I cannot express enough how disappointed and angry I am with GOG's implementation of the captcha. It is flawed and doesn't work as it should, in fact I have spent half an hour trying to access my account.

"Choose all the signs and click verify", After choosing the signs and clicking next I get taken to one more bloody page "Choose all the cars until there are none left" which ends up in a stream of never ending car pictures > click next and doesn't work > click all the Storefronts > same thing. What's next, Cat pictures?

If you want to take an anti spam measure that works properly you'd be better off copying Steam or Humble Bundle, which sends a code to your email address, I surely would be very grateful for not wasting the little free time I have with a flawed system.

/rant out.

Two step authentication is already in place, should be default in your account. I for instance, get a code sent to my email which I then need to pop in the browser window to access my account. As of yet I have not seen a single "captcha" in relation to GOG's site, other than when redeeming a key which I had it once. Its likely triggered by a new computer or something like that, and I note there has been several posts about this subject:

https://www.gog.com/forum/general/what_is_with_the_gog_captcha

https://www.gog.com/forum/general/3_minutes_to_log_into_gog_get_rid_of_that_captcha_please

Also note, that captcha is really slow on other websites as well, not just this one, its a real pain in the neck.

This is why I eventually reenabled two step authentication. Login takes a couple of minutes in both cases, so...

Ok I'll hold my horses, I have activated two-step for now, will see how it goes. Out of all the websites, forums etc I log in to everyday this is the only one that gave me so much trouble with it, It was working fine as of about 2 weeks ago, just got worse lately.

Thanks :-) *super saiyan mode off*

Also, Humble uses those damn Google captchas as well. With the added annoyance that the language localization is... quite lacking to say the least. The one in which you need to select the parts of the image containing "street signs" is translated as "street names" in my local setting. Took me a good amount of frustrating attempts to realize why I was always getting those wrong (and why most of them rarely included any street name sign at all). :S

Tried to login just now, another 5mins wasted clicking pictures, my last login was about 9 hours ago. Can GOG please look into this? It's very very frustrating and annoying.

You have to actually log out sometimes in order to see it.

I direct my honorable colleague's attention to the "logging in" part of my statement, which obviously implies logging out beforehand. Perhaps he would pick up on such subtleties were he not always busy with some puzzles instead of listing to the chamber proceedings!

As said, you are mixing up two different things, which serve two different "needs".

The "code that Steam and HB sends to email" is two-factor authentication (2FA), and GOG has that too, It should even be enabled by default. On GOG, apparently it is triggered if both of these conditions are met (both at the same time):

1. You are using a different IP address than in your previous successful login.

2. You don't have valid login cookies in your browser (e.g. you are using a different browser or PC in your household, or you have deleted the cookies; or the cookies have been invalidated e.g.. because they are so old, I guess).

Not sure if Steampowered.com and humblebundle.com use the same conditions for their 2FA, sometimes it feels to me that at those places it is enough that you merely don't have valid cookies (but then I normally don't go to Steam via browser, but use their client).

CAPTCHA is triggered for different reasons, and I am unsure what are the conditions. I presume one of the conditions is that there have been several attempts to log in to your account with a wrong password, and CAPTCHA tries to prevent too many attempts using some kind of script (trying to repeatedly guess the right password).

So, it is possible someone knows your username/email address in GOG.com, and is repeatedly trying to log in as you, but using wrong passwords. That's why you would see CAPTCHA often too. Or then you have tried to log in with wrong password several times?

I am unsure if there are other possibilities too, like if several people are logging into the same account at the same time from different IP addresses? Then again I don't know what CAPTCHA would help there, 2FA would be better there. I always log out as well, and very rarely, if ever, see CAPTCHA. Even if I clear the cookies (but then I will get the 2FA code, in case the IP address has changed too).

I personally think that if someone is constantly seeing CAPTCHA, then most probably someone else is repeatedly trying to log into your account, without knowing your password. If they knew the password, then you would get the 2FA code instead into your email (not CAPTCHA), as long as you have 2FA enabled.

The 2 factor authentication on Steam and HB sends me an email every time I clear the cookies, on GOG does not. The only time it asked me is when I enabled it last night.

As for my IP it's static as long as I don't turn off my modem for several days, I would know instantly if it changes as I wouldn't be able to access my ftp server remotely.

Sometimes I log out several times a day and until recently I didn't get the captcha as often. I find it strange, since I always log back from the same IP/ PC.

Although unlikely to be the case I will take your suggestion and change my password just to be safe. :)

Yeah I think in those other two places the 2FA code is sent even if cookies are just cleared, I recall having to get the code every time I visited HB (or Steampowered) because I've set Firefox to always clear cookies and other stuff when closing it. In GOG I would get it only occasionally, when I had to reboot the cable modem (it would get a new IP address), or if using my mobile connection for internet instead.

I have made life easier for myself by having Chrome and Firefox side by side. I let Chrome keep cookies and stuff (default settings) and use it for sites like GOG.com, humblebundle.com etc. (in order not to trigger 2FA due to cleared cookies, or have some other reason I want to keep the cookies), and Firefox for all the rest.
Always a good idea just in case, but if it really was about that, it wouldn't matter much as apparently they don't know your current password anyway. :) I've understood CAPTCHA might be triggered for trying to log in too many times with wrong passwords. Not sure if there are other triggers too, like repeatedly logging in and out successfully for no good reason (at which point GOG servers might think it is some kind of misbehaving login script doing it from here to eternity). Just guessing here...

If they knew your password too, you'd get 2FA verification emails instead. Some have reported those too, so for them changing the password is a good idea even though 2FA still protects them as well. Just make sure no one else gets to your email account, then all is lost. :)


Ps. Check your email address at this site:

https://haveibeenpwned.com/

It will know if the same email address has been used on some other site whose user database was breached (and that's how they know it). If some sites are listed, just make sure you don't use the same password on GOG, or for your email account for that matter, that you have possibly used on those sites.

Then again mere email addresses can be harvested easier too, it is also the passwords they are after...

This may be unrelated, but since a couple of weeks or so Gog's main page has started appearing in Russian, Polish or german for me (that is, with no cookies stored). It doesn't happen always and refreshing the page changes the language to English, but it happens quite often.
If Gog has trouble determining some users location this might explain the increased amount of captcha.

I don't know if someone is repeatedly trying to log in as me to GOG (with wrong passwords), or if GOG has changed something, but now I seem to get CAPTCHA at login each and every time, if I clear the cookies. A couple of weeks ago when I tested it, it wouldn't trigger CAPTCHA.

I am not getting any "3-5 minute CAPTCHAs" though, it usually takes me something like 5-10 seconds to pass the CAPTCHA. However, it complicates the usage of e.g. gogrepo.py somewhat. e.g. if you are logging in with gogrepo the very first time, or your existing gogrepo login cookies are either deleted or outdated, then you need to export valid cookies from your web browser.

That is, if it really has now been changed so that all get CAPTCHA if they try to log in without cookies.

Can anyone else confirm if they are now getting CAPTCHA at every cookie-less login, when earlier they didn't?

Just got the "Pick out the storefronts" one at another website. Got shown a bunch of pictures of what were parking lots and what appeared to be the backs of businesses.

No, didn't pass it.