[STATUS] Forum/MP server login changes for Wesnoth 1.10

[shadowmaster]

Hi there!

Wesnoth 1.8 and previous versions did not require registered users to validate their forum account registrations before becoming able to log into the MP server with their credentials. This oversight often lent itself to abuse by troublemakers, and it was thus corrected starting with version 1.9.8 of the MP server and MP client code. Wesnoth 1.10.0 was released on January 29th.

In order to clean up the forum database and get rid of useless registrations, we are going to purge old, unused forum accounts (registered before the start of 2012) whose registrations were never confirmed via email, and were never used to log into the official/primary MP server (server.wesnoth.org).

The purge is scheduled to take place on Sunday, February 12th 2012, and it should not incur any downtime for MP or forum users.

The number of accounts affected is close to 2,500, and it’s suspected that most of them are inactive spambot registrations. All of the affected accounts necessarily have a post count of zero, since it’s not possible to post in the forums without logging in, which requires validating your registration first.

Nonetheless, it is also possible a few of these accounts were registered in order to reserve usernames in the multiplayer server. Since we don’t have any way to verify this, it is your responsibility to validate your registrations via email now and in the future! The Wesnoth.org staff and the Battle for Wesnoth Project members will never use your email address to send you spam, nor will it be published for use by third-parties anywhere unless you choose to do so in your accounts settings in the User Control Panel. The use of throwaway addresses is discouraged since it may create a security problem or make it impossible to help you if you ever need to reset your password.

Users who never confirmed their registrations won’t be able to log into the current 1.10 MP server until they do so. We urge you to download and try Wesnoth 1.10-rc1 or log into the forums to make sure your registered accounts still work. If they do not, and you have lost access or forgotten the email address you used to register them, please either contact me directly or send a group PM to the Forum Administrators to request assistance.

Regards

EDIT: Since there seem to be some doubts about this: No, this does not affect UNREGISTERED users in any way whatsoever. There is a difference between an unconfirmed registration and a name that’s never been registered in the first place.

[Warfall]

Hello,

i think it could be nice to know if an account will be able to meet the expectation described in the post i'm currently answering. And rather than annoying you with individual posts on the theme: "is my account ok ?", may i suggest that validated accounts will receive an administrative post just displaying the status "ok for wesnoth 1.10+". For sample, i already had received two similar posts from "dev. team", regarding various policies on wesnoth servers and forums.

Regards

Hi there!

Wesnoth 1.8 and previous versions did not require users to validate their forum account registrations before becoming able to log into the MP server with their credentials. This oversight often lent itself to abuse by troublemakers, and it was thus corrected starting with version 1.9.8 of the MP server and MP client code.

Today, Wesnoth 1.10 Release Candidate 1 (which you should MUST test, by the way) was released, in preparation for the expected release of Wesnoth 1.10.0 in—hopefully—a couple of weeks.

In order to clean up the forum database and get rid of useless registrations, we are going to purge old, unused forum accounts (registered before the start of 2012) whose registrations were never confirmed via email, and were never used to log into the official/primary MP server (server.wesnoth.org).

The purge is scheduled to take place on Sunday, February 8th 2012, and it should not incur any downtime for MP or forum users.

The number of accounts affected is close to 2,500, and it’s suspected that most of them are inactive spambot registrations. All of the affected accounts necessarily have a post count of zero, since it’s not possible to post in the forums without logging in, which requires validating your registration first.

Nonetheless, it is also possible a few of these accounts were registered in order to reserve usernames in the multiplayer server. Since we don’t have any way to verify this, it is your responsibility to validate your registrations via email now and in the future! The Wesnoth.org staff and the Battle for Wesnoth Project members will never use your email address to send you spam, nor will it be published for use by third-parties anywhere unless you choose to do so in your accounts settings in the User Control Panel. The use of throwaway addresses is discouraged since it may create a security problem or make it impossible to help you if you ever need to reset your password.

Users who never confirmed their registrations won’t be able to log into the current 1.10 MP server until they do so. We urge you to download and try Wesnoth 1.10-rc1 or log into the forums to make sure your registered accounts still work. If they do not, and you have lost access or forgotten the email address you used to register them, please either contact me directly or send a group PM to the Forum Administrators to request assistance.

Regards

[shadowmaster]

i think it could be nice to know if an account will be able to meet the expectation described in the post i'm currently answering. And rather than annoying you with individual posts on the theme: "is my account ok ?", may i suggest that validated accounts will receive an administrative post just displaying the status "ok for wesnoth 1.10+".

That would create a lot of noise, hence it’s not being considered. You are perfectly able to tell by yourself whether your accounts are validated or not.

[Cold Steel]

I am actually quite saddened to hear wesnoth is abandoning quick and simple access to multiplayer without registration.

I never encountered any troublemakers and have always had positive experiences online.

[shadowmaster]

It will still be possible to use the MP server without registering. The only change is in the way the server handles unconfirmed registrations, as said above.

[Cold Steel]

Bah, damn my reading comprehension.

[xtifr]

The use of throwaway addresses is discouraged since it may create a security problem or make it impossible to help you if you ever need to reset your password.

Can you expand on this point? I've never heard of any security issues related to throwaway addresses, and the password-reset issue can easily be dealt with if your throwaway address provider supports either whitelists or temporarily refilling the address quota (both of which are features available from any reputable provider).

Honestly, this is the first time I've heard anyone but spammers (and Facebook, who are the next best thing) object to throwaway addresses.

[pauxlo]

The use of throwaway addresses is discouraged since it may create a security problem or make it impossible to help you if you ever need to reset your password.

Can you expand on this point? I've never heard of any security issues related to throwaway addresses, and the password-reset issue can easily be dealt with if your throwaway address provider supports either whitelists or temporarily refilling the address quota (both of which are features available from any reputable provider).

I think there might be a misunderstanding of the word "throwaway address". If emails to this address still can reach you (and don't reach anyone else), they are fine. If you have no way of getting mails to these addresses, the admins can't reach you to confirm your password reset. If the address could be reused by someone else after you threw it away, this person can take over your account (which you normally don't want, and neither want the forum/MP server admins).

[xtifr]

I think there might be a misunderstanding of the word "throwaway address".

Perhaps, in theory, but I've never heard of a throwaway address provider that didn't offer some option to route around in need, to address just such problems.

Checking Wikipedia, I see the following:
* Spamgourmet (the grand-daddy of throwaway address providers) has both whitelists and quota refilling
* Mailinator simply stores incoming mail temporarily, so you can always find something if you need to. Not what I'd call an ideal solution, but certainly adequate.
* Trashmail ... ok, I stand corrected. The Trashmail article doesn't mention workarounds. I'd advise not using Trashmail addresses with Wesnoth without doing more research on the service than I'm willing to bother with right now.

I admit I'm spoiled by the high quality and flexibility of the (free, non-profit, open-source) Spamgourmet service, and was assuming that its competitors were at least trying to be competitive.

[energyman76c]

So lazy bastards like me who only post once in a long while don't have anything to worry about?

[Dugucloud]

Here I am.

[shadowmaster]

So lazy bastards like me who only post once in a long while don't have anything to worry about?

Exactly. Only people who didn’t complete their registration and never used their name in the MP server are affected.

[MRDNRA]

So I would assume I'm ok then having also used my name on the server. (I really don't want to download currently our internet connection would probably not be able to handle it, since we moved house and changed ISPs our connection is slower than ever and I just used speedtest.net to measure our connection and got 0.23Mbps download. Even with relatively fast speeds (1.5Mbps or more) before it takes about half an hour or so to download any new version of Wesnoth.)