Improving security of our accounts
Instead of storing our usernames and passwords (and possibly recovery emails) in plaintext (or using reversible encryption), admins should consider improving their security and storing our login credentials as well as emails in an encrypted format.
E.g.: when you click "Forget Password" and type in your "Character Name" and "Recovery Email", the game sends a mail to your email ID which shows your username and password in plain text (which is bad).
Some references to understand why it is bad:
1. https://stackoverflow.com/questions/1197417/why-are-plain-text-passwords-bad-and-how-do-i-convince-my-boss-that-his-treasur
2. https://security.stackexchange.com/questions/7118/what-to-do-about-websites-that-store-plain-text-passwords
A suggestion to the community: Since most people have a tendency to reuse their passwords (bad! bad! bad!), I would recommend never using the password you use for this site for any other website.
Read: https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/
Why do I care?
I don't play this game anymore but log in from time to time just to see how things are going. Today I stumbled upon this thread:
https://www.lordswm.com/forum_messages.php?tid=2650189
So naturally I went to one of my previous accounts (which was Jailed by BOW) to see my registration date and what caught my eye was that my account had been unjailed, done some illegal transfers and then jailed again which is really crappy to say the least. That is why I care.
Thank you!

First step: Serve the site over TLS (or https).

for shubhamgoyal:
Wow, I didn't even notice that.

If there is sufficient interest, we can collaboratively develop an open source version of lordswm without the assets (unless lordswm permits) in Go and React, hosted on AWS (and AliCloud for Chinese users) with proper security practices. Then, we can hand that over to the admins. There is a lot of event-related logic we wouldn't be able to recreate and hand over, but my hypothesis is that a Go server with good frontend architecture would make it easy to add the kinds of events admins create nowadays. We could do the smugglers' or pirates' as an example. It would probably make lordswm's devs much more efficient.
I have wanted to do this before, but it is a year-long project if I do it alone and part-time. I am trying to limit my full-time involvement to just one startup these days, so I should be able to take out a few productive hours each week. If a few folks here are interested and commit the same, 3-4 of us could have a decently written open-source version in maybe 6 months.
As an incentive to switch, I would add 10,000 dollars of AWS credits to the AWS account when handing over. Hopefully, the game we all love won't have ancient technology supporting it.
P.S. - Every project's stack gets outdated when it gets out of the startup phase and doesn't iterate often enough. The game still runs, and runs well for the most part. But security has been neglected. Without any sophisticated toolkit, I am able to do SQL injections or see passwords of other users over the air. That is not good.
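The storage and "Forget Password" flow the opening post asks for, as an added example written for this thread; it is not code from lordswm or from any of the posters. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the slow one-way password hash (any modern KDF such as scrypt or Argon2 would do the same job), a 15-minute single-use reset token in place of mailing the password, and two in-memory dictionaries standing in for the game's user and reset-token tables. The point the post makes is visible in the code: after registration nothing reversible is stored, so neither an admin nor a database dump can produce the password, and the reset mail carries only a random token.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Tunables (assumed values; raise the iteration count as hardware allows).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory "tables" standing in for the game's database.
USERS = {}          # character_name -> {"email": str, "salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"user": str, "expires": float}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash): random per-user salt plus a slow one-way KDF.

    There is no key anywhere that turns the hash back into the password,
    which is what separates this from "reversible encryption".
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(character_name: str, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[character_name] = {"email": email, "salt": salt, "hash": digest}


def verify_login(character_name: str, password: str) -> bool:
    record = USERS.get(character_name)
    if record is None:
        # Burn a KDF anyway so an unknown name is not distinguishable by timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["hash"])


def request_reset(character_name: str, email: str, now: Optional[float] = None) -> Optional[str]:
    """Forgot-password step 1: mint a random, single-use, expiring token.

    Returns the token the mailer should send (never the password), or None
    when the name/email pair does not match. Only a hash of the token is
    kept, so a leaked reset table cannot be used to take over accounts.
    """
    record = USERS.get(character_name)
    if record is None or not hmac.compare_digest(record["email"].lower(), email.lower()):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": character_name,
        "expires": (now or time.time()) + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Forgot-password step 2: consume the token and store a fresh hash."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # single use: removed whether valid or expired
    if entry is None or (now or time.time()) > entry["expires"]:
        return False
    salt, digest = hash_password(new_password)
    USERS[entry["user"]].update(salt=salt, hash=digest)
    return True


if __name__ == "__main__":
    register("Knight", "knight@example.com", "hunter2")
    print("login ok:", verify_login("Knight", "hunter2"))
    tok = request_reset("Knight", "knight@example.com")
    print("mail this token, not the password:", tok)
    print("reset ok:", complete_reset(tok, "a-new-password"))
    print("old password still works:", verify_login("Knight", "hunter2"))
```

The `now` parameter exists only so the expiry check can be exercised deterministically; in production the current time is used. The `hash_password` call on an unknown user and the `compare_digest` on the email are there because a reset endpoint that answers faster for non-existent names leaks which character names have accounts.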