Discuss Scratch

tagrim123
Scratcher
500+ posts

Password Requirements

Tip: Do something like this (DO NOT MAKE YOUR PASSWORD “CORRECTHORSEBATTERYSTAPLE” THOUGH)
xkcd 936
SkyCedar
Scratcher
500+ posts

Hey y'all, I'm back! Glad to see this topic was still active while I was away. I'm going to actually start updating the main proposal now, lol.
kittymach
Scratcher
4 posts

if you add emojis it might be harder for younger kids to remember their password
CoolEeveeKoffing
Scratcher
100+ posts

I dunno
wei04787
Scratcher
100+ posts

SkyCedar wrote:

the specific requirements:
-password must be 12+ characters
-If the user is under 16, a parent should help the child set the passcode

1. 12+ characters??? How are you supposed to memorize that? I can barely remember my 8-character passcode on my Chromebook. This is so unnecessary. I mean, the passcode “x1234567890x” (which is super weak) has 12 characters, and it is not good at all. What matters more is the number of numbers and symbols.

2. Ok, this just does not make sense. 15-year-olds can make their own passcodes. So can a 14-year-old, a 13-year-old, and a 12-year-old, an 11-year-old, and maybe even a 10-year-old. And how will we know the child asked their parent through email? I thought this was supposed to be kid-friendly. I do not want to have my mom sign me in every time. This is also on my school account, so my parents can not even get there. And for all the schools that use this? How will they get “parents” to accept them? Plus, if you just add other requirements, the kids can't even make a bad passcode.

3. Also the suggestion “make it a sentence” is kind of useless since passwords are usually small phrases, not full sentences. For example, the password, “ilovecatsanddogs,” is pretty weak, but it is a sentence and has more than 12 characters
wei04787
Scratcher
100+ posts

SkyCedar wrote:

Wandoof wrote:

I think a good Idea would be to add 2-step verification, so that even if someone guesses your password, they won’t be able to get it because they would have to have the security code that gets sent to your email in order to sign in.
there's a topic for that right here: https://scratch.mit.edu/discuss/topic/291659/

also this is enough already - a two step verification is so much more useful than setting impossible passwords to remember
CoolEeveeKoffing
Scratcher
100+ posts

I have a rlly bad passcode for my alt account
wei04787
Scratcher
100+ posts

I don't even know my password
CoolEeveeKoffing
Scratcher
100+ posts

wei04787 wrote:

SkyCedar wrote:

the specific requirements:
-password must be 12+ characters
-If the user is under 16, a parent should help the child set the passcode

1. 12+ characters??? How are you supposed to memorize that? I can barely remember my 8-character passcode on my Chromebook. This is so unnecessary. I mean, the passcode “x1234567890x” (which is super weak) has 12 characters, and it is not good at all. What matters more is the number of numbers and symbols.

2. Ok, this just does not make sense. 15-year-olds can make their own passcodes. So can a 14-year-old, a 13-year-old, and a 12-year-old, an 11-year-old, and maybe even a 10-year-old. And how will we know the child asked their parent through email? I thought this was supposed to be kid-friendly. I do not want to have my mom sign me in every time. This is also on my school account, so my parents can not even get there. And for all the schools that use this? How will they get “parents” to accept them? Plus, if you just add other requirements, the kids can't even make a bad passcode.

3. Also the suggestion “make it a sentence” is kind of useless since passwords are usually small phrases, not full sentences. For example, the password, “ilovecatsanddogs,” is pretty weak, but it is a sentence and has more than 12 characters
this is JUST NUTS how they do this my alt password is 13 characters and it’s simple but I mean
SkyCedar
Scratcher
500+ posts

Don't worry about what little me wrote, when I update this within the next few days I'm going to include insights I had from when my account was broken into (I just got it back today, it was broken into in September) and what I've learned from friends who've gone through similar experiences. Let me know if you want me to ping you when I finish!
mingo-gag
Scratcher
1000+ posts

Support Because I do think this can stop hacking and knowing that these trolls get student accounts the most because of their weak passwords I do think this might stop it or might reduce the increase of hacked accounts.
pugusialove
Scratcher
100+ posts

kittymach wrote:

if you add emojis it might be harder for younger kids to remember their password
What age are you worrying about? Cause I'm sure 8yo me could remember a password with an emoji. Also you don't have to add one.
BigNate469
Scratcher
1000+ posts

Alex5002 wrote:

I don't think emojis are easy to be supported inside a password. This might make password technically harder to handle for security algorithms. You can feel it by noticing
(length of [])
returns 2 on any emoji…
That's just an issue of how JavaScript (the language Scratch is programmed in) handles strings.

It's entirely possible to build a system that can support any unicode character (which includes emojis) in a password, rather than just the Basic Multilingual Plane.
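The length discrepancy discussed in the post above, as an added example that is not part of the original thread or Scratch's code. The function names and the sample strings are assumptions made for illustration; it counts code points after NFC normalization, which is how a length rule can treat an emoji as one character.

```javascript
// Added example (not Scratch's code): three ways to measure a password's "length".
function measurePassword(pw) {
  return {
    codeUnits: pw.length,                           // UTF-16 units, what .length counts
    codePoints: [...pw].length,                     // Unicode code points
    utf8Bytes: new TextEncoder().encode(pw).length, // bytes a hash function would receive
  };
}

// Normalize first so the same visible password typed on different keyboards
// yields the same code points, then count code points instead of UTF-16 units.
function meetsMinLength(pw, min) {
  return [...pw.normalize("NFC")].length >= min;
}

// Constructed sample inputs.
const lock = "\u{1F512}";        // lock emoji, one code point outside the BMP
const composed = "caf\u00E9";    // "é" stored as a single code point
const decomposed = "cafe\u0301"; // "e" followed by a combining acute accent

console.log(measurePassword(lock));               // .length over-counts the emoji
console.log(meetsMinLength(lock.repeat(6), 12));  // six emoji are not 12 characters
console.log(composed === decomposed,
            composed.normalize("NFC") === decomposed.normalize("NFC"));
```

The last line shows why normalization belongs before hashing as well: the two spellings of the same visible word are different strings until they are normalized.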
MythosLore
Scratcher
1000+ posts

SkyCedar wrote:

well with the high number of passwords being guessed recently it does make sense to have them be longer
Wouldn't making the requirements more specific make it easier for the password to be guessed?

I'm split on this suggestion. While the site is full of kids who would have an easier time remembering their pet's name as their password than a phrase encoded with dollar signs for S's and threes for E's, and hacking isn't all that common on this site, making people use a more secure password might be good, especially for a programming site, since they might be more encouraged to make a more secure password in the future.
pugboyRascal
Scratcher
4 posts

What I find sad is that we even need to discuss this topic. Why do the hackers feel the need to use their skills on a website made for literal children.
Why do these dorks think it's fun to hack into Scratch accounts owned by kids and make them sad? It's such a waste of time too cuz they don't even get anything out of it!!! ༼ つ ◕_◕ ༽つ (Like lock in and get a life people..)
MagicCoder330
Scratcher
1000+ posts

I would say that these would be better requirements:
1. Must be at least 20 characters. The main thing that increases a password's strength isn't special characters or capitals or numbers, it is length. A long password is impossible to practically crack with no extra information (eg, a stolen hash).
2. Checked for very generic phrases (eg, thisismypasswordyeah, 12345678901234567890, passwordpasswordpasswordpassword, opensesameopensesame, quertyuiopasdfghjklzxcvbnm, etc.)
3. NOT required to have:
sp. characters,
numbers,
capitals
because most of the time they are just attached to the end or a common substitution (eg, surf -> $uRf#@2 which a computer can rather easily know of and try substitutions as well)

There should be something explaining passphrases (like the horsebatterystaplecorrect thing) linked or directly placed in the area.
Maybe a “generate password” button which attaches together 5 random words from the English dictionary?

Last edited by MagicCoder330 (Nov. 26, 2025 20:02:55)
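The “generate password” button and the generic-phrase check suggested in the post above, sketched as an added example; it is not code from the thread or from Scratch. The function names, the 32-word sample list and the repeated-unit test are assumptions, and it runs under Node.js using its built-in crypto module.

```javascript
// Added example (not Scratch's code): passphrase generator and policy check.
const { randomInt } = require("crypto"); // CSPRNG; Math.random() is not suitable

// Constructed 32-word sample list. A real deployment would load a much larger
// list, for example the 7776-word EFF diceware list.
const WORDS = ("acorn badge cedar delta ember fable gecko harbor igloo jelly " +
  "kiosk lemon maple nickel otter pebble quartz raven sable tulip umber " +
  "velvet walnut xenon yonder zebra anchor bishop candle dragon engine falcon")
  .split(" ");

// Generic phrases quoted in the post above; a real blocklist is far larger.
const GENERIC = new Set(["thisismypasswordyeah", "12345678901234567890",
  "passwordpasswordpasswordpassword", "opensesameopensesame"]);

// Pick `count` words uniformly at random and join them.
function generatePassphrase(count = 5, words = WORDS) {
  const picked = [];
  for (let i = 0; i < count; i++) picked.push(words[randomInt(words.length)]);
  return picked.join("");
}

// Entropy of a uniformly random passphrase: count * log2(list size).
function entropyBits(listSize, count) {
  return count * Math.log2(listSize);
}

// True if s is one shorter unit repeated, e.g. "opensesameopensesame".
function isRepeatedUnit(s) {
  return s.length > 1 && (s + s).slice(1, -1).includes(s);
}

// Length is counted in code points; no digits, symbols or capitals required.
function checkPassword(pw, minLength = 20) {
  const lower = pw.toLowerCase();
  if ([...pw].length < minLength) return "too short";
  if (GENERIC.has(lower) || isRepeatedUnit(lower)) return "too generic";
  return "ok";
}

console.log(generatePassphrase(), entropyBits(WORDS.length, 5).toFixed(1), "bits");
console.log(entropyBits(7776, 5).toFixed(1), "bits with a 7776-word list");
```

The entropy figures show why the size of the word list matters as much as the number of words: five words from the 32-word sample list give only 25 bits, while five from a 7776-word list give about 64.6.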

SimonCheeseburger
Scratcher
500+ posts

MagicCoder330 wrote:

~snip~
Maybe a “generate password” button which attaches together 5 random words from the English dictionary?
And maybe a few numbers randomly placed between some of the words (could be chosen randomly) and then it could tell you to write it down so you remember it.

Last edited by SimonCheeseburger (Nov. 26, 2025 20:28:03)

MagicCoder330
Scratcher
1000+ posts

SimonCheeseburger wrote:

MagicCoder330 wrote:

~snip~
Maybe a “generate password” button which attaches together 5 random words from the English dictionary?
And maybe a few numbers randomly placed between some of the words (could be chosen randomly) and then it could tell you to write it down so you remember it.

it likely doesn't need numbers. They just make the password harder to remember, and though they make it more complex, they do it less than just sheer length.
The goal of this system is to make easy to remember, strong passwords. A long password is a strong password; but numbers and special characters make it harder to remember. “19fiend77beanie12mouse96steel41rubbish” is harder to remember than fiendbeaniemousesteelrubbish.

Saying to write it down is probably a good idea, though

Last edited by MagicCoder330 (Nov. 26, 2025 20:34:30)

kittymach
Scratcher
4 posts

this is a good idea but some kids could forget to write it down and end up forgetting their password but also kids prefer to make their password because they think it's fun to do that and end up making an easy password like idk “ILoVeTaCoS”, SuRf#%@#23 etc. and then they get hacked
SimonCheeseburger
Scratcher
500+ posts

MagicCoder330 wrote:

SimonCheeseburger wrote:

MagicCoder330 wrote:

~snip~
Maybe a “generate password” button which attaches together 5 random words from the English dictionary?
And maybe a few numbers randomly placed between some of the words (could be chosen randomly) and then it could tell you to write it down so you remember it.

it likely doesn't need numbers. They just make the password harder to remember, and though they make it more complex, they do it less than just sheer length.
The goal of this system is to make easy to remember, strong passwords. A long password is a strong password; but numbers and special characters make it harder to remember. “19fiend77beanie12mouse96steel41rubbish” is harder to remember than fiendbeaniemousesteelrubbish.
Yeah, I guess those 6 numbers could be replaced with just a 5th word like you said. (I forgot about that when making that image)

it just sounds so wrong to have a password made of English words and no numbers