#1
    Show After 3 Failed Attempts


    Hi, I have noticed that Twitter and Facebook both have a good system in place on some of their forms.

    For example, if a user fails to enter their correct details into the Sign In Form 3-4 times, a reCaptcha shows.

    I also noticed that the reCaptcha shows on the Sign Up Form after it detects suspicious activity...

    Can anyone think how they might have implemented this system, as I really don't want to display a reCaptcha form by default... I would rather only display it if there was suspicious activity.

    (please do not respond saying that captchas are a waste of time etc... I am simply only interested in finding out how Twitter and Facebook are implementing captchas when they detect something suspicious :-)

    Thanks in advance for your help...
  2. #2
    Hi,

    a counter for failed login attempts is obviously easy to implement. But "suspicious activity" is a bit vague. You'll have to decide yourself what exactly you want to check. I don't think anybody here has access to the Twitter or Facebook source code.
  4. #3
    Hi yes, this would be easy, but what about the sign up form... I was thinking of doing the following:

    When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less); if it has, fail the validation and display a captcha
  6. #4
    Originally Posted by oo7ml
    Hi yes, this would be easy, but what about the sign up form... I was thinking of doing the following:

    When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less); if it has, fail the validation and display a captcha
    One thought, before you try to account for all sorts of "suspicious activity" you might just implement something simple like a captcha after the user has failed to authenticate after 3 attempts. Start simple. Log the failed attempt data. If you start to see suspicious activity, THEN attempt to stop it specifically. I think you may find yourself wasting time prematurely trying to optimize the security of your form.
  8. #5
    prematurely trying to optimize the security
    I don't think the concept of premature optimization applies to security.

    Most of these sites I think simply always show a captcha on the registration form.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
    Originally Posted by E-Oreo
    I don't think the concept of premature optimization applies to security.

    Most of these sites I think simply always show a captcha on the registration form.
    "if an account has been created from the same ip address within the last minute (or less)"

    Maybe those were a poor choice of words. I guess when I read this I thought to myself, "why get so complicated?" And "This could potentially block legitimate users who are behind a single router, say schools or companies". So I thought perhaps s/he is attempting to get too complicated before actually having any problems. Anyway ...
  12. #7
    Basically I want to be able to try to cut down on bots signing up... however I don't want to have to have a captcha visible on the form by default... so I would like some way to detect the suspicious activity... then show the captcha
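
The two checks discussed in this thread (a CAPTCHA after 3 failed sign-ins, and a CAPTCHA on sign-up when the same IP created an account within the last minute), sketched as an added example that is not code from any poster and not how Twitter or Facebook do it. The class name `CaptchaGate`, the 15-minute failure window and the in-memory storage are assumptions; the trigger only adds a CAPTCHA and never rejects the request, so users behind a shared router can still get through.

```python
import time
from collections import defaultdict, deque

class CaptchaGate:
    """Server-side counters deciding when a form must show a CAPTCHA.
    State lives on the server, not in a cookie or session, because a bot
    can discard cookies between requests. All names here are hypothetical."""

    def __init__(self, max_failures=3, failure_window=900,
                 max_signups=1, signup_window=60, clock=time.time):
        self.max_failures = max_failures      # "3 failed attempts" from the thread
        self.failure_window = failure_window  # assumed: failures older than 15 min expire
        self.max_signups = max_signups        # one account per IP ...
        self.signup_window = signup_window    # ... "within the last minute"
        self.clock = clock                    # injectable so the logic can be tested
        self._failures = defaultdict(deque)   # ("user"|"ip", value) -> failure times
        self._signups = defaultdict(deque)    # ip -> account creation times

    def _recent(self, events, window):
        """Drop timestamps older than the window, return how many remain."""
        cutoff = self.clock() - window
        while events and events[0] <= cutoff:
            events.popleft()
        return len(events)

    @staticmethod
    def _keys(username, ip):
        # Count per account and per IP: one catches many clients guessing at a
        # single account, the other one client trying many accounts.
        return (("user", username.lower()), ("ip", ip))

    def record_login(self, username, ip, success):
        user_key, ip_key = self._keys(username, ip)
        if success:
            # A good login clears the account counter; the IP counter only ages out.
            self._failures.pop(user_key, None)
            return
        now = self.clock()
        self._failures[user_key].append(now)
        self._failures[ip_key].append(now)

    def login_needs_captcha(self, username, ip):
        return any(
            self._recent(self._failures.get(key, deque()), self.failure_window)
            >= self.max_failures
            for key in self._keys(username, ip))

    def record_signup(self, ip):
        self._signups[ip].append(self.clock())

    def signup_needs_captcha(self, ip):
        recent = self._recent(self._signups.get(ip, deque()), self.signup_window)
        return recent >= self.max_signups
```

In a real deployment the two dictionaries would be a database table or cache shared by all web servers, and each recorded failure would also be written to a log so the thresholds can be tuned from observed traffic.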
