Ravens PHP Scripts: Forums
 

 

Forum Index -> Security - PHP Nuke
pnclthnmstsh (Regular)
Joined: Oct 23, 2005
Posts: 54
Location: Portland, Or

Posted: Sat Apr 29, 2006 4:32 pm

A couple of questions about the security code to register and login.

I've assumed the security code is simply for visual confirmation to stop robots. Given this, here are my thoughts...

A security code is really only needed for registering, to prevent a ton of bot registrations, since if you want to stop bots from messing with most of your site you just need to make those parts for registered users only. For example, if you set your site to only allow registered users to post, then you won't get bot posts. If you don't set it this way, then the code is useless anyway.

So my first question is... why would you set the security code to be required for login, since they need a username and a password to post, etc.? IMHO this is just a pain in the butt for members to log in. Especially for sites that use graphical images that are hard to read anyway.

My second question is, since this is just for visual confirmation, why do some sites feel an 8 digit or graphical image is needed? Wouldn't just a couple of characters do the trick?

Obviously this is a security issue, or so many of the more popular sites wouldn't make us jump through so many hoops just to log in. I'm just wondering if anything more is necessary than a 3 digit confirmation when registering only.

Last edited by pnclthnmstsh on Fri Aug 04, 2006 12:41 am; edited 1 time in total
evaders99 (Former Moderator in Good Standing)
Joined: Apr 30, 2004
Posts: 3221

Posted: Sat Apr 29, 2006 10:19 pm

Personally I think the 8 digits is a waste. Yes, you increase the chances of a robot actually generating a correct code, but even 3 digits is a 1 of 1000 chance (well, less than that to be truly correct).

As you said, I make sure my forums are for registered users only and then activate the security code. Stops these registering and posting robots... and there are a lot targeting various PHP systems like phpNuke and phpBB.

pnclthnmstsh
Posted: Sun Apr 30, 2006 1:14 am

So... here's the next scenario...

There really aren't any Nuke sites worth generating the hacking script to register a name and a password, plus a script that would generate a 1 out of 999 (I believe that's accurate) chance to register a user, and then be able to log in and spam a Nuke site or get access to any of the info contained in that site.

Well... unless they were practicing to hack more important sites, which have better protection than the free scripts we use.

So... it's like putting 3 locks on your bicycle... it just keeps the honest man from stealing your Schwinn. Why make it harder for your friend to ride your bike when a real thief can cut the lock no matter what?
 
montego (Site Admin)
Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sun Apr 30, 2006 8:43 am

pnclthnmstsh, I have seen several popular and not so popular sites spammed up the you-know-what, and by doing what evaders said, no more spam! Or, at least it is then "manageable", as you can hunt down the individual and ban them. (I've done it! What a good feeling that can be...)

technocrat (Life Cycles Becoming CPU Cycles)
Joined: Jul 07, 2005
Posts: 511

Posted: Sun Apr 30, 2006 6:20 pm

Really all you need is a strong captcha, one that is not easily scanned by OCR bots and doesn't use POST vars to validate the code like Nuke does (bad FB, bad).

We just finished putting phpcaptcha into the next release of Evo but left the old system in place for sites that do not have GD + FontType. Then rewrote the old system to use session variables to hold the code and took out the POSTs. Now it's much harder to get around.

Here is the system: (link)

evaders99
Posted: Sun Apr 30, 2006 9:28 pm

Interesting... and an audio captcha too. That is really cool.
 
technocrat
Posted: Mon May 01, 2006 7:47 am

Yeah, and it works great. We made it scan an image folder for background images in the admin, so you can choose how you want it to look. From everything I have read, it's one of the better systems.
 
pnclthnmstsh
Posted: Tue May 02, 2006 12:07 am

OK, yes, this new technology of anti-OCR software is great, but even the samples you've given are almost unreadable to humans. Yahoo has taken this techno on as well and has made it a pain in the butt to send an email in some cases.

The original question was... is a 3 digit non-captcha human recognition system for registering ONLY enough? Or is it really necessary to use 8 digits to make it even tougher, and is it necessary to use it for registering and logging in? Furthermore... is it necessary to use captcha, and to what extent?

What do you recommend for different types of sites?


Last edited by pnclthnmstsh on Fri Aug 04, 2006 12:42 am; edited 1 time in total 
technocrat
Posted: Tue May 02, 2006 11:56 am

The amount of characters makes no difference if a) the captcha can be "hacked" by simple means, or b) the captcha can be read by OCR software.

3 or 8 or 100 makes no real difference if those two factors come into play. So your question is a bit invalid if you cannot stop the root problem, which is software that can bypass them.

If we are talking Nuke, which I assume we are, factor a) is true because of a poor coding concept. It's VERY easy to bypass the default Nuke captcha. You just have to catch a POST on a page that has it and presto.

Is captcha important? Well, that's kind of a hard one to answer; it depends on what you think is a realistic chance of your site being used for spam. For example, it would be possible for bots to sign up on your site and post random spam garbage everywhere. It happened to me more than once on Platinummods. Or do the same thing to feedback, weblinks, downloads, or comments.
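The two validation patterns technocrat contrasts, written out in PHP as an added example; this is not code from the thread, from PHP-Nuke or from Evo. The weak check compares two fields that both arrive in the same POST, so the client decides whether it passes; the session-backed check keeps the expected code server-side, makes it single-use and expires it. The field names (`code`, `expected`), the TTL, the alphabet and the simulated session array are this example's own assumptions.

```php
<?php
// Added example, not PHP-Nuke or Evo code. Shows why validating a CAPTCHA
// against a value carried in the POST is bypassable, and the session-backed
// alternative described in the thread.
declare(strict_types=1);

const CAPTCHA_TTL = 300; // seconds a code stays valid (assumed value)
// Alphabet without 0/O/1/I lookalikes so humans can read it (assumed choice)
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Weak pattern: the expected code is a hidden form field, so both sides of
// the comparison come from the client. Any bot can submit a matching pair
// without ever looking at the image. Field names are placeholders.
function weakCaptchaPassed(array $post): bool
{
    return isset($post['code'], $post['expected'])
        && (string)$post['code'] === (string)$post['expected'];
}

// Hardened pattern, step 1: generate a code with a CSPRNG and keep the
// plaintext only in the session. The caller renders it to an image (GD) or
// audio; the text itself is never sent to the browser.
function newCaptchaCode(array &$session, int $length = 6): string
{
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $session['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Hardened pattern, step 2: check the answer against the session copy.
// The stored code is removed before comparing, so one challenge yields at
// most one attempt, and stale challenges are rejected by age.
function captchaPassed(array &$session, string $answer, ?int $now = null): bool
{
    $now ??= time();
    $entry = $session['captcha'] ?? null;
    unset($session['captcha']); // burn the code on success or failure
    if ($entry === null) {
        return false; // no challenge was issued for this session
    }
    if ($now - $entry['issued'] > CAPTCHA_TTL) {
        return false; // challenge expired
    }
    // Case-insensitive, constant-time comparison
    return hash_equals(strtoupper($entry['code']), strtoupper(trim($answer)));
}

// Demonstration against a simulated session array (constructed; in a real
// page you would call session_start() and pass $_SESSION instead).
$session = [];
$code = newCaptchaCode($session);
var_dump(captchaPassed($session, strtolower($code))); // correct answer, different case
var_dump(captchaPassed($session, $code));             // same code replayed
newCaptchaCode($session);
var_dump(captchaPassed($session, 'WRONG1'));          // wrong answer
newCaptchaCode($session);
var_dump(captchaPassed($session, $session['captcha']['code'], time() + CAPTCHA_TTL + 1)); // expired
// The weak form passes with no image solved at all:
var_dump(weakCaptchaPassed(['code' => '42', 'expected' => '42']));
```

In a real form handler the session array is `$_SESSION` after `session_start()`, the image endpoint calls `newCaptchaCode()` and draws the returned string, and the submit handler calls `captchaPassed()` before touching the registration data. Because the code is consumed on every attempt, a failed guess forces the client to request a fresh image, which is what makes the character count a secondary concern, as the post above argues.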
 
pnclthnmstsh
Posted: Tue May 02, 2006 2:49 pm

You did answer my question, I believe. I've had spam bots try to post to my sites as well, but they were stopped because they don't have a username and were not logged in. And my original concern was why do sites insist on using 8 characters to log in and making it a pain, when 3 characters for registering will do just fine as long as your posting permissions are set to registered users only. I figured they do it just to make their site look "cool" LOL, or that they think more characters is harder to crack, but as you've all said... 3 or 100 doesn't matter and Nuke permissions will stop spammers, so these sites can make it easier on humans and lighten up on the "cool" stuff... right?
 
Serafim (Worker)
Joined: Mar 25, 2006
Posts: 109
Location: Delaware Usa

Posted: Tue May 02, 2006 9:42 pm

LOL, I have always wondered the very same thing myself. It's a pain in the butt to keep typing that code. Will I drop it? No... but I agree, why go 8 or even more when 3 will do. I went one step further and use approve membership and look at each application closely. I know that's not foolproof, but the follow-up "need more info" letter normally does the trick. Had to add my two cents.

gregexp (The Mouse Is Extension Of Arm)
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Wed May 03, 2006 7:21 pm

Well, I agree... use 8? Ummm, no.
lol
I personally use .htaccess and keep it as up to date as possible to block bots.
Other than that... let 'em come... can't put anything I can't delete.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
southern (Client)
Joined: Jan 29, 2004
Posts: 591
Location: Texas

Posted: Thu May 04, 2006 12:33 pm

pnclthnmstsh wrote:
You did answer my question, I believe. I've had spam bots try to post to my sites as well, but they were stopped because they don't have a username and were not logged in. And my original concern was why do sites insist on using 8 characters to log in and making it a pain, when 3 characters for registering will do just fine as long as your posting permissions are set to registered users only. I figured they do it just to make their site look "cool" LOL, or that they think more characters is harder to crack, but as you've all said... 3 or 100 doesn't matter and Nuke permissions will stop spammers, so these sites can make it easier on humans and lighten up on the "cool" stuff... right?

Well, try this in your footer, just put it in preferences:
Code:

<a href="http://phpnuke-downloads.com/spamlock.html" title="Anti-Spam"><img src="http://phpnuke-downloads.com/images/spam_icon.gif" alt="Anti-Spam"></a>

It'll take those spambots to a page with phony emails lol

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
MGCJerry (New Member)
Joined: Feb 19, 2006
Posts: 5
Location: Nowhere

Posted: Sun May 14, 2006 12:38 pm

As far as this image verification thing, I'm working on making all my images have simple mathematical expressions that need to be solved, OR just random numbers/letters. Going to try to do this as a reusable function so I don't have to recode it a million times for the different modules.

Reusable code in Nuke... What a concept! *snicker*

Of course, I also have other systems on hand that will flag, report & ban spam attempts, bot or otherwise.

Serafim
Posted: Sun May 14, 2006 1:37 pm

I love that wall of shame... How did you do that??? The site is pretty kewl btw
 
MGCJerry
Posted: Sun May 14, 2006 2:35 pm

<hijack>
The WOS was actually originally a haphazard script to display what my hack/spam detection code intercepted, but it has now blown up into its own whole project, which incidentally is closed source.

Glad you liked the site... I got your PM and replied.
</hijack>