Bitcoin Forum
Author Topic: Login captcha  (Read 2092 times)
theymos (OP)
Administrator, Legendary
Activity: 5194, Merit: 12972
August 13, 2017, 06:52:19 PM  #1

Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (ie. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
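The opening post describes the pattern that defeats a per-IP rate limit: guesses spread over thousands of addresses so that no single address ever trips the limit. The code below is an added example (not forum or SMF code) of how a login endpoint can detect that campaign by counting failures per target account and globally as well as per IP, and switch the login path into "captcha required" mode. The window size, the thresholds and the constructed 10.x.x.x attacker addresses are assumptions for the demonstration.

```python
"""Detecting a distributed password-guessing campaign at a login endpoint.

Added example, not bitcointalk or SMF code. The thresholds, window size and
10.x.x.x attacker addresses below are constructed for the demonstration.
"""
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window failure counters keyed by source IP, by target account
    and globally. A per-IP counter alone is what a botnet evades; the other
    two are what catch it."""

    def __init__(self, window=600, ip_limit=10, account_limit=20,
                 global_limit=500):
        self.window = window                  # seconds (assumed)
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.global_limit = global_limit
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)
        self._global = deque()

    def _count(self, dq, now):
        """Drop timestamps older than the window, return what remains."""
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def record_failure(self, ip, account, now):
        for dq in (self._by_ip[ip], self._by_account[account], self._global):
            dq.append(now)

    def ip_blocked(self, ip, now):
        """The classic per-IP limit on its own."""
        return self._count(self._by_ip[ip], now) >= self.ip_limit

    def captcha_required(self, ip, account, now):
        """Demand a captcha when any window is hot, not only the IP one.
        Once the global window trips, every login (honest users from fresh
        addresses included) gets the captcha, which is the trade-off the
        forum accepted."""
        return (self.ip_blocked(ip, now)
                or self._count(self._by_account[account], now) >= self.account_limit
                or self._count(self._global, now) >= self.global_limit)


def simulate_attack(guard, n_ips, attempts_per_ip, account="victim"):
    """Spray wrong passwords at one account from n_ips addresses.

    Returns (attempts refused by the per-IP limit,
             whether a fresh address now needs a captcha for that account).
    """
    now = 0.0
    refused = 0
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed
        for _ in range(attempts_per_ip):
            now += 0.01
            if guard.ip_blocked(ip, now):
                refused += 1          # attacker sees a 429 and moves on
                continue
            guard.record_failure(ip, account, now)   # wrong password
    return refused, guard.captcha_required("192.0.2.1", account, now)


if __name__ == "__main__":
    # One address hammering: the per-IP limit alone contains it, and a
    # fresh address logging into the same account needs no captcha.
    print(simulate_attack(LoginGuard(), n_ips=1, attempts_per_ip=50))
    # 5000 addresses, one guess each: the per-IP limit never fires, but
    # the account and global windows do and the captcha switches on.
    print(simulate_attack(LoginGuard(), n_ips=5000, attempts_per_ip=1))
```

The per-account window is what protects a single target; the global window is what notices a campaign spread thinly across many accounts and many addresses, at the cost of putting the captcha in front of everyone while it is hot.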
botany
Legendary
Activity: 1582, Merit: 1064
August 13, 2017, 08:35:43 PM  #2

Quote from: theymos
Recently someone has taken to using 5000+ IPs to bypass rate-limits and try many passwords. Therefore, it is now required to solve a captcha when logging in. JavaScript is required for this. I know that several forum users like to use NoScript, but I am not aware of any high-quality (ie. not OCR-able) captcha services/libraries which don't require JavaScript. You can maybe enable JS just for the login page, and then disable it again afterward.

There are a few people who use automated bots which need to login. Contact me with a description of your bot, and if it seems reasonable, I will give you a key which will allow you to bypass the captcha.

Let me know if you see any bugs.

I was wondering why there was a change.
This captcha is irritating (sometimes you have to click on multiple screens), but it does seem to be necessary. You wouldn't want to take risks given the number of hackings there have been.
tcsh
Newbie
Activity: 6, Merit: 0
August 13, 2017, 09:02:23 PM (last edit: August 13, 2017, 09:12:29 PM by tcsh)  #3

Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the IPs also?
I mean, who forgets their password and tries more than 3-4 times to log in? After 3-4 times they'd use the forgotten password, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo for example does that after 12 attempts, locks the account for 12 hrs. Facebook and Gmail have something similar.
Point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually log in.

Dunno, seems like it would be a lot of trouble as opposed to the captcha challenge.
minifrij
Legendary
Activity: 2324, Merit: 1267
In Memory of Zepher
August 13, 2017, 09:07:32 PM  #4

Quote from: tcsh
Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the ip's also?
This solution is impossible to implement without making regular users' lives difficult.

Let's say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect via proxy services.
theymos (OP)
Administrator, Legendary
Activity: 5194, Merit: 12972
August 13, 2017, 09:14:35 PM  #5

Quote from: minifrij
Let's say we lock an account after too many wrong password attempts, what would stop me from spamming someone's account with incorrect login attempts to get them locked out? If it were only locked for the current IP, that would be near enough useless as those looking to abuse it could just connect via proxy services.

Exactly, locking an account due to incorrect password attempts is insecure unless you already have some sort of partial authentication (eg. half of 2-factor authentication).

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
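The exchange above (tcsh's lockout proposal, minifrij's objection that anyone who knows a username can lock its owner out, and theymos's reply that lockout is only safe behind partial authentication) in working code, as an added example that is not part of the original posts. The SHA-256 password hash, the fixed second-factor code and the threshold of five are constructed for the demonstration; a real deployment would use a slow salted hash and an RFC 6238 TOTP verifier.

```python
"""Hard account lockout as a denial-of-service primitive, and the variant
that only counts failures once a first factor has already been verified.

Added example, not forum or SMF code. Credentials below are constructed.
"""
import hashlib
import hmac

LOCK_AFTER = 5          # assumed threshold


def _hash(password):
    # Demo only: use a slow, salted hash (argon2/bcrypt/scrypt) in practice.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, password, totp_code):
        self.pw_hash = _hash(password)
        self.totp_code = totp_code      # fixed code standing in for a TOTP verifier
        self.failures = 0
        self.locked = False

    def password_ok(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password))

    def code_ok(self, code):
        return hmac.compare_digest(self.totp_code, code)

    def count_failure(self):
        self.failures += 1
        if self.failures >= LOCK_AFTER:
            self.locked = True


def login_naive_lockout(acct, password, code):
    """Every wrong attempt counts. Anyone who knows the username can send
    LOCK_AFTER garbage passwords and lock the owner out."""
    if acct.locked:
        return "locked"
    if acct.password_ok(password) and acct.code_ok(code):
        acct.failures = 0
        return "ok"
    acct.count_failure()
    return "denied"


def login_gated_lockout(acct, password, code):
    """Only second-factor failures after a correct password advance the
    counter. Without the password an attacker cannot move the account's
    state at all, so the lockout cannot be turned against the owner."""
    if acct.locked:
        return "locked"
    if not acct.password_ok(password):
        return "denied"                 # no state change
    if acct.code_ok(code):
        acct.failures = 0
        return "ok"
    acct.count_failure()                # password known, code guessed: worth locking on
    return "denied"


def owner_after_attack(login, attacker_has_password=False):
    """Run LOCK_AFTER attacker attempts, then the real owner's login."""
    acct = Account("correct horse battery", "492817")
    guess = "correct horse battery" if attacker_has_password else "wrong"
    for _ in range(LOCK_AFTER):
        login(acct, guess, "000000")
    return login(acct, "correct horse battery", "492817")


if __name__ == "__main__":
    print("naive, attacker without password:", owner_after_attack(login_naive_lockout))
    print("gated, attacker without password:", owner_after_attack(login_gated_lockout))
    print("gated, attacker with stolen password:",
          owner_after_attack(login_gated_lockout, attacker_has_password=True))
```

The gated variant removes the lockout-as-DoS problem but does nothing against password guessing itself, which is why a rate limit or captcha still has to sit in front of the password check; it also locks, correctly, when someone who already has the password starts guessing the second factor.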
tcsh
Newbie
Activity: 6, Merit: 0
August 13, 2017, 11:43:42 PM (last edit: August 14, 2017, 12:08:14 AM by tcsh)  #6

Was just a thought, it would obviously need some thinking.

Anyway, there's a potential bug, or rather.. an oversight.

If I click on the login button located in the top left corner it takes me to: https://bitcointalk.org/index.php?action=login
This is fine (obviously) and the login form there displays the captcha.

If you take any action and you're not logged in (for whatever reason) it shows up as this, with no captcha loading:

https://s23.postimg.org/qh9hk7w9n/captcha.png

Example: having a bookmark with https://bitcointalk.org/index.php?action= (any action, example: pm reply, thread reply, etc) or using a custom PM notification app and needing to quickly reply or so forth.

It correctly tells me to login but it doesn't display the captcha there, hence I can't login using that form, I have to click again on the top left button so it takes me to the original login form, located at https://bitcointalk.org/index.php?action=login

I'm not using an ad blocker or NoScript, tried it in multiple browsers, captcha doesn't load in any of them. So I'm guessing it's on your end.

Steps to reproduce:

Make sure you're not logged in.
Have a bookmark in your browser with a link entailing an action, let's use this for example: https://bitcointalk.org/index.php?action=pm
Click the bookmark
Done.
gelius
Sr. Member
Activity: 292, Merit: 251
August 14, 2017, 01:05:10 AM  #7

Please do not use google captcha.
Use alternative.
theymos (OP)
Administrator, Legendary
Activity: 5194, Merit: 12972
August 14, 2017, 01:12:43 AM  #8

Quote from: tcsh
Anyway, there's a potential bug, or rather.. an oversight.

Fixed, thanks!

Quote from: gelius
Please do not use google captcha.
Use alternative.

Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
tcsh
Newbie
Activity: 6, Merit: 0
August 14, 2017, 01:32:22 AM  #9

Quote from: theymos
    Quote from: tcsh
    Anyway, there's a potential bug, or rather.. an oversight.
Fixed, thanks!

You're welcome!
mprep
Global Moderator, Legendary
Activity: 3766, Merit: 2610
In a world of peaches, don't ask for apple sauce
August 14, 2017, 01:56:02 AM  #10

Quote from: theymos
    Quote from: gelius
    Please do not use google captcha.
    Use alternative.
Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.
Because for anyone who (still) actively uses faucets, the new reCAPTCHA is much more difficult / time-consuming (if it's one of those "select all things until none are left") to fill in (probably due to the high volume of captchas filled on the same IP). At least that's what I've seen some users complain about. In addition, sometimes it's difficult to tell what specifically the captcha is asking you to mark (e.g. do the poles on road signs count as part of the sign?).

That aside, since it's important to stop bots from bruteforcing passwords, AFAIK the new reCAPTCHA is impossible for bots to automatically bypass (for now; though if anyone is going to break Google's new captcha, it's probably going to be them - hell, that's why they created this new one). Gonna be a bit of a pain in the ass creating user based Bitcointalk bots / libraries though (not exactly a fan of manually requesting keys for each bot but I guess I've got no choice until this gets resolved (fingers crossed for the new forum software modular API access)).


Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):


tcsh
Newbie
Activity: 6, Merit: 0
August 14, 2017, 02:23:06 AM  #11

Yup, numerous reasons recaptcha is bad in the long term.
While it's a great solution to stop bots in their tracks, especially brute force ones, I feel as if in the long run it creates more potential problems.
That said, nothing wrong with using it till a more convenient solution can be implemented.

There's a reason big services (Yahoo, Gmail, Facebook and so forth) don't use it, at least when it comes to the login.
Quickseller
Copper Member, Legendary
Activity: 2870, Merit: 2298
August 14, 2017, 05:22:08 AM  #12

I am not sure how difficult to implement this via SMF would be, however would it be possible to have users attempt to login on /login.php then on a /login2.php page would check if the account attempting to be logged into meet a certain criteria, and if so a captcha would be presented before the username/password combination would be checked against the forum DB. For example, an account that has had zero failed login attempts and has had its password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.
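Two points from this thread fit one worked example: tcsh's report (post #6) that the "login required" form reached via an action URL did not render the captcha, which is only a usability bug rather than a bypass if the handler, not the form, enforces the captcha; and Quickseller's proposal above that a second step decide from account state whether to demand the captcha before the password is even checked. The code below is an added example, not SMF or forum code. The cutoff timestamp, the thresholds, the stand-in captcha verifier and the HMAC-based bypass key handed to approved bots are all assumptions.

```python
"""Risk-gated login handler that enforces the captcha decision server-side.

Added example, not SMF or bitcointalk code. HACK_DATE, the thresholds, the
stand-in captcha verifier and the bot-key scheme are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

HACK_DATE = 1_431_000_000            # assumed epoch cutoff, illustrative only
FAILED_WINDOW = 24 * 3600            # seconds
FAILED_LIMIT = 3
DORMANT_AFTER = 90 * 24 * 3600
BOT_KEY_SECRET = b"demo-secret-kept-on-the-server"


def _hash(password):
    # Demo only: use argon2/bcrypt/scrypt in practice.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountState:
    name: str
    pw_hash: str
    pw_changed_at: int
    last_seen_at: int
    recent_failures: list = field(default_factory=list)   # epoch timestamps


def captcha_required(acct, now):
    """Quickseller's criteria: recent failed attempts, a dormant account,
    or a password not changed since the cutoff."""
    recent = [t for t in acct.recent_failures if now - t <= FAILED_WINDOW]
    return (len(recent) >= FAILED_LIMIT
            or now - acct.last_seen_at > DORMANT_AFTER
            or acct.pw_changed_at <= HACK_DATE)


def issue_bot_key(bot_name):
    """Key handed to an approved bot operator, bound to the bot's name."""
    return hmac.new(BOT_KEY_SECRET, bot_name.encode(), hashlib.sha256).hexdigest()


def bot_key_ok(bot_name, key):
    return hmac.compare_digest(issue_bot_key(bot_name), key)


def captcha_token_ok(token):
    """Stand-in for the server-to-server check of a captcha response.
    A real deployment posts the token to the provider's verify endpoint."""
    return token == "solved"            # constructed


def login2(acct, password, form, now):
    """Everything that matters happens here, whichever HTML form posted
    the request: a form that forgets to render the widget yields
    'captcha_required' instead of a captcha-free path."""
    if captcha_required(acct, now):
        bot = form.get("bot_name")
        if bot and bot_key_ok(bot, form.get("bot_key", "")):
            pass                         # approved bot, captcha waived
        elif not captcha_token_ok(form.get("captcha", "")):
            return "captcha_required"    # password not even checked yet
    if not hmac.compare_digest(acct.pw_hash, _hash(password)):
        acct.recent_failures.append(now)
        return "denied"
    acct.last_seen_at = now
    return "ok"


def demo_accounts(now):
    """Constructed accounts: one healthy, one whose password predates HACK_DATE."""
    fresh = AccountState("alice", _hash("hunter2"), now - 86400, now - 3600)
    stale = AccountState("bob", _hash("hunter2"), HACK_DATE - 1, now - 3600)
    return fresh, stale


if __name__ == "__main__":
    now = 1_502_600_000                  # constructed "current time"
    fresh, stale = demo_accounts(now)
    print("healthy account, no widget:", login2(fresh, "hunter2", {}, now))
    print("stale password, no widget:", login2(stale, "hunter2", {}, now))
    print("stale password, solved:", login2(stale, "hunter2", {"captcha": "solved"}, now))
    key = issue_bot_key("pm-notifier")
    print("approved bot:", login2(stale, "hunter2",
                                  {"bot_name": "pm-notifier", "bot_key": key}, now))
```

Because the decision and its enforcement both live in the handler, the order Quickseller asks for holds (captcha before the password is compared), and a bot key is just a second way to satisfy that gate rather than a separate login path.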
Foxpup
Legendary
Activity: 4354, Merit: 3042
Vile Vixen and Miss Bitcointalk 2021-2023
August 14, 2017, 11:23:08 AM  #13

test

(I kept getting an "Incorrect recaptcha." error when I tried to log in, but it seems I can log in successfully by trying to reply to a thread... not sure what happened there.)

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
BillyBobZorton
Legendary
Activity: 1204, Merit: 1028
August 14, 2017, 11:29:30 AM  #14

Quote from: theymos
    Quote from: tcsh
    Anyway, there's a potential bug, or rather.. an oversight.
Fixed, thanks!
    Quote from: gelius
    Please do not use google captcha.
    Use alternative.
Why? Recaptcha is a bit difficult, though effective. And they don't ban Tor or anything like that.

The problem is Tor likes to switch IP randomly, sometimes it happens while you are trying to solve the captcha. The captcha images are so slow to load sometimes (they fade in from white) so sometimes you run out of time. Also it's pretty hard, I had to try several times because I was getting "incorrect recaptcha".

I like to use noscript and a proxy here for obvious reasons: bitcoins and scammers don't mix well, so you want to take measures against it.
|Admiral|
Sr. Member
Activity: 448, Merit: 258
August 14, 2017, 01:20:23 PM  #15

Sorry Mr Theymos but I don't like this feature, it keeps annoying me as the images keep changing.. first it says to select all street signs, then select vehicles... then tells me to select a store in front of a building.. and lastly it says there was some problem with the captcha..
Cøbra
Bitcoin.org domain administrator
Full Member
Activity: 123, Merit: 470
August 14, 2017, 01:27:14 PM  #16

Hope this will only be a temporary thing. The captcha is pretty annoying.
marlboroza
Legendary
Activity: 1932, Merit: 2270
August 14, 2017, 01:53:22 PM  #17

Whoever is having problems with the captcha (too many NEXT-SKIP buttons, too many street numbers (stores, vehicles, roads, aliens) to click, failed to verify etc etc), the simplest solution is to delete Google cookies. Tested a long time ago and it is working.
Coin-Keeper
Hero Member
Activity: 758, Merit: 606
August 14, 2017, 09:51:42 PM  #18

Theymos,

May I suggest locking this thread at the top here temporarily? I participated in a couple of other threads before I realized you already addressed this publicly. Sorry for that. I am not a Mod here so I can't sticky this.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
theymos (OP)
Administrator, Legendary
Activity: 5194, Merit: 12972
August 15, 2017, 01:07:29 AM  #19

Quote from: mprep
Here's an example of the "select all things until none are left" captcha slowdown (that I've encountered personally as well):

I've seen that happen before (rarely) on Tor, but a small delay isn't very bothersome, and I've always been able to fix the really bad delays by refreshing the page or getting a new Tor identity.

Elsewhere, someone suggested Solvemedia, but I think that all captchas based on reading text are actually easier for high-quality OCR to solve than for humans. The photo-based ones give computers a major disadvantage over humans. I don't care very much if people use services like 9kw.eu to solve the captchas, since that at least has a cost, but if a captcha can be OCRed, then they have no cost at all, making them completely useless.

If someone has other suggestions for good captcha services/libraries, let me know. I don't really like using Google products, since Google's whole business model is spying on people. Though as I mentioned, I don't have much faith in captchas based on reading mangled text.

Quote from: Quickseller
I am not sure how difficult to implement this via SMF would be, however would it be possible to have users attempt to login on /login.php then on a /login2.php page would check if the account attempting to be logged into meet a certain criteria

I thought about that, but it'd be a bit difficult to implement, and I'm not sure how much value it'd really provide. Even if a captcha isn't required in 99% of logins, the 1% of logins where it is required is going to screw up bots, etc.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
sumangs
Full Member
Activity: 644, Merit: 101
August 16, 2017, 03:12:48 AM  #20

It is a good idea to put login captcha when logging in. Spambots could possibly enter your password by chance using combinations. Since spambots could not pass captchas, there will be a stronger security in this forum. Also, it is a good idea to put captchas before posting to prevent spamming post possibly created by an upgraded version of a spambot. Users using spambot could be terminated if captchas are implemented in this forum.