It seems entirely reasonable to me, even sensible, that a mud and most online games would log practically everything (except maybe passwords…, hashing is pointless if the admin can find it in the logs…) in terms of input and maybe even some notion of user actions. It might be a little unsafe privacy wise, but it ensures that you can do precisely as you suggested and simply check the logs. You could also tell then who did what, and in case of a crash figure out what might have caused it and have enough information to recover from loss of data (i.e. you would know who gained levels, xp, etc and when and how).

Frankly, I wouldn't think an online, multiplayer game shouldn't store it's passwords as plaintext. Especially since it seems trivial to implement a basic one way hash on passwords. That would mean that getting a hold of the password wouldn't be a free ticket it. You might have to institute email/other based password recovery systems eventually though, since you'd have to perform a password reset and it might be a tad hard to verify that the person logged is in fact the actual "owner" of the player.

I plan to offer two factor authentication for my users if they choose. I think any serious security scheme these days at least should offer it.

I think two factor authentication is overkill for a lot of things, except maybe bank accounts and other places where monetary transaction occur, one of the places where serious security makes sense.

There's tons of games doing it, and frankly, if I am going to spend hundreds of hours on your game I want a "serious security" scheme. I wouldn't make it mandatory, but it's not too hard to offer it as an optional added security for players.

Point taken. How are you planning to implement it?

P.S. If this going to devolve into security discussion, I vote for a new thread.

You can use the 'Spawn' button whenever you feel its appropriate. It'll start a new topic and link back to the post that started it! No need to vote :D