I've started work on the basic systems for it. You can see my progress so far at
http://www.advancedcontent.net/zorm/RPG/.
I'm working on authentication things now. I intend to use SHA-1 and a salt to hash the passwords for storage in the database. Should I try to use JavaScript to hash the passwords before the client sends them to the server? Does anyone have a secure method of generating a salt?
Thinking through this project I also realized I'll need protection against bots and such at various stages in the game. One obvious place this is needed is at account registration. It will require an email, and a link will be sent to that email in order to activate the account. Is there anything that can be done about those 'one time use' email accounts? My general feeling is there isn't a whole lot that can be done. The other thing that will be needed is some sort of CAPTCHA to prevent automated registrations and playing of the game. I'll make some simple checks that will try to detect 'bot'-like activity; if it's triggered, a CAPTCHA will be shown and no other actions allowed until it has been passed.
This brings me to my next point on the CAPTCHA. The simple text ones have been broken and are often insanely hard to read even by humans; clearly this won't work. My idea was to show a simple picture and give 4 options for what the picture is (the options and picture will all be a single image). Then the user enters the letter of the correct option to pass the test. The problem with this is that the picture can't be truly random because I don't know of a way to reliably generate pictures of objects. So I'll likely end up with 5-10 pictures; would performing simple transformations on them be enough to stop something from recognizing them? My other thought is that perhaps I'm overthinking this and such measures won't be needed, as it's unlikely someone smart enough to solve the problem will play my game anyhow.
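Server-side salt generation and salted password storage for the authentication question above, as an added example that is not code from the post or the project: the salt comes from the OS CSPRNG, the stored record carries the scheme and salt beside the hash, and a PBKDF2 variant sits next to the salted SHA-1 the post proposes, because a fast hash like SHA-1 lets each stolen record be guessed against at full speed even when salted. The 16-byte salt size, the iteration count and the `scheme$iterations$salt$hash` record layout are assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16               # assumed: 128-bit per-account salt
PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to ~100 ms on the server

def generate_salt(n: int = SALT_BYTES) -> bytes:
    """Salt from the OS CSPRNG. Never derive it from time(), rand() or the username."""
    return secrets.token_bytes(n)

def salted_sha1(password: str, salt: bytes) -> bytes:
    """The scheme the post proposes: SHA-1 over salt || password.
    The salt defeats precomputed tables, but SHA-1 itself is fast,
    so an attacker holding the database can still try guesses very quickly."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def pbkdf2_sha256(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Same salt handling, but through a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_record(password: str, scheme: str = "pbkdf2") -> str:
    """Build the string stored in the users table: scheme$iterations$salt$hash (hex)."""
    salt = generate_salt()
    if scheme == "sha1":
        digest, iters = salted_sha1(password, salt), 0
    else:
        digest, iters = pbkdf2_sha256(password, salt), PBKDF2_ITERATIONS
    return f"{scheme}${iters}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, hash_hex = record.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    if scheme == "sha1":
        actual = salted_sha1(password, salt)
    else:
        actual = pbkdf2_sha256(password, salt, int(iters))
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
```

Hashing in the browser before sending does not replace this step: whatever string the client transmits is the credential the server receives, so the server must still salt and hash it before storage, and transport protection belongs to TLS rather than to client-side hashing.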