Password guessing

Password guessing (also abbreviated PG-ing, and/or variants thereof) is a form of security hacking involving the process of stealing passwords from data that has been stored in or transmitted by a computer system. A common approach is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password, which is known as brute-forcing.

Motives toward password guessing may either be to help a user recover a forgotten password (creating an entirely new password is less of a security risk, however) or to gain unauthorized access to a system. In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the account for personal or malicious intent, steal its Robux/limited items, or even get the account banned. Hacked accounts are referred to as compromised (often shortened to comped). Password guessing is prohibited by Roblox's Community Guidelines, which means a user's account(s) can be banned if they are found to have password guessed other players.

In an attempt to combat PGing, Roblox will automatically ban an account that has been logged into after being inactive for an arbitrary number of years, and will only unban it if the user can provide proof of account ownership. This measure has proven polarizing among the userbase. Some see it as an effective necessity to curb account theft, others see it as overly strict to original owners who have lost access to an earlier email address tied to said account. It also does not account for original account owners giving out or selling accounts to others, which also violates Roblox's Community Guidelines.

History
Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when password guessing was utilized.

2016

 * Main article: 2016 Roblox Security Breach

Some accounts created in September 2006 or earlier were prompted to change their passwords after Roblox announced that a player gained unauthorized access to a testing site that contained "limited" user information in 2016; this incident later motivated Roblox to implement a two-factor authorization feature.

Priority targets
Although password guessers can have a variety of motives for doing so, the following are considered to be the most prioritized types of users


 * Successful game developers (primarily those with front page games)
 * Users or their alternate accounts with extreme wealth in Robux or limited items
 * Popular YouTubers' accounts, especially those in the Roblox Video Stars Program, or their alternate accounts
 * Users who own popular groups of any kind
 * Well-known clothing designers
 * Old accounts (generally pre-2012) and name-sniped users
 * Users with rare off-sale items or those who own the only copy of a certain item
 * Users with 'special' ID numbers or those who own groups with special group IDs (e.g., the one billionth user)
 * Roblox administrators
 * Deceased users

Prevention
Password guessing remains a widespread issue on Roblox, so users must take steps to prevent it from happening to them. A strong password is one of the best methods of preventing the user's account from being breached, and the following are guidelines for creating strong passwords, as well as methods to keep their password and account safe. A lot of these tips are not exclusive to Roblox, and may be useful on other websites regarding the user's cybersecurity:


 * Passwords should not contain any easily identifiable information, such as their Roblox name, their birthday, or other easily known information. Avoid using some of the most common passwords, such as "password" (Roblox no longer allows this as of an unknown date), "1234567", "roblox123", "abc123", or "qwerty".
 * Making a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols if possible. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers. If the user is not able to create their password, it is highly recommended to use password generators and save it somewhere in the user's computer files or password managers.
 * Avoiding common words. The best password is a jumble of characters. l33t sp33k is stronger than regular text characters, but should still be avoided as the software is more easily able to identify l33t sp33k. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase Shedletsky eats fried chicken every day. Yum Yum! can be abbreviated as sefcedyy. Adding uppercase letters, numbers, and special characters create a password like $3fCed_Y&y!. Alternatively, multiple random plain words (known as a passphrase) with spaces between them such as 'clock green blanket paper' can also be surprisingly effective and easier to remember (one such method is Diceware). Websites such as How Secure Is My Password are a great tool to see how strong the user's password is and improve it accordingly. The user must try to avoid using dictionary words as well, because hackers have software that brute-force dictionary passwords.
 * Keeping the password unique to Roblox.com. This way, if a security vulnerability occurs on another website (such as a fan website about Roblox), then the user's Roblox account is less likely to be in jeopardy from PGers using that fan website password to try and access their Roblox account. If they use the same password for every website, in the event a person had breached into the victim's account, they basically have gained access to every digital account the victim owns.
 * Using a password manager. A typical password manager will allow the user to create an account to store alltheir login details for each website they use separately under one master account, and they may also allow them to generate long, random passwords for each website and then save them to be auto-filled the next timethey want to log in. The only catch is that the user has to make sure they will remember the details to the master account itself (noting the username and password down somewhere is a good method) and also ensure that their password for the master account is not weak.
 * Never sharing the password with anyone. The user must not enter their Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for their password, and any person asking them to do so is a scam. The user should never share any Roblox browser information, such as their ROBLOSECURITY cookie. If they are using a shared computer, such as in a school or library, they must not let the Web browser save their login information, or avoid logging in to any websites if possible. Just in case, the user might want to tell a trusted guardian or parent if they forget their password, as an alternative to password managers. Finally, they must ensure that they are up to date with knowledge of the latest scams and do not fall for them.
 * Using caution when downloading Roblox extensions. Some browser extensions and applications may steal login information or inject malware into the user's computer.
 * Always signing out when the user is done playing. There is a possibility that if someone steals the user's computer, phone, tablet, or anything that has their Roblox information (or any other website), they must change it immediately and log out of all other sessions on their account using another device. There is a possibility that the thief could get into the device, launch Roblox, and steal the victim's account, so action must be taken to prevent this as soon as possible. However, they must ensure that more crucial websites are secured first, such as their email(s), social media, banking, and other important details before Roblox.
 * Verifying their email and enable two-step verification. When two-step verification is enabled, every time their account is logged into from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets the user know if they have been password guessed and need to create a stronger password. This is one of the best ways for account security, because the hacker must also gain access to the victim's password and their email address before being able to successfully log in to the victim's account, even though it can be circumvented by obtaining their ROBLOSECURITY cookie.
 * Enabling an account PIN. When an account PIN is enabled, every time a setting such as a username, password, birth date, email, phone number, or two-factor authorization or PIN enabling is changed, Roblox will ask for a pre-set PIN before the changes are enabled. This prevents unauthorized users from changing account settings if they do not know the PIN.