Re: Improve account security

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:36 PM
In this post, I will list several things that the Roblox Developers could add to make our accounts more secure. Some of these features may be too complicated for some users, so most of them will be optional.


NON-OPTIONAL FEATURES:
-Increase maximum password length to 50, and allow spaces so that passphrases can be used

-Enter in a captcha upon login

-Enter in a captcha when altering sensitive account settings

-Disallow anyone else to log into your account when you are logged into it

-Require you to enter in a security question, and then require you to provide the answer whenever logging in, or changing any sensitive account settings



OPTIONAL FEATURES:
-Enter in a second, different password and a captcha whenever transferring group ownership and/or exiling someone from your group and/or deleting or selling any of your items and/or upgrading or downgrading your membership status and/or deleting anyone from your friends or best friends list and/or using the currency exchange and/or buying anything
(The reason I put "and/or" between each option is that, due to the fact that this would be an optional feature, you could set your account to require a second password to be entered when doing one or more of the things above that you select.)

-Set your account to recognize the location that you log in from the most, and disallow any logins from unrecognized locations

-Require a two-step verification upon login. Step one: enter in your main password. Step two: enter in a verification code sent to you by the method Google uses. (OPTIONAL: Step three: enter in your second password as described earlier on in this post)

-Automatically log out every set interval of time that you select






Aleezybaby0
Joined: 01 Jan 2011
Total Posts: 6335
10 Jul 2012 06:42 PM
There has to be a shorter way to explain this.

FrenzoBlox
Joined: 20 Dec 2011
Total Posts: 28854
10 Jul 2012 06:45 PM
@Aleezybaby0 ikr XD

Evelio95
Joined: 26 Oct 2008
Total Posts: 50982
10 Jul 2012 06:45 PM
This is a game
Not a banking site (chase)

-Set your account to recognize the location that you log in from the most, and disallow any logins from unrecognized locations

No, I operate off an iPhone 4S, my location varies every minute.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:54 PM
@Evelio95

That's an optional feature, you don't have to use it. I grouped my post by non-optional and optional features.

ann510287
Joined: 20 Mar 2011
Total Posts: 11546
10 Jul 2012 06:56 PM
Wut?

•1+3+3=7. Your mind is now blown away•

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:58 PM
@ann510287

What part of my post confuses you?

Negativeone
Joined: 24 Jun 2008
Total Posts: 11380
10 Jul 2012 07:00 PM
In order of Non-Optionals:

>50?! That's outrageous! (Hah, it's funny because I'm OBC)
>Captchas are effective against computer programs, not real people.
> -||- (That means same as before)
> I'm currently logged in on two computers
>That's better.

Aleezybaby0
Joined: 01 Jan 2011
Total Posts: 6335
10 Jul 2012 07:04 PM
There has to be a shorter way to explain this.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:04 PM
@Negative One

"50?! That's outrageous! (Hah, it's funny because I'm OBC)"
It would only be outrageous if that were the _minimum_ password length. That would be the _maximum_ password length, you wouldn't have to make it anywhere near that long if you didn't want to.


"Captchas are effective against computer programs, not real people."
The point of the captchas would be to prevent brute-force attempts, which use computer programs.


" I'm currently logged in on two computers"
It's an optional feature, you wouldn't have to use it. It would be for people who _could_ use it effectively.

Negativeone
Joined: 24 Jun 2008
Total Posts: 11380
10 Jul 2012 07:08 PM
I misread maximum for minimum. (My dyslexia)
Most account hackings are by use of guessing PWs.
The log in thing is under Non-Optional.

Aleezybaby0
Joined: 01 Jan 2011
Total Posts: 6335
10 Jul 2012 07:09 PM
You're TBC.

Negativeone
Joined: 24 Jun 2008
Total Posts: 11380
10 Jul 2012 07:10 PM
Aleezy, that was a response to me.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:12 PM
@Negativeone

"I misread maximum for minimum. (My dyslexia)"
That's fine.


"Most account hackings are by use of guessing PWs."
This would protect against the rare cases of brute-force attempts. This will be especially useful for famous users, moderators, and administrators.


"The log in thing is under Non-Optional."
Oh, sorry, I thought you were referring to the second suggestion under optional. Well, that could be optional, then.

Aleezybaby0
Joined: 01 Jan 2011
Total Posts: 6335
10 Jul 2012 07:14 PM
If it's a pw guess it's not a hack... It's a pw guess.

QuantumSama
Joined: 24 Jun 2011
Total Posts: 14
10 Jul 2012 07:35 PM
Increasing max pass length: I agree
Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much
Login Captcha: this exists already but it only shows up with multiple logins
Captcha on settings change: doesn't add any security, once an account has been hacked captcha won't stop someone from making changes
Disallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer
Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering question grants access to account.

Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. requiring a user to enter pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it.

Additional login verification: maybe as a one time per device thing might be ok but makes it more inconvenient. Wouldn't work if user doesn't have an email.

Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional.

The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases.
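
The behaviour described in the post above (a login captcha that only appears after multiple logins, aimed at brute-force scripts) can be sketched as follows. This is an added example, not part of the thread and not Roblox's code; the threshold, time window, class and function names are all assumptions.

```python
from collections import deque

# Assumed policy values, not taken from the thread or from Roblox.
MAX_FAILURES = 3        # failed logins tolerated before a captcha is demanded
WINDOW_SECONDS = 600    # how long a failure counts against the account


class LoginGate:
    """Per-account failure counter that demands a captcha after repeated failures."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = {}  # account -> deque of failure timestamps

    def _recent_failures(self, account, now):
        q = self._failures.get(account)
        if q is None:
            return 0
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if not q:
            del self._failures[account]         # keep no state for clean accounts
        return len(q)

    def attempt(self, account, password_ok, captcha_ok, now):
        """Return 'ok', 'captcha_required' or 'denied' for one login attempt."""
        if self._recent_failures(account, now) >= self.max_failures and not captcha_ok:
            # The password is not evaluated, so an automated guesser learns nothing.
            return "captcha_required"
        if password_ok:
            self._failures.pop(account, None)   # success clears the counter
            return "ok"
        self._failures.setdefault(account, deque()).append(now)
        return "denied"


# Constructed sample events: (time in seconds, account, password_ok, captcha_ok)
SAMPLE_EVENTS = [
    (0, "alice", False, False), (1, "alice", False, False), (2, "alice", False, False),
    (3, "alice", True, False),   # correct guess, but no captcha solved
    (4, "alice", True, True),    # owner solves the captcha
    (5, "alice", False, False),  # counter was reset by the successful login
    (0, "bob", False, False), (1, "bob", False, False), (2, "bob", False, False),
    (700, "bob", True, False),   # old failures have aged out of the window
]


def replay(events):
    gate = LoginGate()
    return [gate.attempt(acct, pw, cap, t) for t, acct, pw, cap in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```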

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:50 PM
@QuantumSama

Thank you for replying to my thread.


"Increasing max pass length: I agree"

Thanks.




"Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much"

Adding spaces would allow one to use passphrases--please google for further information, as I cannot post offsite links.




"Login Captcha: this exists already but it only shows up with multiple logins"

Oh, okay. I assume that this is sufficient to prevent brute-forcing attempts.




"Captcha on settings change: doesn't add any security, once an account has been hacked captcha won't stop someone from making changes"

That's true. However, it might help to enter in a second, different PW to alter sensitive account settings.




"Disallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer"

This would be an optional feature for those who could use it effectively.




"Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering question grants access to account."

Ah, I see.




"Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. requiring a user to enter pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it."

That is true. However, if you were required to enter in a second, different password, it might help.




"Additional login verification: maybe as a one time per device thing might be ok but makes it more inconvenient. Wouldn't work if user doesn't have an email."

Perhaps it could be an optional feature, to make it so that no one would be inconvenienced.




"Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional."

I agree; I listed this one under the optional features in my post.




"The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases."

I agree. However, these features could really help users who are at a higher risk of having their account broken into, such as infamous users, famous users, moderators, and administrators.

Negativeone
Joined: 24 Jun 2008
Total Posts: 11380
10 Jul 2012 07:58 PM
What if we made the e-mail verification absolutely necessary? If you discover your account was hacked then you could just reset the PW. If you give your PW out it would still be possible to recover the account, I don't know how idiotic you must be to give your PW out. But you'd still have your account.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:00 PM
@Negativeone

I see where you're coming from, but I think the issue with that idea is that many Roblox users may not have one.

Aleezybaby0
Joined: 01 Jan 2011
Total Posts: 6335
10 Jul 2012 08:00 PM
QuantumSama only replies on threads made by SCS.

Biased much?

Negativeone
Joined: 24 Jun 2008
Total Posts: 11380
10 Jul 2012 08:02 PM
True, but their parents most likely do.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:06 PM
@Negativeone

That is true. However, many people may not know what their parent's one is, or if they do, they may not be allowed to use it.

TheLuckyScripter
Joined: 14 Apr 2012
Total Posts: 122
10 Jul 2012 08:13 PM
I actually like most of them.

SCS
Forum Moderator
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:15 PM
@TheLuckyScripter

Thank you.

TheLuckyScripter
Joined: 14 Apr 2012
Total Posts: 122
10 Jul 2012 08:24 PM
@SCS Anytime.