Cyraxpt: True enough but I like to consider those moments where we ask Judas to help in some stuff (changing the thread title or locking the thread) a somewhat "moderation".
nah - that's bouncing - you know he wears a monkey suit and a cockney accent (secretly screaming inside "sling yer 'ook yoo wanka!" when he does it!) :D

* * *

also (ontopic), I find the last line of the reply from the blue a little disconcerting:
"Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you..."

well, surely the concern from the community here says something IS wrong and it should have ALREADY been addressed?!?!

NO?

...no "common" sense there then!
wpegg: His password is of medium level strength such that it would take a strong / brute force attack to breach it (i.e. hitting the server enough to hit lockout limits).

Any of these incorrect?
He said the password was a word.
I don't see why we should assume the crackers just use English dictionaries.
Post edited June 05, 2015 by madth3
wpegg: His password is of medium level strength such that it would take a strong / brute force attack to breach it (i.e. hitting the server enough to hit lockout limits).

Any of these incorrect?
madth3: He said the password was a word.
I don't see why we should assume the crackers just use English dictionaries.
Yes, but this would still be a large number of options, so at this point I'm wondering, where is the opportunity to actually try to log in to GOG 100K times. Lockout?

EDIT: but not possible, because there have been no brute force attacks.
Post edited June 05, 2015 by wpegg
wpegg: Yes, but this would still be a large number of options
Way smaller than a brute force attack. That's the part I'd have a problem with.
In any case, if the password was also used elsewhere it needn't be obtained by cracking that specific account there, there's always the possibility that an entire site was compromised.
Post edited June 05, 2015 by Zeyes
Sachys: well, surely the concern from the community here says something IS wrong and it should have ALREADY been addressed?!?!
Come on, Sachys, people get histrionic over nothing. There's no sense in dedicating someone to keeping an eye on the forums to pop in and stroke people's hair when they get some damnfool notion that GOG isn't selling a bad game because of t3h cenzorz or they're selling downgraded gaemz because of tricksy hobbitses or whatever. Sure, there are a lot of posts about this, but how many times do you really expect GOG should have to show up to say "You're all making things up again because you seem to think one point and an hypothesis is enough to draw a line."?

To say nothing of the people who seem to be professional worrywarts, starting thread after thread about GOG not bringing the game they want to the store, or bemoaning how terrible things are about to get as soon as this one change happens. Honestly I'm mostly just surprised that Judas hasn't rm-rf'ed the entire server stack hosting the forums and gone off to drink three gallons of vodka. The idea that people are entitled not only to service but customized, catered service is one that would also entail a rather hefty price tag - and with gamers complaining about $20 price tags on new games, I'm sure they'd complain about a service fee as well ^_^
BKGaming: A good password cracking program will crack that in no time, because they start with basic words...
What I don't understand, how is a password that even requires "only" several thousand attempts insufficiently safe in case of online accounts? Even if you're bruteforcing it, the server usually won't allow more than three login attempts in several minutes or up to an hour depending on the service (and in case of many services you get informed via email after a single failed attempt so you have time to go for a safer password). I have heard many times that weak passwords are one of the main reasons for compromised systems but I don't understand how that can be a major reason for online account stuff like on GOG. Isn't malware or using the same password on shady websites infinitely more likely to compromise your password in this case?
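
Added example, not part of any post in this thread: a minimal per-account failed-login throttle of the kind F4LL0UT describes, plus a lower bound on how long the 100K guesses wpegg mentions would take through the login form. The policy of three failures per 10 minutes and every name in the code are assumptions for illustration; nothing here reflects GOG's actual limits.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account sliding-window limit on failed logins (assumed policy)."""

    def __init__(self, max_failures=3, window_s=600):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account, now):
        # Drop failures that have aged out of the window.
        q = self._failures[account]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if len(self._recent(account, now)) >= self.max_failures:
            return "locked"  # rejected before the password is even checked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures[account].append(now)
        return "failed"


def days_to_exhaust(guesses, max_failures=3, window_s=600):
    """Lower bound, in days, to submit `guesses` passwords for one account."""
    windows = -(-guesses // max_failures)  # ceiling division
    return (windows - 1) * window_s / 86400  # first window costs no waiting


def replay(events, throttle):
    """Feed (timestamp, account, password_ok) events through the throttle."""
    return [throttle.attempt(acct, ok, t) for t, acct, ok in events]


# Constructed sample: four wrong guesses in 30 s, the right password while
# still locked out, then the right password after the window has expired.
SAMPLE = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
          (30, "alice", False), (40, "alice", True), (700, "alice", True)]
```

The bound covers only guesses submitted through the login form of one account; it says nothing about a password that was reused on another site or recovered away from the server.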
wpegg: Yes, but this would still be a large number of options
madth3: Way smaller than a brute force attack. That's the part I'd have a problem with.
From a tech point of view, that number of way smaller or massive is still so large that it's noticed.
wpegg: From a tech point of view, that number of way smaller or massive is still so large that it's noticed.
You're assuming it had to be cracked using login attempts.

Again, I'm just nitpicking with the use of "it would take a strong / brute force attack to breach it"
OneFiercePuppy: how many times do you really expect GOG should have to show up to say "You're all making things up again because you seem to think one point and an hypothesis is enough to draw a line."?
HEHEHEH!

Well in regards to what I've quoted - once for each series of incidents / issues and far sooner!
wpegg: From a tech point of view, that number of way smaller or massive is still so large that it's noticed.
madth3: You're assuming it had to be cracked using login attempts.

Again, I'm just nitpicking with the use of "it would take a strong / brute force attack to breach it"
You realise all these people had the password "g0gb34r", don't you?!

*tries madth3's account with the same password

You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!
Post edited June 05, 2015 by Sachys
Sachys: You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!
You told me you needed like 20 copies in our last trade.
BKGaming: A good password cracking program will crack that in no time, because they start with basic words...
F4LL0UT: What I don't understand, how is a password that even requires "only" several thousand attempts insufficiently safe in case of online accounts? Even if you're bruteforcing it, the server usually won't allow more than three login attempts in several minutes or up to an hour depending on the service (and in case of many services you get informed via email after a single failed attempt so you have time to go for a safer password). I have heard many times that weak passwords are one of the main reasons for compromised systems but I don't understand how that can be a major reason for online account stuff like on GOG. Isn't malware or using the same password on shady websites infinitely more likely to compromise your password in this case?
My area is not security, I'm a programmer... but I've sat through some security classes.

Having said that, I was talking more in general than specifically online accounts. You do have a point for online accounts, but does GOG lock you out after a few failed attempts? But there are other ways like capturing the login as it's being sent, keyloggers, or the worst-case scenario gaining access to the database, etc... people tend to use the same password for stuff, so that can have a huge impact regardless of the origin site.
Sachys: You realise all these people had the password "g0gb34r", don't you?!
Mine used to be "12345" but I changed it to "That'sAmazing!I'veGotTheSameCombinationOnMyLuggage!"
F4LL0UT: What I don't understand, how is a password that even requires "only" several thousand attempts insufficiently safe in case of online accounts? Even if you're bruteforcing it, the server usually won't allow more than three login attempts in several minutes or up to an hour depending on the service (and in case of many services you get informed via email after a single failed attempt so you have time to go for a safer password). I have heard many times that weak passwords are one of the main reasons for compromised systems but I don't understand how that can be a major reason for online account stuff like on GOG. Isn't malware or using the same password on shady websites infinitely more likely to compromise your password in this case?
When I crack a password, I don't crack it by seeing what the server responds to. I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally. That's what everyone does unless they have a good side channel. It's the most efficient way if you're dealing with normal hardware.

Yes, password re-use and malware like keyloggers are much easier ways to crack an account open, but brute force is rather easy once you know how to eavesdrop on a session.

EDIT: for those of you who know enough that that second sentence looked strange - yes, of course I would generally brute force a larger transmission because hopefully they've used something that was written in the last few decades and encrypts more than just the password part itself. I was taking creative liberty with not having to explain how to open a tunnel or something like that.

EDIT: Heh, I said "that's what everyone does" like my knowledge is so comprehensive and relevant. I meant "that's what a lot of us do who aren't actual l33t h4xx0rz" because I'm pretty sure I don't know 1% of what a proper system cracker knows.
Post edited June 05, 2015 by OneFiercePuppy
Sachys: You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!
You didn't? BURN THE HEATHEN!