How to Keep Your Account SECURE!

Hello!
I’ve notice more compromises targeting developers since 2020 begun, now coming into 2021.

Today I’m going to be discussing about how you can keep your account secure, at different levels, general account safety, do’s and don’t do’s,
and more.

Before we start, you should check out this topic about logging, as well as security tips!: Cookie logging explained

Let’s start!


Account Security

First of all lets go over the 4 big steps to security:

  1. Have a secure password, don’t use something like “password” or your birthday, no, it should also use different types of characters, special characters, spaces+periods+underscores, numbers, letters, etc.
  2. Have a secured verified email, I recommend gmail, and you should have a recovery email for the email account you verified your account with.
  3. 2-step is always necessary.
  4. You should always have an account pin, as this makes it so no one can change you settings without this. Do NOT use something easily guessable like 1234, or 0000. Use something specific and private, maybe an important date, or a special code, whatever you chose though, make sure that it is not public, nor do people know about it, as it will be easily guessable.

Now lets get into different levels of security.


We’re going to start at a newbie level for security, take this as more of a bad security example:

"You should have a password with letters and numbers, being at least 4-6 characters long.

Next you should have a secure email account to verify your account, along with 2 step.
Lastly you should have a secure pin." (That security is horrible, don’t EVER use something like this).

Now you see, that is horrible security, and such will put you at risk.
I’m going to list somethings, and if you fall into one of these, you should update your security (by the way staff I’m not asking for peoples info on their passwords someone recommended this, and these questions are for users to ask themselves, as if they match then they need to boost their security which is what this post is about.):
Do you have a password under 8 digits?
Does you password not use special characters or a mix of letters and numbers?
Is your Roblox password being used commonly in other sites?
Have you verified your account?
Is your email that verified your account at risk?
Is 2 step disabled?
Do you not have a pin?
Does your pin match something like 1234, 0000, or a public date/code/number?
Do you apply to any of these? If so, it looks like it might be time for a security boost. Lets move ahead!


We’re gonna have 3 more segments, being average, advanced, and what I call “BATTEN DOWN THE HATCHES mode”.


Okay lets get to average.
First off, you should have a pretty tight password, using letters, numbers, capitals and lowercases, and spaces+periods+underscores, or other special characters being around 8-12 digits (on average). This password shouldn’t be used anywhere else.
You should have verified a SECURE email that also has a unique password and is not at risk.
I recommend gmail as it is the most modern and secure type to my knowledge.
Also verify it with your phone number.
Lastly, get a secure pin that isn’t something stupid like 1234 of 0000.

Now one again, I don’t recommend this security set up, as it is quite basic and can be bypassed, although many users use a security set up like this.

Now that is for an average player not at risk, lets move up to advanced!


So maybe you need a lot of security, your getting attacks or your account is valuable, or maybe your just interested in keeping you account as safe as possible. Lets go to advanced.

Your gonna need a secure unique password with letters, numbers, spaces+periods+underscores, capitals and lowercases, and special characters (like “*”, “]”, “@”, “&”, “#”, or a very important thing is having multiple “S”'s, but using dollar signs for some, “$”), being at least 16 digits long. This password shouldn’t be used anywhere else.

Next you need to make a new email account to verify your account, don’t let anyone know of this account, don’t ever have it signed in, don’t use the email account anywhere else, this email is only for Roblox. Don’t use the same password, however you should follow the steps above for the password.
Use gmail, and you can use your main as a recovery for that email, however make sure it is entirely breach free, if you want to be more secure, make a new account with another unique password as a recovery email to that account, and then make that one’s recovery your main, after that you shouldn’t keep going though as it isn’t going to tighten anything much more. If you wanna go the extra extra mile then make those accounts with different phone numbers.
Next, verify your phone, and to go the extra mile use a different phone number from the emails.
Then, turn on 2-step,
Lastly, make a secure unique pin, I don’t wanna see an account get compromised with 1234 on the pin, I know about half of you have something like 1234, 0000, 4321, 1111, it just doesn’t work.

Now we move on to BATTEN DOWN THE HATCHES mode (lol).


Alrighty its time for lets say you’re a big developer, front page game, and you’re constantly being attacked.
Then one is pretty much advanced mode, just with more external features.

Your gonna need a secure unique password with letters, numbers, spaces+periods+underscores, capitals and lowercases, and special characters (like “*”, “]”, “@”, “&”, “#”, or a very important thing is having multiple “S”'s, but using dollar signs for some, “$”), being at least 24 digits long. This password shouldn’t be used anywhere else.

You’re likely going to need some external security meaning a password pin that changes every 10-60 seconds using a OTP Software, and 2 UCF keys (or a physical chip needed, meaning no one can get in with those keys/chips)

Next you need to make a new email account to verify your account, don’t let anyone know of this account, don’t ever have it signed in, don’t use the email account anywhere else, this email is only for Roblox. Don’t use the same password, however you should follow the steps above for the password. Have 2 step for this email, a password pin that changes every 10-60 seconds using a OTP Software, and 2 UCF keys (or a physical chip needed, meaning no one can get in with those keys/chips).
Make a new email account with another unique password as a recovery email to that new account that verified your account, and then make that one’s recovery your main, after that you shouldn’t keep going though as it isn’t going to secure you much more. If you wanna go the extra extra mile then make those email accounts with different phone numbers.
Next, verify your phone, and to go the extra mile use a different phone number from the emails, however if you can’t afford 3 phones just for Roblox and 2 emails then don’t and just use your normal phone
Make sure you have phone verified.
(Just keep in mind that this stuff about phone numbers, phone numbers aren’t private, so you shouldn’t rely on a phone number to secure your account, although it should at least be verified to your account).

Then, turn on 2-step,
Lastly, make a secure unique pin, I don’t wanna see an account get compromised with 1234 on the pin, I know about half of you have something like 1234, 0000, 4321, 1111, it just doesn’t work.


A good video about this type of security is here: [REDACTED LINK]


Privacy Settings

If you go to settings image,
Privacy

,
you’ll notice a segment about your inventory, and who can see it.
If you’re not a trader, this should be set to either friends or nobody, as this’ll make you a lot less appealing to compromisers who beam people (which is where they password guess or PG you by using brute forcing [which brute forcing is where people use softwares that make random combos of characters and try to see if its your password] and sell all your limiteds for very cheap).






Cookie Logging

This is info on cookie logging, which you should also read this post about it: Cookie logging explained (a lot of the info below is based off of this topic).


Cookie Logging Details

You’ve probably heard of Cookie Logging, if you haven’t allow me to explain.
Cookie Logging is when a backdoor is executed and takes your cookie info, which the most important one for compromisers is your ROBLOSECURITY code, as well as your RBXID, RBXSESSION, and other important cookies.

Lets go over some of these things, this isn’t meant to scare you, this is only to inform you :slight_smile:!


1st, never, ever, ever send over anything labeled as a HAR file to anyone. These files contain a lot of info including internet activity, cookies, and more. This commonly happens in commisions.

2nd, don’t use inspect when you don’t know what you’re doing. Sometimes you may right click and hit inspect or Ctrl+Shift+I, and it should bring you to “Elements”, and that is usually fine to play with, just be careful. However, don’t mess with anything else, specifically copying network selection or copying/pasting in console.
These are harmful codes that will steal your cookies and worse.
If you don’t know what it is, does, or what you’re doing, just stop right there.

3rd, Don’t download things that seem sketchy, this is very common on Discord and malicious websites.
Not only can this cookie-log you, but these will also download viruses on your computer and ruin everything. You should also not click links from media, to check these links you should run them in a safe site checker, however it is usually easy to see if they’re a malicious link just from it’s appearance (also on Discord don’t click images attached by a link as these can be advanced loggers).

4th, do NOT enter any code looking stuff in your URL box. These are usually malicious JavaScript codes that will steal your cookies. These are commonly found on YouTube videos that promise that a code will do this really cool feature.

5th and final, don’t even mess with your ROBLOXSECURITY or RBXID (or ROBLOXSESSION) information/codes without know what you’re doing. These are included in HAR files, and you should NEVER share these.


So, now you know what a cookie-logging could look like, and how to stop it.
Now lets say your in a conversation and someone is asking for this info, in this case you need to report them to the platform (example Discord), and leave the conversation, as these people are trying to steal your account and scam you.


Have you been logged, but never fell for one of these? There is a good chance that it could be an add-on/extension. We’ll get on to trustworthy extensions in a bit, but if this happens you need to uninstall your extensions.

Also, it is always good to everyone now and then clear your cookies (this will log you out of the DevForum.) and on Roblox go in settings and sign out of all other sessions.


Here is some other useful information that was from the other post:

(All the info in the quote came from the post about cookie logging that I highly recommend that you check out, made by @VoidedBlades


Other Information

Browsers can be hard to pick from.
Google/Chrome use a ton of memory/RAM, and their known for their tracking.
Opera has a past activity, although OperaGX is ran by a different team and includes a free VPN, ad blocker, a lot of customization, and is built for gaming.
Edge and Safari are kind of just browsers that are there, I don’t recommend them because neither have any benefits.
My personal recommendation is FireFox by Mozilla. FireFox doesn’t have strange shady things going on, it is feature filled, private, and Mozilla is a very respected and honest company.
There are multiple types of FireFox, and I use FireFox Developer Tools as it’s basically FireFox, but with more programming uses.
Normally I balance between Chrome and FireFox DT, as I’m used to Chrome and it’s very sleek design, but also FireFox DT, and sometimes I use OperaGX.


Extensions:

Here are some extensions are trusted, however you should limit your extensions as these increase your risk, no matter what it is.

  1. Roblox+ [REDACTED LINK]
    Roblox+ is an extension that is very useful, and has over 1 million users!
    Many large influencers including Star Creators, big developers, big trades, even staff, and many more people use this. It was actually created by a Roblox intern, named WebGL3D.

  2. BTRoblox [REDACTED LINK]
    BTRoblox is an extension that makes Roblox easier, customizable, and more useful in general.
    You can make ads not show, you can go to legacy theme, you can see how much money it costs you for something and how much is pays someone, etc.

Other: Lets start with Roblox Stats/Statistics; There is 2, neither seem to be backdoors, but they both have huge issues.
Let’s start with Roblox Stats, made by a top dev named AlreadyPro, who also created the load character plugin, one of the most used ones in fact.
You see, you apparently have to buy a shirt for it to even work, and it is broken.
The other one made by “Kohl”, is one that is more popular and liked, but it is deprecated, as Roblox made an update making sales private, so when you check sales of thing it just says “0”, same goes for Robux earned. Either way, other extensions are better, have a built in stats system, and more features, so these are not worth it.
Next: Theme extensions. Big problem, there are none that are really made for Roblox that either aren’t big, don’t work, or seem shady, and once again other extensions can be used for themes (like BTRoblox), so don’t get any of these Roblox theme extensions.
Finally for a more controversial one, however let me explain (you probably already know what this is gonna be lol)
RoPro, it is a very good and useful extension, however if you’re interested in installing it, you need to wait a bit till it is confirmed that the plugin is safe. Basically what happened was that a backdoor got into the extension, and people used dangerous XSS code to activate the backdoor, giving them peoples ROBLOXSECURITY code, and beamed their accounts.


Other Information

Make sure to do your own research on account security as well!
Account Security PSA, https://en.help.roblox.com/hc/en-us/articles/203313380, and there are YouTube videos of account security (I recommend checking out one made by Fave, not linking as it is off-site).


Suggestions to Roblox for security: (All Optional)

  • Pin that changes every 60 seconds or a Software OTP.
  • Make it so that you can choose what the account pin can be used on, and add things like spending Robux or deleting/reselling/trading items.
  • Maybe like you can choose that only certain devices or email accounts can login to your account, like if someone stole you password they can login from their computer, but if a user has it set so the account and only be logged in through their computer then the compromiser can’t do very much.
  • An optional UCF key.
  • QR code verification maybe? (If it works good)
  • You can make account pin longer, like 6-8 digits.

If you have any recommendations that I should add, please tell me through DMs!

11 Likes

This post has been moved from here to here, as it was taken down.
Because comments are disabled on Bulletin Board, DM me for anything that needs change.

Soon there will be a revamp.

5 Likes