Message for Dev. Team - Reverie World Studios Forums

  #1  
Old 12-01-2013, 03:44 PM
kamtar kamtar is offline
Junior Member
 
Join Date: Dec 2013
Posts: 1
Message for Dev. Team

Hello,
Today I had to use the Password Recovery, and what did I see? Your website sent me my password.
I cannot understand which person/persons are able to write code which saves the passwords (personal data!) of thousands of users into a database. This is such a fail, like a paper vault.
I must appeal to the dev. team to change it!
  #2  
Old 12-02-2013, 09:29 AM
Hi11Zone Hi11Zone is offline
Reverie World Studios - Community Manager
 
Join Date: Apr 2013
Posts: 825

PM me, I'd love to help!
__________________
Official DOF Live Stream:
http://www.twitch.tv/ReverieWorld
My Amazing Steam Group http://steamcommunity.com/groups/Hi11zonesGamingLounge
  #3  
Old 01-19-2014, 05:33 AM
thatpvpguy thatpvpguy is offline
Junior Member
 
Join Date: Aug 2013
Posts: 8

He's saying your security sucks,
which it does.
  #4  
Old 01-20-2014, 09:08 AM
Konstantin Fomenko Konstantin Fomenko is offline
Reverie World Studios - Producer & Design Director
 
Join Date: Mar 2007
Posts: 4,769

Quote:
Your website sent me my password.
Our security is not something to be proud of - but we have some layers of protection. We do not store any sensitive information for our users like credit cards, home address, etc. Only usernames and passwords. The website form you were using communicates with a secure database on a separate server reserved for all the user info. So payer info is not stored on our website like you've assumed.

Could we make security better? Given time, yes. But is it worth the investment of time and funds that our team can spend on making the game better? An amateur hacker might not be able to get the info; someone much more advanced - there is a chance, but all they can get is separate entries of username and password - that hold no real value, other than the small % that someone uses the same username/password somewhere - but most people pick unique in-game nicks, and there is no good way to track this, as we don't even store user IP.
  #5  
Old 01-28-2014, 10:08 AM
Myso Myso is offline
Junior Member
 
Join Date: Jan 2014
Posts: 1

This issue is always my first port of call with any new account creation.

The clear fact that you are storing all passwords as plain text makes you the first port of call to ANY level of hacker, as password scraping is a VERY sought-after type of information gathering. You don't just open the door to your own site but expose unwary users to security issues on other sites using the same information they use here, because not everyone uses different credentials elsewhere.
So you owe it to your customers to protect their information above all else, regardless of how small it may be.

All that needs to be done is to MD5/SHA1 the password with a salt to prevent easy reading and have anyone really wanting this info waste a LOT of CPU time, and if the user forgets their password, just create a random array of password characters for them to log in with, so they can change it. It's more than simple, and I really shouldn't have to suggest this in the first place!

Don't be so naive in thinking it won't happen to you! You have exposure on Steam and how many Steam users are involved in hacking? If you can't implement this simple security then what's to say your game coding doesn't have the potential to expose this data?

Maybe just think of the bad press and loss of business when all your users find their passwords were stolen due to the most simple of security fixes?

I just hope that when it happens you get forewarned of the data being disclosed & they give you time to fix it.
  #6  
Old 01-28-2014, 10:42 AM
Konstantin Fomenko Konstantin Fomenko is offline
Reverie World Studios - Producer & Design Director
 
Join Date: Mar 2007
Posts: 4,769

Well said. We are planning to remedy this later this winter before we continue to grow our player population.
  #7  
Old 02-03-2014, 06:08 PM
Frostshoxx Frostshoxx is offline
Junior Member
 
Join Date: Jan 2014
Posts: 2

As a web/software developer I would recommend putting the migration of clear text passwords to hashed password + salt as one of the top priorities as well.

We had one of our legacy projects that stored passwords in clear text. Although it is convenient for the client to obtain the password for their day-to-day operation (on behalf of their clients), it makes the system a risky target for bad guys trying to find information.

We basically did the following steps for the conversion on the database side (not literally, but this is the overview).
1. Write a shared helper method that creates a salt and hashed password.
2. Write a shared helper method that creates a hashed password based on a given salt.
3. Create two columns on the login table: Hashed Password and Salt.
4. Create a script that goes through each entry on the login table and converts the clear text to a hash with a new random salt.
5. Initially update the login validation to use both clear text and hashed password until the conversion is done.
6. Remove the clear text and the login add/edit/delete methods that use clear text altogether.

Working with less data entry is probably better.

Last edited by Frostshoxx : 02-03-2014 at 06:15 PM.
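The six migration steps in post #7, together with the random reset password suggested in post #5, as one added Python example. This is not code from the forum, the studio or any poster; it models the login table as an in-memory list of dicts instead of a real database, uses PBKDF2-HMAC-SHA256 (a deliberately slow hash) in place of the MD5/SHA1 the poster names, and the iteration count, the sample rows and the `must_change` flag are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2; an assumption for this example, tune it to your hardware.
ITERATIONS = 100_000

Row = Dict[str, Optional[str]]


def make_salt() -> str:
    """Random 16-byte salt, stored as hex so it fits a text column."""
    return os.urandom(16).hex()


def hash_password(password: str, salt: str) -> str:
    """Step 2: derive the stored hash from a password and an existing salt.

    PBKDF2-HMAC-SHA256 is used instead of the MD5/SHA1 mentioned in the thread:
    it is slow by design, which is what makes bulk cracking expensive.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt), ITERATIONS
    )
    return digest.hex()


def new_credentials(password: str) -> Tuple[str, str]:
    """Step 1: fresh random salt plus the matching hash for a new or changed password."""
    salt = make_salt()
    return salt, hash_password(password, salt)


# Step 3: the login table with the two new columns ('hashed_password', 'salt')
# beside the legacy 'password' column. Constructed sample rows, not real accounts.
LOGIN_TABLE: List[Row] = [
    {"username": "alice", "password": "correct horse battery", "hashed_password": None, "salt": None},
    {"username": "bob", "password": "hunter2", "hashed_password": None, "salt": None},
]


def migrate(table: List[Row]) -> int:
    """Step 4: fill hashed_password/salt for every row still lacking them; returns rows converted."""
    converted = 0
    for row in table:
        if row["hashed_password"] is None and row.get("password") is not None:
            row["salt"], row["hashed_password"] = new_credentials(row["password"])
            converted += 1
    return converted


def verify_login(row: Row, candidate: str) -> bool:
    """Step 5: dual-mode check used while the migration script is still running.

    Prefers the hash when present and falls back to the cleartext column only for
    rows the script has not reached yet. Both comparisons are constant-time.
    """
    if row.get("hashed_password") is not None and row.get("salt") is not None:
        return hmac.compare_digest(hash_password(candidate, row["salt"]), row["hashed_password"])
    stored = row.get("password")
    if stored is not None:
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    return False


def drop_cleartext(table: List[Row]) -> None:
    """Step 6: remove the cleartext column once every row carries a hash; refuse otherwise."""
    unconverted = [r["username"] for r in table if r["hashed_password"] is None]
    if unconverted:
        raise RuntimeError("migration incomplete for: %s" % ", ".join(unconverted))
    for row in table:
        row.pop("password", None)


def issue_reset_password(row: Row, length: int = 12) -> str:
    """Password recovery: issue a random one-time password instead of mailing the stored one.

    The temporary password is hashed like any other and the row is flagged so the
    user has to pick a new password at next login.
    """
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    row["salt"], row["hashed_password"] = new_credentials(temp)
    row["must_change"] = "1"
    return temp


if __name__ == "__main__":
    table = [dict(r) for r in LOGIN_TABLE]
    print("converted", migrate(table), "rows")
    print("alice logs in:", verify_login(table[0], "correct horse battery"))
    drop_cleartext(table)
    print("columns after cleanup:", sorted(table[0]))
    print("bob's reset password:", issue_reset_password(table[1]))
```

The fallback branch in `verify_login` is what lets the site stay up while the batch script runs; `drop_cleartext` refuses to run until every row has a hash, so step 6 cannot silently lock out users the script skipped.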