kalin Posted October 20, 2023 Why can't we enable the captcha on the login form? We recently fell victim to a brute force attack. Someone purchased leaked emails and passwords from somewhere and launched an attack to check if there is a registration on our site with the same email and password. Why is there no option to enable captcha for the standard login form? Locking accounts doesn't help. The email and password verification request is just one.
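The attack described in this post defeats per-account lockout because each account sees only one attempt; the spray is only visible when login events are grouped by source. The following detection logic is an added example, not code from the thread or from Invision Community, and runs over a constructed sample log whose format (timestamp, source IP, account, outcome) is an assumption.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the thread): timestamp, source IP, account, outcome.
# One source tries six different accounts exactly once each; a normal user retries a single account.
SAMPLE_LOG = """\
2023-10-20T10:00:01Z 203.0.113.5 alice@example.org FAIL
2023-10-20T10:00:02Z 203.0.113.5 bob@example.org FAIL
2023-10-20T10:00:03Z 203.0.113.5 carol@example.org OK
2023-10-20T10:00:04Z 203.0.113.5 dave@example.org FAIL
2023-10-20T10:00:05Z 203.0.113.5 erin@example.org FAIL
2023-10-20T10:00:06Z 203.0.113.5 frank@example.org FAIL
2023-10-20T10:01:10Z 198.51.100.7 dave@example.org FAIL
2023-10-20T10:01:25Z 198.51.100.7 dave@example.org FAIL
2023-10-20T10:01:40Z 198.51.100.7 dave@example.org OK
"""


def parse_line(line):
    """Split one log line (assumed whitespace-separated format) into its fields."""
    ts, ip, account, outcome = line.split()
    return {"ts": ts, "ip": ip, "account": account, "ok": outcome == "OK"}


def detect_credential_stuffing(lines, min_accounts=5, max_attempts_per_account=1):
    """Flag source IPs that touch many distinct accounts with at most
    max_attempts_per_account tries each. Per-account lockout never fires on
    this pattern, so the per-source view is what reveals it. Returns a dict
    keyed by source IP with the number of accounts tried and the accounts
    that were successfully logged into (candidates for forced reset / 2FA)."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> account -> tries
    successes = defaultdict(set)                       # ip -> accounts logged in
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        attempts[ev["ip"]][ev["account"]] += 1
        if ev["ok"]:
            successes[ev["ip"]].add(ev["account"])
    findings = {}
    for ip, per_account in attempts.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_attempts_per_account:
            findings[ip] = {
                "accounts_tried": len(per_account),
                "compromised": sorted(successes[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['accounts_tried']} accounts tried, logged in as {info['compromised']}")
```

The retrying user at 198.51.100.7 is not flagged because all attempts target one account, which is the case a lockout policy already covers.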
The Old Man Posted October 20, 2023 (edited) That is surprising, but you are quite correct. I just looked at my own sites which use Captcha. It only shows on Register. I would definitely activate 2FA for your members if you have suffered this kind of attack. You may find that you need the Enterprise or Pro level of Captcha to guard against Account Takeovers, I'm not sure, but Cloudflare would be ideal if you don't already have it, as best practice. Edited October 20, 2023 by The Old Man
Marc Posted October 20, 2023 I'm not sure why you believe this is a security flaw. I have actually added the words "In my opinion" so that this is not misleading and alarming to others. What this actually would be is a feature you would like, but it's certainly by no means a security flaw. In fact, we actually have items to mitigate these issues, but of course, they depend on being used. You would simply enable 2-factor authentication on your site, which is created to prevent people from accessing others' accounts. The locked accounts feature does indeed work; however, if they have the correct password for some reason, then indeed they will get in. See my point above on this, which would resolve that issue completely. It's also worth noting these are not always bots. If there is a list somewhere that has a password on it that someone uses on multiple sites, you wouldn't have to be a bot to simply log in with those details. Again, 2-factor authentication would solve that issue. I mention the above as it depends on it being used, of course. We can prevent many things, and of course the request for such features would be taken into account if you post this up as feedback. But as with 2-factor authentication, it would depend on it being used.
kalin (Author) Posted October 20, 2023 3 minutes ago, Marc Stridgen said: I'm not sure why you believe this is a security flaw. [...] I'm going to send you a private message about slavery because there is information that is not to be published here.