SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:36 PM
In this post, I will list several things that the Roblox Developers could add to make our accounts more secure. Some of these features may be too complicated for some users, so most of them will be optional.
NON-OPTIONAL FEATURES:
-Increase maximum password length to 50, and allow spaces so that passphrases can be used
-Enter in a captcha upon login
-Enter in a captcha when altering sensitive account settings
-Disallow anyone else to log into your account when you are logged into it
-Require you to enter in a security question, and then require you to provide the answer whenever logging in, or changing any sensitive account settings
OPTIONAL FEATURES:
-Enter in a second, different password and a captcha whenever transferring group ownership and/or exiling someone from your group and/or deleting or selling any of your items and/or upgrading or downgrading your membership status and/or deleting anyone from your friends or best friends list and/or using the currency exchange and/or buying anything (The reason I put "and/or" between each option is that, due to the fact that this would be an optional feature, you could set your account to require a second password to be entered when doing one or more of the things above that you select.)
-Set your account to recognize the location that you login from the most, and disallow any logins from unrecognized locations
-Require a two-step verification upon login. Step one: enter in your main password. Step two: enter in a verification code sent to you by the method Google uses. (OPTIONAL: Step three: enter in your second password as described earlier on in this post)
-Automatically log out every set interval of time that you select
10 Jul 2012 06:42 PM
There has to be a shorter way to explain this.
Evelio95
Joined: 26 Oct 2008
Total Posts: 50982
10 Jul 2012 06:45 PM
This is a game, not a banking site (Chase).
-Set your account to recognize the location that you login from the most, and disallow any logins from unrecognized locations
No, I operate off an iPhone 4S; my location varies every minute.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:54 PM
@Evelio95
That's an optional feature; you don't have to use it. I grouped my post by non-optional and optional features.
ann510287
Joined: 20 Mar 2011
Total Posts: 11546
10 Jul 2012 06:56 PM
Wut?
•1+3+3=7. Your mind is now blown away•
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 06:58 PM
@ann510287
What part of my post confuses you?
10 Jul 2012 07:00 PM
In order of Non-Optionals:
>50?! That's outrageous! (Hah, it's funny because I'm OBC)
>Captchas are effective against computer programs, not real people.
> -||- (That means same as before)
> I'm currently logged in on two computers
>That's better.
10 Jul 2012 07:04 PM
There has to be a shorter way to explain this.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:04 PM
@Negative One
"50?! That's outrageous! (Hah, it's funny because I'm OBC)" It would only be outrageous if that were the _minimum_ password length. That would be the _maximum_ password length; you wouldn't have to make it anywhere near that long if you didn't want to.
"Captchas are effective against computer programs, not real people." The point of the captchas would be to prevent brute-force attempts, which use computer programs.
"I'm currently logged in on two computers" It's an optional feature; you wouldn't have to use it. It would be for people who _could_ use it effectively.
10 Jul 2012 07:08 PM
I misread maximum for minimum. (My dyslexia) Most account hackings are by use of guessing PWs. The log in thing is under Non-Optional.
10 Jul 2012 07:10 PM
Aleezy, that was a response to me.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:12 PM
@Negativeone
"I misread maximum for minimum. (My dyslexia)" That's fine.
"Most account hackings are by use of guessing PWs." This would protect against the rare cases of brute-force attempts. This will be especially useful for famous users, moderators, and administrators.
"The log in thing is under Non-Optional." Oh, sorry, I thought you were referring to the second suggestion under optional. Well, that could be optional, then.
10 Jul 2012 07:14 PM
If it's a PW guess it's not a hack... It's a PW guess.
10 Jul 2012 07:35 PM
Increasing max pass length: I agree
Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much
Login Captcha: this exists already but it only shows up with multiple logins
Captcha on settings change: doesn't add any security, once an account has been hacked a captcha won't stop someone from making changes
Disallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer
Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering the question grants access to the account.
Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. Requiring a user to enter their pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it.
Additional login verification: maybe as a one-time-per-device thing might be ok but makes it more inconvenient. Wouldn't work if the user doesn't have an email.
Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional.
The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases.
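QuantumSama's reply above notes that the login captcha "only shows up with multiple logins", and the thread's earlier exchange is about captchas being aimed at automated guessing rather than at people. The mechanism behind both remarks is a login gate that counts recent failures and escalates: nothing for the first few, a captcha after that, and a temporary lock after many. The code below is an added example written for this page, not Roblox's implementation; the thresholds, the window, the class name `LoginThrottle` and the function `attempt_login` are assumptions for illustration, and the account, password and attacker address are constructed test data. It counts failures per account and per source IP separately, so that one address spraying a common password across many accounts is challenged just like one address hammering a single account, and it hashes the password even for unknown usernames so response time does not reveal which names exist. As QuantumSama says, none of this helps once the password has been handed over; the gate only raises the cost of guessing.

```python
"""Login gate that escalates to a captcha after a few failures and to a temporary
lock after many, counted per account and per source IP. Added example; not Roblox
code. Thresholds and names (LoginThrottle, attempt_login) are assumed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

CAPTCHA_AFTER = 3     # failures within WINDOW before a captcha is demanded (assumed policy)
LOCK_AFTER = 10       # failures within WINDOW before the key is locked out (assumed policy)
WINDOW = 600          # sliding window, seconds
LOCK_SECONDS = 900    # lockout duration, seconds
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(calc, digest)


class LoginThrottle:
    def __init__(self):
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> unix time at which the lock expires

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= WINDOW:     # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def gate(self, username, ip, now):
        """What the form must demand before the password is even checked."""
        keys = self._keys(username, ip)
        if any(self._locked_until.get(k, 0) > now for k in keys):
            return "locked"
        if max(self._recent(k, now) for k in keys) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, username, ip, now, success):
        user_key, ip_key = self._keys(username, ip)
        if success:
            self._failures[user_key].clear()   # the IP counter is deliberately kept
            return
        for k in (user_key, ip_key):
            self._failures[k].append(now)
            if self._recent(k, now) >= LOCK_AFTER:
                self._locked_until[k] = now + LOCK_SECONDS


# Constructed test account; the plaintext is only here so the simulation can succeed.
USERS = {"scs": hash_password("correct horse battery staple")}
_DUMMY = hash_password("placeholder")   # hashed for unknown users so timing does not reveal them


def attempt_login(throttle, username, ip, password, now, captcha_solved=False):
    gate = throttle.gate(username, ip, now)
    if gate == "locked":
        return "locked"
    if gate == "captcha" and not captcha_solved:
        return "captcha_required"
    creds = USERS.get(username.lower())
    ok = check_password(password, *(creds or _DUMMY)) and creds is not None
    throttle.record(username, ip, now, ok)
    return "ok" if ok else "bad_password"


def simulate():
    """Constructed attack: one IP guesses at 'scs' every 10 s, solving captchas once they
    appear, then tries the real password while locked, and again after the lock expires."""
    throttle = LoginThrottle()
    ip = "203.0.113.5"   # documentation address, constructed
    real = "correct horse battery staple"
    outcomes = []
    for i in range(11):
        outcomes.append(attempt_login(throttle, "scs", ip, f"guess{i}", 10 * i, captcha_solved=i >= 4))
    outcomes.append(attempt_login(throttle, "scs", ip, real, 110, captcha_solved=True))
    outcomes.append(attempt_login(throttle, "scs", ip, real, 1100, captcha_solved=True))
    return outcomes


if __name__ == "__main__":
    for n, outcome in enumerate(simulate(), 1):
        print(f"attempt {n:2d}: {outcome}")
```

The order of checks matters: the gate runs before the password hash is computed, so a locked or unchallenged-captcha request costs the server nothing and gives the guesser no result to learn from. Counting on both the account and the address is what turns "only shows up with multiple logins" into a defence against both a targeted attack and a spray; clearing only the account counter on success keeps an address that has already burned through many failures under challenge.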
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 07:50 PM
@QuantumSama
Thank you for replying to my thread.
"Increasing max pass length: I agree"
Thanks.
"Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much"
Adding spaces would allow one to use passphrases; please google for further information, as I cannot post offsite links.
"Login Captcha: this exists already but it only shows up with multiple logins"
Oh, okay. I assume that this is sufficient to prevent brute-forcing attempts.
"Captcha on settings change: doesn't add any security, once an account has been hacked captcha won't stop someone from making changes"
That's true. However, it might help to enter in a second, different PW to alter sensitive account settings.
"Dissallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer"
This would be an optional feature for those who could use it effectively.
"Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering question grants access to account."
Ah, I see.
"Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. requiring a user to enter pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it."
That is true. However, if you were required to enter in a second, different password, it might help.
"Additional login verification: maybe as a one time per device thing might be ok but makes it more inconvenient. Wouldn't work if user doesn't have an email."
Perhaps it could be an optional feature, to make it so that no one would be inconvenienced.
"Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional."
I agree; I listed this one under the optional features in my post.
"The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases."
I agree. However, these features could really help users who are at a higher risk of having their account broken into, such as infamous users, famous users, moderators, and administrators.
10 Jul 2012 07:58 PM
What if we made the e-mail verification absolutely necessary? If you discover your account was hacked, then you could just reset the PW. If you give your PW out it would still be possible to recover the account. I don't know how idiotic you must be to give your PW out, but you'd still have your account.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:00 PM
@Negativeone
I see where you're coming from, but I think the issue with that idea is that many Roblox users may not have one.
10 Jul 2012 08:00 PM
QuantumSama only replies on threads made by SCS.
Biased much?
10 Jul 2012 08:02 PM
True, but their parents most likely do.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:06 PM
@Negativeone
That is true. However, many people may not know what their parent's one is, or if they do, they may not be allowed to use it.
10 Jul 2012 08:13 PM
I actually like most of them.
SCS
Joined: 24 Jun 2008
Total Posts: 10075
10 Jul 2012 08:15 PM
@TheLuckyScripter
Thank you.