How We Protect Your Account

Security isn't an afterthought at VvW — it's built into every layer. Here's exactly what we do to keep your account and data safe.

All Systems Secure

HTTPS enforced site-wide · Passwords hashed with bcrypt · No plain-text storage

Technical Protections

HTTPS Everywhere

All traffic is encrypted via TLS 1.3. HTTP is permanently redirected to HTTPS. Strict Transport Security (HSTS) is enforced.

Password Hashing

Passwords are hashed using bcrypt (cost factor 12) before storage. We never store, log, or transmit plaintext passwords.

Secure Sessions

Session tokens are cryptographically random (256-bit), stored as HttpOnly cookies, and expire automatically after inactivity.

Rate Limiting

Login and registration endpoints are rate-limited to prevent brute-force attacks. Repeated failures trigger a temporary IP lockout.

CSRF Protection

All state-changing requests require a CSRF token validated server-side. Cross-site request forgery attacks are blocked.

Email Verification

New accounts require email verification before play. Account recovery flows use single-use, time-limited tokens sent to your registered email.
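
As an added illustration (not VvW's own code), here is one way to implement the single-use, time-limited recovery tokens described above, using the same 256 bits of randomness quoted for session tokens. The class name, the in-memory store and the 15-minute lifetime are assumptions; the page does not state a lifetime.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of randomness, as quoted for session tokens
RECOVERY_TTL = 15 * 60    # assumed lifetime in seconds; the page does not state one


class RecoveryTokens:
    """Hypothetical in-memory stand-in for a table of pending recovery tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> (SHA-256 digest of token, expiry timestamp)

    def issue(self, account):
        """Create the token to email to the user; only its digest is kept."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing again overwrites the old entry, so an earlier email stops working.
        self._pending[account] = (digest, self._clock() + RECOVERY_TTL)
        return token

    def redeem(self, account, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking how much of the digest matched.
        if not hmac.compare_digest(digest, presented):
            return False            # wrong token: the real one stays usable
        del self._pending[account]  # single use: consumed even if already expired
        return self._clock() < expires_at
```

Storing only the digest means a leaked copy of the store does not yield usable recovery links, and the injectable clock lets expiry be tested without waiting.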

Our Security Promise

Phishing warning:

VvW staff will never ask for your password. If someone claiming to be VvW support requests your password or account credentials, it is a scam. Report it to security@duskmaw.com.

How to Keep Your Account Safe

  1. Use a unique password — don't reuse passwords from other games or websites. A password manager makes this easy.
  2. Use a real email address — you'll need it for account recovery. Check it regularly and keep it secure.
  3. Don't share your account — sharing credentials violates our Terms of Service and makes it impossible to recover your account if something goes wrong.
  4. Beware of fake "free gem" sites — third-party sites offering free gems often harvest login credentials. Only top up at the official shop.
  5. Log out on shared devices — if you play from a school or library computer, always log out when you're done.
  6. Report suspicious activity — if you notice unfamiliar logins or missing items, contact support immediately.

Frequently Asked Questions

All passwords are hashed using bcrypt (cost factor 12) before being stored in our database. We never store, log, or transmit plaintext passwords — not even internally.
TOTP-based 2FA (Google Authenticator, Authy, etc.) is currently in development. Email verification for account recovery is already active. We'll announce 2FA availability on Discord and in the blog.
Use the Forgot Password flow immediately to reset your credentials. Then email support@duskmaw.com with your username and a description of what happened. Include any approximate dates so we can review server logs.
No. All payments are processed by Stripe (PCI DSS Level 1 certified). VvW never sees or stores your full card number — only a tokenized reference used for subscription management.
We collect your username, email address, and gameplay data (character stats, inventory, battle history). We do not collect location data, device IDs, or sell data to advertisers. See our full Privacy Policy for details.

Report a Security Issue

Found a vulnerability? We take security reports seriously and respond within 48 hours. Please disclose responsibly — do not exploit or publicize issues before we've had a chance to fix them.