CAPTCHA for login??
My host just implemented an image CAPTCHA for their login system. What on earth does this do for them? Prevent all the login spammers?? I don't get it. 
- RobertGonzalez
- John Cartwright
Captcha would help prevent brute force attacks, though I think there are much easier ways to do this that are less intrusive to the customer (like locking the id after 3 tries). My guess is you have developer gold plating where some jr programmer just learned Captcha and wanted to put it somewhere even though it was not needed and there were better (and simpler) ways to do it. I see this all the time.
- John Cartwright
astions wrote: Maybe I should clarify that brute force attacks do not always target a specific login id.
This is exactly why I don't like to lock users' accounts based on failed password attempts. Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked.
On the other hand, if captcha was used this process would take a lot longer for cracker joe. Feel my drift?
Could be this...
but knowing my hosting company, this is more likely
"Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked"
(I don't like these systems either. As a user or as a developer)
"My guess is you have developer gold plating where some jr programmer just learned Captcha and wanted to put it somewhere"
What do you use to prevent brute-force attacks, jcart?
It seems likely that they want to stop brute force attacks. They might also want to stop people automating the process of logging in and doing things. For example, if the host uses CPanel, and someone wrote a script to log in and email a copy of the Disk Space Usage chart to their account every ten minutes they'd have good reason to add something to make that a bit trickier.
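The trade-off argued in this thread, as an added sketch that is not code from any poster: locking after 3 failed tries versus demanding a CAPTCHA after 3 failed tries, with failures counted per login id and per source address. The class, function names, users and addresses are constructed for illustration, and `captcha_ok` stands in for the result of a real CAPTCHA check.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 3  # "locking the id after 3 tries", as suggested in the thread


class LoginGuard:
    """Hypothetical login throttle comparing the two policies discussed above."""

    def __init__(self, users, policy):
        self.users = users                  # {login: password}; a real site verifies a salted hash
        self.policy = policy                # "lock" or "captcha"
        self.by_account = defaultdict(int)  # failures per login id
        self.by_source = defaultdict(int)   # failures per address, catches guessing across many ids

    def attempt(self, login, password, source, captcha_ok=False):
        over = (self.by_account[login] >= MAX_FAILURES
                or self.by_source[source] >= MAX_FAILURES)
        if over and self.policy == "lock":
            return "locked"                 # the real owner is shut out as well
        if over and not captcha_ok:
            return "captcha_required"       # a script stalls here, a human can continue
        if hmac.compare_digest(self.users.get(login, ""), password):
            self.by_account[login] = 0      # success clears the account counter only
            return "ok"
        self.by_account[login] += 1
        self.by_source[source] += 1
        return "denied"


def simulate(policy):
    users = {"alice": "correct horse", "bob": "battery staple"}  # constructed accounts
    guard = LoginGuard(users, policy)
    # A script walks the member list from one address with three wrong guesses each.
    for login in users:
        for guess in ("aaa", "bbb", "ccc"):
            guard.attempt(login, guess, source="203.0.113.9")
    # The real owner of "alice" logs in from another address with the right password.
    first = guard.attempt("alice", "correct horse", source="198.51.100.7")
    solved = guard.attempt("alice", "correct horse", source="198.51.100.7", captcha_ok=True)
    # The scripted source then tries a correct password for a different login id.
    script = guard.attempt("bob", "battery staple", source="203.0.113.9")
    return first, solved, script


if __name__ == "__main__":
    for policy in ("lock", "captcha"):
        print(policy, simulate(policy))
```

In a real deployment the counters would expire after a time window, since the thread talks about accounts being temporarily blocked.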