Author

Topic: Login captcha (Read 2160 times)

hero member
Activity: 2212
Merit: 805
Top Crypto Casino
September 14, 2017, 02:38:00 PM
#32
I sent Theymos a pm regarding the difficulty the CaptCha page is causing me. Is there any way to disable the captcha on login page? I use opera mini old to access the forum since November 2016, Yesterday My browser crashed, I reinstalled it and tried to login but Opera mini (old) doesn't have JavaScript functionality. Currently using Firefox to access the forum. The experience hasn't been smooth so far. Didn't notice the new Captcha feature as I've always had "Always stay logged in" active.

Can I appeal this option be removed?
sr. member
Activity: 378
Merit: 260
Bitcoin SV is Bitcoin
August 31, 2017, 11:49:37 AM
#31
Google's captcha sucks  Cry
legendary
Activity: 1988
Merit: 1317
Get your game girl
August 30, 2017, 03:39:27 AM
#30
Actually,the captcha works perfect the way it was suppose to be.Once we solve the captcha couple of times from the same IP for login,it doesn't need you to solve the captcha again anymore.I don't know if it is programmed that way but once your ip is white listed you can get rid off the captcha.I had an option to use it when it used it first couple of times from my phone/laptop now it doesn't ask me to solve it as only clicking on "I'm not a robot" does it for me.
full member
Activity: 230
Merit: 100
August 30, 2017, 03:12:50 AM
#29
I really appreciate this although sometimes captcha makes me upset because it is always wrong and it took a few minutes to login.
 
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
August 29, 2017, 09:26:06 PM
#28
It's happening again. I keep getting "Incorrect Recaptcha." or "You must solve the CAPTCHA (JavaScript required)." I had to try dozens of times before I could finally log in; I was just about ready to give up altogether. Undecided
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
August 17, 2017, 10:09:24 AM
#27
Login captcha is pretty annoying because every time I login it asks me 3 different puzzles. I also realized that after this captcha thing implemented forum log me out occasionally when I'm browsing. When I try to post something it log me out after I press Post. Weird, this hasn't happened before captcha.
If it randomly logs you out, make sure you've checked the "Always stay logged in" checkbox or at least set the "Minutes to stay logged in" to something bigger than an hour (since 60 minutes is the default) when logging in.
hero member
Activity: 2156
Merit: 685
August 17, 2017, 09:40:43 AM
#26
Login captcha is pretty annoying because every time I login it asks me 3 different puzzles. I also realized that after this captcha thing implemented forum log me out occasionally when I'm browsing. When I try to post something it log me out after I press Post. Weird, this hasn't happened before captcha.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
August 16, 2017, 04:52:38 PM
#25
If a malicious person wants to bypass Google Captcha, the person can do it.

https://www.youtube.com/watch?v=8iMU9HbJ7Wo
Indeed, but it requires more effort and time (especially when bruteforcing large amounts of captchas in a small period of time) rather than just running the captcha through and OCR library and echoing out the results.

A bit OT, but the presentation is pretty interesting though. Wonder how long will it take till Google ups it's defenses (if it hasn't already).
member
Activity: 80
Merit: 10
August 16, 2017, 04:46:55 PM
#24
If a malicious person wants to bypass Google Captcha, the person can do it.

https://www.youtube.com/watch?v=8iMU9HbJ7Wo
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
August 16, 2017, 04:42:40 PM
#23
Please do not use google captcha.
Use alternative.

I was going to ask the same.
Feeding the G AI and allowing them to know about every login seem not fine to me.
I am calling for in house implementation.
Any in-house captcha implementation would be inferior (and probably easily crackable) compared to a system dev'd by the multi-billion data and IT tycoon that is Google. While I don't particularly like the captcha tech, it's effective and AFAIK nobody in the dark circles of the Internet managed to figure out a way to break it (edit: as in near 90-100% success ratio on a large scale brute force attempt).

If you dislike being tracked, you should probably also stop using Google search, avoid (or at least block the analytics script from even downloading) any website  that happens to use Google Analytics (hint: it's most of them) and throw your Android phone (if you're using Apple and think you are being tracked less than on an Android, I really have nothing to say to you) out the window.

I understand why captcha is important but am i the only one that has problems on a weekly base in solving them ?

It switches every week. First they are easy to solve, some other moments it's suddenly impossible to solve... another day's every solved captcha gives constant error... this ain't normal anymore.

We sould have more methodes to solve and enter/login/claim. I wonder ow many people stop doing anything because of this.
Clear your cookies (at least any Google ones). According to a user in this thread, apparently it helps.
member
Activity: 78
Merit: 10
August 16, 2017, 04:35:37 PM
#22
I understand why captcha is important but am i the only one that has problems on a weekly base in solving them ?

It switches every week. First they are easy to solve, some other moments it's suddenly impossible to solve... another day's every solved captcha gives constant error... this ain't normal anymore.

We sould have more methodes to solve and enter/login/claim. I wonder ow many people stop doing anything because of this.
full member
Activity: 159
Merit: 100
August 16, 2017, 11:00:42 AM
#21
Please do not use google captcha.
Use alternative.

I was going to ask the same.
Feeding the G AI and allowing them to know about every login seem not fine to me.
I am calling for in house implementation.
full member
Activity: 644
Merit: 101
August 15, 2017, 10:12:48 PM
#20
It is a good idea to put login captcha when logging in. Spambots could possibly enter your password by chance using combinations. Since spambots could not pass captchas, there will be a stronger security in this forum. Also, it is a good idea to put captchas before posting to prevent spamming post possibly created by an upgraded version of a spambot. Users using spambot could be terminated if captchas are implemented in this forum.
administrator
Activity: 5222
Merit: 13032
August 14, 2017, 08:07:29 PM
#19
Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

I've seen that happen before (rarely) on Tor, but a small delay isn't very bothersome, and I've always been able to fix the really bad delays by refreshing the page or getting a new Tor identity.

Elsewhere, someone suggested Solvemedia, but I think that all captchas based on reading text are actually easier for high-quality OCR to solve than for humans. The photo-based ones give computers a major disadvantage over humans. I don't care very much if people use services like 9kw.eu to solve the captchas, since that at least has a cost, but if a captcha can be OCRed, then they have no cost at all, making them completely useless.

If someone has other suggestions for good captcha services/libraries, let me know. I don't really like using Google products, since Google's whole business model is spying on people. Though as I mentioned, I don't have much faith in captchas based on reading mangled text.

I am not sure how difficult to implement this via SMF would be, however would it be possible to have users attempt to login on /login.php then on a /login2.php page would check if the account attempting to be logged into meet a certain criteria

I thought about that, but it'd be a bit difficult to implement, and I'm not sure how much value it'd really provide. Even if a captcha isn't required in 99% of logins, the 1% of logins where it is required is going to screw up bots, etc.
hero member
Activity: 761
Merit: 606
August 14, 2017, 04:51:42 PM
#18
Theymos,

May I suggest locking this thread at the top here temporarily?   I participated in a couple of other threads B4 I realized you already addressed this publicly.  Sorry for that.  I am not a Mod here so I can't sticky this.
legendary
Activity: 1932
Merit: 2272
August 14, 2017, 08:53:22 AM
#17
Whoever is having problem with captcha(too many NEXT-SKIP buttons, too many street numbers(stores, vehicles, roads, aliens  Shocked) to click, failed to verify etc etc) simplest solution is to delete google cookies. Tested long time ago and it is working.
full member
Activity: 123
Merit: 474
August 14, 2017, 08:27:14 AM
#16
Hope this will only be a temporary thing. The captcha is pretty annoying.
sr. member
Activity: 448
Merit: 258
August 14, 2017, 08:20:23 AM
#15
Sorry Mr Theymos but i don't like this feature, it keeps me annoying as the images are keep changing..first it says to select all street signs, then select vehicles...then says me to select a store in front of building..and lastly it says there was some problem with captcha.. Roll Eyes
legendary
Activity: 1204
Merit: 1028
August 14, 2017, 06:29:30 AM
#14
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

The problem is Tor likes to switch IP randomly, sometimes it happens while you are trying to solve the captcha. The captcha images are so slow to load sometimes (they fade in from white) so sometimes you run out of time. Also it's pretty hard, I had to try several times because I was getting "incorrect recaptcha".

I like to use noscript and a proxy here for obvious reasons: bitcoins and scammers don't mix well, so you want to take measures against it.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
August 14, 2017, 06:23:08 AM
#13
test

(I kept getting an "Incorrect recaptcha." error when I tried to log in, but it seems I can log in successfully by trying to reply to a thread... not sure what happened there.)
copper member
Activity: 2996
Merit: 2374
August 14, 2017, 12:22:08 AM
#12
I am not sure how difficult to implement this via SMF would be, however would it be possible to have users attempt to login on /login.php then on a /login2.php page would check if the account attempting to be logged into meet a certain criteria, and if so a captcha would be presented before the username/password combination would be checked against the forum DB. For example, an account that has had zero failed login attempts and has had it's password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.
newbie
Activity: 6
Merit: 0
August 13, 2017, 09:23:06 PM
#11
Yup, numerous reasons recaptcha is bad in the long term.
While it's a great solution to stop bots in their tracks, especially brute force ones, I feel as if in the long run it creates more potential problems.
That said, nothing wrong with using it till a more convenient solution can be implemented.

There's a reason big services (Yahoo, Gmail, Facebook and so forth) don't use it, at least when it comes to the login.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
August 13, 2017, 08:56:02 PM
#10
Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
Because for anyone who (still) actively uses faucets, the new reCAPTCHA is much more difficult / time-consuming (if it's one of those "select all things until none are left") to fill in (probably due to the high volume of captchas filled on the same IP). At least that's what I've seen some users complain about. In addition, sometimes it's difficult to tell what specifically the captcha is asking you to mark (e.g. do the poles on road signs count as part of the sign?).

That aside, since it's important to stop bots from bruteforcing passwords, AFAIK the new reCAPTCHA is the impossible for bots to automatically bypass (for now; though if anyone is going to break Google's new captcha, it's probably going to be them - hell, that's why they created this new one). Gonna be a bit of a pain in the ass creating user based Bitcointalk bots / libraries though (not exactly a fan of manually requesting keys for each bot but I guess I've got no choice until this gets resolved (fingers crossed for the new forum software modular API access)).


Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

newbie
Activity: 6
Merit: 0
August 13, 2017, 08:32:22 PM
#9
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

You're welcome!
administrator
Activity: 5222
Merit: 13032
August 13, 2017, 08:12:43 PM
#8
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
sr. member
Activity: 292
Merit: 251
August 13, 2017, 08:05:10 PM
#7
Please do not use google captcha.
Use alternative.
newbie
Activity: 6
Merit: 0
August 13, 2017, 06:43:42 PM
#6
Was just a thought, it would obviously need some thinking.

Anyway, there's a potential bug, or rather.. an oversight.

If I click on the login button located in the top left corner it takes me to: https://bitcointalk.org/index.php?action=login
This is fine (obviously) and the login form there displays the captcha.

If you take any action and you're not logged in (for whatever reason) it shows up as this, with no captcha loading:

https://s23.postimg.org/qh9hk7w9n/captcha.png

Example: having a bookmark with https://bitcointalk.org/index.php?action= (any action, example: pm reply, thread reply, etc) or using a custom PM notification app and needing to quickly reply or so forth.

It correctly tells me to login but it doesn't display the captcha there, hence I can't login using that form, I have to click again on the top left button so it takes me to the original login form, located at https://bitcointalk.org/index.php?action=login

I'm not using an addblocker or noscript, tried it in multiple browsers, captcha doesn't load in any of them. So I'm guessing it's on your end.

Steps to reproduce:

Make sure you're not logged in.
Have a bookmark in your browser with a link entailing an action, let's use this for example: https://bitcointalk.org/index.php?action=pm
Click the bookmark
Done.
administrator
Activity: 5222
Merit: 13032
August 13, 2017, 04:14:35 PM
#5
Lets say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect VIA proxy services.

Exactly, locking an account due to incorrect password attempts is insecure unless you already have some sort of partial authentication (eg. half of 2-factor authentication).
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
August 13, 2017, 04:07:32 PM
#4
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the ip's also?
This solution is impossible to implement without making regular users lives difficult.

Lets say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect VIA proxy services.
newbie
Activity: 6
Merit: 0
August 13, 2017, 04:02:23 PM
#3
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the ip's also?
I mean who forgets their password and tries more than 3-4 times to login? After 3-4 times they'd use the forgotten password, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo for example does that after 12 attempts, locks the account for 12 hrs. Facebook and Gmail have something similar.
Point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually login in.

Dunno, seems like it would a lot of trouble as opposed to the captcha challenge.
legendary
Activity: 1582
Merit: 1064
August 13, 2017, 03:35:43 PM
#2
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (ie. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

I was wondering why there was a change.
This captcha is irritating (sometimes you have to click on multiple screens), but it does seem to be necessary. You wouldn't want to take risks given the number of hackings there have been.
administrator
Activity: 5222
Merit: 13032
August 13, 2017, 01:52:19 PM
#1
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (ie. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.
Jump to: