Barefoot_Monkey: When you start to register an account_request record is created containing a timestamp (so that it can expire), your confirmation code, your username and the password that you chose.
Lexor: Generated codes are purely random it seems - what if a "hacker" is lucky and the system generates for him the same code as before?
Barefoot_Monkey: GogPM actually visits the GOG forum to read the post with the number that you gave it. It searches the post for a confirmation code and takes note of the username of the person who wrote that post. Both the username and the confirmation code have to match.
Lexor: If a newly generated code is the same as the old one, GogPM will find such an (old) post and allow the "hacker" to reset the account password.
Yes, the codes are random. An extremely dedicated attacker could take note of someone's confirmation post and make a password change request, and then sit there for weeks hitting refresh until he gets the same confirmation code. Even with a script it is unlikely to take less than a week.

To protect yourself you could edit your verification thread posts to remove any codes, but I don't want anyone to have to do that so I'll quietly change the code generator to guarantee that no code ever appears twice.
Barefoot_Monkey: then sit there for weeks hitting refresh
I doubt we have such important messages for anyone else to waste such a period of time, but it still could be used as an exploit and - Damuna, thank you for your post.

Barefoot_Monkey: I'll quietly change the code generator
:) Maybe introduce a much greater range of possible combinations, including letters etc.
I'd love to try out this service, but I've run into an issue. Because I have a . in my username the gogpm system refuses it.
Yes. I misunderstood you at first and only "got it" after reading Lexor's response to my reply. Still, the attacker would have only a few seconds to perform the attack and it would most likely take days if not weeks of intense work to perform, so the risk is tiny. Nonetheless, thanks for pointing out the exploit. It will be gone before the end of the day.


Good news, everyone! Another update. This one is minor, and focuses on the verification process, making it more secure and slightly more convenient.

1: If you post twice in the verification thread then GOG merges your posts together. Previously, GogPM would look at your first confirmation code and ignore the one that you just posted, forcing you to edit the post to remove the old code. Now GogPM knows how to cope with merged posts. If there are multiple confirmation codes in one post, it reads the last one.

2: Confirmation codes are now unique. Any code that is generated will never be generated again. This is a security measure.
Post edited November 07, 2010 by Barefoot_Monkey
Now, codes are using a fourteen-digit number, so...

I think they are maybe including some time stamp now, and as time goes forward, the system will not generate any used code in future, just only some new ones.
Post edited November 07, 2010 by Lexor
Hey Lexor, I've finished the list-shortening code that you were asking for. Just in time, because I'm going to need to take a break from working on GogPM for the next 2 weeks - I have a lot of Capoeira training / grading coming up.

Lexor: Now, codes are using a fourteen-digit number, so...

I think they are maybe including some time stamp now, and as time goes forward, the system will not generate any used code in future, just only some new ones.
100% correct.

Lexor:
Damuna, I meant after they're generated they don't come back. As Lexor noticed, the codes are now at least 14 digits long (they're not fixed length either - they include a unix timestamp and will grow as necessary) so we're good :)
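The verification flow described in the update post earlier in the thread (a pending account_request with a timestamp, username and code; the post fetched by number; merged posts where the last code wins; codes that are never issued twice) together with the timestamp detail in this reply, written out as an added Python sketch. This is not GogPM's code: the 24-hour expiry window, the "14 or more decimal digits" code pattern, the account_request and post field names, and the in-memory set standing in for a persistent table of issued codes are all assumptions.

```python
import re
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Assumed expiry window for a pending account_request (the thread only says "so that it can expire").
CODE_TTL_SECONDS = 24 * 3600
# Assumed shape of a confirmation code: a unix timestamp followed by random digits, 14+ digits total.
CODE_PATTERN = re.compile(r"\b(\d{14,})\b")

# In-memory stand-in for a persistent table of every code ever issued (assumption).
_issued_codes: Set[str] = set()


def generate_code(now: Optional[int] = None) -> str:
    """Build a code from the current unix timestamp plus four random digits.

    The timestamp prefix grows over time (so codes are "at least" 14 digits), and the
    issued-set check guarantees that no code is ever handed out twice, even if the random
    tail collides within the same second. This removes the replay window that a purely
    random generator left open.
    """
    now = int(time.time()) if now is None else now
    while True:
        code = f"{now}{secrets.randbelow(10_000):04d}"
        if code not in _issued_codes:
            _issued_codes.add(code)
            return code


def extract_code(post_body: str) -> Optional[str]:
    """Return the last code-looking token in a post, or None.

    GOG merges consecutive posts by one user, so a merged post may carry an old code
    followed by the fresh one; the update says the last one is the one that counts.
    """
    matches = CODE_PATTERN.findall(post_body)
    return matches[-1] if matches else None


def verify_request(request: Dict[str, object], post: Dict[str, str], now: int) -> Tuple[bool, str]:
    """Decide whether a fetched forum post confirms a pending account_request.

    request: {"username": str, "code": str, "created": int}  (assumed field names)
    post:    {"author": str, "body": str}                    (assumed field names)
    Both the author and the code must match, and the request must not have expired.
    """
    if now - int(request["created"]) > CODE_TTL_SECONDS:
        return False, "request expired"
    if post["author"] != request["username"]:
        return False, "post author does not match requested username"
    posted = extract_code(post["body"])
    if posted is None:
        return False, "no confirmation code in post"
    # compare_digest is habit for secrets; the code is public in the post anyway.
    if not secrets.compare_digest(posted, str(request["code"])):
        return False, "code does not match"
    return True, "verified"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios: a genuine confirmation, a merged post, and a stale post
    from an earlier registration that an attacker might point the checker at."""
    t0 = 1289088000  # constructed: 7 November 2010 00:00 UTC
    fresh = generate_code(now=t0)
    stale = generate_code(now=t0 - 7 * 86400)  # a code issued a week earlier
    req = {"username": "alice", "code": fresh, "created": t0}
    return {
        "genuine": verify_request(req, {"author": "alice", "body": f"My code: {fresh}"}, t0 + 60),
        "merged": verify_request(req, {"author": "alice", "body": f"{stale}\n\n{fresh}"}, t0 + 60),
        "stale_replay": verify_request(req, {"author": "alice", "body": f"My code: {stale}"}, t0 + 60),
        "wrong_author": verify_request(req, {"author": "mallory", "body": f"{fresh}"}, t0 + 60),
        "expired": verify_request(req, {"author": "alice", "body": f"{fresh}"}, t0 + 2 * 86400),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The stale-post case is the one the thread worried about: because a newly issued code can never equal an earlier one, pointing the checker at an old confirmation post fails on the code comparison rather than on luck.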
Barefoot_Monkey: Hey Lexor, I've finished the list-shortening code that you were asking for. Just in time, because I'm going to need to take a break from working on GogPM for the next 2 weeks - I have a lot of Capoeira training / grading coming up.
It works :) But maybe we could also get a "button" to hide them back? :)

BTW: When you come back, I have another job for you with messages :P

Lexor: Now, codes are using a fourteen-digit number, so...

I think they are maybe including some time stamp now, and as time goes forward, the system will not generate any used code in future, just only some new ones.
Barefoot_Monkey: 100% correct.
Haha, I like it when I'm guessing correctly ^^
I like that attitude. From the start I've been keeping an eye on the verification thread hoping to see people trying to poke holes in it. There have been a couple.
Here's to Barefoot_Monkey enjoying some time off. Props to him for GogPM and Lexor for the contest that just ended.
Barefoot_Monkey: I just finished writing an unofficial PM system for GOG users to send messages to one another. I call it GogPM, because that seems like as good a name as any.

Visit the GogPM website to try it out. (please excuse that horribly-long domain name - I'll get a new one in the next few days).

Please feel free to ask any questions in this thread. I hope that this will be useful.

If you experience any troubles registering or logging onto GogPM then please let me know and I'll see what I can do to help.


UPDATE: I've made some aesthetic changes to the site. Take a look for yourself - I think you will not be disappointed.

Drelmanes has compiled a list of users registered on GogPM. Drelmanes, thank you for your hard work.
Hi Barefoot_Monkey. Just letting you know GogPM is down (at the time I am writing this, at least.)
Darling_Jimmy: Hi Barefoot_Monkey. Just letting you know GogPM is down (at the time I am writing this, at least.)
Thanks Jimmy. I've noticed it going up and down all week, and I'm getting rather concerned. I might have to consider changing to a different hosting provider if this continues.
Trying to sign up but it seems down.



Still down, I hate technology
Post edited December 18, 2010 by reaver894
Barefoot_Monkey: UPDATE: We have been having spurts of temporary downtime lately, so I apologise if you can't access the website right now.
Can you inform us when GOG PM is going to work again? :)
Barefoot_Monkey: Thanks Jimmy. I've noticed it going up and down all week, and I'm getting rather concerned. I might have to consider changing to a different hosting provider if this continues.
I have a Linode which is barely used at the moment. If you want to move GOGPM to that (either temporarily or permanently), I'd be happy to host it for you.
reaver894: Trying to sign up but it seems down.
It seems like GOG PM has "corrected itself" for now again.