IPB Should Use reCaptcha For Login Purposes


Guest hurricaine


Posted

From a regular users standpoint, that would be so annoying if it happened on every single log in.

But requiring it for users with less than some number of posts could be kind of useful, though. You log in like you normally do, but if you have less than 5 posts, you get a page where you have to solve the captcha before moving on.

Posted

It would serve a purpose since it would halt spambots at the login point. If you log off the forums, then had to log back in, at least reCaptcha requires you to prove you're a real person upon login. It would halt automated spammers at the front door and require actual people to get past the login point.

It's useless? I would expect a spammer or an Admin of a Bot Net to say something like that. IPB could use the added security.

Posted

Hmm... I would say this is an idea I would like to see implemented, esp. if it included the # of posts or x group doesn't require it.

Although from the sounds of how some groups work, the bot waits to encounter a (re)Captcha and presents it to a human... so in that case it won't do much.
But I've noted FB and Myspace do this on occasion. Like if you log in and immediately post a link on someone's wall or in your status, it makes you clear a captcha test.

Posted

I'm tired of entering Captchas. If any site does this, they lose me.

You can't make the web harder to navigate because of spammers; at some point that's why you hire moderators and pay them to do it. You can catch spammers now with the new patches, and IPS put some sweet features in IPB 3 to make the identification and removal of a spammer easy.

Also, no one said anywhere about being useless. Just annoying.

Posted

It would serve a purpose since it would halt spambots at the login point. If you log off the forums, then had to log back in, at least reCaptcha requires you to prove you're a real person upon login. It would halt automated spammers at the front door and require actual people to get past the login point.

It's useless? I would expect a spammer or an Admin of a Bot Net to say something like that. IPB could use the added security.

But there's reCaptcha on register - if that's defeated then it's safe to assume it's a human spammer using the account, so a sign in captcha wouldn't pose much more of an issue for them.

Posted

But there's reCaptcha on register - if that's defeated then it's safe to assume it's a human spammer using the account, so a sign in captcha wouldn't pose much more of an issue for them.

Well, it depends on the situation. Requiring a CAPTCHA for login probably would have prevented the recent spam attack using human registrations followed by automated messaging. I do feel that requiring a CAPTCHA on every login would be excruciatingly annoying though. An activity-based system like the Facebook one mentioned above would be more user-friendly.

Posted

Well, it depends on the situation. Requiring a CAPTCHA for login probably would have prevented the recent spam attack using human registrations followed by automated messaging. I do feel that requiring a CAPTCHA on every login would be excruciatingly annoying though. An activity-based system like the Facebook one mentioned above would be more user-friendly.

I really doubt it would have stopped those recent spammers, even if a login CAPTCHA was added then the human spammers would just login and then activate the spam script, which is quite possibly what they already do.

Posted

Guys, the spammers use an automated program to facilitate the spamming. It's designed to feed the captcha into a queue where a human answers it and the program takes back over.

If we added such a feature, they'd simply update the program so that it feeds the login captcha into the same queue. You're just playing cat and mouse. Within a week or two, their programs would be updated and they'd be spamming your forums again.

A better idea, and one already implemented into IPB3, is to create unique questions (and allowable answers) for your forum. In IPB3 you can do this in the ACP. Spam programs can't be programmed to understand every single question and potential answer on the internet, so as long as you create your own questions and answers your site will be reasonably safe from automated attacks.

Examples:
Name a color starting with "m" (answers: maroon, magenta, mauve)
http://wiki.answers.com/Q/What_are_some_colors_that_begin_with_the_letter_M

Reverse the order of these words: "Trek" and "Star" (answer: Star Trek)

etc.

Just be reasonable so that anybody could answer the question, but make it unique. :)

Posted

This might take a little research but it obviously takes time for the captcha to be sent to a human to verify, what about having a timeout on the captcha, so that it changes after X seconds.

Posted

It's a program; it won't help. You click a button, all fields are entered from some database automatically, then the captcha is displayed and you enter it. The program doesn't queue captchas; it downloads the newest one freshly when you call for it.

Posted

Brandon, if that's the case then why add reCaptcha into the registration process in the first place? From the way you posted, it sounds like a useless idea there as well.

Posted

Besides the fact that it would be obnoxious to regular users, this is why it would be pointless:

But there's reCaptcha on register - if that's defeated then it's safe to assume it's a human spammer using the account, so a sign in captcha wouldn't pose much more of an issue for them.

Posted

The only reason I could see reCAPTCHA being useful in the login process is to protect against people trying to brute force a login of an Admin or other Staff account, and that's the sort of thing that account locking is good for. For everyone else, in order to login, one would have to have already registered and thus passed the reCAPTCHA test at that point.

Posted

Brandon, if that's the case then why add reCaptcha into the registration process in the first place? From the way you posted, it sounds like a useless idea there as well.

It's a cat and mouse game. We had to do something quickly, and adding reCAPTCHA did stop them for a while. Unfortunately, CAPTCHAs on the whole are quickly becoming obsolete. I think the internet will start moving to adaptive recognition (e.g. things like StopForumSpam and Akismet), as it's becoming so easy to bypass the typical existing measures.

Posted

One thing I haven't seen mentioned is that it adds another possibility of not being able to stay logged in at all. With as many tickets as I see coming through due to users not being able to stay logged in because of cookie issues, that would be another pain to deal with for everyone involved.

Another point to make would be staying logged in automatically, that would almost have to be entirely scrapped and I know, even without a reCAPTCHA, I very much dislike having to log in every time I return to a site I visit regularly.

Posted

Brandon, if the captchas are being stripped out and solved by humans elsewhere, what hope is there for any captcha type system? Even if you were to have a group of images and had to pick which one based on a question... if a human was answering it somewhere else... what good does it do anymore, besides stopping minor script kiddies? Because unless I'm missing something, there is no real way of stopping them short of admin validation. Even some of the methods proposed about restricting access until one reply is made is easily overcome.

One thing is abundantly clear to me though... they are able to do this because the html and the structure of the page for registering is either almost the same, or exactly the same. Even the url to get to that registration page is the same. They are targeting widely used software. Other websites that are uniquely made cannot be indirectly targeted like IPB, vBulletin, Wordpress, etc...

So if the captchas aren't working, what about trying to make the registration page harder to find, or harder to recognize by a generic algorithm? They may find a few, but if each one has a uniqueness about them, maybe it would be enough to throw these scripts off?

Posted

I'm not sure you've thought about what you're suggesting, Luke. You're suggesting that you want to make it hard for people to find your registration page (by changing the URL on each request, or similar)... and you want to break the usability of the page by making it different each time you access it, rather than sticking to a 'known good' design.

Bad idea.

That is all. :)

Posted

I'm not sure you've thought about what you're suggesting, Luke. You're suggesting that you want to make it hard for people to find your registration page (by changing the URL on each request, or similar)... and you want to break the usability of the page by making it different each time you access it, rather than sticking to a 'known good' design.

Bad idea.

That is all. :)

No, I'm just saying the reason why it's so easy for them to do this is because every single registration page is exactly the same. Other sites that are unique do not get indirectly affected like similar sites. I'm not saying it should be done, or how it could be done, I'm just pointing out that the software is getting targeted as a whole because of each installation being too similar. All a script has to do is find that your site uses IPB and go directly to the registration page. But if it were different for each site, then it wouldn't be as easy. It can be linked just the same... But then again, they could pull the link out of the HTML code.

Posted

Luke, your reply is fundamentally correct. No matter what is done, a program can be updated to overcome it. For instance, if captchas are fed into a queue for people to answer them, there's nothing stopping a program from doing the same with questions/answers eventually.

With the registration form, while the ideas are nice, they're not practical for compatibility reasons.

You could randomize field names, but then the bot can just look at the order of the fields. You could use javascript to build the form with random names, but then it won't work for people without javascript, and you don't want to randomize the actual displayed order of elements on a registration form. You can't sacrifice usability for real humans to combat spammers.

Posted

No, I'm just saying the reason why it's so easy for them to do this is because every single registration page is exactly the same. Other sites that are unique do not get indirectly affected like similar sites. I'm not saying it should be done, or how it could be done, I'm just pointing out that the software is getting targeted as a whole because of each installation being too similar. All a script has to do is find that your site uses IPB and go directly to the registration page. But if it were different for each site, then it wouldn't be as easy. It can be linked just the same... But then again, they could pull the link out of the HTML code.

Any generated randomness is only so random as the system that created it. If they mix some things up, those are the same things that are consistently mixed up. It's a nice idea, but it effectively becomes another Captcha sort of thing without so much complexity. They just adjust their scripts to deal with possible variations or to get the link to the registration page first and then get on with life.

This is a horrid example, but they say to speak what you know. In MMO games, 'real-world trading'--selling in-game money, items or accounts for real world dollars--is a huge issue with similar ramifications. Jagex, the makers of Runescape, have been dealing with it for almost as long as the game has existed, eight-some years now. "We keep developing technologies to combat bots, but it's like an arms race – we stop bots, they improve their macros, we stop them, they improve again," says Andrew. The longer we keep doing this, the harder it's going to be to keep stopping bots. "If we don't break that vicious cycle now, it would just keep getting worse and worse. It could reach a point where macro software becomes undetectable." [*]

The only way to stop it outright is to make it impractical for them to continue. In Runescape, they removed the ability to make any sort of unbalanced trade. On forums, well, what might that mean?

Captcha is failing, but we're not to the point that the absence of it is no worse than its presence.

Posted

Yep. And I was stating the reasons for why it is so easy for bots to do this. There has to be a way to stop them though... but at the moment, I really can't think of anything too incredibly useful.

Posted

Do the recaptcha at the post/pm screen, not login screen.

I can give some reasons:

the registration page is now pointless if a human does it. Granted, still have it on the reg page.
nobody would want to enter that info on each login. (stated above)
not all people that are on the site post anyway.
spam bots don't expect it yet.. shhhh
if they did, they would have to enter it in again (human).
they get bored doing that all the time
they would probably get killed off by a mod before they could do it again anyway.

I've done this on "my" site. It works. The bot just sits there, then leaves. Same with the PM system.
I made it do a one time per session for people with less than 3-5 posts. That gives you time to act.
Nobody would want to keep entering recaptcha data all the time.


Not saying this is the way to do it, but it has helped a lot.
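The activity-based gating described in this post (a challenge once per session at the post/PM screen, only for members with few posts), combined with the custom question-and-answer check suggested earlier in the thread and account locking for staff logins, as an added illustrative example; this is not IPB code. The thresholds, the in-memory counters and the "post"/"pm" action names are assumptions.

```python
from dataclasses import dataclass

NEW_MEMBER_POST_THRESHOLD = 5    # assumption: members below this count are "new"
LOGIN_FAILURE_LIMIT = 5          # assumption: lock staff logins after this many failures
CHALLENGED_ACTIONS = {"post", "pm"}  # gate the post/PM screens, never the login form

# Per-account failure counter keyed by member name (in-memory for this example).
failed_logins: dict = {}

@dataclass
class Member:
    name: str
    post_count: int
    is_staff: bool = False

@dataclass
class Session:
    challenge_passed: bool = False  # a new member answers once per session

def normalize(text: str) -> str:
    """Case- and whitespace-insensitive form of a free-text answer."""
    return " ".join(text.strip().lower().split())

def answer_ok(answer: str, allowed) -> bool:
    """Custom-question check: any of the admin's allowable answers passes."""
    return normalize(answer) in {normalize(a) for a in allowed}

def needs_challenge(member: Member, session: Session, action: str) -> bool:
    """True when this action must show the CAPTCHA / custom question first."""
    if action not in CHALLENGED_ACTIONS or member.post_count >= NEW_MEMBER_POST_THRESHOLD:
        return False  # logins and established members are never challenged
    return not session.challenge_passed

def submit_challenge(session: Session, answer: str, allowed) -> bool:
    """A correct answer clears the session; a wrong one leaves it gated."""
    if answer_ok(answer, allowed):
        session.challenge_passed = True
    return session.challenge_passed

def attempt_login(member: Member, password_ok: bool) -> str:
    """Staff accounts get lockout against brute force rather than a CAPTCHA."""
    count = failed_logins.get(member.name, 0)
    if member.is_staff and count >= LOGIN_FAILURE_LIMIT:
        return "locked"
    if password_ok:
        failed_logins[member.name] = 0
        return "ok"
    failed_logins[member.name] = count + 1
    return "locked" if member.is_staff and count + 1 >= LOGIN_FAILURE_LIMIT else "denied"
```

A real deployment would keep the failure counter and session flag in persistent storage and expire the lock after a cooling-off period.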

Archived

This topic is now archived and is closed to further replies.
