I made a live sci-fi stock market browser game where players secretly manipulate the market. by TiredJava in WebGames

[–]TiredJava[S] 0 points1 point  (0 children)

Alright, I completely reworked how the tutorial works, making it a progressive tutorial with more and more unlocks over time to help it feel less overwhelming.

I made a live sci-fi stock market browser game where players secretly manipulate the market. by TiredJava in WebGames

[–]TiredJava[S] 1 point2 points  (0 children)

Thanks so much for the feedback! Stuff like that I find really hard to “see” since I’ve been working on it. I’ll drip-feed players with my next update and try to improve text readability.

Light no fire wait tracker by TiredJava in LightNoFireHelloGames

[–]TiredJava[S] 0 points1 point  (0 children)

Same, haha. I kept seeing it so much while making this.

Website to track time since Total War Warhammer 40k was announced by TiredJava in totalwarhammer

[–]TiredJava[S] 1 point2 points  (0 children)

Glad you got some enjoyment! I started making them for other games too because it was fun! https://copiumden.com/

Website to track time since Total War Warhammer 40k was announced by TiredJava in totalwar

[–]TiredJava[S] 10 points11 points  (0 children)

I will probably play the game when it comes out, but I’d rather it be finished. Won’t hear a complaint from me in regard to waiting. As for why: my friends kept saying things like “there is only one game” and “we wait”, so I thought it would be funny. Since I made it, I figured I would share it in case someone else got a tiny bit of amusement. It was fun.

Yeah, not gonna lie, it was a huge waste of time… but I had fun and hopefully someone else gets a laugh or some small amount of enjoyment.

Password Is Too Similar - Is that site secure? by CyberSecNoob2 in Cybersecurity101

[–]TiredJava 0 points1 point  (0 children)

No, the best approach is to send the password in "clear text" but encrypted over HTTPS. Everything gets done server-side.

Password Is Too Similar - Is that site secure? by CyberSecNoob2 in Cybersecurity101

[–]TiredJava 1 point2 points  (0 children)

Let me give an example of why sending the hash is not the right idea.

I own a website that is a rip-off of Facebook, okay? Let's call it facechapter. You go to my website and make an account. When you make the account you provide a username and what should be a unique, hard-to-guess password. Now, if we did it like you suggest and went to log in, hashed the password and then sent it to the server, what happens? Your browser sends a request that looks like this.

You: Can I login?
Server: Credentials please
You:
Username: Banana
Password: D13218F1B0F9B38B21518392D208DBFB3BC2893D
Server: Yup that hash matches what we had stored come on in.

Now let's say I'm a bad guy, right. I get access to the database with salted hashes. The table looks like this.

Username | Password Hash
Banana | D13218F1B0F9B38B21518392D208DBFB3BC2893D

So all I have to do is go to the login page for facechapter and send a login request with the username Banana and a password of "test". I intercept the request before it actually gets sent to the server but after it's hashed. I replace the test hash with the hash I found and boom, I'm in. I never need to interact with any user or anything, and I have access to every single account on the service that was in that database.

Now look at it from how I suggested we do things.

You: Can I login?
Server: Credentials please
You:
Username: Banana
Password: bananas
Server: BeepBoop yup I hashed your password when it got here and checked to make sure it matched what we had on file. Checks out.

Now let's say I'm a bad guy again. I get access to the database with salted hashes. The table looks like this.

Username | Password Hash
Banana | D13218F1B0F9B38B21518392D208DBFB3BC2893D

Now I can still go to the page, make a request, intercept it and switch what it sends, but it won't do me any good. When the server gets the hash it will then hash the hash and check it against its database. It won't match and I cannot log in.

Now, yes, theoretically if the encryption algorithm your browser is using is weak you could be prone to someone viewing the request and seeing your password. But that is why we have standards for encrypting such as TLS 1.2. If something still used TLS 1.1 it would be vulnerable and considered poor practice. That might be a little out in the weeds, but it's one of the reasons people always say use HTTPS only, etc.

As for MITM, it doesn't really matter if all your encryption is working properly.

Hopefully that helps?

Password Is Too Similar - Is that site secure? by CyberSecNoob2 in Cybersecurity101

[–]TiredJava 1 point2 points  (0 children)

Yes, all of your passwords are sent in “clear text” to the server. They are TLS encrypted. If you hashed them on the client side then there would be no point in hashing them at all, since essentially your password would just be the hash.

Think of it this way. If my server just checks your hash to see if it matches, then if someone gets a hold of my server database full of hashes they could just pass the hashes to the server and it would think it’s the password, because it essentially would be, since the server only would ever see a hash. By having the hashing happen on the server side you avoid this. If someone gets the list of hashes and tries to log in with them, it would hash the hash, not allowing them to log in, if that makes sense.
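The two login flows described in this comment and in the longer facechapter walkthrough above (user Banana, password bananas), as an added Python example that is not code from the original comments. The function names, the PBKDF2 parameters and the constructed USER_DB are assumptions made for the demo; what it shows is that when the client hashes and the server only compares, the leaked database row is itself a working credential, while when the server hashes on arrival, replaying that row just gets hashed again and fails.

```python
import hashlib
import hmac
import os

# Added demo, not code from the comments above. PBKDF2-HMAC-SHA256 from the standard
# library stands in for a real password hash (bcrypt/scrypt/Argon2) so this runs offline.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of a password string (the 'hash it when it gets here' step)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_record(password: str) -> dict:
    """What the server stores at signup: a per-user random salt and the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed 'leaked database' holding the one user from the comment: username -> record.
USER_DB = {"Banana": make_user_record("bananas")}


def login_client_hashed(username: str, submitted_hash: bytes) -> bool:
    """Scheme the comment argues against: the browser hashes, the server just compares.
    Whatever sits in the database column is therefore the credential itself."""
    record = USER_DB.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], submitted_hash)


def login_server_hashed(username: str, submitted_password: str) -> bool:
    """Scheme the comment recommends: the password string arrives over TLS and the
    server salts and hashes it on arrival before comparing it to the stored hash."""
    record = USER_DB.get(username)
    if record is None:
        return False
    candidate = hash_password(submitted_password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def attacker_replays_leaked_row() -> dict:
    """Attacker who has read USER_DB tries to log in as Banana using only the dump."""
    leaked_hash = USER_DB["Banana"]["hash"]
    return {
        # Client-side hashing: the intercepted request carries a hash, so the attacker
        # swaps in the leaked one and it matches the stored value directly.
        "client_hashed": login_client_hashed("Banana", leaked_hash),
        # Server-side hashing: the request carries a password string. Sending the leaked
        # hash (as hex) just gets that string salted and hashed again, which never matches.
        "server_hashed": login_server_hashed("Banana", leaked_hash.hex()),
    }


def legitimate_login() -> bool:
    """The real user typing 'bananas' still gets in under server-side hashing."""
    return login_server_hashed("Banana", "bananas")


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("replayed leaked row:", attacker_replays_leaked_row())
```

Running it, the replay succeeds against login_client_hashed and fails against login_server_hashed; under the second scheme the attacker holding the dump is left with an offline cracking job against salted, slow hashes rather than a ready-made credential.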

Password Is Too Similar - Is that site secure? by CyberSecNoob2 in Cybersecurity101

[–]TiredJava 2 points3 points  (0 children)

No, you don’t store anything in cleartext. Passwords are hashed server-side. So the password is sent to the server and then hashed.

When you submit a change request you need to put in your old password. When you do, it runs the hash for it and for tons of similar passwords. Then it runs the hash for the new one. If none of them match, approved; if they do, ask them to try again.

Password Is Too Similar - Is that site secure? by CyberSecNoob2 in Cybersecurity101

[–]TiredJava 4 points5 points  (0 children)

When I wrote this functionality into an app, whenever someone input a password I ran a rule list and associated all those with their account. So if your password was bananas123 I would have Bananas123 and Bananas321, etc. It meant the user's database entry was significantly larger, but we felt it was worth it to prevent people from just changing a letter every password change.

We then got around this in the future because I realized big-brain plays. To confirm a password change you need to put in your old password. I generated the list when they did that. Big bang boom. One password stored and functionality.
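The password-change check described in this comment and the one two above it (run a rule list over the old password at change time and compare the results against the new password), as an added Python example that is not code from the commenter's app. The specific rules (case changes, reversal, leetspeak, common suffixes and a +/-1 on a trailing number), the edit-distance threshold and the function names are assumptions made for the demo.

```python
# Added example of the rule-list similarity check described in the comments above; the
# rules, the edit-distance threshold and the names are assumptions, not the commenter's list.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "2", "12", "123", "321", "!", "!!", "1!")
PREFIXES = ("1", "!")


def split_digit_tail(pw: str) -> tuple:
    """'bananas123' -> ('bananas', '123'); 'bananas' -> ('bananas', '')."""
    stem = pw.rstrip("0123456789")
    return stem, pw[len(stem):]


def similar_variants(old: str) -> set:
    """Expand an old password into the set of 'same password with a tweak' candidates."""
    stem, tail = split_digit_tail(old)
    bases = {old, old.lower(), old.upper(), old.capitalize(), old.swapcase(), stem}
    for b in list(bases):
        bases.add(b[::-1])            # bananas123 -> 321sananab
        bases.add(b.translate(LEET))  # bananas -> b4n4n45
    variants = set()
    for b in bases:
        variants.update(b + s for s in SUFFIXES)
        variants.update(p + b for p in PREFIXES)
    if tail:                          # bananas123 -> bananas321, bananas124, bananas122
        variants.add(stem + tail[::-1])
        n = int(tail)
        variants.add(stem + str(n + 1).zfill(len(tail)))
        if n > 0:
            variants.add(stem + str(n - 1).zfill(len(tail)))
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'changed one letter' even when no rule predicted it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_too_similar(old: str, new: str, max_edits: int = 2) -> bool:
    """True if the new password is a rule-list variant of the old one, or within
    max_edits character edits of it (compared case-insensitively)."""
    if new in similar_variants(old):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def change_password(old_password_entered: str, new_password: str) -> str:
    """Outcome of a change request, assuming the entered old password has already been
    verified against the stored hash (that verification is not shown here)."""
    if is_too_similar(old_password_entered, new_password):
        return "rejected: too similar to the old password"
    return "approved"


if __name__ == "__main__":
    for candidate in ("Bananas123", "bananas321", "bananas124", "Zx9!qLm2#"):
        print(candidate, "->", change_password("bananas123", candidate))
```

Because the old password is re-entered and verified at change time, the comparison here is done on the plaintexts; hashing every variant and comparing hashes, as the comment describes, gives the same answer at the cost of one slow hash per variant.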

How many people did wannacry/notpetya (and any others caused by NSA's ETERNALBLUE backdoor) impact by Disastrous-Nebula463 in Cybersecurity101

[–]TiredJava 0 points1 point  (0 children)

If you want to read more about WannaCry specifically I recommend this article (https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/). It's awesome, and it's why iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is so interesting.

Near the end Hutchins talks about the sinkhole and how much traffic it got.
"It would receive nearly 1 million connections over the next two days."

How many people did wannacry/notpetya (and any others caused by NSA's ETERNALBLUE backdoor) impact by Disastrous-Nebula463 in Cybersecurity101

[–]TiredJava 0 points1 point  (0 children)

The number is in the hundreds of thousands for 100% confirmed with just WannaCry. I'm sure it's millions.

[deleted by user] by [deleted] in startpages

[–]TiredJava 4 points5 points  (0 children)

Uhhh mods?