Solarpitch Posted July 25, 2008

Hi, I'm not sure what the technical term for this is, but ya know when you register your details on a site and you are required to type in a number or series of characters on an image to stop automatic registrations or whatever. Should that form of security only be used for registrations, or is there any point in using it for logging in a user? I've never seen it on a login before. Is there a reason for this? Someone wants me to include this on their login scripts but I just thought I'd get an opinion first. Regards, Gerrard

MFHJoe Posted July 25, 2008

It's called a CAPTCHA. And as far as I know mate, there's not really any reason to put one on a login box. Unless it's to stop people trying to automatically guess passwords with bruteforce scripts. But this could be more easily stopped by just locking the account for 30 minutes after 3 attempts at login had been made.

Jabop Posted July 25, 2008

I agree with the poster above me. You should never implement a captcha on a login - keep them for registrations. Limit logins to 6 tries within an hour or whatever you specify, and lock the account if that count has been exceeded.
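
The lockout suggested in the two replies above, as an added example that is not part of the original thread: a per-account throttle in PHP 8. The class name `LoginThrottle`, the in-memory storage and the 30-minute counting window are assumptions; for the "6 tries within an hour" variant, construct it with `6` and `3600` and a lock length of your choosing.

```php
<?php
// Added example, not code from the thread. Failed logins are kept in an
// in-memory array (an assumption); a real site would use a database table.
final class LoginThrottle
{
    private array $failures = [];    // username => failure timestamps
    private array $lockedUntil = []; // username => unix time the lock ends

    public function __construct(
        private int $maxAttempts,   // 3 or 6 in the thread's suggestions
        private int $windowSeconds, // period over which failures are counted
        private int $lockSeconds    // how long the account stays locked
    ) {}

    // Check this before verifying the password at all.
    public function isLocked(string $user, int $now): bool
    {
        return ($this->lockedUntil[$user] ?? 0) > $now;
    }

    // Call after a failed password check; returns true once the account locks.
    public function recordFailure(string $user, int $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        $recent = array_filter($this->failures[$user] ?? [], fn($t) => $t > $cutoff);
        $recent[] = $now;
        $this->failures[$user] = array_values($recent);
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$user] = $now + $this->lockSeconds;
            $this->failures[$user] = [];
        }
        return $this->isLocked($user, $now);
    }

    // Call after a successful login so old failures do not count later.
    public function recordSuccess(string $user): void
    {
        unset($this->failures[$user], $this->lockedUntil[$user]);
    }
}

// Constructed scenario: 3 failures inside 30 minutes lock "alice" for 30 minutes.
$throttle = new LoginThrottle(3, 1800, 1800);
$start = 1000000; // constructed timestamp
foreach ([0, 10, 20] as $offset) {
    $throttle->recordFailure('alice', $start + $offset);
}
var_dump($throttle->isLocked('alice', $start + 60));   // during the lock
var_dump($throttle->isLocked('alice', $start + 1821)); // after it has expired
```

Because the counter is keyed on the username alone, repeated bad logins against a known username also lock out its real owner; keying on username plus client IP, or slowing responses instead of locking, are common variations.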

JonnoTheDev Posted July 25, 2008

There is a very good reason for it on a login form! CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart and that is exactly what it is doing. I have webbots that can log in and post details into websites, and captcha makes this extremely difficult (if it is a good captcha). Imagine if your website was an auction site, for example. I could easily have a robot do the logging in and bidding for me, making it very difficult for human users to purchase the items they want to, as a robot knows exactly when to log in and get the item at the last seconds.

Solarpitch (Author) Posted July 25, 2008

That's all I needed! Thanks lads, the 3/6 login attempts sounds like a better option. Ger

Jabop Posted July 25, 2008

> There is a very good reason for it on a login form! CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart and that is exactly what it is doing. I have webbots that can log in and post details into websites, and captcha makes this extremely difficult (if it is a good captcha). Imagine if your website was an auction site, for example. I could easily have a robot do the logging in and bidding for me, making it very difficult for human users to purchase the items they want to, as a robot knows exactly when to log in and get the item at the last seconds.

Thanks for telling me what a CAPTCHA is! ... That is a good example, however, a captcha on a login would probably annoy end-users more than it would actually deter bots.

MFHJoe Posted July 25, 2008

> That is a good example, however, a captcha on a login would probably annoy end-users more than it would actually deter bots.

I was just about to say that as well. I've never seen a CAPTCHA on a login form for any website before, including websites like eBay or PayPal, so there must be other ways of deterring bots.

JonnoTheDev Posted July 25, 2008

That's a fair opinion. Just make sure that you use them on any form that can send out emails on submission, such as a contact form. If you don't then it won't be long before you run into trouble! It's naive to think that any website form is safe in this day and age of spammers, hackers, etc.

Jabop Posted July 25, 2008

> That's a fair opinion. Just make sure that you use them on any form that can send out emails on submission, such as a contact form. If you don't then it won't be long before you run into trouble! It's naive to think that any website form is safe in this day and age of spammers, hackers, etc.

Do as other sites do. On features of the site that are sensitive to bots, implement captchas in those areas. For example, on MySpace, you can enable it on comments, messages, etc. MySpace is a leading site to attract bots and spammers, but do they use a captcha on their login? Nope.

JonnoTheDev Posted July 25, 2008

Bots are really off topic from this post, but yes, there are other ways of deterring them with what are called bot traps. Looking for things like user agents, request times in your web logs, etc. But remember, people who make these are clever and will always get around traps one way or the other. Not sure why you would want to log in to PayPal with a bot unless you wanted your accounting to be done automatically. eBay allows bots and there are certainly websites that can set eBay bots running for you to get the items you want. Some websites actually encourage bots to post data as they may provide good content to, let's say, an article directory or a blog rather than just spam links.

JonnoTheDev Posted July 25, 2008

What I am trying to say is that if there is any damage an automated script could do by logging into your website, then use a captcha. If not, then don't bother. Never look at what other websites do, as you can never compare your applications to the likes of Facebook, MySpace, eBay, etc. These are major enterprise sites and more than likely have security measures in various formats, hardware, etc. that can detect these things quickly.