Remove "password" from the blacklist

The only thing blacklisting “password” does is make it more difficult for sincere people to educate others about account theft. If someone is after another person’s password, all they have to do is remove one letter and spell it “pasword” or refer to it as their “login info” if they want to sound professional – blacklisting it does not help keep people’s accounts safe (if you wanted to do that you should focus on 2-factor authentication, especially with all of the dev member accounts being taken as of late) and the only thing it accomplishes is annoying people who have good intentions. “Password” should not be on the blacklist.

21 Likes

Thank you so much for this.

We’re not going to remove “password” from the blacklist until we have a solid algorithm for detecting if the person is phishing or not. We’re working on it. I’m not going to say soon_tm yet though.

5 Likes

Thank you for the response, but blacklisting “password” doesn’t help stop phishing in the slightest. There’s no reason to blacklist just that word when a letter can just be removed and you’re good to go. I look forward to the phishing detection algorithm, but “password” should be removed from the blacklist even before it’s finished because blacklisting it does more harm than good.

1 Like

How so?

If you can remove a letter to say it in a bad way, then you can do exactly the same in a good way.

People who want to steal accounts aren’t going to be deterred by having to change a letter. Having to review what you say when you’re trying to teach someone about account security to make sure you spell “password” “pasword” is just a nuisance and we’re not as dedicated towards teaching people about account security as phishers are about taking accounts – why bother when ROBLOX is just going to make you jump through hoops? You end up with less people helping educate players about account security because it ends up being annoying.

Source: personal experience

I think you’re just lazy. “Account login” works just as good.

Yes, I am. So are the 13 people who liked the OP (which is on the higher end of like counts). We’re too lazy to educate people about account security and certainly are nowhere as dedicated as the people who take accounts away from their rightful owners. This is precisely why blacklisting “password” does more harm than good. Account thieves aren’t turned away by something like that, but the rest of us couldn’t be bothered to educate fellow users about account security if we’re going to have to jump through hoops. Blacklisting “password” does nothing but harm the people it’s meant to protect.

2 Likes

But how will I sound like a wizard if I don’t say “word of passage” instead of ********?

3 Likes

Do you have any idea how hard it is to talk about the ******* for my office, I mean come on, I cannot tell someone the ******* if it's *******. It'll just get censored out! Geez, it's so hard being the boss of my small guest family when most of what we say is censored or limited to the safe chat.

In all seriousness, I think it's stupid to have the word blacklisted as it's not used just for stealing accounts but in everyday conversations as well, /sarcasm/ especially in clans and groups that have those high security doors that use words or phrases over 4 digits. /sarcasm/

1 Like

-13 users have a whitelist to prevent themselves from giving out personal information

ROBLOX should just do what Runescape does and add the users password to their own personal blacklist.

Means you need to enforce that passwords cannot be words otherwise context may give away passwords

Passwords require numbers in them so that wouldn't be an issue.

Someone suggested this in the past, and a staff member responded that to do this they’d have to give the game their password (which they don’t currently do) for it to know to blacklist the password, and doing so would open up a lot of vulnerabilities or something.

ROBLOX (probably) doesn’t know your password and they shouldn’t, they only know the hash of your password. (That’s the way it should be and is usual for websites, by the way.)

They can’t just add your password to the blacklist because they don’t know it. They would have to hash every individual word of your chat to see if it matches your password hash, and since the hashing algorithm is (for security purposes) designed to be inefficient, that’s not feasible. Furthermore, if I accidentally type my password without a space on each side, such as “password=[mypassword]”, then everyone can still see it if the chat is hashed on a word-basis, so it would even have to be on a substring basis. So you would need to hash N(N+1)/2 substrings (not taking into account optimizations) for each chat of length N to fully prevent people from chatting their password.

And then, what if I put spaces between the characters of my password? The problem continues…
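The cost argument in the post above, as an added example that is not part of the thread: a per-account password hash built with a deliberately slow KDF, a word-basis check, and the substring-basis check that needs N(N+1)/2 KDF calls for a chat line of length N. The password, salt and iteration count are constructed for the example (the iteration count is kept low so it runs quickly; real sites use far more).

```python
import hashlib

# Constructed example values: one account's stored password hash, produced
# with a deliberately slow KDF (PBKDF2) as the post describes. The password,
# salt and iteration count are assumptions for this example, not real data.
SALT = b"constructed-salt"
ITERATIONS = 10_000  # kept small so the example runs fast; real sites use far more
STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"hunter2x9", SALT, ITERATIONS)


def slow_hash(candidate: str) -> bytes:
    """The server-side password KDF: intentionally expensive per call."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, ITERATIONS)


def expected_substring_count(n: int) -> int:
    """Number of contiguous substrings of a string of length n: N(N+1)/2."""
    return n * (n + 1) // 2


def substrings(text: str):
    """Yield every contiguous substring of text, shortest-first per start index."""
    n = len(text)
    for i in range(n):
        for j in range(i + 1, n + 1):
            yield text[i:j]


def leaks_password_by_word(chat: str) -> bool:
    """Word-basis check: hash each whitespace-separated token only.
    Misses 'password=hunter2x9' because the token is not the bare password."""
    return any(slow_hash(word) == STORED_HASH for word in chat.split())


def leaks_password_by_substring(chat: str) -> tuple[bool, int]:
    """Substring-basis check: hash every substring until one matches.
    Returns (match found, number of KDF calls spent), so the cost is visible."""
    calls = 0
    for candidate in substrings(chat):
        calls += 1
        if slow_hash(candidate) == STORED_HASH:
            return True, calls
    return False, calls


if __name__ == "__main__":
    line = "my password=hunter2x9"  # constructed chat line, no spaces around it
    print(leaks_password_by_word(line), leaks_password_by_substring(line))
    print(leaks_password_by_substring("h u n t e r 2 x 9"))  # spaced-out evasion
```

The spaced-out line shows the post's last point: even the full substring scan finds nothing, after paying for all 153 KDF calls.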

You say that like blacklisting “password” actually helps prevent phishing. Might as well blacklist
“account info”, “pasword”, “p4ssword”, “passw0rd”, “pa55word”, “p455w4rd”, “pass word”, “pass”, “login info”, “account code”, “passcode”, “code”, “security pass”, “security info”, “security pass”, “security”, “log code”, “acc code”, “acc pass”, “acc info”.

There’s probably more but that’s all I can think of right now.

“word of passage”

1 Like

Would make it easy to brute-force their password in game: put tons of invisible text on their screen until something is arbitrarily censored.

1 Like