
SCS
Forum Moderator
#72054504 Tuesday, July 10, 2012 11:36 PM GMT

In this post, I will list several things that the Roblox Developers could add to make our accounts more secure. Some of these features may be too complicated for some users, so most of them will be optional.

NON-OPTIONAL FEATURES:
- Increase maximum P W length to 50, and allow spaces so that P phrases can be used
- Enter in a captcha upon login
- Enter in a captcha when altering sensitive account settings
- Disallow anyone else to log into your account when you are logged into it
- Require you to enter in a security question, and then require you to provide the answer whenever logging in, or changing any sensitive account settings

OPTIONAL FEATURES:
- Enter in a second, different P W and a captcha whenever transferring group ownership and/or exiling someone from your group and/or deleting or selling any of your items and/or upgrading or downgrading your membership status and/or deleting anyone from your friends or best friends list and/or using the currency exchange and/or buying anything (The reason I put "and/or" between each option is that, due to the fact that this would be an optional feature, you could set your account to require a second P W to be entered when doing one or more of the things above that you select.)
- Set your account to recognize the location that you login from the most, and disallow any logins from unrecognized locations
- Require a two-step verification upon login. Step one: enter in your main P W. Step two: enter in a verification code sent to you by the method Google uses. (OPTIONAL: Step three: enter in your second P W as described earlier on in this post)
- Automatically log out every set interval of time that you select
Aleezybaby0
#72055139 Tuesday, July 10, 2012 11:42 PM GMT

There has to be a shorter way to explain this.
FrenzoBlox
#72055361 Tuesday, July 10, 2012 11:45 PM GMT

@Aleezybaby0 ikr XD
Defamation
#72055366 Tuesday, July 10, 2012 11:45 PM GMT

This is a game, not a banking site (Chase).
"-Set your account to recognize the location that you login from the most, and disallow any logins from unrecognized locations"
No, I operate off an iPhone 4S; my location varies every minute.
SCS
Forum Moderator
#72056229 Tuesday, July 10, 2012 11:54 PM GMT

@Evelio95 That's an optional feature, you don't have to use it. I grouped my post by non-optional and optional features.
CheesyPita
#72056373 Tuesday, July 10, 2012 11:56 PM GMT

Wut? •1+3+3=7. Your mind is now blown away•
SCS
Forum Moderator
#72056576 Tuesday, July 10, 2012 11:58 PM GMT

@ann510287 What part of my post confuses you?
Negativeone
#72056743 Wednesday, July 11, 2012 12:00 AM GMT

In order of Non-Optionals:
> 50?! That's outrageous! (Hah, it's funny because I'm OBC)
> Captchas are effective against computer programs, not real people.
> -||- (That means same as before)
> I'm currently logged in on two computers
> That's better.
Aleezybaby0
#72057052 Wednesday, July 11, 2012 12:04 AM GMT

There has to be a shorter way to explain this.
SCS
Forum Moderator
#72057066 Wednesday, July 11, 2012 12:04 AM GMT

@Negative One
"50?! That's outrageous! (Hah, it's funny because I'm OBC)"
It would only be outrageous if that were the _minimum_ P W length. That would be the _maximum_ P W length; you wouldn't have to make it anywhere near that long if you didn't want to.
"Captchas are effective against computer programs, not real people."
The point of the captchas would be to prevent brute-force attempts, which use computer programs.
"I'm currently logged in on two computers"
It's an optional feature, you wouldn't have to use it. It would be for people who _could_ use it effectively.
Negativeone
#72057363 Wednesday, July 11, 2012 12:08 AM GMT

I misread maximum for minimum. (My dyslexia) Most account hackings are by use of guessing PWs. The log in thing is under Non-Optional.
Aleezybaby0
#72057446 Wednesday, July 11, 2012 12:09 AM GMT

You're TBC.
Negativeone
#72057487 Wednesday, July 11, 2012 12:10 AM GMT

Aleezy, that was a response to me.
SCS
Forum Moderator
#72057684 Wednesday, July 11, 2012 12:12 AM GMT

@Negativeone
"I misread maximum for minimum. (My dyslexia)"
That's fine.
"Most account hackings are by use of guessing PWs."
This would protect against the rare cases of brute-force attempts. This will be especially useful for famous users, moderators, and administrators.
"The log in thing is under Non-Optional."
Oh, sorry, I thought you were referring to the second suggestion under optional. Well, that could be optional, then.
Aleezybaby0
#72057795 Wednesday, July 11, 2012 12:14 AM GMT

If it's a PW guess it's not a hack... It's a PW guess.
QuantumSama
#72059498 Wednesday, July 11, 2012 12:35 AM GMT

Increasing max pass length: I agree
Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much
Login Captcha: this exists already but it only shows up with multiple logins
Captcha on settings change: doesn't add any security, once an account has been hacked captcha won't stop someone from making changes
Disallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer
Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering question grants access to account.
Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. Requiring a user to enter pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it.
Additional login verification: maybe as a one time per device thing might be ok but makes it more inconvenient. Wouldn't work if user doesn't have an email.
Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional.

The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases.
SCS
Forum Moderator
#72060634 Wednesday, July 11, 2012 12:50 AM GMT

@QuantumSama Thank you for replying to my thread.
"Increasing max pass length: I agree"
Thanks.
"Adding spaces: unnecessary, going from 94 to 95 characters to choose from doesn't help much"
Adding spaces would allow one to use P phrases--please google for further information, as I cannot post offsite links.
"Login Captcha: this exists already but it only shows up with multiple logins"
Oh, okay. I assume that this is sufficient to prevent brute-forcing attempts.
"Captcha on settings change: doesn't add any security, once an account has been hacked captcha won't stop someone from making changes"
That's true. However, it might help to enter in a second, different PW to alter sensitive account settings.
"Dissallow login while you are logged in: Would prevent you from logging in if you had logged in on a different computer"
This would be an optional feature for those who could use it effectively.
"Security question: good for account recovery, not great for account settings since a hacker can already do a lot without changing account settings. Could potentially add new attack vectors if answering question grants access to account."
Ah, I see.
"Require P/Captcha for more actions: Captcha doesn't add security if someone already has access to the account. requiring a user to enter pass on sensitive actions only helps if you left your account logged in somewhere and someone came across it."
That is true. However, if you were required to enter in a second, different P W, it might help.
"Additional login verification: maybe as a one time per device thing might be ok but makes it more inconvenient. Wouldn't work if user doesn't have an email."
Perhaps it could be an optional feature, to make it so that no one would be inconvenienced.
"Auto logout: minor security improvement and minor inconvenience. Might be ok if it were optional."
I agree; I listed this one under the optional features in my post.
"The vast majority of hacked accounts are from people that were tricked into giving out their pass or gave it to a friend. Never give it out to anyone, or enter it into any site other than Roblox.com. These methods won't really help in those cases."
I agree. However, these features could really help users who are at a higher risk of having their account broken into, such as infamous users, famous users, moderators, and administrators.
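As an added illustration of the spaces-versus-passphrase disagreement in the two posts above (this is not code from the thread), the Python snippet below compares the entropy of a random password drawn from 94 or 95 symbols with that of a word-based passphrase, and checks how many words fit under the proposed 50-character cap. The 7776-word dictionary size is an assumption, not something the thread states.

```python
import math

# Alphabet sizes as counted in the thread: 94 printable ASCII symbols
# without the space, 95 once the space is allowed.
PRINTABLE_NO_SPACE = 94
PRINTABLE_WITH_SPACE = 95
# Assumed passphrase dictionary size (the common 7776-word Diceware list);
# the thread does not specify one.
DICEWARE_WORDS = 7776


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits of `word_count` words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def space_as_symbol_gain(length: int) -> float:
    """Extra entropy from treating the space as one more symbol of a random
    password (the 94 -> 95 framing). This stays tiny at any length."""
    return (random_string_bits(PRINTABLE_WITH_SPACE, length)
            - random_string_bits(PRINTABLE_NO_SPACE, length))


def words_for_target(target_bits: float, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of dictionary words reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def max_words_under_cap(avg_word_len: int, max_len: int = 50) -> int:
    """Most space-separated words of `avg_word_len` letters that fit in a
    password field capped at `max_len` characters (the proposed 50)."""
    return (max_len + 1) // (avg_word_len + 1)


if __name__ == "__main__":
    eight_char = random_string_bits(PRINTABLE_NO_SPACE, 8)
    print(f"8 random chars from 94 symbols: {eight_char:.1f} bits")
    print(f"gain from the space as a 95th symbol: {space_as_symbol_gain(8):.2f} bits")
    n = words_for_target(eight_char)
    print(f"{n} dictionary words: {passphrase_bits(DICEWARE_WORDS, n):.1f} bits")
    print(f"words that fit in 50 chars (6-letter avg): {max_words_under_cap(6)}")
```

The point the numbers make is that the space matters as a separator that lets a multi-word phrase exist, not as a 95th symbol; a longer field cap is what makes such a phrase fit.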
Negativeone
#72061317 Wednesday, July 11, 2012 12:58 AM GMT

What if we made the E-mail verification absolutely necessary? If you discover your account was hacked then you could just reset the PW. If you give your PW out it would still be possible to recover the account; I don't know how idiotic you must be to give your PW out. But you'd still have your account.
SCS
Forum Moderator
#72061445 Wednesday, July 11, 2012 1:00 AM GMT

@Negativeone I see where you're coming from, but I think the issue with that idea is that many Roblox users may not have one.
Aleezybaby0
#72061456 Wednesday, July 11, 2012 1:00 AM GMT

Quantamsama only replies on threads made by SCS. Biased much?
Negativeone
#72061637 Wednesday, July 11, 2012 1:02 AM GMT

True, but their parents most likely do.
SCS
Forum Moderator
#72061926 Wednesday, July 11, 2012 1:06 AM GMT

@Negativeone That is true. However, many people may not know what their parents' one is, or if they do, they may not be allowed to use it.
TheLuckyScripter
#72062522 Wednesday, July 11, 2012 1:13 AM GMT

I actually like most of them.
SCS
Forum Moderator
#72062707 Wednesday, July 11, 2012 1:15 AM GMT

@TheLuckyScripter Thank you.
TheLuckyScripter
#72063392 Wednesday, July 11, 2012 1:24 AM GMT

@SCS Anytime.
