If you have email 2SV enabled and use email OTP to log in, you should not be prompted to enter two separate codes from your email twice. If you are encountering a bug, please reach out.
Funny enough, this isn't true. Even though, it appears it should be. It's only easy to crack if you have associating information about someone or you have a brute algorithm strong enough.
Secondly, using a mix of upper case, lowercase, special characters, etc would make it almost infeasible to cram by design.
Since most people usually speak on this topic without providing any proof, allow me to break down the math for you:
Let's just say, you had a password that was 6 characters in length and only had lower case characters. There would be 26 possibilities per character. e.g 26^6 = 308,915,776 possibilities.
Let's say, you wanted to test 1 million passwords a second:
It would take about 308,915,776 / 1,000,000 = 309 seconds / 60 = ~5.1 minutes. Which is reasonable on a fairly powerful, modern machine.
Now, if we take the same amount of digits but, add in special character cases, uppercase letters and numbers, there would be 94 possible characters. e.g the sum of 26 lowercase letters, 26 uppercase letters, 10 digits, and 32 special characters.
If we apply the same math rules to a 6 character password, we'll get 94^6 = 689,869,781,056 possibilities.
If you wanted to try 1,000,000 passwords a second: 689,869,781,056 / 1,000,000 = ~689,869 seconds = ~11,497 minutes = ~7.98 days.
It would take longer to crack because, you'd have to solve captcha constantly, and probably flag the account tries as suspicious. Practicality of this wouldn't make any real sense. Increasing the character limit would dramatically and exponentially lessen the odds of someone cracking it.
If you tie everything to your email, all someone has to do is crack your email and they have everything already.
Unfortunately, even with all this, the root of the problem is and will always be stupid people that trust malicious, seemingly too-good-to-be-true intentions. You can mitigate risk but, you can't stop a person who willingly gives their info to the wrong person.
Shorter passwords is a generalization.
Of course password length and character difference matters, but you should know before-hand not to use easy passwords but to mix characters.
Lastly, like you've mentioned, websites have captchas and IP ratelimiters / account. Still, just like in any, for example, developing context, you should strive to protect your password as much as you can, as if the captcha and ratelimiter wasn't present even though it is, think of it as developing a game with Hyperion anticheat present, it will lessen the odds of exploiters, but that doesn't mean you shouldn't be careful.
In conclusion, a shorter password with a mix of special characters would be 99% of the times less secure than a long password with a similar mix of special characters.
The reason for my post is to tell people to protect their emails since it's becoming the tool used for any website (i mentioned natural selection as a joke, adaptation).
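The keyspace arithmetic in the post above (26^6 at one million guesses per second versus 94^6) generalises to any alphabet size and length, and the "exponential" effect of adding characters is easiest to see when the same calculation is run across several lengths. The following is an added example, not code from the thread or from Roblox; the alphabet labels, the length list and the guess rate are constructed for illustration, and the 94-character alphabet is the post's own 26 + 26 + 10 + 32 breakdown.

```python
"""Keyspace, entropy and exhaustive-search time for passwords of a given
length and alphabet (added example; not from the original thread)."""
from math import log2

# Alphabet sizes as described in the post (labels constructed here).
ALPHABETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "all printable ASCII": 94,  # 26 + 26 + 10 + 32 symbols
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every password at a fixed guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years .. seconds)."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(guesses_per_second: float, lengths=(6, 8, 10, 12)):
    """One row per (alphabet, length): keyspace, entropy and search time."""
    rows = []
    for label, size in ALPHABETS.items():
        for n in lengths:
            rows.append({
                "alphabet": label,
                "length": n,
                "keyspace": keyspace(size, n),
                "bits": round(entropy_bits(size, n), 1),
                "time": human_duration(seconds_to_exhaust(size, n, guesses_per_second)),
            })
    return rows


if __name__ == "__main__":
    # The post's figure: 1,000,000 guesses per second (constructed rate).
    for row in crack_table(1_000_000):
        print(f"{row['alphabet']:<28} len={row['length']:>2} "
              f"{row['keyspace']:>28,}  {row['bits']:>5} bits  {row['time']}")
```

Running it reproduces the post's two figures (about 5 minutes for 26^6 and about 8 days for 94^6) and shows that each extra character multiplies the search time by the alphabet size, so two more characters from the full alphabet add more time than switching alphabets does at the same length. The guess rate is the variable a defender controls online (rate limiting, captcha, lockout); the length and alphabet are what the user controls.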
This feature does not bypass 2SV by Authenticator App. You will still be required to input your code after the email OTP code if you have 2SV by Authenticator App enabled. If you are concerned about the security of your email provider, we suggest you review your security settings and adhere to their recommendations.
Thanks. This is an extension of our previous account recovery flows. Instead of having the user reset and remember a novel password, they can login and play with their friends.
If you have enabled 2SV by Authenticator App, then you will need to enter 2 different codes: 1) Email Login OTP Code 2) 2SV by Authenticator App Code.
If you have enabled 2SV by Email, then you will not need to enter 2 different codes. Your Email Login OTP Code is sufficient.
Roblox has multiple kinds of communications with users via email. You may have received an email notification for your login with IP information. To learn more, refer to the security email notification Dev Forum post here: Session Management & Security Email Notifications [Account Security]
I do not care if it still asks for 2FA, give us the option to opt out.