« News

Nov
24

Vendetta Online 1.8.237

VO 1.8.237 includes:

- Enhanced password security. Maximum password length has been increased to 64 characters.
- Fixed problem with video options not getting saved.
- Increased default settings for Adreno 320-based Android devices.
- Removed storms in Deneb.

The biggest news in this update are the major security improvements added with our new password handling system. Note: In order to take advantage of these improvements, you MUST update your password on the game website. We don't prevent you from re-using your old password, but we strongly recommend taking advantage of the new 64-character password length by making a fairly long, memorable passphrase using random words, the benefits of which are described in this famous xkcd comic. In fact, an xkcd fan even created this common word password generator to serve that purpose.

For those interested in the technical details, I'll elaborate a little more. The old password system was quite state of the art for the time when it was created (the late 90s), albeit with far too short of a password character limit. The new design is very much like the old one, which was always similar to bcrypt, but is now enhanced with bcrypt's ability to increase the password CPU-cost in the future. This will let us react to the changing landscape of possible brute-force attacks, and increase security dynamically as necessary (and informing our userbase of the changes if/when they should occur). The current CPU cost is designed to take half a second for the game client to hash on a 1ghz NVIDIA Tegra2-based mobile device. We intend to also thread the client's hashing of passwords, to make the computation process less intrusive on the user interface, at which point we may increase the cost further.

Beyond this, we've improved the cryptographic randomness of the unique salt used to strengthen each password hash, as well as the nonce used to mitigate replay attacks. These have always been features of the protocol, we've just updated and improved them.

In addition, the game server and website still retain the measures to slow down any remote brute-force password attacks, which we added some time ago to mitigate the password length limitations we had at the time.

Of course, all of these technical measures are in vain if the end-user chooses a password that is too short and too easy for computers to guess. So please consider making a new and longer password for the game, perhaps a phrase of random words, and keep it unique to Vendetta Online! Don't use it anywhere else.

In other news, we enhanced the default settings for devices with the Adreno 320 GPU used in the Nexus 4, Asus Padfone 2 and other recent devices. These settings are utilized on first runtime, so existing Nexus 4 players may wish to delete their config.ini and wgaf.cfg from /sdcard/VendettaOnline and allow the game to re-configure itself.

We wish a Happy Thanksgiving to all our US players, and a great weekend to everyone!