Page 2 of 3

Posted: Sun Apr 08, 2007 11:08 am
by John Cartwright
The Ninja Space Goat wrote:What do you use to prevent brute-force attacks, jcart?
Like I was suggesting earlier, it all depends on how many security layers you want to implement. Sure, you could use captcha, log failed attempts, etc, but you have to decide where usability meets security.

In programs I write to be as secure as possible, I would most definitely use a captcha because it will eliminate (hopefully) the possibility of robots as well as slow down the process of hired goons manually trying to gain access. In the meantime, I would be logging everything that happens, and an admin would typically be alerted in some fashion (SMS, email, etc) to take action on the account. Otherwise, if an admin hasn't taken on a flagged account, some intervention would take place (limited account access, lock account, whatever).

If you salt your passwords, connect using SSL, and enforce strong passwords, brute forces are pretty much useless considering the amount of time it takes versus being discovered (assuming you're actively monitoring things).
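
The layered approach described in the post above (salted password hashes, logging every attempt, alerting an admin after a few failures, then locking the account), as an added example that is not part of the original post. The threshold values, the PBKDF2 parameters, the `LoginGuard` class and the constructed attack sequence in `demo()` are all assumptions for illustration; an unknown username is rejected with the same answer as a wrong password so the login form does not confirm which usernames exist.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy values are assumptions for this example, not taken from the thread.
PBKDF2_ITERATIONS = 100_000
ALERT_AFTER = 3          # failed attempts before an admin is alerted
LOCK_AFTER = 5           # failed attempts before the account is locked
LOCK_SECONDS = 15 * 60   # how long a lock lasts


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt per account means one
    precomputed table cannot be reused against every user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time compare so the check itself does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


# Dummy credential used when the username does not exist, so unknown and
# known usernames take roughly the same time to reject.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


class LoginGuard:
    """Hypothetical login handler: logs every attempt, alerts, then locks."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so tests can move time forward
        self.log: list = []         # every attempt, success or failure
        self.alerts: list = []      # stands in for the SMS/email hook

    def _record(self, **event):
        event["time"] = self.clock()
        self.log.append(event)

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        now = self.clock()
        acct = self.accounts.get(username)

        if acct is not None and acct.locked_until > now:
            self._record(user=username, ip=source_ip, result="locked")
            return "locked"

        if acct is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)
            self._record(user=username, ip=source_ip, result="denied")
            return "denied"  # same answer as a bad password: no username enumeration

        if verify_password(password, acct.salt, acct.digest):
            acct.failures = 0
            self._record(user=username, ip=source_ip, result="ok")
            return "ok"

        acct.failures += 1
        self._record(user=username, ip=source_ip, result="denied", failures=acct.failures)
        if acct.failures == ALERT_AFTER:
            self.alerts.append(f"{username}: {acct.failures} failed logins, last from {source_ip}")
        if acct.failures >= LOCK_AFTER:
            acct.locked_until = now + LOCK_SECONDS
            acct.failures = 0
            self.alerts.append(f"{username}: locked for {LOCK_SECONDS}s after repeated failures")
        return "denied"


def demo() -> dict:
    """Drive the guard with a constructed guessing run and return the outcomes."""
    t = [1_000_000.0]
    clock = lambda: t[0]
    salt, digest = hash_password("correct horse battery staple")
    guard = LoginGuard({"alice": Account("alice", salt, digest)}, clock=clock)

    results = [guard.attempt("alice", f"guess{i}", "203.0.113.7") for i in range(5)]
    results.append(guard.attempt("alice", "correct horse battery staple", "203.0.113.7"))  # still locked
    t[0] += LOCK_SECONDS + 1
    results.append(guard.attempt("alice", "correct horse battery staple", "198.51.100.2"))  # lock expired
    results.append(guard.attempt("nobody", "x", "203.0.113.7"))  # unknown user, same "denied"
    return {"results": results, "alerts": guard.alerts, "log_entries": len(guard.log)}


if __name__ == "__main__":
    print(demo())
```

Note that the lock is per account, so a bot spreading guesses across many usernames never trips it; the per-source-IP counter or captcha the thread goes on to discuss is the layer that covers that case, and the `ip` field in every log entry is what lets an admin spot it.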

Posted: Sun Apr 08, 2007 12:06 pm
by Jenk
I've started using more intuitive captchas; OCR software is almost at the stage where it can read as well as, or better than, the human eye. Some of Yahoo's captchas, for example, are barely legible.

So instead of "Enter the code on the image" I use silhouettes of common objects, and have something like "How many kittens do you see?" :)

However, to go back on topic - this will be an extra method for preventing spam abuse.

Posted: Mon Apr 09, 2007 12:50 am
by Luke
Yeah, I prefer those types of captchas myself. They are better for security and usability. As a developer, I like that type of captcha because it is just about impossible for a computer to answer that correctly (or even better, something like "What is in this picture?" and show a picture of an animal), and I like it as a user because it is much easier to type "cat" than it is to try and decode a bunch of scribbled letters and numbers hidden in noise.

Posted: Mon Apr 09, 2007 9:35 am
by Weirdan
The Ninja Space Goat wrote:Yeah, I prefer those types of captchas myself.
Myself, I dislike them. Face the fact: there are people who know English well enough to use most sites but can't match a peach image with the word 'peach' (e.g. I had to look it up in the dictionary).

Posted: Mon Apr 09, 2007 10:13 am
by Oren
So just use something like the guys said before: "How many peaches do you see?".
This should be good enough currently since it's new (I've just heard about it - here in this topic), but don't think it will be good forever since once it becomes common enough, someone will crack it.

Posted: Mon Apr 09, 2007 10:20 am
by Weirdan
Oren wrote:So just use something like the guys said before: "How many peaches do you see?".
So if there were two apples, one pear and three peaches in the picture, I would still have to look up what 'peach' means in the dictionary? Not good, usability-wise.

Posted: Mon Apr 09, 2007 10:26 am
by jayshields
No, I don't think he means it like that. He could have worded it "How many objects do you see?".

Posted: Mon Apr 09, 2007 10:52 am
by RobertGonzalez
I think another thing weirdan's post suggests is that using that type of captcha could preclude non-English speakers from being able to answer the question.

This is a tricky area because you want most people to be able to use the system without allowing a computer to use the system. I have seen systems that throw up math questions like 8 + 12 = ? and have you answer that. I was thinking the other day that having a captcha in which a user is asked what the second parameter of a PHP function might be according to the manual, with a link to that page, or even throwing a link to a math equation that Google solves and asking what answer Google gave, might be something usable.

Posted: Mon Apr 09, 2007 11:14 am
by Oren
jayshields wrote:No, I don't think he means it like that. He could have worded it "How many objects do you see?".
Actually, I did mean it like this but... there will be only one type of object in the picture. Second, the word, "peaches" in our example, will be written down so you can check it in the dictionary in a second.

Everah, I must say that your idea sounded very cool to me, but a second later I thought: this will be even weaker and easier to crack than the simple CAPTCHAs we have now - all the bot will have to do is to follow the link and grab the result.

Posted: Mon Apr 09, 2007 11:15 am
by RobertGonzalez
I thought of that too. And I am still thinking of ways to implement a system like that which would be difficult or [s]impossible[/s] somewhat more difficult for a bot to spoof.

Edit | Per user request, strikethrough added to shed some semblance of reality on the term impossible as it relates to computer recognition of information presented for captcha validation. ;)

Posted: Mon Apr 09, 2007 11:22 am
by Oren
Great but... use the strike-through on the word "impossible". There isn't such thing - which is bad sometimes, and sometimes it is good :P

Posted: Mon Apr 09, 2007 12:27 pm
by RobertGonzalez

Code:

        ^
Like that --┘

Posted: Tue Apr 10, 2007 4:17 am
by Maugrim_The_Reaper
Visual CAPTCHAs alone are not very helpful - hint: you can't use sites with CAPTCHAs controlling access from a screenreader.

Posted: Sun Apr 15, 2007 9:54 pm
by Trenchant
You can't build a script to automatically login and carry out an action once logged in.

Posted: Sun Apr 15, 2007 11:13 pm
by d3ad1ysp0rk
Web Dummy wrote:You can't build a script to automatically login and carry out an action once logged in.
Uhmm.. C++?