PHP Nubsauce Posted July 10, 2008 Share Posted July 10, 2008 Hello all, pretty simple question ahead. Currently under my php designed login system, we use a captcha code (one of those thingys where its a image of crazy random text and you have to enter it correctly to proceed), but alot of our clients are unhappy with this because the captcha is hard for even a real person to intrepet sometimes, and they end up entering it incorrectly... I know a captcha is pretty good for a user sign-up form, but what about logging in? We've tried doing the three strikes your out for 20 minutes technique - we got alot of complaints about this. We've thought about a security question, but, woulden't just be one more string of charactors to break for a script? Making it still more unreliable then a captcha code. Security can't be compromised, but were trying to get rid of the captcha on simple logins. Any ideas? Thanks, Nubsauce. Quote Link to comment Share on other sites More sharing options...
lvtrii Posted July 10, 2008 Share Posted July 10, 2008 How about using a logic captcha? e.g. "What is the opposite of cold?". Put the string in an easy-ish to read image, and ask the user for an answer. Quote Link to comment Share on other sites More sharing options...
PHP Nubsauce Posted July 10, 2008 Author Share Posted July 10, 2008 We've thought about that, but why? Do does my hostmonster.com account have none of this? Their security has to be better then ours, and yet it doesen't have a capthca, a security question, 3 limit try w/ timer, nothing! How do they secure from scripts? Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted July 10, 2008 Share Posted July 10, 2008 What exactly are you trying to secure against? Brute-force password attacks? I seriously doubt that would be viable given the delay in requesting a page. If you're really worried, then you could set the required number of failed login attemps quite high. If someone fails to log in, say, 10 times in a minute, they probably don't deserve to go on your site anyway. Quote Link to comment Share on other sites More sharing options...
corbin Posted July 10, 2008 Share Posted July 10, 2008 It's usually just registration that I protect with a CAPTCHA. After that, I don't see a need to protect it. (If I think someone would think it was worth their time to try and brute force someone's account, I do like GingerRobot said, and I just set the threshhold high.) I can't stand when I have to enter a CAPTCHA to login. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.