Well, between 1962 and 1977 the code to the US nuclear arsenal was 00000000. That's not me making a joke, either.

Read above.

That's dumb. Just email them.

SUBJECT: Fire

Dear sir or madam,

I am writing to inform you of a fire that has broken out on the premises of...

wait. Maybe some thing more urgent:


Fire! Fire! Help!


That episode actually reminds me of the highly ridiculous event that happened in the US where a student got in trouble for assisting a student instead of waiting for the nurse to answer an email about how to proceed with a student on the floor having an asthma attack.

https://www.washingtonpost.com/news/morning-mix/wp/2016/01/24/texas-eight-grader-suspended-for-rescuing-classmate-during-asthma-attack/

The quick brown fox jumps over the lazy dog

G4tmap1cw!

Liar! Your real password is:
ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn

Brute forcing should NEVER work. Any system that doesn't lock an account and send a notification after a certain number of failed attempts is a bad system.

That's strange. For the record just as a data point, I use a password on GOG that is 20 characters and includes both upper and lower case, numbers and punctuation randomly generated by software and it works fine. I have not changed my password in a while however so it is possible bugs could be introduced or something but it seems rather unlikely. If you continue to have problems, contact GOG support.

That is simply not secure at all. Let me fix it for you:

god yzal eht revo spmuj xof nworb kciuq ehT

Depends. Unix and related systems used to have a hash table of the password that the system used for logging in. Accessing that you could make unlimited retries without ever having to actually make a password attempt. Often with hacked sites this is what is stolen and then shortly after tens of millions of combinations are brute-forced. Website databases especially will have this issue, since Unix moved to shadow passwords (the hashed password is a separate protected file only root has access to, and in turn the login client)

I agree though, overtly strong passwords with a 3-5 attempt system before locking you down is absurd. Reminds me of working at Fred Meyers, and the mandatory 3 month new password system where you couldn't reuse the last 10 passwords, making you either append to the password with something stupid (like a 1) or come up with a different password.

I eat a lot of Alpha-Bits cereal...

you are not trying to create a password that a human couldn't guess.

you are trying to create a password that a machine would have a hard time guessing, a machine that is aided by massive databases of both stored captured passwords and heuristic rulesets for word and character probability.

l0ngl1veth3k1ngPOTATOES is a shit password not because a human could easily guess it but because a machine could. maybe not one that long but it is still on the weaker side of things. random and write it on paper. memorise the ones you use most.

Not so strange if you carefully read what the OP actually tried. Though, even with numbers only, it's still 10**20...

Just be aware that it is still possible for someone to do harm. It involves the following steps:
1. Get root access to server, and hence to the shadow password file.
2. Brute force the passwords in parallel. There is a good chance that at least one of them has an easy password to crack. We now have a username/password combination that is valid on this server.
3. Try the username/password combination on other servers. We have now gained access to the other server, and hence to that user's personal details. This has a good chance of working because people tend to reuse passwords on multiple sites (and is why you should use a different password for every site).