Password guessing (often shortened to PG-ing or variants thereof) is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach (brute force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password.
Motives toward password guessing may either be to help a user recover a forgotten password (creating an entirely new password is less of a security risk, however) or to gain unauthorized access to a system.
In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the account for personal or malicious intent, steal its Robux/Limited items or even get the account banned. Password guessing is prohibited by Roblox's Community Guidelines, which means it is possible for a user's own account(s) to be banned if they are found to have password guessed other players.
Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when password guessing was utilized.
Some accounts created in 2012 or earlier were prompted to change their passwords after Roblox announced that a player gained unauthorized access to a testing site that contained "limited" user information in 2016; this incident later motivated Roblox to implement a two-factor authorization feature.
Although password guessers can have a variety of motives for doing so, the following are considered to be the most prioritized types of users:
- Successful game developers (primarily those with front page games)
- Users or their alternate accounts with extreme wealth in Robux or limited items
- Popular YouTubers' accounts
- Users who own popular groups of any kind
- Well-known clothing designers
- Old accounts and name-sniped users
- Users with rare off-sale items or those who own the only copy of a certain item
- Users with 'special' ID numbers or those who own groups with special group IDs
- Roblox administrators
Making and maintaining a strong password
Password guessing remains a widespread issue on Roblox, so it is essential that users take steps to prevent it from happening to them. A strong password is one of the best methods of preventing your account from being breached, and the following are guidelines for creating strong passwords:
- Passwords should not contain any easily identifiable information, such as your Roblox name, your birthday, or other known information. Avoid using some of the most common passwords, such as "password" (Roblox won't let you use this anymore), "1234567", "roblox123", "abc123", or "qwerty".
- Make a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers.
- Avoid common words in your Password. The best password is a jumble of characters. l33t sp33k is stronger than regular text characters, but should still be avoided as the software is more easily able to identify l33t sp33k. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase Shedletsky eats fried chicken every day. Yum Yum! can be abbreviated as sefcedyy. Adding uppercase letters, numbers, and special characters create a password like $3fCed_Y&y!. Websites such as How Secure Is My Password are a great tool to see how strong your password is and improve it accordingly.
- Keep your password unique to Roblox.com. This way, if a security vulnerability occurs on another website (such as a fan website about Roblox), then your Roblox account is less likely to be in jeopardy from PGers using that fan website password to try and access your Roblox account.
- Consider using a password manager. A typical password manager will allow you to create an account to store all your login details for each website you use separately under one master account, and they may also allow you to generate ultra-strong and random passwords for each website and then save them to be auto-filled the next time you want to log in so that you don't have to remember them. The only catch is that you have to make sure you will remember the details to the master account itself (noting the username and password down somewhere is a good method) and also ensure that your password for the master account is not weak. The recommended service for the average user is LastPass, but others such as Dashlane may also work similarly depending on your preference.
- Never share your password with anyone. Do not enter your Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for your password. Never share any Roblox browser information, such as your ROBLOSECURITY cookie. If you are using a shared computer, such as in a school or library, do not let your Web browser save your login information. Just in case, you might want to tell a trusted guardian or parent if you forget your password, as an alternative to password managers. Finally, ensure that you are up to date with knowledge of the latest scams and do not fall for them.
- Use caution when downloading Roblox extensions. Some browser extensions and applications may steal your login information or inject malware into your computer. Only download things from trusted sources.
- Your password can also be gained physically. There is a possibility that if someone steals your computer, phone, tablet or anything that has your Roblox information (or any other website), change it immediately. There is a slight possibility that the robber could use Roblox and steal your account. Do that just to be safe.
Additional protections against password guessing
- Verify your email and enable two-step verification. When two-step verification is enabled, every time your account is logged into from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets you know if you have been password guessed and need to create a stronger password.
- Enable an account PIN. When an account PIN is enabled, every time a setting such as a username, password, birth date, email, phone number, or two-factor authorization or PIN enabling is changed, Roblox will ask for a pre-set PIN number before the changes are enabled. This prevents unauthorized users from changing account setting if they do not know the PIN.
- A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password using an insecure method, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.
- In "The Memorability and Security of Passwords", Jeff Yan et al. examines the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "Algorithm" for generating obscure passwords is another good method. In the latest improvements, more and more people are noticing a change in the way that passwords are secured.
- However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.
- Research detailed in an April 2015 paper by several professors at Carnegie Mellon University shows that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than their mathematical probabilities would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password.
- ↑ Roblox. (2016). Security Update. Roblox Blog. Retrieved from https://blog.roblox.com/2016/08/security-update/
- ↑ Koshevoy Dmitry. (2018). Most common passwords list. Retrieved from: http://www.passwordrandom.com/most-popular-passwords
- ↑ 3.0 3.1 3.2 Kim Komando. (2015). How to create a strong password. USA Today. Retrieved from https://www.usatoday.com/story/tech/columnist/komando/2015/05/15/strong-passwords/27240877/
- ↑ pzdupe2. (2016). A hacker told me how to make a super strong password I can actually remember. Business Insider. Retrieved from http://www.businessinsider.com/hacker-strong-password-2016-4
- ↑ 5.0 5.1 5.2 5.3 Lilly_S. (2017). PSA: Keep Your Account Safe. Roblox Developer Forums. Retrieved from https://devforum.roblox.com/t/psa-keep-your-account-safe/65430.