CAPTCHA for login??


Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

My host just implemented an image CAPTCHA for their login system. What on earth does this do for them? Prevent all the login spammers?? I don't get it. :?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Probably easier than adding brute force detection.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Brute force prevention would be pretty easy. Lock user out after 3-5 attempts. How is that harder than CAPTCHA?
alvinphp
Forum Contributor
Posts: 380
Joined: Wed Sep 21, 2005 11:47 am

Post by alvinphp »

If they added captcha, someone is creating tons of new accounts, so brute force attacks have no bearing here.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

The captcha isn't on a "create new account" form. It's on the login form. That's what makes no sense.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Maybe some script developer just talked some exec into 'a more secure authentication system for current users'.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

It does not make sense though, right?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I believe the term is, security in layers. Some people are anal, and having the possibility of an exploit in their system is enough to push them towards more security layers. So yes, it does make sense.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Hmm... what could happen if they don't have a captcha on their login? I mean, what security risk does it pose?
alvinphp
Forum Contributor
Posts: 380
Joined: Wed Sep 21, 2005 11:47 am

Post by alvinphp »

Captcha would help prevent brute force attacks, though I think there are much easier ways to do this that are less intrusive to the customer (like locking the id after 3 tries). My guess is you have developer gold plating where some jr programmer just learned Captcha and wanted to put it somewhere even though it was not needed and there were better (and simpler) ways to do it. I see this all the time.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Maybe I should clarify that brute force attacks do not always target a specific login id.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

astions wrote: Maybe I should clarify that brute force attacks do not always target a specific login id.
This is exactly why I don't like to lock users' accounts based on failed password attempts. Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked.

On the other hand, if captcha was used this process would take a lot longer for cracker joe. Feel my drift?
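
Added example, not part of the thread and not any poster's code: a sketch of the trade-off discussed above, where repeated failures trigger a CAPTCHA requirement per account and per source IP instead of locking the account. The class name, thresholds and window length are assumptions chosen for illustration.

```python
import time
from collections import deque

WINDOW = 15 * 60     # seconds of failure history considered (assumed value)
ACCOUNT_LIMIT = 5    # recent failures on one account before CAPTCHA (assumed)
IP_LIMIT = 20        # recent failures from one source IP before CAPTCHA (assumed)


class LoginGuard:
    """Decide whether a login attempt must carry a solved CAPTCHA.

    Nothing is ever locked: a user who solves the challenge and knows the
    password still gets in, so failing on purpose cannot block an account.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.by_account = {}   # account name -> deque of failure timestamps
        self.by_ip = {}        # source IP    -> deque of failure timestamps

    def _recent(self, table, key):
        q = table.get(key)     # .get: probing unknown names stores nothing
        if not q:
            return 0
        cutoff = self.clock() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()        # drop failures older than the window
        return len(q)

    def captcha_required(self, account, ip):
        # The per-account counter catches guessing against one login id;
        # the per-IP counter catches one guess each against many ids.
        return (self._recent(self.by_account, account) >= ACCOUNT_LIMIT
                or self._recent(self.by_ip, ip) >= IP_LIMIT)

    def attempt(self, account, ip, password_ok, captcha_ok=False):
        """Return 'ok', 'denied' or 'captcha' for one login attempt."""
        if self.captcha_required(account, ip) and not captcha_ok:
            return "captcha"   # password not evaluated, nothing recorded
        if password_ok:
            return "ok"
        now = self.clock()
        self.by_account.setdefault(account, deque()).append(now)
        self.by_ip.setdefault(ip, deque()).append(now)
        return "denied"
```
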
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Could be this...
"Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked"
(I don't like these systems either. As a user or as a developer)

but knowing my hosting company, this is more likely
"My guess is you have developer gold plating where some jr programmer just learned Captcha and wanted to put it somewhere"
What do you use to prevent brute-force attacks, jcart?
veridicus
Forum Commoner
Posts: 86
Joined: Fri Feb 23, 2007 9:16 am

Post by veridicus »

My guess is that they were the victim of a successful brute force attack and when they asked around for a quick solution someone said CAPTCHA.

Maybe they'll put up something better and remove the CAPTCHA once it's up.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

It seems likely that they want to stop brute force attacks. They might also want to stop people automating the process of logging in and doing things. For example, if the host uses CPanel, and someone wrote a script to log in and email a copy of the Disk Space Usage chart to their account every ten minutes they'd have good reason to add something to make that a bit trickier.