Bitcoin Forum
Topic: Login captcha  (Read 1889 times)
theymos (Administrator, Legendary; Activity: 2870)
August 13, 2017, 06:52:19 PM  #1

Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
botany (Legendary; Activity: 1274)
August 13, 2017, 08:35:43 PM  #2

Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (i.e. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

I was wondering why there was a change.
This captcha is irritating (sometimes you have to click on multiple screens), but it does seem to be necessary. You wouldn't want to take risks given the number of hackings there have been.
tcsh (Newbie; Activity: 5)
August 13, 2017, 09:02:23 PM  #3

Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the IPs also?
I mean, who forgets their password and tries more than 3-4 times to log in? After 3-4 times they'd use the forgotten password, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo, for example, does that after 12 attempts: locks the account for 12 hrs. Facebook and Gmail have something similar.
Point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually log in.

Dunno, seems like it would be a lot of trouble as opposed to the captcha challenge.
minifrij (Legendary; Activity: 1526)
August 13, 2017, 09:07:32 PM  #4

Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the IPs also?
This solution is impossible to implement without making regular users' lives difficult.

Let's say we lock an account after too many wrong password attempts; what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless, as those looking to abuse it could just connect via proxy services.


theymos (Administrator, Legendary; Activity: 2870)
August 13, 2017, 09:14:35 PM  #5

Let's say we lock an account after too many wrong password attempts; what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless, as those looking to abuse it could just connect via proxy services.

Exactly, locking an account due to incorrect password attempts is insecure unless you already have some sort of partial authentication (e.g. half of 2-factor authentication).

tcsh (Newbie; Activity: 5)
August 13, 2017, 11:43:42 PM  #6

Was just a thought; it would obviously need some thinking.

Anyway, there's a potential bug, or rather.. an oversight.

If I click on the login button located in the top left corner it takes me to: https://bitcointalk.org/index.php?action=login
This is fine (obviously) and the login form there displays the captcha.

If you take any action and you're not logged in (for whatever reason) it shows up as this, with no captcha loading:

https://s23.postimg.org/qh9hk7w9n/captcha.png

Example: having a bookmark with https://bitcointalk.org/index.php?action= (any action, example: pm reply, thread reply, etc) or using a custom PM notification app and needing to quickly reply or so forth.

It correctly tells me to log in, but it doesn't display the captcha there, hence I can't log in using that form; I have to click again on the top-left button so it takes me to the original login form, located at https://bitcointalk.org/index.php?action=login

I'm not using an ad blocker or NoScript; tried it in multiple browsers, and the captcha doesn't load in any of them. So I'm guessing it's on your end.

Steps to reproduce:

Make sure you're not logged in.
Have a bookmark in your browser with a link entailing an action, let's use this for example: https://bitcointalk.org/index.php?action=pm
Click the bookmark
Done.
gelius (Full Member; Activity: 223)
August 14, 2017, 01:05:10 AM  #7

Please do not use google captcha.
Use alternative.
theymos (Administrator, Legendary; Activity: 2870)
August 14, 2017, 01:12:43 AM  #8

Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

tcsh (Newbie; Activity: 5)
August 14, 2017, 01:32:22 AM  #9

Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

You're welcome!
mprep (Diamond Member, Global Moderator, Legendary; Activity: 1722)
August 14, 2017, 01:56:02 AM  #10

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
Because for anyone who (still) actively uses faucets, the new reCAPTCHA is much more difficult / time-consuming (if it's one of those "select all things until none are left") to fill in (probably due to the high volume of captchas filled in on the same IP). At least that's what I've seen some users complain about. In addition, sometimes it's difficult to tell what specifically the captcha is asking you to mark (e.g. do the poles on road signs count as part of the sign?).

That aside, since it's important to stop bots from bruteforcing passwords, AFAIK the new reCAPTCHA is impossible for bots to automatically bypass (for now; though if anyone is going to break Google's new captcha, it's probably going to be them - hell, that's why they created this new one). Gonna be a bit of a pain in the ass creating user-based Bitcointalk bots / libraries though (not exactly a fan of manually requesting keys for each bot, but I guess I've got no choice until this gets resolved (fingers crossed for the new forum software's modular API access)).


Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):



tcsh (Newbie; Activity: 5)
August 14, 2017, 02:23:06 AM  #11

Yup, numerous reasons recaptcha is bad in the long term.
While it's a great solution to stop bots in their tracks, especially brute force ones, I feel as if in the long run it creates more potential problems.
That said, nothing wrong with using it till a more convenient solution can be implemented.

There's a reason big services (Yahoo, Gmail, Facebook and so forth) don't use it, at least when it comes to the login.
Quickseller (Copper Member, Legendary; Activity: 1260)
August 14, 2017, 05:22:08 AM  #12

I am not sure how difficult it would be to implement this via SMF; however, would it be possible to have users attempt to login on /login.php, then a /login2.php page would check if the account attempting to be logged into meets certain criteria, and if so a captcha would be presented before the username/password combination would be checked against the forum DB. For example, an account that has had zero failed login attempts and has had its password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.
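The two policies the thread weighs, written out as an added example that is not code from bitcointalk or SMF: the hard per-account lockout tcsh suggested (which minifrij's reply shows lets anyone with a username lock its owner out) beside the risk-gated check Quickseller describes, where the captcha decision is taken per account before the password is tested at all. Everything in it is constructed: the thresholds, the `HACK_DATE` placeholder standing in for "the date of the forum hack", the two accounts and the attacker's guesses.

```python
# Added example (not bitcointalk/SMF code): a risk-gated login captcha beside the naive
# per-account lockout. Thresholds, accounts and HACK_DATE are constructed placeholders;
# a real service would use bcrypt/argon2 and a persistent store instead of dicts.
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

FAILURE_WINDOW = 3600          # seconds over which failed attempts are counted
FAILURE_THRESHOLD = 3          # failures in that window that raise the captcha bar
INACTIVITY_LIMIT = 90 * 86400  # seconds since last login before a captcha is demanded
LOCK_DURATION = 12 * 3600      # hard lockout used by the naive policy (the "12 hrs" idea)
HACK_DATE = 1_400_000_000.0    # placeholder epoch for "the forum hack" (assumption)

@dataclass
class Account:
    name: str
    pw_hash: bytes
    password_changed_at: float
    last_login_at: float

def hash_password(pw):         # stand-in for bcrypt/argon2
    return hashlib.sha256(pw.encode()).digest()

def password_ok(acct, password):   # constant-time compare; unknown account never matches
    return acct is not None and hmac.compare_digest(hash_password(password), acct.pw_hash)

class LockoutPolicy:
    """Naive: N wrong passwords lock the account, so anyone can lock its owner out."""
    def __init__(self, accounts, now):          # now: callable returning epoch seconds
        self.accounts = {a.name: a for a in accounts}
        self.now = now
        self.failures, self.locked_until = defaultdict(int), defaultdict(float)

    def login(self, name, password):
        if self.now() < self.locked_until[name]:
            return "locked"                     # the right password is never even tested
        if not password_ok(self.accounts.get(name), password):
            self.failures[name] += 1
            if self.failures[name] >= FAILURE_THRESHOLD:
                self.locked_until[name] = self.now() + LOCK_DURATION
                self.failures[name] = 0
            return "bad_credentials"
        self.failures[name] = 0
        return "ok"

class RiskGatedPolicy:
    """Decide per account, before the password is checked, whether this login needs a
    captcha. Wrong guesses only raise the bar; nobody is locked out."""
    def __init__(self, accounts, now):
        self.accounts = {a.name: a for a in accounts}
        self.now = now
        self.failures = defaultdict(deque)      # name -> timestamps of recent failures

    def recent_failures(self, name):
        dq, cutoff = self.failures[name], self.now() - FAILURE_WINDOW
        while dq and dq[0] < cutoff:            # drop failures outside the window
            dq.popleft()
        return len(dq)

    def captcha_required(self, name):
        acct = self.accounts.get(name)
        if acct is None:
            return True                         # unknown names always get the captcha
        return (self.recent_failures(name) >= FAILURE_THRESHOLD
                or acct.password_changed_at < HACK_DATE
                or self.now() - acct.last_login_at > INACTIVITY_LIMIT)

    def login(self, name, password, captcha_solved=False):
        if self.captcha_required(name) and not captcha_solved:
            return "captcha_required"           # password not checked at all
        acct = self.accounts.get(name)
        if not password_ok(acct, password):
            self.failures[name].append(self.now())
            return "bad_credentials"
        self.failures[name].clear()
        acct.last_login_at = self.now()
        return "ok"

def run_scenario():
    """Constructed: an attacker sends wrong passwords for 'alice', then alice logs in."""
    t = [2_000_000_000.0]                       # mutable fake clock; use time.time in practice
    def now(): return t[0]
    def accounts():                             # fresh objects for each policy
        return [Account("alice", hash_password("correct horse"), t[0] - 86400, t[0] - 3600),
                Account("bob", hash_password("battery staple"), HACK_DATE - 1, t[0] - 3600)]
    naive, gated = LockoutPolicy(accounts(), now), RiskGatedPolicy(accounts(), now)
    for _ in range(FAILURE_THRESHOLD):
        naive.login("alice", "guess")
        gated.login("alice", "guess")
    out = {"naive_victim": naive.login("alice", "correct horse"),       # locked by attacker
           "gated_no_captcha": gated.login("alice", "correct horse"),   # must solve captcha
           "gated_with_captcha": gated.login("alice", "correct horse", captcha_solved=True),
           "gated_after_success": gated.captcha_required("alice"),     # bar drops again
           "bob_stale_password": gated.captcha_required("bob"),        # never reset after hack
           "unknown_user": gated.captcha_required("nobody")}
    t[0] += LOCK_DURATION + 1                   # lockout expires; window for alice is also over
    out["naive_after_lock_expires"] = naive.login("alice", "correct horse")
    return out
```

`run_scenario()` returns what each policy did: under `LockoutPolicy` the attacker's three wrong guesses leave alice "locked" even with her real password, while under `RiskGatedPolicy` she only has to solve a captcha once, after which the bar drops again. The failure window also bounds the distributed attacker from the first post: whichever of the 5000 IPs the guesses come from, each account yields at most `FAILURE_THRESHOLD` captcha-free guesses per window. One caveat a deployment should weigh: because a healthy account gets no captcha, the gate tells a probing client which usernames are in the low-risk set; on a forum where usernames are public anyway that costs little, but elsewhere the same decision should not leak across the login boundary.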

Foxpup (Legendary; Activity: 2044)
August 14, 2017, 11:23:08 AM  #13

test

(I kept getting an "Incorrect recaptcha." error when I tried to log in, but it seems I can log in successfully by trying to reply to a thread... not sure what happened there.)

Will pretend to do unverifiable things (while actually eating an enchilada-style burrito) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
BillyBobZorton (Legendary; Activity: 1036)
August 14, 2017, 11:29:30 AM  #14

Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

The problem is Tor likes to switch IPs randomly; sometimes it happens while you are trying to solve the captcha. The captcha images are so slow to load sometimes (they fade in from white), so sometimes you run out of time. Also it's pretty hard; I had to try several times because I was getting "incorrect recaptcha".

I like to use noscript and a proxy here for obvious reasons: bitcoins and scammers don't mix well, so you want to take measures against it.


|Admiral| (Full Member; Activity: 224)
August 14, 2017, 01:20:23 PM  #15

Sorry Mr Theymos, but I don't like this feature; it keeps annoying me as the images keep changing.. first it says to select all street signs, then select vehicles... then it tells me to select a store in front of a building.. and lastly it says there was some problem with the captcha.. Roll Eyes

Cøbra (Bitcoin.org domain administrator, Jr. Member; Activity: 59; Co-owner of bitcoin.org & bitcointalk.org)
August 14, 2017, 01:27:14 PM  #16

Hope this will only be a temporary thing. The captcha is pretty annoying.
marlboroza (Hero Member; Activity: 672)
August 14, 2017, 01:53:22 PM  #17

Whoever is having problems with the captcha (too many NEXT/SKIP buttons, too many street numbers (stores, vehicles, roads, aliens  Shocked) to click, failed to verify, etc. etc.): the simplest solution is to delete Google cookies. Tested a long time ago and it is working.

Coin-Keeper (Hero Member; Activity: 504)
August 14, 2017, 09:51:42 PM  #18

Theymos,

May I suggest locking this thread at the top here temporarily?   I participated in a couple of other threads B4 I realized you already addressed this publicly.  Sorry for that.  I am not a Mod here so I can't sticky this.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
theymos (Administrator, Legendary; Activity: 2870)
August 15, 2017, 01:07:29 AM  #19

Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

I've seen that happen before (rarely) on Tor, but a small delay isn't very bothersome, and I've always been able to fix the really bad delays by refreshing the page or getting a new Tor identity.

Elsewhere, someone suggested Solvemedia, but I think that all captchas based on reading text are actually easier for high-quality OCR to solve than for humans. The photo-based ones give computers a major disadvantage over humans. I don't care very much if people use services like 9kw.eu to solve the captchas, since that at least has a cost, but if a captcha can be OCRed, then they have no cost at all, making them completely useless.

If someone has other suggestions for good captcha services/libraries, let me know. I don't really like using Google products, since Google's whole business model is spying on people. Though as I mentioned, I don't have much faith in captchas based on reading mangled text.

I am not sure how difficult it would be to implement this via SMF; however, would it be possible to have users attempt to login on /login.php, then a /login2.php page would check if the account attempting to be logged into meets certain criteria

I thought about that, but it'd be a bit difficult to implement, and I'm not sure how much value it'd really provide. Even if a captcha isn't required in 99% of logins, the 1% of logins where it is required is going to screw up bots, etc.

sumangs (Full Member; Activity: 154)
August 16, 2017, 03:12:48 AM  #20

It is a good idea to put a login captcha when logging in. Spambots could possibly enter your password by chance using combinations. Since spambots could not pass captchas, there will be stronger security in this forum. Also, it is a good idea to put captchas before posting to prevent spam posts possibly created by an upgraded version of a spambot. Users using spambots could be terminated if captchas are implemented in this forum.
