PSA: Keep Your Account Safe

Hello developers,

As account scamming tactics evolve, we remain ever-vigilant in promoting good account security practices. Here are some good tips to follow on keeping your accounts secure:

  • If two-factor authentication (2FA)/two-step verification (2SV) is available, use it. Enabling 2FA/2SV gives you a second line of defense against a malicious user attempting to access your account. While we understand that having to verify yourself twice over can be tedious, the extra step is worth it to protect your account against unauthorized access.
  • Use unique passwords for all accounts. One of the easiest ways you can get your accounts stolen doesn’t even have to involve you. When you sign up for a website using a password, you’re effectively trusting that website to have impenetrable security that will never allow malicious people to access your account information. This is not always the case, and many notable security breaches back this up. Think of your passwords like keys: if you use the same password for every website, you’re effectively creating a bunch of copies of the same key; if someone steals that key, they can get into anything that key is used for! Unique passwords are one of the most important practices in keeping everything secure.
  • Roblox admins will never ask you for your password! Anyone who asks you for your password is trying to steal your account and should be reported through the Report Abuse button.
  • Do not give your cookies to other people. One popular form of stealing accounts through social engineering involves the victim giving up their cookie data. This is like giving the attacker access to your account directly. If somebody asks you what your .ROBLOSECURITY cookie is, they’re trying to steal your account!
  • Protect your personal information. Any information you share via digital communications has the chance to wind up in the hands of someone else; sharing things like your address and phone number is ill-advised. If people start asking you about your life, like old pet names or your birthday, and you don’t know why, they are likely phishing for information they can use to guess your passwords.
  • Be careful when downloading browser extensions. There are many browser extensions that will steal your account or could be otherwise harmful to your computer. You should only download browser extensions from trusted sources.
  • Roblox customer service may ask you to verify partial account or billing information if you need assistance with your account or a request submitted via our official support form here: Roblox Support. Roblox employees will never ask you for your password or full credit card information. Roblox employees with an admin badge on the Roblox website may reach out to users, via Roblox private messages, to confirm email contact; they will otherwise never ask you for account information.
  • There is no such thing as free Robux or Builder’s Club. Websites telling you otherwise are trying to steal your account.

Read this blog post for more information on how to keep your account secure, as well as this article from our help site.

Think your Roblox account has been compromised? Follow the guide here to figure out how to recover anything that was stolen!

Thanks, and be safe out there,
Developer Relations Team

123 Likes
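The "unique passwords" point above rests on the fact that breached password databases are public and get replayed against every other site. A practical way to act on it is to check whether a password already appears in a known breach dump without ever sending the password (or its full hash) anywhere. The following is an added example, not Roblox's code and not part of the original post; it implements the k-anonymity range lookup that the Have I Been Pwned Pwned Passwords service uses: hash the password with SHA-1, send only the first 5 hex characters, receive every leaked suffix sharing that prefix, and match locally. The `RANGE_URL` and the `User-Agent` requirement are real API details; the response body used in the offline demo is constructed here so the block runs with no network access.

```python
import hashlib
import urllib.request

# Real endpoint for the range query; only used by fetch_range(), which the
# offline demo below never calls.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    """Uppercase hex SHA-1 of the password (the format the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix). Only the 5-char prefix ever leaves the machine;
    the 35-char suffix is matched locally against the returned list."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Tolerates blank lines and padding entries with a count of 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, body):
    """How many times this password was seen in breaches according to `body`,
    the response for the password's own 5-char prefix. 0 means not found."""
    _, suffix = split_hash(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range(prefix):
    """Live query for one prefix (not used offline). The service rejects
    requests without a User-Agent header."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-reuse-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_body(password, count):
    """Constructed stand-in for the API response for password's prefix:
    the password's real suffix with a made-up count, plus two filler lines
    in the same 'SUFFIX:COUNT' shape. Not real breach data."""
    _, suffix = split_hash(password)
    lines = [
        "0" * 35 + ":3",          # made-up neighbour sharing the prefix
        f"{suffix}:{count}",      # the password we are checking
        "F" * 35 + ":0",          # padding-style entry, count 0
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration with a constructed body; swap in
    # fetch_range(split_hash(pw)[0]) for a live check.
    for pw in ("password123", "rocket-boat-twelve-soccer-blame-john-forty-seven"):
        body = constructed_range_body("password123", 1234)
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: sent prefix {prefix}, seen {breach_count(pw, body)} times")
```

The design point is that the attacker-visible information (5 hex characters) narrows the candidate space to roughly 2^140 SHA-1 values, so the service cannot learn which password was checked; the local suffix match is what gives the yes/no answer.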

Having a pin in your account settings adds an extra security barrier, although it may not be intended as such.

48 Likes

This is also true. Especially great if you don’t do things like trading, you can lock them off.

26 Likes


Using actual words as passwords can be STRONGER than just doing some miscellaneous randomness! A good tactic I like to use is memorizing a string that contains 7-10 random words, such as:

rocket-boat-twelve-soccer-blame-john-forty-seven

THEN, for each different website, you use a certain length of your password string based on how secure you need it. For my Roblox, bank accounts, etc. this is typically the entire thing or nearly, while less important accounts only use 2-3 of the words. This way you can use the same password for multiple websites without one being able to breach the other :smiley:

16 Likes

Why am I thinking of some program that randomly generates words, sticks them together and keeps on trying until it succeeds in getting into your account?

2 Likes

There are so many words in the english dictionary that you have a 1/29B chance of just guessing two words.

12 Likes
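The three posts above (the multi-word passphrase with per-site prefixes, the question about a program that just tries word combinations, and the "1/29B for two words" estimate) can all be put on the same footing by counting entropy in bits. The following is an added example, not code from any poster, that generates a passphrase with a CSPRNG and computes how many guesses each scheme costs; it also works out what is left of an 8-word passphrase once a breached low-value site has revealed its first 3 words, which is the case the per-site-prefix scheme runs into. The 16-word list is a constructed stand-in; the entropy figures use `WORDLIST_SIZE = 7776`, the size of a standard Diceware list, which is an assumption about the list a real user would pick from.

```python
import math
import secrets

# Constructed stand-in for a Diceware-style wordlist. A real list has 7776
# words; the entropy figures below use WORDLIST_SIZE, not len(SAMPLE_WORDS),
# so they reflect a real list rather than this toy.
SAMPLE_WORDS = [
    "rocket", "boat", "twelve", "soccer", "blame", "john", "forty", "seven",
    "anchor", "marble", "velvet", "cactus", "lantern", "pepper", "tundra", "quartz",
]
WORDLIST_SIZE = 7776      # standard Diceware list size (6**5), an assumption
PRINTABLE_ASCII = 95      # alphabet size for a "random characters" password


def generate_passphrase(n_words, words=SAMPLE_WORDS, sep="-"):
    """Pick n_words uniformly at random and join them with sep.
    secrets.choice uses the OS CSPRNG; random.choice is predictable and
    must never be used for passwords."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of n_words independent uniform picks from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def random_chars_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of `length` independent uniform picks from a character alphabet."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(bits):
    """Guesses needed to try every possibility (expected cost is half this).
    This is exactly what the 'program that tries word combinations' faces."""
    return 2 ** bits


def residual_entropy_after_prefix_leak(total_words, leaked_words,
                                       wordlist_size=WORDLIST_SIZE):
    """Entropy left in a total_words passphrase once its first leaked_words
    words are known, e.g. because a low-value site that was given the short
    prefix as its password was breached and the attacker read it."""
    unknown = max(total_words - leaked_words, 0)
    return unknown * math.log2(wordlist_size)


def compare(guesses_per_second=1e10):
    """Bits and years-to-exhaust for each scheme at an assumed offline
    cracking rate; returned as a dict so it can be checked, not only printed."""
    year = 365 * 24 * 3600
    rows = {
        "2 words":           passphrase_entropy_bits(2),
        "8 words":           passphrase_entropy_bits(8),
        "12 random chars":   random_chars_entropy_bits(12),
        "8 words, 3 leaked": residual_entropy_after_prefix_leak(8, 3),
    }
    return {name: (bits, guesses_to_exhaust(bits) / guesses_per_second / year)
            for name, bits in rows.items()}


if __name__ == "__main__":
    print("generated:", generate_passphrase(8))
    for name, (bits, years) in compare().items():
        print(f"{name:20s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

Two things fall out of running it: two words from a 7776-word list give about 25.8 bits (roughly 60 million combinations, a trivial search for offline guessing), while eight words give about 103 bits, more than twelve fully random printable characters; and once three words have been leaked from a site that got the short prefix, the remaining five words are worth about 64.6 bits, so the "same string, different lengths" scheme loses strength on the high-value account every time a low-value account is breached.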

When I’m creating a password, I like to think of a random word and some numbers and then basically see how much I can combine the two in such a way that’s extremely hard to guess, such as random capital letters. While it takes a while, it’s honestly really effective.

I just rely on good old German passwords; there aren't as many German password guessers and hackers as with many other languages … not to mention most letters on my keyboard don't exist on the majority of other keyboards :smiley:

But anyway, I also suggest combining a lot of lower- and uppercase letters, but in a very random pattern, plus using uncommon symbols and letters from other languages …

7 Likes

And if you mix those two words in different languages with, say, another 3 words and a random gibberish word too, it would be a great password :wink:

Could tell people that there are fake extensions out there; some people will think it’s a legitimate extension, then proceed to download it, which would result in the attackers gaining access to their details.

1 Like

I tend to use a KeePass database; it makes random passwords and stores them in an encrypted database.

Same one that has had 3 vulnerabilities in the past 5 years? :frowning:

3 Likes

Banned for posting compromising info.

Anyway, protip: Have a password that’s over 40 characters long with all kinds of caps and special characters, and store it in an unmarked notepad file on your computer. Impenetrable vault.

Useful for people like me with 30+ different accounts.

4 Likes

The biggest pain I’ve had with remembering multiple passwords is that I have to type them on a mobile device. If I’m using the multiple word strategy like @SmoothBlockModel is suggesting, then it requires me to enter even more text into a mobile keyboard. Then comes the remembering part, which is more tedious than it seems for a guy with ADHD.

At some point it just feels uncomfortable, overcomplicated, and frustrating. As an industry, I think the internet needs to develop something that is not only far more secure, but extremely easy to use. SMS is promising, but it’s hard to say if it’s the best way to deal with it, because we’re putting our trust in our provider. I’ve looked into stuff like LastPass and I think I’m going to start using that if I so must.

I know I’m making myself vulnerable just by saying that I’m lazy when it comes to putting 20,000 locks and barriers on my stuff. If that’s the push I need to amp up my security, so be it, but I wish it wasn’t such an annoyance for me to setup and deal with.

5 Likes

Just a note on this: not all “Free Robux” websites try to steal your password; some are just trying to get you to do surveys, making the website money.
Either way, never believe them.

4 Likes

For passwords I use Apple’s built in password generator in Safari on iOS and macOS. It saves all of my passwords that I generate, and even the ones that I don’t. Can also view them easily in Keychain Access or on an iOS device in Settings.

2 Likes

But in case something happens to that computer, then you would lose all your passwords. Better to stick with 5 memorable passwords that contain an uppercase, lowercase, number, and symbol combination of 8+ characters and alternate between them.

It isn’t tied to your computer. Your keychain is shared across your iCloud account.

Still, I find it too risky for you to have a generated hash-like password for every website. Yes, it provides security, but it sacrifices too much ease of access. There is a little chance that someone would be able to guess your password; hacking often involves getting the password completely through a cheat or cookies etc. Since you’re using the Apple-generated ones, what would you do if you moved to Chrome?