Discuss Scratch

SkyCedar
Scratcher
500+ posts

Password Requirements

Wandoof wrote:

I think a good idea would be to add 2-step verification, so that even if someone guesses your password, they won’t be able to get it because they would have to have the security code that gets sent to your email in order to sign in.
there's a topic for that right here: https://scratch.mit.edu/discuss/topic/291659/
SkyCedar
Scratcher
500+ posts

Space_traveler1 wrote:

I feel like passwords should have like 5 to 10+ characters, as a longer password is harder to guess. Also maybe at least two symbols and three caps. No caps at the start though. (Also this is my first post)
The current requirement is 6+, so we definitely don't want to lower it. Maybe 10+ would be good….




Anyone know what the limit is?
Space_traveler1
Scratcher
9 posts

SkyCedar wrote:

Space_traveler1 wrote:

I feel like passwords should have like 5 to 10+ characters, as a longer password is harder to guess. Also maybe at least two symbols and three caps. No caps at the start though. (Also this is my first post)
The current requirement is 6+, so we definitely don't want to lower it. Maybe 10+ would be good….




Anyone know what the limit is?
Idk what the limit is, but making the requirement higher is a good idea. Hackers mostly have pretty powerful computers with usually a couple AIs installed on them to help with password guessing. Also, most hackers are actually on the Scratch website quite a bit, even if it’s mainly for hacking.
leaf_shadow_
Scratcher
1 post

SkyCedar wrote:

I think it would be a good idea to make there be password requirements such as 3+ letters, at least 2 capitals, one special symbol, some lowercase letters, stuff like that. A majority of the hacked accounts are from weak passwords, so setting requirements would help solve that problem.
_________________________________________________
(draft, will be edited as suggestions come in)

the specific requirements:
- password must be 12+ characters

suggestions (not requirements) that can be listed somewhere when users create their password:
- at least 3 lowercase letters
- at least 1 capital
- at least 1 special character
- at least 1 number

other mechanics that should be included in such an update:
- strength checker
A child might not know how to do this - What if they want an easier password? like catsanddogs? they can have that - it's not like anyone is going to know that
kyutzien
Scratcher
16 posts

support!!!
SkyCedar
Scratcher
500+ posts

leaf_shadow_ wrote:

A child might not know how to do this - What if they want an easier password? like catsanddogs? they can have that - it's not like anyone is going to know that
The so-called “hackers” that have taken over a lot of accounts recently have actually stated that they're just guessing passwords. Apparently some common ones are things like (I removed them cause it could be a danger), etc., so a password like that would 100% be compromised.
Children under the age of 16 are required to have a parent's email linked to their acc already, so I think it's reasonable to assume the parent would be present when the kid makes their password and would be able to help with it.

Last edited by SkyCedar (July 2, 2025 13:12:58)

Space_traveler1
Scratcher
9 posts

leaf_shadow_ wrote:

SkyCedar wrote:

I think it would be a good idea to make there be password requirements such as 3+ letters, at least 2 capitals, one special symbol, some lowercase letters, stuff like that. A majority of the hacked accounts are from weak passwords, so setting requirements would help solve that problem.
_________________________________________________
(draft, will be edited as suggestions come in)

the specific requirements:
- password must be 12+ characters

suggestions (not requirements) that can be listed somewhere when users create their password:
- at least 3 lowercase letters
- at least 1 capital
- at least 1 special character
- at least 1 number

other mechanics that should be included in such an update:
- strength checker
A child might not know how to do this - What if they want an easier password? like catsanddogs? they can have that - it's not like anyone is going to know that
As long as you’re on an updated Apple iPad or Phone, then Apple Intelligence can make up a strong password for you. For those who DON’T have Apple devices, go to a responsible adult, like your Parent or Guardian, to get a strong password.
Oh also for anyone who has that password you just told it to just about all of Scratch (not trying to be mean, as always)

Last edited by Space_traveler1 (June 30, 2025 16:14:58)

jmdzti_0-0
Scratcher
1000+ posts

ArmosKnight666 wrote:

Make it 12 or more characters.
≥8 is enough
jvvg
Scratcher
1000+ posts

No support for stuff like capital/lowercase/numbers/symbols. These sorts of requirements are actually counterproductive. We should instead be focusing on actual entropy, what actually makes a password strong. An example of a tool that can more effectively check password strength is zxcvbn, which uses the logic an actual password cracker would use.
-Kat_Kafe
Scratcher
500+ posts

A ton of support.

Finally people will stop being hacked.
-Cattycat_EA-
Scratcher
1 post

Uh I clicked quote to reply to this idk if that's how you do it it's my first time on this page in Scratch but I know with like you said symbols and capitals make it hard to remember, and some people say to use 3 or 4 random words and that's easier to remember, longer passwords are better than more complex ones, at least that's just my opinion. Or you could just make it a random sentence like: whatdoyoumeanidonthaveapassword cause it takes longer for a hacker to guess cause it's longer, but easier for you to remember.

Last edited by -Cattycat_EA- (June 30, 2025 17:45:47)

ArmosKnight666
Scratcher
100+ posts

jmdzti_0-0 wrote:

ArmosKnight666 wrote:

Make it 12 or more characters.
≥8 is enough
No. No, it really isn't. Multiple graphs show that most passwords with 8 characters can be hacked in under a week. You can only make it truly safe by including just flat-out random symbols, upper and lowercase letters, and numbers. Most people, however, are unable to do that, because of (Cough cough) “Poor cognitive understanding” which would mean that it should be at least 10 or above characters to be truly considered “safe”.
Space_traveler1
Scratcher
9 posts

jmdzti_0-0 wrote:

ArmosKnight666 wrote:

Make it 12 or more characters.
≥8 is enough
No it ain’t. An 8 or less character password would be just about the easiest password to guess, as hackers have guessed many a password with that exact number of characters.
-Lunova-
Scratcher
13 posts

I think a strength checker would be a good idea rather than symbol requirements. As jvvg and other people have pointed out, capital letters/numbers/symbols aren't the only things that go into password strength. Using a few random words can also create a strong password.

A higher character minimum is still a good idea, though.
StrawberryMeowkshake
Scratcher
6 posts

i'm just here to support this idea lol
ArmosKnight666
Scratcher
100+ posts

We appreciate.
pasta_enjoyer7
Scratcher
1000+ posts

SkyCedar wrote:

My thought would be to have sign-ins to accs over 2 years old with no activity be verified through an email, similar to when a user first joins Scratch.
Gotcha, alright. That seems like it would certainly work. Maybe a message while attempting to sign in:
Since your account has been inactive for (x time period), please verify your account through the email in which you signed up. An email has been sent!
Bengal_Kitty
Scratcher
1 post

Wandoof wrote:

I think a good idea would be to add 2-step verification, so that even if someone guesses your password, they won’t be able to get it because they would have to have the security code that gets sent to your email in order to sign in.
Nice idea, though it would be annoying for me because of the time taken.
Froggie_Shadow56
Scratcher
1 post

Support fully!!
wofiscoolyay
Scratcher
21 posts

Not allowing it to be your username
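
The point made above by jvvg and -Lunova- (check guessability rather than character classes), together with wofiscoolyay's username rule, as an added Python example; it is not code from the thread, from Scratch, or from zxcvbn. The word list, the 10^10-guess threshold and all function names are assumptions, and it models only two patterns (a listed word or the username, followed by digits and symbols), whereas zxcvbn matches many more.

```python
import math
import string

# Constructed stand-in for a breached-password list; real lists hold millions of entries.
WORDLIST = ["password", "qwerty", "dragon", "monkey", "scratch"]
MIN_LENGTH = 12          # the draft requirement quoted in the thread
MIN_LOG10_GUESSES = 10   # assumed acceptance threshold for this example
SUFFIX_CHARS = string.digits + string.punctuation


def composition_ok(pw):
    """Character-class rules as suggested in the thread: they count classes, not guessability."""
    return (sum(c.islower() for c in pw) >= 3
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def log10_guesses(pw, username=""):
    """Rough log10 of the guesses needed by an attacker who tries likely candidates first."""
    base = pw.lower().rstrip(SUFFIX_CHARS)
    suffix_len = len(pw) - len(base)
    if username and base == username.lower():
        # The username plus a short suffix is among the first things tried.
        return float(suffix_len)
    if base in WORDLIST:
        # List rank, x2 for capitalisation, about x10 per appended digit or symbol.
        return math.log10((WORDLIST.index(base) + 1) * 2) + suffix_len
    # No known pattern matched: brute force over the character classes in use.
    pool = sum(size for test, size in
               ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
               if any(test(c) for c in pw))
    pool += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log10(max(pool, 2))


def check(pw, username=""):
    """Return (accepted, reason) under the length floor plus the guess estimate."""
    if len(pw) < MIN_LENGTH:
        return (False, "too short")
    if log10_guesses(pw, username) < MIN_LOG10_GUESSES:
        return (False, "too guessable")
    return (True, "ok")


if __name__ == "__main__":
    for pw in ("Password2025!", "maple-tundra-violin-orbit"):  # constructed samples
        print(pw, "| composition rules:", composition_ok(pw), "| estimate:", check(pw))
```

The brute-force fallback overestimates passphrases built from dictionary words, so a production checker should use a full pattern matcher and a real breached-password list.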
