Topic: Login captcha - page 2. (Read 2093 times)

copper member
Activity: 2870
Merit: 2298
August 14, 2017, 01:22:08 AM
#12
I am not sure how difficult it would be to implement this via SMF, however would it be possible to have users attempt to login on /login.php, then on a /login2.php page check if the account attempting to be logged into meets certain criteria, and if so a captcha would be presented before the username/password combination would be checked against the forum DB. For example, an account that has had zero failed login attempts and has had its password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.
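One way to express the criteria described above as a pre-password risk check, as an added example that is not SMF code or anything from this thread. The thresholds x, n, y and the hack date are assumptions chosen here; the account is only challenged, never locked, which is the weakness raised about lockouts earlier in the thread.

```python
# Added example: risk-based captcha decision for the scheme in post #12.
# Thresholds and HACK_DATE are assumptions; the post leaves them unspecified.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed cut-off for "password changed since the forum hack" (constructed placeholder).
HACK_DATE = datetime(2017, 1, 1)

# Assumed values for x failed attempts within n time, and y time of inactivity.
MAX_FAILED = 5
FAILED_WINDOW = timedelta(hours=1)
INACTIVE_AFTER = timedelta(days=90)


@dataclass
class AccountState:
    last_access: datetime
    password_changed: datetime
    failed_logins: list = field(default_factory=list)  # timestamps of failed attempts


def record_failed_login(acct: AccountState, when: datetime) -> None:
    """Store a failed attempt and drop entries older than the window."""
    acct.failed_logins = [t for t in acct.failed_logins if when - t <= FAILED_WINDOW]
    acct.failed_logins.append(when)


def captcha_required(acct: AccountState, now: datetime) -> list:
    """Reasons a captcha must be solved before the password is even compared.

    An empty list means the account meets the low-risk criteria. A flood of
    bad guesses only adds a captcha; the account itself is never locked, so
    an attacker cannot use this check to lock a victim out.
    """
    reasons = []
    recent = [t for t in acct.failed_logins if now - t <= FAILED_WINDOW]
    if len(recent) >= MAX_FAILED:
        reasons.append("too_many_failed_attempts")
    if now - acct.last_access > INACTIVE_AFTER:
        reasons.append("inactive_account")
    if acct.password_changed < HACK_DATE:
        reasons.append("password_predates_hack")
    return reasons
```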
newbie
Activity: 6
Merit: 0
August 13, 2017, 10:23:06 PM
#11
Yup, numerous reasons recaptcha is bad in the long term.
While it's a great solution to stop bots in their tracks, especially brute force ones, I feel as if in the long run it creates more potential problems.
That said, nothing wrong with using it till a more convenient solution can be implemented.

There's a reason big services (Yahoo, Gmail, Facebook and so forth) don't use it, at least when it comes to the login.
global moderator
Activity: 3766
Merit: 2610
In a world of peaches, don't ask for apple sauce
August 13, 2017, 09:56:02 PM
#10
Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
Because for anyone who (still) actively uses faucets, the new reCAPTCHA is much more difficult / time-consuming (if it's one of those "select all things until none are left") to fill in (probably due to the high volume of captchas filled on the same IP). At least that's what I've seen some users complain about. In addition, sometimes it's difficult to tell what specifically the captcha is asking you to mark (e.g. do the poles on road signs count as part of the sign?).

That aside, since it's important to stop bots from bruteforcing passwords, AFAIK the new reCAPTCHA is impossible for bots to automatically bypass (for now; though if anyone is going to break Google's new captcha, it's probably going to be them - hell, that's why they created this new one). Gonna be a bit of a pain in the ass creating user based Bitcointalk bots / libraries though (not exactly a fan of manually requesting keys for each bot but I guess I've got no choice until this gets resolved (fingers crossed for the new forum software modular API access)).


Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

newbie
Activity: 6
Merit: 0
August 13, 2017, 09:32:22 PM
#9
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

You're welcome!
administrator
Activity: 5166
Merit: 12850
August 13, 2017, 09:12:43 PM
#8
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
sr. member
Activity: 292
Merit: 251
August 13, 2017, 09:05:10 PM
#7
Please do not use google captcha.
Use alternative.
newbie
Activity: 6
Merit: 0
August 13, 2017, 07:43:42 PM
#6
Was just a thought, it would obviously need some thinking.

Anyway, there's a potential bug, or rather.. an oversight.

If I click on the login button located in the top left corner it takes me to: https://bitcointalk.org/index.php?action=login
This is fine (obviously) and the login form there displays the captcha.

If you take any action and you're not logged in (for whatever reason) it shows up as this, with no captcha loading:

https://s23.postimg.org/qh9hk7w9n/captcha.png

Example: having a bookmark with https://bitcointalk.org/index.php?action= (any action, example: pm reply, thread reply, etc) or using a custom PM notification app and needing to quickly reply or so forth.

It correctly tells me to login but it doesn't display the captcha there, hence I can't log in using that form, I have to click again on the top left button so it takes me to the original login form, located at https://bitcointalk.org/index.php?action=login

I'm not using an ad blocker or NoScript, tried it in multiple browsers, captcha doesn't load in any of them. So I'm guessing it's on your end.

Steps to reproduce:

Make sure you're not logged in.
Have a bookmark in your browser with a link entailing an action, let's use this for example: https://bitcointalk.org/index.php?action=pm
Click the bookmark
Done.
administrator
Activity: 5166
Merit: 12850
August 13, 2017, 05:14:35 PM
#5
Let's say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect via proxy services.

Exactly, locking an account due to incorrect password attempts is insecure unless you already have some sort of partial authentication (e.g. half of 2-factor authentication).
legendary
Activity: 2324
Merit: 1267
In Memory of Zepher
August 13, 2017, 05:07:32 PM
#4
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the IPs also?
This solution is impossible to implement without making regular users' lives difficult.

Let's say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect via proxy services.
newbie
Activity: 6
Merit: 0
August 13, 2017, 05:02:23 PM
#3
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the IPs also?
I mean who forgets their password and tries more than 3-4 times to log in? After 3-4 times they'd use the forgotten password, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo for example does that after 12 attempts, locks the account for 12 hrs. Facebook and Gmail have something similar.
Point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually log in.

Dunno, seems like it would be a lot of trouble as opposed to the captcha challenge.
legendary
Activity: 1582
Merit: 1064
August 13, 2017, 04:35:43 PM
#2
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to log in. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

I was wondering why there was a change.
This captcha is irritating (sometimes you have to click on multiple screens), but it does seem to be necessary. You wouldn't want to take risks given the number of hackings there have been.
administrator
Activity: 5166
Merit: 12850
August 13, 2017, 02:52:19 PM
#1
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to log in. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.