OT: website login protection scheme


Darrell Lee

Dec 9, 2021, 3:34:09 PM12/9/21
to Upstate Carolina Linux Users Group
Is there anyone on this email list that has used the honeypot method to protect a login page for a website? I am presently using Google's reCAPTCHA and it is a pain in the .... for the users, especially on a mobile phone.

Thanks,

--
Darrell Lee
Advanced Data Systems, Inc.
113 Robertson Rd
Taylors, SC 29687
864-230-9626 | dl...@adsi-sc.com

George Law

Dec 9, 2021, 3:44:18 PM12/9/21
to uc...@googlegroups.com
I think reCAPTCHA v2 requires you to select the matching items, whereas v3 is less of a hassle.

I've got some of my WordPress login forms set up with the "Advanced noCaptcha & invisible captcha Settings" plugin. It gives me the option of the usual v2 image selection "I am not a robot", v2 invisible and then v3 -- I really haven't changed this much recently. I just logged in to check and it looks like it's set to the first option.

Ugh, I just changed it to v2 invisible and now I can't log in LOL :)



--
You received this message because you are subscribed to the Google Groups "Upstate Carolina Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uclug+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/uclug/50535f06614cb87d024675d42c50d2b3%40adsi-sc.com.

Fred Laxton

Dec 9, 2021, 4:00:05 PM12/9/21
to uc...@googlegroups.com
Yes, I usually use both.

The Captcha is also different for different versions - the version you select needs to match what the website software uses ;-)

When I create a Captcha for a website, I always record the private and public keys, and the Captcha version used.

Fred


Darrell Lee

Dec 9, 2021, 4:15:19 PM12/9/21
to uc...@googlegroups.com
I am using the v2 version, so how is v3 easier on the user?

---
Darrell Lee
Advanced Data Systems, Inc.
113 Robertson Rd
Taylors, SC 29687
864-230-9626 | dl...@adsi-sc.com


Fred Laxton

Dec 9, 2021, 4:37:01 PM12/9/21
to uc...@googlegroups.com
I’m not sure. But the software I’m currently using only supports v2 so that’s what I use.

> On Dec 9, 2021, at 4:15 PM, 'Darrell Lee' via Upstate Carolina Linux Users Group <uc...@googlegroups.com> wrote:
>
> I am using v2 version, so how is v3 easier on the user?

George Law

Dec 9, 2021, 4:46:03 PM12/9/21
to uc...@googlegroups.com
v2 seems to have 2 options: the "I am not a robot" with the image selection, and then an "invisible" option where it just inserts a Google image "protected by reCAPTCHA" down in the bottom corner.

I believe v3 is the same as "v2 invisible".

I think the invisible option has got some detection in it to determine if it's a valid user vs. a bot - so it's possible an older browser or something could still set off the image selection.

I need to update my websites and may be able to provide more info later on, but it's going to be a while :)

That link I provided seems to give a good how-to for implementing v3 with PHP.



lyrics.sa...@mailer.me

Dec 9, 2021, 4:46:07 PM12/9/21
to uc...@googlegroups.com
I'm not clear on your goal. You mention a login screen. Is this for security (preventing username/password enumeration, brute forcing) or is this for some sort of sign-up form where you want to prevent spam bots?

If the former, then it depends on your toolset, but you might be able to integrate with the system's fail2ban facility. For example, here is an article for doing that in Rails (https://jkraemer.net/2015/09/fail2ban-with-devise-based-rails-apps). Obviously apply the same concept with whatever framework you are using.

Another option for login is to go with a commercial provider that will implement abuse prevention for you. For example, something like Auth0 (https://auth0.com/). Not only does this give you abuse prevention but it also gives you all sorts of nice features such as social logins, OAuth-based login, etc. Assuming you have less than 7K users it doesn't even cost anything (if you have more, the cost is minor for what you get).

OTOH, if you are trying to prevent spam bots you don't need anything complicated. Just something that is unique enough to fool the bots. Some examples:
  • Include a field made not visible by CSS. Call it something like "username" even though you don't use that name yourself when processing the form. Real users will not fill it in because they cannot see it. Bots will generally try to fill everything in to pass validation. If the submission includes a value then reject the login.
  • Use JavaScript to calculate some value. Maybe a hash of the login email or something. Have that calculated value submitted in a hidden field. Verify the hidden field is populated with the right value server-side. If not, reject the login. This relies on the fact that most spam bots don't have a JavaScript engine enabled.
Both of these example protections can obviously be bypassed by anyone looking close enough, but that's ok. Spam bots are just spidering sites and using certain heuristics to do their work. As long as your protection can throw a monkey-wrench into their heuristics it can be fairly effective, as the bots are not taking the time to understand your site. They just move on to the next site.

Eric

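The two spam-bot checks Eric describes, implemented server-side as an added example (not code from the thread); the field names, the choice of SHA-256 of the normalised e-mail as the browser-computed value, and the sample submissions are assumptions.

```python
import hashlib
import hmac

# Field names are assumptions for this example; the post only says the honeypot
# should carry an enticing name like "username" while the real field uses another.
HONEYPOT_FIELD = "username"    # rendered invisible via CSS, must stay empty
EMAIL_FIELD = "login_email"    # the field real users actually fill in
TOKEN_FIELD = "form_token"     # hidden field populated by client-side JavaScript


def expected_token(email: str) -> str:
    """Value the page's JavaScript is expected to compute and submit:
    SHA-256 of the normalised login e-mail, hex-encoded (a constructed scheme;
    the post only says "a hash of the login email or something")."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def check_form(fields: dict) -> tuple:
    """Return (ok, reason). Both heuristics must pass before the real login
    (password check, lockout/rate limiting) is even attempted."""
    # 1. Honeypot: any value in the invisible field means a form-filling bot.
    if fields.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    email = fields.get(EMAIL_FIELD, "")
    token = fields.get(TOKEN_FIELD, "")
    # 2. Computed field: absent means no JavaScript engine ran on the client.
    if not email or not token:
        return False, "computed field missing"
    # Constant-time comparison; compared as bytes so a non-ASCII token cannot raise.
    if not hmac.compare_digest(token.encode("utf-8"),
                               expected_token(email).encode("utf-8")):
        return False, "computed field mismatch"
    return True, "ok"


# Constructed sample submissions: one real user and two typical bot patterns.
HUMAN = {EMAIL_FIELD: "alice@example.com",
         TOKEN_FIELD: expected_token("alice@example.com")}
BOT_FILLS_EVERYTHING = dict(HUMAN, **{HONEYPOT_FIELD: "alice"})
BOT_NO_JS = {EMAIL_FIELD: "alice@example.com"}

if __name__ == "__main__":
    for name, form in [("human", HUMAN), ("bot fills everything", BOT_FILLS_EVERYTHING),
                       ("bot without JavaScript", BOT_NO_JS)]:
        print(f"{name}: {check_form(form)}")
```

These checks only filter unsophisticated form fillers, which is all the post claims for them; they are not a substitute for lockout or rate limiting on the password check itself.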

Darrell Lee

Dec 9, 2021, 11:38:06 PM12/9/21
to uc...@googlegroups.com
I am trying to prevent username/password enumeration, brute forcing. Do you have any experience with using Auth0?

---
Darrell Lee
Advanced Data Systems, Inc.
113 Robertson Rd
Taylors, SC 29687
864-230-9626 | dl...@adsi-sc.com

On 2021-12-09 04:46 PM, lyrics.sandfish335 via Upstate Carolina Linux
Users Group wrote:
> I'm not clear your goal. You mention login screen. Is this for
> security (prevent username/password enumeration, brute forcing) or is
> this for some sort of sign-up form and you want to prevent spam bots?
>
> If the former then it depends on your toolset but you might be able to
> integrate with the system's fail2ban facility. For example here is an
> article [1] for doing that in Rails. Obviously apply the same concept
> with whatever framework you are using.
>
> Another option for login is to go with a commercial provider that will
> implement abuse prevention for you. For example something like Auth0
> [2]. Not only does this give you abuse prevention but it also gives
> you all sorts of nice features such as social logins, OAuth-based
> login, etc. Assuming you have less than 7K users it doesn't even cost
> anything (if you have more the cost is minor for what you get).
>
> OTOH, if you are trying to prevent spam bots you don't need anything
> complicated. Just something that is unique enough to fool the bots.
> Some examples:
>
> * Include a field made not visible by CSS. Call it something like
> "username" even though you don't use that name yourself when
> processing the form. Real users will not fill it in because they
> cannot see it. Bots will generally try to fill everything in to pass
> validation. If the submission includes a value then reject the login.
>
> * Use JavaScript to calculate some value. Maybe a hash of the login
> Links:
> ------
> [1] https://jkraemer.net/2015/09/fail2ban-with-devise-based-rails-apps
> [2] https://auth0.com/

lyrics.sa...@mailer.me

Dec 10, 2021, 10:19:08 AM12/10/21
to uc...@googlegroups.com
Yes, the application I work on with my job uses Auth0.

We primarily chose it because of the support for enterprise identity integrations (i.e. Active Directory). Our customers don't want yet another system to maintain for their employees. They want to do it via Active Directory so they have a single place to say who is an active user, what permissions they have, etc. Auth0 allowed us to support that easily without getting bogged down in SAML minutia.

We ourselves use GSuite and therefore use the social logins for the same reason (manage users in one place) with the same application. Auth0 allows this flexibility of customizing the authentication process to the organization using the app.

In the end, authentication systems don't deliver value. No customer ever bought a product/service because it had a great login system. At best a good authentication system just reduces pain (reduces administration, reduces exposure to risk). By using a 3rd party system it allows us to focus on creating things of value instead of yet another login system.

This isn't to say outsourcing this part of your application has no drawbacks. In the 4 years I have been working for this company, Auth0 has had outages twice. This means our customers could not log in to our application, not because our application was down but because Auth0 was down. But who is to say if we had "rolled our own" we wouldn't have screwed up SAML minutia at least twice ourselves?

The outages were not long, but it has us considering a backup authentication that we can enable in that scenario. We have the users' email addresses (for notifications), so we are thinking about a token-based authentication that is only enabled in these situations. The user enters their email. If valid, the system will send them a single-use, time-limited authentication token via email (similar to how Medium does login all the time). Not an ideal workflow for our customers, but good enough if Auth0 is down for a short time period.

Eric

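The single-use, time-limited e-mail token fallback Eric sketches, as an added example rather than his company's code; the 15-minute lifetime, the in-memory store and the injectable clock are assumptions, and a real deployment would also need to send the mail and rate-limit token requests per address.

```python
import hashlib
import secrets
import time

TOKEN_LIFETIME = 15 * 60  # seconds; an assumed value, the post gives none


class EmailTokenStore:
    """Issues and redeems login tokens sent by e-mail. Only the SHA-256 of each
    token is stored, so a leaked database or log line cannot be replayed."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested deterministically
        self._records = {}        # sha256(token) -> {"email", "expires", "used"}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email`; the returned string is what goes in the mail link."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = {
            "email": email,
            "expires": self._clock() + TOKEN_LIFETIME,
            "used": False,
        }
        return token

    def redeem(self, token: str):
        """Return the e-mail address if the token is valid, otherwise None.
        Unknown, expired and already-used tokens all look the same to the caller,
        so the response does not reveal which tokens ever existed."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec["used"] or self._clock() > rec["expires"]:
            return None
        rec["used"] = True        # single-use: mark it consumed before answering
        return rec["email"]


if __name__ == "__main__":
    store = EmailTokenStore()
    link_token = store.issue("alice@example.com")   # constructed sample address
    print("first redeem :", store.redeem(link_token))
    print("second redeem:", store.redeem(link_token))  # None: already used
```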

Darrell Lee

Dec 10, 2021, 12:59:48 PM12/10/21
to uc...@googlegroups.com
Thank you, Eric. I will check out Auth0. And thanks to the other folks who replied.

Darrell Lee
Advanced Data Systems, Inc.