Password guessing (PGing) is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach, the brute-force attack, is to try candidate passwords repeatedly and check each one against an available cryptographic hash of the password.
The motive for password guessing may be to help a user recover a forgotten password (though creating an entirely new password is less of a security risk) or to gain unauthorized access to a system.
In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the target account for personal or malicious ends, steal its Robux or Limited items, or even get the account banned. Password guessing is prohibited by Roblox's Community Guidelines, which means a user's own account(s) can be banned if they are found to have password guessed other players' accounts.
Password guessing has been an ongoing issue throughout Roblox's history, and several events have shaped when and why it was used. Many players speculate that older accounts are frequent targets because players want an older account or a name-sniped account.
Some accounts created in 2012 or earlier were prompted to change their passwords after Roblox announced in 2016 that a player had gained unauthorized access to a testing site containing "limited" user information; this incident later motivated Roblox to implement its two-step verification feature.
When Roblox introduced a minimum age for the Forums in response to the 2017 forum raids organized by the YouTuber QuackityHQ, players speculated that password guessing increased as newer players tried to obtain accounts that could post on the forums.
A common issue today is bot accounts that link to phishing websites promising free Robux or Builders Club and prompt players to enter their Roblox login information. The website's owner then logs into the player's account and locks the original owner out by changing the password. After that, the scammer can sell off Limiteds and use the account to post more phishing links until it is banned.
Making and maintaining a strong password
Password guessing remains a widespread issue on Roblox, so users should take steps to prevent it from happening to them. A strong password is one of the best defences against an account breach, and the following are guidelines for creating one:
- Passwords should not contain easily identifiable information, such as your Roblox username, your birthday, or other information that others could know. Avoid the most common passwords, such as "password", "1234567", "roblox123", or "qwerty".
- Make a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols. Avoid patterns such as "12345678", which are among the first guesses that password-guessing tools try.
- Avoid common words in your password; the best password is a jumble of characters. l33t sp33k is stronger than plain text (R0bl0x versus Roblox) but should still be avoided, because cracking software easily undoes such substitutions. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase "Shedletsky eats fried chicken every day. Yum Yum!" can be abbreviated as sefcedyy; adding uppercase letters, numbers, and special characters then yields a password like $3fCed_Y&y!. Websites such as How Secure Is My Password are a useful tool for seeing how strong your password is and improving it accordingly.
- Keep your password unique to Roblox.com. That way, if another website (such as a Roblox fan site) suffers a security breach, your Roblox account is less likely to be in jeopardy from PGers trying the password leaked from that site against your Roblox account.
- Consider using a password manager. A typical password manager stores the login details for every website you use under one master account, can generate long random passwords for each site, and auto-fills them the next time you log in, so you do not have to remember them. The only catch is that you must be able to remember the details of the master account itself (writing the username and password down somewhere safe is one method) and ensure that the master password is not weak. The recommended service for the average user is LastPass, but others such as Dashlane work similarly depending on your preference.
- Never share your password with anyone. Do not enter your Roblox login information into any website other than Roblox.com; Roblox staff and games will never ask for your password. Never share any Roblox browser data, such as your ROBLOSECURITY cookie. On a shared computer, such as at a school or library, do not let the browser save your login information. Finally, keep up to date with the latest scams so that you do not fall for them.
- Use caution when downloading Roblox extensions. Some browser extensions and applications may steal your login information or install malware on your computer. Only download software from trusted sources.
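As an added example (not code from this page or from Roblox), the following Python script turns the guidelines above into a policy check: it enforces the length and character-class rules, reverses the l33t substitutions the text warns about so that "P@ssw0rd" is still caught as "password", rejects keyboard runs such as "qwerty" and "1234", flags passwords built from the username or birthday, and implements the phrase-abbreviation trick from the Shedletsky example. The common-password list, the l33t mapping and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample list; a real check would load a full breached-password list.
COMMON_PASSWORDS = ("password", "1234567", "roblox123", "qwerty", "letmein")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common digit/symbol-for-letter substitutions (R0bl0x -> roblox, 3 -> e, ...).
LEET_TABLE = str.maketrans("0134578$@!", "oleastbsai")


def normalize_leet(password: str) -> str:
    """Lower-case the password and reverse the usual l33t substitutions."""
    return password.lower().translate(LEET_TABLE)


def has_keyboard_pattern(password: str, run: int = 4) -> bool:
    """True if any `run`-character slice walks along a keyboard row, in either direction."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        piece = low[i:i + run]
        for row in KEYBOARD_ROWS:
            if piece in row or piece in row[::-1]:
                return True
    return False


def abbreviate_phrase(phrase: str) -> str:
    """First letter of each word: the memorable base that the guideline builds on."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase)).lower()


def check_password(password: str, username: str = "", birthday: str = "") -> list:
    """Return the guideline violations found; an empty list means the password passes."""
    problems = []
    plain, leet = password.lower(), normalize_leet(password)
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {name} character")
    # Compare both the raw and the de-l33ted form against the common list.
    if any(c in plain or c in leet for c in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if username and username.lower() in leet:
        problems.append("contains the username")
    # Birthday given as YYYY-MM-DD; any 2- to 4-digit group of it is rejected.
    if any(part in password for part in re.findall(r"\d{2,4}", birthday)):
        problems.append("contains part of the birthday")
    if has_keyboard_pattern(password):
        problems.append("contains a keyboard or digit sequence")
    return problems
```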
Additional protections against password guessing
- Verify your email and enable two-step verification. With two-step verification enabled, every time your account is logged into from a new location, Roblox requires a code sent to the account's email before authorizing the login. This also alerts you that someone has guessed your password and that you need to create a stronger one.
- Enable an account PIN. With an account PIN enabled, every change to a setting such as the username, password, birth date, email, phone number, two-step verification, or the PIN itself requires the pre-set PIN before it takes effect. This prevents unauthorized users who do not know the PIN from changing account settings.
- A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember reduce the security of a system, because (a) users may write down or store the password electronically in an insecure way, (b) users will need frequent password resets, and (c) users are more likely to reuse the same password. Similarly, the more stringent the password requirements (e.g. "use a mix of uppercase and lowercase letters and digits" or "change it monthly"), the more users will subvert the system.
- In "The Memorability and Security of Passwords", Jeff Yan et al. examine the effect of the advice given to users about choosing a good password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords and just as hard to crack as randomly generated ones. Combining two unrelated words is another good method, as is having a personally designed "algorithm" for generating obscure passwords. As these practices spread, more and more people are noticing a change in the way that passwords are secured.
- However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little harder to crack (e.g. only 128 times harder for a 7-letter password, and less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" often leads to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', which are well known to attackers. Similarly, typing the password one keyboard row higher is a common trick known to attackers.
- Research detailed in an April 2015 paper by several Carnegie Mellon University professors shows that people's choices of password structure often follow known patterns. As a result, passwords may be much easier to crack than their mathematical probabilities would otherwise indicate; passwords containing one digit, for example, disproportionately place it at the end of the password.