nah - thats bouncing - you know he wears a monkey siut and a cockney accent (secretly screaming inside "sling yer 'ook yoo wanka!" when he does it! :D

* * *

also (ontopic), I find the last line of the reply from the blue a little disconcerting:
"Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you..."

well, surely the concern from the community here says something IS wrong and it should have ALREADY be addressed?!?!

NO?

...no "common" sense there then!

He said the password was a word.
I don't see why we should assume the crackers just use English dictionaries.

Yes, but this would still be a large number of options, so at this point I'm wondering, where is the opportunity to actually try to log in to GOG 100K times. Lockout?

EDIT: but not possible, because there have been no brute force attacks.

Way smaller than a brute force attack. That's the part I'd have a problem with.

In any case, if the password was also used elsewhere it needn't be obtained by cracking that specific account there, there's always the possibility that an entire site was compromised.

Come on, Sachys, people get histrionic over nothing. There's no sense in dedicating someone to keeping an eye on the forums to pop in and stroke people's hair when they get some damnfool notion that GOG isn't selling a bad game because of t3h cenzorz or they're selling downgraded gaemz because of tricksy hobbitses or whatever. Sure, there are a lot of posts about this, but how many times do you really expect GOG should have to show up to say "You're all making things up again because you seem to think one point and an hypothesis is enough to draw a line."?

[url= To say nothing of the people who seem to be professional worrywarts, starting thread after thread about GOG not bringing the game they want to the store, or bemoaning how terrible things are about to get as soon as this one change happens. Honestly I'm mostly just surprised that Judas hasn't rm-rf'ed the entire server stack hosting the forums and gone off to drink three gallons of vodka. The idea that people are entitled not only to service but customized, catered service is one that would also entail a rather hefty price tag - and with gamers complaining about $20 price tags on new games, I'm sure they'd complain about a service fee as well ^_^ ][/url]

What I don't understand, how is a password that even requires "only" several thousand attempts insufficiently safe in case of online accounts? Even if you're bruteforcing it, the server usually won't allow more than three login attempts in several minutes or up to an hour depending on the service (and in case of many services you get informed via email after a single failed attempt so you have time to go for a safer password). I have heard many times that weak passwords are one of the main reasons for compromised systems but I don't understand how that can be a major reason for online account stuff like on GOG. Isn't malware or using the same password on shady websites infinitely more likely to compromise your password in this case?

From a tech point of view, that number of way smaller or massive is still so large that it's noticed.

You're assuming it had to be cracked using login attempts.

Again, I'm just nitpicking with the use of "it would take a strong / brute force attack to breach it"

HEHEHEH!

Well in regards to what I've quoted - once for each series of incidents / issues and far sooner!
you realise all these people had the password "g0gb34r" dont you?!

*tries madth3's account with the same password

You BOUGHT hatoful boyfriend?!?! O_____o

...1000 times?!?!

You told me you needed like 20 copies in our last trade.

My area is not security, I'm a programmer... but I've sat through some security classes.

Having said that, I was talking more in general than specifically online accounts. You do have a point for online accounts, but does GOG lock you out after a few failed attempts? But there are other ways like capturing the login as it's being sent, keyloggers, or the worse case scenario gaining access to the database, ect... people tend to use the same password for stuff, so that can have a huge impact regardless of the origin site.

Mine used to be "12345" but I changed it to "That'sAmazing!I'veGotTheSameCombinationOnMyLuggage!"

When I crack a password, I don't crack it by seeing what the server responds to. I MITM or eavesdrop, pull the hashed or encrypted password, then break it locally. That's what everyone does unless they have a good side channel. It's the most efficient way if you're dealing with normal hardware.

Yes, password re-use and malware like keyloggers are much easier ways to crack an account open, but brute force is rather easy once you know how to eavesdrop on a session.

[url= EDIT: for those of you who know enough that that second sentence looked strange - yes, of course I would generally brute force a larger transmission because hopefully they've used something that was written in the last few decades and encrypts more than just the password part itself. I was taking creative liberty with not having to explain how to open a tunnel or something like that.][/url]

EDIT: Heh, I said "that's what everyone does" like my knowledge is so comprehensive and relevant. I meant "that's what a lot of us do who aren't actual l33t h4xx0rz" because I'm pretty sure I don't know 1% of what a proper system cracker knows.