Security Feature
- deepthought
- Warrior
- Posts: 314
- Joined: 01 Sep 2014, 10:32
- Location: India
Security Feature
There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest that account logins should be possible only with a single IP address. It's a little cost we pay but our accounts will be safe. Another feature is to implement the number of login attempts. After a certain limit, the account can't be logged into and can only be logged into after the user has responded through email and the password is reset.
Last edited by deepthought on 08 Mar 2015, 16:36, edited 3 times in total.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
-
- Peon
- Posts: 22
- Joined: 06 Nov 2014, 20:11
Re: Security Feature
idk but where I come from there's dynamic IPs handed out by my provider... actually I have a different IP like every day... the other thing is ppl logging in from mobile or from another wlan... the only way for me to make this work is use some proxy...
not to disappoint u or sth
Re: Security Feature
It's been my experience we have very few people being hacked; we do have people giving away their username/password and then being exploited.
Lesson to be learned here: don't give away your username/password.
ego is the anesthesia that deadens the pain of stupidity!
- deepthought
- Warrior
- Posts: 314
- Joined: 01 Sep 2014, 10:32
- Location: India
Re: Security Feature
Even without sharing id and password, there have been hacks. For example take the Salah case. Recently Octopus' account was hacked. I would at least look forward to implementing the minimum no. of tries for id and passwords.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
Re: Security Feature
afaik Salah was a scammer not a hacker. I have never heard that Octopus got hacked either.
ego is the anesthesia that deadens the pain of stupidity!
Re: Security Feature
The server does rate-limit authentication requests. If you choose even a half-decent password nobody should be able to easily bruteforce it.
If it were possible to hack accounts that practice good security we'd have GM and admin accounts getting pwnt left and right. That's not happening.
As far as I'm aware everyone who's ever been "hacked" either gave their account info to someone or had an obvious username and picked something like 12345 as their password. I've even seen people download tmw_cheat.exe that's a keylogger/trojan..
We can't protect against stupid.
Head of the TMW Illuminati
Re: Security Feature
My IP always changes when I open my computer.
Re: Security Feature
As Eisenserg already stated, dynamic (always changing) IP addresses stand against this idea. But what would be possible is to limit logins to some IP range. But that range would have to be configured by the user himself, not preset by some admin. You could f.ex. configure your account to be usable only from the IP range of your provider. And you could choose not to limit it, if you often use mobile access. If you let the user configure that, it would add slightly to security. The increase of security is not very high though.
deepthought wrote: There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest that account logins should be possible only with a single IP address.
Re: Security Feature
Siegfried wrote: As Eisenserg already stated, dynamic (always changing) IP addresses stand against this idea. But what would be possible is to limit logins to some IP range. But that range would have to be configured by the user himself, not preset by some admin. You could f.ex. configure your account to be usable only from the IP range of your provider. And you could choose not to limit it, if you often use mobile access. If you let the user configure that, it would add slightly to security. The increase of security is not very high though.
deepthought wrote: There have been lots of accounts getting hacked into and many people leaving the game because of it. In the light of these events I would suggest that account logins should be possible only with a single IP address.
How hard is it to remember a 10 digit password?
And why would you give it to anyone, that's stupid.
- deepthought
- Warrior
- Posts: 314
- Joined: 01 Sep 2014, 10:32
- Location: India
Re: Security Feature
I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.
Mad Camel,
I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his id/password or run any untrusted programs. I don't exactly know what happened but someone who's been here more like you should know.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
Re: Security Feature
Don't you have about 4 accounts plus the ones you got from SAXUM/bluecloud, doesn't that mean that you will be able to use only one?
deepthought wrote: I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.
Mad Camel,
I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his id/password or run any untrusted programs. I don't exactly know what happened but someone who's been here more like you should know.
- deepthought
- Warrior
- Posts: 314
- Joined: 01 Sep 2014, 10:32
- Location: India
Re: Security Feature
I don't mean to limit the no. of accounts. I never said to limit the no. of accounts. I gave that example to say that there are maybe some methods by which we can know two accounts are from the same person even though it's a dynamic IP.
cerc wrote: Don't you have about 4 accounts plus the ones you got from SAXUM/bluecloud, doesn't that mean that you will be able to use only one?
deepthought wrote: I'm not an expert so I don't know how to fix the dynamic IP thing. After a bit of googling I think there are measures which can be taken even for dynamic IPs. I used to play this game Cyber Nations which only allows 1 account for 1 home. Even if you have two different computers with two brothers, it's not allowed. Even though there are dynamic IPs, their GM used to find out the ones with two nations and ban them. I don't know how they do it.
Mad Camel,
I heard that when Frost was GM his alt's accounts were scammed or hacked by Jat Lee/Salah. I don't think someone like Frost would share his id/password or run any untrusted programs. I don't exactly know what happened but someone who's been here more like you should know.
I'm as cool and comforting as the porcelain tiles on your bathroom floor during an evening of vomiting.
-
- Peon
- Posts: 38
- Joined: 08 Jan 2015, 13:12
Re: Security Feature
I think it could improve account security if players would be able to set a whitelist of IP addresses for accessing their accounts, including IP ranges and masks to account for dynamic IPs, and any IP not on the list trying to log in to the account would fail, with an e-mail sent warning of the login attempt, and a link to add that IP to the whitelist.
Just choosing a good password should be enough in general though, so long as the password is sent to the server encrypted when logging in, otherwise for instance if someone would log in to their account on an insecure wi-fi hotspot, anyone sniffing the data would get their password.
Re: Security Feature
DragonStar wrote: ...so long as the password is sent to the server encrypted when logging in, otherwise for instance if someone would log in to their account on an insecure wi-fi hotspot, anyone sniffing the data would get their password.
Unfortunately this is not currently the case. With the current codebase we can have either cleartext passwords on the network or cleartext passwords stored on the server. Since the server stores e-mail addresses and many people use the same password everywhere... we went with hashed passwords on the server. Otherwise if the database were to leak the ramifications would extend far beyond TMW.
4144 is currently working on a replacement for the current server. I'm hoping I'll have the time to integrate a truly secure authentication mechanism before it goes live. Optional whitelisting of IP addresses and/or e-mail pingbacks when a new IP address wants to authenticate is something I'll look into.
For the new auth and password storage method https://en.wikipedia.org/wiki/Salted_Ch ... _Mechanism looks pretty good. Just have to find a simple library that implements it..
Head of the TMW Illuminati
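The trade-off in the post above (cleartext on the network or cleartext on the server) is the one SCRAM removes. The following is an added example, not part of the thread and not TMW code, of the SCRAM-SHA-256 core from RFC 5802 / RFC 7677: the server keeps only a salted StoredKey and the client sends only a per-login proof. The account name, nonces and passwords are constructed; SASLprep, the ServerKey/server signature and message parsing are left out.

```python
# Added example: SCRAM-SHA-256 core math (RFC 5802 / RFC 7677), simplified.
import base64, hashlib, hmac, os

def _hmac(key, msg):
    return hmac.new(key, msg, "sha256").digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _client_key(password, salt, iters):
    # SaltedPassword := PBKDF2-HMAC(password, salt, i); SASLprep is skipped here.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return _hmac(salted, b"Client Key")

def enroll(password, salt, iters=4096):
    """What the server stores: salt, iteration count, StoredKey. No password."""
    stored_key = hashlib.sha256(_client_key(password, salt, iters)).digest()
    return {"salt": salt, "iters": iters, "stored_key": stored_key}

def auth_message(user, cnonce, snonce, rec):
    # client-first-bare , server-first , client-final-without-proof
    salt_b64 = base64.b64encode(rec["salt"]).decode()
    nonce = cnonce + snonce
    return (f"n={user},r={cnonce},r={nonce},s={salt_b64},"
            f"i={rec['iters']},c=biws,r={nonce}").encode()

def client_proof(password, rec, msg):
    """What crosses the network: ClientKey XOR HMAC(StoredKey, AuthMessage).
    The client reads only salt and iters from rec (sent in server-first)."""
    ck = _client_key(password, rec["salt"], rec["iters"])
    return _xor(ck, _hmac(hashlib.sha256(ck).digest(), msg))

def server_verify(rec, msg, proof):
    # Recover ClientKey from the proof; its hash must equal StoredKey.
    ck = _xor(proof, _hmac(rec["stored_key"], msg))
    return hmac.compare_digest(hashlib.sha256(ck).digest(), rec["stored_key"])

def demo():
    rec = enroll("correct horse", os.urandom(16))  # constructed sample account
    msg1 = auth_message("player1", "cN0nce", "sN0nce", rec)
    proof = client_proof("correct horse", rec, msg1)
    msg2 = auth_message("player1", "cN0nce2", "sN0nce2", rec)  # a later login
    return (server_verify(rec, msg1, proof),                          # genuine
            server_verify(rec, msg1, client_proof("12345", rec, msg1)),  # wrong pw
            server_verify(rec, msg2, proof))                          # replayed proof

if __name__ == "__main__":
    print(demo())
```

The third result shows why a proof sniffed on an open hotspot does not log the eavesdropper in later: it is bound to the nonces of the session it was made for.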
- Altus Institute
- Novice
- Posts: 155
- Joined: 20 Oct 2014, 10:06
- Location: The most far away Place
Re: Security Feature
MadCamel wrote: and many people use the same password everywhere...
Saying indirectly that people are stupid, you try to track them indirectly?
MadCamel wrote: Optional whitelisting of IP addresses and/or e-mail pingbacks when a new IP address wants to authenticate is something I'll look into.
Does the Mana World project work for Microsoft or Google or else?
Coz it seems you use the same language to talk about ppl and want to use the same method to track them.
OFC FOR THEIR OWN SECURITY
be clear on this: only the ppl who know how it works disturb the others, creating problems and bringing their own solution (ofc not more secure than another one).
why do you have my password in cleartext?
MadCamel wrote: With the current codebase we can have either cleartext passwords on the network or cleartext passwords stored on the server.
I went on the Hercule test server and.....surprise !!! I can activate my main char there.
Can someone explain to me why all my chars are on A test server??
It's like bringing a bot on the main server....how can a guy connect ON the main server a modified char (crazy tree)???
Or like Jat Lee's brother who is scamming ppl...how is it possible? Because the guy knows how it works, the brothers work on the project...why not adding something with a back door....like my dear Big Brother.
So let's talk about security...who protects us from you?
Yes you are right: NOTHING.
So don't bring your solution saying ppl use the same password everywhere.
You wanted it? So you have it, now don't complain, seems you are not busy enough to understand why ppl use the same password everywhere.
All of these use a password: cb, cb2, parking, pc, tablet, email, email2, diablo, sims city, forum, wiki, phone (phone2?), children phone, pc at work, security password at work....and more.
I hope it's the last time you talk about "me" like that.
Even if I don't understand all your mess, I see you.
ty.
19:24:32 wushin So, can you do something?
19:24:52 Altus I can do nothing.
19:25:07 wushin So you are highly capable of doing nothing?
19:25:20 Altus yerp =D
19:25:31 wushin Crap, im only highly capable of doing something...=/
19:25:34 cassy Its ok wu-wu, we all needs to start somewhere...
19:25:43 deepthought wtf
19:25:46 wushin .....
19:25:52 cassy *pokes* deepthought
ஜAnge Alus Banshee User
ஜRemus Bull Rager Warrior Lv99
ஜMaulne Bull Rager Warrior
ஜBasilic Lazurite Dark Speed Mage