[quote] Help me design an interface where the person, who is already in your account, can’t also change your PIN.
I like the PIN idea. [/quote]
So simple minded… obviously you need to enter the original pin then the new pin and then you need to enter the verification code sent to you verified email…
I do support this idea, though have never been hacked before.
I think that this is a fantastic idea! Adding a pin would remove most of the nonsense surrounding account stealing, and would give some peace of mind to dumb rich people. ("BUT HE OFFURD ME 1001231K RUBUX!!!")
As an idea for the .ROBLOSECURITY cookie… well, I don’t know too much on how cookies – or more importantly verification of cookies – work. But could you not give a unique .ROBLOSECURITY for each session, and maybe send over the user’s IP every page visit or so? Check over the ROBLOSECURITY with the current IP (server side), and make sure its the correct user on the account.
[quote] I think that this is a fantastic idea! Adding a pin would remove most of the nonsense surrounding account stealing, and would give some peace of mind to dumb rich people. ("BUT HE OFFURD ME 1001231K RUBUX!!!")
As an idea for the .ROBLOSECURITY cookie… well, I don’t know too much on how cookies – or more importantly verification of cookies – work. But could you not give a unique .ROBLOSECURITY for each session, and maybe send over the user’s IP every page visit or so? Check over the ROBLOSECURITY with the current IP (server side), and make sure its the correct user on the account. [/quote]
As of what i know, .robloxsecurity is the most known way to get someones account, as you copy the key in it, and the person who is keylogging another is spam pasting it into his own cookies, until he get’s in.
[quote] I think that this is a fantastic idea! Adding a pin would remove most of the nonsense surrounding account stealing, and would give some peace of mind to dumb rich people. ("BUT HE OFFURD ME 1001231K RUBUX!!!")
As an idea for the .ROBLOSECURITY cookie… well, I don’t know too much on how cookies – or more importantly verification of cookies – work. But could you not give a unique .ROBLOSECURITY for each session, and maybe send over the user’s IP every page visit or so? Check over the ROBLOSECURITY with the current IP (server side), and make sure its the correct user on the account. [/quote]
As of what i know, .robloxsecurity is the most known way to get someones account, as you copy the key in it, and the person who is keylogging another is spam pasting it into his own cookies, until he get’s in.[/quote]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page.
[quote]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.
[quote]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.
[quote] [quote=“Nelson” post=12668]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.[/quote]
You can spoof mac addresses.
I don’t think most skiddies will get your MAC address through.
[quote]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
Correct me if I am wrong but I don’t think your ip adress changes between sessions, right? That means that if you encode the ip into the cookie you can check if it is still the same as last time and if it is not log out the user. That’d mean it would log out the user each time he/she reconnects to his network though.
[quote] [quote=“Merely” post=12678][quote=“Nelson” post=12668]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.[/quote]
You can spoof mac addresses.
I don’t think most skiddies will get your MAC address through.[/quote]
We could use the local IP, not the public IP. there’s many IP adresses on your computer.
[quote] [quote=“Nelson” post=12679][quote=“Merely” post=12678][quote=“Nelson” post=12668]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.[/quote]
You can spoof mac addresses.
I don’t think most skiddies will get your MAC address through.[/quote]
We could use the local IP, not the public IP. there’s many IP adresses on your computer.
[quote] [quote=“uyjulian” post=12681][quote=“Nelson” post=12679][quote=“Merely” post=12678][quote=“Nelson” post=12668]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.[/quote]
You can spoof mac addresses.
I don’t think most skiddies will get your MAC address through.[/quote]
We could use the local IP, not the public IP. there’s many IP adresses on your computer.
computer IP.
Public IP that websites use. IPV4/6[/quote]
What happens if you move or get a new router?[/quote]
Then it logs you out, and you log in again and get a new session cookie.
[quote] [quote=“Master3395” post=12684][quote=“uyjulian” post=12681][quote=“Nelson” post=12679][quote=“Merely” post=12678][quote=“Nelson” post=12668]
That is why I was proposing that they would be session/network specific, the scammer would be unable to log onto your account. The server would compare your .ROBLOSECURITY cookie with your IP, see that it was incorrect, and not authenticate your access to the page. [/quote]
That was considered at one point, but it turns out a lot of people have dynamic IP addresses.[/quote]
What about your MAC address? I honestly don’t know jack about them, but somewhere I read that they are machine-specific. In fact, ROBLOX is already sending them over whenever you play a game. (Fiddler, yay!)
However, please excuse me if I’m being an uneducated little shit. I really don’t know much about MAC addresses.[/quote]
You can spoof mac addresses.
I don’t think most skiddies will get your MAC address through.[/quote]
We could use the local IP, not the public IP. there’s many IP adresses on your computer.
computer IP.
Public IP that websites use. IPV4/6[/quote]
What happens if you move or get a new router?[/quote]
Then it logs you out, and you log in again and get a new session cookie.[/quote]
Couldn’t anyone do that though? Sorry if I’m a bit lost, I just decided to jump into the conversation.
[quote] - finally on a computer for a bit, so snipedy snip snip -
Couldn’t anyone do that though? Sorry if I’m a bit lost, I just decided to jump into the conversation. [/quote]
What I’m proposing is another level of security for the .ROBLOSECURITY cookie. Every time you access a ROBLOX webpage, it requires your browser to send over some information that would be computer/network specific. When you are assigned a ROBLOSECURITY cookie, you get a different one for every computer/network. If the .ROBLOSECURITY cookie doesn’t match the IP linked to it (server-side), the user is logged out. However, then they can simply log in with the correct credentials, and the server will give them a unique .ROBLOSECURITY cookie and store the information about their computer/network for the next time its used.
[quote]
For email changing, that’s tricky. The way I’d do it, is like this.
Enter new email: ____________
Enter old email _______________(Don’t display their old email on the website)
This way, even if the account holder forgets their email password, their address will still be the same. [/quote]
Sometimes I forget what email I used to sign up with.
But it /does/ send an email verification to the old address- but that’s an “if you didn’t mean to do this then undo” not a “are you sure you want to do this” and I think that should change.
[quote] Help me design an interface where the person, who is already in your account, can’t also change your PIN.
I like the PIN idea. [/quote]
Everyone who signs up as from now has to enter a pin anyone who already has an account will be prompted to make one? idk?