Password guessing (often shortened to PG-ing or variants thereof) is a form of security hacking involving the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password, which is known as brute-forcing.
Motives toward password guessing may either be to help a user recover a forgotten password (creating an entirely new password is less of a security risk, however) or to gain unauthorized access to a system.
In the case of Roblox, password guessing is used to gain access to accounts that do not belong to the guesser, after which they can hijack the account for personal or malicious intent, steal its Robux/Limited items or even get the account banned. Hacked accounts are referred to as compromised (often shortened to comped). Password guessing is prohibited by Roblox's Community Guidelines, which means a user's account(s) can be banned if they are found to have password guessed other players.
In an attempt to combat PGing, Roblox will automatically ban an account that has been logged into after being inactive for an arbitrary number of years, and will only unban it if the user can provide proof of account ownership. This is considered to be a controversial measure as some find it effective while others see it as unnecessarily strict.
Password guessing has been an ongoing issue throughout Roblox's history, and numerous events have influenced when password guessing was utilized.
- Main article: 2016 Roblox Security Breach
Some accounts created in September 2006 or earlier were prompted to change their passwords after Roblox announced that a player gained unauthorized access to a testing site that contained "limited" user information in 2016; this incident later motivated Roblox to implement a two-factor authorization feature.
Although password guessers can have a variety of motives for doing so, the following are considered to be the most prioritized types of users:
- Successful game developers (primarily those with front page games)
- Users or their alternate accounts with extreme wealth in Robux or limited items
- Popular YouTubers' accounts, especially those in the Roblox Video Stars Program, or their alternate accounts
- Users who own popular groups of any kind
- Well-known clothing designers
- Old accounts (generally pre-2012) and name-sniped users
- Users with rare off-sale items or those who own the only copy of a certain item
- Users with 'special' ID numbers or those who own groups with special group IDs
- Roblox administrators
Password guessing remains a widespread issue on Roblox, so users must take steps to prevent it from happening to them. A strong password is one of the best methods of preventing your account from being breached, and the following are guidelines for creating strong passwords, as well as methods to keep your password and account safe. A lot of these tips are not exclusive to Roblox, and may be useful on other websites regarding your cybersecurity.
- Passwords should not contain any easily identifiable information, such as your Roblox name, your birthday, or other easily known information. Avoid using some of the most common passwords, such as "password" (Roblox won't let you use this anymore), "1234567", "roblox123", "abc123", or "qwerty".
- Make a long password. Passwords should be at least 8 characters long and include uppercase letters, lowercase letters, numbers, and special symbols if possible. Avoid having patterns in the password, such as "12345678", which are often screened first by password guessers.If you can't create your password, it is highly recommended to use password generators and save it somewhere in your files or password managers.
- Avoid common words in your Password. The best password is a jumble of characters. l33t sp33k is stronger than regular text characters, but should still be avoided as the software is more easily able to identify l33t sp33k. The best way to create a password is to think of a phrase and abbreviate it. For instance, the phrase Shedletsky eats fried chicken every day. Yum Yum! can be abbreviated as sefcedyy. Adding uppercase letters, numbers, and special characters create a password like $3fCed_Y&y!. Alternatively, multiple random plain words (known as a passphrase) with spaces between them such as 'clock green blanket paper' can also be surprisingly effective and easier to remember. Websites such as How Secure Is My Password are a great tool to see how strong your password is and improve it accordingly. Try to avoid using dictionary words as well, because hackers have software that brute-force dictionary passwords.
- Keep your password unique to Roblox.com. This way, if a security vulnerability occurs on another website (such as a fan website about Roblox), then your Roblox account is less likely to be in jeopardy from PGers using that fan website password to try and access your Roblox account. If you use the same password for every website, in the event a person had breached into your account, they basically have gained access to every digital account you own.
- Consider using a password manager. A typical password manager will allow you to create an account to store all your login details for each website you use separately under one master account, and they may also allow you to generate ultra-strong and random passwords for each website and then save them to be auto-filled the next time you want to log in so that you don't have to remember them by heart. The only catch is that you have to make sure you will remember the details to the master account itself (noting the username and password down somewhere is a good method) and also ensure that your password for the master account is not weak. The recommended service for the average user is LastPass, but others such as Dashlane may also work similarly depending on your preference. It is strongly recommended that you choose reputable password managers, one's which have been verified by security researchers and are equipped with powerful encryption.
- Never share your password with anyone. Do not enter your Roblox login information into any website other than Roblox.com. Roblox staff and games will never ask for your password, and any person asking you to do so is definitely a scam. Never share any Roblox browser information, such as your ROBLOSECURITY cookie. If you are using a shared computer, such as in a school or library, do not let your Web browser save your login information, or avoid logging in to any websites if possible. Just in case, you might want to tell a trusted guardian or parent if you forget your password, as an alternative to password managers. Finally, ensure that you are up to date with knowledge of the latest scams and do not fall for them.
- Use caution when downloading Roblox extensions. Some browser extensions and applications may steal your login information or inject malware into your computer. Only download things from trusted sources. Generally, extensions from the Chrome Web Store have a track record of being very safe. Although, this is not guaranteed. If extensions have bad ratings or very few downloads, use extreme caution. Some trusted and great extensions are Roblox+ and BTRoblox.
- Your password can also be gained physically. There is a possibility that if someone steals your computer, phone, tablet, or anything that has your Roblox information (or any other website), change it immediately and log out of all other sessions on your account using another device. There is a possibility that the thief could get into the device, launch Roblox, and steal your account, so action must be taken to prevent this as soon as possible. However, ensure that more crucial websites are secured first, such as your email(s), social media, banking and other important details before Roblox.
- Verify your email and enable two-step verification. When two-step verification is enabled, every time your account is logged into from a new location, Roblox will require the player to enter a code sent to the account's email before authorizing the log-in. This also lets you know if you have been password guessed and need to create a stronger password. This is one of the best ways for account security, because the hacker must also gain access to your password AND your email address before being able to succesfully log in to your account, even though it can be circumvented by obtaining your ROBLOSECURITY cookie. 
- Enable an account PIN. When an account PIN is enabled, every time a setting such as a username, password, birth date, email, phone number, or two-factor authorization or PIN enabling is changed, Roblox will ask for a pre-set PIN before the changes are enabled. This prevents unauthorized users from changing account settings if they do not know the PIN.
- A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password using an insecure method, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.
- In "The Memorability and Security of Passwords", Jeff Yan et al. examines the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "Algorithm" for generating obscure passwords is another good method. In the latest improvements, more and more people are noticing a change in the way that passwords are secured.
- However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.
- Research detailed in an April 2015 paper by several professors at Carnegie Mellon University shows that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than their mathematical probabilities would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password.
- The chances of guessing a 8-digit password is 1 in 2.1834 Quintillion (2.1834E+15), making it extremely rare to guess your own or someone's password. The chances of guessing a gobbledygook (random string of numbers, letters, and symbols) password is known to be 1 in 6.09569 Quintillion (6.09569E+15).
- ↑ Roblox. (2016). Security Update. Roblox Blog. Retrieved from https://blog.roblox.com/2016/08/security-update/
- ↑ Koshevoy Dmitry. (2018). Most common passwords list. Retrieved from: http://www.passwordrandom.com/most-popular-passwords
- ↑ 3.0 3.1 3.2 Kim Komando. (2015). How to create a strong password. USA Today. Retrieved from https://www.usatoday.com/story/tech/columnist/komando/2015/05/15/strong-passwords/27240877/
- ↑ pzdupe2. (2016). A hacker told me how to make a super strong password I can actually remember. Business Insider. Retrieved from http://www.businessinsider.com/hacker-strong-password-2016-4
- ↑ 5.0 5.1 5.2 5.3 Lilly_S. (2017). PSA: Keep Your Account Safe. Roblox Developer Forums. Retrieved from https://devforum.roblox.com/t/psa-keep-your-account-safe/65430.