timppu: At least on Steam, it seems I have to re-enter that damn code every damn time I want to enter the site through a web browser. Is it possibly using e.g. cookies to track it? I've set Firefox to wipe out all the offline crap (caches, offline data, cookies, history etc.) whenever I close the browser, as some sites use them for purposes I don't want them to (like limiting how many times per week I can access their pages, etc.), and also make sure all personal data (browsing history, saved passwords etc.) are also deleted when I close the browser. I wouldn't want e.g. my wife to enter different sites with my account just because I forgot to log out. Not to mention the case when I was able to access and read my friend's personal emails, just because he had used my PC's web browser to check them. That wouldn't have been possible if the browser had deleted all cached data when he closed the browser.
Email to confirm password change = good, anything else = bad. Simple. I agree, browser should clear everything on exit for the reasons you have given. I would also avoid using any type of "client" software, so Steam, or the upcoming Galaxy. Pull the internet cable out when not using it etc. Treat online as you would real life, don't leave the key in the lock for example. Don't let your neighbour (client) control your door access, it may make life easier by not having to worry about getting a key out and installing the key yourself, but if they're out or move, you're ruined.
If this has already been mentioned previously then I apologize, but two factor authentication is important because some games use CD-Keys which can be written down, and if a hijacker gets your account they could collect all the keys and use them in the multi-player of pirated copies (was done in Steam before Steam Guard came along and stopped it).
theantioch.426: I've been very happy with GOG over the years, and with the increasingly bad decisions from Valve, I will likely be increasing my purchases from here. Before I drop a pile of cash, I would like to know what plans, if any, there are for enabling two factor authentication for GOG accounts.

Edit: Can't words
Let me recap - how does this two factor authentication limit yer, exactly? What in substance is "bad" about it?
ChrisSZ: Unhide Teenagent?
Best answer in a thread on GOG.com ever! LOL

or... unhide "Softporn Adventure" from the Leisure Suit Larry game extras... :)
SpringPower: Now you have piqued my curiosity. How do other websites, regardless if it is gaming or not, do this?
More or less by following this formula:

1) Being generally good people who don't think like bad guys think and don't perceive potential vulnerabilities and weaknesses in their software as a bad guy might.

2) Looking at potential security issues that are raised by people in the office, in the community, wherever from a viewpoint of not trying to see a security issue at all, but trying to look at security issues as something to try to ignore by putting up verbal counter-arguments about them and ignoring how hackers think. Maybe even by saying things like "if a customer gets hacked it's their own fault for picking a dumb password" and stuff like that.

3) Leaving their security lax until some day when real hackers notice.

4) Hackers devise a plan based on the weaknesses they've analyzed in the company's website, software/whatever to break into as many accounts as possible or even the entire server and capture all of the accounts and perhaps other user data stored on the server. They then either hold onto this data/info etc. for some time before doing something with it, or they sell it on darknet blackmarkets, or they publish everyone's password and other details on a pastebin "for the lulz" to point out the shitty security at the given company. *COUGH* Sony Playstation Network *COUGH*. They laugh how they've hacked Sony, EA, Ubisoft, Steam multiple times and none of them had proactive security, and rejoice how all other companies do it more or less the same way by pretending there is no problem until *AFTER* someone comes along and shows them "But, oh yes... there is a problem, surprise!".

5) Freak out and panic that customer accounts were just compromised and rush to bandaid fix it, and apologize to all customers for the inconvenience while telling them they all have to change their passwords now and depending on the nature of the security breach that they may need to contact their credit card company or some other issue to deal with. They may also need to offer to pay for customers to get credit card theft / identity theft protection for a year or more (as has been the case in many high profile cases like this).

6) Put a brown paper bag of embarrassment over their heads.

7) Tell everyone how secure their new setup is.

8) Wait a few weeks/months/years until another hacker or group comes along and hacks them again, possibly prompted by disliking some decision the company has made or something, then repeat all of the above steps again until they get tired of going through the process and the loss of revenue to clean it up.

9) Hire experienced proactive senior security experts to implement a much more robust security infrastructure that isn't a toy afterthought.

10) Enjoy much greater security and hopefully never get their service hacked again.


That's the general overview of how it typically happens based on years of monitoring computer security mailing lists, blogs, news, personal experience. The details change slightly but it's just variations on a general theme of history repeating itself over and over again with every company pretty much.

A common theme underlying it all is lack of perception of threat due to not thinking proactively on how someone would go about compromising the system in the first place. One has to think like the bad guy thinks in order to figure out the weakness in a system and if one can't or doesn't want to do that, then one isn't the best person to judge whether the system has any weaknesses or not really.

Hell, Sony had their network/systems compromised dozens of times by Lulzsec et al years ago, and never learned a damned thing either as the massive compromise they endured last year showed. That's been heavily analyzed by security experts who have shown that the company was lax with security in just about every area. Sadly, most companies don't bother with security because they under-perceive the real threats and over-perceive their existing security measures as adequate until they're shown it to be false.

Executive summary a.k.a. tl;dr version: They wait until they are breached then scramble to fix it without usually learning much in the process then repeat this again each time a new problem occurs.
SpringPower: Now you have piqued my curiosity. How do other websites, regardless if it is gaming or not, do this?
skeletonbow: More or less by following this formula:

....
Very well written post. Virtually every article I have read about a company getting breached follows the steps you outlined. It's a sad but true description.
I've noticed that even Indiegala has 2FA. Come on GOG, step up your game.
Also people vote for this on the wishlist
moonshineshadow: Yeah but what can someone do with that except download the games and play them?
ChrisSZ: Unhide Teenagent?
Add tinyE as a friend.