Password guessing (otherwise known as Password Cracking, PGing, or PCracking) is the act of someone attempting to gain access to a Roblox account by guessing the player's password. Password guessing may also occur when someone gains unauthorized access to another player's password, such as by the victim entering their Roblox login information into a scam website promising free Robux. Many players confuse hacking with password guessing and commonly discuss how "their account was hacked." Hacking, unlike password guessing, involves taking advantage of security vulnerabilities within the Roblox website to obtain user information. The majority of the time, the user's account was password guessed and not actually "hacked." The most common causes of password guessing are weak passwords and entering Roblox login information into non-Roblox websites.
Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when password guessing was utilized. Many players speculate that older accounts are frequently password guessed due to players wishing to have an older account or to obtain a name-sniped account. In one 2016 incident, accounts created in 2012 or earlier were prompted to change their passwords after Roblox announced that a player gained unauthorized access to a testing site that contained "limited" user information; this incident later motivated Roblox to implement a two-factor authorization feature. When Roblox instated an age minimum on the Forums in light of forum raids that occurred during 2017 by QuackityHQ, players speculated that there was an increase in password guessing as newer players attempted to obtain accounts that could post on the forums. A common issue today is bot accounts linking to phishing websites that promise free Robux or Builders Club and prompt players to input their Roblox login information. The owner of the website then gains access to the player's account and locks the original owner out of the account by changing the password. After this occurs, the scammer can sell off Limited items and use that account to post more phishing web links until that account is banned.
Making and maintaining a strong password
Creating a strong password is one of the best steps for preventing Password Guessing. The following are guidelines for creating strong passwords:
- Passwords should not contain any easily identifiable information, such as your Roblox name, your birthday, or other known information. Avoid using some of the most common passwords, such as "password", "1234567", or "qwerty".
- The longer the password, the better. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers.
- Avoid common words in your password. The best password is a jumble of characters. l33t sp33k is stronger than regular text characters ("R0bl0x" versus "Roblox") but should still be avoided, as software can easily identify l33t sp33k. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase "Shedletsky eats fried chicken every day. Yum Yum!" can be abbreviated as "sefcedyy". Adding uppercase letters, numbers, and special characters creates a password like "$3fCed_Y&y!". Websites such as How Secure Is My Password are a great tool to see how strong your password is.
- Keep your password unique to Roblox.com. That way, if a security vulnerability occurs on another website, such as a fan website about Roblox, then your Roblox account is less likely to be in jeopardy from password guessers using that fan website password to access your Roblox account.
- Never share your password! Do not enter your Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for your password. Never share any Roblox browser information, such as your .ROBLOSECURITY cookie. If you are using a shared computer, such as in a school or library, do not let your internet browser save your login information.
- Use caution when downloading Roblox extensions. Some browser extensions and applications may steal your login information or inject malware into your computer. Only download things from trusted sources.
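The guidelines above can be turned into an automated check. The following is an added example, not code from Roblox or from the original page; the word lists are small constructed samples, and `audit` and `has_pattern` are hypothetical names. It shows why "R0bl0x" is still caught after l33t substitutions are undone, while the abbreviated-phrase password passes.

```python
import re

# Constructed sample lists; "password", "1234567", "qwerty" are the ones the page names.
COMMON = {"password", "1234567", "12345678", "qwerty", "letmein"}
WORDS = {"roblox", "robux", "builder", "chicken"}  # stand-in for a real dictionary
# Undo common l33t substitutions so "R0bl0x" is compared as "roblox".
LEET = str.maketrans("013457@$!", "oleastasi")
# Digit, alphabet and keyboard-row sequences that guessers try first.
ROWS = ["0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def has_pattern(password, run=4):
    """True if any `run` consecutive characters repeat or follow a known sequence."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in row or chunk[::-1] in row for row in ROWS):
            return True
    return False


def audit(password, username):
    """Return the list of guidelines the password breaks (empty list = passes)."""
    low = password.lower()
    plain = low.translate(LEET)  # l33t-normalised form
    user = username.lower()
    problems = []
    if len(password) < 8:
        problems.append("too short")
    if not all(re.search(c, password) for c in CLASSES):
        problems.append("missing character class")
    if low in COMMON:
        problems.append("common password")
    if user and (user in low or user in plain):
        problems.append("contains username")
    if any(w in low or w in plain for w in WORDS):
        problems.append("dictionary word")
    if has_pattern(password):
        problems.append("pattern")
    return problems


if __name__ == "__main__":
    for pw in ["$3fCed_Y&y!", "R0bl0x", "12345678", "Sh3dl3tsky#2024"]:
        print(pw, audit(pw, "Shedletsky"))
```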
Additional protections against password guessing
- Verify your email and enable two-step verification. When two-step verification is enabled, every time your account is logged into from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets you know if you have been password guessed and need to create a stronger password.
- Enable an account PIN. When an account PIN is enabled, every time a setting such as a username, password, birth date, email, phone number, or two-factor authorization or PIN enabling is changed, Roblox will ask for a pre-set PIN before the changes are applied. This prevents unauthorized users from changing account settings if they do not know the PIN.