When the password you typed is weak, the it will tell you: This password seemed like too weak, please type another password. | Reason: Avoid hacking
List of weak Passwords:
'123456'
'password1'
'passw0rd'
'scratch'
'(username)1234'
'(username)'
'qwerty'
'abcdef'
'abc123'
'ilike(object)
'asdfghjkl'
'1234567890'
'(user's name or full name)'
'scratch.mit.edu'
'ilove(sitename)'
'(person's birthday)'
'111111'
'654321'
'(object)isawesome'
'ilove(object)
'wordpass'
'password123'
'(thing)rules123'
etc.
( https://en.scratch-wiki.info/wiki/Password )

semi-support
while this would be a good idea there are very simple passwords which would be impossible to guess, and this could stop people from using those passwords which are easy to remember for them and just as secure as a strong password
also 100th post lets go

This is extremely important, as it's way better for Scratchers to learn about password security on the Scratch signup page than in 20 years time when they get hacked in something with large real-world importance.

I agree that learning about password safety is very important but

-An_Unnamed_User- wrote:

'(user's name or full name)'

how would it detect this? There are millions or even billions of names and surnames around the world and it would be near-impossible if not impossible to detect all of them.

historical_supa wrote:

I agree that learning about password safety is very important but

-An_Unnamed_User- wrote:

'(user's name or full name)'

how would it detect this? There are millions or even billions of names and surnames around the world and it would be near-impossible if not impossible to detect all of them.

you have to input your name in the join scratcher process I believ

-Valtren- wrote:

you have to input your name in the join scratcher process I believ

No, you don’t. You have to put in your email which might reveal your name, but there isn’t really any way of telling.

IMO, your full name is a safe enough password. Unless you share it with someone on scratch (which would be sharing personal info and isn’t allowed), this isn’t guessable.

support, but what would be the algorithm for finding weak passwords
maybe only if scratch detects a pattern, if the password is too short or the password is a word with extra characters on the end or the start

yavuz61035 wrote:

if the password is too short

This is already a feature. Your password must be 6 characters or more.

musicROCKS013 wrote:

IMO, your full name is a safe enough password. Unless you share it with someone on scratch (which would be sharing personal info and isn’t allowed), this isn’t guessable.

Ha, not if you know people in real life who know you use Scratch. It's better to just make a strong password from the get go. Even “J0hNny4pPLe533D” is better than “JohnnyAppleseed”. If you have a common name like “John Smith” or something, people could certainly have at least some chance of guessing the name correctly.

perhaps instead of a blacklist like this, there should be some sort of requirements to ensure secure passwords

such as:
“J0hNny4pPLe533D”
at least one uppercase letter ✔️
at least one lowercase letter ✔️
at least one number ✔️
at least one special character ❌

or something very similar

zparkly wrote:

(#10)
perhaps instead of a blacklist like this, there should be some sort of requirements to ensure secure passwords

such as:
“J0hNny4pPLe533D”
at least one uppercase letter ✔️
at least one lowercase letter ✔️
at least one number ✔️
at least one special character ❌

or something very similar

(src)

Support, if the password is weaker, then the chances of you getting hacked will increase

-Valtren- wrote:

historical_supa wrote:

I agree that learning about password safety is very important but

-An_Unnamed_User- wrote:

'(user's name or full name)'

how would it detect this? There are millions or even billions of names and surnames around the world and it would be near-impossible if not impossible to detect all of them.

you have to input your name in the join scratcher process I believ

It will say: Looks like the password is a name, please type another password.

-An_Unnamed_User- wrote:

It will say: Looks like the password is a name, please type another password.

What if someone wanted to make their password the name of a famous celebrity? Then what would happen?

k0d3rrr wrote:

-An_Unnamed_User- wrote:

It will say: Looks like the password is a name, please type another password.

What if someone wanted to make their password the name of a famous celebrity? Then what would happen?

I feel like this is a bad example as that would be a very bad password.
And yes, (im not op) I feel like the name filter probably should prevent that

thugatwoary wrote:

k0d3rrr wrote:

-An_Unnamed_User- wrote:

It will say: Looks like the password is a name, please type another password.

What if someone wanted to make their password the name of a famous celebrity? Then what would happen?

I feel like this is a bad example as that would be a very bad password.
And yes, (im not op) I feel like the name filter probably should prevent that

What if someone wanted to make that their password by replacing the letters with numbers that look like the letters? (1 = i, 3 = E, etc)

Za-Chary wrote:

Even “J0hNny4pPLe533D” is better than “JohnnyAppleseed”.

False. Adding random capitals, numbers, or other common substitutions does not improve security at all. Brute force methods will try thousands, sometimes millions, of combinations a second. Changing an E to a 3 will only add a few milliseconds until the password is eventually cracked, and you're simply making it harder for yourself to remember. Length is by far more important than silly characters.

SavetheAtlantic wrote:

Za-Chary wrote:

Even “J0hNny4pPLe533D” is better than “JohnnyAppleseed”.

False. Adding random capitals, numbers, or other common substitutions does not improve security at all. Brute force methods will try thousands, sometimes millions, of combinations a second. Changing an E to a 3 will only add a few milliseconds until the password is eventually cracked, and you're simply making it harder for yourself to remember. Length is by far more important than silly characters.

It does fend off against anyone who knows your name and your Scratch account. If they know both and are willing to get into your account, it's free to them.

coder2045 wrote:

SavetheAtlantic wrote:

Za-Chary wrote:

Even “J0hNny4pPLe533D” is better than “JohnnyAppleseed”.

False. Adding random capitals, numbers, or other common substitutions does not improve security at all. Brute force methods will try thousands, sometimes millions, of combinations a second. Changing an E to a 3 will only add a few milliseconds until the password is eventually cracked, and you're simply making it harder for yourself to remember. Length is by far more important than silly characters.

It does fend off against anyone who knows your name and your Scratch account. If they know both and are willing to get into your account, it's free to them.

How would they know that one's password even is their name in the first place?

SavetheAtlantic wrote:

coder2045 wrote:

SavetheAtlantic wrote:

Za-Chary wrote:

Even “J0hNny4pPLe533D” is better than “JohnnyAppleseed”.

False. Adding random capitals, numbers, or other common substitutions does not improve security at all. Brute force methods will try thousands, sometimes millions, of combinations a second. Changing an E to a 3 will only add a few milliseconds until the password is eventually cracked, and you're simply making it harder for yourself to remember. Length is by far more important than silly characters.

It does fend off against anyone who knows your name and your Scratch account. If they know both and are willing to get into your account, it's free to them.

How would they know that one's password even is their name in the first place?

After stuff like “password” and “123456”, someone's name is one of the most common passwords. Sure, it won't help against random strangers, but any friends who are in the same school coding club or something can hack into someone with a bad password.