JMich: Ωτορυνολαρυγγολόγος. Do check this for quality ;) Better yet, go with extra capitalization: ΩτοΡυνοΛαρυγγοΛόγος.

Non English words have the extra benefit of accented letters, not to mention non Latin characters. If the application can accept unicode passwords, the complexity increases enormously.
Complexity only helps against brute force attacks though, much less so against dictionary attacks. And I didn't get the impression that we're talking about a correcthorsebatterystaple type of "word" here, rather just an ordinary non-English word. If I misinterpreted the comment I responded to, I do apologize.
wpegg: Perhaps, but this victim was co-operatively sharing information with us that is very useful to ascertaining what is actually going on here. So while maybe it is "for his own good", you have to take the information in the context it was offered. Would you tell a hit and run victim that just described a BMW to say, "don't cross while a BMW is coming"?
This is more about the suspicion that the BMW being described was actually a tank.
Post edited June 05, 2015 by Zeyes
Zeyes: Complexity only helps against brute force attacks though, much less so against dictionary attacks.
Opposite. Complexity helps against dictionary attacks, not brute force ones. For a brute force attack the passwords "password" and "#&Χ.w8~" are equivalent, since both are 8 characters long. For a dictionary attack, a word in the dictionary is much easier than a string of random characters, especially since dictionary attacks won't be able to crack it.

Zeyes: And I didn't get the impression that we're talking about a correcthorsebatterystaple type of "word" here, rather just an ordinary non-English word. If I misinterpreted the comment I responded to, I do apologize.
No idea about the context. But ωτορυνολαρυγγολόγος is one word, not multiple (though it is a complex one). It means a doctor of otorhinolaryngology, so it is ear/nose/larynx/doctor, yet still a single word.
And I don't think I need to mention extremely long words to a German, I think the year of birth for most of us would be a long enough password ;)
Zeyes: Complexity only helps against brute force attacks though, much less so against dictionary attacks.
JMich: Opposite. Complexity helps against dictionary attacks, not brute force ones. For a brute force attack the passwords "password" and "#&Χ.w8~" are equivalent, since both are 8 characters long. For a dictionary attack, a word in the dictionary is much easier than a string of random characters, especially since dictionary attacks won't be able to crack it.
We're talking about different things here, I think. I'm talking about complexity strictly in the context of passwords that are vulnerable to dictionary attacks to begin with, e.g. the misplaced thinking that you're much safer by using a longer word (an actual word, not correcthorse-etc.) or an uncommon language.

Edit: Yes, I do realize I'm using "complexity" in a bit of an off-beat sense here. Is there a lay term for it, "complicatedness" or something? :)
Post edited June 05, 2015 by Zeyes
Destro: This topic is 6 hours old and today is bank holidays in Poland.

Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you...
Oh, sorry for being cynical but since you (gog team) are aware of what's happening around here, when is gog going to upgrade the forums for something more stable that doesn't require that you remove stuff (like hiding old threads in an archive section or the search forum from the top side)?

Removing the report spam = delete thread/post would also be a good idea since i don't think the gog community should be policing the forum, that's the job for the moderators.

A sticky section for the "friend me" posts would also be welcome since the first page gets the occasional "Friend me Mike" threads (not that it would fix the problem that gog galaxy caused).

And i'm sure that there are way more improvements to be made here (spoiler tag would be AMAZING) but i guess you guys get the idea.

I'll await an answer! :)
Post edited June 06, 2015 by Cyraxpt
Cyraxpt: [snip]
Isn't there any better thread to beat all those dead horses...?
JMich: To quote Intel, "Compl3xity_<_Length"
BKGaming: Meh I prefer both complexity and length. :P
so does my wife....
Zeyes: We're talking about different things here, I think.
Yes. When someone mentions complexity for passwords, I assume he means that the pool of characters is more than just the letters, so about 80 characters. If someone mentions a simple password, I assume they only mean letters, so 52 characters.
A password based on letters only is not a complex one, no matter what its length is. That does not mean it's an easy password to break, just that it's not complex.

If you change the language, the number of characters may also change. So for Greek language you have 24 letters, 35 if you add accents and "umlaut". Add capital letters and you are looking at 70 characters pool, only for letters.
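The two attack models argued over in this exchange, side by side, as an added example that is not part of any post in the thread. The 52 and 70 letter pools are the figures from the post above; the digit and symbol pool sizes, the constructed wordlist, and the assumed dictionary scale are illustration-only assumptions.

```python
import math
import unicodedata

# Pool sizes: 52 Latin and 70 Greek letters are the figures quoted in the post;
# 10 digits and 32 ASCII symbols are assumptions added for this example.
POOLS = {"latin": 52, "greek": 70, "digit": 10, "symbol": 32}
# Constructed stand-in for a cracking wordlist, plus assumed real-world scale.
WORDS = {unicodedata.normalize("NFC", w).casefold()
         for w in ("password", "dragon", "witcher", "ωτορυνολαρυγγολόγος")}
ASSUMED_DICT_WORDS = 10_000_000   # words across languages (assumption)
ASSUMED_VARIANTS = 1_000          # case/leet/suffix rules per word (assumption)
UNLEET = str.maketrans("4301$@", "aeoisa")

def char_class(c):
    if c.isascii() and c.isalpha():
        return "latin"
    if "\u0370" <= c <= "\u03ff":
        return "greek"
    return "digit" if c.isdigit() else "symbol"

def brute_force_bits(pw):
    """Exhaustive search: length * log2(size of the character pool in use)."""
    pool = sum(POOLS[k] for k in {char_class(c) for c in pw})
    return len(pw) * math.log2(pool)

def dictionary_hit(pw):
    """True if undoing common mangling (case, digit suffix, leet) gives a listed word."""
    base = unicodedata.normalize("NFC", pw).casefold().rstrip("0123456789")
    return base in WORDS or base.translate(UNLEET) in WORDS

def estimate(pw):
    brute = brute_force_bits(pw)
    hit = dictionary_hit(pw)
    dict_bits = math.log2(ASSUMED_DICT_WORDS * ASSUMED_VARIANTS) if hit else math.inf
    # An attacker uses whichever method is cheaper, so the lower figure counts.
    return {"brute_bits": round(brute, 1), "dictionary_hit": hit,
            "effective_bits": round(min(brute, dict_bits), 1)}

if __name__ == "__main__":
    for pw in ("password", "P4ssw0rd1", "Ωτορυνολαρυγγολόγος", "kq#7Vz!m"):
        print(pw, estimate(pw))
```

The long Greek word scores highest on the brute-force figure yet ends up with the same effective figure as "password" once it is on a wordlist, while the random 8-character string keeps its full brute-force figure.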
Destro: No, we are not aware of any such vulnerability or any data leak. We do monitor our login servers and there is no brute force attack happening either. Keep in mind however, that:
- there were different malware apps pretending to be GOG Galaxy (see here for example: https://blog.malwarebytes.org/fraud-scam/2015/05/look-out-for-pups-claiming-to-be-gog-galaxy-client/).
- we have right now a great (record) influx of new users registering on GOG with the release of The Witcher 3: Wild Hunt. Combined with the fact that many users are reactivating their accounts for the game and promo that they haven't accessed for long time, we have times more active users than ever before = obviously more reports like that.

As long as you use a password that is considered safe (not trivial to guess and not used in any other service with the same email address) and have your computer 100% free and safe from malware and keyloggers or similar apps, then there is no reason to be worried in our opinion.

If we will have any updates on this topic, we will update you.

Cyraxpt: Unless this hits the videogame media (or a big forum like neogaf) i don't think that we will hear an answer...
Destro: This topic is 6 hours old and today is bank holidays in Poland.

Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you...
While this is good news, it still doesn't mean that GOG shouldn't have better authorization here... perhaps before an email can be changed GOG should send the email a short 4 - 8 digit code that must be entered before the new email can be added?

This should help users at least be able to get their account back with a password reset. I also suggest a "log out everywhere" button where any instance of a user's GOG account being logged in is immediately kicked from the server to keep the account thief from being able to stay logged into your account.

Just a thought...
Post edited June 05, 2015 by BKGaming
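A sketch of the two controls suggested in the post above (a code sent to the current address before an email change, and a "log out everywhere" action), as an added example that is not part of the thread and not GOG's code. The `Account` class, its method names, the 8-digit code length, the 10-minute lifetime and the 5-attempt limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a confirmation code stays valid (assumed)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the request is void (assumed)

class Account:
    def __init__(self, email):
        self.email = email
        self.sessions = set()   # active session tokens
        self.pending = None     # [new_email, code, expires_at, attempts_left]
        self.outbox = []        # stands in for mail delivery: (recipient, code)

    def login(self):
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def is_logged_in(self, token):
        return token in self.sessions

    def request_email_change(self, new_email, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"   # CSPRNG, not random.randint
        self.pending = [new_email, code, now + CODE_TTL, MAX_ATTEMPTS]
        # The code goes to the CURRENT address, so a session thief never sees it.
        self.outbox.append((self.email, code))

    def confirm_email_change(self, code, now=None):
        now = time.time() if now is None else now
        if self.pending is None:
            return False
        new_email, expected, expires_at, attempts_left = self.pending
        if now > expires_at or attempts_left <= 0:
            self.pending = None                    # expired or guessed too often
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            self.pending[3] -= 1                   # count the failed guess
            return False
        self.email, self.pending = new_email, None
        return True

    def logout_everywhere(self):
        """Revoke every session, including one held by an account thief."""
        self.sessions.clear()
```

The attempt limit matters as much as the code itself: without it, an 8-digit code can simply be enumerated by whoever holds the session.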
darkwolf777: Ugh! Seriously, this shouldn't even need a warning, this should be common-freaking-sense.
It has recently been discovered that common sense isn't as common as its name may suggest.
Cyraxpt: Removing the report spam = delete thread/post would also be a good idea since i don't think the gog community should be policing the forum, that's the job for the moderators.
there are no moderators, we police ourselves - agree with the rest though!
BKGaming: Meh I prefer both complexity and length. :P
iphgix: so does my wife....
But does she get that... that is the question. xD
Post edited June 05, 2015 by BKGaming
Destro: - we have right now a great (record) influx of new users registering on GOG with the release of The Witcher 3: Wild Hunt. Combined with the fact that many users are reactivating their accounts for the game and promo that they haven't accessed for long time, we have times more active users than ever before = obviously more reports like that.
Yeah I hope you guys are finding ways to handle all this; presumably there's been a huge influx of tickets.
Cyraxpt: [snip]
Zeyes: Isn't there any better thread to beat all those dead horses...?
No because the other threads related to this problem (that i mentioned) aren't graced with the visit of gog team member aka "the blue ones", i want to take advantage of this precious moment to see if THIS is the historical moment where this problem is addressed.

Sachys: there are no moderators, we police ourselves - agree with the rest though!
True enough but i like to consider those moments where we ask Judas to help in some stuff (changing the thread title or locking the thread) a somewhat "moderation".
darkwolf777: Ugh! Seriously, this shouldn't even need a warning, this should be common-freaking-sense.
Crackpot.756: It has recently been discovered that common sense isn't as common as its name may suggest.
common sense is a reference to when archery was mandatory practice for all men (on common ground) every sunday in England - the term referring to NOT walking on the range (or common) during the appointed hours to prevent unnecessary death.
- so the term does not refer to any particular sense or logic being prevalent, but more acquired for a specific slice of the population through practise (this is why many medieval texts also refer to women as having no common sense - women were regularly killed on the commons during practise as they were not aware of the unspoken rule).
in this case, internet and computer users on the whole SHOULD have common sense, but not everybody knows the unspoken rules as some did not get an invite for the last three sundays after church.

!

O____o

*goes away to polish longbow
We have ascertained -

The user in question has been compromised.
His password is of medium level strength such that it would take a strong / brute force attack to breach it (i.e. hitting the server enough to hit lockout limits).
There is no brute force attack happening on GOG servers, quote: "there is no brute force attack happening"
The user may have been compromised on the other site he used this password, or via a key logger.

Any of these incorrect?