
Sandboxing is a concept. It means running a game in an environment where it does not have access to critical things. Games that run in a browser are sandboxed. Games that run on Android are mostly sandboxed. Games that run on an admin-privileged Windows user account are the opposite of sandboxed.

You asked for authenticators, so I assumed you are interested in security. Trying out new and indie games exposes you to amateur-level developers and, if you are unlucky, to malware. It is of course mostly a Windows problem that has existed for decades. Any malicious program could read the cookies of your browser. And any badly programmed app could mess with your system settings, or leave clutter at places where no clutter is supposed to be.

The sandbox method the itch app uses is to create a new user that does not have the right to read the files of your main account. The game, when started by the itch app, runs as that user and can only mess with the files of that user.

If you use 2fa, print out the scratch codes. They are needed to restore your account, if you lose your phone with the 2fa app.

Regarding dangers on itch, you might be interested in 

https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

Quote from the itch creator: "On itch.io, it is safe to view the page, but do not download any untrusted software" "Treat any page you encounter with suspicion if you are unable to vet the creators in any way."

This goes for pages encountered in recent or by random browsing as well. Scammers spam their malware and not all gets caught in time before some unsuspecting user finds the page. Some of the games in your collections went missing, because they were malware - if you are the type of user that puts games in collections to view later. Others are missing because the developer deleted it, or other reasons.

You are right and I have to admit I get slightly confused now. I wanted to start paying for stuff or when I reached a certain amount paid I thought maybe I protect the account a bit better. So I wanted to know what I need for that.

From what I understood you think sandbox mode is enough right? I think I understood that concept now. 

I just have the question if I have to go through any complicated or "make a new second password" situations when I allow Itch.io to run with that second account you spoke about.

I have it on another gaming client, that two-step authenticator, and know it as something that helps to protect your account. I'm however rather unsure in situations like this and it felt like here it's more complicated.


Soooo when I pay for stuff or paid enough I want to protect my account and my games, well naturally everything else too if you can help it you know. I lost my train of thought, but I wanted to see what I really need since I hate all that download 20 apps even when your phone is full or create 25 accounts stuff.

My stuff wasn't always this sorted so I might be just a bit worried I have to search for hours for a stray password again.

I hope it's still clear what I want now and I haven't explained too much.

(+1)

Sandbox is just a tool, that is cheap to use. That soft sandboxing is little effort and when the itch app handles it, it should be easy enough. If you manually set it up, you would have to shift right click the exe and select run as, and enter password and user. I would not use it to test suspected malware. But rather as a precaution, like driving with a seat belt, even when not expecting a car crash. And just like a seat belt, it will not protect against driving from a cliff. It protects against user level attacks, like stealing your session cookie. Those attacks are very nasty, as they circumvent 2fa and password completely (this is not an itch specific problem).

To protect your machine, you should up your scepticism. I made a tips thread about that. In short, do not trust the new and shiny things, even when hosted on itch. Itch has no account verification, so anyone could be an impostor (yes, just like in Among Us, which incidentally is also hosted on itch). But this is general anti-scam advice. Do not trust strangers on the net, the phone, the mail, on a self publishing store..., even if they say they are royalty from other countries and have money to give to you.

Okay thank you this is helpful.

Well with all that my biggest question is always, just in case there should be any reason I want to or have to remove it, would it be easy?

I don't know where this is coming from anymore, but I always feel like I install it, encounter something that needs me to remove it and I have big trouble to figure out how to remove it without causing any troubles for everything else. (Like those savefiles I think you described are tucked away there)

What I still have not understood, the account that is created, is that like a camouflage for the account? I remember that it sounded like you keep your account and everyone knows or sees you as Mausakrobat28 but either the folder or your account is somewhere named user3812 (whatever)

I know I know, I guess I had some bad experiences and now I'm also figuring this out in English even if it feels easy enough to understand.

I just keep asking myself these "what if" things.

Soooo what I wanted to know from you before and since the 2fa is different from what I know from steam in how it seems to work a bit, is sandboxing in your eyes enough at the moment or do I need 2fa and sandbox?

It starts to sound like 2fa might not be needed in this case....or wait it's late but you might be actually meaning that I should get both because they kind of both protect one side of the coin a bit.

Thank you again, I hope it's still alright for you to help me a bit further should I still remember something tomorrow.

It starts to feel like I'm too careful again, but now I'm even a bit tired and I just remember your link. I take a look tomorrow I guess.

I believe you are mixing up some things.

The sandbox user is on your computer. It is a Windows user. You are on Windows, are you not? You realize you can have an admin user, a regular user and a regular user with admin privileges? Regular users cannot access data from other users. That is all there is to it.

2fa is just the concept of having two separate tokens. One is the password. Another one can be phone, email, a special device, whatever. The method used on itch is "totp" and you need a totp app for that. Print out the one time codes, should you decide to use it. 

Regarding what is "enough". Running games not with your main account, is just a very effective method to gain much security for a little bit of effort. Especially on itch, since sadly many people abuse this platform.

(+1)

Okay I guess I understand that, but I didn't have the need to use a second account yet so I guess I wasn't totally aware.

I'm still curious if you would use both methods.

Also do I need to install much stuff again, replay things and whatever?

The most annoying thing I can imagine at the moment is running into a situation I can't solve or get myself out of and that I really need more GB for all the app stuff I probably need soon.

I was only told to maybe not use the newest games and see if someone mentioned a lot of problems viruses or odd things in the comment section. I also usually stay away from stuff that doesn't even show any pictures since that gives me a low effort feeling.

Both things are protecting from different things. Since you asked about installing things twice, you did not understand how this sandbox method works. I already told all there is to it. So maybe read other explanations on the net on the topic, maybe they explain things better.

Just be aware that itch is not steam. If you only play popular games, sandboxing should not be necessary. And by popular I do not talk about that shiny new game you saw on steam that is now free on itch - those are malware most of the time.

I was only told to maybe not use the newest games and see if someone mentioned a lot of problems viruses or odd things in the comment section. I also usually stay away from stuff that doesn't even show any pictures since that gives me a low effort feeling.

Good advice. But be aware that it is trivial to copy description and screenshots from an existing project and publish it on an old hacked account.

Alright, I might have someone that I can go through this whole thing again to make sure I understood it, the English while I understand much might be an extra layer of difficulty for me here.

I compared this to a Windows account that I saw on many PCs years ago, like do you want to log in as "Motiz", as "admin" or "family"

That I barely remember, but I filled in the blanks and thought you might not be sharing with the other account what I'm using here.

At this point it feels like the only thing still confusing me based on you telling me it sounds like I still haven't understood it correctly.

Maybe I actually need to see it to make sure I don't misunderstand it just by imagining the wrong thing or something like that.

I just didn't imagine that I do that sandbox thing, have a second account and just continue like normal.

Me saying I need to install everything again might be because I expected a fresh account. I...try to search for examples now, maybe I just need to see it. Thank you for the help it does feel like you told me everything there is.

(+1)

https://de.wikipedia.org/wiki/Sandbox

https://itch.io/docs/itch/using/sandbox.html

It is the same as run as administrator, only in the opposite. You do not log in as that player, you just start the games this way. Should you decide to run all itch games this way, you might want to copy some of your save games over. The link above has some explanation how to do this.

To answer your earlier questions, I use 2fa, but later found out that it will not protect against account hacking by credential stealing. Mixed feelings here. And I do not use the itch app, but I sometimes use the same method of sandboxing manually. Generally, I just do not download suspicious games, but wait a while. I put them on collections for later viewing. Chances are, after some weeks, the comments and ratings will indicate better what kind of game it is, and if I would like it. Also, most scams are gone till then. Stumbling on old scams is the exception, but it can happen.
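
The isolation this thread relies on, that a regular Windows user cannot read another user's files, can be checked on your own machine. The PowerShell below is an added example, not part of the original posts and not code from the itch app; it lists every account or group other than you, SYSTEM and Administrators that is allowed into your profile folders, and the function name `Get-UnexpectedAccess` is made up for this illustration.

```powershell
# Added example (not from the thread): who besides you can access your profile folders?
# A broad group listed here would let a separate low-privilege "sandbox" user read your files.

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# SIDs that are normal on a profile folder: SYSTEM, Administrators, and yourself.
$expected = @('S-1-5-18', 'S-1-5-32-544', $me.User.Value)

# Well-known SIDs of groups that contain every other local user.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Hypothetical helper name, chosen for this example only.
function Get-UnexpectedAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs instead of names so the check also works on non-English Windows.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($expected -contains $sid) { continue }
            [pscustomobject]@{
                Path       = $p
                Sid        = $sid
                BroadGroup = $broad[$sid]   # empty if it is some other account
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Profile root plus the two AppData trees where browsers keep cookies and sessions.
$paths    = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA)
$findings = @(Get-UnexpectedAccess -Path $paths)

if ($findings.Count -eq 0) {
    'Only you, SYSTEM and Administrators are allowed in; other standard users are locked out.'
} else {
    $findings | Format-Table -AutoSize
}
```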

Thank you, I believe for now we're done here and I will really take my time going over it again in a day or two. For now I just see if I can still fit that onto my phone and be a bit more patient with promising ideas with these games. I understand a bit more now that Itch.io is pretty much more open to this stuff happening than.

One last time. This time I understood and I am reading it a bit too late again, I use my current main account or whatever way I just start everyday, but the sandbox mode creates another "fake User" folder with which I use to play the games.

So old account, but the new account or folder pretty much only activates during my gaming sessions. My explanation is messy but I have that image in my head that I just boost the game, I remember something about a password okay....and then play it.

Sooo are there any multiplayer games on Itch.io? Now it would be interesting if this could become in any way annoying.

I stop here I'm too tired, I will learn not to answer these that late. Still a bit too lazy but I will do my homework soon, thank you for the links.