jeffreyhi1 / loginsystem-rd

Automatically exported from code.google.com/p/loginsystem-rd

reCaptcha #3

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Should reCaptcha support be enabled?

If so, by default or by a globals setting?

What forms?

Original issue reported on code.google.com by rdivilb...@gmail.com on 5 Feb 2010 at 2:29

GoogleCodeExporter commented 9 years ago

Original comment by rdivilb...@gmail.com on 5 Feb 2010 at 7:58

GoogleCodeExporter commented 9 years ago
Maybe on the registration and password reset type forms. For login entry, I have seen the two part approach taken versus reCaptcha: i.e., enter user name and then on a separate screen enter password.

Original comment by b1ackKni...@gmail.com on 6 Feb 2010 at 11:57

GoogleCodeExporter commented 9 years ago
Again, I will respect group consensus. I think it is only needed for Registration.
Should we add an option to the global configuration to let the web designer decide if it is used, or hard code into registration and add as an option for login?

Original comment by rdivilb...@gmail.com on 7 Feb 2010 at 12:21

GoogleCodeExporter commented 9 years ago

Original comment by rdivilb...@gmail.com on 7 Feb 2010 at 1:07

GoogleCodeExporter commented 9 years ago

Original comment by rdivilb...@gmail.com on 7 Feb 2010 at 1:07

GoogleCodeExporter commented 9 years ago
Maybe give an option for it - one can determine their own level of security for the registration process. Agree registration is fine.

Original comment by b1ackKni...@gmail.com on 7 Feb 2010 at 1:11

GoogleCodeExporter commented 9 years ago
Thanks for looking in on these issues Kevin

Original comment by rdivilb...@gmail.com on 7 Feb 2010 at 1:24

GoogleCodeExporter commented 9 years ago

Original comment by rdivilb...@gmail.com on 8 Feb 2010 at 5:06

GoogleCodeExporter commented 9 years ago

Original comment by rdivilb...@gmail.com on 20 Apr 2010 at 6:13

GoogleCodeExporter commented 9 years ago
You could let people choose a lot of things in global settings for placing this. This will also allow the system to be much more flexible. Another option you could add with this is to place a reCaptcha on a query. Like for example with a forum, when the user has placed less than 20 posts.

Original comment by Caspar.S...@gmail.com on 27 Apr 2010 at 5:28

GoogleCodeExporter commented 9 years ago
Thank you for your comments Caspar. I am certain there will be a setting in the loginGlobals file to use or not use reCaptcha on the registration form.

This is the first someone has suggested the use be based on some outside factor, such as a forum user's number of posts.

That being said: If the user has registered, he would never see reCaptcha again. We did not and are not building the comment posting pages for a forum, so whoever developed the forum software could decide how they handle reCaptcha on a forum post.

I realize the forum example may have been just that, a hypothetical example off the top of your head, but we do not have plans to include reCaptcha on the login form, just the registration form, therefore each user would see it one and only one time.

Regards,
Rod

Original comment by rdivilb...@gmail.com on 27 Apr 2010 at 8:37

GoogleCodeExporter commented 9 years ago
Gmail displays a captcha if login fails after a few attempts.
So what is the current way to prevent automated brute force attacks?
Simply locking an account after a few failed attempts won't suffice.
Or maybe I am still new to this system and need some more reading...

Original comment by coty...@gmail.com on 30 Apr 2010 at 7:10

GoogleCodeExporter commented 9 years ago
reCAPTCHA working for ASP.
still need change to loginGlobals
still need PHP implementation.

Original comment by rdivilb...@gmail.com on 1 May 2010 at 12:10

GoogleCodeExporter commented 9 years ago
@coty993

"Gmail displays a captcha if login fails after a few attempts.
So what is the current way to prevent automated brute force attacks?
Simply locking an account after a few failed attempts won't suffice.
Or maybe I am still new to this system and need some more reading..."

The account is locked and the remote IP is also locked out.

These are not temporary or temporal locks. The webmaster would have to decide if they should be removed and would manually need to do that in the table.

I'm curious: "Simply locking an account after a few failed attempts won't suffice." does not suffice in what regard? The purpose of preventing a brute force of the account has been stopped and the remote IP can not attempt further brute force attacks on other accounts.

Do you have a suggested enhancement?

Original comment by rdivilb...@gmail.com on 1 May 2010 at 9:47

GoogleCodeExporter commented 9 years ago
"The account is locked and the remote IP is also locked out. These are not temporary or temporal locks. The webmaster would have to decide if they should be removed and would manually need to do that in the table."

So if an account is locked out, they need to contact the webmaster to unlock it for them, you mean?

"does not suffice in what regard? The purpose of preventing a brute force of the account has been stopped and the remote IP can not attempt further brute force attacks on other accounts."

I was pointing to the locking of accounts by automated programs on a few failed attempts. Blocking the IP does answer that "does not suffice" thing in part. Why in part..

Look at this: http://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

"Do you have a suggested enhancement?"

There needs to be a way to let users unlock their accounts. Maybe some security password/answer before they have to call the webmaster.
Say after 3 failed attempts, prompt the user with a captcha and also keep them informed that they have 3 more attempts before their account will get locked out.
Or prompt with their security question instead of a captcha....

Thanks.

Original comment by coty...@gmail.com on 6 May 2010 at 8:52
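As an added illustration of the two policies discussed in this thread (the existing permanent account-plus-IP lock, and the proposed captcha-after-3, warn-then-lock, self-unlock-by-security-answer flow), here is a small progressive throttle written for this page; it is not code from loginsystem-rd, and the thresholds, class and method names are assumptions chosen for the example.

```python
# Added example, not project code: progressive login-failure policy as proposed in the
# thread. Thresholds below are assumptions; a real deployment would persist the counters
# in the project's lock table instead of in memory.
import hmac
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3      # per-account failures before a captcha is required
LOCK_AFTER = 6         # per-account failures before the account is locked
IP_LOCK_AFTER = 20     # failures from one IP (across any accounts) before the IP is blocked


@dataclass
class LoginThrottle:
    account_failures: dict = field(default_factory=dict)
    ip_failures: dict = field(default_factory=dict)
    locked_accounts: set = field(default_factory=set)
    blocked_ips: set = field(default_factory=set)

    def check(self, user: str, ip: str) -> dict:
        """Decision the login form must apply before it verifies a password."""
        if ip in self.blocked_ips:
            return {"allow": False, "reason": "ip_blocked"}
        if user in self.locked_accounts:
            return {"allow": False, "reason": "account_locked", "self_unlock": True}
        fails = self.account_failures.get(user, 0)
        return {
            "allow": True,
            "captcha_required": fails >= CAPTCHA_AFTER,   # step up after a few failures
            "attempts_left": LOCK_AFTER - fails,          # shown to the user as a warning
        }

    def record_failure(self, user: str, ip: str) -> None:
        """Count the failure against both the account and the source IP."""
        self.account_failures[user] = self.account_failures.get(user, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.account_failures[user] >= LOCK_AFTER:
            self.locked_accounts.add(user)
        if self.ip_failures[ip] >= IP_LOCK_AFTER:
            self.blocked_ips.add(ip)

    def record_success(self, user: str) -> None:
        # A good login clears the account counter only; the IP counter keeps its history.
        self.account_failures.pop(user, None)

    def self_unlock(self, user: str, answer: str, expected: str) -> bool:
        """Security-answer unlock so the user need not call the webmaster."""
        if user in self.locked_accounts and hmac.compare_digest(answer, expected):
            self.locked_accounts.discard(user)
            self.account_failures.pop(user, None)
            return True
        return False
```

The IP block stays permanent here to match the behaviour described by rdivilb...; an expiry on `blocked_ips` is the natural place to make it temporal.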