Discuss Scratch
- Discussion Forums
- » Suggestions
- » [NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
Scratch Team: I am NOT trying to spread rumors about false bot attacks. I am only speaking of constant security issues.
Hello Scratchers and Scratch Team,
There has recently been an issue of Scratch accounts with weak passwords being hacked to be used for unwanted or harmful activities. Hackers use brute force to hack into accounts, testing hundreds of thousands of password combinations per second. Weak passwords (like “password” or “abcd1234”) take very little time to crack (while strong passwords can take billions of years to crack, which basically means they will never be hacked). Student accounts are often compromised by hackers, as they usually have very weak passwords, or regular accounts that do not have strong passwords. Hacked accounts can be used for spamming, false reporting, and more negative actions. Hackers can also access the user's email.
Why are hackers able to hack into accounts? Doesn't Scratch require you to create a strong password?
Surprisingly - Scratch does not require you to make a strong password when creating an account or changing your password. In fact, your password only must be 6 characters. Even a 6-character password with capital and lowercase letters, numerals, and special symbols only takes a hacker less than a second to crack. It's no surprise so many accounts can be hacked with such a low password security requirement.
What change could be made to improve the security of everyone's Scratch accounts?
Simple: Require passwords that:
- Are at least 12 characters long
- If the password is 19 or fewer characters, it must:
  - Have at least 2 capital letters
  - Have at least 2 lowercase letters
  - Have at least 2 special characters
  - Have at least 2 numerals
This means passwords would need to contain at least 2 of each component and extras to get to at least 12. This is guaranteed to be secure enough for hackers to not hack.
If the password is 20 or more characters, it won't need certain character type requirements since any password this long is secure. However, character type requirements greatly improve the security of shorter passwords.
Or, a password security detector like the one by @scratchinghead could be utilized for this and be built into the Scratch password creation system. The password must take at least 5 years (or another similar quantity) to crack. This would guarantee security since most hackers aren't going to sit and wait 5 years to compromise an account.
If this change went into effect…what about existing accounts with weak passwords?
For accounts with weak passwords, when the user tries to log in, a page similar to the “Account Blocked” message could show. Instead, it would say that the user must: change their password to something stronger (they can click a button to change it and there could be a random password generator if they can't think of one). Then, their email, parent's email or teacher's email connected to the account will be emailed to approve the password change (to ensure a hacker is not trying to change it). If they've lost access to the account email, they could email the Scratch Team on their current email to get their account back (I'm pretty sure the Scratch Team can tell if someone is the true owner or a hacker based on things like IP and the legitimacy of their email message).
Isn't this too strict?
It is better than having innocent accounts hacked and used for malice. Plus, kids need to learn to create strong passwords for the future (when they get their own emails, bank accounts, etc.).
Security Changes With Flaws
There are some other ideas floating around on improving password security on Scratch; these are a few that I believe have flaws.
Two-Step Verification
It sounds good in theory: When a user logs in, the email associated with their account will be notified with a code or button to verify the user logging in to their account.
However, consider the unneeded burden that would come with this.
For younger users who have their accounts connected to their guardian's email, every time the child logs in, the guardian must approve it. The guardian may not have the time to approve all sign-in requests, or may forget their email password and be unable to log in to their email at all. The child, especially if they have siblings, likely will log in and out of their account constantly when their siblings use their device. This could be a huge burden on the guardians, having to approve requests all the time.
The same goes for older users or users with their personal emails connected to their account. They may constantly need to sign in and out, especially if they use a library computer, and they may not have access to their emails due to forgetting email passwords.
Instead of requiring users to do this unneeded task, Scratch password security could simply be improved by increasing the number of required characters and be just as safe.
Conclusion
Implementing this change (better password requirements) could prevent accounts from being hacked and used for harming other accounts. This could truly help Scratch become a safer and better place for its users.
Scratchers, please support this change or suggest ideas to improve it! Scratch Team, please consider adding this change to help secure Scratch for all Scratchers.
Thanks everyone!
P.S.
Here's a cool password security drawing project I made on my alt @undiscoveries.
It does NOT detect password security but could be used for a colorful and useful safety estimate.
Tap/press space to enter a number from 0-7 to view what a security level could look like.
https://scratch.mit.edu/projects/1252658735/
Last edited by HollyEuca (Jan. 15, 2026 00:26:56)
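As an added illustration (this is not code from the post, from @scratchinghead's detector, or from Scratch itself), here is a small Python validator that implements exactly the rules proposed above: a 12-character minimum, the "at least 2 of each class" composition rule for passwords of 19 characters or fewer, and length alone for 20 or more. The post does not define which characters are "special", so the code assumes anything that is neither alphanumeric nor whitespace; the class names, function names and the per-class minimums dictionary are choices made here, not part of the proposal.

```python
# Added example (not code from the thread or from Scratch): a validator
# implementing the password rules proposed in the opening post.
#   * at least 12 characters;
#   * 19 characters or fewer: also at least 2 uppercase letters, 2 lowercase
#     letters, 2 digits and 2 special characters;
#   * 20 characters or more: length alone is enough.
# Which characters count as "special" is not defined in the post; this code
# assumes anything that is neither alphanumeric nor whitespace.
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 12
COMPOSITION_MAX_LENGTH = 19  # composition rules apply up to this length, inclusive
DEFAULT_MINIMUMS = {
    "uppercase letters": 2,
    "lowercase letters": 2,
    "digits": 2,
    "special characters": 2,
}


def classify(ch: str) -> Optional[str]:
    """Map one character to the class name the policy counts it under."""
    if ch.isupper():
        return "uppercase letters"
    if ch.islower():
        return "lowercase letters"
    if ch.isdigit():
        return "digits"
    if not ch.isalnum() and not ch.isspace():
        return "special characters"  # assumption, see header comment
    return None  # whitespace and caseless letters count towards length only


def count_classes(password: str) -> dict:
    """Count how many characters of each policy class the password contains."""
    counts = {name: 0 for name in DEFAULT_MINIMUMS}
    for ch in password:
        name = classify(ch)
        if name is not None:
            counts[name] += 1
    return counts


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_password(password: str, minimums: dict = DEFAULT_MINIMUMS) -> PolicyResult:
    """Return every rule the password fails, so the user can fix them all at once."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters long (has {len(password)})")
    if len(password) <= COMPOSITION_MAX_LENGTH:
        counts = count_classes(password)
        for name, needed in minimums.items():
            if counts[name] < needed:
                reasons.append(f"needs at least {needed} {name} (has {counts[name]})")
    # NOTE: as written in the post, the policy accepts a 20-character password
    # made of one repeated character or a common phrase; a deployment would
    # normally add a breached/common-password check on top of these rules.
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample inputs covering each branch of the policy.
    for candidate in ["password", "Abcdefghijk1", "Ab12!?cdEFgh", "a" * 20]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if result.ok else '; '.join(result.reasons)}")
```

The validator reports all failing rules together rather than stopping at the first one, which is what a signup form needs. Note the branch the comment points at: a 20-character string of a single repeated letter passes, because the proposal says length alone is enough past 19 characters; whether that is acceptable is a separate decision from the composition rule itself.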
- gelatin-free
-
Scratcher
100+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
I agree with this option. It will hopefully help security on Scratch if a ST member has approval for it.
However, I have the same mind when we talk about student accounts here:
https://scratch.mit.edu/discuss/topic/854897/
Last edited by gelatin-free (Dec. 7, 2025 04:22:19)
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> I agree with this option. It will hopefully help security on Scratch if a ST member has approval for it.
> However, I have the same mind when we talk about student accounts here:
> https://scratch.mit.edu/discuss/topic/854897/
Yes, I just meant this for securing accounts, however, your suggestion is very useful for preventing unwanted accounts from being created and utilized.
- -Cosmic---
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> Yes, I just meant this for securing accounts, however, your suggestion is very useful for preventing unwanted accounts from being created and utilized.
Who are you and what have you done with Holly?
Support, though I think that newer scratchers / ban evaders will not care.
- Berry154
-
Scratcher
54 posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
i second this take. security should always be first, above updates like “set thumbnail,” though i'm sure that made scratch a bit easier for others.
if this were to become a thing, it should be enforced to all scratchers, not just those who are creating new accounts.
e.g. everyone gets a message in their mailbox on the new updates, and how it'll work for those who have passwords that don't meet the requirements.
- l_believe_workdogs
-
Scratcher
6 posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
I see the vision, but there is one key issue we need to address. What if the email that is connected to your account is not yours? For example, (I believe that gradient has said this) Gradient's email is her mom's ex boyfriend's, so they can't change their password.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
(lol im way too “forumal” here)
> Who are you and what have you done with Holly?
> Support, though I think that newer scratchers / ban evaders will not care.
erm
I am grateful for your support.
- -Cosmic---
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> erm
> I am grateful for your support.
You seem upset?
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> You seem upset?
No, I am fine.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> i second this take. security should always be first, above updates like “set thumbnail,” though i'm sure that made scratch a bit easier for others.
> if this were to become a thing, it should be enforced to all scratchers, not just those who are creating new accounts.
> e.g. everyone gets a message in their mailbox on the new updates, and how it'll work for those who have passwords that don't meet the requirements.
Thank you.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> I see the vision, but there is one key issue we need to address. What if the email that is connected to your account is not yours? For example, (I believe that gradient has said this) Gradient's email is her mom's ex boyfriend's, so they can't change their password.
In that case:
1. The user gets in contact with the email owner to tell them to approve the password email, OR:
2. The user could send an email to Scratch Team proving they are themselves. Hackers likely wouldn't take the time to craft an email just to hack 1 account, and if they spammed Scratch Team's email for many different accounts, Scratch Team would likely be able to tell they are a hacker.
Last edited by HollyEuca (Dec. 7, 2025 04:34:24)
- sillyNate
-
Scratcher
76 posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
I remember this kind of thing was suggested by someone else once, and another person argued that, if they were trying to guess a scratcher's password, they would know that the password:
- has 12 or 13 characters, probably not more
- likely has 2 of each of the other requirements
Because kids will mostly make a password that reaches the minimum requirements, strict regulations may actually make it easier to guess passwords due to there being less variety.
That being said, I think the minimum length should be increased to 8 characters, or (and I don't know why st hasn't already done this) have a button that automatically creates a secure password, like other websites.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> I remember this kind of thing was suggested by someone else once, and another person argued that, if they were trying to guess a scratcher's password, they would know that the password:
> - has 12 or 13 characters, probably not more
> - likely has 2 of each of the other requirements
> Because kids will mostly make a password that reaches the minimum requirements, strict regulations may actually make it easier to guess passwords due to there being less variety.
> That being said, I think the minimum length should be increased to 8 characters, or (and I don't know why st hasn't already done this) have a button that automatically creates a secure password, like other websites.
Good point; however, 8-character passwords are still easy to crack. What if randomly generated requirements were made for each new or password-changing user? For one user, 1 special symbol and 3 numerals are required, or for another 2 each, etc. This would be much harder for hackers to guess. Also, yes, I agree that a password generator should be added.
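The exchange above (sillyNate's worry that a strict composition rule shrinks the set of passwords people actually pick, and the reply that 8 characters is still too short) can be put in numbers. The following Python is an added example, not code from either post or from Scratch: it counts how many passwords each rule admits, assuming the password is chosen uniformly at random over printable ASCII (the class sizes 26/26/10/32 are an assumption), and separately counts the "exactly the minimum" shape sillyNate describes (2 capitals, 2 digits, 2 specials, everything else lowercase). The function names and the summary labels are choices made here.

```python
# Added example, not from the thread: keyspace arithmetic for the rules
# debated above.  Counts are exact (big integers); bits = log2(count).
from itertools import product
from math import factorial, log2

# Printable-ASCII class sizes: letters, digits and punctuation (assumption).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
ALPHABET = sum(CLASS_SIZES.values())  # 94


def count_exact_composition(counts: dict, sizes: dict = CLASS_SIZES) -> int:
    """Strings containing exactly counts[c] characters of each class c.

    multinomial(n; counts) ways to place the classes, times
    sizes[c] ** counts[c] choices of character within each class.
    """
    n = sum(counts.values())
    ways = factorial(n)
    for k in counts.values():
        ways //= factorial(k)  # stays an exact integer at every step
    for name, k in counts.items():
        ways *= sizes[name] ** k
    return ways


def count_at_least(n: int, minimums: dict, sizes: dict = CLASS_SIZES) -> int:
    """Length-n strings with at least minimums[c] characters of each class c.

    Sums count_exact_composition over every composition meeting the minimums.
    """
    names = list(sizes)
    total = 0
    ranges = [range(minimums.get(name, 0), n + 1) for name in names]
    for combo in product(*ranges):
        if sum(combo) == n:
            total += count_exact_composition(dict(zip(names, combo)), sizes)
    return total


def bits(count: int) -> float:
    """Guess-space size in bits; each extra bit doubles an exhaustive search."""
    return log2(count)


def summary() -> dict:
    """Bits of keyspace for the rules discussed in the thread (random choice)."""
    two_each = {name: 2 for name in CLASS_SIZES}
    minimum_effort = {"upper": 2, "digit": 2, "special": 2, "lower": 6}
    return {
        "6 chars, no composition rule (current minimum)": bits(ALPHABET ** 6),
        "8 chars, no composition rule (sillyNate)": bits(ALPHABET ** 8),
        "12 chars, no composition rule": bits(ALPHABET ** 12),
        "12 chars, >=2 of each class (opening post)": bits(count_at_least(12, two_each)),
        "12 chars, exactly 2U/2D/2S and 6 lowercase (minimum-effort shape)":
            bits(count_exact_composition(minimum_effort)),
        "20 chars, no composition rule": bits(ALPHABET ** 20),
    }


if __name__ == "__main__":
    for rule, b in summary().items():
        print(f"{b:6.1f} bits  {rule}")
```

Two things fall out of running it. For a randomly chosen 12-character password the composition rule costs only about two bits, so the rule itself does not meaningfully help a guesser; the loss sillyNate is pointing at comes from people choosing the minimum-effort shape, which an attacker who assumes that shape searches in roughly 70 bits instead of 79. Both figures are still enormous next to the roughly 39 bits of today's 6-character minimum or 52 bits at 8 characters. These are keyspace sizes, not crack times: how long a guess takes in practice depends on whether the site rate-limits login attempts and on how passwords are hashed, which the thread's "less than a second" figures do not account for.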
- l_believe_workdogs
-
Scratcher
6 posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> In that case:
> 1. The user gets in contact with the email owner to tell them to approve the password email, OR:
> 2. The user could send an email to Scratch Team proving they are themselves. Hackers likely wouldn't take the time to craft an email just to hack 1 account, and if they spammed Scratch Team's email for many different accounts, Scratch Team would likely be able to tell they are a hacker.
Usually, ST takes months to process an email sent to them.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> Usually, ST takes months to process an email sent to them.
Perhaps they could use an advanced AI for reviewing these types of emails?
- -Cosmic---
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> DUPE ALERT!!
That's slightly different than my idea, plus I recently used a suggestion to add randomized password component requirements.
- -Cosmic---
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> That's slightly different than my idea, plus I recently used a suggestion to add randomized password component requirements.
Same idea.
It's a dupe.
- HollyEuca
-
Scratcher
1000+ posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> Same idea.
> It's a dupe.
Eh, not exactly. Their suggestion doesn't have the email idea, etc.
Last edited by HollyEuca (Dec. 7, 2025 05:02:28)
- l_believe_workdogs
-
Scratcher
6 posts
[NEW IDEAS & CHANGES] Better Password Security and Requirements On Scratch
> Perhaps they could use an advanced AI for reviewing these types of emails?
Yea, I agree that AI should definitely be used in its moderation, but Scratch lacks funding, and AI costs a lot of money and resources to create, so that is currently not feasible for them.