Monthly Archives: May 2020

Bästa versionen av Dungeons & Dragons?

Den bästa versionen av Dungeons & Dragons är den jag just nu spelar med mina vänner.

Den bästa versionen av Dungeons & Dragons är också den omåttligt populära och aktuella versionen (5e). Och så resonerade även jag när jag skulle köpa D&D för ett tag sedan. Men, vad skulle inte vara bäst med 5e?

  • 5e finns inte på svenska
  • 5e är inte den enklaste versionen att lära sig och att spela
  • 5e kostar ca 1500kr för Players Handbook, Dungeon Masters Guide och Monsters Manual (det finns billigare starlådor, men om du vill fortsätta spela så räcker de inte)
  • Smaken är som baken: olika spelare gillar olika versioner olika mycket, så det kan hända att just du och din grupp faktiskt skulle föredra en annan version.

Låt mig ge en förenklad bild av olika versioner av D&D (se wikipedia för detaljer).

1974-1977-2000-2008-2014-
Original D&DClassic D&D
Advanced D&D (1e, 2e)
D&D 3eD&D 4eD&D 5e

Om man frågar sig vilket spel som är enkast men också genomarbetat och bra, så blir svaret Classic D&D. Det heter såklart bara Dungeons & Dragons, men det brukar kallas Classic eller Basic för att skilja ut det.

En rolig sak med Classic är att det släpptes på svenska i slutet av 1980-talet av Titan Games.

Dessa två boxar täcker spel för rollpersoner med graderna 1-14. På engelska finns ytterligare två boxar (Companion och Master Rules för graderna 15-36). Alla dessa fyra boxar finns samlade i en enda bok som heter Rules Cyclopedia som släpptes 1991.

I mångas ögon var och är detta den bästa versionen av D&D. Men produktionen lades ner i början av 1990-talet och självklart blev produkterna allt svårare att få tag i. Därför uppstod en rad retro-kloner, spel som inte heter Dungeons & Dragons, men som i väldigt stor utsträckning är samma spel – och som är kompatibla när det gäller äventyr och annat. Så för dig som vill spela “Classic D&D” i Sverige idag 2020 finns flera bra alternativ:

  • Rules Cyclopedia (print-on-demand eller PDF från dmsguild.com)
  • Monster & Magi (en svensk retroklon som finns på Bokus och Adlibris eller gratis nedladdning)
  • Svärd & Svartkonst (en svensk retroklon som är ännu enklare och inte så nära originalet)
  • Basregler och Expertregler från Titan Games (begagnat)
  • …eller någon av en stor mängd retrokloner på engelska, både i tryck eller som (gratis) nedladdning

Tvärt emot vad det först kan verka, så är detta inte på något vis en återvändsgränd för mycket nöje med D&D.

  • dmsguild.com säljer alla gamla D&D-äventyr som PDF (på engelska)
  • Monster & Magi erbjuder flera äventyr
  • Svärd & Svartkonst erbjuder flera äventyr

Är Classic bättre?

Jag har precis börjat spela Classic igen (Titan Games D&D) efter att ha spelat 5e ett tag, med blandade känslor. Det återstår att se om gräset är grönare på andra sidan. Det som talar för Classic är att det är ett enklare och snabbare spel. Om jag skulle spela med unga människor i Sverige så skulle jag absolut välja D&D Classic på svenska.

Det finns också en trend som heter OSR (Old School Revival) som handlar om att hitta tillbaka till rollspelens ursprung. Utan att gå in på detaljer så är min mening att rollspelen blev mer och mer avancerade under 80-talet och 90-talet – det fanns såklart en efterfrågan från spelare, och en marknad att tjäna pengar på. Sedan försvann intresset för bordsrollspel mycket på 2000-talet, och jag tror en bidragande orsak var dataspel (Diablo, World of Warcraft). Ett dataspel är alltid överlägset ett rollspel när det gäller möjligheten att hantera taktisk realism och djup på ett snabbt sätt. Men till slut ersätter inte dataspelen helt rollspelen – det är en annorlunda upplevelse. Och kärnan i vad som gör rollspelen unika fångas helt även i ett mycket enkelt klassiskt rollspel. Jag tycker på samma sätt att man kan ana med nyare versioner av D&D (inte minst 5e) att de är designade med dataspel i åtanke (också).

Jag har skrivet mer om OSR (länk).

En annan sak som kan upplevas som en fördel eller nackdel med Classic är att eftersom det är så enkelt, så är det också väldigt enkelt att hitta på egna husregler som passar din grupp.

Vilken retro-klon eller Classic-D&D är bäst?

Jag är inte alls i stånd avgöra vilken retroklon som är bäst, eller om den är bättre än Bas/Expert från Titan Games.

Men retroklonerna uppstod därför att originalet blev svårt att få tag i. Sedan några år finns Rules Cyclopedia att köpa tillsammans med allt gammalt som publicerats till classic (på dmsguild.com). Om allt det funnits tillgängligt 1995-2015, så hade det troligtvis inte funnit så många retrokloner.

Med det sagt så är självklart inte Rules Cyclopedia från 1991 det perfekta D&D i alla avseenden. Olika retrokloner har ändrat vissa saker i avsikt att förbättra. Så för den som jämför retro-kloner finns några huvudsakliga skillnader:

  • Ras som klass: I D&D är alv, halvling och dvärg egna klasser. Människor kan vara krigare, magiker, präster och tjuvar. Men det finns inga alv-tjuvar eller dvärg-präster. Många retrokloner gör annorlunda.
  • Räddningsslag: I D&D finns 5 olika typer av räddningsslag. I vissa retrokloner finns bara 1 räddningsslag, eventuellt modifierat av grundegenskap (som 5e), eller andra lösningar.
  • Pansarklass: I D&D har man PK9 utan rustning och PK3 med plåtrustning – lägre är bättre. I många retrokloner har man vänt detta (precis som i 5e) så att högre PK är bättre.
  • En del retrokloner är mer T20-baserade (medan D&D ofta använder 1T6 eller 2T6 för att avgöra saker).

Styrkan i Rules Cyclopedia är mer avancerade saker som ofta saknas i retroklonerna, och att det är omfattande och komplett

  • Regler ända till grad 36
  • Färdigheter och “Weapon Mastery”-regler
  • Många formler, monster, magiska föremål, osv
  • Regler för fältslag, mm

Min egen avsikt är nog att använda Titan Games D&D, men med Rules Cyclopedia som referens i bakgrunden (och i den händelse jag behöver hantera karaktärer över grad 14) eftersom det är precis samma spel.

För den som vill börja spela D&D på svenska så skulle jag föreslå Monster & Magi. Det finns regler upp till grad 20, och skulle man vilja plocka in saker från Rules Cyclopedia så tror jag det skulle gå bra.

Även om Svärd & Svartkonst känns väl minimalistiskt för mig, så finns det mycket intressant att läsa i den snygga regelboken! Det finns lite valfria regler för strid, perspektiv på erfarenhetspoäng och hur exempelvis vandöda (levande döda) hanteras som helt klart är bra nytänkande!

Jag har svårt att se att jag skulle rekommendera någon att leta efter D&D Titan Games begagnat när M&M och S&S finns.

För den som föredrar ett engelskt spel så tycker jag utgångspunkten är att originalet (Rules Cyclopedia) är det bästa alternativet. Men det finns många bra retroclones på engelska. De jag skulle titta på först är:

  • Basic Fantasy Roleplaying Game
  • Labyrith Lord
  • Lamentation of the Flame Princess
  • Sword & Sorcery

Slutsats

Det här med att välja D&D-version som passar för dig och din grupp är inte helt enkelt. För att verkligen kunna ha en riktig uppfattning måste man såklart provspela. Men om man vet vad som finns så är det nog lite lättare att göra ett klokt val när man köper ett spel.

Jag hade nog inte köpt D&D 5e förra året ifall jag kände till Rules Cyclopedia och Monster & Magi då.

D&D Ability Scores: How exceptional is your character?

D&D (and many other RPGs) have ability scores. You are supposed to roll 3d6 for each of them, but most often players want better scores and DMs allow methods that gives better scores.

Each ability has a value in the range 3-18 and it gives a bonus in the range -4 to +4 (for Classic D&D: -3 to +3).

Lets forget about child mortality and assume 3d6 is for those who reach adulthood (without racial ability modifiers). This would give that the average citizen of a fantasy world has a total ability value of 63 (6 x 10.5) and a bonus of 0. It makes sense that the player characters – adventurers – are better than average. Not everyone becomes an adventurer.

If we imagine our D&D town or village not to be so very different from how children grow up today, I think this is a reasonable way to think of it (approximately)

  • 1/4: most talented among siblings
  • 1/10: most talented kid on the street
  • 1/30: most talented in class
  • 1/200: most talented in school
  • 1/1000: most talented person in a village
  • 1/10000: most talented person in town
  • … and beyond that, exceptional and rare talent

How does this match ability scores and bonuses?

Ability Score

6 abilitiesBetter than
6347%
6453%
6558%
6663%
6768%
6873%Most talented sibling
6977%
7081%
7185%
7288%
73Best of 10Most talented kid on street
74Best of 14
75Best of 18
76Best of 24
77Best of 32
78Best of 45
79Best of 64
80Best of 92
81Best of 136
82Best of 205Most talented kid in school
83Best of 316
84Best of 499
85Best of 808
86Best of 1341Most talented person in village
87Best of 2287
88Best of 4009
89Best of 7237
90Best of 13472Most talented person in town

So, a character with an average score of 15 would have a total of 90. On one hand that is a person who would probably have received some attention for her talents when growing up. On the other hand, it is far from unrealistic that such a person exist.

Bonuses

So what about total bonuses?

Total Bonus
6 Abilities
D&D 5e
Better than
Best of
D&D Classic
Better than
Best of
045%41%
+155%59%
+266%75%
+375%87%
+483%/17
+589%/45
+6/15/135
+7/26/473
+8/50/1 924
+9/103/9 075
+10/229/49 840
+11/554/320 497
+12/1 476/2 435 080
+13/4 344/22 166 682
+14/14 251/246 959 710
+15/52 658/3 481 658 707
+16/221 926/65 692 122 012
+17/1 083 583/1 846 464 029 852
+18/6 251 574/101 983 687 214 006

What I find interesting with this is that it can somehow be connected to the background story of the character. If the character is just an unknown nobody who left her village for adventuring a total bonus of +6 (or +4 for Classic) is on the high side (a best-in-class-character would probably have recieved som attention). If, on the other hand, it is understood that the character is somehow distinguished, priviliged or meant for great deeds, it is not at all unreasonable with a total bonus of +12 (+8 in classic).

Even higher bonuses than that are very possible as long as it is understood that the characters are extraordinarily talented individuals in their society.

Other Rolling Methods

What if the DM allows other methods of rolling (Classic in parenthesis)?

~1/10 bad rollAverage roll~1/10 good roll
3d6-5 (-2)+0 (0)+5 (+2)Average person
2d6+6+4 (+2)+8 (+5)+12 (+8)Best in large class (~50)
4d6 drop worst+1 (+1)+6 (+4)+10 (+7)Best kid on street (~15)
5d6 drop worst 2+5 (+3)+9 (+6)+13 (+8)Best in small school (~100)
5e: [15, 14, 13, 12, 10, 8]+5 (+2)Best sibling
5e: My House Rule+6Best kid on street (~15)

What this table says, roughly, is that if the player rolls once using this method it is likely she will get the average outcome. Only about 1/10 she will get the bad result from the bad column, or the good result from the good column. It is not at all likely that any of your players will roll a +14 (+9) character (which would correspond to best one of 10 000, or most talented in town) with any of the methods.

Conclusion

From this little experiment, two things came to me.

First, when it comes to NPC, villains and heroes (Conan and Robin Hood if you like) sometimes the stats of such figures are published and they can seem ridiculously good. But that is quite fine. They may be one-in-a-million type of humans who really made a footprint in their time.

Second, most established methods for generating abilities will produce characters that are the most talented among their siblings or perhaps the most talented in their school. For a player to roll anything significantly better there are some ways:

  • Very much luck
  • Rolling very many times
  • Cheating
  • Inventing a very powerful method

I think, more than just focusing on the rolling and the methods, it makes sense to talk to they players and ask: who do you reasonably think your character is. If they are the son of Conan, or the only one girl selected by the archmage in the country to study magic because of her extraordinary talents, then very high ability scores are perfectly reasonable.

Source Code

The source code for this is written in JavaScript and runs with Node.js on your computer. It is not quite written to be published, but here it is anyway.

Parameters are hard coded in the top of main().

const objcopy = (obj) => {
  return JSON.parse(JSON.stringify(obj));
};

const num2prop = (n) => {
  if ( n < 0 ) return '' + n;
  if ( 0 < n ) return '+' + n;
  return ' 0';
};

const numcmp = (a,b) => {
  return +a - +b;
};

const abilities = () => {
  const ret = {};
  let i;
  for ( i=3 ; i<=18 ; i++ ) ret[i] = 0;
  return ret;
};

const dice3d6 = () => {
  const ret = abilities();
  let i, j, k;
  for ( i=1;i<=6;i++ ) for ( j=1;j<=6;j++ ) for ( k=1;k<=6;k++ ) ret[i+j+k]++;
  return ret;
};

const dice2d6p6 = () => {
  const ret = abilities();
  let i, j;
  for ( i=1;i<=6;i++ ) for ( j=1;j<=6;j++ ) ret[i+j+6]++;
  return ret;
};

const dice4d6drop = () => {
  const ret = abilities();
  let i, j, k, l;
  for ( i=1;i<=6;i++ )
    for ( j=1;j<=6;j++ )
      for ( k=1;k<=6;k++ )
        for ( l=1;l<=6;l++ ) {
          const a = [i,j,k,l];
          a.sort(numcmp);
          ret[a[1]+a[2]+a[3]]++;
        }
  return ret;
};

const dice5d6drop = () => {
  const ret = abilities();
  let i, j, k, l, m;
  for ( i=1;i<=6;i++ )
    for ( j=1;j<=6;j++ )
      for ( k=1;k<=6;k++ )
        for ( l=1;l<=6;l++ )
          for ( m=1;m<=6;m++ ) {
            const a = [i,j,k,l,m];
            a.sort(numcmp);
            ret[a[2]+a[3]+a[4]]++;
          }
  return ret;
};

const multiplestats = (dist,n) => {
  let ret = objcopy(dist);
  let i;
  for ( i=1 ; i<n ; i++ ) {
    ret = multiplestats_2(ret,dist);
  }
  return ret;
};

const multiplestats_2 = (total,one) => {
  let ret = {};
  let t, o, r;
  for ( t in total ) for ( o in one ) {
    r = num2prop(+t + +o);
    if ( !ret[r] ) ret[r] = 0;
    ret[r] += (total[t] * one[o]);
  }
  return ret;
};

const bonuses = {
  'Classic' : () => {
    return {
      '-3' : 0,
      '-2' : 0,
      '-1' : 0,
      ' 0' : 0,
      '+1' : 0,
      '+2' : 0,
      '+3' : 0
    };
  },
  '5e' : () => {
    return {
      '-4' : 0,
      '-3' : 0,
      '-2' : 0,
      '-1' : 0,
      ' 0' : 0,
      '+1' : 0,
      '+2' : 0,
      '+3' : 0,
      '+4' : 0
    };
  }
};

const ability2bonus = {
  'Classic' : (a) => {
    switch (a) {
    case 3: return '-3';
    case 4: case 5: return '-2';
    case 6: case 7: case 8: return '-1';
    case 9: case 10: case 11: case 12: return ' 0';
    case 13: case 14: case 15: return '+1';
    case 16: case 17: return '+2';
    case 18: return '+3';
    };
  },
  '5e' : (a) => {
    switch (a) {
    case 3: return '-4';
    case 4: case 5: return '-3';
    case 6: case 7: return '-2';
    case 8: case 9: return '-1';
    case 10: case 11: return ' 0';
    case 12: case 13: return '+1';
    case 14: case 15: return '+2';
    case 16: case 17: return '+3';
    case 18: return '+4';
    };
  }
};

const dist_ability2bonus = (distDice,version) => {
  const distBonus = bonuses[version]();
  const getBonus = ability2bonus[version];
  let a;
  for ( a=3 ; a<=18 ; a++ ) distBonus[getBonus(a)] += distDice[a];
  return distBonus;
};

const toPercent = (dist) => {
  const ret = {};
  const keys = Object.keys(dist).sort(numcmp);
  let total = 0;
  let i,k;
  for ( i=0 ; i<keys.length ; i++ ) {
    k = keys[i];
    total += dist[k];
  };
  total = 100 / total;
  for ( i=0 ; i<keys.length ; i++ ) {
    k = keys[i];
    ret[k] = dist[k] * total;
  };
  return ret;
};

const accumulate = (dist) => {
  const ret = {};
  const keys = Object.keys(dist).sort(numcmp);
  let acc = 0;
  let i,k;
  for ( i=0 ; i<keys.length ; i++ ) {
    k = keys[i];
    ret[k] = acc;
    acc += dist[k];
  }
  return ret;
};

const rounddecimals = (dist) => {
  let k,v;
  for ( k in dist ) {
  v = dist[k];
  if ( !Number.isInteger(v) ) {
    if ( v < 10 )
      dist[k] = '1/' + (100/v).toFixed(0);
    else if ( 90 < v )
      dist[k] = '1/' + (100/(100-v)).toFixed(0);
    else
      dist[k] = v.toFixed(1);
    }
  }
};

const main = () => {
//const rolldist = dice3d6();
//const rolldist = dice2d6p6();
//const rolldist = dice4d6drop();
  const rolldist = dice5d6drop();
//const bonus = '5e';
  const bonus = 'Classic';
  const rollcount = 6;
  const percent = true;
  const accumulated = true;
  const round = true;
  const printall = true;
  let workdata = [{ dist:rolldist , lbl:'Roll Dist'}];
  const last = () => { return workdata[workdata.length-1].dist; };
  if ( bonus ) workdata.push({
    dist : dist_ability2bonus(last(),bonus),
     lbl : 'Bonus: ' + bonus
  });
  if ( 1 < rollcount ) workdata.push({
    dist : multiplestats(last(),rollcount),
     lbl : '' + rollcount + ' stats'
  });
  if ( percent ) workdata.push({
    dist : toPercent(last()),
     lbl : 'Percent'
  });
  if ( accumulated ) workdata.push({
    dist : accumulate(last()),
     lbl : 'Accumulated'
  });
  if ( round ) workdata.forEach((w) => { rounddecimals(w.dist) });
  if ( printall )
    console.log(JSON.stringify(workdata,null,4));
  else
    console.log(JSON.stringify(last,null,4));
};

main();

Rollformulär Titan Games D&D

Här följer rollformulär för svenska Dungeons & Dragons av Titan Games.

Rollformular-TitanGames.pdfOriginal Spelarens Handbok, (C) Titan Games
Rollformular-DnD.pdfMitt eget rollformulär, 2 sidor, anpassade för mina husregler
Rollformular-DnD-2on1.pdfMitt eget rollformulär, båda sidorna bredvid varandra på en A4-sida

Simple Password Hashing with Node & Argon2

When you build a service backend you should keep your users’ passwords safe. That is not so easy anymore. You should

  1. hash and salt (md5)
  2. but rather use strong hash (sha)
  3. but rather use a very expensive hash (pbkdf2, bcrypt)
  4. but rather use a hash that is very expensive on GPUs and cryptominers (argon2)

Argon2 seems to be the best choice (read elsewhere about it)!

node-argon2

Argon2 is very easy to use on Node.js. You basically just:

$ npm install argon2

Then your code is:

/* To hash a password */
hash = await argon2.hash('password');

/* To test a password */
if ( await argon2.verify(hash,'password') )
  console.log('OK');
else
  console.log('Not OK');

Great! What is not to like about that?

$ du -sh node_modules/*
 20K  node_modules/abbrev
 20K  node_modules/ansi-regex
 20K  node_modules/aproba
 44K  node_modules/are-we-there-yet
348K  node_modules/argon2
 24K  node_modules/balanced-match
 24K  node_modules/brace-expansion
 24K  node_modules/chownr
 20K  node_modules/code-point-at
 40K  node_modules/concat-map
 32K  node_modules/console-control-strings
 44K  node_modules/core-util-is
120K  node_modules/debug
 36K  node_modules/deep-extend
 40K  node_modules/delegates
 44K  node_modules/detect-libc
 28K  node_modules/fs-minipass
 32K  node_modules/fs.realpath
104K  node_modules/gauge
 72K  node_modules/glob
 20K  node_modules/has-unicode
412K  node_modules/iconv-lite
 24K  node_modules/ignore-walk
 20K  node_modules/inflight
 24K  node_modules/inherits
 24K  node_modules/ini
 36K  node_modules/isarray
 20K  node_modules/is-fullwidth-code-point
 48K  node_modules/minimatch
108K  node_modules/minimist
 52K  node_modules/minipass
 32K  node_modules/minizlib
 32K  node_modules/mkdirp
 20K  node_modules/ms
332K  node_modules/needle
956K  node_modules/node-addon-api
240K  node_modules/node-pre-gyp
 48K  node_modules/nopt
 24K  node_modules/npm-bundled
 36K  node_modules/npmlog
172K  node_modules/npm-normalize-package-bin
 28K  node_modules/npm-packlist
 20K  node_modules/number-is-nan
 20K  node_modules/object-assign
 20K  node_modules/once
 20K  node_modules/osenv
 20K  node_modules/os-homedir
 20K  node_modules/os-tmpdir
 20K  node_modules/path-is-absolute
 32K  node_modules/@phc
 20K  node_modules/process-nextick-args
 64K  node_modules/rc
224K  node_modules/readable-stream
 32K  node_modules/rimraf
 48K  node_modules/safe-buffer
 64K  node_modules/safer-buffer
 72K  node_modules/sax
 88K  node_modules/semver
 24K  node_modules/set-blocking
 32K  node_modules/signal-exit
 88K  node_modules/string_decoder
 20K  node_modules/string-width
 20K  node_modules/strip-ansi
 20K  node_modules/strip-json-comments
196K  node_modules/tar
 28K  node_modules/util-deprecate
 20K  node_modules/wide-align
 20K  node_modules/wrappy
 36K  node_modules/yallist

That is 69 node modules of 5.1MB. If you think that is cool for your backend password encyption code (in order to provide two functions: encrypt and verify) you can stop reading here.

I am NOT fine with it, because:

  • it will cause me trouble, one day, when I run npm install, and something is not exactly as I expected, perhaps in production
  • how safe is this? it is the password encryption code we are talking about – what if any of these libraries are compromised?
  • it is outright ugly and wasteful

Well, argon2 has a reference implementation written in C (link). If you download it you can compile, run test and try it like:

$ make
$ make test
$ ./argon2 -h
Usage: ./argon2-linux-x64 [-h] salt [-i|-d|-id] [-t iterations] [-m log2(memory in KiB) | -k memory in KiB] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
Password is read from stdin
Parameters:
 salt The salt to use, at least 8 characters
 -i   Use Argon2i (this is the default)
 -d   Use Argon2d instead of Argon2i
 -id  Use Argon2id instead of Argon2i
 -t N Sets the number of iterations to N (default = 3)
 -m N Sets the memory usage of 2^N KiB (default 12)
 -k N Sets the memory usage of N KiB (default 4096)
 -p N Sets parallelism to N threads (default 1)
 -l N Sets hash output length to N bytes (default 32)
 -e   Output only encoded hash
- r   Output only the raw bytes of the hash
 -v (10|13) Argon2 version (defaults to the most recent version, currently 13)
 -h   Print ./argon2-linux-x64 usage

It builds to a single binary (mine is 280kb on linux-x64). It does most everything you need. How many lines of code do you think you need to write for node.js to use that binary instead of the 69 npm packages? The answer is less than 69. Here comes some notes and all the code (implementing argon2.hash and argon2.verify as used above):

  1. you can make binaries for different platforms and name them accordingly (argon2-linux-x64, argon2-darwin-x64 and so on), so you can move your code (and binaries) between different computers with no hazzle (as JavaScript should be)
  2. if you want to change argon2-parameters you can do it here, and if you want to pass an option-object to the hash function that is an easy fix
  3. options are parsed from hash (just as the node-argon2 package) when verifying, so you don’t need to “remember” what parameters you used when hashing to be able to verify
/* argon2-wrapper.js */

const nodeCrypto = require('crypto');
const nodeOs    = require('os');
const nodeSpawn = require('child_process').spawn;
/* NOTE 1 */
const binary    = './argon2';
// st binary    = './argon2-' + nodeOs.platform() + '-' + nodeOs.arch();

const run = (args,pass,callback) => {
  const proc = nodeSpawn(binary,args);
  let hash = '';
  let err = '';
  let inerr = false;
  proc.stdout.on('data', (data) => { hash += data; });
  proc.stderr.on('data', (data) => { err += data; });
  proc.stdin.on('error', () => { inerr = true; });
  proc.on('exit', (code) => {
    if ( err ) callback(err);
    else if ( inerr ) callback('I/O error');
    else if ( 0 !== code ) callback('Nonzero exit code ' + code);
    else if ( !hash ) callback('No hash');
    else callback(null,hash.trim());
  });
  proc.stdin.end(pass);
};

exports.hash = (pass) => {
  return new Promise((resolve,reject) => {
    nodeCrypto.randomBytes(12,(e,b) => {
      if ( e ) return reject(e);
      const salt = b.toString('base64');
      const args = [salt,'-id','-e'];
/* NOTE 2 */
//    const args = [salt,'-d','-v','13','-m','12','-t','3','-p','1','-e'];
      run(args,pass,(e,h) => {
        if ( e ) reject(e);
        else resolve(h);
      });
    });
  });
};

exports.verify = (hash,pass) => {
  return new Promise((resolve,reject) => {
    const hashfields = hash.split('$');
    const perffields = hashfields[3].split(',');
/* NOTE 3 */
    const args = [
        Buffer.from(hashfields[4],'base64').toString()
      , '-' + hashfields[1].substring(6) // -i, -d, -id
      , '-v', (+hashfields[2].split('=')[1]).toString(16)
      , '-k', perffields[0].split('=')[1]
      , '-t', perffields[1].split('=')[1]
      , '-p', perffields[2].split('=')[1]
      , '-e'
    ];
    run(args,pass,(e,h) => {
      if ( e ) reject(e);
      else resolve(h===hash);
    });
  });
};

And for those of you who want to test it, here is a little test program that you can run. It requires

  • npm install argon2
  • argon2 reference implementation binary
const argon2package = require('argon2');
const argon2wrapper = require('./argon2-wrapper.js');

const bench = async (n,argon2) => {
  const passwords = [];
  const hashes = [];
  const start = Date.now();
  let errors = 0;

  for ( let i=0 ; i<n ; i++ ) {
    let pw = 'password-' + i;
    passwords.push(pw);
    hashes.push(await argon2.hash(pw));
  }
  const half = Date.now();
  console.log('Hashed ' + n + ' passwords in ' + (half-start) + ' ms');

  for ( let i=0 ; i<n ; i++ ) {
    // first try wrong password
    if ( await argon2.verify(hashes[i],'password-ill-typed') ) {
      console.log('ERROR: wrong password was verified as correct');
      errors++;
    }
    if ( !(await argon2.verify(hashes[i],passwords[i]) ) ) {
      console.log('ERROR: correct password failed to verify');
      errors++;
    }
  }
  const end = Date.now();
  console.log('Verified 2x' + n + ' passwords in ' + (end-half) + ' ms');
  console.log('Error count: ' + errors);
  console.log('Hash example:\n' + hashes[0]);
};

const main = async (n) => {
  console.log('Testing with package');
  await bench(n,argon2package);
  console.log('\n\n');

  console.log('Testing with binary wrapper');
  await bench(n,argon2wrapper);
  console.log('\n\n');
}
main(100);

Give it a try!

Performance

I find that in Linux x64, wrapping the binary is slightly faster than using the node-package. That is weird. But perhaps those 69 dependencies don’t come for free after all.

Problems?

I see one problem. The node-argon2 package generates binary hashes random salts and sends to the hash algorithm. Those binary salts come out base64-encoded in the hash. However, a binary value (a byte array using 0-255) is not very easy to pass on the command line to the reference implementation (as first parameter). My wrapper-implementation also generate a random salt, but it base64-encodes it before it passes it to argon2 as salt (and argon2 then base64-encodes it again in the hash string).

So if you already use the node-package the reference c-implementation is not immediately compatible with the hashes you already have produced. The other way around is fine: “my” hashes are easily consumed by the node package.

If this is a real problem for you that you want to solve I see two solutions:

  1. make a minor modification to the C-program so it expects a salt in hex format (it will be twice as long on the command line)
  2. start supplying your own compatible hashes using the option-object now, and don’t switch to the wrapper+c until the passwords have been updated

Conclusion

There are bindings between languages and node-packages for stuff. But unix already comes with an API for programs written in different languages to use: process forking and pipes.

In Linux it is extremely cheap. It is quite easy to use and test, since you easily have access to the command line. And the spawn in node is easy to use.

Argon2 is nice and easy to use! Use it! Forget about bcrypt.

The best thing you can do without any dependencies is pbkdf2 which comes with node.js and is accessible in its crypto module. It is standardized/certified, that is why it is included.

Reading old Dragon Magazines in 2020

I discovered that old issues of the Dragon magazine are available free for download. When reading about old versions of Dungeons and Dragons there are often references to the Dragon Magazine.

I entertained myself browsing through the first 100 130 issues (June 1976 to August 1985) and took notes of articles I find can be of value today.

  • OD&D is mostly covered up to #25
  • After #25 most things refer to AD&D 1e (which for most practical purposes is quite compatible with OSR clones and Classic D&D)
  • There is virtually no content to be found specifically written for Classic D&D
  • There is a separate Dungeon magazine which also is downloadable for free, and which almost only contains D&D modules (adventures), so I have only noted a few such modules from Dragon magazine.

This is a list of articles I found in Dragon #1 – #130 that I found particularly relevant in 2020.

You are most welcome to give feedback on my list!

About D&D

#pagesTitle or type of article
77Gary Gagax on D&D
823On Realism (Joke)***
1615-16,21Gary Gagax on Realism, Game Logic and more****
1636Game Balance***
2417-19Gary Gagax on Melee in D&D
2628-Gary Gagax on OD&D and AD&D****
28Gary Gagax on OD&D and AD&D****
35TSR plans D&D and AD&D
3916-18Women want equality***
5214-15On Classic D&D by Holmes/Moldvay****
7645-52Index of previous Dragon Magazine
7726-29On Classic D&D by Mentzer****
8438-44On Companion D&D by Mentzer****
9512-13The influence of JRR Tolkien on D&D and AD&D***
1028-10Realms of role playing***
1038-10What the 2nd Edition will be like by Gary Gagax
10356Profile: Gary Gagax (never sleeps)***
10763Profile: Elmore
11241-64Index of previous Dragon Magazine
12240Gary Gagax “Farewell”**

Creatures (new AD&D 1e)

Creatures for AD&D 1e can probably be used with little effort in OSR gaming.

#pagesTitle or type of article
27The Horast
3043Crust
3239Crawling Claw
3356Frost
36Krolli
376-Neutral Dragons
3810-Dragons
427-15Demons, Devils, Spirits
4244Necroton and more
4488-Ice, various creatures
4566-Dust Devil, Sand Lizard
4810Sea, various creatures
5166Piranha Bat
5248-49Rhaumbusun (Crocodile-basilisk)
5430Jabberwock
5559
60
61
62
Devil Spider
Surchurr
Dyll
Poltergeist
***
**
**
****
6148-49Umbreas and more
626-11Dragons (faerie and more)
6528-30Dragons (yellow, orange, purple)
6620-21Oriental (different spirits)
6656-57Vultures, Hawk, Skeleton animals
7412-15Landragons (non flying dragons)
9020-23Bats, 6 types
918Goristro Demon
9444-54Creature Catalogue II
9538-39The many shapes of Apes***
10140-55Creature Catalogue III**
10220-28A collection of Canines (dogs)
1108-14Dracolich
11542-45Snakes
11638-44Sea Creatures
11864-67Spiders
11946-53Creatures of the Woods
12434-37Aaracockra
1347-14Dragons
13742-49Prehistorical animals
13822-35The ungrateful dead
13970-74Rare beasts of Forgotten Realms

Creature Lore

#pagesTitle or article type
1414-Interview with a Rust Monster
2531-33Interview with an Iron Golem
2542Vampires, Variety of**
2636Lich, Blueprint of****
507-12Dragons: Fighting strategies
7115-18Mind of the monsters
766-8On Beholders
7866-68Ecology of Mind Flayers
806-8Psycology of Dopplegangers
8127-28Ecology of a Basilisk
8718-20Ecology of a Dryad
8822-24Ecology of a Rust Monster
9229-31Ecology of Ettins
9424-26Ecology of Chimera
9522-26Ecology of a Cockatrice****
9725-27Ecology of a Gorgon
9919-20Ecology of Will-i-wisp
103
105
35-46
24
The Centaur Papers
10433-36Ecology of the Ochre Jelly
10616-17Ecology of the Maedar
10932-34Ecology of a Displacer beast
11550-54Ecology of a Harpy****
11632-35Ecology of a Minataur
11733-36Ecology of an Anhkheg
11942-44Ecology of the Korred
12456-57Ecology of a Gelatinous Cube
12510-12Ecology of the Greenhag
12629-34Undeads
12641-43The ecology of the Shade
12921-23Drow
13136-39Ecology of the Aboleth + Stats
13142-46Ecology of Hook Horror + Stats
13417-22
24-26
28-30
33-36
Give Dragons a Fighting Chance
Serpents (Dragons) and Sorcery
Dragotha (a Dracolich)
Ecology of the Red Dragon
13654-56The Golems Craft
13727-32Ecology of carnivorous plants
13942-43
86-89
Golems (hiding)
Ecology of spectator (+stats)

Greyhawk

#pagesTitle or article type
5218-24Birthplaces in Greyhawk
56
57
18-
13-
Countries
6314-17Sea Barons and more countries
86
87
88
89
90
30-34
23-27
8-11
20-24
24-28
Gods of the Seul Pantheon

Knowledge

These articles are mostly not about rules but other useful knowledge.

#pagesTitle or Type of article
2032-Demonic Possession
2250-54Pole Arms
2512-13Social classes in D&D
3221-Celts
3926-27Bows*****
4541-43History of Dwarves
4549-51Castles*** (historical)
5013-Raising a Dragon
526-13Clerics
5855-59Swords*** Quality of swords?
5916-20Gypsies
5949-55Halflings
606-14Elves
6128-33Gnomes
6325-31Humanoids (and their Deities)
6351-54Plan before you play
6367-71Coins*** (historical)
6547-53Celtic mythology
6556-62Law***
6563-65War
6818-22Ice Age Adventureing
697-15Runes
7224-29Barbarians*****
75
76
8-33
23-44
Hell and Devils
7554-57Orcish language
8014-16Five things to DMing Success
8022-28Castles
8512-14
15-17
Clerics: Special Skills & Thrills
Dragon Magazine #85
Clerics must be deity-bound
****
**
9030-33Political Game
9036-60Gladsheim / Norse Mythology + Module****
9118-34The Nine Hells Revisited
926-10Clerics – missions and playing
9312-17World Building
9324-30How to pronounce monster names
9410-16Large Scale Logistics
978-Deities and their faithful
986-10Dragon Hoards
9811-13Dragon Teeth
9815-16Dragons of Dragonlance
9822-24Detailing a fantasy world
9828-32Knowing whats in Store*****
998-10The neutral point of view (between good and evil)
10536-42,55Parallel gaming worlds
1068-12The laws of Magic*
10716-21The six abilities
10722-25Increasing ability scores
10812-20The Role of Nature
10928-30A dwarf’s beard is more than hair
11122-26Out-of-control campaigns
11310-26Welcome to Hades
1159-36Thieves
11538-40Clerics: Weapons of choice**
11628-30Aquatic Elves
11716-17Feuds and Feudalism
11740-42Fun without Fighting
11743-45Henchmen, Hirelings & Followers
1188-14,18-20Gladitorial Combat
11910-29Druids (several articles)
12244-45DMs ten commandments***
12316-30The Mystic’s College
12514-16Woodlands of the Realms (trees)
12518-19Code of Chivalry
12542-45Glory, Danger and Wounds
12615-24Vampires
1288-14Welcome to Waterdeep
13070-78If looks could kill
13228-32Trap Design
13327-33Roman Pantheon + stats
13518-19Usages of Rope
13526-29When Game Masters go Bad*****
13618-20The long arm of the law
13628-32Inns (with price lists)
13634-38Fifty ways to foil your players
13755-58Festivals
13844-49Plague
13936-40Speaking with Spirits

Magical Items

#pagesTitle
2624-Deck of Fate
3035-36Extranous Magic Items
7336-40100 Unusual Magic Items
7418-24Blades of the (Forgotten) Realms
7718-24Curses and nasty items
8034-36Treasures rare and wondrous
8228-30Magic Jewelry (13 items)
8626-28A few magic items
8914-18Six very special shields
9152-62Treasure Trove (47 magic items)
9949-52Seventeen new treasures (Magic Items)
10230-34,89-Nine Wands of Wonder
11546-47Nine magical harps
11746-47Nine magical masks
11748-51Magic rings
12564-67Magical maps of Greyhawk
12726-31Bows and Crossbows
13310-11Arrows (and Quivers)
13520-24Arrows

Modules (Adventures)

A few I found interesting.

#pagesTitle or article type
7842-56Citadel by the Sea
8035-45Adventure + City
9246-53Adventure
10243-54Valley of the Earthmother

Rules, Lists

These are optional rules, items and other lists.

#pagesTitle or type of article
3219-20Permanent Damage
2419Diseases
2923Rewarding Heroism*
2924-25Taverns & Inns + Menu*****
31Criticals & Below 0HP
324-5Poison
3430-31Beware of Quirks and Curses: Magic items are not always nice****
3847-48DM Hostile Magic Users
3934-35Criticals
43Witches
4860-62Instant Adventures***
5410-Ruins
59
60
6-10
16-21
Cantrips
5957-60Poison
6842-53+last 3Weather (Greyhawk)
776-13Tarot cards
787-33Psionics
816-17Poison
8214-19Healing Herbs
8310-19Gems
858-11First Aid
9946-48Magic Swords
10416-19Pick Pocketing (lists)
10622-23Doors: Open them if you dare
10714-15Reactions*
10828-29Cantrips for Clerics
10842-26The plants of Biurndon
11227-31Cloaked in Magic
1148-21Witches
1169-27Maritime Adventures
11722-24Dungeoneers Shopping Guide****
11822-29Jousting rules
12417-32Aerial Adventuring
13040Ingredients of (alchemists) potions
13377-80Berserkers (NPC class)
13646-48Recharge of magic items
13716-24Treasures of the Wild
14054-55Knives

Random World

#pagesTitle
1715Sights and Sounds***
2110Random Town Events***
4130Doors***
4932-33Names***
10514-18Wayfarers***
10530-35The well equiped victim***
11422-24Grave Encounters**
11548-49Dungeon floor design***
11560-61Doors (50 of them)****
12116-19Japanese Names**
13122-30Random Natural Caves
1368-14Random City
1378-14Hunting – whats for dinner
13734-41Weather system
13750-52Encounter tables wilderness (pre history)

Fiction / Short Stories

These should be Fantasy short stories.

#pagesTitle or type of article
1-7The Gnome Cache
214-Short Story
423-25Roads from Jakalla** Ok D&D, not much of litterature.
518-24Short Story
612-14The Forest of Flame****
712-15Short Story
1222-30Short Story
1322-28The Stolen Sacrifice*****
1510-11Short Story
15
16
23-
25-
Green Magician (1/2)
Green Magician (2/2)
31Short Story
386-Short Story
447-Short Story
467-Short Story
5450-51Short Story
5524-36The coming of the sword
5836Short Story
6031-32Short Story
6673-74Friends in High Places***
7111-13The blink of a Wizard’s eye*
7371-72Short Story
7911-12The Ordeal* (and not fantasy)
8118-22Short Story
8265-69Short Story
8326-30Short Story
8457-63Short Story
8528-35Valkyrie Settlement
8556-62A stone’s throw away (Dragonlance)
8659-63Short Story
8859-63Short Story
8955-61Short Story
9186-93Short Story
9355-61Short Story
9457-63Short Story
9560-67Desperate Acts
9863-67The forging of fear*****
9963-67Short Story
10022-32Short Story
10162-66And Adventuring To …
10564-68On the Rocks at Slabs
10869-75The Grey Stones
10970-75Valkyrie
11066-76The Wizards’ Boy
11362-71A Difficult Undertaking
11849-56Across the Fog-Grey Sky
11963-73The Pawns of Crux
12047-50Dragon Meat**** (humourous)
12151-63Love and Ale (Dragonlance)
12263-67The Prince’s Birthday
12363-67Palimpsest
12557-63The passing of kings
12644-49Well Bottled at Slab’s
12836-42The Spirit Way
12958-64The old ways are best
13042-49Shark Killer
13141-45Out of hand
13449-55Eyes of Redemptions
13555-60Karl and the Ogre
13641-45The curse of the Magus
13857-64Between Lightning and Thunder
13947-49The visitor
14047-51Flesh and Blood

Art – B/W

#pagedescription
2926
38
Three warriors and a horse
Warrior – roman style
**
***
398Dark Paladin****
4512
16
18
61
Alchemist
Coat of arms (Shield + Two axes)
Anvil with sculpture
Castle against night sky
****
***
***
*****
6322
28-30
Bandits
Goblins (3x)
**
***
6660Nobleman with Drinking Cup**
7110
19
22
54
Two old wizards
Elegant man with flute
Rogue with sword
Lich / Death god
****
**
***
****
727
10
58
Mounted knight
Female knight on Unicorn
Man with sword at wall
****
***
***
8538
45
49
58
77
Viking on Longship
Executioner
Orc with axe
Hung in tree by mob
Ruin: Gate & Trees
***
**
**
**
**
944Wizard (?)***
9829-32
62
Shop interiors: Smith, Leather, Tanner
Blacksmith
****
****
12019Angry dwarf with club****
1315
41,42
Two knights jousting
Dwarves
***
***
13213
24
40
53
A few ships
A Demon (?)
Woman drawing, man standing
Man and witch (?)
**
***
****
***
13448
69
Barbarian (?) with Dragon
Ogre
***
**
13545Wizard****
13918
19
26
27
36
Woman – tottooes in face
Wizard
Old Merchant
Two village women
Ritual and demon
***
****
***
***
**
14017
25
29
31
Old man in library
Portraits of priests/shamans (2)
Coat of arms (Dragons and swords)
Wizard (and dead/defeated man)
****
****
**
***

Art – Full Color

#pagedescription
666
7
Old man inspecting sword(s)
Monk in armory
****
****
7281Mounted knight and goblins***
9059Elmore: Dragon & Warriors*****
13315Warrior + Death Knight(?)****
13423Fighter / Dragon***
1377Hydra & Warrior***
13915Wizard***

D&D Classic: House Rules

I thinking about playing D&D Classic again for a more simple and old-school experience compared to D&D 5e. So I am basically talking about these versions:

  • Basic/Expert (B/X)
  • Basic/Export/Champion/Master/Immortal (BECMI)
  • Rules Cyclopedia

However, all rules are a bit subject to taste, and I will put a few house rules here. They may change over time. Some of these rules come from, or are inspired by, OSR clones (in particular the Swedish Svärd & Svartkonst).

Named Weapon

A character can name one weapon which gives +1 to hit and +1 to damage. Only one weapon can be named at a time, and change of weapons can only happen between adventures.

Sacrifice Shield

A shield can be destroyed to save the wielder from a strike that would otherwise give him 0HP. This can only happen once per combat.

Thieves can attack with Dexterity

Thieves can use Dexterity instead of Strength when they attack with a weapon doing at most 1d6 damage. Damage is still Strength.

Two handed weapons

When a two handed weapon is used, the wielder rolls initiative at disadvantage (roll two d6, pick the worst).

Two Weapons

When two weapons are used, the wielder rolls initiative at advantage (roll two d6, pick the best). If the dice are equal the attack is made with the off-hand weapon at -2.

To be decided: Two simultaneous attacks, and if this rule applies to all one handed weapons and all classes.

Death and more

D&D Basic is deadly. 0HP means death. Poison is often saving throw or death. Petrification is instant and permanent. Let us give each character three lives per adventure.

  1. st death (or similar) results in unconsciousness. A successful (suitable) saving throw will make the character recover in his own during the next turn (not round) at 1HP. A failure means death, unless character is cared for during next turn.
  2. nd death (or similar) as 1st death. Also there is a permanent injury. If the saving throw succeeds it is just esthetic but if it fails it comes with a suitable penalty.
  3. rd death is definite.

Movement and Encumbrance

Let us start with the baseline:

Coins
(20/lbs)
Encounter
(feet / round)
Running
(feet / round)
Encounter
(m / round)
Monsters
150(50) Spectre
0-4004012012120(40) Hydra
401-8003090990(30) Hobgoblin
801-12002060660(20) Skeleton
1201-16001030330(10) Beholder
1601-24005151

(I got rid of feet/turn when exploring dungeons).

I suggest:

ArmorMax DEX
AC
Encounter
(feet / round)
Running
(feet / round)
Encounter
(m / round)
None, Leather4012012
Scale-211
Chain-210
Banded-130909
Plate-18

A character can carry a number of items equal to his Strength. Small items can be carried together in a sack/backback (which counts as 1). For every extra item carried, movement is reduced by 10feet/1m per round. If you use grid, round down.

500 coins or gems count as one item.

Background: this is complicated. I have a Swedish D&D with metres instead of feet. Neither pounds nor coins are very convenient to recalculate. I kind of like the 5e dexterity limitation to heavy armor. At the same time it may be more in the OSR spirit to let heavy armor limit movement to make escape harder. I also makes sense to let Strength have something to do with it.

SonarQube – I disagree

For someone like me working in a (very) small development team SonarQube is good. It reviews my code and it teaches me about both old and new things that I did not know about.

There are some things I don’t agree about though (all JavaScript below).

“switch” statements should have at least 3 “case” clauses

I understand the point. But I have my reasons. Let us say I have orders with different statuses (DRAFT,OPEN,CLOSED). Then often I have switch statements like:

switch (order.status) {
case 'DRAFT':
  ...
  break;
case 'OPEN':
  ...
  break;
case 'CLOSED':
  ...
  break;
default:
  throw new Error(...);
}

This switch over order.status happens in many places. Sometimes it is just:

switch (order.status) {
case 'CLOSED':
  ...
  break;
}

I don’t want to refactor the (rewrite if with switch) code if/when I need to do something for other states. And I like a consistent form.

Another case can be that I allow the user to upload files in different formats, but for now I just allow PDF.

switch ( upload.format ) {
case 'pdf':
  process_pdf();
  break;
default:
  throw new Error('Unsupported upload.format: ' + upload.format);
}

A switch is much more clear than an if-statement. However, if the above code was in a function called uploadPdf() then the code would have been:

if ( 'pdf' !== upload.format ) throw new Error(...);
...
...

But in conclusion, I think switch statements with few (even 1) case clause are often fine.

This branch’s code block is the same as the block for the branch on line …

This happens to me often. A good rule is to never trust user input. So I may have code that looks like this (simplified):

if ( !(user = validateToken(request.params.token)) ) {
  error = 401;
} else if ( !authorizeAction(user,'upload') ) {
  error = 401;
} else if ( !reqest.params.orderid ) {
  error = 400;
  errormsg = 'orderid required';
} else if ( user !== (order = getOrder(request.params.orderid)).owner ) {
  error = 401;
} else if ( !validateOrder(order) ) {
  error = 400;
  errormsg = 'order failed to validate';
} else ...

The point is that important part of the code is not the code blocks, but rather the checks. The content of the code blocks may, or may not, be identical. That hardly counts as duplication of code. The important thing is that the conditions are executed one-by-one, in order and that they all pass.

I could obviously write the first two ones as the same (with a more complex condition), since both gives 401. But code is debugged, extended and refactored and for those purposes my code is much better than:

if ( !(user = validateToken(request.params.token) ) ||
     !authorizeAction(user.upload) ) {
  error = 401;
} else ...

My code is easier to read, reorganize, debug (add temporary breakpoints or printouts) or improve (perhaps all 401 are not equal one day).

Remove this …… label

The reason I get this warning is mostly that I use what i learnt in my own post Faking a good goto in JavaScript.

SonarCube also complained when I wanted to break out of a nested loop this way:

break_block {
  for ( i=0 ; i<10 ; i++ ) {
    for ( j=0 ; j<10 ; j++ ) {
      if ( (obj=lookForObjInMatrix(matrix,i,j) ) ) break break_block;
    }
  }
  // obj not found, not set
}

It is a stupid simplified example, but it happens.