
Captcha system for login?


Eggzorcist


Hello,

 

I'm creating a web application and I'm currently in the process of designing my login page, but I was wondering if I should put a captcha system on the login page. I have one for registration, though I was wondering whether it is really needed for login. Would a captcha help stop any kind of brute force attack?

 

Thanks


Also, you could do a max logins per x minutes thing.

 

Seconded.  Putting a captcha on a login page is a really bad idea, unless you don't give a hoot about the incredible annoyance to the legitimate users of your system.


Yes, I can relate to that. I will be creating a cookie which will make it impossible to try to log in more than 5 times. But would that stop a brute force attack? I'm not sure if the brute-force software can get cookies or sessions placed upon it.


1. I would do something like: if you get the password wrong more than 10 times in one day you get blocked for 24 hours. That's the best you can do without thinking too hard and too long.

 

2. Check how many times they failed before login and how long they took before retyping the password, and either block or track depending on these metrics using a fuzzy logic algo.

 

 

A human can not fill in a password and username and submit it once every second 20 times unless his brain is connected to the PC.


Yes, I can relate to that. I will be creating a cookie which will make it impossible to try to log in more than 5 times. But would that stop a brute force attack? I'm not sure if the brute-force software can get cookies or sessions placed upon it.

 

You can always code it so that they require cookies.  Sometimes bots are written simply and will not accept cookies.  However, depending on a cookie for the counter isn't the best idea, because they could modify it.  The simplest way to handle this is to just use the IP address, and track that.  After a certain number of tries from one particular IP address, you can disable further attempts from that IP address for a period of time. 


I might require a captcha for registration but I wouldn't require one for login.

 

And in fact I'm getting a bit tired of these nearly human-proof captchas.  They stop the old bots but I'm sure there are new ones out there that can get past them or use human intervention to get past them.  Unfortunately all the spammers have to do is hang out at the open source OCR (optical character recognition) forums and repositories and borrow some open source algorithms to tweak.  Contextual questions are the way to go, and I don't mean "what's 2+2" or something that a bot can easily be programmed to figure out.

 

Questions like "what shape is the earth".  Again, while this won't stop bots that are tied to human intervention (neither will captchas), questions like these are a lot less annoying than trying to read some captcha 5 times over.  For bots that use human intervention be sure to enable some serious (but not too sticky) flood control.

 

Also I wouldn't use a cookie for tracking login attempts.  Then a user can try to log in from anywhere in his botnet (or just clear his browser cache/cookies) as many times as he likes, since each IP will receive a different cookie allowing him 5 attempts.  So instead have another field in the database that tracks recent login attempts (and the IPs attempting to log in), and when the total recent failed login attempts are too high (regardless of IP) then lock the account temporarily.

 

 


I might require a captcha for registration but I wouldn't require one for login.

 

And in fact I'm getting a bit tired of these nearly human-proof captchas.  They stop the old bots but I'm sure there are new ones out there that can get past them or use human intervention to get past them.  Unfortunately all the spammers have to do is hang out at the open source OCR (optical character recognition) forums and repositories and borrow some open source algorithms to tweak.  Contextual questions are the way to go, and I don't mean "what's 2+2" or something that a bot can easily be programmed to figure out.

 

Questions like "what shape is the earth".  Again, while this won't stop bots that are tied to human intervention (neither will captchas), questions like these are a lot less annoying than trying to read some captcha 5 times over.  For bots that use human intervention be sure to enable some serious (but not too sticky) flood control.

 

Also I wouldn't use a cookie for tracking login attempts.  Then a user can try to log in from anywhere in his botnet (or just clear his browser cache/cookies) as many times as he likes, since each IP will receive a different cookie allowing him 5 attempts.  So instead have another field in the database that tracks recent login attempts (and the IPs attempting to log in), and when the total recent failed login attempts are too high (regardless of IP) then lock the account temporarily.

 

Sure there are bad captchas that can be defeated, but that is overstated.  I just read a post the other day talking about this amazing JavaScript code that could defeat a captcha, when in fact the captcha being employed was one of the simplest and easiest to defeat I've ever seen.

 

I advocate the use of reCAPTCHA -- not only is it secure, but your users are benefiting mankind by helping to translate books in the process.

 

Also, since I made the initial criticism, I should probably admit that there's a reasonable case to be made for using a captcha on login, that involves bad password attempts.  What you can do is track the bad password attempts (again I'd suggest by IP), and introduce the captcha once a certain number of bad attempts has been made.  It's not the simplest thing to do, because you have to track the attempts by the time they're made, so that you can have a window of time.  I implemented this type of code for a massive multiplayer gaming site with relatively heavy traffic, to combat cheating via the use of bots.  In that case we needed to actually track logins, so the idea was a bit different, but the basic technique was the same.  Once you are keeping track of login attempts by IP, along with a timestamp, you can query a count of login attempts within the last N minutes, and if the count is high for that IP, you can issue them a captcha. 

 

It's a reasonable compromise if you don't want to be concerned that blocking by IP might keep out legit users who are coming from an ISP with a big proxy range.


Should we track as sessions, cookies or SQL queries? Ultimately I'm certain a $_SERVER for IP via SQL, but this would take up more resources, no?

 

You use MySQL.  As long as the table is only doing inserts and selects, it will perform very well.  Keep in mind that you only have to insert a row into this table when there is a bad password attempt.  You should have indexes on the IPAddress and created columns.  So a structure like this will work:

 

CREATE TABLE badPasswordAttempt (
    badPassword INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    IPAddress   VARCHAR(15) NOT NULL,   -- dotted-quad IPv4; widen to 45 if IPv6 clients are possible
    created     TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    KEY idx_ip (IPAddress),             -- non-unique index for the per-IP lookup
    KEY idx_created (created)           -- non-unique index for the time-window filter
);

 

 

Make sure you have non unique indexes on IPAddress and created.

 

Your query should be something like:

 

-- bind the client IP as a query parameter rather than interpolating it into the string
SELECT count(*) AS countof FROM badPasswordAttempt
WHERE created > DATE_ADD(NOW(), INTERVAL -5 MINUTE)
AND IPAddress = ?;

 

You will always get a result set with one column for this query, and you simply check if the answer is > your threshold.  3 or 4 would probably be a good threshold.
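The following is an added example (not code from any poster in this thread) that puts the two ideas above together: the per-IP sliding window that escalates to a captcha, and the per-account failure count that locks the account regardless of which IP the attempts came from. It assumes SQLite instead of MySQL so it runs offline, stores created as epoch seconds and passes the window cutoff as a bound parameter (SQLite has no DATE_ADD), and adds a username column to the table so account-level counting is possible; the thresholds, IP addresses and usernames are constructed values.

```python
import sqlite3

# Constructed policy values, not taken from the thread's figures
WINDOW_SECONDS = 5 * 60   # look back five minutes, as in the thread's query
IP_THRESHOLD = 4          # failures from one IP in the window before a captcha is demanded
ACCOUNT_THRESHOLD = 10    # failures against one account (any IP) before a temporary lock

# Same shape as the table above, plus a username column (assumption) and indexes
SCHEMA = """
CREATE TABLE IF NOT EXISTS badPasswordAttempt (
    badPassword INTEGER PRIMARY KEY AUTOINCREMENT,
    IPAddress   TEXT    NOT NULL,
    username    TEXT    NOT NULL,
    created     INTEGER NOT NULL        -- epoch seconds
);
CREATE INDEX IF NOT EXISTS idx_bpa_ip      ON badPasswordAttempt (IPAddress);
CREATE INDEX IF NOT EXISTS idx_bpa_user    ON badPasswordAttempt (username);
CREATE INDEX IF NOT EXISTS idx_bpa_created ON badPasswordAttempt (created);
"""


def open_db():
    """Create an in-memory database with the attempt-tracking table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def record_failure(db, ip, username, now):
    """Insert one row per bad password attempt; successful logins write nothing."""
    db.execute(
        "INSERT INTO badPasswordAttempt (IPAddress, username, created) VALUES (?, ?, ?)",
        (ip, username, now),
    )
    db.commit()


def recent_failures_by_ip(db, ip, now):
    """Count failures from this IP inside the window; values are bound, never interpolated."""
    cutoff = now - WINDOW_SECONDS
    row = db.execute(
        "SELECT count(*) AS countof FROM badPasswordAttempt "
        "WHERE created > ? AND IPAddress = ?",
        (cutoff, ip),
    ).fetchone()
    return row[0]


def recent_failures_by_account(db, username, now):
    """Count failures against this account inside the window, from any IP."""
    cutoff = now - WINDOW_SECONDS
    row = db.execute(
        "SELECT count(*) AS countof FROM badPasswordAttempt "
        "WHERE created > ? AND username = ?",
        (cutoff, username),
    ).fetchone()
    return row[0]


def login_policy(db, ip, username, now):
    """Decide what the login form should do before checking the password.

    Returns 'locked'  when the account has been hammered from anywhere,
            'captcha' when this IP alone has too many recent failures,
            'allow'   otherwise.
    """
    if recent_failures_by_account(db, username, now) >= ACCOUNT_THRESHOLD:
        return "locked"
    if recent_failures_by_ip(db, ip, now) >= IP_THRESHOLD:
        return "captcha"
    return "allow"


if __name__ == "__main__":
    db = open_db()
    t0 = 1_000_000  # constructed clock value
    for i in range(IP_THRESHOLD):
        record_failure(db, "198.51.100.7", "alice", t0 + i)
    print(login_policy(db, "198.51.100.7", "alice", t0 + 10))        # captcha
    print(login_policy(db, "203.0.113.5", "alice", t0 + 10))         # allow
    print(login_policy(db, "198.51.100.7", "alice", t0 + 600))       # allow (window expired)
```

The per-IP branch gives the compromise described above: a large ISP proxy range only sees a captcha, not a hard block, while the per-account count catches attempts spread across many addresses, which a per-IP or per-cookie counter alone would miss. Expiry is implicit in the cutoff, so no background job is needed to reset counters; old rows can be pruned on whatever schedule suits the table size.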


Also, you might want to make sure the table is InnoDB and not MyISAM.

 

 

 

By the way, have any of you all made a GMail account lately?  The CAPTCHA on there is freaking retardedly difficult.

 

Yes I have, their captcha is indeed fairly difficult :P You're never sure if your password was wrong or the captcha... :P


Yeah, limit the number of attempts per IP. Spammers are paying cheap labor overseas to figure out CAPTCHAs, and there are sites where users are rewarded for solving CAPTCHAs.  But still, this is the CAPTCHA I use: phpcaptcha.org
