
ROBLOX Account Protection

a guest
Jul 19th, 2016
Before saying TL;DR, let me just say that this applies to YOUR account as much as anybody else's.

A lot of people try to PG old accounts (or even new ones that have good namesnipes) and they use a method somewhat like this:

There is a list compiled of the most common English words, sometimes with a few numbers. The script tries to log in to an account multiple times, while the person behind the script types in the Captcha each time.

A friend of mine did this (not going to say his name) and it was quite easy, even though the account was verified. There needs to be a safeguard system in place: ROBLOX needs to update their Captcha to 2.0, and also update the signup-login API.

A few days ago (on the 13th, I believe), RT, OT, ATR, and LMaD got hit pretty hard by bot accounts. There were over 1000 accounts, all created simultaneously and automatically. If a Captcha was in place at signup (even if you don't try to make multiple accounts, just one), there wouldn't have been that problem.

That brings up another thing: with logging in, if you fail to log in 5 times or so, a Captcha will start popping up, but that is not enough. That friend of mine PGed the account in less than an hour. If the password is guessed wrong up to 32 times, the account (if it's verified) should be locked. Account verification uses email, so an email will be sent to the email address associated with the account, saying that somebody is trying to log in and there are 2 things you could do:

1. let it slide, or
2. block the IP address of the user trying to log in

I'll get back to this later.


For extra security precautions, there should be the Personal Questions backup, where only the owner of the account will know the answer to the question. Questions such as "what was your first intermediate school's name?" and "how old was your mother when you were born?". Questions like that are personal things that only the true owner of the account would know.

Going back to the logging in lock, I said the account should be locked IF it's verified. If the account is not verified, the login page should ask the PGer the answers to the personal questions. The personal questions should be set on signup for new accounts after the update. If there are none set and the account hasn't been active for more than a year, there's not much ROBLOX can do.

Thanks for actually taking the time to read all of this. I really appreciate this! Hopefully this catches the eye of a moderator, administrator, or better yet, a web engineer. If you have something you'd like to add on or change, please reply!
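
The login safeguard proposed above, written out as an added example (not part of the original paste and not ROBLOX code): a Captcha gate after 5 failures, then at 32 failures either a lock plus an email to the owner (verified account) or a personal-questions challenge (unverified account). The names Account, LoginGuard, new_account and outbox are hypothetical, and resetting the counter on a successful login is an assumption the post does not state.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Optional

CAPTCHA_AFTER = 5   # the post: a Captcha appears after about 5 failed logins
LOCK_AFTER = 32     # the post: lock a verified account after 32 wrong guesses

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:                       # hypothetical record, not a ROBLOX type
    salt: bytes
    pw_hash: bytes
    verified_email: Optional[str] = None
    failures: int = 0
    locked: bool = False

def new_account(password: str, verified_email: Optional[str] = None) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), verified_email)

@dataclass
class LoginGuard:
    accounts: dict
    outbox: list = field(default_factory=list)   # stands in for a mail queue

    def attempt(self, user: str, password: str, source_ip: str,
                captcha_ok: bool = False) -> str:
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if acct.failures >= LOCK_AFTER:           # only reachable when unverified
            return "personal_questions"
        if acct.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"             # no password check without it
        if hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
            acct.failures = 0                     # assumption: success resets count
            return "ok"
        acct.failures += 1
        if acct.failures < LOCK_AFTER:
            return "denied"
        if acct.verified_email is None:
            return "personal_questions"
        acct.locked = True                        # owner is told which IP tried
        self.outbox.append((acct.verified_email, source_ip))
        return "locked"
```

Because the counter is kept per account rather than per session, a script whose operator solves every Captcha still stops at the 32nd wrong guess, and the email carries the source IP the owner may choose to block.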