real.geizterfahr: Sadly there are quite a few websites that tell you that your password is too long if you use more than 12 or 16 characters (I even saw a 10 character limit once) -.-
That's.... stupid..... If you're one-way hashing your passwords, length shouldn't matter... and making it shorter just ensures weaker passwords...
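An added example (not code from anyone in this thread) of what "one-way hashing" means for length limits: a salted PBKDF2 store produces a fixed-size record whether the password is 5 or 200 characters, so the only length bound the server needs is a generous one against oversized requests. The 1024-byte cap and the iteration count are assumptions chosen for the example; NIST SP 800-63B asks verifiers to accept at least 64 characters.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 1024   # assumption: a DoS bound, not a usability cap
ITERATIONS = 600_000        # assumption: PBKDF2-HMAC-SHA256 work factor
DKLEN = 32                  # derived key length in bytes (64 hex chars)


def hash_password(password: str) -> dict:
    """Return a storable record: random salt, derived key, work factor.
    The record size does not depend on the password length."""
    pw = password.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password length out of bounds")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    pw = password.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, record["iters"], dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def stored_hash_length(password: str) -> int:
    """Length of the stored hex digest for a given password (always 2*DKLEN)."""
    return len(hash_password(password)["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple and then some")
    print(rec["hash"], verify_password("correct horse battery staple and then some", rec))
```

Because the stored field is the same size for any input, a 12-character cap in a web form is a choice made at the form, not a constraint of the storage.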
real.geizterfahr: Sadly there are quite a few websites that tell you that your password is too long if you use more than 12 or 16 characters (I even saw a 10 character limit once) -.-
rtcvb32: That's.... stupid..... If you're one-way hashing your passwords, length shouldn't matter... and making it shorter just ensures weaker passwords...
Perhaps it's a misguided fear on the part of the admins, that if you choose a long password, you'll forget it. (As if people were likely to choose random characters for their 20-character passwords...)
I still don't get some details. Let us consider only online attacks, since otherwise there is little discussion to take place.

The website, by itself (and I want to believe it is some deliberate thing) adds some significant lag on each login attempt. That would add about 1-3 seconds delay per connection. Furthermore, the reCAPTCHA seems to kick in after a few failed passwords have been tried (and I guess that that is tied to the client IP).
That should discourage a naive brute force attack. But not [url=http://home.nuug.no/~peter/hailmary2013/index.html]a sophisticated one[/url].
Maybe Galaxy uses another login API that does not show the reCAPTCHA thing?

But there are two keys to each GOG login. The email address is also required, and while not secret, it should not always be obvious to an automatic attacker. So, either the attackers focus on a known email address, or they add it to the search space.

Reused passwords seem to be a much more likely attack vector, as you also get a nice email address to go with it.
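An added example, not from any poster here, of the two throttles described above run over a constructed login log: a per-client-IP failure counter (the thing a CAPTCHA trigger keys on) and a per-account counter, which is what actually fires when many addresses each make one guess against the same account. Thresholds, window and the log lines are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
FAIL_LIMIT_PER_IP = 5        # assumption: after this, demand a CAPTCHA
FAIL_LIMIT_PER_ACCOUNT = 10  # assumption: after this, lock and notify the owner

# Constructed sample log: "<iso timestamp> <client ip> <account> <ok|fail>"
SAMPLE_LOG = (
    # one source hammering one account
    [f"2015-09-10T10:00:{i:02d} 198.51.100.7 alice@example.net fail" for i in range(7)]
    # twelve different sources, one guess each, against another account
    + [f"2015-09-10T10:05:{i:02d} 203.0.113.{i + 1} bob@example.net fail" for i in range(12)]
    + ["2015-09-10T10:06:00 192.0.2.9 carol@example.net ok"]
)


def _parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "ok"


def evaluate(log_lines):
    """Walk the log in order and return (ip, account, action) per attempt,
    where action is 'allow', 'captcha' (per-IP limit hit) or 'lock'
    (per-account limit hit). Failures older than WINDOW are forgotten."""
    fails_by_ip = defaultdict(deque)
    fails_by_account = defaultdict(deque)
    decisions = []
    for line in log_lines:
        ts, ip, account, ok = _parse(line)
        cutoff = ts - WINDOW
        for q in (fails_by_ip[ip], fails_by_account[account]):
            while q and q[0] < cutoff:
                q.popleft()
        if len(fails_by_account[account]) >= FAIL_LIMIT_PER_ACCOUNT:
            action = "lock"
        elif len(fails_by_ip[ip]) >= FAIL_LIMIT_PER_IP:
            action = "captcha"
        else:
            action = "allow"
        decisions.append((ip, account, action))
        if not ok:
            fails_by_ip[ip].append(ts)
            fails_by_account[account].append(ts)
    return decisions


def distributed_targets(log_lines, min_ips=8):
    """Accounts that collected failed attempts from at least min_ips distinct
    addresses in the sampled log: the per-IP counter never trips for these,
    the per-account view is the only thing that sees them."""
    ips_per_account = defaultdict(set)
    for line in log_lines:
        _, ip, account, ok = _parse(line)
        if not ok:
            ips_per_account[account].add(ip)
    return sorted(a for a, s in ips_per_account.items() if len(s) >= min_ips)


if __name__ == "__main__":
    for ip, account, action in evaluate(SAMPLE_LOG):
        print(ip, account, action)
    print("distributed:", distributed_targets(SAMPLE_LOG))
```

In the sample, the single-source run against alice hits the CAPTCHA after five failures, while the twelve one-shot sources against bob never trigger it; only the per-account counter catches that pattern, which is why an IP-keyed CAPTCHA alone does not cover the distributed case.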

real.geizterfahr: I have no idea how hackers deal with captcha and Co.
Take your pick: or [url=https://boingboing.net/2012/01/09/virtual-sweatshops-versus-capt.html]money[/url].
drevo2: Perhaps it's a misguided fear on the part of the admins, that if you choose a long password, you'll forget it. (As if people were likely to choose random characters for their 20-character passwords...)
Heh... reminds me... One woman apparently followed the rules for putting in her password, but her password was 60 characters long... When she read it had to have something like 4 capitals, she selected the names of actual cities...

As for that fear, it's still really really stupid. I can remember long titles of games fairly well, but CD-keys that are 10-20 characters? Forget it... (Mostly since I don't have to type them in enough).

Then there's the password changing policy... I worked at Fred Meyers once, they required you to change your password every 3 months, so even if you had a really good password, you had to change it, and this was a major annoyance for a great password. Changing your password a lot makes you lazy and you start adding numbers to the end. password1, password2, password3... etc. Which I quickly ended up doing. You also couldn't reuse a previous password within the last 8 passwords, making it almost impossible to remember which ones you may have already used UNLESS you use a sequence...

Yep, society has taught us to use bad passwords out of frustration...
I think it's more about creativity than laziness. It's very easy to create a good password that is easy to remember.

Totte[]nham[]Newca[]stle
Newca!?stle!?Uni!?ted
Post edited September 10, 2015 by OlivawR
Can always do what certain organisations do and use an amalgam of 3-5 types.

(stone)(animal)(thing)(date)(name)
OnyxRhinoBattery082377David

but now that this pattern and type was selected it's brute-forceable very easily :(
Post edited September 10, 2015 by Starkrun
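An added worked calculation (not from either poster) for the point made in the last two posts: once an attacker knows the template, the search space is the product of the slot dictionaries, not the character count. The slot dictionary sizes below are assumed illustrative figures, not measured word-list sizes; the same function is applied to the club-name-plus-separator scheme a few posts up.

```python
import math
from string import ascii_letters, digits

# Assumed dictionary size per slot (illustrative guesses for the example).
COMPONENT_SIZES = {
    "stone": 60,
    "animal": 500,
    "thing": 2000,
    "date": 36_500,      # MMDDYY over roughly a century
    "name": 1000,
    "club": 100,         # football club names
    "separator": 20,     # short punctuation runs like "[]" or "!?"
}

STONE_TEMPLATE = ("stone", "animal", "thing", "date", "name")   # OnyxRhinoBattery082377David
CLUB_TEMPLATE = ("club", "separator", "club")                   # Totte[]nham[]Newca[]stle style


def template_bits(template):
    """Entropy in bits when the attacker knows the template and picks one
    item per slot: log2 of the product of the slot sizes."""
    return sum(math.log2(COMPONENT_SIZES[slot]) for slot in template)


def charwise_bits(length, alphabet_size=len(ascii_letters + digits)):
    """What a length-only estimate claims for a string of that many characters
    drawn uniformly from letters and digits (the number a length rule assumes)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for name, t in (("stone", STONE_TEMPLATE), ("club", CLUB_TEMPLATE)):
        b = template_bits(t)
        print(f"{name}: {b:.1f} bits, exhausted in {years_to_exhaust(b, 1e10):.4f} years at 1e10/s")
    print(f"27 random letters/digits: {charwise_bits(27):.1f} bits")
```

With these assumed list sizes the 27-character stone/animal/thing/date/name string carries about 51 bits against a template-aware guesser, versus roughly 161 bits that a length-only estimate would credit it with; the gap is what "brute-forceable once the pattern is known" means in numbers.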
PhilD: *******

Did it work?

Oh, c'mon someone had to do it! :)
I would have been so disappointed if nobody had suggested ******* by now
Post edited September 10, 2015 by Barefoot_Monkey
Gede: I still don't get some details. Let us consider only online attacks, since otherwise there is little discussion to take place.
I think using the e-mail address as login data is a mistake and a username (not the username displayed to buddies and friends, a separate login-username) should be used instead.

Since thousands of active e-mail addresses can actually be bought on black markets for a few bucks and e-mail addresses are generally widely spread, it is way harder to hack (or even identify) an account if the login-name is unknown.

The e-mail address could anyway still be used for password reset or device authentication if needed.
(maybe even using PGP-encrypted mails or equivalent, as long as the auth code is not written in the mail subject, since PGP does not encrypt the subject of the mail, as far as I know)

would be nice :-)
TrickMe: I think using the e-mail address as login data is a mistake and a username (not the username displayed to buddies and friends, a separate login-username) should be used instead.
What you say is true. The email address or the username provides very little added security. They are mostly used as user identifiers (that is, pointing to which password field to compare to).

What you suggest is more similar to having two passwords that you need to enter to log in. That is certainly not less secure. But is it worth the inconvenience? Let us see:

Most users would handle their "secret code" the same way they handle their current password: they would memorize it and type it in at each login, use their password manager or paste it in. That means that in the situations where the regular password fails, they both fail together (e.g. key loggers, system breach, shoulder surfing).

Would this make the system safer? I think so. But not by that much. But that is the trade-off between security and convenience. It seems you cannot have both.