Account Security and visible information
Posted: Mon Dec 21, 2020 6:00 pm
I wanted to be up front with this, as I was recently troubleshooting an issue for one of our players who had forgotten their account name, and discovered an overlooked line of code which was saving raw text of the CONNECT command to our command log. The command log is not accessible by anyone on the team besides myself, but it is still a concern, as I'd rather NOT have seen all your passwords if I could have helped it.
I take security very seriously and have all aspects of accounts pretty locked down. There's not supposed to be any way for me, or any other member of the CLOK team, to see your password. Passwords are salted with a unique string per account and hashed with an irreversible algorithm. The only information we can see is your account name, your email address, and a list of IP addresses you've used to connect to your account with. This information is not even publicly available to the entire GM team, and is only accessible by Noctere or me with tools to access our database directly, should we need to troubleshoot something with an account. We do not even see your account names in-game, assuming they differ from your nicknames.
I apologize for this oversight with the command log. It has since been corrected, but any connection attempts that were made from the release of the account system will persist in the server logs. If you wish to change your password, there should be an option to do so on the login menu after you first connect to your account.
Additionally, there have been a couple people that have emailed me with problems accessing their account and have included their passwords. Please, don't do this. We don't need your password for anything and I'd be more comfortable not knowing.
I am currently on a vacation from work and am planning on spending some time with my family over the next week, but creating a tool to recover accounts via email address is at the top of my priority list. This will be the next big change/addition that I do, but may not be available before Christmas. If you need assistance with account recovery, just email us from the email address you registered your account with, but please do not include your password. We don't even really need your account name as long as the email matches up.
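The command-log problem described in the post, shown as an added example (not CLOK's code and not written by the post's author): a sanitizer that strips credential-bearing arguments before a command reaches the log. The `CONNECT <account> <password>` syntax, the verb list and all names here are assumptions made for illustration.

```python
import logging

# Assumed verbs whose arguments may carry credentials (hypothetical list).
SENSITIVE_VERBS = {"connect", "create", "password"}
REDACTED = "[REDACTED]"


def sanitize_command(raw: str, authenticated: bool) -> str:
    """Return the form of a player command that is safe to write to a log."""
    parts = raw.strip().split(None, 1)
    if not parts:
        return ""
    verb = parts[0].lower()
    if verb in SENSITIVE_VERBS:
        # Drop every argument, not only the last one: a mistyped
        # "connect <password>" puts the secret where the name should be.
        return f"{verb.upper()} {REDACTED}" if len(parts) > 1 else verb.upper()
    if not authenticated:
        # Before login, any line may be a password typed at the wrong prompt.
        return REDACTED
    return raw.strip()


class CommandLogFilter(logging.Filter):
    """Sanitizes records that carry a raw command in `record.command`."""

    def filter(self, record: logging.LogRecord) -> bool:
        if hasattr(record, "command"):
            record.command = sanitize_command(
                record.command, getattr(record, "authenticated", False)
            )
        return True


def render_log_line(raw: str, authenticated: bool = False) -> str:
    """Pass one command through the filter and format it as it would be logged."""
    record = logging.makeLogRecord(
        {"msg": "command", "command": raw, "authenticated": authenticated}
    )
    CommandLogFilter().filter(record)
    return logging.Formatter("%(message)s: %(command)s").format(record)


if __name__ == "__main__":
    # Constructed sample input, not taken from any real log.
    for line, authed in [("CONNECT alice hunter2", False), ("hunter2", False),
                         ("look north", True)]:
        print(render_log_line(line, authed))
```

Attaching the filter to the logger or handler, rather than sanitizing at each call site, means a newly added log statement cannot bypass it.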