do I have to add captcha in all forms? - captcha

I want to know if I should use Captcha for all forms on my website.
Or are there some cases that require it?
Any help is appreciated.

Unless your users are already authenticated (logged in), it is indeed a very good idea to have a captcha on each form to limit the amount of spam bot abuse you receive.
In some cases, it is still a good idea even when the users are logged in.

Related

Preventing denial of service from locking user accounts after too many attempts

It seems to be common practice to lock user accounts after enough failed attempts in a particular time window.
I am wondering how you prevent denial-of-service attacks since a malicious user who had the username of someone he wished to DoS could simply rapidly make logon attempts.
Is the remedy to lock the account for only the IP address of the user who exceeded the logon attempt count+window ?
Is there any better way?
EDIT:
I don't want to make my users solve a captcha on each login attempt.
You shouldn't block the user by its IP, because maybe it is a real user that forgot his pass and did the retries manually.
The worst thing (business-wise) is that a real user will not be able to access your service.
So, your problem is actually "How do I know that the user is not a robot?".
One of the most popular ways to deal with this is to use a different mechanism for multiple login attempts.
For instance, Google uses Captcha after about 3 trials,
so an automatic bot will get stuck on this stage.
Of course it is possible to get the bot to read the captcha, but it's a start.
You can read more about captcha implementation in their official site: http://www.captcha.net/
Other alternative ideas here: http://econsultancy.com/il/blog/63144-six-alternatives-to-using-the-dreaded-captcha-images
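The approach in the answer above (require a CAPTCHA after a few failures instead of locking the account), sketched as an added example that is not part of the original thread. The class name `LoginThrottle`, the 15-minute window and the in-memory store are assumptions; the threshold of 3 follows the "about 3" mentioned in the answer.

```python
import time
from collections import deque

CHALLENGE_AFTER = 3        # failures before a CAPTCHA is demanded
WINDOW_SECONDS = 15 * 60   # assumed sliding window for counting failures


class LoginThrottle:
    """Counts recent failures per account and escalates to a CAPTCHA.

    The account is never hard-locked, so an attacker who knows a username
    cannot deny service to its owner; the owner only has to solve a challenge.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}  # username -> deque of failure timestamps

    def _recent(self, username):
        q = self._failures.get(username)
        if q is None:
            return 0
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:   # drop failures older than the window
            q.popleft()
        if not q:
            del self._failures[username]
        return len(q)

    def captcha_required(self, username):
        return self._recent(username) >= CHALLENGE_AFTER

    def attempt(self, username, password_ok, captcha_ok=False):
        """Return 'ok', 'denied' or 'captcha_required'."""
        if self.captcha_required(username) and not captcha_ok:
            # The password result is ignored here, so a bot that cannot
            # solve the challenge gets no further guesses.
            return "captcha_required"
        if password_ok:
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        self._failures.setdefault(username, deque()).append(self._now())
        return "denied"
```

In a real deployment the counters would live in a shared store and `captcha_ok` would come from the CAPTCHA provider's server-side verification.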

Suggestions to web based low-security password alternative

I have a corporate intranet project that needs logins, but doesn't need high security. Impersonating a different user is not useful or very desirable. In similar intranet systems, everyone has the same password as set up by the admin.
I'm hoping to get some suggestions on what password alternatives I could consider. My first thought is to show each user 8 images and have them click on one to be their password. Would this be too annoying or problematic in some way? What other ideas would you suggest?
Why not just use a text-based password? It sounds like you are over-complicating things by including images, especially if, as you stated, you don't need "high security". I wouldn't consider a text-based password "high security" but it does meet your requirements of a login on the intranet. A lot of products have built-in functions for passwords so it would be dead simple to implement into your project if you have this available. I'm suggesting you keep it simple and don't assume that impersonating a user isn't something that won't happen without at least a password. You'd want to know who made changes or have some logs that identified who was the user at the time of a certain event.
Remember, security should be baked in, not sprayed on!

Is there a way to set up PHPBB3 to use a CAPTCHA for every post?

I think there is a human registering a user, getting past the original CAPTCHA, then firing his php script to spamalot.
Is there a way to make the user do the captcha test for every post in PHPBB3?
Won't this deter regular users from using your forum? I wouldn't use stackoverflow if I had to enter a CAPTCHA each time I wanted to post an answer...
I'm not directly answering your question, but in PHPBB 3.06 you have the "Newly Registered Users Group" to which you can give specific permissions (like all messages going to the moderation queue). Maybe this helps? Depending on your traffic you may also validate each user manually (admin activation).
More info on PHPBB and spam here: http://www.phpbb.com/community/viewtopic.php?f=46&t=1861645 (strongly suggested)

Detecting if a user is online in SharePoint 2010

Is there a built-in way to find out whether or not a user has logged in?
Basically I would want to know if a user has logged in.
I mean, I could keep track of the users that are logging via overriding methods in authentication and storing session info.
Any ideas would be appreciated, thanks.
There is no built-in way to do this. If you want to develop a solution for this, then you need to clarify which authentication methods you are looking for: Windows, Forms, Claims ?
See this thread:
https://sharepoint.stackexchange.com/questions/6830/how-to-check-how-many-users-are-currently-logged-in-sharepoint-foundation-2010

should we use a captcha for Sign Up?

I know it's not really a programming question but I don't know where to ask it.
Should I use a captcha in my sign up form?
Facebook, twitter, foursquare, gowalla etc... don't use one (or not a visible one). Is there an invisible captcha on these sites?
Thank you
UPDATE :
I have found a nice article about it : http://www.smashingmagazine.com/2008/07/08/web-form-design-patterns-sign-up-forms-part-2/
Thanks for your answers
I don't use a captcha for SingingEels, but I do require a valid email address. Users have to confirm their email address by clicking a link sent with a GUID upon creating a new account.
That validates a real human, and also prevents quick sign-ups for spam comments.
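The e-mail confirmation flow described in the answer above, as an added example that is not part of the original thread. It swaps the GUID for a token from a cryptographic random source and stores only its hash; the class name `EmailConfirmations`, the 24-hour lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class EmailConfirmations:
    """Issues one-time confirmation tokens and redeems them exactly once."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}       # sha256(token) -> (email, expires_at)
        self.confirmed = set()   # addresses that completed confirmation

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed
        # as working confirmation links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Return the token to embed in the link sent to `email`."""
        # token_urlsafe draws from the OS CSPRNG; some GUID variants are
        # derived from time and host data and are guessable.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL)
        return token

    def confirm(self, token):
        """Return the confirmed address, or None if unknown, expired or reused."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        self.confirmed.add(email)
        return email
```

Accounts should stay unable to post until `confirm` succeeds; otherwise the confirmation step does not slow down automated sign-ups.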
There is no need to use captcha code on the SignUp page. But as far as security reasons are concerned, you need captcha code wherever you have any form. Because if someone puts a robot for signup on your page, you will have to face a problem with your website. So for this purpose you need to add captcha not only on the Signup page but on every form you are using on your website.
CAPTCHA helps prevent automated abuse of your site (such as comment spam or bogus registrations).
It is advisable to use additional authentication methods; captcha and email authentication are most advisable.
It is not advisable to use any captcha at all.
Also see:
http://www.interfacegeek.com/dont-ever-use-captchas/