A Discussion On Account Security
Heroes comes with a lot of improvements to help users manage their accounts. I wanted to make a quick post covering how they work so everyone's on the same page.
Standard Security Practices
This means salting and hashing passwords, forcing SSL on all pages, and forcing email confirmation on signup and when making any significant changes to account settings. This is nothing special and should be expected from any online service, but it's still worth mentioning as it's the foundation on which everything else tends to rely.
HWID Whitelist
Sharing accounts in online games is a very common practice. As game owners we might not like it because of the headaches inevitably caused when someone tries to scam you or take your items, but we know it will never be fully prevented. Our job is to make sure that players are aware of the risks they are taking and have the tools to keep themselves as safe as possible.
When logging into your dashboard on our website you will notice there is a HWID Whitelist feature. It is off by default, but we will strongly recommend that those who are concerned with the safety of their in-game items enable it (and in the cases of scammed characters we will turn it on for them to avoid repeat issues).
When enabling or disabling the feature, the server will send an email to your registered address confirming the change. This is necessary for obvious reasons so that you don't accidentally lock yourself out of your account and to make sure if someone has access to your username/password, they can't simply turn off the safety features you have.
Once enabled, when you log into the game it will check if your computer has been verified to use that specific character. If not, it will check if a validation email has been sent within the past 10 minutes (to avoid spam). It will generate a shared authentication token and send an email to the registered account, warning the owner that someone is trying to access their account.
When following the link in your email, you will be able to Block or Allow the computer in question as well as assign a nickname to it. Blocking a connection simply stops that computer from sending new email requests to your account. You should obviously still change your account details, but you can be confident they won't be able to play unless they also have access to your email. Clicking Allow whitelists the computer permanently - or until you remove it from your dashboard.
Removing blocked/allowed computers from the dashboard simply re-triggers the standard validation procedure when that computer is next used.
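The login check described above can be sketched as follows. This is an added example, not the game's actual server code: the class and method names, the per-account throttle, the hashed single-use token and the in-memory `outbox` that stands in for the mailer are all assumptions, and timestamps are plain seconds.

```python
import hashlib
import secrets

THROTTLE_SECONDS = 10 * 60  # the post's 10-minute anti-spam window


class HwidWhitelist:
    """Per-account device gate. All names here are hypothetical."""

    def __init__(self):
        self.devices = {}        # hwid -> {"state": "allowed"|"blocked", "nickname": str}
        self.pending = {}        # sha256(token) -> hwid awaiting the owner's decision
        self.last_email_at = None
        self.outbox = []         # stands in for the mailer: (hwid, token) pairs

    def login(self, hwid, now):
        """Return 'ok', 'denied', 'email_sent' or 'throttled' for a game login."""
        state = self.devices.get(hwid, {}).get("state")
        if state == "allowed":
            return "ok"
        if state == "blocked":
            return "denied"      # blocked computers cannot trigger new emails
        if self.last_email_at is not None and now - self.last_email_at < THROTTLE_SECONDS:
            return "throttled"   # an email already went out within the window
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked table does not yield usable links (assumption).
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = hwid
        self.last_email_at = now
        self.outbox.append((hwid, token))
        return "email_sent"

    def resolve(self, token, allow, nickname=""):
        """Handle the emailed link: Allow or Block the computer, with a nickname."""
        hwid = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if hwid is None:
            return False         # unknown or already-used token
        self.devices[hwid] = {"state": "allowed" if allow else "blocked",
                              "nickname": nickname}
        return True

    def remove(self, hwid):
        """Dashboard removal: the computer goes back through validation next time."""
        self.devices.pop(hwid, None)
```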
Login History
If you are suspicious that someone else is using your account, you can log in on your dashboard to view a history of everyone who is logging into your account. This includes the following details:
Time of login
IP used
Nickname (if any) of computer
It's worth noting that the computer nickname is a very useful feature to identify who is using your computer. Simply turn on HWID whitelist and name each computer something unique (e.g. "HomePC", "Joe'sPC") and you can easily tell who is using your account at a glance.
In-Game Protection
Players can 'lock' their items using an in-game interface. Locked items cannot be dropped, traded or sold except to players they have added as "Trade partners". Adding a trade partner and unlocking an item each have a 7-day confirmation period, which means that you can easily trade valuable items between your alternate characters or even trusted friends without worrying about them being lost.
Players who lose items by PKing a large number of players have their items confiscated, which involves a similar 7-day waiting period before the slayer may claim their rewards. In the case of your account being compromised, as long as you bring it to our staff's attention within a week, restoring lost items will be trivial and will not involve inconveniencing any other players.
Obviously there's plenty more we could talk about but I just wanted people to be aware of some of the improved security features added to the game as we're pretty happy with how they turned out. Obviously the project is constantly evolving and growing and improvements will continue to be made.