Security
This page describes the current status of security and privacy in AAGRINDER.
Security
Authentication
In AAGRINDER, players authenticate with their passwords. The password is chosen when the account is created and needs to be at least 1 character long. The password may contain any characters.
The password is transmitted to the server in plaintext. However, if you are using a https connection, this transmission will be encrypted.
On the server, the password is hashed and salted using bcryptjs and then saved in a MySQL database. The relevant part of the code can be found here. The plaintext password does not persist in memory on neither the client or the server.
There is currently no functionality for changing an account's password. If you want your password changed, you should contact the server administrator to reset your account (progress in the game will not be lost).
There is an alternative mode called Running in insecure mode which can be enabled by toggling a server setting. We call it "insecure" to decrease the confusion between the similar words "authentication" and "authorization". If enabled, passwords will be completely ignored at login, and the client will not prompt the user for password.
