Discuss Scratch

HighFlyer222
Scratcher
100+ posts

Possible new protection against hackers

So, basically, sometimes people get to know others’ passwords then access their accounts to do mostly bad things, including deleting that account. This is what we call “hacking” in Scratch, right?
This is mostly avoided by changing the password regularly, but when a hacker once accesses an account, the automatic “Remember me” option doesn’t deactivate when the user changes their password, and the hacker can still access it if they had the password one time.

And even worse, the hacker can change the account’s password so the user can no longer access their account on new devices.

My suggestion is a new option in the account settings, “I think I am being hacked.” It will also have a note near it, saying “Use this immediately if you see unexpected things on your account.”

When a user clicks it, it will first give some info with a continue button:
“You can use this when:
You see things you didn’t do on your account.
Your projects are being deleted or modified.
You receive a wrong password message on other devices even if you didn’t change your password.

Are you sure?”

When the user clicks continue, it will first send an e-mail to the account e-mail address, allowing the user to change their password without knowing the old one. (also gives a note on putting a better password that hackers won’t guess)

As this is done via e-mail, the hacker won’t be able to use this option if they don’t have access to the specified address.

Once this is done, the user will be able to sign out on all devices with another button. This is what makes this different than a normal password change.

After all this, the user will be signed out, and they can log in with their new password.

What are your thoughts on this?
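
An added example, not part of any post in this thread and not Scratch's own code: one way a site could make a password reset also sign out every device, as the suggestion above asks. The `Account` class, the token format, and the per-account `session_gen` counter are assumptions made for illustration; token expiry and e-mail delivery are left out.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo

class Account:
    def __init__(self, username, password):
        self.username = username
        self.session_gen = 0    # bumped to revoke every outstanding token
        self.reset_hash = None  # hash of the pending e-mailed reset token
        self.set_password(password)

    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(acct):
    """Remember-me token bound to the account's current session generation."""
    body = f"{acct.username}.{acct.session_gen}"
    return f"{body}.{_mac(body)}"

def token_valid(acct, token):
    body, _, mac = token.rpartition(".")
    if not hmac.compare_digest(mac, _mac(body)):
        return False  # forged or corrupted token
    return body == f"{acct.username}.{acct.session_gen}"  # stale generation fails

def start_reset(acct):
    """Returns the token that would be e-mailed; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    return token

def finish_reset(acct, token, new_password):
    given = hashlib.sha256(token.encode()).digest()
    if acct.reset_hash is None or not hmac.compare_digest(given, acct.reset_hash):
        return False
    acct.reset_hash = None   # reset link is single use
    acct.set_password(new_password)
    acct.session_gen += 1    # signs out every device, intruder's included
    return True

def demo():
    acct = Account("example_user", "old-password")  # constructed account
    owner, intruder = issue_token(acct), issue_token(acct)
    before = token_valid(acct, intruder)
    mail = start_reset(acct)
    done = finish_reset(acct, mail, "new-long-passphrase")
    replay = finish_reset(acct, mail, "another-password")
    return (before, done, replay, token_valid(acct, intruder),
            token_valid(acct, owner), token_valid(acct, issue_token(acct)))
```

Because the generation counter lives on the account, the server does not need to track individual devices: every token issued before the reset fails validation, and only a fresh sign-in with the new password produces a valid one.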
DarthVader4Life
Scratcher
1000+ posts

few things, 1. there's a forgot password. 2. when you sign in, it signs out everywhere else.
HighFlyer222
Scratcher
100+ posts

DarthVader4Life wrote:

few things, 1. there's a forgot password. 2. when you sign in, it signs out everywhere else.
Wait, it does sign out everywhere else when you sign in? Then I think it did not work for me…

Edit: So, as you say, it signs out everywhere when you sign in. But you have to sign out first to sign in, right? But what if the hacker has changed the password?

Last edited by HighFlyer222 (July 6, 2020 17:06:35)

BlueNoodle29
Scratcher
100+ posts

I think you're on the right track, but what if hackers set a script running to guess every possible password? Scratch has no sign-in-attempt limit (I think), so maybe something more like Roblox's Two Step Verification is what we need.
--Explosion--
Scratcher
1000+ posts

HighFlyer222 wrote:

DarthVader4Life wrote:

few things, 1. there's a forgot password. 2. when you sign in, it signs out everywhere else.
Wait, it does sign out everywhere else when you sign in? Then I think it did not work for me…

Edit: So, as you say, it signs out everywhere when you sign in. But you have to sign out first to sign in, right? But what if the hacker has changed the password?
You can use forgot password to reset it via email.
HighFlyer222
Scratcher
100+ posts

--Explosion-- wrote:

Some people wrote:

some stuff
You can use forgot password to reset it via email.
Can you?

Will it sign out from all other devices?

probably all my writing was for nothing :l
HighFlyer222
Scratcher
100+ posts

BlueNoodle29 wrote:

…what if hackers set a script running to guess every possible password?
I don’t think somebody would do that just to access a kid’s programming account.

I mean, why else will one try to hack a Scratch user?

is that even possible lol
BlueNoodle29
Scratcher
100+ posts

HighFlyer222 wrote:

BlueNoodle29 wrote:

…what if hackers set a script running to guess every possible password?
I don’t think somebody would do that just to access a kid’s programming account.

I mean, why else will one try to hack a Scratch user?

is that even possible lol

It's certainly possible, and what if they just wanted to frame the user?
bigpuppy
Scratcher
1000+ posts

HighFlyer222 wrote:

BlueNoodle29 wrote:

…what if hackers set a script running to guess every possible password?
I don’t think somebody would do that just to access a kid’s programming account.

I mean, why else will one try to hack a Scratch user?

is that even possible lol
I'm pretty sure it's not feasible if you have a strong password.

Last edited by bigpuppy (July 6, 2020 19:07:26)

scwestbrook
Scratcher
100+ posts

BlueNoodle29 wrote:

I think you're on the right track, but what if hackers set a script running to guess every possible password? Scratch has no sign-in-attempt limit (I think), so maybe something more like Roblox's Two Step Verification is what we need.
A script like that wouldn't work, because there is a captcha button after 3 incorrect sign-in attempts
BlueNoodle29
Scratcher
100+ posts

bigpuppy wrote:

HighFlyer222 wrote:

BlueNoodle29 wrote:

…what if hackers set a script running to guess every possible password?
I don’t think somebody would do that just to access a kid’s programming account.

I mean, why else will one try to hack a Scratch user?

is that even possible lol
I'm pretty sure it's not feasible if you have a strong password.

-sniped because I'm stupid lol-

Last edited by BlueNoodle29 (July 6, 2020 19:17:48)

bigpuppy
Scratcher
1000+ posts

BlueNoodle29 wrote:

bigpuppy wrote:

HighFlyer222 wrote:

BlueNoodle29 wrote:

…what if hackers set a script running to guess every possible password?
I don’t think somebody would do that just to access a kid’s programming account.

I mean, why else will one try to hack a Scratch user?

is that even possible lol
I'm pretty sure it's not feasible if you have a strong password.

I'm not sure I understand what you are saying. Computers are much faster than the human brain, so a computer could guess a password.
Right, but I'm not sure it would happen very quickly — did you read the section I linked?

Also, scwestbrook brings up a good point:

scwestbrook wrote:

A script like that wouldn't work, because there is a captcha button after 3 incorrect sign-in attempts
BlueNoodle29
Scratcher
100+ posts

scwestbrook wrote:

BlueNoodle29 wrote:

I think you're on the right track, but what if hackers set a script running to guess every possible password? Scratch has no sign-in-attempt limit (I think), so maybe something more like Roblox's Two Step Verification is what we need.
A script like that wouldn't work, because there is a captcha button after 3 incorrect sign-in attempts

Ah, you're right. My bad.
BlueNoodle29
Scratcher
100+ posts

bigpuppy wrote:

-snip-

Dang it, I ninja'd myself lol. Yep, I tested what scwestbrook said, and they were right. My bad!

Last edited by BlueNoodle29 (July 6, 2020 19:19:56)

Za-Chary
Scratcher
1000+ posts

We've never really had any issues of hacking on Scratch. Those who claim they were “hacked” usually had one of two things happen to them:
  1. They didn't log out of Scratch when they were finished using it.
  2. They told someone else their password.
As long as someone doesn't tell someone else their password, and they log out of Scratch whenever they're not using it (and, of course, they're using a strong password), their account will be safe from harm.

After all that, if you really think you were hacked, it's best to change your password and/or use the Contact Us link to let us know about it.
HighFlyer222
Scratcher
100+ posts

Za-Chary wrote:

As long as someone doesn't tell someone else their password, and they log out of Scratch whenever they're not using it (and, of course, they're using a strong password), their account will be safe from harm.

After all that, if you really think you were hacked, it's best to change your password and/or use the Contact Us link to let us know about it.

You can change the password, but will it sign out from every device?
Also in Contact Us, can you make it sign out on the hacker’s device?

(why am I not receiving notifications from followed topic tho)
fdreerf
Scratcher
1000+ posts

HighFlyer222 wrote:

You can change the password, but will it sign out from every device?
Also in Contact Us, can you make it sign out on the hacker’s device?

(why am I not receiving notifications from followed topic tho)
In my experience, you can only be logged in on one browser at a time.
Nambaseking01
Scratcher
1000+ posts

BlueNoodle29 wrote:

I think you're on the right track, but what if hackers set a script running to guess every possible password? Scratch has no sign-in-attempt limit (I think), so maybe something more like Roblox's Two Step Verification is what we need.

I agree with this post.

Implementing a two step verification would be really ideal, especially if exploiting becomes a major problem in the future (as we all know, technology is growing and hackers are finding new ways to trick people into giving passwords). Maybe, when you make your Scratch account, it will ask you whether you want a two-step verification, and if they don't do it, they can always enable it in their Account Settings.

The feature OP is suggesting seems to partially already be implemented; a “Forgot your Password?” button, plus signing out on one device signs you out on all of them (at least, that's what everyone is saying).
Dragonlord767
Scratcher
1000+ posts

Za-Chary wrote:

-snip-
After all that, if you really think you were hacked, it's best to change your password and/or use the Contact Us link to let us know about it.
I'd download all my projects that I care anything about too, in case they are deleted.
HighFlyer222
Scratcher
100+ posts

bump