Discuss Scratch
- BigNate469
-
Scratcher
1000+ posts
Password Requirements
The most secure password requirements are none at all, other than you need a password. That may sound hypocritical, but it's just math: the more requirements you have, the fewer combinations an attacker needs to search through in order to guess your password. So, ironically, the best way to increase security is to do the opposite of this suggestion and remove any existing requirements, other than that there be a password, and give some advice on how to create a strong password. This way, it forces the attacker to check every possible combination rather than ones within a specific rule set (and even if they don't, they still have to check more combinations than they would otherwise, unless you gave them your password).
TL;DR what @jvvg said.
I think that, when creating your account, there should be a bit of text warning you about passwords below a certain number of characters, and providing tips on how to make a secure password.
Last edited by BigNate469 (Aug. 10, 2025 23:49:51)
- blaze012345678
-
Scratcher
35 posts
Password Requirements
The most secure password requirements are none at all, other than you need a password. That may sound hypocritical, but it's just math: the more requirements you have, the fewer combinations an attacker needs to search through in order to guess your password. So, ironically, the best way to increase security is to do the opposite of this suggestion and remove any existing requirements, other than that there be a password, and give some advice on how to create a strong password. This way, it forces the attacker to check every possible combination rather than ones within a specific rule set.
true, but if you were to only have it numbers, or only letters, then it would be easier to automate, while if you have requirements like special keys, numbers, letters, and characters, it would be harder to guess.
TL;DR what @jvvg said.
I think that, when creating your account, there should be a bit of text warning you about passwords below a certain number of characters, and providing tips on how to make a secure password.
also, with those requirements, it adds more possibilities, for example, there's 26 letters in the alphabet, say you want to make a password using 1 of every letter, in lowercase, you would only be able to use a-z, while if you made it so you have exactly 1 capital, hackers don't know which letter is capital, so they have to go through all 1.79 * 10^27 possibilities, on top of the 1/26 chance of guessing which letter is capital correctly
Last edited by blaze012345678 (Aug. 10, 2025 23:58:24)
- SkyCedar
-
Scratcher
500+ posts
Password Requirements
true, but if you were to only have it numbers, or only letters, then it would be easier to automate, while if you have requirements like special keys, numbers, letters, and characters, it would be harder to guess.
Not necessarily. A password can be all letters and be 100 times stronger than something that uses a $ instead of an S. It's more length that's the concern. If your password is short and made up of a mix of letters/numbers/special characters it'll likely be cracked before one double the length that's all letters or numbers.
Side note, this topic has now reached 100 posts! Tysm to everyone who has contributed to the discussion so far!
Last edited by SkyCedar (Aug. 10, 2025 23:55:13)
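The counting argument from the posts above, worked through as an added example (not code from any poster or from Scratch): it counts passwords over printable ASCII with and without an "at least one character of every class" rule, and compares a short mixed password with a longer all-lowercase one. The class sizes and the lengths 8 and 16 are assumptions chosen for illustration.

```python
from math import log2

# Character classes of printable ASCII (sizes are this example's assumption).
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
ALL = LOWER + UPPER + DIGIT + SPECIAL  # 95 characters in total


def unrestricted(length, alphabet=ALL):
    """Number of strings of exactly `length` characters, no rules."""
    return alphabet ** length


def with_all_classes(length, classes=(LOWER, UPPER, DIGIT, SPECIAL)):
    """Strings that contain at least one character from every class.

    Counted by inclusion-exclusion: for every subset of classes that is
    left out entirely, add or subtract the strings over what remains.
    """
    total = sum(classes)
    count = 0
    for mask in range(1 << len(classes)):
        missing = sum(c for i, c in enumerate(classes) if (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (total - missing) ** length
    return count


def bits(n):
    """Size of a search space expressed in bits."""
    return log2(n)


def bits_lost_to_rule(length):
    """How many bits the 'one of every class' rule removes at this length."""
    return bits(unrestricted(length)) - bits(with_all_classes(length))


if __name__ == "__main__":
    print(f"8 chars, no rules:        {bits(unrestricted(8)):.1f} bits")
    print(f"8 chars, all four classes: {bits(with_all_classes(8)):.1f} bits")
    print(f"16 chars, lowercase only: {bits(unrestricted(16, LOWER)):.1f} bits")
```

At length 8 the rule leaves a little under half of all strings, which costs about one bit, while doubling the length with lowercase letters alone adds more than twenty bits.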
- jjspidermanmcqueen
-
Scratcher
19 posts
Password Requirements
Yes you're all right we need some way to protect our accounts and then we have some letter like A is 1 B 2 but lower case is a 112 and goes on and on i think it will be smart and we need them to say put special characters and we can not have an account ‘hacked’ i don't know how to improve this more but i will try to also we need them to add this feature
- jjspidermanmcqueen
-
Scratcher
19 posts
Password Requirements
and we could add these to protect it even more like these !@#$$%^%^*&(() all of them it would take years 3 years instead of 1 week like think about the possibilities and we're gonna stay safe what do you think?
- jjspidermanmcqueen
-
Scratcher
19 posts
Password Requirements
and we could add emojis to make it even better to stay safe that will take! 10 years! and if we add special emojis it would TAKE 30 YEARS! to just hack one account and hopefully scratch adds this
- AIGamesDeveloper
-
Scratcher
1000+ posts
Password Requirements
Seems like a good way for Scratch users to be aware of protecting their account with a strong password. I know sometimes people put in weak passwords that can get compromised easily so having these requirements would at least stop some of the compromises.
- Alex5002
-
Scratcher
86 posts
Password Requirements
Everyone before me may find ( part of ) their ideas here. Anyways I want to express my support.
I think a sufficient password must follow all these criteria :
- at least 4 letters, including :
  - at least 1 lower cap
  - at least 1 upper cap
- at least 4 digits
- at least 1 special character
- no ( partial ) use of publicly available account info
- can't be a common password ( like Abcd1234! )
- ( optional, for harder security ambitions ) can't be a leaked password ( HaveIBeenPwned's database is a good source for this check )
When changing the password, we should have to follow an extra step, like using a confirmation link sent to our email.
This website should allow us to choose and enable a secondary authentication step to make our accounts even safer. If this gets applied, then a Keep me signed in option should be added, but unticked by default. Also, if this gets applied, a warning email should be sent for every successful login.
This is what I think, at least a sum up of all earlier replies

Last edited by Alex5002 (Aug. 18, 2025 09:39:42)
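The blocklist, username and leaked-password checks from the list above, sketched as an added example (not Scratch's code and not from the post). The leaked-password lookup follows the Pwned Passwords range scheme, where only the first five hex characters of the SHA-1 hash are sent; here the lookup is a local stand-in over constructed data so the example runs offline, and `COMMON`, `fake_range_lookup` and `min_length=8` are assumptions.

```python
import hashlib

# Constructed blocklist for this example only.
COMMON = {"password", "123456789", "qwertyuiop", "abcdefgh", "abcd1234!"}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns 'SUFFIX:COUNT' lines built from a constructed breach set.
    """
    breached = {"warriorcats": 4821, "Abcd1234!": 120}  # constructed counts
    lines = []
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, lookup=fake_range_lookup):
    """k-anonymity check: only the 5-character hash prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def check_password(password, username, min_length=8, lookup=fake_range_lookup):
    """Return the reasons to reject a password; an empty list means accepted."""
    problems = []
    lowered = password.casefold()
    if len(password) < min_length:
        problems.append("too short")
    if username and username.casefold() in lowered:
        problems.append("contains username")
    if lowered in COMMON:
        problems.append("common password")
    if breach_count(password, lookup) > 0:
        problems.append("found in breach data")
    return problems
```
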
- pugusialove
-
Scratcher
100+ posts
Password Requirements
My suggestion is that the minimum password length is raised, stuff like “password”, “123456789”, “warriorcats”, “wingoffire”, “abcdefgh”, “qwertyuiop” and other super common passwords are automatically rejected, and there's an additional reminder on the screen to not make your password your interest, your username, any logical string of numbers, a part of the alphabet, a part of the alphabet backwards, a part of the keyboard letter order, a part of the keyboard letter order backwards, a celebrity or a location
- BadBackLeg
-
Scratcher
1000+ posts
Password Requirements
How I'd suggest these:
- One or more uses of punctuation
- At least eight characters
- At least one number
- “Password” “123456789” and other common phrases rejected
- At least one capital letter
- Cannot be same as username
- Tunibal_Scratcher
-
Scratcher
1000+ posts
Password Requirements
(#110) cannot be same as username already exists
How I'd suggest these:
- One or more uses of punctuation
- At least eight characters
- At least one number
- “Password” “123456789” and other common phrases rejected
- At least one capital letter
- Cannot be same as username
- BadBackLeg
-
Scratcher
1000+ posts
Password Requirements
(#110) cannot be same as username already exists
How I'd suggest these:
- One or more uses of punctuation
- At least eight characters
- At least one number
- “Password” “123456789” and other common phrases rejected
- At least one capital letter
- Cannot be same as username
This is meant to be a list of every requirement I think should be in it, not just suggestions.
- SushiCat_75
-
Scratcher
500+ posts
Password Requirements
Yeah, this is a really good idea. Even though this is supposed to be a simple kids website there still needs to be better protections.
Oh also you should update your OP to say cracked, not hacked accounts as the “hackers” are really just trying common passwords.
- RandomGuy658
-
Scratcher
100+ posts
Password Requirements
I don't agree. 2-step would be much more effective. Besides, most people aren't trying to hack into scratch accounts anyways. Also this would make me have to change my password
- Super_Ninja123456
-
Scratcher
1 post
Password Requirements
Sorry for necro posting but have you seen this project rating your passwords? This is made by @scratchinghead https://scratch.mit.edu/projects/1212076486/
Last edited by Super_Ninja123456 (Oct. 10, 2025 02:22:43)
- Tunibal_Scratcher
-
Scratcher
1000+ posts
Password Requirements
Sorry for necro posting
Necroposting doesn't exist in Suggestions
- SMG4fan7236
-
Scratcher
100+ posts
Password Requirements
Unless the topic is resolved
Sorry for necro posting
Necroposting doesn't exist in Suggestions
- Asyadfghjkl
-
Scratcher
100+ posts
Password Requirements
and we could add emojis to make it even better to stay safe that will take! 10 years! and if we add special emojis it would TAKE 30 YEARS! to just hack one account and hopefully scratch adds this
yeah but my dad's phone doesn't let me type an emoji in the box i had to type it in another box and copy paste it in
- Alex5002
-
Scratcher
86 posts
Password Requirements
I don't think emojis are easy to be supported inside a password. This might make password technically harder to handle for security algorithms. You can feel it by noticing (length of []) returns 2 on any emoji…
Last edited by Alex5002 (Oct. 24, 2025 10:25:53)














