Security and computer games.

[WinnieTaylor]

The designers of computer/cell phone games have made games difficult to use because of security concerns.  I am constantly encountering this for games that allow different configurations.  I am always asked for password words and user ids.  If you don't have that information, you are sent down the rabbit hole.  Apps are written for cell phones and don't always work well with for PCs.  Why anyone would prefer a cell phone over a PC, to play games, is a mystery to me.  Security is not an issue for console games. I should have stayed with consoles.  Security concerns have taken over our society.  I love Vintage Story and the ability to use different configurations, but security issues are ruining it for me. 

[Dilan Rona]

in the case of vintage story, the need to log in to vintage story is to make sure only those that paid for Vintage Story can play it.

As for your other concerns, there are security measures even on consoles. Do I need to mention Nintendo, and the Switch 2...?

[Mrozak]

13 hours ago, WinnieTaylor said:

I love Vintage Story and the ability to use different configurations, but security issues are ruining it for me.

What security issues?
VS has some security issues? I mean KNOWN security issues? Or even theoretical security issues?
Like if i run a server, somebody can exploit some weakness to take over my machine???

[Dark Thoughts]

I genuine fail to understand what you're struggling with regarding VS?

[Mrozak]

15 hours ago, WinnieTaylor said:

I love Vintage Story and the ability to use different configurations, but security issues are ruining it for me.

Wait, after reading it all again, i think maybe i understand what you mean...
By "different configurations" you probably mean mods, right?
And in that context, by "security issues" you mean the possibility that by connecting to some server your client may automatically download some mod which could contain some malicious code?

Yeah, that is always the possibility if you connect to random modded servers.
I guess you have two options:

1. Play only vanilla, no mods.
2. Use precautions.
   - Do not run the game with elevated privileges.
   - Do not connect to random servers.
   - Download mods manually and scan them with some AV before using them (may still not be enough anyway).
   - Run the game in a secure sandbox (sure, malware capable of escaping does exist, but is relatively rare - if you combine all these precautions, you should be reasonably safe).

So if this is what you meant, then i understand.
But nothing is safe, nothing ever was safe, nothing ever will be.
Any SW, games included, has the potential to be exploited, and the only thing you can do is "be careful".

[hstone32]

It used to be consoles were designed from the ground up with their own tailor-made architecures, and games were made to take advantage of real-time scheduling and whatever other hardware processes the console designers included (it's the reason why retro emulation will never be flawless). Security was never an issue back then.

nowdays, console designers just bum off of intel/ARM and amd/nvidia. Consoles today are basically just worse desktop computers.

[Krougal]

@Mrozak Since op is complaining about the inconvenience my guess is they are referring to an issue I have seen with switching multiple versions where you start getting prompted for your username and password for the game frequently, which can be annoying, but considering how many far worse DRM schemes are out there, I'll take it.

What you bring up are actually far more serious issues, and that is sound basic advice to protect yourself from any software you are unsure of.

It's also good that they host the VS mods, since that means they assume some responsibility for making a good faith effort to protect you from malicious code, but really there is no substitute for doing your own due dilligence.

Unfortunately that is just the world we live in. I wouldn't even install software updates on business systems from a trusted partner without checking the MD5 hash to make sure it wasn't tampered with. The threats are very real, and while nobody should panic, they do need to be taken seriously.

My gaming rig I might be sloppy with, but I don't conduct financial transactions on it.

Edited August 12, 2025 by Krougal

[Mrozak]

@Krougal Aaah, OK, thanks for the translation
True, that is annoying - i have currently both rc3 and rc4 installed, and every time i run one after the other, to test something, i have to login again.
Fortunately i am not switching between them too often, but i can see how super annoying that could be.

[wildforester]

Most annoying thing that brings up the account login is when you play vs on two different devices

[WinnieTaylor]

I understand when playing online (multiple players) the need for security.  I'm playing strictly standalone.  I understand having to log on to prove you own the game, but other than that, I don't understand the need for security.  I'm not struggling to play VS, just complaining like a 75-year-old.  I like VS, just trying to understand.  Obviously, I'm in over my head! 

[Voldemort]

54 minutes ago, WinnieTaylor said:

I understand when playing online (multiple players) the need for security.  I'm playing strictly standalone.  I understand having to log on to prove you own the game, but other than that, I don't understand the need for security.  I'm not struggling to play VS, just complaining like a 75-year-old.  I like VS, just trying to understand.  Obviously, I'm in over my head! 

Go vote for Stop Killing Games. Developers will later be forced to change the game so that it doesn't require an internet connection or a login every time you want to play offline.

The biggest problem with Vintage Story is that if the developers decide to stop and shut it down, the game will become unplayable because it uses a license key system. I hope this will be changed soon.( You don't own game )
https://www.stopkillinggames.com/eci

Edited August 13, 2025 by Adnyeus

[Thorfinn]

You can disable the authentication check on your server, @Adnyeus. I learned that when they were having trouble keeping the auth servers up. Downside is you are now wide open to anyone, including pirated copies, and whitelists no longer work, since you no longer have Anego making sure that the person is who he says he is.

Oh, and you don't have to log in for offline play. You just have to be offline.

Edited August 13, 2025 by Thorfinn

[zand]

4 hours ago, Adnyeus said:

Go vote for Stop Killing Games. Developers will later be forced to change the game so that it doesn't require an internet connection or a login every time you want to play offline.

The biggest problem with Vintage Story is that if the developers decide to stop and shut it down, the game will become unplayable because it uses a license key system. I hope this will be changed soon.( You don't own game )
https://www.stopkillinggames.com/eci

Greetings Adnyeus,

When you log into VintageStory, the auth server hands out a signed session key along with your account name and UID, which are all currently saved to clientsettings.json. When you start the game, the game checks to see that these settings and signature are valid. In the event that the settings are valid, it tries to authenticate to the auth server with them. In the event that the game cannot contact the auth server and the signature is valid, the game will go to the main menu in offline mode without requiring you to login.

To simply put it, after logging into the client, you can install the game onto a different offline PC and copy your clientsettings.json to it and be able to play the current version of the game till the end of time.

Edited August 13, 2025 by zand

[cosmobeau]

On 8/11/2025 at 3:23 PM, WinnieTaylor said:

The designers of computer/cell phone games have made games difficult to use because of security concerns.  I am constantly encountering this for games that allow different configurations.  I am always asked for password words and user ids.  If you don't have that information, you are sent down the rabbit hole.  Apps are written for cell phones and don't always work well with for PCs.  Why anyone would prefer a cell phone over a PC, to play games, is a mystery to me.  Security is not an issue for console games. I should have stayed with consoles.  Security concerns have taken over our society.  I love Vintage Story and the ability to use different configurations, but security issues are ruining it for me. 

I unfortunately have the experience of hosting a server, where 9/10 people can play, and the people who can't, even after fucking with their security settings and firewall, can't seem to connect.

With people from around the world connecting to my server, and making sure the two or three outliers doubled checked their info, I can't help but to think it's some kind of security issue, nat type, the way the program is usually initially flagged as potentially dangerous bc it's a outside dev download, or what.

I can't really say what it is though, or I wouldn't have this problem. It is frustrating though.

[Mrozak]

5 hours ago, Thorfinn said:

Oh, and you don't have to log in for offline play. You just have to be offline.

Are you sure? ...the first moment i start VS after installing it, i am greeted with a "login" screen, and unless i supply my valid login credentials (and get verified), i cannot play the game, not even in single player.
Without logging in at some point and then having a valid token somewhere thanks to that, i cannot play the game.

EDIT: i am not complaining, just saying.

Edited August 13, 2025 by Mrozak

[Cladow]

8 hours ago, Adnyeus said:

Go vote for Stop Killing Games. Developers will later be forced to change the game so that it doesn't require an internet connection or a login every time you want to play offline.

The biggest problem with Vintage Story is that if the developers decide to stop and shut it down, the game will become unplayable because it uses a license key system. I hope this will be changed soon.( You don't own game )
https://www.stopkillinggames.com/eci

Some corrections:

1) SKG's European Citizen's Initiative has closed since the start of August, with 1.4M (not yet verified) signatures.

2) SKG's requirements are for unsupported games to remain playable, it does not ask for actively supported games (such as VS) to remove DRM.

EDIT: you did correctly say "will later" and not "immediately on taking effect"

Also should be noted: since the initiative cannot and does plan to be retroactive, that would, as I understand, only affect games launched after the initiative takes effect. I'd make an (not entirely informed) guess, that it would not apply to games that were just updated or were merely active after it takes effect.

Edited August 13, 2025 by Cladow
I can't read

[Cladow]

27 minutes ago, Mrozak said:

Are you sure? ...the first moment i start VS after installing it, i am greeted with a "login" screen, and unless i supply my valid login credentials (and get verified), i cannot play the game, not even in single player.
Without logging in at some point and then having a valid token somewhere thanks to that, i cannot play the game.

EDIT: i am not complaining, just saying.

Zand's comment is more accurate, you do need a valid key and signature in clientsettings.json, which you get when signing in. If the key and signature are present and valid, the game will try to contact the auth server to verify the data, and if it fails to contact the server, the game will go into offline mode.

EDIT: ah, you already pointed that out.

Edited August 13, 2025 by Cladow
Illiteracy

[Thorfinn]

4 hours ago, Mrozak said:

Are you sure? ...the first moment i start VS after installing it, i am greeted with a "login" screen, and unless i supply my valid login credentials (and get verified), i cannot play the game, not even in single player.
Without logging in at some point and then having a valid token somewhere thanks to that, i cannot play the game.

EDIT: i am not complaining, just saying.

Oh, that's what you meant. I thought you were talking about when you bounce between versions and/or computers with the same ID. Yes, I'm pretty sure you need that first token. Though I don't see that as unreasonable. Otherwise there wouldn't be much to stop one from handing out a bajillion copies of the game, and development funds drops precipitously. At least this way, there is at least some hope that pirates are at some risk of there being something malignant in the cracked versions they find.

I suppose you could change the model to some microtransaction scheme, though that would chase me and I'm sure a lot of other people away. I don't mind logging in again. I'm getting pretty fast at it. But I would not link a credit card to a game, ever.

[LadyWYT]

I suppose if typing password is the issue, could just make an option to remember the player's password so they no longer need to type it every time they switch versions and whatnot. They'd just need to type it the once, in theory, the first time they ever boot the game. That being said...that's also a security risk, but I would argue in that case it's a risk the user is willing to take when they check the remember password box.

[radfast]

12 hours ago, Thorfinn said:

You can disable the authentication check on your server, @Adnyeus. I learned that when they were having trouble keeping the auth servers up. Downside is you are now wide open to anyone, including pirated copies, and whitelists no longer work, since you no longer have Anego making sure that the person is who he says he is.

Oh, and you don't have to log in for offline play. You just have to be offline.

Don't disable the authentication check unless there's a specific reason to like the auth servers went offline (which hasn't been the case for a good long time now), or Anego Studios stopped supporting the auth server completely (which is unlikely ever, unless there is Armageddon in which case we'll all have bigger concerns than the VS auth server...). 

@WinnieTaylor Can you please be more specific about the "security issues" ruining things for you?  I start the game tens or hundreds of times a day while testing things, and have not encountered any security issues. 

@LadyWYT Normally the game stores the player's password (more precisely, a token generated after the player enters a valid username+password) inside the clientsettings.json file in the VintagestoryData folder.  There are 4 situations where the password might need to be re-entered frequently:

1.  deleting that settings file (or the OS deleting it, for example because it's kept in a temp folder or a RAM drive or other place where it can't stay permanently)

2.  manual Log Out, e.g. so that another person can play on the same machine using a different game account

3.  (most likely) one person using 2 different PCs to play on the same game account (e.g. home + college) - that's totally allowed by the way!

4.  a person has multiple installations of the game which have also been manually configured to use different data folders

In situations (3) and (4), there is a solution.  One working clientsettings.json file can be copied to other data folders or to VintagestoryData folder on another PC, so that then the password does not need to be re-entered.  Note it must be a "working" file: I mean copy specifically the clientsettings.json file immediately after a successful login and exit the game to save it.  As a side-bonus, this will also copy any custom key bindings or macros etc to both places.  It will also copy the graphics settings and other settings of course, those might need to be adjusted if there are different graphics requirements for the 2 different game installations.

[Voldemort]

17 hours ago, Thorfinn said:

You can disable the authentication check on your server, @Adnyeus. I learned that when they were having trouble keeping the auth servers up. Downside is you are now wide open to anyone, including pirated copies, and whitelists no longer work, since you no longer have Anego making sure that the person is who he says he is.

Oh, and you don't have to log in for offline play. You just have to be offline.

I have log out from my vintage story and i cant play game without log in

[Thorfinn]

5 hours ago, radfast said:

unless there's a specific reason to like the auth servers went offline (which hasn't been the case for a good long time now),

Huh. I could have sworn they were not working sometime late winter, January or February, for a while. No one was able to get authorized, and it gave some loopy error, while we could all connect to other similar things like GOG Galaxy and Steam. Maybe they were just being slammed from all the new users? Dunno. But I know I have valid keys, and a solid internet, and was not able to get authenticated. A couple days later, everything was back to normal.

[Voldemort]

11 hours ago, Cladow said:

Some corrections:

1) SKG's European Citizen's Initiative has closed since the start of August, with 1.4M (not yet verified) signatures.

2) SKG's requirements are for unsupported games to remain playable, it does not ask for actively supported games (such as VS) to remove DRM.

EDIT: you did correctly say "will later" and not "immediately on taking effect"

Also should be noted: since the initiative cannot and does plan to be retroactive, that would, as I understand, only affect games launched after the initiative takes effect. I'd make an (not entirely informed) guess, that it would not apply to games that were just updated or were merely active after it takes effect.

Thanks for explenation 

[Thorfinn]

2 minutes ago, Adnyeus said:

I have log out from my vintage story and i cant play game without log in

Oh, I never log out. Didn't even know it was an option.

[Voldemort]

@radfast
It would be better for people who own a game to have full control over it. For example, why should we need to log in if we want to play offline? If I wanted to play online, I would log in without a problem. But I don't see any reason to log in when I'm not planning to do any online activity with other people.

Edited August 13, 2025 by Adnyeus