Security Feature


deepthought
Warrior
Posts: 314
Joined: 01 Sep 2014, 10:32
Location: India

Security Feature

Post by deepthought »

There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest implementing that account logins should be possible only with a single IP address. It's a little cost we pay, but our accounts will be safe. Another feature is to implement a maximum number of login attempts. After a certain limit, the account can't be logged in to, and can only be logged in to after the user has responded through email and the password is reset.
Last edited by deepthought on 08 Mar 2015, 16:36, edited 3 times in total.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
Steingej Eisenserg
Peon
Posts: 22
Joined: 06 Nov 2014, 20:11

Re: Security Feature

Post by Steingej Eisenserg »

idk, but where I come from there are dynamic IPs handed out by my provider... actually I have a different IP like every day... the other thing is ppl logging in from mobile or from another WLAN... the only way for me to make this work is to use some proxy...
not to disappoint u or sth
prsm
TMW Classic
Posts: 1587
Joined: 24 Mar 2009, 17:18

Re: Security Feature

Post by prsm »

It's been my experience that we have very few people being hacked; we do have people giving away their username/password and then being exploited.

Lesson to be learned here: don't give away your username/password.
ego is the anesthesia that deadens the pain of stupidity!
deepthought
Warrior
Posts: 314
Joined: 01 Sep 2014, 10:32
Location: India

Re: Security Feature

Post by deepthought »

Even without sharing ID and password, there have been hacks. For example, take the Salah case. Recently the Octopus account was hacked. I would at least look forward to implementing the minimum number of tries for IDs and passwords.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
prsm
TMW Classic
Posts: 1587
Joined: 24 Mar 2009, 17:18

Re: Security Feature

Post by prsm »

AFAIK Salah was a scammer, not a hacker. I have never heard that Octopus got hacked either.
ego is the anesthesia that deadens the pain of stupidity!
AnonDuck
TMW Adviser
Posts: 645
Joined: 02 Jan 2009, 04:19
Location: Catland

Re: Security Feature

Post by AnonDuck »

The server does rate-limit authentication requests. If you choose even a half-decent password nobody should be able to easily bruteforce it.

If it were possible to hack accounts that practice good security we'd have GM and admin accounts getting pwnt left and right. That's not happening.

As far as I'm aware everyone who's ever been "hacked" either gave their account info to someone or had an obvious username and picked something like 12345 as their password. I've even seen people download tmw_cheat.exe that's a keylogger/trojan..

We can't protect against stupid. :alt-1:
Head of the TMW Illuminati
TRGN
Peon
Posts: 48
Joined: 28 Jan 2015, 12:33

Re: Security Feature

Post by TRGN »

My IP always changes when I open my computer.
Siegfried
Novice
Posts: 60
Joined: 03 Jun 2013, 20:03

Re: Security Feature

Post by Siegfried »

deepthought wrote: There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest implementing that account logins should be possible only with a single IP address.
As Eisenserg already stated, dynamic (always changing) IP addresses stand against this idea. But what would be possible is to limit logins to some IP range. But that range would have to be configured by the user himself, not preset by some admin. You could, for example, configure your account to be usable only from the IP range of your provider. And you could choose not to limit it, if you often use mobile access. If you let the user configure that, it would add slightly to security. The increase of security is not very high though.
cerc
Newly Registered User
Posts: 7
Joined: 16 Feb 2015, 08:33

Re: Security Feature

Post by cerc »

Siegfried wrote:
deepthought wrote: There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest implementing that account logins should be possible only with a single IP address.
As Eisenserg already stated, dynamic (always changing) IP addresses stand against this idea. But what would be possible is to limit logins to some IP range. But that range would have to be configured by the user himself, not preset by some admin. You could, for example, configure your account to be usable only from the IP range of your provider. And you could choose not to limit it, if you often use mobile access. If you let the user configure that, it would add slightly to security. The increase of security is not very high though.

How hard is it to remember a 10-digit password?
And why would you give it to anyone? That's stupid.
deepthought
Warrior
Posts: 314
Joined: 01 Sep 2014, 10:32
Location: India

Re: Security Feature

Post by deepthought »

I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations, which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.

Mad Camel,

I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his ID/password or run any untrusted programs. I don't exactly know what happened, but someone who's been here more, like you, should know.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
cerc
Newly Registered User
Posts: 7
Joined: 16 Feb 2015, 08:33

Re: Security Feature

Post by cerc »

deepthought wrote: I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations, which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.

Mad Camel,

I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his ID/password or run any untrusted programs. I don't exactly know what happened, but someone who's been here more, like you, should know.
Don't you have about 4 accounts plus the ones you got from SAXUM/bluecloud? Doesn't that mean that you will be able to use only one?
deepthought
Warrior
Posts: 314
Joined: 01 Sep 2014, 10:32
Location: India

Re: Security Feature

Post by deepthought »

cerc wrote:
deepthought wrote: I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations, which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.

Mad Camel,

I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his ID/password or run any untrusted programs. I don't exactly know what happened, but someone who's been here more, like you, should know.
Don't you have about 4 accounts plus the ones you got from SAXUM/bluecloud? Doesn't that mean that you will be able to use only one?
I don't mean to limit the number of accounts. I never said to limit the number of accounts. I gave that example to say that there are maybe some methods by which we can know two accounts are from the same person even though it's a dynamic IP.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
DragonStar
Peon
Posts: 38
Joined: 08 Jan 2015, 13:12

Re: Security Feature

Post by DragonStar »

I think it could improve account security if players would be able to set a whitelist of IP addresses for accessing their accounts, including IP ranges and masks to account for dynamic IPs, and any IP not on the list trying to log in to the account would fail, with an e-mail sent warning of the login attempt, and a link to add that IP to the whitelist.

Just choosing a good password should be enough in general though, so long as the password is sent to the server encrypted when logging in, otherwise for instance if someone would log in to their account on an insecure wi-fi hotspot, anyone sniffing the data would get their password.
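The per-account IP allowlist proposed in this post and in Siegfried's earlier reply, as an added example (not part of the thread and not TMW server code): entries may be single addresses, CIDR ranges or address/netmask pairs, an empty list means the player opted out, and a miss returns a decision the server could turn into the warning e-mail. The function names and the sample entries (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: what one player might configure for their account.
SAMPLE_ENTRIES = [
    "198.51.100.0/24",            # provider range in CIDR form
    "192.0.2.0/255.255.255.128",  # same idea written with a netmask
    "203.0.113.7",                # one fixed address
    "2001:db8:1::/48",            # IPv6 prefix
]

def parse_allowlist(entries):
    """Turn user-supplied strings into network objects.

    A malformed entry raises ValueError, so a typo is rejected when the
    player saves the list rather than silently locking the account later.
    """
    # strict=False tolerates host bits, e.g. "198.51.100.42/24".
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def check_login(source_ip, allowlist):
    """Return "allow" or "deny_and_notify" for a login attempt."""
    if not allowlist:
        # Player chose not to restrict (e.g. frequent mobile access).
        return "allow"
    addr = ipaddress.ip_address(source_ip)
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in allowlist:
        if addr.version == net.version and addr in net:
            return "allow"
    # Caller would fail the login and e-mail the account owner.
    return "deny_and_notify"
```
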
AnonDuck
TMW Adviser
Posts: 645
Joined: 02 Jan 2009, 04:19
Location: Catland

Re: Security Feature

Post by AnonDuck »

DragonStar wrote:...so long as the password is sent to the server encrypted when logging in, otherwise for instance if someone would log in to their account on an insecure wi-fi hotspot, anyone sniffing the data would get their password.
Unfortunately this is not currently the case. With the current codebase we can have either cleartext passwords on the network or cleartext passwords stored on the server. Since the server stores e-mail addresses and many people use the same password everywhere... we went with hashed passwords on the server. Otherwise if the database were to leak the ramifications would extend far beyond TMW.

4144 is currently working on a replacement for the current server. I'm hoping I'll have the time to integrate a truly secure authentication mechanism before it goes live. Optional whitelisting of IP addresses and/or e-mail pingbacks when a new IP address wants to authenticate is something I'll look into.

For the new auth and password storage method https://en.wikipedia.org/wiki/Salted_Ch ... _Mechanism looks pretty good. Just have to find a simple library that implements it..
Head of the TMW Illuminati
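The trade-off described in the post above (cleartext on the network or cleartext on the server) is what a salted challenge-response exchange avoids. As an added example, not part of the thread and not TMW server code, here is a simplified exchange in the style of SCRAM-SHA-256 (RFC 5802 key derivation): the server keeps only salted derived keys and the client sends a per-session proof instead of the password. Function names, the sample user, password and nonces are assumptions; SASLprep, channel binding and the server-signature check are left out.

```python
import base64, hashlib, hmac, os

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _derive(password, salt, iterations):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")

def register(password, iterations=4096):
    """What the server stores: salt, count and derived keys, never the password."""
    salt = os.urandom(16)
    client_key, server_key = _derive(password, salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": server_key}

def auth_message(user, client_nonce, server_nonce, record):
    """Transcript both sides sign (simplified RFC 5802 framing)."""
    salt_b64 = base64.b64encode(record["salt"]).decode()
    nonce = client_nonce + server_nonce
    return (f"n={user},r={client_nonce},r={nonce},s={salt_b64},"
            f"i={record['i']},c=biws,r={nonce}").encode()

def client_proof(password, salt, iterations, message):
    """Client side: this proof crosses the network, the password does not."""
    client_key, _ = _derive(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, message))

def server_verify(record, message, proof):
    """Server side: recover the client key from the proof and compare its hash."""
    candidate = _xor(proof, _hmac(record["stored_key"], message))
    return hmac.compare_digest(hashlib.sha256(candidate).digest(),
                               record["stored_key"])

def demo():
    # Constructed sample values; real nonces must be fresh random strings.
    pw = "constructed-sample-passphrase"
    rec = register(pw)
    m1 = auth_message("player1", "cnonceA", "snonceB", rec)
    good = client_proof(pw, rec["salt"], rec["i"], m1)
    bad = client_proof("12345", rec["salt"], rec["i"], m1)
    m2 = auth_message("player1", "cnonceC", "snonceD", rec)  # a later session
    # (right password, wrong password, sniffed proof replayed in a new session)
    return server_verify(rec, m1, good), server_verify(rec, m1, bad), server_verify(rec, m2, good)
```

A sniffed proof is bound to one session's nonces, and a leaked record holds no cleartext password, although weak passwords in it can still be guessed offline.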
Altus Institute
Novice
Posts: 155
Joined: 20 Oct 2014, 10:06
Location: The most far away Place

Re: Security Feature

Post by Altus Institute »

MadCamel wrote: and many people use the same password everywhere...
MadCamel wrote: Optional whitelisting of IP addresses and/or e-mail pingbacks when a new IP address wants to authenticate is something I'll look into.
Saying indirectly that people are stupid, you try to track them indirectly?
Does the Mana World project work for Microsoft or Google or someone else?
Coz it seems you use the same language to talk about ppl and want to use the same method to track them.
OFC FOR THEIR OWN SECURITY :lol:
Be clear on this: only the ppl who know how it works disturb the others, creating problems and bringing their own solution (ofc not more secure than another one).
MadCamel wrote: With the current codebase we can have either cleartext passwords on the network or cleartext passwords stored on the server.
Why do you have my password in cleartext?

I went on the Hercule test server and..... surprise!!! I can activate my main char there.
Can someone explain to me why all my chars are on A test server??

It's like bringing a bot on the main server.... how can a guy connect ON the main server a modified char (crazy tree)???
Or like Jat Lee's brother who is scamming ppl... how is it possible? Because the guy knows how it works, the brothers work on the project... why not add something with a back door.... like my dear Big Brother.

So let's talk about security... who protects us from you?
Yes, you're right: NOTHING.
So don't bring your solution saying ppl use the same password everywhere.
You wanted it? So you have it, now don't complain; seems you are not busy enough to understand why ppl use the same password everywhere.
All of these use a password: cb, cb2, parking, pc, tablet, email, email2, diablo, sims city, forum, wiki, phone (phone2?), children phone, pc at work, security password at work....and more.

I hope it's the last time you talk about "me" like that.
Even if I don't understand all your mess, I see you.
ty.
19:24:32 wushin So, can you do something?
19:24:52 Altus I can do nothing.
19:25:07 wushin So you are highly capable of doing nothing?
19:25:20 Altus yerp =D
19:25:31 wushin Crap, im only highly capable of doing something...=/
19:25:34 cassy Its ok wu-wu, we all needs to start somewhere...
19:25:43 deepthought wtf
19:25:46 wushin .....
19:25:52 cassy *pokes* deepthought
Ange Alus Banshee User
Remus Bull Rager Warrior Lv99
Maulne Bull Rager Warrior
Basilic Lazurite Dark Speed Mage