Password & Authentication Security
Every password in VvW is hashed using bcrypt with work factor 12. We never store plaintext passwords — not in logs, not in debug output, not anywhere. When you register, your password is immediately hashed before it touches the database. The hash is what lives on our servers.
We authenticate using JWT (JSON Web Tokens) with a 24-hour expiry. Tokens are signed with a 256-bit secret key rotated every 90 days. If you log out, the token is added to a Redis blocklist so it cannot be reused even if intercepted before expiry.
We do not implement "remember me" tokens with long-lived secrets. Your session refreshes on each login. If your account is ever compromised, a password change immediately invalidates all active sessions.
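The token lifecycle the three paragraphs above describe, as an added example rather than VvW's own code: an HS256 JWT with a 24-hour expiry, a per-token id that logout puts on a blocklist, and a per-user password-change timestamp that rejects every token issued before it. The signing key and the two dict stores are constructed stand-ins for the real secret and the Redis keys, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (not VvW's code): in production the key lives in a
# secrets manager and the two stores are Redis keys with a TTL.
SIGNING_KEY = secrets.token_bytes(32)   # 256-bit HS256 key, as the page describes
TOKEN_TTL_S = 24 * 60 * 60              # 24-hour expiry

blocklist = {}       # jti -> time (s) after which Redis would have expired the entry
pw_changed_at = {}   # user_id -> time (s) of the last password change


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, character_id: str, now: int) -> str:
    """Mint an HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "cid": character_id,            # cross-checked against the request on every endpoint
        "iat": now,
        "exp": now + TOKEN_TTL_S,
        "jti": secrets.token_hex(16),   # unique id so logout can blocklist just this token
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, now: int):
    """Return the claims of a live, untampered token, or None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                 # signature mismatch: forged or tampered
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        if header.get("alg") != "HS256":
            return None                 # the token never gets to pick its own algorithm
        if now >= payload["exp"]:
            return None                 # past the 24-hour expiry
        if payload["jti"] in blocklist:
            return None                 # logged out before expiry
        if payload["iat"] < pw_changed_at.get(payload["sub"], 0):
            return None                 # issued before the latest password change
        return payload
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                     # malformed token


def logout(token: str, now: int) -> bool:
    """Blocklist a valid token's jti until the moment it would have expired anyway."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    blocklist[payload["jti"]] = payload["exp"]
    return True


def change_password(user_id: str, now: int) -> None:
    """Every token issued before `now` is rejected from here on, with no per-token bookkeeping."""
    pw_changed_at[user_id] = now


def purge_blocklist(now: int) -> int:
    """What a Redis key TTL does for free: drop entries whose token has expired anyway."""
    stale = [jti for jti, exp in blocklist.items() if exp <= now]
    for jti in stale:
        del blocklist[jti]
    return len(stale)
```

The password-change check is the cheap half of "invalidates all active sessions": one timestamp per user beats enumerating every outstanding jti, and the blocklist only has to hold tokens that were explicitly logged out.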
Session Management
All game actions are validated server-side. Your client sends requests; our server decides whether they're valid. The client never has authority — it only has display state. This means even if someone modifies their browser's JavaScript, they cannot grant themselves gold, XP, or items.
Each sensitive action (Prestige, large gold transactions, PvP attacks) requires a fresh token claim. We cross-reference your character ID against the JWT payload on every authenticated endpoint.
Rate Limiting & Brute Force Protection
Login attempts are rate-limited to 5 per minute per IP and 10 per hour per username. After 10 failed attempts on a single account, we trigger an email verification step before allowing further attempts.
All game action endpoints are rate-limited via Redis. For example, the hunt endpoint is limited to 1 request per 800ms per character. This prevents automated botting scripts from gaining unfair XP/gold advantages.
| Endpoint | Rate Limit | Enforcement |
|---|---|---|
| POST /auth/login | 5/min per IP | Redis sliding window |
| POST /battle/hunt | 1/800ms per char | Redis token bucket |
| POST /arena/attack | 1/5s per char | Redis token bucket |
| POST /shop/buy | 10/min per char | Redis counter |
| POST /trade/create | 5/min per char | Redis counter |
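The three limiter shapes in the table (sliding window, token bucket, counter) plus the per-username login protection from the paragraph above, as an added example that is not VvW's code. Plain dicts and an injected millisecond clock stand in for Redis so it runs offline; the limits are the table's, while the function names and the choice of a fixed-window counter for the per-username 10/hour limit are assumptions.

```python
from collections import deque

# Added example, not VvW's code: in-memory models of the Redis limiter shapes
# named in the table. Times are integer milliseconds so refill maths is exact.


class SlidingWindowLimiter:
    """At most `limit` requests per key in any trailing `window_ms`.
    Redis shape: a ZSET per key scored by timestamp, trimmed before each count."""

    def __init__(self, limit: int, window_ms: int):
        self.limit, self.window_ms = limit, window_ms
        self.log = {}  # key -> deque of request timestamps (ms)

    def allow(self, key: str, now_ms: int) -> bool:
        q = self.log.setdefault(key, deque())
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()                       # forget requests that left the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True


class TokenBucketLimiter:
    """`capacity` tokens per key, one token refilled every `interval_ms`.
    Tokens are kept in thousandths so refill stays in integer arithmetic."""

    def __init__(self, capacity: int, interval_ms: int):
        self.cap_m, self.interval_ms = capacity * 1000, interval_ms
        self.state = {}  # key -> (millitokens, last_update_ms)

    def allow(self, key: str, now_ms: int) -> bool:
        tokens, last = self.state.get(key, (self.cap_m, now_ms))
        tokens = min(self.cap_m, tokens + (now_ms - last) * 1000 // self.interval_ms)
        if tokens < 1000:
            self.state[key] = (tokens, now_ms)
            return False
        self.state[key] = (tokens - 1000, now_ms)
        return True


class FixedWindowCounter:
    """INCR + EXPIRE style: `limit` per key per `window_ms`, reset when the key expires."""

    def __init__(self, limit: int, window_ms: int):
        self.limit, self.window_ms = limit, window_ms
        self.counts = {}  # key -> (window_start_ms, count)

    def allow(self, key: str, now_ms: int) -> bool:
        start, count = self.counts.get(key, (now_ms, 0))
        if now_ms - start >= self.window_ms:
            start, count = now_ms, 0          # the Redis key would have expired
        if count >= self.limit:
            return False
        self.counts[key] = (start, count + 1)
        return True


# The page's table as (what the limit is keyed on, limiter) pairs.
LIMITERS = {
    "POST /auth/login":   ("ip",   SlidingWindowLimiter(5, 60_000)),
    "POST /battle/hunt":  ("char", TokenBucketLimiter(1, 800)),
    "POST /arena/attack": ("char", TokenBucketLimiter(1, 5_000)),
    "POST /shop/buy":     ("char", FixedWindowCounter(10, 60_000)),
    "POST /trade/create": ("char", FixedWindowCounter(5, 60_000)),
}


def check_rate_limit(endpoint: str, ip: str, char_id: str, now_ms: int) -> bool:
    scope, limiter = LIMITERS[endpoint]
    return limiter.allow(f"{endpoint}:{ip if scope == 'ip' else char_id}", now_ms)


# Per-username protection: 10 attempts per hour, and a hold for email
# verification after 10 failures. The counter shape here is an assumption.
LOGIN_PER_USER = FixedWindowCounter(10, 3_600_000)
failed_logins = {}   # username -> failures since the last success (Redis: one counter per user)


def login_attempt(ip: str, username: str, password_ok: bool, now_ms: int) -> str:
    if not check_rate_limit("POST /auth/login", ip, "", now_ms):
        return "rate_limited_ip"
    if failed_logins.get(username, 0) >= 10:
        return "email_verification_required"
    if not LOGIN_PER_USER.allow(username, now_ms):
        return "rate_limited_user"
    if password_ok:
        failed_logins.pop(username, None)
        return "ok"
    failed_logins[username] = failed_logins.get(username, 0) + 1
    return "bad_credentials"


def complete_email_verification(username: str) -> None:
    """The verification step clears the hold so login attempts can resume."""
    failed_logins.pop(username, None)
```

Note the ordering in login_attempt: the per-IP limit is checked before anything keyed on the username, so an account on verification hold still costs the caller an IP-limited attempt rather than giving a free oracle for which usernames are held.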
Anti-Cheat Design
The most important anti-cheat principle: the server is the authority, always. Client-side numbers are display only. Every damage calculation, every gold award, every XP gain is computed server-side using the character's actual database stats.
Cooldowns are enforced in Redis, not on the client. When you complete a dungeon, the server records last_dungeon_attempt in Redis with a TTL. If you try to run it again before the cooldown expires, the server rejects the request regardless of what the client claims.
Stat Sanity Checks
Every computed stat is bounds-checked. If ATK comes out above 10,000, the server flags the account for review. This catches edge cases from exploit attempts or data corruption. Abnormal values trigger a soft lock pending manual review rather than allowing a corrupted state to persist.
We analyze action timing patterns. Real players have irregular timing; bots are perfectly consistent. Accounts whose request intervals stay within a ±20 ms spread over 200+ requests are flagged for a CAPTCHA challenge.
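The three server-side checks just described (a Redis cooldown key with a TTL, a bounds check on computed stats, and the request-interval regularity heuristic), as an added example that is not VvW's code. A dict of expiry times models "SET key EX ttl NX"; the 10,000 ATK ceiling and the ±20 ms over 200+ requests figures are the page's, while the dungeon cooldown length, the lower ATK bound, the function names and the two sample request streams are constructed assumptions.

```python
# Added example, not VvW's code. A dict of expiry times stands in for Redis.


class TtlStore:
    """Minimal in-memory model of the Redis keys the page describes."""

    def __init__(self):
        self.expiry = {}  # key -> unix time (s) at which Redis would drop the key

    def set_if_absent(self, key: str, ttl_s: int, now: int) -> bool:
        if self.expiry.get(key, 0) > now:
            return False                 # key still alive: the NX set fails
        self.expiry[key] = now + ttl_s
        return True

    def ttl(self, key: str, now: int) -> int:
        return max(0, self.expiry.get(key, 0) - now)


DUNGEON_COOLDOWN_S = 600   # assumption: the page does not state the cooldown length


def try_dungeon(store: TtlStore, char_id: str, now: int) -> str:
    """Server-side cooldown: whatever the client claims is never consulted."""
    key = f"last_dungeon_attempt:{char_id}"
    if store.set_if_absent(key, DUNGEON_COOLDOWN_S, now):
        return "ok"
    return f"cooldown:{store.ttl(key, now)}s"


# Bounds per stat. The page gives only the ATK ceiling; the lower bound is an assumption.
STAT_BOUNDS = {"ATK": (0, 10_000)}
soft_locked = set()   # accounts held for manual review


def check_stat(account_id: str, stat: str, value: int) -> str:
    """Run after every stat computation; an out-of-range value soft-locks the account."""
    lo, hi = STAT_BOUNDS[stat]
    if lo <= value <= hi:
        return "ok"
    soft_locked.add(account_id)
    return "soft_locked"


def looks_automated(timestamps_ms, min_requests=200, tolerance_ms=20) -> bool:
    """Flag for a CAPTCHA when every request interval sits within ±tolerance of the
    mean over at least min_requests requests; real players spread far wider."""
    if len(timestamps_ms) < min_requests:
        return False                     # not enough evidence yet
    intervals = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    mean = sum(intervals) / len(intervals)
    return max(abs(i - mean) for i in intervals) <= tolerance_ms


def sample_bot(n=200, period_ms=805):
    """Constructed stream: a script firing every 805 ms with a few ms of jitter."""
    return [i * period_ms + (i % 3) * 3 for i in range(n)]


def sample_human(n=200):
    """Constructed stream: a player whose gaps range from under a second to several."""
    gaps = [640, 1310, 2780, 910, 4120, 1050]
    timestamps, t = [], 0
    for i in range(n):
        timestamps.append(t)
        t += gaps[i % len(gaps)]
    return timestamps
```

The cooldown uses a single set-if-absent on the key rather than a read followed by a write, so two concurrent dungeon requests from the same character cannot both pass the check; the same atomicity is what a Redis SET with NX and EX gives in production.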
What Data We Store (and Don't)
We store: username, email (hashed for storage), character data, game logs (action type, timestamp — no content), IP address of last login (for fraud detection, 30-day retention).
We do not store: plaintext passwords, payment card data (Stripe handles all payments, we only store subscription status), personal names or addresses, location beyond country code.
Responsible Disclosure Program
Found a security vulnerability? We want to hear from you before anyone else does. Our responsible disclosure policy:
- Report to security@duskmaw.com with full reproduction steps
- We acknowledge within 24 hours and patch critical issues within 72 hours
- Reporters of valid, significant vulnerabilities receive in-game rewards and public acknowledgment
- We do not pursue legal action against good-faith researchers following this policy
We do not have a formal bug bounty with cash rewards yet — but we're building toward that. All valid submissions are acknowledged and rewarded with premium in-game currency.
Play With Confidence
Your account and data are protected by multiple layers of security. VvW takes security seriously — not as a feature, but as a foundation.