Security

Stone Dip implements a number of security features to help protect you from account theft and to help protect honest players from losing out to cheats. This document explains a few of these features, but please be aware that other security mechanisms may be in place that are not documented here. Also, please be aware that no system is 100% secure; these features are in place only to help prevent exploits, and no guarantees are made.

The features mentioned in this document assume that JavaScript is enabled in your browser. Some features will not function without JavaScript support, as some processing must be performed client-side to ensure a safe transfer of sensitive data.

Registration

Before the data you fill out during registration is transferred, your password is hashed with MD5. MD5 is a one-way hash function and cannot be reversed to the original input. This means that if anybody is listening in on the transfer, the data they receive will not be your password in its normal form, and thus is not useful to an attacker trying to access other websites on which you may use the same password. However, it is still not advised that you use the same password on multiple websites.

Logging In

When you log in, your password is not transferred and thus cannot be stolen by an attacker listening to the transfer. Instead, your password is hashed with MD5. Your IP address is then prefixed to the hash, and a new MD5 hash of the entire string is created. This hash is placed in a cookie along with your username. The password you entered in the form is then removed so that it is not transferred.

Each time your browser makes a request to Stone Dip, the server takes the MD5 hash it received during registration and prefixes your IP to it to create a new MD5 hash that should match the hash in your cookie. If your IP has changed, the hash will not match and you will be logged out. This means that the cookie is useless to an attacker, even if your IP is known to them.
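
The login token and per-request check described above, written out as an added example (this is not Stone Dip's own code). It assumes Node.js and that the IP is a dotted-quad string concatenated directly in front of the hash; the function names are hypothetical, and the password and IP addresses are constructed sample values.

```javascript
// Added illustration of the cookie scheme described above; all names are hypothetical.
const crypto = require('node:crypto');

const md5Hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Registration: the browser sends MD5(password); the server stores what it receives.
function registrationHash(password) {
  return md5Hex(password);
}

// Login: token = MD5(ip + MD5(password)), placed in a cookie with the username.
// Assumption: the IP is a dotted-quad string concatenated directly before the hash.
function cookieToken(ip, passwordHash) {
  return md5Hex(ip + passwordHash);
}

// Per-request check: rebuild the token from the stored hash and the request's IP.
// The stored hash is the only secret input here, so it acts as a
// password-equivalent and needs the same protection as the password itself.
function verifyRequest(storedHash, requestIp, cookieValue) {
  const expected = Buffer.from(cookieToken(requestIp, storedHash), 'hex');
  const received = Buffer.from(String(cookieValue), 'hex');
  // Constant-time comparison; a length mismatch means a malformed cookie.
  return received.length === expected.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (documentation IP ranges, made-up password).
function demo() {
  const stored = registrationHash('correct horse battery');
  const cookie = cookieToken('192.0.2.10', stored);
  return {
    sameIp: verifyRequest(stored, '192.0.2.10', cookie),       // session continues
    changedIp: verifyRequest(stored, '198.51.100.7', cookie),  // user is logged out
    malformed: verifyRequest(stored, '192.0.2.10', 'not-hex'), // rejected safely
    // Nothing time- or session-dependent enters the token: a later login from
    // the same IP with the same password yields the identical cookie value.
    stableAcrossLogins:
      cookieToken('192.0.2.10', registrationHash('correct horse battery')) === cookie,
  };
}

console.log(demo());
```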
