So, I just tested registration and authorization and have some comments and suggestions. At first sight these things might seem not so important, but in the end it all may cause a really bad first impression of your server, security issues and hundreds of forum topics like “Y CANT I REGISTER??!!”, “Y CANT I CONNECT??!!” and “SOME1 STOLE MY ACCOUNT OMG!!!” http://lineage2classic.com/register — website and LIVE-server account registration form has: Username field. It should be Account Name, isn’t it?No Password Confirmation field. It is useful, prevents from typos in a password.Uncomfortable order of fields. Most registration forms are ordered like Account Name, Email, Password, Password Confirmation, Security Code and people used to it.Bad error explanation implementation. Error message describes only one field at time and disappears after 4 seconds. Instead, it should indicate all the wrong fields with explanations, like on this forum registration form. Moreover, it should validate fields while typing — that would make registration faster and more comfortable. Unsafe field check implementation. It is implemented on a client side via JS so it could be easily hacked — edited and turned off. Instead, it should be working on a server side via PHP and AJAX.Rough error descriptions. They all must be the same style — short and clear, with no exclamation marks. For example, when I am trying to register an account with non-ASCII symbols in name it says “Username does not fit the name scheme: only a-Z and numbers are allowed, 2 to 64 characters”. Instead, it should say “Numbers and Latin letters only.”Weak Password rules. “Min. 6 characters!” is not enough. Obvious passwords (like 123456, qwerty, asdfgh, abc123, password, 1-2 repeating symbols, the same as Account Name) should be banned, space should not be counted in password length, minimum length can be raised up to 8-10 symbols. Moreover, it should calculate the password strength to encourage users to register safe passwords: long ones, with mixed cases, numbers and symbols. I would also allow using printable ASCII characters only, because I am not sure if other symbols will work in a game client.Incorrect Email length rules. It is not “Min 6 and max 30 characters!” According to RFC standards it is 3 to 254 characters long with maximum 64 characters long local-part. I would recommend using not regular expression but some good third-party function to validate email (like FILTER_VALIDATE_EMAIL in PHP) and leave error description simple “Invalid email.” Serious mistakes in the business logic. “Username is taken” error when email is taken, “Password min. 6 characters!” error when password is longer than 15 characters, “Username 2 to 64 characters” error when account name is 2 characters long.No email confirmation letter. It not only protects from bots, it also proves that user’s email is real and working. And it is not so hard to implement.http://account.lineage2classic.com/ — OBT-server account registration form: Has no error explanations at all. “Something went wrong, try again!” is really confusing.Has the same weak Password rules. Rules that allow register a password that consist of spaces only or contains non-ASCII — both of them do not work in the game client.Allows registering multiple accounts with the same email.http://lineage2classic.com/ — website authorization form has: Login field. It should be Account Name, isn’t it? Moreover, it should be Account Name or Email because most people have dozens of nicknames or pseudonyms that they use as their Username or Account Name and only a couple of emails. So authorization on the website with the email seems reasonable. Insecure error messages. “Wrong password, try again!” means “Account with this name is registered.” Captcha. It’s annoying. Is it really necessary here?I highly recommend fixing and improving all that before release. I also recommend implementing password recovery by email and password change on the website before release too.
