who had "silly" or your real name as account names are able to change them through support before and after launch. Not sure what the problem is, and in a single server environment this is the best option to distinguish characters.
  • Stautmeister
    Stautmeister
    ✭✭✭
    This is the response i got for bringing up this issue.

    We understand there may be some concerns surrounding the userID being visible to other players in-game. We have a multi-tiered system in place to improve your security, and there are many other facets to login security besides the basic credentials in The Elder Scrolls Online. Your security is of the utmost importance, and we go to every length to make sure your information is safe and secure.
    The process of getting personal information from a userID is extremely difficult, if not virtually impossible. To recover a userID associated with a specific e-mail address and password, you need the first name, last name, and e-mail address of the account owner. Provided that is correct, you are still required to answer a security question, provide the correct answer, and then be sent an e-mail with a reset link. Simply attempting to put the required information into the website will not give the attacker any information.
    There are quite a few layers of authentication, as well as the security of your trusted e-mail to protect you. This is all coupled with additional security not exposed to the player or potential hacker that protects you as well.

    And im one of those people who get influenced even more because i cannot change my forum name :)

    I have no issue with 1 account name though.
    An orc marrying a wood elf?! Enjoy your Borsimer mutants!
  • reagen_lionel
    reagen_lionel
    ✭✭✭✭
    I agree with everything here. Been adamant about this and chat bubbles for the longest back in beta. Why go through all the hassle trying to change it for so many people?

    And trying to communicate with people in your own guild is a mess because of this as well. Why not just simply show the character names and have it show people's ID when hovering over it instead like the most logical thing to do?

    I'll continue to send /feedback about this ingame too.
    Edited by reagen_lionel on April 3, 2014 9:57AM
  • TeRyn
    TeRyn
    ✭✭✭
    Sending my guild mates to read up on this.
  • Endalaure
    Endalaure
    Soul Shriven
    I can agree with a lot that was said here.

    I personally do not care about name-plates. I think it's more fun to learn to identify with guildmates, etc, if you can recognize them by their appearance/gear/weapon/etc. For some it may be harder if their PCs can't support the higher graphic detail without suffering some in-game performance.

    However, I do not like that my account username is the first and more prominent name listed. With all the people who are playing, I can't remember the account name and up to 8 additional in-game character names these people may have. In guild chat, half the time I'm not 100% sure who I'm talking to.

    Thank you, also, those who mentioned you can have your user-name changed. I did not know that.

    And I also did not know that when you block someone, you block all 8 potential characters they have. Which I think is amazing.
  • caryhammub17_ESO
    caryhammub17_ESO
    ✭✭
    Easily fixed, Champions online, STO, and Neverwinter did it easy. You set a user name, and then a game handle, you log in with the user name to your account, and when in game you show up as charactername@gamehandle in chat. You cannot make the handle, and the username the same, or contain a large similar section.

    Agreed, Needs to be fixed, I do not like the username being out there, aad I would also like to be able to adjust my forum handle, since it was given to me by the company during beta, and it contains part of my real name.
  • TeRyn
    TeRyn
    ✭✭✭
    Bump!
  • TeRyn
    TeRyn
    ✭✭✭
    Bumpity bump.
Sign In or Register to comment.