By denisr on
hi guys,
is it possible to use captcha for every login?
I mean, not only for people that want to register, but also for the users that are logging in?
Comments
everything is possible
but captcha is totally useless. Bad guys will use programs which can solve them. Or to quote Morbus, any of them can be cracked by waving a twenty to a hobo. In real practice, they will rather use a free porn site or some slave in China.
The real users will be annoyed when they mistype GRTXP and I hope you won't have any visually impaired visitor.
--
Read my developer blog on Drupal4hu. | The news is Now Public
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
CAPTCHAs are not totally useless
CAPTCHAs have their own limitations but they cannot be disregarded as being totally useless. In any case we are raising the barrier and making it more difficult for the bad guys to do whatever they want to do.
Visually impaired users can be accommodated by asking them to directly mail the admin who will create an account for them. For accounts of visually impaired users the CAPTCHA can be disregarded by using appropriate code and by marking the account as not needing a valid CAPTCHA.
My Drupal-powered Blog: ThoughtfulChaos
possible but hacking required
It is quite possible to implement a CAPTCHA for every login but you will have to do some hacking of your own. You can study the patch to add a CAPTCHA for commenting and cook up something similar for every login.
It would be great if you could post a patch when you are done. I am sure many other admins will find the patch useful.
My Drupal-powered Blog: ThoughtfulChaos
?
I can't imagine many people finding captchas for every login very useful. If captchas weren't so weak, they might have a use during registration, but for every login seems to be silly. A user has to 'prove' every login that he's human?
@ original poster: as an academic question: sure, it's possible. But why do you want it?
--
Tips for posting to the forums.
When your problem is solved, please post a follow-up to the thread you started.
messy topic
I wrote up a reply to the question you pose but then realised that this is a very messy topic. A lot of things depend on the environment in which such a setup might be required, who the users will be and many other factors.
Every countermeasure to counter bad behaviour has a possible counter-countermeasure and so on... something like an arms race. So I just concentrated on letting the original author know how s/he could go about doing what s/he wanted to do. Unless I know the exact scenario in which the setup will live I really cannot make a judgement on whether CAPTCHAs would help or not.
Of course the author herself/himself might be unclear on this front. In that case a discussion on the pros and cons and alternatives would definitely be productive. But not otherwise.
@babyshambles: I too am interested in why you want a CAPTCHA for every login instead of just registration.
My Drupal-powered Blog: ThoughtfulChaos
I am just trying to create a
I am just trying to create a simple intranet with Drupal and I wanted to add an extra layer of security with captcha. So username, password and the captcha before logging in to the intranet.
For the discussion above, I saw this system used in gmail (try to fail the password once or twice) or in overture.
I hope that this can be of some inspiration for the module developer. Maybe give an option to display captcha after one or two failed login attempts.
Of course, I do not want to use captcha for every action (comment, posting and so on). Just for the log in process.
Ok, I will have to do some hacking to the module :(
Is it really needed?
CAPTCHAs are most useful in wide open environments such as the Net where your site is visible to everybody, you can have visitors from anywhere and where you cannot do much about malicious activity except defend yourself against them.
However an Internet is a different ballgame altogether. All the users will be known, it is practical to trace people and you can actually go after the bad guys in the real world. A CAPTCHA does not really provide any significant added security. It would definitely help you fend off bots but that's about it. Malicious users will be able to do damage irrespective of the CAPTCHA.
You should aim to secure your site by using the appropriate configuration settings, access control policies, logging all activity etc.
Anyways happy hacking. Keep us updated.
My Drupal-powered Blog: ThoughtfulChaos
mmm...
yep, I think I can see your point.... ok, I see what I can do...
I meant 'intranet', not 'internet' in 2nd para
I meant 'intranet', not 'internet' in 2nd para.
i.e. 1st line of 2nd paragraph should read 'However an intranet is a different ballgame altogether'.
My Drupal-powered Blog: ThoughtfulChaos
display captcha after one or two failed login attempts
Hey babyshambles,
I think that's a great idea.
It would certainly make a "brute-force" password attack much harder.
Sure, an evil-minded registered user can still do damage... but just think how much more damage they could do if they managed to find out your admin password!
Now if only I had a clue of how to code this kind of change! ;-)
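The "CAPTCHA after one or two failed login attempts" idea from this thread, as an added example that is not part of any post above and is not Drupal or captcha-module code: a framework-neutral PHP sketch in which the class name, the thresholds and the in-memory store are assumptions.

```php
<?php
// Added example: framework-neutral sketch, not Drupal or captcha-module code.
// Storage is an in-memory array (assumption); a real site would use a database table.
final class LoginThrottle
{
    private array $failures = []; // key => list of failure timestamps
    public function __construct(
        private int $threshold = 2,      // free attempts before a CAPTCHA is demanded
        private int $windowSeconds = 900 // how long a failure is remembered
    ) {}

    // Count the failures for one key that are still inside the window.
    private function recent(string $key, int $now): int
    {
        $kept = array_filter(
            $this->failures[$key] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        );
        $this->failures[$key] = array_values($kept);
        return count($kept);
    }

    // True when the next attempt must also carry a correctly solved CAPTCHA.
    public function captchaRequired(string $user, string $ip, int $now): bool
    {
        return $this->recent('user:' . strtolower($user), $now) >= $this->threshold
            || $this->recent('ip:' . $ip, $now) >= $this->threshold;
    }

    // Call on every failed attempt, including attempts on unknown usernames.
    public function recordFailure(string $user, string $ip, int $now): void
    {
        $this->failures['user:' . strtolower($user)][] = $now;
        $this->failures['ip:' . $ip][] = $now;
    }

    // Clear only the account counter; keeping the address counter stops someone
    // from resetting it by logging in to an account of their own.
    public function recordSuccess(string $user): void
    {
        unset($this->failures['user:' . strtolower($user)]);
    }
}

// Constructed walk-through: two wrong passwords for one account from one address.
$t = new LoginThrottle();
$t->recordFailure('alice', '10.0.0.5', 1000);
$t->recordFailure('alice', '10.0.0.5', 1002);
var_dump($t->captchaRequired('alice', '10.0.0.5', 1003)); // same account
var_dump($t->captchaRequired('bob', '10.0.0.5', 1003));   // other account, same address
```

In a login handler, call `captchaRequired()` before checking the password, and verify the CAPTCHA answer on the server whenever it returns true.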