Back to basics

Star Realms high damage turns

I played an interesting game on the Star Realms app today:

Star Realms deckbuilder game. Showing a large number of bases, outposts, and units in play for the player. The opponent has 30 authority left. The player has 246 authority, 47 money, and 548 damage. It is the player's turn. There are no cards in the trade row except Explorer

Any player of the game will know that this is an unusual game. A lot of cards are in play. Recently, to make this game more interesting, I was wondering what was the highest amount of damage I could inflict in a single turn. This was the first time I broke the 500 damage mark.

There are a few particular cards needed to actually achieve a high damage count. Since I’m bored, I’ll go into more detail. But first, some additional information:

So here it is:

The most overpowered card in the deck, in my humble opinion, is the Blob World Base.

Blob World base card. Deals 5 damage or draw a card for each blob card that you played this turn

Allowing you to draw one card per Blob card in play is absolutely insane. So how many Blob cards are in the deck with the expansions listed above? Here is the list:



18 units and 8 Bases. So potentially 26 additional cards. Actually it’s possible to bump that number to 28 using two of these cards:

Merc Cruiser card. Can change factions

So drawing 20+ cards in a turn won’t get you 500+ damage. There are a few other cards you’ll need to accomplish this:

Battle Barge card. Allows you to return a base in play back into your hand

Mega Mech card. Allows you to return a base in play back into your hand

Both these cards allow you to return the Blob World from play back into your hand, letting you put it back into play and use its ability again. There are 2 Battle Barges in the deck and 1 Mega Mech. That said, I don’t know if it’s possible to draw all 26 Blob cards and both Merc Cruisers before using the Blob World. If it is possible, then in the best case scenario you could draw 112 cards in a single turn, plus the 5 you start with. If you have the Fleet HQ, that’s 117 points of damage right there.

Oh wait, I forgot about the Stealth Needle!

Stealth Needle card. Allows you to copy another card that you've played this turn

Copy the Mega Mech and pick up another 20+ cards.

Now if your opponent isn’t absolutely conspiring with you to lose, they’ll likely take some of the Blob cards. I never got all the Blob units in a single game, and without a human player willing to just pick up Explorers, you will likely never get that lucky (plus get both Merc Cruisers, both Battle Barges, the Mega Mech, and the Stealth Needle, and all the other high-damage cards you’ll need). You just need a lot of luck to get the right cards at the right time.

Does this work anywhere else?

Regarding a stolen painting:

Mitic remains baffled as to how the drunken daredevil made off with the 30-by-40 inch portrait.

According to the thief, security guards stopped him at the door, but let him leave with the art.

“They asked him if he was supposed to have that and he said ‘Yep!’ and walked off,” Mitic said. “And that was it.”

I wonder how hush-hush the guards were when they learned it was stolen.

Passwordless Password

Humour me.

Imagine I wanted to sign up for Bob’s coffee roasters website[1] to order some flavourful roasted beans[2]. I click the sign-up button, enter my e-mail address and shipping information, and am then told to go to my e-mail account to verify my e-mail address. At no point was I asked to enter a password.

I log into my e-mail account and click the verification link; the website then sets a password in my browser’s localStorage. I am assigned a session cookie and can browse the website normally. I close my browser, relaunch, and visit the website again. I enter my e-mail. The browser takes the password from localStorage and submits it. If the password is invalid for any reason, I must re-verify my e-mail. Otherwise, it lets me in.


Two reasons

  1. Password managers are (usually) amazing and incredibly useful, and I would recommend them over this approach for sure (my reasons why are below). That said, I don’t know how popular password managers are with the general public.
  2. I read something (on Hacker News, I believe), a comment that talked about a website that only used e-mail to authenticate the user. Apparently customers loved it. I thought that was amusing (and frightening) and wondered if that kind of experience can actually exist securely.

What happens if I change devices?

The same thing: you must go to your e-mail account and verify. You would also need to store a device ID so you can map passwords to devices.

What happens if I lose my device?

This is probably fine, minus the loss of your device. Yes, technically anyone with access to your device’s browser has access to your passwords. But given that your device (phone, laptop) probably has unrestricted access to your e-mail, anyone can just use the standard password reset. When an attacker has access to the device, it’s generally a lost cause and you cannot trust that device.

Devices often have PINs, fingerprint readers, passwords, and encrypted drives. That is what should prevent an attacker from accessing your private data.


If your site has an XSS vulnerability, it’s game over. This is by far the biggest downside I see with this approach. There are mitigation techniques, but you have to be perfect 100% of the time. (XSS is pretty bad even if an attacker wouldn’t be able to steal your password, but stealing the password is pretty much winning gold.)

Some other caveats I see:

  1. Devices need access to e-mail
  2. Browser support for localStorage
  3. Private browsing may affect access to localStorage
  4. You still need to protect the password in the database
  5. Devices/browsers shared between multiple people
  6. If a user has multiple accounts, that may complicate things a bit

[1]: My imagination is shot and some coffee would be good right now

[2]: Man, I can really go for a coffee
