Author |
Message |
pnclthnmstsh
Regular
Joined: Oct 23, 2005
Posts: 54
Location: Portland, Or
|
Posted:
Sat Apr 29, 2006 4:32 pm |
|
A couple of questions about the security code to register and login.
I've assumed the security code is simply for visual confirmation to stop robots. Given this, here's my thoughts...
A security code is really only needed for registering to prevent a ton of bot registers, since if you want to stop bots from messing with most of your site you just need to make those parts for registered users only. For example, if you set your site to only allow registered users to post then you won't get bot posts. If you don't set it this way then the code is useless anyway.
So my first question is...why would you set the security code to be required for login since they need a username and a password to post...etc. IMHO this is just a pain in the butt for members to login. Especially for sites that use graphical images that are hard to read anyway.
My second question is, since this is just for visual confirmation, why do some sites feel an 8 digit or graphical image is needed? Wouldn't just a couple of characters do the trick?
Obviously this is a security issue or so many of the more popular sites wouldn't make us jump through so many hoops just to log in, I'm just wondering if anything more is necessary than a 3 digit confirmation when registering only. |
Last edited by pnclthnmstsh on Fri Aug 04, 2006 12:41 am; edited 1 time in total |
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sat Apr 29, 2006 10:19 pm |
|
Personally I think the 8 digits is a waste. Yes you increase the chances of a robot actually generating a correct code, but even 3 digits is a 1 of 1000 chance (well less than that to be truly correct)
As you said, I make sure my forums are for registered users only and then activate the security code. Stops these registering and posting robots ... and there are a lot targeting various PHP systems like phpNuke and phpBB. |
|
|
pnclthnmstsh
|
Posted:
Sun Apr 30, 2006 1:14 am |
|
So..here's the next scenario...
There really aren't any Nuke sites worth generating the hacking script to register a name, a password and a script that would generate a 1 out of 999 (I believe that's accurate) chance to register a user and then be able to log in and spam a Nuke site or get access to any of the info contained in that site.
Well...unless they were practicing to hack more important sites which have better protection than the free scripts we use.
So...it's like putting 3 locks on your bicycle..it just keeps the honest man from stealing your Schwinn. Why make it harder for your friend to ride your bike when a real thief can cut the lock no matter what? |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Sun Apr 30, 2006 8:43 am |
|
pnclthnmstsh, I have seen several popular and not so popular sites spammed up the you know what and by doing what evaders said, no more spam! Or, at least it is then "manageable" as you can hunt down the individual and ban them. (I've done it! What a good feeling that can be... ) |
|
|
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
|
Posted:
Sun Apr 30, 2006 6:20 pm |
|
Really all you need is a strong captcha, one that is not easily scanned by OCR bots and doesn't use POST vars to validate the code like nuke uses (bad FB bad).
We just finished putting in phpcaptcha into the next release of evo but left the old system in place for sites that do not have GD + FontType. Then rewrote the old system to use session variables to hold the code and took out the POSTs. Now it's much harder to get around.
Here is the system http://www.ejeliot.com/pages/2 |
|
|
evaders99
|
Posted:
Sun Apr 30, 2006 9:28 pm |
|
Interesting.. and an audio captcha too. That is really cool |
|
|
|
technocrat
|
Posted:
Mon May 01, 2006 7:47 am |
|
Yeah and it works great. We made it scan an image folder for background images in the admin so you can choose how you want it to look. From everything I have read it's one of the better systems. |
|
|
|
pnclthnmstsh
|
Posted:
Tue May 02, 2006 12:07 am |
|
OK, yes this new technology of anti OCR software is great but even samples you've given are almost unreadable to humans. Yahoo has taken this techno on as well and has made it a pain in the butt to send an email in some cases.
The original question was...is a 3 digit non-captcha human recognition system for registering ONLY enough? Or is it really necessary to use 8 digits to make it even tougher and is it necessary to use it for registering and logging in...Furthermore...is it necessary to use captcha and to what extent?
What do you recommend for different types of sites? |
Last edited by pnclthnmstsh on Fri Aug 04, 2006 12:42 am; edited 1 time in total |
|
|
technocrat
|
Posted:
Tue May 02, 2006 11:56 am |
|
The amount of characters makes no difference if a) the captcha can be "hacked" by simple means. b) the captcha can be read by OCR software.
3 or 8 or 100 makes no real difference if those two factors come into play. So your question is a bit invalid if you cannot stop the root problem which is software that can bypass them.
If we are talking Nuke, which I assume we are, factor a) is true because of a poor coding concept. It's VERY easy to bypass the default nuke captcha. You just have to catch a POST on a page that has it and presto.
Is captcha important? Well, that's kind of a hard one to answer; it depends on what you think is a realistic chance of your site being used for spam. For example it would be possible for bots to signup on your site and post random spam garbage everywhere. It happened to me more than once on Platinummods. Or do the same thing to feedback, weblinks, downloads, or comments. |
|
|
|
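The difference technocrat describes in the two posts above (checking the code from POST variables versus holding it in a session), as an added PHP example that is not part of the thread and is not phpNuke or Evo code. The function names, the `expected`/`answer` field names and the three-try limit are assumptions made for illustration.

```php
<?php
// Added example; not phpNuke or Evo code. All names here are hypothetical.
// $session stands in for $_SESSION so the script also runs from the CLI.
const MAX_TRIES = 3;

// Weak pattern (simplified): the value used to check the answer arrives in
// the same POST, so the server trusts whatever the client chose to send.
function check_from_post(array $post): bool
{
    return isset($post['expected'], $post['answer'])
        && $post['expected'] === $post['answer'];
}

// Session pattern: the code is generated and kept on the server only.
function issue_code(array &$session, int $digits = 3): string
{
    $max  = (10 ** $digits) - 1;
    $code = str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
    $session['captcha'] = ['code' => $code, 'tries' => 0];
    return $code; // goes into the rendered image, never into the form
}

function check_from_session(array &$session, array $post): bool
{
    if (!isset($session['captcha'], $post['answer']) || !is_string($post['answer'])) {
        return false;
    }
    $ok = hash_equals($session['captcha']['code'], $post['answer']);
    // One use only: a correct answer, or too many wrong ones, discards the code.
    if ($ok || ++$session['captcha']['tries'] >= MAX_TRIES) {
        unset($session['captcha']);
    }
    return $ok;
}

// Constructed submissions for a local run.
$session = [];
$code    = issue_code($session);
$selfContained = ['expected' => 'abc', 'answer' => 'abc'];
$human         = ['answer' => $code];

var_dump(check_from_post($selfContained));              // client-supplied pair
var_dump(check_from_session($session, $selfContained)); // answer is not the stored code
var_dump(check_from_session($session, $human));         // stored code, first use
var_dump(check_from_session($session, $human));         // same POST sent again
```

The last call fails because the code is discarded on first use, a property that holds whether the code is 3 digits or 8.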
pnclthnmstsh
|
Posted:
Tue May 02, 2006 2:49 pm |
|
You did answer my question, I believe. I've had spam bots try to post to my sites as well but they were stopped because they don't have a username and were not logged in. And my original concern was why do sites insist on using 8 characters to login and making it a pain when 3 characters for registering will do just fine as long as your posting permissions are set to registered users only. I figured they do it just to make their site look "cool" LOL or that they think more characters is harder to crack, but as you've all said...3 or 100 doesn't matter and nuke permissions will stop spammers so these sites can make it easier on humans and lighten up on the "cool" stuff...right? |
|
|
|
Serafim
Worker
Joined: Mar 25, 2006
Posts: 109
Location: Delaware Usa
|
Posted:
Tue May 02, 2006 9:42 pm |
|
LOL I have always wondered the very same thing myself. It's a pain in the butt to keep typing that code. Will I drop it? No... but I agree, why go 8 or even more when 3 will do. I went one step further and use approve membership and look at each application closely. I know that's not foolproof but the follow-up "need more info" letter normally does the trick. Had to add my two cents
|
|
|
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
Posted:
Wed May 03, 2006 7:21 pm |
|
Well, I agree.. use 8? Ummm, no.
lol
I personally use .htaccess and keep it as up to date as possible to block bots.
Other than that... let 'em come... can't put anything I can't delete. |
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
southern
Client
Joined: Jan 29, 2004
Posts: 624
|
Posted:
Thu May 04, 2006 12:33 pm |
|
pnclthnmstsh wrote: | You did answer my question, I believe. I've had spam bots try to post to my sites as well but they were stopped because they don't have a username and were not logged in. And my original concern was why do sites insist on using 8 characters to login and making it a pain when 3 characters for registering will do just fine as long as your posting permissions are set to registered users only. I figured they do it just to make their site look "cool" LOL or that they think more characters is harder to crack, but as you've all said...3 or 100 doesn't matter and nuke permissions will stop spammers so these sites can make it easier on humans and lighten up on the "cool" stuff...right? |
Well try this in your footer, just put it on in preferences
Code:
<a href="http://phpnuke-downloads.com/spamlock.html" title="Anti-Spam"><img src="http://phpnuke-downloads.com/images/spam_icon.gif" alt="Anti-Spam"></a>
|
It'll take them spambots to a page with phony emails lol |
_________________ Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra |
|
|
MGCJerry
New Member
Joined: Feb 19, 2006
Posts: 5
Location: Nowhere
|
Posted:
Sun May 14, 2006 12:38 pm |
|
As far as this image verification thing, I'm working on making all my images have simple mathematical expressions that need to be solved, OR just random numbers/letters. Going to try to do this as a reusable function so I don't have to recode it a million times for the different modules.
Reusable code in nuke... What a concept! *snicker*.
Of course, I also have other systems on hand that will flag, report & ban spam attempts, bot or otherwise.
|
|
|
Serafim
|
Posted:
Sun May 14, 2006 1:37 pm |
|
I love that wall of shame... How did you do that??? The site is pretty kewl btw |
|
|
|
MGCJerry
|
Posted:
Sun May 14, 2006 2:35 pm |
|
<hijack>
The WOS was actually originally a haphazard script to display what my hack/spam detection code intercepted, but now has blown up into its own whole project which incidentally is closed source.
http://www.2thextreme.org/modules.php?name=Rogue_Admin
Glad you liked the site... I got your PM and replied.
</hijack> |
|
|
|
|