November 20th, 2012, 04:07 AM
Show After 3 Failed Attempts
Hi, I have noticed that Twitter and Facebook both have a good system in place on some of their forms.
For example, if a user fails to enter their correct details into the Sign In Form 3-4 times, a reCaptcha shows.
I also noticed that the reCaptcha shows on the Sign Up Form after it detects suspicious activity...
Can anyone think how they might have implemented this system, as I really don't want to display a reCaptcha form by default... I would rather only display it if there was suspicious activity.
(Please do not respond saying that captchas are a waste of time etc... I am simply only interested in finding out how Twitter and Facebook are implementing captchas when they detect something suspicious :-)
Thanks in advance for your help...
November 20th, 2012, 08:22 AM
A counter for failed login attempts is obviously easy to implement. But "suspicious activity" is a bit vague. You'll have to decide yourself what exactly you want to check. I don't think anybody here has access to the Twitter or Facebook source code.
November 20th, 2012, 09:38 AM
Hi, yes, this would be easy, but what about the sign up form... I was thinking of doing the following:
When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less)… if it has, fail the validation and display a captcha
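One way to put both ideas from this thread (the failed-login counter from the reply above and the per-IP sign-up check just described) behind a single "do we need a captcha?" decision. This is an added example, not code from the original posts or from Twitter or Facebook; the thresholds, the time windows, the in-memory store and the IP addresses in the demo are all assumptions chosen for illustration. It goes a little beyond the thread in one respect: the login counter is kept per username and per address, so a captcha appears whether one account is being hammered from many addresses or many accounts from one address.

```python
import time
from collections import defaultdict, deque

# All thresholds below are assumptions for this example, not values any real site uses.
FAILED_LOGIN_THRESHOLD = 3       # captcha from the 4th attempt for a name or an address
FAILED_LOGIN_WINDOW = 15 * 60    # failures older than 15 minutes no longer count
SIGNUP_WINDOW = 60               # "within the last minute"
SIGNUP_PER_IP_THRESHOLD = 1      # a second signup from one address inside the window -> captcha


class CaptchaGate:
    """Decides whether a form must show a captcha, based on recent activity.

    State is kept in memory (an assumption for the example); a real deployment
    would put it in a shared store such as Redis so every web node sees the
    same counters.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._user_failures = defaultdict(deque)   # username -> failure timestamps
        self._ip_failures = defaultdict(deque)     # ip -> failure timestamps
        self._signups = defaultdict(deque)         # ip -> signup timestamps

    def _recent(self, events, window):
        """Drop timestamps older than `window` seconds and return how many remain."""
        cutoff = self._clock() - window
        while events and events[0] < cutoff:
            events.popleft()
        return len(events)

    # --- sign-in form ----------------------------------------------------
    def record_login_failure(self, username, ip):
        now = self._clock()
        self._user_failures[username].append(now)
        self._ip_failures[ip].append(now)

    def record_login_success(self, username):
        # A correct password clears the per-user count. The per-address count
        # is left to age out, so an attacker cannot reset it by logging in to
        # an account they control from the same address.
        self._user_failures.pop(username, None)

    def login_needs_captcha(self, username, ip):
        by_user = self._recent(self._user_failures[username], FAILED_LOGIN_WINDOW)
        by_ip = self._recent(self._ip_failures[ip], FAILED_LOGIN_WINDOW)
        return max(by_user, by_ip) >= FAILED_LOGIN_THRESHOLD

    # --- sign-up form ----------------------------------------------------
    def record_signup(self, ip):
        """Call after an account has actually been created."""
        self._signups[ip].append(self._clock())

    def signup_needs_captcha(self, ip):
        # Raise SIGNUP_PER_IP_THRESHOLD if many legitimate users share one
        # address (a school or office NAT) and keep tripping this check.
        return self._recent(self._signups[ip], SIGNUP_WINDOW) >= SIGNUP_PER_IP_THRESHOLD


def demo():
    """Constructed scenario: three wrong passwords, then the captcha appears."""
    now = [1000.0]
    gate = CaptchaGate(clock=lambda: now[0])   # fixed clock so the run is repeatable
    ip = "203.0.113.5"                          # constructed address from the documentation range
    shown = []
    for _ in range(4):
        shown.append(gate.login_needs_captcha("alice", ip))
        gate.record_login_failure("alice", ip)
    return shown                                # [False, False, False, True]


if __name__ == "__main__":
    print(demo())
```

In the form handler, call `login_needs_captcha` before rendering the sign-in page (to decide whether to include the widget) and again on submit (to decide whether a captcha answer must be verified), otherwise a bot can simply omit the field; the same applies to `signup_needs_captcha` on the registration form.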
November 20th, 2012, 07:01 PM
One thought, before you try to account for all sorts of "suspicious activity" you might just implement something simple like a captcha after the user has failed to authenticate 3 times. Start simple. Log the failed attempt data. If you start to see suspicious activity, THEN attempt to stop it specifically. I think you may find yourself wasting time prematurely trying to optimize the security of your form.
November 20th, 2012, 09:32 PM
I don't think the concept of premature optimization applies to security.
Most of these sites I think simply always show a captcha on the registration form.
November 20th, 2012, 10:09 PM
"if an account has been created from the same ip address within the last minute (or less)"
Maybe those were a poor choice of words. I guess when I read this I thought to myself, "Why get so complicated?" and "This could potentially block legitimate users who are behind a single router, say schools or companies". So I thought perhaps s/he is attempting to get too complicated before actually having any problems. Anyway ...
November 21st, 2012, 05:46 AM
Basically I want to be able to try to cut down on bots signing up... however I don't want to have to have a captcha visible on the form by default... so I would like some way to detect the suspicious activity... then show the captcha