Why Account Security Matters
Browser-based games are frequent targets for account theft because they are accessible from any device, often have less security infrastructure than native game clients, and their in-game economies create real-world value for stolen accounts. In VvW specifically, high-level characters with rare gear, large gold reserves, and established clan memberships are valuable targets.
Account theft in VvW can result in:
- Gold and item theft: An attacker can sell your gear on the Auction House and transfer the gold to their own account within minutes.
- Character deletion: Though VvW has a 72-hour recovery window for deleted characters, if you do not notice in time, the deletion becomes permanent.
- Reputation damage: An attacker using your account to scam other players, grief clan members, or violate terms of service can result in bans applied to your account.
- Lost progress: Even if the account is recovered, any items traded or gold spent during the compromise may not be fully recoverable.
The good news: with basic security practices, account theft is almost entirely preventable. The vast majority of compromised accounts used weak passwords, reused credentials from other breached sites, or fell for phishing links.
Strong Password Best Practices
Your password is the first and most important line of defense. A strong password for your VvW account should follow these guidelines:
- Use at least 12 characters. Longer passwords are exponentially harder to crack. A 12-character password with mixed character types would take millions of years to brute-force with current technology.
- Mix character types. Include uppercase letters, lowercase letters, numbers, and special characters. "NightBlade#42Fang!" is far stronger than "nightblade42".
- Never reuse passwords. If you use the same password for VvW and another site, and that other site suffers a data breach, attackers will try your credentials on VvW automatically. This is called "credential stuffing" and is the number one cause of game account theft.
- Do not use personal information. Your character name, clan name, birthday, pet's name, or any information visible on your social media profiles should never appear in your password.
- Use a password manager. Tools like Bitwarden (free), 1Password, or the built-in password managers in Chrome and Firefox generate and store unique, strong passwords for every site. You only need to remember one master password.
The strongest passwords are long random strings generated by a password manager. If you must create a memorable password, use a passphrase: four or more random words combined with numbers and symbols. Example: "Crimson7Moon$Howl!Dusk" is extremely strong and reasonably memorable.
How to Change Your VvW Password
- Log in to your VvW account.
- Navigate to Settings > Account > Security.
- Click "Change Password."
- Enter your current password, then enter your new password twice.
- Click "Save." You will be logged out of all other sessions automatically.
We recommend changing your password every 3-6 months, or immediately if you suspect any unauthorized access.
Session Management
A session is the browser connection between your device and VvW's servers. When you log in, a session token is created and stored in your browser. As long as that token is valid, you remain logged in without re-entering your password. Session management is critical because anyone with access to your session token can access your account without knowing your password.
Best Practices
- Always log out on shared devices. Library computers, school computers, internet cafes, and any device you do not personally own should never have an active VvW session. Use the "Log Out" button; do not just close the browser tab, as the session may persist.
- Do not check "Remember Me" on public devices. The "Remember Me" option extends your session token's lifetime. Only use this on your personal devices.
- Review active sessions regularly. VvW's security settings show all devices with active sessions. If you see a session from a location or device you do not recognize, end it immediately and change your password.
- Use private browsing on borrowed devices. If you must log in on someone else's device, use Incognito/Private mode. This ensures the session token and all cached data are deleted when the window is closed.
To review your active sessions: Settings > Account > Security > Active Sessions. You will see the browser, operating system, approximate location, and last activity time for each session. End any session you do not recognize immediately.
Recognizing Phishing
Phishing is the most common attack vector for game account theft. Phishing attempts trick you into entering your credentials on a fake website that looks identical to the real VvW login page. Here is how to recognize and avoid phishing.
Common Phishing Methods
- Fake login pages: You receive a link (via Discord DM, in-game chat, or email) that takes you to a page that looks exactly like VvW's login but is hosted on a different domain (e.g., "vampirevswolves.com" instead of "duskmaw.com"). Always check the URL bar before entering credentials.
- Fake GM messages: Someone impersonating a Game Master claims you need to "verify your account" or "confirm a suspicious login" by clicking a link. Real VvW staff will never ask for your password through in-game chat, Discord, or email.
- Free item scams: Messages promising free Blood Gems, rare items, or account upgrades if you visit a link and log in. These are always phishing attempts. VvW never distributes rewards through external links.
- Fake game update pages: A link claims you need to update your browser plugin or download a game update. VvW is browser-only with no plugins or downloads. Any page asking you to download software is fake.
VvW staff will NEVER ask for your password. Not in-game, not on Discord, not via email, not for any reason. If anyone claiming to be a GM asks for your password, they are an impersonator. Report them immediately.
How to Verify a Link
- Check the domain: The only legitimate VvW domains are duskmaw.com and subdomains of duskmaw.com. Any other domain is fake.
- Look for HTTPS: The real VvW site always uses HTTPS (look for the padlock icon). A phishing site may not.
- Hover before clicking: On desktop, hover your mouse over any link to see the actual URL in the bottom-left corner of your browser. If the displayed URL does not match duskmaw.com, do not click.
- When in doubt, navigate directly: Instead of clicking a link, open a new tab and type duskmaw.com manually. Then navigate to whatever page was referenced in the message.
Trading Scam Prevention
The in-game trading system and Auction House are common venues for scam attempts. Here are the most frequent scams and how to avoid them.
- Item swap scam: A trader shows a valuable item in the trade window, then quickly swaps it for a worthless item with a similar icon before you confirm. Always verify the exact item name, stats, and rarity in the confirmation dialog before accepting any trade.
- Overpayment scam: Someone offers to buy your item for far above market price but asks you to pay a "listing fee" or "insurance deposit" first. Legitimate buyers never ask sellers to pay anything.
- Outside-game trading: Someone offers to buy your items or gold for real money through PayPal, cryptocurrency, or other external payment. This violates VvW's terms of service and can result in a permanent ban. It is also a common scam vector where the buyer initiates a payment reversal after receiving the items.
- Clan invitation scam: A fake high-ranking clan invites you and asks you to "prove your commitment" by giving items or gold to a clan officer. Legitimate clans never ask for item deposits from recruits.
Always use the Auction House for valuable transactions. The Auction House provides escrow protection: your gold is only released to the seller when the item is delivered, and vice versa. Direct player-to-player trades have no such protection and are riskier for high-value items.
What to Do if Your Account is Compromised
If you suspect unauthorized access to your account, act immediately. Speed is critical because every minute gives the attacker more time to steal items, sell gear, or cause damage.
- Change your password immediately. If you can still log in, go to Settings > Account > Security > Change Password. Use a completely new password that you have never used anywhere.
- End all active sessions. In the same security settings, click "End All Other Sessions." This logs out the attacker from all devices.
- Check your inventory and gold. Note anything that is missing. Screenshot your current inventory, Auction House listings, and recent trade history.
- Contact support. Submit a support ticket through the Contact page with the subject line "Account Compromised." Include your username, the approximate time you noticed the breach, and screenshots of any missing items or suspicious activity.
- Check your email security. If your VvW account was compromised via a phishing link, the attacker may have your email credentials too. Change your email password and enable two-factor authentication on your email account.
- Review linked accounts. If you used the same password on other gaming sites or services, change those passwords immediately.
VvW's support team investigates compromise reports within 24 hours. In confirmed cases of unauthorized access, we can roll back item and gold transfers, restore deleted characters (within the 72-hour window), and ban the attacker's accounts. However, some damage may not be fully reversible, which is why prevention is far more effective than recovery.
Privacy Settings
VvW offers several privacy settings that reduce your exposure to social engineering and targeted attacks.
- Hide online status: Prevents other players from seeing when you are online. Accessible in Settings > Privacy.
- Restrict trade requests: Limit who can send you trade requests: anyone, friends only, or clan members only. Reduces exposure to trade scams.
- Block whispers from strangers: Allow private messages only from friends and clan members. Most phishing attempts come through whispers from unknown accounts.
- Hide character details: Prevent non-friends from inspecting your gear and inventory. This makes you a less obvious target for account thieves who look for high-value accounts.
Two-Factor Authentication
VvW supports optional two-factor authentication (2FA) for an additional layer of security. When 2FA is enabled, logging in requires both your password and a time-based code from an authenticator app on your phone.
Setting Up 2FA
- Install an authenticator app on your phone: Google Authenticator, Authy, or Microsoft Authenticator are all supported.
- In VvW, go to Settings > Account > Security > Two-Factor Authentication.
- Click "Enable 2FA." A QR code will be displayed.
- Scan the QR code with your authenticator app.
- Enter the 6-digit code displayed by the app to verify the setup.
- Save the backup codes provided. These are one-time-use codes that allow you to log in if you lose access to your authenticator app. Store them securely (not on your phone).
We strongly recommend enabling 2FA for all accounts. With 2FA enabled, an attacker who obtains your password still cannot access your account without physical access to your phone. It is the single most effective security measure available to you.
What if I Lose My Phone?
Use one of your backup codes to log in, then disable and re-enable 2FA with your new device. If you have lost both your phone and your backup codes, contact support through the Contact page with proof of account ownership (original registration email, character details, transaction history) to request a manual 2FA reset. This process takes 48-72 hours for security verification.
Frequently Asked Questions
Can someone hack my account through in-game chat?
Not directly. In-game chat is text-only and cannot execute code on your device. However, clickable links in chat can lead to phishing sites. Never click links from unknown players. If a link looks suspicious, ignore it and report the sender.
Is it safe to use browser autofill for my VvW password?
Yes, if your device is personally yours and password-protected. Browser autofill (Chrome, Firefox, Edge) stores passwords securely and is far safer than using a weak, memorable password. Do not use autofill on shared or public devices.
Can VvW staff see my password?
No. VvW stores passwords using industry-standard bcrypt hashing. Even our database administrators cannot see or recover your actual password. If you forget your password, you must reset it; no one can retrieve the original.
Should I use a different email for my VvW account?
Using a dedicated email address for gaming accounts is a strong security practice. If your primary email is compromised in a breach, your VvW account remains unaffected. Free email providers like Gmail and Outlook make creating a dedicated gaming email easy.
What information should I never share?
Never share your password, email address, security question answers, 2FA backup codes, or session tokens with anyone. VvW staff will never ask for any of this information. Additionally, avoid sharing screenshots that show your email address in account settings.