As follow up to http://www.gog.com/forum/general/gog_galaxy_frequently_requires_password which has been marked solved, which I just can't agree to. It's still a bad concept. So okay, please take this posting with humor - it's meant to make a point and entertain at the same time. Not meant to offend ;-)

GOG Galaxy Client: "OMG! He's not been here for 7 days? Surely that's a completely different user! Better make sure he (or she) didn't forget his (or her) password." - yeah, in what universe again...?

I'm the only one with access to my computer and there's nothing to "protect" in that client anyways - even if there was some alien invasion that tries to rob my order history or has any interest of ordering "Dear Esther" or (omg, beware, please not again!) "Thief 4" through my account - I could imagine worse. Not much tho, but I'd take that chance.

So could we *please* get an option to disable these.. ehem.. "intelligent" security features? What's the difference between day one to day six, compared to day seven to day z? I see you *meant* well - but show me one thief that robs your pc/notebook and waits 7 days to access your GOG Galaxy client and *then* returns your stuff because he's locked out of your GOG account. Wooot! -.-

Seriously, I'll even drop the sarcasm and ask: what weird situation would that be, where this feature *would* come in handy? Either there *are* people who should not access your client (you wouldn't store your pwd at all) and they would be there every day, not just after the 7th day - or there ain't no people who'd try funny stuff at all. Either way this "feature" is pointless and an inconvenience at best.

Before you suggest: no, I don't want to run the client automatically when my system starts - I don't even want it to minimize when I no longer need it. You GOG guys, of all the others, should understand this very well. I launch it when I need it and often that's only every n-th week. So I have to type in my wall-of-text-pwd every time. Meh.


Post Scriptum:
Haha, regarding security on this site. Yeah, I'm being logged out all the time on gog.com too - but even tho having the big "LOG IN" button on top of this page, I'm able to post in the forums without logging in. Funny! You could apply the 7-day-auto-logout to the website - there it would make sense in terms of "session lifetime" - web developer speaking - but just not for locally installed software ;-)

Maybe the feature was introduced after some accounts were hacked and the users complained about the hacker still using galaxy to play the games even after recovering the account.

Thanks for your consideration, blotunga :-)

I'll take the challenge. So considering a hacker can access the account even after recovering it and, of course, changing the old password to a new one by the righteous owner of the account. That would be a massive flaw in the clients code, because as long as the *new password* hasn't been entered in the hackers installation, the hacker shouldn't be allowed to use the client.

A saved password is stored to log in automatically at client start - if the password is changed through account recovery by the owner, every previously saved password should no longer be usable.


Even if we consider your assumption true: as long as the hacker logs in on a regular basis, this "security feature" wouldn't affect him anyways ;-)


Thanks for participating again - that's fun! Keep the suggestions coming - I'm very curious if anyone can make a point that justifies the feature or at least explains the difference between day 5 and day 10 **drool** =)

That's a known site bug with the nav-bar, actually. You're not really logged out, the site just doesn't display the "Account" tab for you when on the forum. Does it show if you visit your account?

What i rather miss on GOG is two facyor authentication. And since i don't use Galaxy i was just speculating.

So you of all people should know that "fine" applies to a "wide range" of development states and doesn't ever mean truly "finished" ;-)

Seriously, of course I'm aware that this ain't worlds end if never enhanced - but having a "fine state of development" doesn't mean it's not worthy of improvement. Regarding "common folks security" I'd even agree to put some stones in their way - therefore I ask for an option to part with the default, because people that go looking for such an option usually know what they're looking for and what it does mean if they change the setting.

At HypersomniacLive
Hm, narp, I'm not logged in at all at the main account. I can't even access the link you posted, because it just redirects me to the main page. In my opinion this website needs some serious SSO - but well, it's not the first and surely not the last page I encounter that tries to incorporate two different subsystems via one sign on and fails miserably because they're not truly "merging" the session and authentication management. My suggestion would be not to "try" make two systems look like one - but that's not really affecting me, so duh =) What do you mean by "two factor(?) authentication"? (ps: ah, scratch the question - just googled it) And yeah, I was being serious - I enjoy the input! So thank you for speculating! :-)

This is just a left over from a site redesign stuff a while ago. Problem is a bad cookie. Log into the website, then log out again and close the browser. After logging in again, the cookie should be again set to remember you. At least this worked for most people who had that problem ;-)

I mean with two factor authentication the option to have an email sent with a key in case i use a new device to access GOG.