Password guessing

Password guessing (sometimes called PGing) is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach (brute-force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password.

Motives for password guessing are either to help a user recover a forgotten password (although creating an entirely new password is less of a security risk) or to gain unauthorized access to a system.

In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the account for personal or malicious ends, steal its Robux and Limited items, or even get the account banned. Password guessing is prohibited by Roblox's Community Guidelines, so a user's own account(s) can be banned if they are found to have password guessed other players.

History
Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when it was used.

2016
Some accounts created in 2012 or earlier were prompted to change their passwords after Roblox announced in 2016 that a player had gained unauthorized access to a testing site containing "limited" user information; this incident later motivated Roblox to implement a two-step verification feature.

Forum raids
When Roblox instated an age minimum on the Forums in response to the forum raids carried out during 2017 by the YouTuber QuackityHQ, players speculated that password guessing increased as newer players attempted to obtain accounts that could post on the forums.

Bots
A common issue today is bot accounts linking to phishing websites that promise free Robux or Builders Club and prompt players to input their Roblox login information. The owner of the website then gains access to the player's account and locks the original owner out by changing the password. After this occurs, the scammer can sell off Limiteds and use the account to post more phishing web links until it is banned.

Common targets
Although password guessers can have a variety of motives, the following types of users are considered the most prioritised targets:
 * Successful game developers (primarily those with front page games)
 * Users or their alternate accounts with extreme wealth in limited items
 * Popular YouTubers' accounts
 * Users who own popular groups of any kind
 * Well-known clothing designers
 * Old accounts and name-sniped users
 * Users with rare offsale items or those who own the only copy of a certain item
 * Roblox administrators

Making and maintaining a strong password
Password guessing remains a widespread issue on Roblox, so it is essential that users take steps to prevent it from happening to them. A strong password is one of the best methods of preventing your account from being breached, and the following are guidelines for creating strong passwords:
 * Passwords should not contain any easily identifiable information, such as your Roblox name, your birthday, or other known information. Avoid using some of the most common passwords, such as "password", "1234567", "roblox123", or "qwerty".
 * Make a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers.
 * Avoid common words in your password. The best password is a jumble of characters. L33t sp33k is stronger than plain text characters (R0bl0x versus Roblox) but should still be avoided, since guessing software can easily recognise and reverse l33t substitutions. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase "Shedletsky eats fried chicken every day. Yum Yum!" can be abbreviated as sefcedyy. Adding uppercase letters, numbers, and special characters creates a password like $3fCed_Y&y!. Websites such as How Secure Is My Password are a great tool to see how strong your password is and improve it accordingly.
 * Keep your password unique to Roblox.com. This way, if a security vulnerability occurs on another website (such as a fan website about Roblox), then your Roblox account is less likely to be in jeopardy from PGers using that fan website password to try and access your Roblox account.
 * Consider using a password manager. A typical password manager lets you store the login details for every website you use under one master account, and most can also generate ultra-strong random passwords for each website and auto-fill them the next time you log in, so that you don't have to remember them. The only catch is that you must make sure you will remember the details of the master account itself (noting the username and password down somewhere is a good method) and that the master account's password is not weak. The recommended service for the average user is LastPass, but others such as Dashlane may also work similarly depending on your preference.
 * Never share your password with anyone. Do not enter your Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for your password. Never share any Roblox browser information, such as your ROBLOSECURITY cookie. If you are using a shared computer, such as in a school or library, do not let your internet browser save your login information. Finally, ensure that you are up to date with knowledge of the latest scams and do not fall for them.
 * Use caution when downloading Roblox extensions. Some browser extensions and applications may steal your login information or inject malware into your computer. Only download things from trusted sources.
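As an added example (not part of the original article or of Roblox's own software), here is a small Python checker that applies the guidelines above to a candidate password: minimum length, character classes, common passwords, common words even when written in l33t sp33k, known personal information, and sequential patterns. The common-password and common-word lists are constructed samples, and the `known` tuple stands in for details such as the username or birthday.

```python
import re

# Constructed sample lists for this example; real guessing wordlists are far larger.
COMMON_PASSWORDS = {"password", "1234567", "12345678", "roblox123", "qwerty"}
COMMON_WORDS = ("admin", "password", "roblox", "robux")
# Undo the usual l33t substitutions so "R0bl0x" is judged the same as "roblox".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")


def normalize(pw: str) -> str:
    """Lowercase and reverse common l33t substitutions."""
    return pw.lower().translate(LEET_MAP)


COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters of a number or keyboard sequence
    appear in the password, forwards or backwards (e.g. "1234", "4321")."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw: str, known: tuple = ()) -> list:
    """Return the guideline violations for `pw`; an empty list means it passes.
    `known` holds easily identifiable information (username, birthday, ...)."""
    problems = []
    norm = normalize(pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("missing uppercase, lowercase, digit or symbol")
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_NORMALIZED:
        problems.append("matches a common password")
    for word in COMMON_WORDS:
        if word in norm:
            problems.append(f"contains a common word: {word}")
    for item in known:
        if item and normalize(item) in norm:
            problems.append(f"contains known information: {item}")
    if has_sequence(pw):
        problems.append("contains a sequential pattern")
    return problems
```

Running `check_password("$3fCed_Y&y!", ("Shedletsky", "2005"))` returns no problems, while `check_password("R0bl0x")` is flagged for length, missing symbols and the l33t-disguised word "roblox".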

Additional protections against password guessing
 * Verify your email and enable two-step verification. When two-step verification is enabled, every time your account is logged into from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets you know if you have been password guessed and need to create a stronger password.
 * Enable an account PIN. When an account PIN is enabled, every time an account setting such as the username, password, birth date, email, phone number, two-step verification, or the PIN itself is changed, Roblox will ask for the pre-set PIN before applying the change. This prevents unauthorized users from changing account settings if they do not know the PIN.