Roblox Wiki
Register
Advertisement
Roblox Wiki

Password guessing (also abbreviated PG-ing, and/or variants thereof) is a form of security hacking involving the process of stealing passwords from data that has been stored in or transmitted by a computer system. A common approach is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password, which is known as brute-forcing.


Motives toward password guessing may either be to help a user recover a forgotten password (creating an entirely new password is less of a security risk, however) or to gain unauthorized access to a system. In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the account for personal or malicious intent, steal its Robux/limited items, or even get the account banned. Hacked accounts are referred to as compromised (often shortened to comped). Password guessing is prohibited by Roblox's Community Guidelines, which means a user's account(s) can be banned if they are found to have password guessed other players.


In an attempt to combat PGing, Roblox will automatically ban an account that has been logged into after being inactive for an arbitrary number of years⁠[citation needed], and will only unban it if the user can provide proof of account ownership. This measure has proven polarizing among the userbase. Some see it as an effective necessity to curb account theft, others see it as overly strict to original owners who have lost access to an earlier email address tied to said account. It also does not account for original account owners giving out or selling accounts to others, which also violates Roblox's Community Guidelines.

History[]

Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when password guessing was utilized.

2016[]

Main article: 2016 Roblox Security Breach

Some accounts created in September 2006 or earlier were prompted to change their passwords after Roblox announced that a player gained unauthorized access to a testing site that contained "limited" user information in 2016; this incident later motivated Roblox to implement a two-factor authorization feature.[1]

Priority targets[]

Although password guessers can have a variety of motives for doing so, the following are considered to be the most prioritized types of users

  • Successful game developers (primarily those with front page games)
  • Users or their alternate accounts with extreme wealth in Robux or limited items
  • Popular YouTubers' accounts, especially those in the Roblox Video Stars Program, or their alternate accounts
  • Users who own popular groups of any kind
  • Well-known clothing designers
  • Old accounts (generally pre-2012) and name-sniped users
  • Users with rare off-sale items or those who own the only copy of a certain item
  • Users with 'special' ID numbers or those who own groups with special group IDs (e.g. Azoo5573, the one billionth user)
  • Roblox administrators
  • Deceased users
  • Users with a space in their username.

Prevention[]

Password guessing remains a widespread issue on Roblox, so users must take steps to prevent it from happening to them. A strong password is one of the best methods of preventing the user's account from being breached, and the following are guidelines for creating strong passwords, as well as methods to keep their password and account safe. A lot of these tips are not exclusive to Roblox, and may be useful on other websites regarding the user's cybersecurity:

  • Passwords should not contain any easily identifiable information, such as their Roblox name, their birthday, or other easily known information. Avoid using some of the most common passwords, such as "password" (Roblox no longer allows this), "1234567", "roblox123", "abc123", or "qwerty".[2]
  • Making a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols if possible. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers.[3] If the user is not able to create their password, it is highly recommended to use password generators and save it somewhere in the user's computer files or password managers.
  • Avoiding common words. The best password is a jumble of characters. l33t sp33k is stronger than regular text characters, but should still be avoided as the software is more easily able to identify l33t sp33k.[3] The best way to create a password is to think of a phrase and abbreviate it.[4] For instance, the phrase Shedletsky eats fried chicken every day. Yum Yum! can be abbreviated as sefcedyy. Adding uppercase letters, numbers, and special characters creates a password like $3fCed_Y&y!. Alternatively, multiple random plain words (known as a passphrase) with spaces between them such as 'clock green blanket paper' can also be surprisingly effective and easier to remember (one such method is Diceware). Websites such as How Secure Is My Password are a great tool to see how strong the user's password is and improve it accordingly. The user must try to avoid using dictionary words as well because hackers have software that brute-force dictionary passwords.
  • Keeping the password unique to Roblox.com. This way, if a security vulnerability occurs on another website (such as a fan website about Roblox), then the user's Roblox account is less likely to be in jeopardy from PGers using that fan website password to try and access their Roblox account. If they use the same password for every website, in the event a person had breached the victim's account, they have gained access to every digital account the victim owns.[3][5]
  • Using a password manager. A typical password manager will allow the user to create an account to store all their login details for each website they use separately under one master account, and they may also allow them to generate long, random passwords for each website and then save them to be auto-filled the next time they want to log in. The only catch is that the user has to make sure they will remember the details of the master account itself (noting the username and password down somewhere is a good method) and also ensure that their password for the master account is not weak.
  • Never sharing the password with anyone. The user must not enter their Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for their password, and any person asking them to do so is a scam. The user should never share any Roblox browser information, such as their ROBLOSECURITY cookie. If they are using a shared computer, such as in a school or library, they must not let the Web browser save their login information, or avoid logging in to any websites if possible.[5] Just in case, the user might want to tell a trusted guardian or parent if they forget their password, as an alternative to password managers. Finally, they must ensure that they are up to date with knowledge of the latest scams and do not fall for them.
  • Using caution when downloading Roblox extensions. Some browser extensions and applications may steal login information or inject malware into the user's computer.
  • Always signing out when the user is done playing. There is a possibility that if someone steals the user's computer, phone, tablet, or anything that has their Roblox information (or any other website), they must change it immediately and log out of all other sessions on their account using another device. There is a possibility that the thief could get into the device, launch Roblox, and steal the victim's account, so action must be taken to prevent this as soon as possible. However, they must ensure that more crucial websites are secured first, such as their email(s), social media, banking, and other important details before Roblox.
  • Verifying their email and enable two-step verification. When two-step verification is enabled, every time their account is logged in from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets the user know if they have been password guessed and need to create a stronger password. This is one of the best ways for account security because the hacker must also gain access to the victim's password and email address before being able to successfully log in to the victim's account, even though it can be circumvented by obtaining their ROBLOSECURITY cookie.[5]
  • Enabling an account PIN. When an account PIN is enabled, every time a setting such as a username, password, birth date, email, phone number, or two-factor authorization or PIN enabling is changed, Roblox will ask for a pre-set PIN before the changes are enabled. This prevents unauthorized users from changing account settings if they do not know the PIN.

Notes[]

  • A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember will reduce the security of a system because
  • (a) users might need to write down or electronically store the password using an insecure method,
  • (b) users will need frequent password resets
  • (c) users are more likely to re-use the same password.

Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.

  • In "The Memorability and Security of Passwords", Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "Algorithm" for generating obscure passwords is another good method. In the latest improvements, more and more people are noticing a change in the way that passwords are secured.
  • However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.
  • Research detailed in an April 2015 paper by several professors at Carnegie Mellon University shows that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than their mathematical probabilities would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password.
  • The chances of guessing an 8-digit password is 1 in 2.1834 Quintillion (2.1834E+15), making it extremely rare to guess someone's password. The chances of guessing a gobbledygook (random string of numbers, letters, and symbols) password are known to be 1 in 6.09569 Quintillion (6.09569E+15).

References[]

  1. Roblox (2016, August 12). "Security Update". From Roblox Blog. Accessed October 12, 2022. Archived from the original on September 24, 2021.
  2. Koshevoy Dmitry (2018). "Most common passwords list". From PasswordRandom. Accessed October 12, 2022. Archived from the original on October 12, 2022.
  3. 3.0 3.1 3.2 Kim Komando (2015, May 15). "How to create a strong password". From USA Today. Accessed October 12, 2022. Archived from the original on September 23, 2021.
  4. pzdupe2 (2016, April 29). "A hacker told me how to make a super strong password I can remember". From Business Insider. Accessed October 12, 2022. Archived from the original on September 23, 2021.
  5. 5.0 5.1 5.2 Lilly_S (2017, December 11). "Security Update". From Roblox Developer Forum. Accessed October 12, 2022. Archived from the original on October 12, 2022.
Advertisement