Captcha on Login


kamikatze13


What internet realms are you roaming around where your account's security is not your responsibility even more than it is the responsibility of the account provider? Must be that fantasy land of "I don't need responsibilities" a lot of people seem to frequent.



Our site's security and database security is our problem. Your account security is YOUR problem.

 

A lot of the recent security changes we've made are because users are not looking after their user accounts properly online and are not following best security practices. We have to do this BECAUSE of complacent users, not because our own security is inadequate.

 

I was unaware of the infiltration issues. Engaged mouth before brain. Sorry. I reckon you gotta do what you gotta do. :confused:


What internet realms are you roaming around where your account's security is not your responsibility even more than it is the responsibility of the account provider? Must be that fantasy land of "I don't need responsibilities" a lot of people seem to frequent.

Ya. I can see what you think I am, but not true. Don't confuse me with one of those millennial babies that always cry when they don't get their own way or no one pays attention to them. I'm just old and tired of all the concessions we are forced to make in order to even use devices nowadays. I have been using PCs since they first were made available to the public in 1979. They were large, bulky, heavy, and slow with no internet. I went through the modem-activated forums of the day. There were no online games, and email was somewhat of a chore.

 

It's just too bad that the general populace takes instant internet for granted and uses it to peddle their garbage and steal our money and identities. I don't mind complying with whatever policies protect my account and the provider. I am just saying today's loyalties wane at the introduction of stricter security.

 

To answer your original question, there are some financial institutions in the world that set your security for your accounts. I have one that gives me a login, password, and a PIN. I have no say. If I want to change it I have to call the I.T. and give reasons. Then it takes 72 hours. So, yes, some "realms" do exist. But like I said, I'm just old and tired of it. I'll get over it. :pinch:


Ah yes bubba, dem milleniuls amirite. I'm sure those financial institutions also gave you a personal helper to ensure you're not a dumbass that gives away their PIN to a Nigerian prince and so on, right?

Edited by Ethreon

Update:

We've implemented a new Captcha that is intended to be served to those who cannot 'see' Google's ReCaptcha. This will hopefully allow those who have been having issues recently to successfully log in.

I know captchas in general are a bit of an inconvenience, but unfortunately it's a necessity these days. That said, we're still looking into ways to make the process more transparent/seamless for everyone, including implementation of "invisible" captchas if possible.

Hopefully, the changes that've been made so far are helpful. If you continue to have any issues logging in (ensuring that no third-party security software is interfering), please let us know with screenshots if possible.

Thank you all for your patience!!


What about "legitimate" bot accounts? Are they just SoL if the API is insufficient now? This change seems like a monkey patch for a larger problem. There are many ways for you to secure logins without forcing users to respond to a captcha challenge:

 

1. Throttle login attempts. Don't allow more than, say, 6 attempts per minute. Throttle at whatever rate is sufficient to prevent brute force attacks but not bother users who forgot their password. Maybe set an upper limit on 30 attempts before locking an account and requiring the user to respond to an email to unlock it. This is a fairly standard system.

2. Use IP address and device information to authorize access to the account based on the device the user is accessing the site from. Steam does something similar to this. This basically requires the user to "authorize" a device which has not been used to log into their account before by clicking a link in an email sent to the address associated with their account.

3. Add and encourage the use of two factor authentication.

4. If these are "too difficult or time-consuming to implement" then wash your hands of users who do not understand the basics of password security and ignore recommendations to not use the same password that they use on other sites (assuming this recommendation is made visible whenever a user creates/changes their password). If a user sets themselves up to have their account hijacked that's their problem, not yours.

 

If the aforementioned security concerns go beyond "brute force" or "third party accounts with the same password cracked" then I have to ask what the hell is going on with your login system to create such issues in the first place? Most attacks are fairly easy to protect against - use HTTPS to protect against man-in-the-middle attacks, use a token to protect against CSRF, use throttles/locks to protect against brute force, and educate users to help them protect themselves against password reuse/weak passwords. The only kind of attack which is difficult to protect against (but rare in the wild, especially with websites) is a timing attack.

 

You can also throttle logins in general, not allowing the same IP address to make more than a certain number of attempts per minute/hour/day, regardless of the account they attempt to log into. Such a throttle can be set at a value that a human is likely to never encounter (e.g. 200 login attempts/day) but would put a serious damper on illegitimate bot activity.

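The three throttling layers the post above proposes (a per-account rate limit, a lockout after repeated failures that an emailed link clears, and a per-IP daily cap that ignores which account is targeted), as an added example in Python. This is not code from the thread or from the site's own login system; the thresholds are the post's suggested numbers, and the class, the `FakeClock`, and the three attack schedules (a fast brute force, a slow brute force that stays under the per-minute cap, and credential stuffing spread across many accounts from one address) are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Thresholds taken from the post's suggestions; tune them per site.
PER_ACCOUNT_WINDOW = 60       # seconds
PER_ACCOUNT_MAX = 6           # attempts per account per window
LOCK_AFTER_FAILURES = 30      # consecutive failures before an email unlock is required
PER_IP_WINDOW = 24 * 3600     # seconds
PER_IP_MAX = 200              # attempts per source IP per window, any account


class LoginThrottle:
    """Sliding-window throttles keyed on account name and on source IP.

    Hypothetical in-memory implementation: a real deployment keeps this state
    in a shared store so every web node sees the same counters.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.account_attempts = defaultdict(deque)   # username -> attempt timestamps
        self.ip_attempts = defaultdict(deque)        # ip -> attempt timestamps
        self.failures = defaultdict(int)             # username -> consecutive failures
        self.locked = set()                          # usernames awaiting email unlock

    @staticmethod
    def _prune(timestamps, now, window):
        # Drop entries that have aged out of the sliding window.
        while timestamps and now - timestamps[0] > window:
            timestamps.popleft()

    def check(self, username, ip):
        """Return None if the attempt may be processed, else the refusal reason.

        Applied to every submitted username, existing or not, so the throttle
        itself does not reveal which accounts exist.
        """
        now = self.clock()
        if username in self.locked:
            return "locked"
        ip_q = self.ip_attempts[ip]
        self._prune(ip_q, now, PER_IP_WINDOW)
        if len(ip_q) >= PER_IP_MAX:
            return "ip_throttled"
        acct_q = self.account_attempts[username]
        self._prune(acct_q, now, PER_ACCOUNT_WINDOW)
        if len(acct_q) >= PER_ACCOUNT_MAX:
            return "account_throttled"
        return None

    def record(self, username, ip, success):
        """Record the outcome of an attempt that passed check()."""
        now = self.clock()
        self.ip_attempts[ip].append(now)
        self.account_attempts[username].append(now)
        if success:
            self.failures[username] = 0
            return
        self.failures[username] += 1
        if self.failures[username] >= LOCK_AFTER_FAILURES:
            self.locked.add(username)

    def unlock_via_email(self, username):
        """Handler for the unlock link mailed to the account owner (assumed)."""
        self.locked.discard(username)
        self.failures[username] = 0


class FakeClock:
    """Controllable clock so the scenarios below run instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_schedule(schedule):
    """Replay (delay_seconds, username, ip) tuples; every password is wrong."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    verdicts = []
    for delay, username, ip in schedule:
        clock.advance(delay)
        verdict = throttle.check(username, ip)
        if verdict is None:
            throttle.record(username, ip, success=False)
            verdict = "bad_password"
        verdicts.append(verdict)
    return throttle, verdicts


BOT_IP = "203.0.113.7"   # constructed documentation address

# Constructed attack schedules, one per throttle layer.
FAST_BRUTE_FORCE = [(1, "alice", BOT_IP)] * 40                 # one guess per second
SLOW_BRUTE_FORCE = [(11, "alice", BOT_IP)] * 35                # stays under 6/min
CREDENTIAL_STUFFING = [(1, f"user{i}", BOT_IP) for i in range(250)]


def summarize(schedule):
    """Count verdicts for a schedule, e.g. {'bad_password': 6, 'account_throttled': 34}."""
    counts = defaultdict(int)
    for verdict in run_schedule(schedule)[1]:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, schedule in [("fast brute force", FAST_BRUTE_FORCE),
                           ("slow brute force", SLOW_BRUTE_FORCE),
                           ("credential stuffing", CREDENTIAL_STUFFING)]:
        print(f"{name}: {summarize(schedule)}")
```

The fast brute force is stopped by the per-minute account window after six guesses; the slow one slips under that window but runs into the 30-failure lock, which only the emailed unlock clears; the credential-stuffing run never trips either account limit because every guess targets a different name, and is cut off by the per-IP cap at 200. Attempts refused by `check()` are deliberately not recorded, so a throttled client cannot extend its own penalty, and the password is only ever verified after the throttle has passed.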

Using Firefox and NoScript, I could see the Captcha as badly drawn text. I entered the text multiple times, but it would always fail with Captcha error. Also when tabbing from login name to password to Captcha, it would not tab to the Captcha textbox. That probably needs to be fixed going forward.

 

After trial and error with NoScript and Captchas, I attached a PNG of what worked for me to log in. A bit of a hassle, but now I got to click on street sign pictures instead of text, and it finally let me in.

 

Not to mention a HUGE bottom banner about Curse, cookies, and the like. Hope they are server-side cookies, as I (like many others) delete all cookies on exit. Either that, or I'll have to endure that banner every time.

 

Hmm.. guess pics didn't come out. I had to also allow cursecdn, cloudfront, quantserv, along with Nexusmods.

Edited by sweevil

Not to mention a HUGE bottom banner about Curse

 

makes me wonder - how is nexusmods related to cur§e.com? last time i saw curse was back when i downloaded ui mods for wow :sweat: and the most current expansion was wotlk

Edited by kamikatze13

thank you.

seems like you found an acceptable workaround.

 

my complaints were about Google most of all, not so much about general craptcha.

 

bet I'm not the only one here, privacy does matter big time, even if the majority might still be too blind to see ...

cheers,

seyda

Edited by seydaneen
