-Yes, the archives are password-protected. Here's why:
The supported way of installing the games is by using the Installer, which apart from unpacking the files, also creates registry entries, shortcuts, compatibility fixes etc. We want to avoid the situation where a user sees an unprotected rar file, downloads and unpacks it, and gets a "broken" installation because he didn't use the installer.
There were situations where users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.
In such a situation I think it's better to give immediate "it won't work that way" message, rather than allow someone to make a "partial" installation, which may or may not work, without any information.
Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.
Both of those reasons go against the DRM-free approach, which should give the user full freedom of how to use the package. Users want to do weird stuff like playing it with VLC? It shouldn't stop them from doing it! That's the point. Putting any kind of password protection or worrying about potential torrents is already falling into the DRM mentality. Come on, the last people I expected it from were GOG!
About updating without repacking, there should be a free, non-patent-encumbered format to achieve that, and no password protection is required.
Overall I'm pretty disappointed with the direction where this is heading.
Mind you - if you are using the supported installation mode, you don't have to enter the password anywhere. Nor is it in any way dependent on username, or hardware, or anything else. It's more or less hardcoded into the installer (I see you guys already figured out how), as much as the decompression algorithm. You can still use the installer exactly as you could since the beginning of GOG, and install your games wherever, whenever, and however many times you want. It doesn't detect where it was downloaded from either. That hasn't changed at all.
Yet you know perfectly well that many users don't use "supported installation mode" and unpack their games with other tools. Which often happens for systems which don't have Windows / Wine. For example to play those games on mobile systems with ScummVM. Why should users go through the pain of finding Windows just to unpack those games in such case?
We don't really support installing the game by manually unpacking the archives (for whatever reason you do that). On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I'm not going to say "Hey, good job hacking into our software guys!", but I'm not going to try and make the password harder either.
It's one thing not to support it, it's another thing to actively make it hard. Yes, we figured out a way to bypass this stupid password, but nothing stops you tomorrow from changing that way and making it much harder to bypass. Yesterday you said there will be no DRM. Today we got this password. You say today you won't make it harder. Should we believe it? We are talking about the attitude here, not about the method. Once you are falling into that mentality, there can be no end to it. So please, revise this approach and remain community friendly by avoiding any such stuff. You don't need to support it but you don't need to be hostile to the DRM-free approach either, which is exactly what's happening in this case.
If you want any kind of verification / authenticity checks, provide checksums. You don't need any passwords for authenticity checks to avoid malware.
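An added example, not part of the original thread and not GOG's code: a checksum-manifest check over a multi-part download that reports the two failure cases raised above separately, a part that was never downloaded and a part whose contents were changed. The file names, the `sha256sum`-style manifest layout and the sample data are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large .bin parts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <file name>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected

def verify_parts(directory, manifest_text):
    """Return {file name: 'ok' | 'missing' | 'modified'} for every listed part."""
    directory = Path(directory)
    status = {}
    for name, digest in parse_manifest(manifest_text).items():
        part = directory / name
        if not part.is_file():
            status[name] = "missing"      # incomplete download
        elif sha256_file(part) != digest:
            status[name] = "modified"     # corrupted or altered contents
        else:
            status[name] = "ok"
    return status

def demo():
    # Constructed sample: part 1 has extra bytes appended, part 2 was never fetched.
    parts = {"setup_game.exe": b"installer stub",
             "setup_game-1.bin": b"data one",
             "setup_game-2.bin": b"data two"}
    manifest = "\n".join(f"{hashlib.sha256(v).hexdigest()}  {k}" for k, v in parts.items())
    with tempfile.TemporaryDirectory() as d:
        Path(d, "setup_game.exe").write_bytes(parts["setup_game.exe"])
        Path(d, "setup_game-1.bin").write_bytes(b"data one plus extra payload")
        return verify_parts(d, manifest)

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:9} {name}")
```

The result is only as trustworthy as the manifest: it has to come from the publisher over a channel the downloader already trusts, not from the same place as the files being checked.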