Does anyone else find it odd that our passwords can be some of the most basic word/number combinations ever used on the internet? I haven't been asked to update my password here for years. It's one of the least complex passwords I use. The same password here is used for the Cyberpunk forum as well.

With the recent hack of CDPR I suppose we shouldn't be surprised, but you['d think we would be forced to update our passwords here if the companies took our security serious.

Please don't give them ideas. I hate updating my password.

I hate that stuff. I have a methodology for strong passwords.

However, I don't always hit all the special character requirements

I have some default characters that I add systematically at the end to cover a lot of special cases, but sometimes they'll outdo themselves and it will require that I add something on top of my method which I need to remember.

Often, I'll forget and have to reset my passwords, repeatedly.

Then, if they really want to annoy me, they'll require that your new password be different from the last X passwords you had (usually, I just add the same character multiple times at the end to "differentiate", but then I still have to remember the number of times I added it).

I get you want to protect users from their own foolishness (really, I had a friend whose email was repeatedly hacked and I didn't know why until he told me that he used his email with the same password as the email for every account he created...), but the trick to do so is not with password shenanigans.

If you really want to protect people from themselves (up to the extent that you can), you do multi-factor authentication (ex: requiring both a password and a PIN code that you receive via a text to login).

#metoo 8:J

If a mere web service like gog.com would start forcing password updates, I'd probably stop using the web service.

Also, it is your responsibility to use a strong and long password.

The password is not that important anyway, as long as you have two-factor authentication enabled, which is enabled by default on gog.com. With 2FA, the password is there merely to locally stop some of your family members from logging into your GOG account, using the same shared PC/web browser as you are using. So when you go to take a dump and your little sister comes to your room and PC, she can't log into your gog.com account unless she knows your gog.com password. Or your mother. Or your dog.

On the other hand, even if some big-time cybercriminal online knew your gog.com account password, he still can't log into your account remotely because the 2FA will stop him. So in that sense your gog.com password can be 123456 and nothing bad happens. Unless that online cyber-criminal actually broke into your room while you are still taking a dump, and accessed your gog.com account using your PC and your web browser (or another PC in the same household behind the same NAT router, using the same public IP address, because I think it is the IP address (and/or your browser cookies) mainly which gog.com uses to decide whether it should trigger 2FA or not).

The only thing is, make sure you don't use the same password on your email account which is linked to your gog.com account. And that email account password is strong as heck, and possibly it also uses some form of 2FA, if possible.

tl;dr: Nowadays, passwords are mainly meant for stopping other people locally using your PC (or your gog.com account using your PC). Two-factor-authentication is meant for stopping strangers online.

The original post is one of the worst ideas I've ever seen.

No one should ever be forced to change their password.

Yeah, not to mention those old NIST guidelines were not so recently pulled behind the shed and given a point blank to the head.

Passwords themselves are more a relic or should be relegated to a secondary option. Personally I prefer methods like secondary device confirmation or other authentication methods.

The TL;DR is: Making people make new passwords just results in weaker passwords.

Not to mention, GOG barely functions with Unicode, I can't exactly imagine them handling a revamp to the password system very well.

Reply to this teapot if you have questions about how GOG can barely handle Unicode: 🫖

If you can't see the teapot, contact your software vendor and ask what options you have for getting upgraded Unicode codepoints.

It's your responsibility to set your own password. Users should take ownership of this and not expect to be spoon fed by the site. Plus, GoG forcing password updates would likely be implemented in an incredibly ham fisted way.

I would also suggest that users taking some basic security precautions would be wise. For example, not telegraphing that your password is one of the least complex passwords you use...

This one?

Using strong passwords on sites linked to your main mail account, ones you also use payment data, both for your mail address as well as any sites you use it on, that's on you and has always been.

Recently there was such a massive hack, billions of mail addresses and log-in data have been stolen and published, payment data inclusive. One of my accounts was found but no biggie as this was a secondary used for forums and such and with a rather weak password. My main account however wasn't hacked because it obviously got a very strong one.

In case anyone was to hack GOG they will not find any payment data and thank GOG for that since they don't store it on their servers.

Sometimes one has to go out of one's way to create and unlock an account ... two factor authentication, a secure code, another code, a security check that you are actually the person opening that account, in one word: Authy an 2FA app. It is a bother to use but very secure.

Passwords, 2FA, that's one part to make your accounts secure. The other is to use anonymous browsing, secure shopping and the most important thing: DOWNLOAD AND STORE YOUR PERSONAL/PAYMENT DATA FROM YOUR MAIL ACCOUNTS AND DELETE THEM! After downloading them store them in a secure location only you got access do in case you need it. Never link mail accounts to retrieve passwords or to authorize your main account main->spam account. Always keep a separate and secure account with strong password for that you never use for something else.

That way even if someone got your mail address and access to your account they don't get anything relevant. They could still do things with the account but risk of it being linked to whatever payment data you normally use to rob you becomes almost impossible. As long as you don't store any contacts - which you can also retrieve from an offline DB when you need them, tedious I know but it's worth it - they can't know which payment service(s) or possibly important people/companies you do business with.

There is much more you can do to make you more secure and less vulnerable to hacks and attacks but some security measures like the ones outlined above will go a long way towards not being the victim you'd otherwise become.

NO No no... You are responsible for making a good password.

I've got a system that's absolutely fine. But it doesn't work if I have to change it every now and then.
I'll forget it, and have to request a new one countless times. As I'm forced to do on NexusMods.
I hate it.

2FA is also bogus. Not very much more secure than if you don't have good passwords.

If you feel your account/password is in danger. Change it yourself.

Short answer: No.

Long answer: No. Because anyone having the most basic idea of auth flow design knows you always salt before you hash. letmein123

I actually have no idea what my GOG password is.
All I know is that it is a long string of random characters and that it is unique to my GOG account.

Let me change it for you, hmm... from zero zero zero zero... tooooo.... zero zero zero one...

Ha! That's a strong one!