Hello, I’ve noticed how players get hacked from time to time because of their weak passwords. (also because they go to scamming websites but this is not about that). Because they have weak passwords people can easily hack them with bruteforce or other ways. The problem is not only this, but also that they already know your username (because its on your profile)
Solution
My idea was to let players login with their e-mail instead of their username. This way hackers would need to know the player’s email address first before being able to bruteforce the password.
Great idea, I can think of some workarounds, but it would be a nice option to have as a replacement for usernames
@WebGL3D already has a feature in Roblox plus where you can log in with a previous username, maybe he could add an option for email too, that is if the method is secure.
People can register multiple accounts to one email, at a maximum of 20. You will have to deal with this first before you can log in with an email instead of a username.
There was another, unrelated feature request that suggested utilizing email more, but ultimately email isn’t very user friendly for our (primary) younger audience. Most don’t use email, so it would be awkward for them to use – they may also forget it. Email isn’t something we can incorporate too deep into ROBLOX.
As it’s been stated on this thread already, people can register multiple accounts to the same email address. Each account has its own password.
This means we would need to associate many passwords to the same email address, so we can’t do your typical login with that.
A solution I can think of (for this idea) is having the user choose the account from a list of users associated with the password that was used during login. I personally would not like to see this, as it makes login more complicated.
On the other hand, I honestly don’t see what advantage this would have in terms of security. People who try to gain access to accounts have come from seeing them in-game or on the website.
So what I feel that you’re asking for is to have usernames made more private, which is obviously ridiculous.
My suggestion is to raise awareness of online safety when it comes to account passwords, such as a cool advice box during registration or a recurring notification to change your password every so often.
Regarding the topic; With the userbase ROBLOX has, making them sign in via email wouldn’t be smart, not to mention all of the old accounts that are linked to the same email.
At the end of the day, a 6 year old most likely won’t know/remember their parents email when they decide to sign on, but they’ll remember their username. Although I understand there are some benefits, it’s still limited imo and not worth it in the long run. Enable 2FA if you are really that concerned with being brute forced. 2FA is next to impossible to breach, I’ve seen users know the users pw, email, etc, but unable to get into the account because of 2FA.
Hold up. This could possibly allow people with multiple accounts to login to each account easier. Maybe when logged in with Google, Roblox could list all of the accounts you own on a dropdown and once you click the account you log into that account.
2SV/2FA is your friend, as well as a password generating site (like randomkeygen). Document your password somewhere secure or on paper in real life so you can remember it. Logging in with an email as opposed to a username is troublesome as multiple accounts can be registered under that username and once your email is found, it becomes as easy to break in as it is with a username.
My personal set up is that I have 2SV on my ROBLOX, 2FA on my EMail and a phone locked with a pin and my finger print.
I kind of don’t agree with putting emails out there like that.Think of it this way, account trading/account phishing. If this happens then the person now has access to the other users email. They could basically go into settings and change everything. With usernames as login you prevent anyone from seeing your email. The email is filtered with stars in the settings page if I do remember as well. Roblox must have a reason for not doing this in the first place.
Honestly I feel like if we want to prevent bruteforcing the passwords we simply need stronger password requirements. Using emails is going to:
Cause a lot of problems for people who already have a ton of accounts on one email address
Encourage phishers, scammers, and hackers, to find kids’ email addresses.
You can’t stop account theft. People will find a way to lie to little kids. They would give these people their email addresses. I feel like this is an inevitability that should be avoided.