Security enhancements



Ktalah
28th March 2005, 06:48 AM
With all the hackings that keep occurring I think that maybe it might be wisdom to make some improvements to the security of accounts.

The first thing I came up with was a selloff password. Basically you would have to input a password (different from your normal password) whenever you attempted to sell off weapons to a value higher than the one you picked. For example, you're a top player and you're really paranoid about being sold off. Hence you make your value for which a password is required 0. You're unlucky enough to be hacked, but they cannot sell off your armory without the password. This could be applied to vacation mode too.

You should have to input your password to change email or password, this would make javascript 'hacks' less effective. On the topic of javascript, the 'change commander' script could be countered quite efficiently by giving players a couple of hours in which they could revert to the previous commander (or lack of), and/or adding a password.

I dislike the insecurity of the password retrieval system, but I cannot immediately think of anything logical that could be done by the admins, users can simply not use free web based e-mails.

I think it's important that any enhancements are made on the basis that if anyone doesn't want to be more secure they don't have to be. Hence most of these modifications would only be prohibitive if you set them up that way.
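
The opt-in selloff password with a player-chosen threshold proposed in the post above, sketched as an added example (not part of the thread and not the game's code). The `Account` fields, function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this sketch)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:
    login_salt: bytes
    login_hash: bytes
    # Opt-in: None means the player never enabled the selloff password.
    selloff_salt: Optional[bytes] = None
    selloff_hash: Optional[bytes] = None
    selloff_threshold: int = 0  # sales worth more than this need the password

def new_account(login_password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(login_password, salt))

def enable_selloff_password(acct: Account, password: str, threshold: int) -> None:
    # Reject reuse of the login password: a stolen login would defeat the check.
    if hmac.compare_digest(_hash(password, acct.login_salt), acct.login_hash):
        raise ValueError("selloff password must differ from the login password")
    if threshold < 0:
        raise ValueError("threshold must be >= 0")
    acct.selloff_salt = os.urandom(16)
    acct.selloff_hash = _hash(password, acct.selloff_salt)
    acct.selloff_threshold = threshold

def authorize_selloff(acct: Account, sale_value: int, supplied: Optional[str] = None) -> bool:
    """Decide whether an already logged-in session may sell `sale_value` of weapons."""
    if acct.selloff_hash is None:  # feature not enabled: behaviour is unchanged
        return True
    if sale_value <= acct.selloff_threshold:
        return True
    if supplied is None:
        return False
    return hmac.compare_digest(_hash(supplied, acct.selloff_salt), acct.selloff_hash)
```

A per-sale threshold only holds if it is compared against the total sold within a time window rather than each sale alone, and attempts at the second password need rate limiting like any other login.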

riddle
28th March 2005, 06:57 AM
very nice idea, having a separate password for selloffs/training and making it only required with a training/selloff of more than x number would most likely solve the current problem.
of course if people still used their same password or chose not to set it up then it would be their choice.

for the commander change? simply also require the secondary password no need to give players ability to revert to previous commander

Phyrus
28th March 2005, 07:12 AM
your suggestions are good, but it will be redundant once the admins put in email confirmation into the game.

Ktalah
28th March 2005, 07:17 AM
your suggestions are good, but it will be redundant once the admins put in email confirmation into the game.
I'm unsure exactly what you mean by this, or how it will prevent hacking. Explain?

Phyrus
28th March 2005, 07:21 AM
by means of when you request password/email/commander switch change, you will receive an email to state you have requested something and will be given a link to confirm this action. the only way around this is people being able to get into your inbox

Ktalah
28th March 2005, 07:30 AM
by means of when you request password/email/commander switch change, you will receive an email to state you have requested something and will be given a link to confirm this action. the only way around this is people being able to get into your inbox
Ah, well, this will not fix selloffs, and a fair amount of hacking can be done through the inbox. But I do see your point, it would fix a lot of the issues in the game's security.

eth
28th March 2005, 11:28 AM
How bout this: A user is prompted to change his password every 15 days or so. If he does not respond to 3 prompts, a warning shall be sent to him, about suspension of his account till he contacts the admins or a new rank of moderators on KoC to reactivate his account and change his password. This shall also reduce hacking and shall also wake up slackers (ppl who stack too many turns and forget about playing).

EworTam
28th March 2005, 12:11 PM
People's accounts are de-activated if they don't log in for 3 weeks.

And changing your password every fortnight or so won't stop you being hacked.

variationpwnz
28th March 2005, 12:58 PM
your suggestions are good, but it will be redundant once the admins put in email confirmation into the game.

ow god you mean they're finally going to put in e-mail confirmation for change of e-mail. YAY. very nice idea about the selloff password, but if you can hack koc accounts, those passwords shouldn't be too hard either

EworTam
28th March 2005, 01:14 PM
Is that definitely going to be put in place? I hope so, I guess it would really reduce the amount of "hackings".