opencaching / opencaching-pl

The source code of Opencaching.PL (and some other domains)
https://opencaching.pl/
GNU General Public License v3.0

Captcha mechanism on oc pages. #606

Open mzylowski opened 8 years ago

mzylowski commented 8 years ago

A nice security improvement would be adding a captcha to the register and login pages. On the register page the user has to type the text from the captcha into the register form. On the login page, after 3 attempts, the user also has to solve a captcha to log in.

What do you think?

kojoty commented 8 years ago

Have we had any security issue around it already?

In my opinion complication of the user registration is generally a bad idea - I have never seen any "bot" in our service :smile:

I don't know if we have any brute-force password break prevention mechanism, so if not maybe captcha could be a good idea after X login attempts (maybe not 3 but 5 or something).
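The threshold-based captcha kojoty describes, written out as an added illustration (Python, not code from the opencaching-pl project, which is PHP): a per-account failure counter that demands a captcha once a configurable number of recent failures is reached, and checks the captcha before the password so that the gate cannot be skipped. The class name, the threshold of 5 and the 15-minute window are assumptions.

```python
import time
from dataclasses import dataclass, field

CAPTCHA_AFTER = 5          # failed attempts before a captcha is required (assumed; kojoty suggests 5 rather than 3)
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count (assumed window)


@dataclass
class LoginGuard:
    # username -> timestamps of recent failed logins
    failures: dict = field(default_factory=dict)

    def _recent(self, username, now):
        """Drop failures outside the window and return the ones that still count."""
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self.failures.get(username, []) if t > cutoff]
        self.failures[username] = kept
        return kept

    def captcha_required(self, username, now=None):
        now = time.time() if now is None else now
        return len(self._recent(username, now)) >= CAPTCHA_AFTER

    def attempt(self, username, password_ok, captcha_ok=False, now=None):
        """Process one login attempt; returns 'ok', 'bad_password' or 'captcha_required'.

        password_ok / captcha_ok are the results of the real password and captcha
        checks, passed in so the example stays self-contained.
        """
        now = time.time() if now is None else now
        # Gate on the captcha first: once the threshold is hit, even a correct
        # password is not accepted without it, so guessing cannot continue.
        if self.captcha_required(username, now) and not captcha_ok:
            return "captcha_required"
        if password_ok:
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "bad_password"
```

Keying the counter by account (rather than only by IP) means a distributed guessing campaign against one account still trips the captcha.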

harrieklomp commented 8 years ago

I believe captcha is a bit out of date. We did use it on the oc.nl forum and the unwanted accounts were still there. We have now (for several years) used a q/a question/answer check. This is much more secure.

mzylowski commented 8 years ago

I have never seen any "bot" in our service :smile:

But maybe you will see :P Prevention is better than cure ;] It is very easy to write.

By captcha mechanism I mean question/answer. Easy captchas (numbers, text) are useless now. Also Google has a good solution: https://www.google.com/recaptcha/intro/index.html

kojoty commented 8 years ago

I have never seen any "bot" in our service :smile:

But maybe you will see :P Prevention is better than cure ;] It is very easy to write.

:smile: Generally yes, but there is something like an accepted level of risk we've taken in the name of not complicating the user registration process...

and one more thing: who, and why, would want to create many bot accounts at OC?

andrixnet commented 8 years ago

It would be a useful feature when it is established that the site has become indeed a target for bots. I've seen opencaching.us having it. It could be implemented and activated (or not) based on settings. (IMO low priority, as long as we don't see data showing OC nodes being bot targets)

Contrary to forums using well-known and widely used packages such as phpBB, OC, though based on open-source projects, is apparently of minimal profile and interest level.

I would focus more on admin user management at this time.