Improve security?


Colonello

Hello everyone, I'm trying to keep my players' accounts in game as secure as possible once it launches. This is especially important if player moderators (users who can kick, take top priority in mute requests, etc.) are created. Does anyone have any ideas on how to improve account security and prevent account hijackers? If there are any tutorials for this, please link them below also.

Note: I am also using EO 3 if that makes any difference.

> Hmm, well I suppose you could have the player put in an E-Mail and save the IP address and if the player is logged in from a different computer then they get an email confirmation…?

I like this idea. It kind of reminds of RuneScape's old protection system.

* Don't send anything sensitive like a password over the wire in plaintext. Use encryption and public-private keys. Hash passwords before being sent.
* Use one-time passwords and two-factor authentication to make man-in-the-middle and replay attacks useless.
* Enforce reasonable password strength limitations.
* Prevent brute force login attempts; lock out users who try and send too many invalid requests (similar to forum software).
* Authenticate all incoming traffic.
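As an added example (this is not code from the thread or from the EO engine; Python is used here for readability), here is the server-side part of the first, third and fourth bullets above: per-account salted and stretched password hashing with a constant-time comparison, a minimum password policy, and a lockout after too many failed attempts. The iteration count, lockout thresholds and password rule are assumed values; the `AccountStore` class and its method names are hypothetical.

```python
import hashlib
import hmac
import os
import time

# Assumed tunables for this example; pick values for your own hardware and player base.
PBKDF2_ITERATIONS = 200_000   # work factor: slows offline guessing if the database leaks
MAX_FAILURES = 5              # failed attempts allowed before the account is locked
LOCKOUT_SECONDS = 600         # how long a lockout lasts
MIN_PASSWORD_LENGTH = 10


def password_is_acceptable(password):
    """Minimal strength policy: length plus at least one letter and one digit."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Constant-time comparison so the check does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


class AccountStore:
    """In-memory stand-in for the server's account table (constructed for this example)."""

    def __init__(self):
        # username -> {"salt", "digest", "failures", "locked_until"}
        self.accounts = {}

    def register(self, username, password):
        if not password_is_acceptable(password):
            return False
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked_until": 0.0}
        return True

    def login(self, username, password, now=None):
        """Returns "ok", "denied" or "locked"; `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown usernames so response
            # timing does not reveal which accounts exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        if verify_password(password, acct["salt"], acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("bob", "correct-horse-42")
    print(store.login("bob", "correct-horse-42"))
```

One design note: if the client also hashes the password before sending it, the value that arrives is what the server has to compare against, so the server should still salt and stretch it as above rather than storing the received hash directly.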

> * Don't send anything sensitive like a password over the wire in plaintext. Use encryption and public-private keys. Hash passwords before being sent.
> * Use one-time passwords and two-factor authentication to make man-in-the-middle and replay attacks useless.
> * Enforce reasonable password strength limitations.
> * Prevent brute force login attempts; lock out users who try and send too many invalid requests (similar to forum software).
> * Authenticate all incoming traffic.

These are all excellent ideas. I'll definitely look in to these!

All of the ideas previously mentioned are excellent.

If you're wanting to take security a step forward, you need to collect a little more information about the machines in use:

Motherboard MAC address

Hard drive serial number

IP address

Between those 3 pieces of information (be sure to declare in your EULA) you can enforce a ban even if they attempt to get around it.

We all know IP addresses change, but other information does not unless it's a different machine.

Most big-time games allow 3 computers to be bonded to an account.

Programming it so if it's an unidentified machine trying to change account settings or even logging in, then it has to enter in a verification code that's sent via email to the account holder to prevent fraud.
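The device-binding flow from the post above, as an added example (not code from the thread or from EO): the server keeps up to 3 trusted device fingerprints per account, and a login from an unrecognised fingerprint is held until the player enters a short-lived, single-use code sent by email. The fingerprint is derived from the client-reported identifiers by hashing, and it only decides whether to ask for a code; it is not used as a ban key. The `DeviceVerifier` class, its method names, the code lifetime, and the in-memory "outbox" standing in for a mail sender are all assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60    # assumed lifetime of an emailed verification code
MAX_TRUSTED_DEVICES = 3       # the thread's "3 computers bonded to an account"


class DeviceVerifier:
    """Trusted-device registry with email-code verification (constructed example)."""

    def __init__(self):
        self.trusted = {}   # username -> set of device fingerprints
        self.pending = {}   # (username, fingerprint) -> (code, expires_at)
        self.outbox = []    # stand-in for an email sender: list of (username, code)

    @staticmethod
    def fingerprint(mac, hdd_serial):
        """Hash the client-reported identifiers so raw hardware data is never stored."""
        material = f"{mac.lower()}|{hdd_serial}".encode("utf-8")
        return hashlib.sha256(material).hexdigest()

    def login(self, username, fingerprint, now=None):
        """Call after the password check passed. Returns "ok" or "verification_required"."""
        now = time.time() if now is None else now
        if fingerprint in self.trusted.get(username, set()):
            return "ok"
        # Unknown device: issue a random 6-digit code and "email" it to the account holder.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(username, fingerprint)] = (code, now + CODE_TTL_SECONDS)
        self.outbox.append((username, code))
        return "verification_required"

    def confirm(self, username, fingerprint, submitted_code, now=None):
        """Returns "trusted", "invalid", "expired" or "device_limit".

        The pending code is consumed on the first attempt, right or wrong, so a
        6-digit code cannot be guessed by repeated submissions.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop((username, fingerprint), None)
        if entry is None:
            return "invalid"
        expected_code, expires_at = entry
        if now > expires_at:
            return "expired"
        if not hmac.compare_digest(expected_code, submitted_code):
            return "invalid"
        devices = self.trusted.setdefault(username, set())
        if len(devices) >= MAX_TRUSTED_DEVICES:
            return "device_limit"   # player must remove an old device first
        devices.add(fingerprint)
        return "trusted"

    def forget_device(self, username, fingerprint):
        """Let the account holder drop a trusted device (e.g. a sold PC)."""
        self.trusted.get(username, set()).discard(fingerprint)


if __name__ == "__main__":
    v = DeviceVerifier()
    fp = DeviceVerifier.fingerprint("AA:BB:CC:DD:EE:FF", "CONSTRUCTED-SERIAL-0001")
    print(v.login("alice", fp))           # verification_required
    code = v.outbox[-1][1]                # what the player reads from the email
    print(v.confirm("alice", fp, code))   # trusted
    print(v.login("alice", fp))           # ok
```

A failed or expired confirmation simply sends the player back through `login`, which issues a fresh code; the lockout logic for the password itself is a separate step that runs before this one.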

> All of the ideas previously mentioned are excellent.
>
> If you're wanting to take security a step forward, you need to collect a little more information about the machines in use:
>
> Motherboard MAC address
>
> Hard drive serial number
>
> IP address
>
> Between those 3 pieces of information (be sure to declare in your EULA) you can enforce a ban even if they attempt to get around it.
>
> We all know IP addresses change, but other information does not unless it's a different machine.
>
> Most big-time games allow 3 computers to be bonded to an account.
>
> Programming it so if it's an unidentified machine trying to change account settings or even logging in, then it has to enter in a verification code that's sent via email to the account holder to prevent fraud.

Note: Don't use this to enforce a ban. The client can spoof this info.

> Note: Don't use this to enforce a ban. The client can spoof this info.

The client would have to match it packet for packet (and they would need the source code and what packets to attack), and that means somebody's hardware would have to be compromised, because it's impossible to obtain that information, especially when it's sent with encryption on creating the character and logging in. How would the hacker get the machine ID, HDD serial and everything in one swoop, and on top of that, don't you think the server would be coded to check and reference the original signup information? When coded properly it would be accessing Windows APIs and sending the information encrypted, and without source code that's nearly impossible to guess all the right numbers to be granted access. We are talking about account security here, right? lol..