Bitcoin Forum

Other => Meta => Topic started by: theymos on August 13, 2017, 06:52:19 PM



Title: Login captcha
Post by: theymos on August 13, 2017, 06:52:19 PM
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.


Title: Re: Login captcha
Post by: botany on August 13, 2017, 08:35:43 PM
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

I was wondering why there was a change.
This captcha is irritating (sometimes you have to click on multiple screens), but it does seem to be necessary. You wouldn't want to take risks given the number of hackings there have been.


Title: Re: Login captcha
Post by: tcsh on August 13, 2017, 09:02:23 PM
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hours and potentially banning the IPs also?
I mean, who forgets their password and tries more than 3-4 times to log in? After 3-4 times they'd use the forgotten password option, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo for example does that after 12 attempts, locks the account for 12 hours. Facebook and Gmail have something similar.
The point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually log in.

Dunno, seems like it would be a lot of trouble as opposed to the captcha challenge.


Title: Re: Login captcha
Post by: minifrij on August 13, 2017, 09:07:32 PM
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hours and potentially banning the IPs also?
This solution is impossible to implement without making regular users' lives difficult.

Let's say we lock an account after too many wrong password attempts; what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless, as those looking to abuse it could just connect via proxy services.


Title: Re: Login captcha
Post by: theymos on August 13, 2017, 09:14:35 PM
Let's say we lock an account after too many wrong password attempts; what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless, as those looking to abuse it could just connect via proxy services.

Exactly, locking an account due to incorrect password attempts is insecure unless you already have some sort of partial authentication (e.g. half of 2-factor authentication).


Title: Re: Login captcha
Post by: tcsh on August 13, 2017, 11:43:42 PM
It was just a thought; it would obviously need some thinking.

Anyway, there's a potential bug, or rather.. an oversight.

If I click on the login button located in the top left corner it takes me to: https://bitcointalk.org/index.php?action=login
This is fine (obviously) and the login form there displays the captcha.

If you take any action and you're not logged in (for whatever reason) it shows up as this, with no captcha loading:

https://s23.postimg.org/qh9hk7w9n/captcha.png

Example: having a bookmark with https://bitcointalk.org/index.php?action= (any action, example: pm reply, thread reply, etc) or using a custom PM notification app and needing to quickly reply or so forth.

It correctly tells me to log in but it doesn't display the captcha there, hence I can't log in using that form; I have to click again on the top left button so it takes me to the original login form, located at https://bitcointalk.org/index.php?action=login

I'm not using an ad blocker or NoScript, tried it in multiple browsers, and the captcha doesn't load in any of them. So I'm guessing it's on your end.

Steps to reproduce:

Make sure you're not logged in.
Have a bookmark in your browser with a link entailing an action, let's use this for example: https://bitcointalk.org/index.php?action=pm
Click the bookmark
Done.


Title: Re: Login captcha
Post by: gelius on August 14, 2017, 01:05:10 AM
Please do not use google captcha.
Use alternative.


Title: Re: Login captcha
Post by: theymos on August 14, 2017, 01:12:43 AM
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.


Title: Re: Login captcha
Post by: tcsh on August 14, 2017, 01:32:22 AM
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

You're welcome!


Title: Re: Login captcha
Post by: mprep on August 14, 2017, 01:56:02 AM
Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
Because for anyone who (still) actively uses faucets, the new reCAPTCHA is much more difficult / time-consuming (if it's one of those "select all things until none are left") to fill in (probably due to the high volume of captchas filled on the same IP). At least that's what I've seen some users complain about. In addition, sometimes it's difficult to tell what specifically the captcha is asking you to mark (e.g. do the poles on road signs count as part of the sign?).

That aside, since it's important to stop bots from bruteforcing passwords, AFAIK the new reCAPTCHA is impossible for bots to automatically bypass (for now; though if anyone is going to break Google's new captcha, it's probably going to be them - hell, that's why they created this new one). Gonna be a bit of a pain in the ass creating user based Bitcointalk bots / libraries though (not exactly a fan of manually requesting keys for each bot but I guess I've got no choice until this gets resolved (fingers crossed for the new forum software modular API access)).


Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

https://i.imgur.com/TOBsBgl.gif


Title: Re: Login captcha
Post by: tcsh on August 14, 2017, 02:23:06 AM
Yup, numerous reasons recaptcha is bad in the long term.
While it's a great solution to stop bots in their tracks, especially brute force ones, I feel as if in the long run it creates more potential problems.
That said, nothing wrong with using it till a more convenient solution can be implemented.

There's a reason big services (Yahoo, Gmail, Facebook and so forth) don't use it, at least when it comes to the login.


Title: Re: Login captcha
Post by: Quickseller on August 14, 2017, 05:22:08 AM
I am not sure how difficult it would be to implement this via SMF, however would it be possible to have users attempt to log in on /login.php, then on a /login2.php page check whether the account attempting to be logged into meets certain criteria, and if so a captcha would be presented before the username/password combination is checked against the forum DB. For example, an account that has had zero failed login attempts and has had its password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.
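The trade-off argued in this thread (tcsh's lock-and-ban idea, minifrij's and theymos's objection that per-account lockout lets anyone lock a victim out, and the opening post's point that spreading guesses over thousands of IPs defeats per-IP rate limits) and Quickseller's risk-based gating proposal above, simulated side by side as an added example. This is constructed code, not SMF's or bitcointalk.org's login handling: the thresholds, the one-hour window, the inactivity limit, the breach-date placeholder, the account names, passwords and IP ranges are all assumptions, and passwords are compared in plaintext only because the point is the policy, not credential storage.

```python
"""Three login-gating policies, simulated offline (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy parameters; none of these are the forum's real settings.
IP_FAIL_LIMIT = 10                    # failures per IP per WINDOW before that IP is throttled
ACCOUNT_FAIL_LIMIT = 3                # failures per account per WINDOW before captcha/lock
WINDOW = timedelta(hours=1)
INACTIVITY = timedelta(days=90)       # Quickseller's "not accessed in the past y time"
BREACH_DATE = datetime(2015, 1, 1)    # placeholder for "the date of the forum hack"
NOW = datetime(2017, 8, 14, 12, 0)    # constructed clock


@dataclass
class Account:
    password: str                                   # plaintext only for the simulation
    password_changed: datetime
    last_login: datetime
    failures: deque = field(default_factory=deque)  # timestamps of wrong passwords


def _recent(stamps, now):
    """Evict timestamps older than WINDOW and return how many remain."""
    while stamps and now - stamps[0] > WINDOW:
        stamps.popleft()
    return len(stamps)


class LoginGate:
    """Per-IP and per-account failure counters under one of three policies."""

    def __init__(self, policy):
        assert policy in ("ip_only", "lockout", "risk_captcha")
        self.policy = policy
        self.ip_failures = defaultdict(deque)
        self.accounts = {}

    def captcha_required(self, acct, now):
        """Quickseller's criteria: recent failures, long inactivity, or a password
        set before the breach each demand a captcha before the password is checked."""
        return (_recent(acct.failures, now) >= ACCOUNT_FAIL_LIMIT
                or now - acct.last_login > INACTIVITY
                or acct.password_changed < BREACH_DATE)

    def attempt(self, user, password, ip, now, solved_captcha=False):
        """Return 'ok', 'bad_password', 'throttled', 'locked' or 'captcha_needed'."""
        acct = self.accounts[user]
        if _recent(self.ip_failures[ip], now) >= IP_FAIL_LIMIT:
            return "throttled"                 # per-IP limit applies under every policy
        if self.policy == "lockout" and _recent(acct.failures, now) >= ACCOUNT_FAIL_LIMIT:
            return "locked"                    # refused for WINDOW, even with the right password
        if (self.policy == "risk_captcha" and self.captcha_required(acct, now)
                and not solved_captcha):
            return "captcha_needed"            # password is not checked until the captcha is solved
        if password != acct.password:
            acct.failures.append(now)
            self.ip_failures[ip].append(now)
            return "bad_password"
        acct.last_login = now
        acct.failures.clear()
        return "ok"


def fresh_gate(policy):
    """Gate holding one constructed account with a recent login and post-breach password."""
    gate = LoginGate(policy)
    gate.accounts["alice"] = Account("correct horse", NOW - timedelta(days=10), NOW - timedelta(days=1))
    return gate


def distributed_guessing(policy, guesses=5000):
    """One wrong guess per IP (the pattern from the opening post), then the real user logs in.

    Returns (attacker outcome counts, result for the legitimate user who solves the captcha)."""
    gate = fresh_gate(policy)
    outcomes = defaultdict(int)
    for i in range(guesses):
        ip = f"10.0.{i // 256}.{i % 256}"      # constructed: a different IP for every guess
        outcomes[gate.attempt("alice", f"guess{i}", ip, NOW)] += 1
    victim = gate.attempt("alice", "correct horse", "192.0.2.1", NOW, solved_captcha=True)
    return dict(outcomes), victim


def captcha_decisions():
    """Quickseller's three criteria applied to constructed accounts with no recent failures."""
    gate = LoginGate("risk_captcha")
    samples = {
        "fresh": Account("x", NOW - timedelta(days=10), NOW - timedelta(days=1)),
        "inactive": Account("x", NOW - timedelta(days=10), NOW - timedelta(days=120)),
        "old_password": Account("x", BREACH_DATE - timedelta(days=1), NOW - timedelta(days=1)),
    }
    return {name: gate.captcha_required(acct, NOW) for name, acct in samples.items()}


if __name__ == "__main__":
    for policy in ("ip_only", "lockout", "risk_captcha"):
        print(policy, distributed_guessing(policy))
    print(captcha_decisions())
```

Under `ip_only` every one of the 5000 guesses is checked against the password, because no IP ever reaches its limit; under `lockout` the attacker needs only three wrong guesses to leave the legitimate user seeing `locked`, which is the objection raised above; under `risk_captcha` the account stops answering password checks after three failures but the real user still gets in by solving the captcha.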


Title: Re: Login captcha
Post by: Foxpup on August 14, 2017, 11:23:08 AM
test

(I kept getting an "Incorrect recaptcha." error when I tried to log in, but it seems I can log in successfully by trying to reply to a thread... not sure what happened there.)


Title: Re: Login captcha
Post by: BillyBobZorton on August 14, 2017, 11:29:30 AM
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

The problem is Tor likes to switch IP randomly, sometimes it happens while you are trying to solve the captcha. The captcha images are so slow to load sometimes (they fade in from white) so sometimes you run out of time. Also it's pretty hard, I had to try several times because I was getting "incorrect recaptcha".

I like to use noscript and a proxy here for obvious reasons: bitcoins and scammers don't mix well, so you want to take measures against it.


Title: Re: Login captcha
Post by: |Admiral| on August 14, 2017, 01:20:23 PM
Sorry Mr Theymos but I don't like this feature, it keeps annoying me as the images keep changing... first it says to select all street signs, then select vehicles... then it tells me to select a store in front of a building... and lastly it says there was some problem with the captcha.. ::)


Title: Re: Login captcha
Post by: Cøbra on August 14, 2017, 01:27:14 PM
Hope this will only be a temporary thing. The captcha is pretty annoying.


Title: Re: Login captcha
Post by: marlboroza on August 14, 2017, 01:53:22 PM
Whoever is having problems with the captcha (too many NEXT-SKIP buttons, too many street numbers (stores, vehicles, roads, aliens :o) to click, failed to verify, etc etc), the simplest solution is to delete Google cookies. Tested a long time ago and it is working.


Title: Re: Login captcha
Post by: Coin-Keeper on August 14, 2017, 09:51:42 PM
Theymos,

May I suggest locking this thread at the top here temporarily? I participated in a couple of other threads before I realized you already addressed this publicly. Sorry for that. I am not a Mod here so I can't sticky this.


Title: Re: Login captcha
Post by: theymos on August 15, 2017, 01:07:29 AM
Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

I've seen that happen before (rarely) on Tor, but a small delay isn't very bothersome, and I've always been able to fix the really bad delays by refreshing the page or getting a new Tor identity.

Elsewhere, someone suggested Solvemedia, but I think that all captchas based on reading text are actually easier for high-quality OCR to solve than for humans. The photo-based ones give computers a major disadvantage over humans. I don't care very much if people use services like 9kw.eu to solve the captchas, since that at least has a cost, but if a captcha can be OCRed, then they have no cost at all, making them completely useless.

If someone has other suggestions for good captcha services/libraries, let me know. I don't really like using Google products, since Google's whole business model is spying on people. Though as I mentioned, I don't have much faith in captchas based on reading mangled text.

I am not sure how difficult it would be to implement this via SMF, however would it be possible to have users attempt to log in on /login.php, then on a /login2.php page check whether the account attempting to be logged into meets certain criteria

I thought about that, but it'd be a bit difficult to implement, and I'm not sure how much value it'd really provide. Even if a captcha isn't required in 99% of logins, the 1% of logins where it is required is going to screw up bots, etc.


Title: Re: Login captcha
Post by: sumangs on August 16, 2017, 03:12:48 AM
It is a good idea to put login captcha when logging in. Spambots could possibly enter your password by chance using combinations. Since spambots could not pass captchas, there will be a stronger security in this forum. Also, it is a good idea to put captchas before posting to prevent spamming post possibly created by an upgraded version of a spambot. Users using spambot could be terminated if captchas are implemented in this forum.


Title: Re: Login captcha
Post by: midmir on August 16, 2017, 04:00:42 PM
Please do not use google captcha.
Use alternative.

I was going to ask the same.
Feeding the G AI and allowing them to know about every login does not seem fine to me.
I am calling for in house implementation.


Title: Re: Login captcha
Post by: Farfenkugel on August 16, 2017, 09:35:37 PM
I understand why captcha is important but am I the only one who has problems on a weekly basis in solving them?

It switches every week. First they are easy to solve, some other moments it's suddenly impossible to solve... another day every solved captcha gives a constant error... this ain't normal anymore.

We should have more methods to solve and enter/login/claim. I wonder how many people stop doing anything because of this.


Title: Re: Login captcha
Post by: mprep on August 16, 2017, 09:42:40 PM
Please do not use google captcha.
Use alternative.

I was going to ask the same.
Feeding the G AI and allowing them to know about every login does not seem fine to me.
I am calling for in house implementation.
Any in-house captcha implementation would be inferior (and probably easily crackable) compared to a system dev'd by the multi-billion data and IT tycoon that is Google. While I don't particularly like the captcha tech, it's effective and AFAIK nobody in the dark circles of the Internet managed to figure out a way to break it (edit: as in near 90-100% success ratio on a large scale brute force attempt).

If you dislike being tracked, you should probably also stop using Google search, avoid (or at least block the analytics script from even downloading) any website that happens to use Google Analytics (hint: it's most of them) and throw your Android phone (if you're using Apple and think you are being tracked less than on an Android, I really have nothing to say to you) out the window.

I understand why captcha is important but am I the only one who has problems on a weekly basis in solving them?

It switches every week. First they are easy to solve, some other moments it's suddenly impossible to solve... another day every solved captcha gives a constant error... this ain't normal anymore.

We should have more methods to solve and enter/login/claim. I wonder how many people stop doing anything because of this.
Clear your cookies (at least any Google ones). According to a user in this thread, apparently it helps.


Title: Re: Login captcha
Post by: chmod777 on August 16, 2017, 09:46:55 PM
If a malicious person wants to bypass Google Captcha, the person can do it.

https://www.youtube.com/watch?v=8iMU9HbJ7Wo


Title: Re: Login captcha
Post by: mprep on August 16, 2017, 09:52:38 PM
If a malicious person wants to bypass Google Captcha, the person can do it.

https://www.youtube.com/watch?v=8iMU9HbJ7Wo
Indeed, but it requires more effort and time (especially when bruteforcing large amounts of captchas in a small period of time) rather than just running the captcha through an OCR library and echoing out the results.

A bit OT, but the presentation is pretty interesting though. Wonder how long it will take till Google ups its defenses (if it hasn't already).


Title: Re: Login captcha
Post by: Balmain on August 17, 2017, 02:40:43 PM
Login captcha is pretty annoying because every time I log in it asks me 3 different puzzles. I also realized that after this captcha thing was implemented the forum logs me out occasionally when I'm browsing. When I try to post something it logs me out after I press Post. Weird, this hasn't happened before captcha.


Title: Re: Login captcha
Post by: mprep on August 17, 2017, 03:09:24 PM
Login captcha is pretty annoying because every time I log in it asks me 3 different puzzles. I also realized that after this captcha thing was implemented the forum logs me out occasionally when I'm browsing. When I try to post something it logs me out after I press Post. Weird, this hasn't happened before captcha.
If it randomly logs you out, make sure you've checked the "Always stay logged in" checkbox or at least set the "Minutes to stay logged in" to something bigger than an hour (since 60 minutes is the default) when logging in.


Title: Re: Login captcha
Post by: Foxpup on August 30, 2017, 02:26:06 AM
It's happening again. I keep getting "Incorrect Recaptcha." or "You must solve the CAPTCHA (JavaScript required)." I had to try dozens of times before I could finally log in; I was just about ready to give up altogether. :-\


Title: Re: Login captcha
Post by: adam48 on August 30, 2017, 08:12:50 AM
I really appreciate this, although sometimes the captcha makes me upset because it is always wrong and it takes a few minutes to log in.


Title: Re: Login captcha
Post by: Joel_Jantsen on August 30, 2017, 08:39:27 AM
Actually, the captcha works perfectly the way it was supposed to. Once we solve the captcha a couple of times from the same IP for login, it doesn't need you to solve the captcha again anymore. I don't know if it is programmed that way, but once your IP is whitelisted you can get rid of the captcha. I had an option to use it when I used it the first couple of times from my phone/laptop; now it doesn't ask me to solve it, as only clicking on "I'm not a robot" does it for me.


Title: Re: Login captcha
Post by: xskl0 on August 31, 2017, 04:49:37 PM
Google's captcha sucks  :'(


Title: Re: Login captcha
Post by: nelson4lov on September 14, 2017, 07:38:00 PM
I sent Theymos a PM regarding the difficulty the captcha page is causing me. Is there any way to disable the captcha on the login page? I have used Opera Mini (old) to access the forum since November 2016. Yesterday my browser crashed; I reinstalled it and tried to log in, but Opera Mini (old) doesn't have JavaScript functionality. Currently using Firefox to access the forum. The experience hasn't been smooth so far. Didn't notice the new captcha feature as I've always had "Always stay logged in" active.

Can I appeal this option be removed?