Page 1 of 3

CAPTCHA for login??

Posted: Fri Apr 06, 2007 3:51 pm
by Luke
My host just implemented an image CAPTCHA for their login system. What on earth does this do for them? Prevent all the login spammers?? I don't get it. :?

Posted: Fri Apr 06, 2007 3:57 pm
by Benjamin
Probably easier than adding brute force detection.

Posted: Fri Apr 06, 2007 4:07 pm
by Luke
Brute force prevention would be pretty easy. Lock the user out after 3-5 attempts. How is that harder than CAPTCHA?

Posted: Fri Apr 06, 2007 4:34 pm
by alvinphp
If they added CAPTCHA, someone is creating tons of new accounts, so brute force attacks have no bearing here.

Posted: Fri Apr 06, 2007 4:39 pm
by Luke
The CAPTCHA isn't on a "create new account" form. It's on the login form. That's what makes no sense.

Posted: Fri Apr 06, 2007 5:30 pm
by RobertGonzalez
Maybe some script developer just talked some exec into 'a more secure authentication system for current users'.

Posted: Fri Apr 06, 2007 5:34 pm
by Luke
It does not make sense though, right?

Posted: Fri Apr 06, 2007 6:24 pm
by John Cartwright
I believe the term is, security in layers. Some people are anal, and having the possibility of an exploit in their system is enough to push them towards more security layers. So yes, it does make sense.

Posted: Fri Apr 06, 2007 6:40 pm
by Luke
Hmm... what could happen if they don't have a CAPTCHA on their login? I mean, what security risk does it pose?

Posted: Fri Apr 06, 2007 11:27 pm
by alvinphp
CAPTCHA would help prevent brute force attacks, though I think there are much easier ways to do this that are less intrusive to the customer (like locking the id after 3 tries). My guess is you have developer gold plating where some jr programmer just learned CAPTCHA and wanted to put it somewhere even though it was not needed and there were better (and simpler) ways to do it. I see this all the time.

Posted: Fri Apr 06, 2007 11:39 pm
by Benjamin
Maybe I should clarify that brute force attacks do not always target a specific login id.

Posted: Sat Apr 07, 2007 12:09 am
by John Cartwright
astions wrote: Maybe I should clarify that brute force attacks do not always target a specific login id.
This is exactly why I don't like to lock users' accounts based on failed password attempts. Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked.

On the other hand, if CAPTCHA was used this process would take a lot longer for cracker joe. Feel my drift?
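Added example, not from the thread (names and numbers are hypothetical): a small Python simulation of the two policies the posts compare, "lock the id after 3 tries" versus escalating to a CAPTCHA challenge per source, run against cracker joe's memberlist script to show which one leaves legitimate users locked out.

```python
"""Lockout vs. CAPTCHA escalation against a memberlist-walking script.

Constructed example: a HardLockPolicy (lock the account after N failures)
and a ChallengePolicy (after N failures from one source, that source must
solve a CAPTCHA; accounts are never locked). Names are hypothetical.
"""
from collections import defaultdict

FAILURES_BEFORE_ACTION = 3   # the "3 tries" from the thread


class HardLockPolicy:
    """Lock the account itself once it has seen too many failures."""
    def __init__(self):
        self.failures = defaultdict(int)   # keyed by account

    def attempt(self, user, source, ok):
        if self.failures[user] >= FAILURES_BEFORE_ACTION:
            return "locked"                # refused even with the right password
        if not ok:
            self.failures[user] += 1
        return "ok" if ok else "denied"


class ChallengePolicy:
    """Count failures per source; demand a CAPTCHA from that source instead
    of locking the account. Caveat: a source is an IP here, which a
    distributed attacker can vary, so real deployments also add per-account
    delays; that is out of scope for this example."""
    def __init__(self):
        self.failures = defaultdict(int)   # keyed by source
        self.needs_captcha = set()

    def attempt(self, user, source, ok, captcha_solved=False):
        if source in self.needs_captcha and not captcha_solved:
            return "captcha_required"      # bot is stalled, account untouched
        if not ok:
            self.failures[source] += 1
            if self.failures[source] >= FAILURES_BEFORE_ACTION:
                self.needs_captcha.add(source)
            return "denied"
        return "ok"


def simulate(policy, members, attacker_source="attacker-ip"):
    """Cracker joe sends 3 wrong passwords for every name on the member list.
    Returns how many members can still log in afterwards with the right
    password from their own address."""
    for user in members:
        for _ in range(FAILURES_BEFORE_ACTION):
            policy.attempt(user, attacker_source, ok=False)
    return sum(policy.attempt(u, "home-ip", ok=True) == "ok" for u in members)
```

With three members, `simulate(HardLockPolicy(), ...)` returns 0 (everyone locked out) while `simulate(ChallengePolicy(), ...)` returns 3 and only the attacking source is stuck on the CAPTCHA.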

Posted: Sat Apr 07, 2007 2:43 pm
by Luke
Could be this...
Consider if cracker joe wanted to inflict damage onto a site of mine, he could simply create a script to potentially read my user base (e.g. phpbb's memberlist) and potentially have every single one of the accounts temporarily blocked
(I don't like these systems either. As a user or as a developer)

but knowing my hosting company, this is more likely
My guess is you have developer gold plating where some jr programmer just learned CAPTCHA and wanted to put it somewhere
What do you use to prevent brute-force attacks, jcart?

Posted: Sat Apr 07, 2007 3:56 pm
by veridicus
My guess is that they were the victim of a successful brute force attack and when they asked around for a quick solution someone said CAPTCHA.

Maybe they'll put up something better and remove the CAPTCHA once it's up.

Posted: Sat Apr 07, 2007 6:12 pm
by onion2k
It seems likely that they want to stop brute force attacks. They might also want to stop people automating the process of logging in and doing things. For example, if the host uses cPanel, and someone wrote a script to log in and email a copy of the Disk Space Usage chart to their account every ten minutes, they'd have good reason to add something to make that a bit trickier.