CAPTCHA for login??


John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

The Ninja Space Goat wrote:What do you use to prevent brute-force attacks, jcart?
Like I was suggesting earlier, it all depends on how many security layers you want to implement. Sure, you could use a captcha, log failed attempts, etc., but you have to decide where usability meets security.

In programs I write to be as secure as possible, I would most definitely use a captcha because it will eliminate (hopefully) the possibility of robots as well as slow down the process of hired goons manually trying to gain access. In the meantime, I would be logging everything that happens, and an admin would typically be alerted in some fashion (SMS, email, etc.) to take action on the account. Otherwise, if an admin hasn't taken on a flagged account, some intervention would take place (limited account access, lock account, whatever).

If you salt your passwords, connect using SSL, and enforce strong passwords, brute forces are pretty much useless considering the amount of time it takes versus being discovered (assuming you're actively monitoring things).
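The layered approach described in the post above (salted password storage, a log of every attempt, a captcha step-up after a few failures, an admin alert and an account lock after many), as an added Python example. This is not code from the thread; the thresholds, the `LoginGuard` class, the alert callback and the sample credentials are assumptions made for illustration.

```python
"""Brute-force protection for a login handler (added example).

Layers: salted PBKDF2 password hashes, a log of every attempt, a
captcha step-up after a few failures, account lockout after many,
and an alert hook for the admin. Thresholds and names are assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

CAPTCHA_AFTER = 3        # failures (per user or per IP) before a captcha is demanded
LOCK_AFTER = 10          # failures per user before the account is locked
WINDOW = 15 * 60         # sliding window for counting failures, in seconds
LOCK_SECONDS = 30 * 60   # lockout duration
# Kept low so the example runs quickly; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


# Dummy credential used for unknown usernames so an attempt costs the same
# time whether or not the account exists (no username enumeration by timing).
_DUMMY = hash_password("not-a-real-password")


class LoginGuard:
    def __init__(self, users, alert, clock=time.time):
        self.users = users                    # username -> (salt, digest)
        self.alert = alert                    # callable(str): SMS/email hook for the admin
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # ("user", name) / ("ip", addr) -> timestamps
        self.locked_until = {}                # username -> unix time the lock expires
        self.log = []                         # every attempt, success or not

    def _recent(self, key):
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] > WINDOW:      # drop failures that fell out of the window
            q.popleft()
        return len(q)

    def _record(self, username, ip, outcome):
        self.log.append((self.clock(), username, ip, outcome))

    def needs_captcha(self, username, ip):
        return max(self._recent(("user", username)),
                   self._recent(("ip", ip))) >= CAPTCHA_AFTER

    def attempt(self, username, password, ip, captcha_ok=False):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            self._record(username, ip, "locked")
            return "locked"
        if self.needs_captcha(username, ip) and not captcha_ok:
            self._record(username, ip, "captcha_required")
            return "captcha_required"
        record = self.users.get(username)
        salt, digest = record if record is not None else _DUMMY
        if verify_password(password, salt, digest) and record is not None:
            self.failures.pop(("user", username), None)   # reset the per-user counter
            self._record(username, ip, "success")
            return "ok"
        for key in (("user", username), ("ip", ip)):
            self.failures[key].append(now)
        self._record(username, ip, "failure")
        if self._recent(("user", username)) >= LOCK_AFTER:
            self.locked_until[username] = now + LOCK_SECONDS
            self.alert(f"account {username!r} locked after {LOCK_AFTER} failures; last IP {ip}")
            return "locked"
        return "failure"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")   # constructed sample user
    guard = LoginGuard({"alice": (salt, digest)}, alert=print)
    for pw in ["guess1", "guess2", "guess3", "guess4"]:
        print(guard.attempt("alice", pw, "203.0.113.7"))   # failure x3, then captcha_required
```

The per-IP counter catches a bot spraying one password across many accounts, the per-user counter catches one account being hammered from many addresses, and the captcha is only demanded once either counter trips, so ordinary users who mistype once never see it.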
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I've started using more intuitive captchas; OCR software is almost at the stage where it can read as well as, or better than, the human eye. Some of Yahoo's captchas, for example, are barely legible.

So instead of "Enter the code on the image" I use silhouettes of common objects, and have something like "How many kittens do you see?" :)

However, to go back on topic - this will be an extra method for preventing spam abuse.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Yeah, I prefer those types of captchas myself. They are better for security and usability. As a developer, I like that type of captcha because it is just about impossible for a computer to answer correctly (or even better, something like "What is in this picture?" and show a picture of an animal), and I like it as a user because it is much easier to type "cat" than it is to try and decode a bunch of scribbled letters and numbers hidden in noise.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

The Ninja Space Goat wrote:Yeah, I prefer those types of captchas myself.
Myself, I dislike them. Face the fact: there are people who know English well enough to use most sites but can't match a peach image with the word 'peach' (e.g. I had to look it up in the dictionary).
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

So just use something like the guys said before: "How many peaches do you see?".
This should be good enough currently since it's new (I've just heard about it, here in this topic), but don't think it will be good forever, since once it becomes common enough, someone will crack it.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Oren wrote:So just use something like the guys said before: "How many peaches do you see?".
So if there were two apples, one pear and three peaches in the picture, I would still have to look up what 'peach' means in the dictionary? Not good, usability-wise.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

No, I don't think he means it like that. He could have worded it "How many objects do you see?".
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think another thing Weirdan's post suggests is that using that type of captcha could preclude non-English speakers from being able to answer the question.

This is a tricky area because you want most people to be able to use the system without allowing a computer to use it. I have seen systems that throw up math questions like 8 + 12 = ? and have you answer that. I was thinking the other day that a captcha in which a user is asked what the second parameter of a PHP function is according to the manual, with a link to that page, might work. Or even throwing out a link to a math equation that Google solves and asking what answer Google gave might be something usable.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

jayshields wrote:No, I don't think he means it like that. He could have worded it "How many objects do you see?".
Actually, I did mean it like this, but there will be only one type of object in the picture. Second, the word, "peaches" in our example, will be written down so you can check it in the dictionary in a second.

Everah, I must say that your idea sounded very cool to me, but a second later I thought: this will be even weaker and easier to crack than the simple CAPTCHAs we have now; all the bot will have to do is follow the link and grab the result.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I thought of that too. And I am still thinking of ways to implement a system like that which would be difficult or [s]impossible[/s] somewhat more difficult for a bot to spoof.

Edit | Per user request, strikethrough added to shed some semblance of reality on the term impossible as it relates to computer recognition of information presented for captcha validation. ;)
Last edited by RobertGonzalez on Mon Apr 09, 2007 12:25 pm, edited 1 time in total.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Great, but use the strike-through on the word "impossible". There isn't such a thing, which is bad sometimes, and sometimes it is good :P
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

^
Like that --┘
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Visual CAPTCHAs alone are not very helpful. Hint: you can't use sites with CAPTCHAs controlling access from a screen reader.
Trenchant
Forum Contributor
Posts: 291
Joined: Mon Nov 29, 2004 6:04 pm
Location: Web Dummy IS

Post by Trenchant »

You can't build a script to automatically login and carry out an action once logged in.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Web Dummy wrote:You can't build a script to automatically login and carry out an action once logged in.
Uhmm.. C++?