How We Protect Your Account
Security isn't an afterthought at VvW — it's built into every layer. Here's exactly what we do to keep your account and data safe.
HTTPS enforced site-wide · Passwords hashed with bcrypt · No plain-text storage
Technical Protections
HTTPS Everywhere
All traffic is encrypted via TLS 1.3. HTTP is permanently redirected to HTTPS. Strict Transport Security (HSTS) is enforced.
Password Hashing
Passwords are hashed using bcrypt (cost factor 12) before storage. We never store, log, or transmit plaintext passwords.
Secure Sessions
Session tokens are cryptographically random (256-bit), stored as HttpOnly cookies, and expire automatically after inactivity.
Rate Limiting
Login and registration endpoints are rate-limited to prevent brute-force attacks. Repeated failures trigger temporary IP lockout.
CSRF Protection
All state-changing requests require a CSRF token validated server-side. Cross-site request forgery attacks are blocked.
Email Verification
New accounts require email verification before play. Account recovery flows use single-use, time-limited tokens sent to your registered email.
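The session and recovery-token behaviour described above, as an added example that is not VvW's own code: it issues 256-bit random tokens, stores only their digests, sets the HttpOnly cookie, expires sessions after inactivity, and makes recovery tokens single-use and time-limited. The 30-minute idle timeout and 15-minute recovery lifetime are assumed values, not figures from this page.

```python
import hashlib
import secrets

SESSION_IDLE_TIMEOUT = 30 * 60   # assumed: 30 minutes of inactivity (not stated on the page)
RECOVERY_TOKEN_TTL = 15 * 60     # assumed: 15-minute recovery token lifetime (not stated on the page)


def _digest(token: str) -> str:
    # Store only a hash of each token: a leaked store can't be replayed as live tokens,
    # and looking up by digest avoids comparing the secret itself.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self.sessions = {}   # digest -> {"user": ..., "last_seen": ...}
        self.recovery = {}   # digest -> {"user": ..., "expires": ...}

    def new_session(self, user, now):
        token = secrets.token_urlsafe(32)   # 32 bytes from the OS CSPRNG = 256 bits of entropy
        self.sessions[_digest(token)] = {"user": user, "last_seen": now}
        return token

    @staticmethod
    def session_cookie(token):
        # HttpOnly keeps the token out of reach of page scripts; Secure restricts it to HTTPS
        return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def check_session(self, token, now):
        key = _digest(token)
        rec = self.sessions.get(key)
        if rec is None:
            return None
        if now - rec["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[key]           # idle expiry: the session is gone for good
            return None
        rec["last_seen"] = now               # activity restarts the idle clock
        return rec["user"]

    def new_recovery_token(self, user, now):
        token = secrets.token_urlsafe(32)
        self.recovery[_digest(token)] = {"user": user, "expires": now + RECOVERY_TOKEN_TTL}
        return token

    def redeem_recovery_token(self, token, now):
        rec = self.recovery.pop(_digest(token), None)   # pop() makes the token single-use
        if rec is None or now > rec["expires"]:
            return None
        return rec["user"]
```

The `now` parameter is injected rather than read from the clock so the expiry paths can be exercised deterministically.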
Our Security Promise
- We never store your password in plain text
- We never sell your personal data to third parties
- We never share your email address with advertisers
- We never ask for your password via Discord, email, or support chat
- We never store payment card details — all payments go through Stripe (PCI DSS Level 1)
- We log security events (logins, password changes) so you can detect unusual activity
VvW staff will never ask for your password. If someone claiming to be VvW support requests your password or account credentials, it is a scam. Report it to security@duskmaw.com.
Coming Soon
- Two-Factor Authentication (TOTP / Authenticator App) — in development
- Login history page — see all recent logins with IP and location
- Active sessions manager — view and remotely revoke logged-in devices
- Security notifications — email alert on password change or new login from unrecognized device
How to Keep Your Account Safe
- Use a unique password — don't reuse passwords from other games or websites. A password manager makes this easy.
- Use a real email address — you'll need it for account recovery. Check it regularly and keep it secure.
- Don't share your account — sharing credentials violates our Terms of Service and makes it impossible to recover your account if something goes wrong.
- Beware of fake "free gem" sites — third-party sites offering free gems often harvest login credentials. Only top up at the official shop.
- Log out on shared devices — if you play from a school or library computer, always log out when you're done.
- Report suspicious activity — if you notice unfamiliar logins or missing items, contact support immediately.
Report a Security Issue
Found a vulnerability? We take security reports seriously and respond within 48 hours. Please disclose responsibly — do not exploit or publicize issues before we've had a chance to fix them.