Campaign Security

[Bale Nomad]

I just purchased an Ultimate subscription to try out FG2. I noticed a username and password field are available fields when you create a new campaign, so I created a test campaign to try those fields. When I later select that campaign to load, it shows the username, and the password field is blank. When I start the campaign, I am not prompted for a password.

I scoured the campaign files looking for any vestige of the password - an xml tag, a mysterious hashed value, anything - and found nothing.

Does this mean that when I have the port forwarded as recommended (as it is now) anyone with a demo version of FG2 and my ip address can come barging into one of my games uninvited?

[Trenloe]

The GM is not prompted for the password. They should only need to enter it once for a specific campaign - i.e. the password is assigned to one campaigns, not all of your campaigns. If the "Password:" field for your campaign is blank when you start the campaign then players won't be asked to enter a password.

[Bale Nomad]

I started another instance on my computer and joined the game with the password on it, and I did not get prompted for a password. I started an instance on another computer, using a default demo version install, and joined the game without being prompted for a password. Is the player prompted for a password only when they are connecting from outside the local network?

[Nickademus]

You should be prompted when joining with localhost.

The one time I found I wasn't being prompted, I discovered that I put the password in the GM name slot instead...

[damned]

with around 4 billion active ip addresses the only times a random person has landed in my game turned out to be someone i had played with very recently and they connected to the wrong alias. Ive also done the same - gone to land in one GMs game and landed in anothers

[Nickademus]

I had a player hop into one of my prep session in a campaign that was to be exported to a module (not for actual play). Since then I put a password on my prep sessions.

[Bale Nomad]

I think I figured out what happened. When I created the campaign with the password on it (we'll call it campaign 1), I entered both a username and password in the correct fields, and then I clicked the FG "Start" button. When I selected it to load again, the password was not displayed in the bottom left panel of the campaign selection window, and the username appeared to be simply a text label instead of a text entry field, so I thought the password was not being displayed to protect it. I then connected from a player session and was not prompted for a password. I thought it odd that the password would be protected with no apparent way to change it through the options, and I went searching for at least a password XML tag in the campaign files thinking I would find a hashed value somewhere.

I created another campaign with a username and password (campaign 2), and this time I pressed the <Enter> key after entering the password in its field on the new campaign setup panel before clicking the "Start" button. I was once again able to connect to the campaign from a player session without being prompted. I exited the GM session, and the next time I went to load campaign 2, I saw the password in the field in the bottom left panel of the campaign selection window. This time the player session was prompted for the password.

I went back to campaign 1 and clicked the space next to the "Password:" label on the campaign selection window, and was able to enter a password. Once again, I clicked the "Start" button without pressing the <Enter> key and connected with a player session with no password prompt. The next time I loaded campaign 1, I was prompted for the password in the player session.

There seems to be a bug of some kind with entering data into the password field. It seems the password field is inconsistent when it comes to accepting values. I am using FG Ultimate v.3.2.3.

[Bale Nomad]

It would be nice to have an explanation of the security feature in the documentation. It also would be nice to know if at least the username or password are protected in transit instead of being sent as clear text. There are plenty of threats to all our computers and personal information out there on the internet, regardless of how small a target we think we are. When it comes to automated tools that search for any and every vulnerability, no target is too small.

[damned]

It would be nice to have an explanation of the security feature in the documentation. It also would be nice to know if at least the username or password are protected in transit instead of being sent as clear text. There are plenty of threats to all our computers and personal information out there on the internet, regardless of how small a target we think we are. When it comes to automated tools that search for any and every vulnerability, no target is too small.

In the real world there are plenty of targets that are "too small". Time is money for hackers too. You attack those targets that give you a return on your effort. BTW to anyone else reading this Im not giving advice on securing or not securing your network your game your life...
Without any real knowledge of the password feature I suspect it is sent using either plain text or very basic encryption...
The password is stored in a plain text file called campaign.xml in plain text.

<password>123456789</password>

[Zacchaeus]

I've never felt the need to enter a password so I've never explored this. However I just started a new campaign, entered a password and tabbed out of the password field and then clicked start. When I attempt to join my own game now I am prompted for a password. On closing and reopening the campaign I see both the username and password on the bottom left panel. Sounds like you need to move focus away from the password field after entering it for it to work first time.