Author Topic: Korruption  (Read 2766 times)

Offline dsheroh

Re: Korruption
« Reply #25 on: October 09, 2010, 07:53:45 AM »
> What about deriving a unique salt for each password from the username?

Unique salts per account are a Very Good Thing.  Using a single salt which is identical for all accounts still allows an attacker with access to your user database[1] to trivially determine whether two or more users have the same password.

Using the username, or something easily derived from it, as salt is not such a good thing because this greatly reduces the entropy of the salting space.  The point of salting is that a rainbow-table-style attack will need to have hashes computed for a large proportion of potential salt values in order to succeed.  If you're using the username as salt, then an attacker only needs to precompute hashes for three potential salts ("root", "admin", and "administrator") to have a very good chance of obtaining superuser access to your system.

Standard practice, therefore, is to generate a unique (pseudo-)random salt for each account and store this salt (as plaintext, so that it's recoverable) in the user database along with the password, usually as a prefix to the hashed password itself.  Yes, this means that an attacker with access to the user database will also have the salts available to him, but the point of per-user salts is that they are entropic (random), not that they are secret.

An additional fixed, hidden salt or other extra input to the hashing algorithm aside from the password and per-user salt can help to improve security further, but not by as much as you might think, since an attacker with access to your user database is likely to also have access to your code and configuration as well, so they can easily discover any fixed salt/extra input simply by looking for it.

Finally, as Harkins said, "It doesn't matter that md5 is 32bit, sha1 and md5 are both designed to be as fast as possible so if he's going to suffer from the unlikely scenario that someone swipes his database they'll brute force it just as fast. So the Right Answer is bcrypt, but he's in great shape and it's far more important for him to work on gameplay than defend himself against esoteric attacks that will likely never come."  If and when serious security becomes a legitimate need, speed will be the enemy and bcrypt will be the answer.  But it's not a legitimate need at this point.  Don't spend too much time or effort on warding off serious attackers until after you've produced something that would be worth their while to attack.


[1]  Remember that such an attacker is the only attacker that salts matter against.  If they don't have access to your user database, then how that database stores information is completely irrelevant to its security.
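
An added example, not part of the original post, comparing the three salting schemes discussed above: one salt for everyone, username as salt, and a random per-account salt stored as a prefix. PBKDF2 from Python's standard library stands in for bcrypt here, and the account names, passwords, guess list and `salt$hash` record layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # demo work factor for PBKDF2, the stand-in for bcrypt here

def slow_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def store_fixed_salt(password: str) -> str:
    # Weak: one salt for every account, so equal passwords give equal records.
    return slow_hash(password, b"one-salt-for-everyone")

def store_username_salt(username: str, password: str) -> str:
    # Weak: the salt is predictable, so hashes can be computed ahead of time.
    return slow_hash(password, username.encode())

def store_random_salt(password: str) -> str:
    # Per-account random salt, kept in plaintext as a prefix of the record.
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + slow_hash(password, salt)

def verify(password: str, record: str) -> bool:
    salt_hex, expected = record.split("$", 1)
    return hmac.compare_digest(slow_hash(password, bytes.fromhex(salt_hex)), expected)

def accounts_sharing_a_record(db: dict) -> list:
    # What anyone reading the user table can see: groups of identical records.
    groups = {}
    for user, record in db.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def precomputed_table(usernames, guesses) -> dict:
    # Built with no access to the database; only possible for predictable salts.
    return {store_username_salt(u, g): (u, g) for u in usernames for g in guesses}

# Constructed sample accounts and guess list, for illustration only.
ACCOUNTS = {"admin": "letmein", "alice": "hunter2", "bob": "hunter2"}
GUESSES = ["123456", "password", "letmein"]

if __name__ == "__main__":
    fixed = {u: store_fixed_salt(p) for u, p in ACCOUNTS.items()}
    by_name = {u: store_username_salt(u, p) for u, p in ACCOUNTS.items()}
    random_ = {u: store_random_salt(p) for u, p in ACCOUNTS.items()}
    table = precomputed_table(["root", "admin", "administrator"], GUESSES)
    print("fixed salt, shared records:", accounts_sharing_a_record(fixed))
    print("username salt, table hit:", table.get(by_name["admin"]))
    print("random salt, shared records:", accounts_sharing_a_record(random_))
    print("random salt still verifies:", verify("hunter2", random_["alice"]))
```

With the random salt, the table cannot be prepared in advance because the salt is unknown until the user database itself has been read, and the two accounts with the same password no longer share a record.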

Offline Nox

Re: Korruption
« Reply #26 on: October 09, 2010, 07:54:57 AM »
There are several other paying systems, paying by card etc.

Still, it would be an absolute setback and difficulty will not change this, unless you create an array of (not annoying) options how a player can defend himself. Anyway, I'd see the "die = start again" rather for a different, swifter and shorter type of game.
Meet us at an IRC irc.freenode.net #bbg as well
https://vimeo.com/36579366 (a must-watch) | Join BOINC - no longer a hype, but you can help never the less

Offline Quotation

Re: Korruption
« Reply #27 on: October 09, 2010, 08:18:21 AM »
I don't have a credit/debit card, and my dad refuses to pay, he says that if I want a paid domain, paid host etc,
I have to raise the money myself. So I'm just hoping that by next year, he will have changed his mind, or the sanctions
will have been lifted on Sudan, or I'm back in England.

I'm noticing a re-occurring anti-death theme  ;D, I'm trying to ask myself, is there any way I could make death not
be the end of you, but still have consequences. Or if death could be the end of you, what could I add to make
so players defend themselves, (as you said Nox). Suggestions would be welcome. I will ponder whilst I code.

Offline Chris

Re: Korruption
« Reply #28 on: October 09, 2010, 08:27:32 AM »
You can pay directly via credit/debit card in some host providers. And yes, you are still able to get a debit card if you are underage in most countries. Although, lack of PayPal will severely limit your further options (advertising, services, collecting donations from players, etc)... I would redesign the game to be a niche small one.

"It is very difficult to kill people" plus "There are also decentives  for the killer" is watering down the concept. Permadeath games are fun because death is frequent and easy. You get the thrill because of the constant danger. If you make the dying part rare why not remove it altogether?

Permadeath would work best in very short, intense, low player count games. Take a look at Counterstrike. This game did not get famous because of permadeath, but because each game lasts for 5 minutes. Imagine it working if the matches were like 30 minutes each? Nope, only the combination of short play + permadeath made Counterstrike the cult game. Both of the concepts alone would not work. These work because of synergy (2+2=5).

Your concepts combination is like 2+2=3. Even if you polish them to maximum these will always give suboptimal results at most.

Offline Quotation

Re: Korruption
« Reply #29 on: October 09, 2010, 08:36:05 AM »
I will try and get the PayPal sorted out.

Let's say I were to remove the perma-death. What would a meaningful consequence of death be? Could you lose some items, money, stats (which aren't very important in this game)? The only problem is that eventually some players would be so far ahead that new players wouldn't stand a chance. The old players would own a large number of businesses, they would be in control of all major institutions. Argh O_O

Offline Chris

Re: Korruption
« Reply #30 on: October 09, 2010, 09:25:56 AM »
Read "Game Design" board, there are topics that would answer some of your questions (especially "consequences of death" and "everlasting vs reset" topics).

> The old players would own a large number of businesses, they would be in control of all major institutions. Argh O_O
There is only one solution that really works. Periodic resets. You could try some tricks with everlasting model, but these are half effective at most (and most solve it by making something like non obvious hidden partial resets). Are you ready to pay the price? Are you willing to go for resets?
Alternatively, you could just ignore the issue and accept that older players will always be on top :)

You sound very reasonable, which is rare. So I will give you a true advice, which I do rarely too since most people feel offended when I do it :D Make a list of games that are similar to your game. Look how they solved similar things in such games. Do not attempt making "original" game. Only noobs attempt making original games and fail trying. Attempt making a unique game. A non original game can be unique. Find a game you like and is similar to your ideal game, take that game and fix it. Add features that were missing in that game. That way you will make a unique game that is not original (and game being not original is a good trait, not bad one).
Your deadline of 8 months is too long. To my experience the first deadlined project will go 3 times over budget (8*3=21 months in your scenario). This will kill your stamina and spirit. I absolutely recommend to fit the "on paper" deadline below 6 months, it is already stretching the odds to the fullest. Also arrange twice the project time for fixes and polishes after the launch (so, for a project that is on paper 6 months expect 6*3+(6*3*2)=54 months in reality, at least those numbers would be accurate if you were me :D).


Offline Quotation

Re: Korruption
« Reply #31 on: October 09, 2010, 12:47:08 PM »
I'm reluctant to implement resets, I've seen many players quit games because of resets. I'm leaning more towards persistent with penalties for death. The whole cash, money, weapons, stats thing becomes less important due to the nature of the game. Real life skills such as diplomacy will get you to the top faster than 5000 attack.

The deadline has been moved to January 9th - same day as the Southern Sudan referendum. Korruption is no longer roguelike, but it's still persistent.

Offline 133794m3r

Re: Korruption
« Reply #32 on: October 09, 2010, 04:31:49 PM »
Since it seems that you're using PHP, just use bcrypt at its lowest setting, something like a complexity of 02, since it's immensely more secure than sha and also will slow them down if something bad happens. I'd say to use scrypt but there's currently not an easy to use way of obtaining it for PHP and I'm not going to worry about it until I get something that's truly worthwhile and then I might end up attempting to write a PHP extension of it.

Offline Chris

Re: Korruption
« Reply #33 on: October 09, 2010, 04:55:31 PM »
> The whole cash, money, weapons, stats thing becomes less important due to the nature of the game. Real life skills such as diplomacy will get you to the top faster than 5000 attack.
So, it will be like one of those Facebook "social" games? The more friends you have the more powerful you are and all the strategic choices during the game mean nothing?

That's one of the most frustrating things about game design, the further you proceed the more yes/no decisions you have to make and with each answer a part of your beloved game has to die :D

Offline dsheroh

Re: Korruption
« Reply #34 on: October 10, 2010, 08:01:29 AM »
> I'm noticing a re-occurring anti-death theme  ;D, I'm trying to ask myself, is there any way I could make death not
> be the end of you, but still have consequences. Or if death could be the end of you, what could I add to make
> so players defend themselves, (as you said Nox). Suggestions would be welcome. I will ponder whilst I code.

For what it's worth, I absolutely love the idea of permadeath (or at least meaningful death) as a concept.  Making it work in practice is much more difficult, especially for longer-running games, as Chris has pointed out.

I do agree with you that making it hard to kill someone else is likely a big piece of getting permadeath to work.  If every fight ends with someone dying, then it's just not going to work unless you restrict attacks to only be against players who are currently online and allow both players to have an active role in the fight.  Otherwise it's just "Bam!  You're dead!" at random through no fault of your own, quite likely with nothing you could have done to prevent it, which many players will find frustrating.  The substantial majority of fights should end with someone injured and fleeing or (as with historical dueling) have a defined non-lethal victory condition - "first blood", "until one yields", "to unconsciousness", "to the pain", etc.

(As a side note, it's sad how few games include non-lethal combat options.  The average bar fight is conducted with fists, not swords, after all.)

There are two other major pieces that I see as necessary for permadeath to work in a long-running, persistent game:

1)  It needs to be quick and easy to start a new character.  If it takes two hours to get a character going and they get killed in five minutes, then nobody's going to continue after their first death.  (Note that I said "start", not "create" or "roll up" - I'm also including the time to get the character into the game and able to truly participate.)

This and the "hard to kill" point combine into a single key fact:  You must be able to maintain a high ratio of active playing time to starting-over time.  Instant-rez, no-penalty systems take the easy way out by reducing the starting-over time to as close to zero as is humanly possible (if nothing else, you still have to be not-playing long enough to wait for someone to rez you or to return to where you died before you can continue with what you were doing).  Permadeath inherently increases the starting-over time, so you need to instead minimize the frequency of starting over.

2)  Unless progression in the game is purely a matter of player skill (e.g., Counterstrike), there needs to be some mechanism in place for each new character to gain new stuff based on how the player's prior characters fared.  The simplest option is to have some fraction of XP and/or resources carry over, but there are other possibilities, such as having unlockable abilities where, once one of your characters accomplishes X, then all of your future characters will have access to ability Y.  (Add in a handful of default abilities that everyone gets and limit each character to, say, three abilities, and this approach can avoid inflating the power level of older characters, since actually taking ability Y on a given character means giving up another ability.  The point here is that you can give experienced players more options when building a new character.  It doesn't have to be about making their new characters more powerful.)

> > The whole cash, money, weapons, stats thing becomes less important due to the nature of the game. Real life skills such as diplomacy will get you to the top faster than 5000 attack.
> So, it will be like one of those Facebook "social" games? The more friends you have the more powerful you are and all the strategic choices during the game mean nothing?

He said "real-life skills such as diplomacy", not "spamming all your friends to click a 'join my family/clan/guild/whatever' link".  I'm not sure why you're assuming that he means the latter.

And diplomacy is a strategic choice, as is isolationism.

Offline Chris

Re: Korruption
« Reply #35 on: October 11, 2010, 03:29:13 AM »
> > > The whole cash, money, weapons, stats thing becomes less important due to the nature of the game. Real life skills such as diplomacy will get you to the top faster than 5000 attack.
> > So, it will be like one of those Facebook "social" games? The more friends you have the more powerful you are and all the strategic choices during the game mean nothing?
>
> He said "real-life skills such as diplomacy", not "spamming all your friends to click a 'join my family/clan/guild/whatever' link".  I'm not sure why you're assuming that he means the latter.
>
> And diplomacy is a strategic choice, as is isolationism.
No helping please! It is his dilemma how to answer this and to take sides. By answering such extreme questions he is forced to take sides which helps greatly in clarifying/deciding what the main focus of the game is :D

It's not like he can have both real life diplomacy skills and player driven strategic skills, eventually he will be forced to choose. Also he can not please us both, since our tastes are very different, he has to choose the target player as well.
Besides, real life politics/diplomacy *is* spamming potential followers to support your cause/vote for you :D

Offline Quotation

Re: Korruption
« Reply #36 on: October 16, 2010, 03:49:55 AM »
I'm back after my brief period of inactivity. I will take the time to answer your very nice questions. I seem to be having a spot of trouble with mah config.
Code:
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'nobody'@'localhost' (using password: NO) in public_html/Login.php on line 67


Offline Nox

Re: Korruption
« Reply #37 on: October 16, 2010, 03:53:32 AM »
"public_html" is kinda weird name for folder for application :)

anyway... you can see from the error message that you're trying to connect without specifying credentials

why not show us the code?

Offline Quotation

Re: Korruption
« Reply #38 on: October 16, 2010, 04:13:41 AM »
No worries, fixed. Checked out my file manager, and it turns out my config.php file was corrupted whilst being uploaded. Get registering dudes ;)

Offline Quotation

Re: Korruption
« Reply #39 on: October 22, 2010, 05:18:26 AM »
Korruption is currently being revamped. A new design is currently being formulated, and should be up and running today.

Perma-death has been re-instated. Going along with dsheroh's idea, there will be six abilities that you can add to your character upon creation. Two extra ability slots can be unlocked (how, I haven't decided yet.) This is so that players can add any abilities they unlocked on their previous characters that they don't want to lose.

Diplomacy is not spamming Facebook friends on this game, although I hope to add some form of Facebook integration, e.g. being able to post updates to your wall about the game.

This game will be mostly skill based, with stats only being important for careers such as the army.

 

