Posted in Announcements
August 11, 2020

Feature Requests have launched, and registration is now open! Visit our registration page to create your account.

Registration

Your username is public and will be seen by other players. Your email address is not public and cannot be seen by other players.

A verified email address is required for all accounts. A verification email will be sent to you, and clicking the link in that email is required to activate your account. You will be able to log in once your account is activated.

Registering allows you to utilize various community features throughout our website. This is also the same account you will use to access the game during the upcoming stress test.

Security

We take the security and protection of user data seriously. In our monitoring of RF service providers, we find not only poor practices being followed, but severe negligence in some cases. Such negligence can quickly lead to exposure of sensitive data, or worse.

Did you know that traditionally, RF Online stores user account passwords in plain text? Every version of RF Online that we have seen suffers from the same problem.

I'm sure you probably know RF has very "basic" password requirements. Well, did you also know RF Online login servers have no brute-force protection? Once you have a valid account username, you're a password table away from getting into the account, all without being noticed while doing so. Exposure of account usernames in traditional RF is very dangerous!

From an administrative standpoint, sure, the usernames and passwords are stored in "binary", but all it takes is a simple conversion to see the true data. Let's demonstrate...

Here is a traditional RF account table:

[Image: Traditional RF Account Table]

Looking pretty normal, right? We can't see any of the data, not even the ID. Everything is "gibberish" as far as a human eye can see.

However, if I just add a simple conversion to convert the binary into a string, look what happens:

[Image: Traditional Converted RF Account Table]

I can now see all account IDs and passwords in plain text. Since the database stores the plain text strings as straight binary conversions, it is very easy to convert them back to something a human can read. If you know hexadecimal, you can probably read them without converting them.

This is of course very concerning from a user data standpoint. Certain risks are understood, but user passwords should never be so plainly stored.

I cover this because it is important for you as a private individual to understand how your data is being used in traditional versions of RF. If that isn't enough, your FireGuard and bank passwords are stored with the same method, and GameCPs typically offer features that let additional staff be granted permission to see this data. This is pretty standard across most RF Online game services.

Rebuilding RF to us means rebuilding everything. Not just the game, but how players think of and interact with the game, as well as player confidence in the security of their account progression.

So, how are we different?

Password Format

Passwords on our service are hashed one-way using bcrypt. Unlike other RF services, we are not able to reverse or see your password in any way.

If we want to go exploring around the database, this is all we see:

[Image: New Hashed Passwords]

If your password is lost, the only recovery method is setting a new password. Initiating recovery sends a link to your email address which allows you to set a new password.

We also allow up to 64 characters in your password with no symbol restrictions.
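
The following is an added example, not code from this service or from any RF Online server: a Python audit that classifies stored credential values as reversible plaintext, a bcrypt hash string, or opaque bytes, mirroring the comparison between the traditional account table and the hashed one. The hex literals, the NUL padding, and the function names are assumptions made for illustration, and the sample rows are constructed.

```python
import re
import string

# bcrypt's modular-crypt format: version, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def column_bytes(value: str) -> bytes:
    """Parse a binary column literal such as '0x70617373' into raw bytes."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)


def classify(value: str) -> str:
    """Return 'bcrypt', 'plaintext', 'empty' or 'opaque' for one stored value."""
    # Assumption: fixed-width binary columns pad short values with NUL bytes.
    raw = column_bytes(value).rstrip(b"\x00")
    if not raw:
        return "empty"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "opaque"  # not text, e.g. a raw digest or an encrypted blob
    if BCRYPT_RE.match(text):
        return "bcrypt"  # a hash string is printable too, so test it before plaintext
    if all(ch in PRINTABLE for ch in text):
        return "plaintext"  # readable after a simple binary-to-string conversion
    return "opaque"


def audit(rows):
    """Map each account id to the classification of its stored credential."""
    return {account_id: classify(stored) for account_id, stored in rows}


# Constructed sample rows, not data from any real service.
FAKE_BCRYPT = "$2b$12$" + "a" * 22 + "B" * 31  # right shape, not a real hash
SAMPLE_ROWS = [
    (1, "0x" + b"letmein123".ljust(16, b"\x00").hex()),
    (2, "0x" + FAKE_BCRYPT.encode("ascii").hex()),
    (3, "0x" + bytes(range(200, 216)).hex()),
]

if __name__ == "__main__":
    for account_id, kind in audit(SAMPLE_ROWS).items():
        print(account_id, kind)
```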

Privacy Policy

We are dedicated to the security and privacy of your personal information.

Our Privacy Policy covers how we use the information you submit to us and will be updated over time. We will notify you of changes via a message to your email address.

Future: Two-Factor Authentication & Beyond

While not currently available, we wanted to go ahead and announce our plans to implement two-factor authentication (2FA). 2FA will require you to use a one-time password generated by an authenticator app or device to access your account. This will take player security to the next level!

The best part? 2FA will be available for both our website and the game! Your one-time password, if enabled, would be required to access your account in any form throughout our community in addition to your existing password. Like FireGuard, but with an actual purpose. Entering a 2FA code would also be required for changing specific account information such as your email address.

We are also very open to feedback regarding security. Chat with us in Discord and let us know what you think!

If you have a specific idea in mind already, register and try out Feature Requests!

Feature Requests

Feature Requests are just one way we are involving you directly in the game development process. If you have ever wanted to see a specific feature in RF, our Feature Requests board is your place to finally plan out your idea!

System Highlights

With Feature Requests, you can:

  • Submit a game feature idea to the public board
  • Review ideas submitted by other members
  • Vote on the ideas you want to see implemented
  • Retract your vote on ideas where you changed your mind
  • Discuss features with other players by leaving comments within the request

Have an idea? Visit Feature Requests and let us know what you're thinking!


Dev Log #2 is next. We can't wait to show you more about the game!