Colonello (Author) posted August 17, 2014

Hello everyone, I'm trying to keep my players' accounts in game as secure as possible once it launches. This is especially important if player moderators (users who can kick, take top priority in mute requests, etc.) are created. Does anyone have any ideas on how to improve account security and prevent account hi-jackers? If there's any tutorials for this please link them below also.

Note: I am also using EO 3 if that makes any difference.
Mohenjo Daro posted August 17, 2014

Hmm, well I suppose you could have the player put in an e-mail and save the IP address, and if the player is logged in from a different computer then they get an email confirmation…?
Colonello (Author) posted August 18, 2014

> Hmm, well I suppose you could have the player put in an e-mail and save the IP address, and if the player is logged in from a different computer then they get an email confirmation…?

I like this idea. It kind of reminds me of RuneScape's old protection system.
Mohenjo Daro posted August 18, 2014

Don't worry, I like it too… Now to give Johnson more work.
Vaughan posted August 18, 2014

* Don't send anything sensitive like a password over the wire in plaintext. Use encryption and public-private keys. Hash passwords before being sent.
* Use one-time passwords and two-factor authentication to make man-in-the-middle and replay attacks useless.
* Enforce reasonable password strength limitations.
* Prevent brute force login attempts; lock out users who try and send too many invalid requests (similar to forum software).
* Authenticate all incoming traffic.
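Three of the points in the list above (password strength limits, hashed password storage, and locking out accounts after too many invalid attempts) fit together in one piece of server-side logic. The following is an added example written for this thread, not code from the original post or from the EO 3 engine. The iteration count, lockout window and minimum length are assumed values, and `AccountStore` is an in-memory stand-in for the real account table.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Tunables: assumed values for this example, not EO 3 settings.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 10

# Fixed salt used only to keep the timing of "unknown account" the same as a real check.
_DUMMY_SALT = b"\x00" * 16


def password_strength_ok(password: str) -> bool:
    """Reasonable minimum: a length floor plus at least two character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes >= 2


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256 with a per-account random salt."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_key)


class AccountStore:
    """In-memory stand-in for the server's account table (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts = {}  # name -> {"salt", "key", "failed", "locked_until"}

    def register(self, name: str, password: str) -> bool:
        if not password_strength_ok(password):
            return False
        salt, key = hash_password(password)
        self.accounts[name] = {"salt": salt, "key": key, "failed": 0, "locked_until": 0.0}
        return True

    def login(self, name: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "locked" or "denied".

        Unknown accounts also return "denied" (after a dummy hash) so that neither the
        response nor its timing tells a guesser which account names exist."""
        now = time.time() if now is None else now
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, _DUMMY_SALT)
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        if verify_password(password, acct["salt"], acct["key"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["failed"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The hashing here happens on the server with a per-account salt, so a copy of the account table does not hand out reusable credentials; whatever the client does to the password before sending it, the server still treats the received value as the secret and derives its own stored key from it. The `now` parameter exists so the lockout window can be tested without sleeping.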
Colonello (Author) posted August 18, 2014

> * Don't send anything sensitive like a password over the wire in plaintext. Use encryption and public-private keys. Hash passwords before being sent.
> * Use one-time passwords and two-factor authentication to make man-in-the-middle and replay attacks useless.
> * Enforce reasonable password strength limitations.
> * Prevent brute force login attempts; lock out users who try and send too many invalid requests (similar to forum software).
> * Authenticate all incoming traffic.

These are all excellent ideas. I'll definitely look into these!
xXaden posted August 19, 2014

All of the ideas previously mentioned are excellent.

If you're wanting to take security a step forward you need to collect a little more information about the machines in use:

Motherboard MAC address
Hard drive serial number
IP address

Between those 3 pieces of information (be sure to declare in your EULA) you can enforce a ban even if they attempt to get around it.

We all know IP addresses change, but other information does not unless it's a different machine.

Most big time games allow 3 computers to be bonded to an account.

Programming it so if it's an unidentified machine trying to change account settings or even logging in, then it has to enter in a verification code that's sent via email to the account holder to prevent fraud.
Vaughan posted August 19, 2014

> All of the ideas previously mentioned are excellent.
>
> If you're wanting to take security a step forward you need to collect a little more information about the machines in use:
>
> Motherboard MAC address
> Hard drive serial number
> IP address
>
> Between those 3 pieces of information (be sure to declare in your EULA) you can enforce a ban even if they attempt to get around it.
>
> We all know IP addresses change, but other information does not unless it's a different machine.
>
> Most big time games allow 3 computers to be bonded to an account.
>
> Programming it so if it's an unidentified machine trying to change account settings or even logging in, then it has to enter in a verification code that's sent via email to the account holder to prevent fraud.

Note: Don't use this to enforce a ban. The client can spoof this info.
xXaden posted August 20, 2014

> Note: Don't use this to enforce a ban. The client can spoof this info.

The client would have to match it packet for packet (and they would need the source code and what packets to attack), and that means somebody's hardware would have to be compromised, because it's impossible to obtain that information, especially when it's sent with encryption on creating the character and logging in. How would the hacker get the machine ID, HDD serial and everything in one swoop, and on top of that don't you think the server would be coded to check and reference the original signup information? When coded properly it would be accessing Windows APIs and sending the information encrypted, and without source code that's nearly impossible to guess all the right numbers to be granted access. We are talking about account security here, right? lol..
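Mohenjo Daro's suggestion earlier in the thread (an e-mail confirmation when a login comes from a different computer) and xXaden's fuller version (bind up to three machines to an account, and require an emailed verification code before an unrecognised machine can log in or change settings) describe the same server-side flow, so one example covers both. This is added code written for this thread, not code from either poster or from EO 3. It assumes the client reports a MAC address and drive serial in its login packet, takes a `send_email` callback so that mail delivery is outside the example, and follows Vaughan's caveat: the hardware values are whatever the client chose to send, so they are used only to decide whether an extra confirmation step is needed, never as grounds for a ban. The IP address is recorded in the notification for the account holder to see but plays no part in the decision, since addresses change.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict

# Assumed values for this example, not EO 3 settings.
CODE_TTL_SECONDS = 10 * 60
MAX_BOUND_DEVICES = 3   # the "3 computers bonded to an account" figure from the thread
MAX_CODE_ATTEMPTS = 5


def device_id(mac: str, hdd_serial: str) -> str:
    """Reduce the client-reported hardware values to one opaque label.

    Both values arrive from the client and are only as trustworthy as the client, so this
    is 'which machine do we think this is', not proof of anything."""
    raw = f"{mac.strip().lower()}|{hdd_serial.strip().lower()}".encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def _code_hash(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class DeviceGuard:
    """Tracks known machines per account and gates unknown ones behind an emailed code."""

    def __init__(self, send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.send_email = send_email
        self.now = now
        self.email: Dict[str, str] = {}                 # account -> email address
        self.bound: Dict[str, Dict[str, float]] = {}    # account -> {device id: last seen}
        self.pending: Dict[str, dict] = {}              # account -> outstanding code

    def register(self, account: str, email: str, mac: str, hdd_serial: str) -> None:
        """The machine used at signup becomes the first bound device."""
        self.email[account] = email
        self.bound[account] = {device_id(mac, hdd_serial): self.now()}

    def login(self, account: str, mac: str, hdd_serial: str, ip: str) -> str:
        """Call after the password check has already passed. Returns "ok" or "verify"."""
        dev = device_id(mac, hdd_serial)
        devices = self.bound.setdefault(account, {})
        if dev in devices:
            devices[dev] = self.now()
            return "ok"
        # Unknown machine: issue a short-lived 6-digit code and store only its hash.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[account] = {
            "device": dev,
            "code_hash": _code_hash(code),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_email(self.email[account],
                        f"Login from an unrecognised machine (ip {ip}). Code: {code}")
        return "verify"

    def confirm(self, account: str, code: str) -> bool:
        """Bind the pending device if the code is right, unexpired and not over-tried."""
        p = self.pending.get(account)
        if p is None or self.now() > p["expires"]:
            self.pending.pop(account, None)
            return False
        p["attempts"] += 1
        if not hmac.compare_digest(_code_hash(code), p["code_hash"]):
            if p["attempts"] >= MAX_CODE_ATTEMPTS:
                self.pending.pop(account, None)   # force a fresh code after too many tries
            return False
        del self.pending[account]
        devices = self.bound.setdefault(account, {})
        if len(devices) >= MAX_BOUND_DEVICES:
            oldest = min(devices, key=devices.get)   # evict the least recently seen machine
            del devices[oldest]
        devices[p["device"]] = self.now()
        return True
```

The code is stored hashed and compared in constant time, expires after ten minutes, and is discarded after a handful of wrong guesses so that a six-digit value cannot simply be enumerated. Because an attacker who already has the password is the case this flow exists for, the notification goes to the e-mail on file rather than anything the client supplies in the login packet.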
Colonello (Author) posted August 21, 2014

Thank you everyone for the ideas, and I'll see if I can get some or most of them implemented in my game once I have the funds. :D I'm setting this topic to solved, but if anyone has any other suggestions feel free to share them.