Bitcoin Forum

Other => Meta => Topic started by: theymos on October 03, 2018, 01:49:32 AM



Title: Captcha bypass
Post by: theymos on October 03, 2018, 01:49:32 AM
You can now bypass the login CAPTCHA by bookmarking the link generated for you here: https://bitcointalk.org/captcha_code.php

If it causes problems, I might restrict it to Jr Members and above or something, but currently anyone can do it.


Title: Re: Captcha bypass
Post by: angel55 on October 03, 2018, 02:43:01 AM
You can now bypass the login CAPTCHA by bookmarking the link generated for you here: https://bitcointalk.org/captcha_code.php

If it causes problems, I might restrict it to Jr Members and above or something, but currently anyone can do it.

Excellent. CAPTCHAs can be quite infuriating at times.


Title: Re: Captcha bypass
Post by: Cøbra on October 03, 2018, 02:44:22 AM
Thank you!

The captcha on the log in page was driving everyone crazy, especially Tor users.


Title: Re: Captcha bypass
Post by: eddie13 on October 03, 2018, 03:06:54 AM
Great! Hope it works because these are exactly the type of people whose posts I like to read..
Maybe nullius will come back..


Title: Re: Captcha bypass
Post by: mk4 on October 03, 2018, 03:41:04 AM
This is a huge lifesaver for the Tor users, for those who want to hide their crypto-related activity from their ISPs. You can never have enough opsec. +1


Title: Re: Captcha bypass
Post by: Little Mouse on October 03, 2018, 05:18:18 AM
Will hacking an account through this link be easier than before? I'm not a hacker  ;D Just trying to know.
BTW, it's a great addition, no doubt. Lots of people were looking for a solution to this. Some even asked for a paid solution.


Title: Re: Captcha bypass
Post by: InvoKing on October 03, 2018, 05:27:48 AM
Will hacking an account through this link be easier than before?

Normally it has 0 effect on the hacking thing. It is just a link that will let you insert your login without resolving captcha. If the hacker already has your credentials, he will hack your account whether he has this link or not.


Title: Re: Captcha bypass
Post by: The Cryptovator on October 03, 2018, 05:36:53 AM
Will hacking an account through this link be easier than before? I'm not a hacker  ;D Just trying to know.

Not really, it's just for bypassing the captcha. You still need login details to enter the website. I think it will be easier to protect your account from phishing sites, because you have already bookmarked the original link. Also, a DDoS attacker will not be able to attack through this link, because the link is generated for each account. Before getting this link you have to log in first. So a DDoS attacker will not be able to bypass the captcha.


Title: Re: Captcha bypass
Post by: tactac on October 03, 2018, 05:40:48 AM
Thank you!!

Perhaps I am not a bot, but it was sometimes difficult to clear the CAPTCHA... (Especially the stage of checking the shop's signboard was difficult :'()


Title: Re: Captcha bypass
Post by: Lizzylove1 on October 03, 2018, 08:29:32 AM
Thanks for this. I will show it to my BTT friends. There are days I get frustrated when logging in because of captcha and I will just chill hoping to get a quick verification later on. There are days I will have to severally close my browser.


Title: Re: Captcha bypass
Post by: LoyceV on October 03, 2018, 08:57:35 AM
Great! Hope it works because these are exactly the type of people whose posts I like to read..
Maybe nullius will come back..
I've sent him an email already :D

Will hacking an account through this link be easier than before?
You still need to set a decent password. If it's difficult enough, it can't be brute-forced.


Title: Re: Captcha bypass
Post by: mk4 on October 03, 2018, 09:17:00 AM
Will hacking an account through this link be easier than before?

Normally it has 0 effect on the hacking thing. It is just a link that will let you insert your login without resolving captcha. If the hacker already has your credentials, he will hack your account whether he has this link or not.

It actually has an effect. If a hacker gets hold of the link, then the hacker can freely attempt to bruteforce your password, as they'd normally have to pay a good amount of money for captcha solvers (like 2captcha, deathbycaptcha, etc.). It probably may not make it easier, but it's definitely a lot cheaper. This is why Theymos implemented a Reset feature for the link to be changed if ever you think someone else has your link.


Title: Re: Captcha bypass
Post by: Jet Cash on October 03, 2018, 09:27:52 AM
Does the captcha vary between countries? Whenever I change login details, all I have to do is to tick the captcha box. I think I have only triggered the image verification extension on a couple of occasions since it was implemented.


Title: Re: Captcha bypass
Post by: LoyceV on October 03, 2018, 09:31:08 AM
Does the captcha vary between countries?
It varies per country, IP address, browser fingerprinting, or anything else Google knows or wants to know about you :P
I've noticed that a logged in Gmail in the same browser helps too, and if you only use captcha a few times per day, just one click is enough most of the time.
That's why it's mainly a problem for Tor users, who share their exit IP with many others.


Title: Re: Captcha bypass
Post by: jackg on October 03, 2018, 02:47:40 PM
Does the captcha vary between countries?
It varies per country, IP address, browser fingerprinting, or anything else Google knows or wants to know about you :P
I've noticed that a logged in Gmail in the same browser helps too, and if you only use captcha a few times per day, just one click is enough most of the time.
That's why it's mainly a problem for Tor users, who share their exit IP with many others.

I don't think Gmail would help too much with Tor either.
A good precise tap of the ticking box on a normal computer does enough. If you're precise and natural enough for Google to believe you're not a bot, I believe you can get in quite easily on the first few attempts from your IP. However, using reCAPTCHA on a lot of occasions can make the image box show up; when I was in college you used to have to do the image verification every time you wanted to fill a reCAPTCHA no matter what else you'd done and logged onto on that machine...


Title: Re: Captcha bypass
Post by: RocketSingh on October 03, 2018, 04:25:57 PM
You can now bypass the login CAPTCHA by bookmarking the link generated for you here: https://bitcointalk.org/captcha_code.php

If it causes problems, I might restrict it to Jr Members and above or something, but currently anyone can do it.

Good job buddy. Good job.

Just wanna know, do you have any formal PHP knowledge or is it self-taught?


Title: Re: Captcha bypass
Post by: cellard on October 04, 2018, 02:49:16 AM
Does the captcha vary between countries?
It varies per country, IP address, browser fingerprinting, or anything else Google knows or wants to know about you :P
I've noticed that a logged in Gmail in the same browser helps too, and if you only use captcha a few times per day, just one click is enough most of the time.
That's why it's mainly a problem for Tor users, who share their exit IP with many others.

I don't think Gmail would help too much with Tor either.
A good precise tap of the ticking box on a normal computer does enough. If you're precise and natural enough for Google to believe you're not a bot, I believe you can get in quite easily on the first few attempts from your IP. However, using reCAPTCHA on a lot of occasions can make the image box show up; when I was in college you used to have to do the image verification every time you wanted to fill a reCAPTCHA no matter what else you'd done and logged onto on that machine...

Captchas are hell with Tor. In most cases, you'll be forced to compromise your security by being forced to enable javascript, iframes and so on so the thing shows up, and hackers love javascript.

But yeah, I just tried theymos' workaround and it will save me so much time. Recently I made a thread asking for some ideas to bypass captcha, I was even willing to pay. It's awesome that he is still adding things to the forum and he did it for free. Now I will no longer have nightmares with traffic signs and crossroads.

The only added risk is that if your computer is compromised, they could get the link with the code. He mentioned owning that code makes bruteforcing the pass easier. Does anyone have the math?


Title: Re: Captcha bypass
Post by: theymos on October 04, 2018, 03:12:15 AM
The only added risk is that if your computer is compromised, they could get the link with the code. He mentioned owning that code makes bruteforcing the pass easier. Does anyone have the math?

If your password is decent and unique to bitcointalk.org, then brute-forcing isn't going to be possible via the Internet. I can't imagine anyone being able to do more than a few hundred attempts per second, which is far slower than if you had the password hash.

The main reason why the login captcha is necessary at all is that whenever some site's username/password database is leaked anywhere on the Internet, hackers would come and try all of those logins here, grabbing a few accounts from people who shared passwords, and sometimes slowing down the forum from the rapid barrage of login attempts. These codes are sufficient for preventing that on any large scale. For individual users, the main thing is to not share passwords, not even with minor variations between sites.


Title: Re: Captcha bypass
Post by: ChipMixer on October 15, 2018, 09:16:58 PM
You can now bypass the login CAPTCHA by bookmarking the link generated for you here: https://bitcointalk.org/captcha_code.php
Thank you very much.


Title: Re: Captcha bypass
Post by: Armagh1234 on October 16, 2018, 12:20:53 AM
Doesn't that make it easier for scammers, bot accounts, farmers, etc. to shitpost constantly?
I use the "always stay logged in" option and rarely have to see the Captcha


Title: Re: Captcha bypass
Post by: S_Therapist on October 16, 2018, 04:23:32 AM
Doesn't that make it easier for scammers, bot accounts, farmers, etc. to shitpost constantly?
Bot accounts can do nothing because each and every account has its own unique link. So, it's almost impossible for bots to utilize, IMO.


Title: Re: Captcha bypass
Post by: guybrushthreepwood on October 16, 2018, 07:14:21 AM
This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

Doesn't that make it easier for scammers, bot accounts, farmers, etc. to shitpost constantly?
I use the "always stay logged in" option and rarely have to see the Captcha

Depends. I suppose it could be abused by bots and probably should be limited to Juniors like theymos mentioned in the opening post, but I'm sure the benefits outweigh the negatives. I'm sure the admins will be able to see if it's being abused or not but it's certainly a positive for us genuine users.


Title: Re: Captcha bypass
Post by: jackg on October 16, 2018, 08:37:08 PM
Doesn't that make it easier for scammers, bot accounts, farmers, etc. to shitpost constantly?
I use the "always stay logged in" option and rarely have to see the Captcha

No more than normal. If you were an enthusiastic bot programmer before, you could program your addon for Firefox or Google Chrome in order to make your bot post.
Alternatively, there are programming languages that can control browsers that you can use which will probably still be used now for bots to post, there is a limit on newbies of 360 seconds, is this not enough to try to stop the spambiestm? spamies is copyright Jet Cash


Title: Re: Captcha bypass
Post by: Quickseller on October 16, 2018, 09:58:26 PM
It sounds like this means that for all intents and purposes, you will only need to use a captcha once, when you create your account, provided you save the bypass link and can access it when you login.

This is probably a step forward for tor users, although CF sometimes otherwise makes using tor difficult. It would probably be helpful (and marginally profitable) to sell unique .onion addresses intended for individual users that can be used to access the forum via tor. Privacy would only be impacted marginally, although depending on how much information you think CF collects, it may help privacy.


Title: Re: Captcha bypass
Post by: theymos on October 16, 2018, 11:21:17 PM
This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.


Title: Re: Captcha bypass
Post by: jackg on October 17, 2018, 11:13:01 AM
This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.

When I used to use it, generally refreshing one's identity did the trick if you can't get through on the first few attempts and you're using Tor.


Title: Re: Captcha bypass
Post by: guybrushthreepwood on October 17, 2018, 12:00:19 PM
This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.

I've only run into the error that one time so far so it's probably fine.

update - Just happened again, but only took me three goes at the captcha so not really an issue.

This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.

When I used to use it, generally refreshing one's identity did the trick if you can't get through on the first few attempts and you're using Tor.

But you still had to go through the tedious process of filling out the captcha ten times just to find out you've been blocked. The bypass link is probably enough for now and I'm thankful for it.


Title: Re: Captcha bypass
Post by: jackg on October 17, 2018, 08:00:24 PM
This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.

I've only run into the error that one time so far so it's probably fine.

update - Just happened again, but only took me three goes at the captcha so not really an issue.

This was previously working a treat, but today on logging in I immediately got a Cloudflare page and captcha that took about 5 attempts then didn't allow me through. Managed on the second time, however.

It doesn't bypass the Cloudflare captcha, only the forum's own captcha. Whether you get a CF captcha depends on whether / how much the forum is currently being attacked and CF's idea of your IP's reputation.

There are some possible ways that I could allow bypassing the CF captcha, but they're all troublesome in various ways. Maybe I'll look into it if there are a lot of complaints about CF's captcha.

When I used to use it, generally refreshing one's identity did the trick if you can't get through on the first few attempts and you're using Tor.

But you still had to go through the tedious process of filling out the captcha ten times just to find out you've been blocked. The bypass link is probably enough for now and I'm thankful for it.

I usually try limiting it to three and then just using the shortcut for a new circuit after that...
seemed to work well for me.


Title: Re: Captcha bypass
Post by: Marvell1 on November 11, 2018, 10:19:59 AM
Such a wonderful improvement! Last time I was active I just didn't want to get in because of such annoying captcha.


Title: Re: Captcha bypass
Post by: H8bussesNbicycles on November 13, 2018, 08:03:50 PM
I FINALLY BEAT GOOGLE!!!

You can register if you try a bajillion times. It does eventually let you in after an hour of training the self driving cars/skynet killbots.

I expected to be hit by an evil fee but there was no mention of it. Is that still a thing or did I get lucky and happen to be on a rare IP?

Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?


Title: Re: Captcha bypass
Post by: Quickseller on November 15, 2018, 02:15:35 AM
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts.


Title: Re: Captcha bypass
Post by: H8bussesNbicycles on November 15, 2018, 04:35:34 AM
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts.

OH DAMN

For all other accounts it gives "invalid code" with incorrect password.
For the correct account it gives "invalid password" with incorrect password.
It lets you try as fast as you can too.

It would be easy to brute force if you had a list of suspects, even the list of active accounts isn't that many if you use a bot.

Bug?


Title: Re: Captcha bypass
Post by: Quickseller on November 15, 2018, 05:38:36 AM
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts.

OH DAMN

For all other accounts it gives "invalid code" with incorrect password.
For the correct account it gives "invalid password" with incorrect password.
It lets you try as fast as you can too.

It would be easy to brute force if you had a list of suspects, even the list of active accounts isn't that many if you use a bot.

Bug?
You could argue this is a bug. Like I said before, I don't think theymos would allow a large number of attempts before he would take action on the code/link being used.

Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.


Title: Re: Captcha bypass
Post by: LoyceV on November 15, 2018, 07:01:44 AM
Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.
Shouldn't that be implemented for incorrect passwords too? If you fail more than 10 times, you should get a captcha again. That also stops any brute-force attack in case your unique link is leaked:
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:


Title: Re: Captcha bypass
Post by: Quickseller on December 08, 2018, 10:51:32 PM
Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.
Shouldn't that be implemented for incorrect passwords too? If you fail more than 10 times, you should get a captcha again. That also stops any brute-force attack in case your unique link is leaked:
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
Perhaps, however if you keep the link secret, this will not be an issue.

My login code (that I have since reset) is 893f4e9d4e171dc97db6 -- If someone were to know that someone uses this code, they could attempt to login using every username until they don't get an error message anymore, then bruteforce my password.

Another solution might be to only give the error message for the first xxx consecutive attempts to login to an account not associated with the code but keep the code active. This would prevent an attacker forcing someone to use the captcha while reducing the risk that an attacker could use a captcha bypass code to first bruteforce which account it is associated with and then bruteforce the PW
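
The login behaviour reported in the posts above (different replies for "invalid code" and "invalid password", with unlimited attempts) and the mitigations suggested for it, as an added Python sketch that is not part of any post and is not the forum's code. The class, its method names, the PBKDF2 parameters and the threshold of 10 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 10                  # assumed threshold; the thread suggests about ten
GENERIC_ERROR = "Login failed."    # one reply for a wrong code AND a wrong password
CAPTCHA_REQUIRED = "Please solve the CAPTCHA."


class BypassLogin:
    """Hypothetical in-memory login backend with per-account bypass codes."""

    def __init__(self):
        self.users = {}     # username -> (salt, password_hash, bypass_code)
        self.failures = {}  # presented code -> consecutive failed logins
        # Decoy record so unknown usernames cost the same work as real ones.
        salt = secrets.token_bytes(16)
        self.decoy = (salt, self.hash_pw(secrets.token_hex(16), salt),
                      secrets.token_hex(10))

    @staticmethod
    def hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        code = secrets.token_hex(10)  # 20 hex characters
        self.users[username] = (salt, self.hash_pw(password, salt), code)
        return code

    def login(self, username, password, code=None, captcha_solved=False):
        """Return (success, message)."""
        # The code replaces the CAPTCHA only while its failure streak is short.
        throttled = (code is not None
                     and self.failures.get(code, 0) >= MAX_FAILURES)
        if not captcha_solved and (code is None or throttled):
            return False, CAPTCHA_REQUIRED

        salt, pw_hash, real_code = self.users.get(username, self.decoy)
        pw_ok = hmac.compare_digest(self.hash_pw(password, salt), pw_hash)
        code_ok = captcha_solved or hmac.compare_digest(
            code.encode(), real_code.encode())
        if pw_ok and code_ok and username in self.users:
            self.failures.pop(real_code, None)  # a success resets the streak
            return True, "Welcome back."

        # Every failure counts against the code that was presented, whether
        # the code or the password was wrong, so cycling usernames with a
        # leaked code is throttled exactly like guessing passwords.
        # (A real service would also bound the size of this table.)
        if code is not None:
            self.failures[code] = self.failures.get(code, 0) + 1
        return False, GENERIC_ERROR


def demo():
    """Leaked code tried against its owner and against another account."""
    site = BypassLogin()
    alice_code = site.register("alice", "constructed-passphrase-a")
    site.register("bob", "constructed-passphrase-b")
    owner = site.login("alice", "guess", code=alice_code)
    stranger = site.login("bob", "guess", code=alice_code)
    return owner, stranger  # identical replies: no account oracle


if __name__ == "__main__":
    print(demo())
```

The code stays valid after throttling: its owner solves one CAPTCHA, logs in, and the streak resets, so a holder of a leaked code can cost the owner a CAPTCHA but cannot lock the account or retire the code.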


Title: Re: Captcha bypass
Post by: AhmadM on February 23, 2019, 01:05:53 PM
Bump

I know maybe it's not the newest update on bitcointalk, but I just read it recently. Thanks to @LoyceV for bumping this topic [GUIDES] on Bitcointalk. Index thread (https://bitcointalk.org/index.php?topic=4928968.0), because of that I could find it.

It is very useful for me, I don't need to deal with captcha 3-10 times in a day anymore. Thanks @theymos

And from my sight, it doesn't have high traffic views. So I translated it to my native language with my comprehension to share it on my local board. I'll be glad if you want to visit on my thread here (https://bitcointalk.org/index.php?topic=5113449.msg49881301#msg49881301)


Title: Re: Captcha bypass
Post by: LoyceV on February 23, 2019, 03:13:56 PM
It is very useful for me, I don't need to deal with captcha 3-10 times in a day anymore. Thanks @theymos
I guess you didn't see this:
http://i64.tinypic.com/f9iftd.gif


Title: Re: Captcha bypass
Post by: UserU on February 23, 2019, 03:57:15 PM
I guess you didn't see this:
http://i64.tinypic.com/f9iftd.gif

I tested it, and it showed "You have to login first".

Maybe theymos could just add SolveMedia to alleviate the whole thingy.


Title: Re: Captcha bypass
Post by: AhmadM on February 23, 2019, 05:00:15 PM
I guess you didn't see this:

Yeah, I didn't see it. I also tried it by myself as @UserU did and it showed the same message as him. We have to log in first to get the captcha code.


Title: Re: Captcha bypass
Post by: OgNasty on February 23, 2019, 06:42:55 PM
Personally, I think more should be done to make TOR users have to jump through hoops to access the forum, not the other way around.  This is probably outstanding news to those who use alt accounts regularly though.


Title: Re: Captcha bypass
Post by: Quickseller on February 23, 2019, 10:25:58 PM
Personally, I think more should be done to make TOR users have to jump through hoops to access the forum, not the other way around.  This is probably outstanding news to those who use alt accounts regularly though.
The administration does not do anything about alt accounts, even those of scammers well over 99% of the time, and does not even put much effort into finding alt accounts of banned users.

Also, it is possible (https://bitcointalk.org/index.php?topic=1011340.msg11006090#msg11006090) to find alt accounts that are all using TOR, even if they are taking a lot of precautions against detection.


Title: Re: Captcha bypass
Post by: YOSHIE on February 24, 2019, 01:35:43 AM
Yes, Essentially CAPTCHA can prevent spam from robots, but sometimes it sucks the user himself, especially for the blind this is a pity. CAPTCHA is hard to read.


On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @theymos for this.


Title: Re: Captcha bypass
Post by: UserU on February 24, 2019, 06:25:52 AM
Yes, Essentially CAPTCHA can prevent spam from robots, but sometimes it sucks the user himself, especially for the blind this is a pity. CAPTCHA is hard to read.


On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @theymos for this.

CAPTCHAs generally have a tolerance towards mini typos. So even if you entered "noclick" or "nodick", it'd still let you pass thru


Title: Re: Captcha bypass
Post by: gmaxwell on January 16, 2020, 03:25:19 PM
I just discovered this captcha bypass and it 90% answers what I wanted... but since it's not 100%:

Is there a reason that the site couldn't use an old login cookie to let you bypass the captcha for the same account only and get up to one wrong password?

This way a user that enters their password successfully doesn't ever need to captcha again after the initial sign-up.  There would also be no risk of losing control of the cookie, since it will only allow one unsuccessful captcha-free login per successful login to the same account.

[I find the captcha a nuisance because I have to temporarily disable third party script blocking, plus I sometimes fail to be human enough for it...]
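
The cookie scheme proposed in the post above, sketched in Python as an added example; it is not gmaxwell's or the forum's code. The class, the server-side token table and `demo_check` (a constructed stand-in for the site's real password check) are assumptions.

```python
import hmac
import secrets

FREE_FAILURES = 1  # "up to one wrong password" per successful login


class CookieBypass:
    """Hypothetical server-side state for a CAPTCHA-free login allowance."""

    def __init__(self, check_password):
        self.check_password = check_password  # callable(username, password)
        self.tokens = {}  # cookie token -> {"user": str, "left": int}

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": username, "left": FREE_FAILURES}
        return token

    def login(self, username, password, cookie=None, captcha_solved=False):
        """Return (status, new_cookie_or_None)."""
        entry = self.tokens.get(cookie) if cookie else None
        owns = entry is not None and entry["user"] == username
        free = owns and entry["left"] > 0
        # No cookie, a cookie for another account, or a spent allowance all
        # fall back to the CAPTCHA. The reply therefore shows whether a cookie
        # belongs to the named account, as an ordinary session cookie would.
        if not (captcha_solved or free):
            return "captcha_required", None

        if self.check_password(username, password):
            if owns:
                del self.tokens[cookie]       # rotate the token on success
            return "ok", self.issue(username)  # fresh allowance

        if free and not captcha_solved:
            entry["left"] -= 1                 # the one free miss is now spent
        return "bad_password", None


def demo_check(username, password):
    # Constructed stand-in; a real site would verify a salted password hash.
    stored = {"alice": b"constructed-passphrase"}
    return hmac.compare_digest(password.encode(), stored.get(username, b""))


def demo():
    site = CookieBypass(demo_check)
    _, cookie = site.login("alice", "constructed-passphrase", captcha_solved=True)
    first = site.login("alice", "typo", cookie=cookie)[0]
    second = site.login("alice", "typo2", cookie=cookie)[0]
    return first, second  # one free miss, then the CAPTCHA returns


if __name__ == "__main__":
    print(demo())
```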


Title: Re: Captcha bypass
Post by: LoyceV on January 16, 2020, 04:48:23 PM
Is there a reason that the site couldn't use an old login cookie to let you bypass the captcha for the same account only and get up to one wrong password?
I can't answer this question, but with the right cookie set, I never have to login, thus never see the captcha. This even works on Tor, as long as you allow cookies.
So I assume the captcha bypass is mainly for Tor users who don't want to use cookies, although I use it (without Tor) when I use LoyceMobile in a private browser (I don't logout LoyceV).


Title: Re: Captcha bypass
Post by: PrimeNumber7 on January 16, 2020, 05:03:27 PM
When I created an account to use for testing automated scripts, I used the following procedure:
-Create account*
-login first time*
-obtain captcha bypass link
-logout
-login all subsequent times using bypass link

The steps with a * above require solving a captcha, so you need to solve one twice and never need to solve one after the second one.


Title: Re: Captcha bypass
Post by: tranthidung on January 17, 2020, 01:59:39 AM
I have a guide video on this, not too good in quality but it might help for newbies, who are not familiar with the forum structure and its operations.
https://www.youtube.com/watch?v=k0kBvOXizhg&feature=youtu.be

The most important thing when one uses a captcha bypass code is to keep the code secret and secure it as best as possible. Losing the code will result in risks of account hack. If one unintentionally discloses the captcha code, use the reset to get a new one and change the password to a new one.