miniBB Support Forums / Official Addons and Solutions
CAPTCHA (Human Authorization)

Page 8 of 9

Author nobody
Partaker
#106 | Posted: 16 Apr 2013 19:57 
So well said, better than all I have read... thanks!

Author tom322
Active Member
#107 | Posted: 16 Apr 2013 23:31 
That makes me think - currently the addon has this option:

$symbAmount=6;

And then, in the script, it is like:

.. maxlength="{$symbAmount}"..

Maybe it's better that the maxlength value doesn't set the maximum value (or sets it to something bigger than $symbAmount), because spam robots may assume by default that they should check {$symbAmount} symbols. Why give them this important hint? ;)

Author Paul
Lead Developer 
#108 | Posted: 17 Apr 2013 12:13 
Well... hackers usually collect information about "breakable" sites and put it in some kind of database/scripting collection, which is later re-sold to the "end spammers". There, all the information about the breaking method/algorithm is kept. One of the accomplished ways to break Captchas is to read the image which is passed to the form and somehow decipher it. For each image type there needs to be a unique algorithm. I'm sure it's easy to build such an algorithm for the default miniBB Captcha options, as by default it has easy-to-guess fonts. The symbol count doesn't make much sense here. It may not even be taken into account when the Captcha is "deciphered". It's more for the user's comfort - I know from my own cases, when I've typed a "spare" letter at the time I was already done, so... for now I'll keep it.

The idea behind miniBB Captcha is that it is customizable. You can set fonts which can't be broken with the default algorithm. Also, there is a way to set up a unique secret phrase / symbol count each hour or even each minute. So it would be impossible to build a database of pre-defined values for such a secret phrase, as could be done in theory.

So, for now the two most important ways to stay safe are to provide an image which is hard to OCR, and to provide a set of references which can't be brute-forced, and miniBB Captcha at least tends to keep both. So far I just can't imagine a better way :)

Author SteveB
Partaker
#109 | Posted: 6 Sep 2013 21:50 
Hi Guys
Sorry for just adding on to the previous posts, but I cannot find how to start a new topic, so I hope I'm doing the right thing.
I just wish to ask... could someone please explain the significance of the Turing Password in the Captcha options (the $secretTuringPass variable)?
If I create a custom password as the readme file suggests... when am I likely to need to use it, and do I need to configure some other file to match the password?
I'm lost; I don't see the need for a "password" as such that you don't have to recall and use elsewhere.
Many thanks.
SteveB

Author Paul
Lead Developer 
#110 | Posted: 7 Sep 2013 03:40 
You *should* change this phrase; it should be unique to you - it's a security measure. Knowing the standard key phrase, it's easy to break the protection; there is actually no protection then.

I suppose 95% of users buying this module do not change the phrase and then claim that the module doesn't help...

SteveB:
do I need to configure some other file to match the password
No, just this one place.

To be even more customized & protected, you may
- change the characters amount (increase up to 6-7 chars)
- change fonts (try to install "florid" type of fonts)
- set the grid.

Author SteveB
Partaker
#111 | Posted: 7 Sep 2013 11:00 
Many thanks Paul for clarity and quick response.
I congratulate you on a great product and service!
Steve

Author Paul
Lead Developer 
#112 | Posted: 9 Sep 2013 12:29 
SteveB:
I congratulate you on a great product and service!
Thank you, but... please clarify: did it work for you in the end? Did the flood registrations stop somehow?

Author SteveB
Partaker
#113 | Posted: 10 Sep 2013 09:41 
Hi Paul
YES we have managed to stop the flood registrations.
Thanks again.

Author Paul
Lead Developer 
#114 | Posted: 30 Apr 2014 14:56 
Captcha improvement.

I suppose that in some cases spammers may "decode" the Captcha's back-reference codes (those coming to the image generator via the GET method) by just building a static database of those codes. If $secretTuringPass is not changed for a long time, in a week or so they could completely generate all possible variations of the 5-character or even shorter phrase and then use it to automate spam, even if the forum is protected by Captcha.

The basic workaround here is to use $secretTuringPass more often and set $symbAmount to a larger number. However, not every forum admin / module owner is up to this... Below I have provided instructions on how to boost the security of the Captcha module. Similar code was used for our customer's forum, and by now it appears to have been working for months.

The tricky side of it is that each new day the script will add a specific character to the end or the beginning of the secret phrase, so each day it will be new. Also, on odd dates the Captcha will consist of 6 chars, and on even dates it will consist of 7 chars.

This may be changed or improved on your end with customized values; the mandatory change is the $secretTuringPass value - the one we have here is just an example and should be changed to something trickier and unknown!

Let's go:

1. In addon_captcha_options.php, instead of just the plain value of $secretTuringPass, set this code:

// addon_captcha_options.php: derive a daily secret instead of a plain string
$chr1=chr(65+date('d'));   // character derived from the day of the month (1..31)
$chr2=chr(65+date('m'));   // character derived from the month (1..12)
if(date('d') % 2 == 0) $whereToPaste=0; else $whereToPaste=1;   // even day: prepend, odd day: append

$secretTuringPass='Yon2kqeTer90_sm';   // example only: replace with your own secret

if($whereToPaste==1) $secretTuringPass.=$chr1.$chr2; else $secretTuringPass=$chr1.$chr2.$secretTuringPass;
You may change if($whereToPaste==1) to if($whereToPaste==0) to make it less obvious; you could also swap d / m in the $chr1 and $chr2 definitions.

2. Instead of the plain value of $symbAmount, set this:

$symbAmount=((date('d') % 2 == 0)?6:7);   // even day of the month: 6 chars, odd day: 7 chars
You may change 6 and/or 7 to other values, or swap them.

3. Let's also not forget that the more characters have to appear, the wider the Captcha image should be, so set this with some reserve:

$t_imgW=230;   // image width, with room for the 7-character case
***

I've currently set up similar code here on the miniBB forum; let's see if it helps.

Feel free to report your issues on this.
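Added example, not code from the post above or from miniBB: a Python simulation of the attack described there (a spammer records the back-reference code served for every possible captcha text until the whole space is covered) and of why a rotating secret defeats it. The derivation in challenge_code is an assumed keyed hash, since the thread does not show how the addon builds the codes it passes to the image generator via GET; the alphabet "2345678", the length 5, the dates and the captcha text are constructed inputs. The rotation helper derives the daily suffix with an HMAC over the period number and maps it into letters and digits (PHP's hash_hmac() can do the same inside addon_captcha_options.php), which avoids one detail of the chr(65+date('d')) trick: for days 26 to 31 it yields '[', '\', ']', '^', '_' or '`', exactly the non-alphanumeric characters this thread later advises against. symb_amount mirrors the posted $symbAmount expression (even day 6, odd day 7).

```python
import hashlib
import hmac
import itertools
import string
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed inputs for the demonstration (assumptions, not miniBB values):
# a reduced digit alphabet and a short length keep the brute force tiny here,
# which is exactly why such a captcha is also cheap for a spammer to table.
SYMBOLS = "2345678"
SYMB_AMOUNT = 5
BASE_SECRET = "Yon2kqeTer90_sm"   # the post's placeholder; never deploy it

DAY1 = datetime(2014, 4, 30, tzinfo=timezone.utc)   # an even day of the month
DAY1_LATE = DAY1 + timedelta(hours=23)               # same day, 23 hours later
DAY2 = DAY1 + timedelta(days=1)                      # the next, odd, day


def challenge_code(secret: str, text: str) -> str:
    """Hypothetical back-reference code for a captcha text (server side).

    Stand-in for whatever code is passed to the image generator via GET; the
    thread does not show miniBB's real derivation, so a keyed hash is assumed.
    The only property that matters is that the code is a pure function of
    (secret, text): every text then has one fixed code while the secret lives.
    """
    mac = hmac.new(secret.encode(), text.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def rotating_secret(base_secret: str, when: datetime, period_hours: int = 24) -> str:
    """Derive a per-period secret: base secret plus an HMAC-derived suffix.

    The suffix changes every period_hours (counted from the Unix epoch in UTC,
    so the boundary does not depend on the server's date() timezone) and is
    mapped into alphanumerics, unlike chr(65+date('d')), which produces
    '[', '\\', ']', '^', '_' or '`' on the 26th to 31st of a month.
    """
    period = int(when.timestamp()) // (period_hours * 3600)
    tag = hmac.new(base_secret.encode(), str(period).encode(), hashlib.sha256).digest()
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(alphabet[b % len(alphabet)] for b in tag[:8])
    return base_secret + suffix


def symb_amount(when: datetime) -> int:
    """Mirror of the posted $symbAmount expression: even day 6, odd day 7."""
    return 6 if when.day % 2 == 0 else 7


def harvest_table(secret: str, symbols: str, length: int) -> Dict[str, str]:
    """Attacker side: record code -> text for every captcha the forum can serve.

    The attacker never needs the secret: each entry is a served code written
    down next to the text a human (or OCR) solved for it. Calling
    challenge_code here only simulates observing what the server served.
    With 7 symbols and length 5 that is 7**5 = 16807 observations; a full
    alphanumeric set at length 5 is 36**5, about 60 million, still finite.
    """
    table = {}
    for chars in itertools.product(symbols, repeat=length):
        text = "".join(chars)
        table[challenge_code(secret, text)] = text
    return table


def solve(table: Dict[str, str], code: str) -> Optional[str]:
    """Attacker side: turn an observed code straight into the captcha text."""
    return table.get(code)


def demo() -> Dict[str, bool]:
    """Run both scenarios; returns whether the attacker's table succeeded."""
    text = "82345"   # a constructed captcha text drawn from SYMBOLS

    # 1. Static secret: a table harvested once solves every captcha afterwards.
    static_table = harvest_table(BASE_SECRET, SYMBOLS, SYMB_AMOUNT)
    static_solved = solve(static_table, challenge_code(BASE_SECRET, text)) == text

    # 2. Rotating secret: the table harvested on day 1 still works on day 1 ...
    secret_day1 = rotating_secret(BASE_SECRET, DAY1)
    day1_table = harvest_table(secret_day1, SYMBOLS, SYMB_AMOUNT)
    same_day = solve(day1_table, challenge_code(secret_day1, text)) == text
    # ... but not on day 2, when the attacker has to start harvesting again.
    secret_day2 = rotating_secret(BASE_SECRET, DAY2)
    next_day = solve(day1_table, challenge_code(secret_day2, text)) == text

    return {"static_solved": static_solved,
            "rotated_same_day": same_day,
            "rotated_next_day": next_day}


if __name__ == "__main__":
    print(demo())
    print(symb_amount(DAY1), symb_amount(DAY2))
```

Running the block shows the same harvested table solving every static-secret challenge, working on the day it was built under rotation, and failing the next day. A shorter period shrinks the attacker's window further, but the size of the table is always symbols ** length, so trimming $t_symbols to a handful of digits buys readability at the cost of a much smaller space for the attacker to cover.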

Author Jaime
Partaker
#115 | Posted: 30 Apr 2014 16:46 
That's a good idea! I installed it immediately. Thank you Paul!

Author bjcolsn
Partaker
#116 | Posted: 22 May 2014 13:31 
Did it too... I'll let you know. We've been flooded by Chinese spam recently!

Author marsbar
Associated Member
#117 | Posted: 12 Jun 2014 02:33 
Hi, Paul and fellow miniBBers.

Firstly, I'd like to thank Paul for his continued effort and commitment to improving miniBB and its many add-ons.

Now, moving on to a few questions ...

Paul:
$secretTuringPass='Yon2kqeTer90_sm';
1) To set the $secretTuringPass value, can one include any symbol/special character besides numbers 0 to 9 and letters a to z/A to Z? I see Paul's example contains an underscore.

2) If I set the $secretTuringPass value to something complex and lengthy (e.g., 20+ characters), how often should I change it? What is Paul's recommendation?

3) What is the difference between $secretTuringPass and $t_symbols? Earlier, I inadvertently changed the latter when I'd meant to change the former. Thankfully, there was no harm done, as I was able to un-do the mistake.

With thanks and best wishes -
marsbar

Author Jaime
Partaker
#118 | Posted: 12 Jun 2014 12:57 
marsbar
With the variable $secretTuringPass, of course, you put in your personal password and do NOT take over Paul's cited example.

Example:
$secretTuringPass='I_Am-a-VERY_secret_password-with_Numbers0-9_and-characters_!!';

I have it defined once and have never changed.

$t_symbols ... these are the characters that are displayed later. Some characters can be confused, for example 1 and I, or g and 9. That's why I left these characters out of the variable.

Author Paul
Lead Developer 
#119 | Posted: 14 Jun 2014 16:51 
marsbar:
1) To set the $secretTuringPass value, can one include any symbol/special character besides numbers 0 to 9 and letters a to z/A to Z? I see Paul's example contains an underscore.
It's my common recommendation for anything :) if you just use alphanumerics, then you avoid more problems in the future.

marsbar:
2) If I set the $secretTuringPass value to something complex and lengthy (e.g., 20+ characters), how often should I change it? What is Paul's recommendation?
marsbar:
3) What is the difference between $secretTuringPass and $t_symbols? Earlier, I inadvertently changed the latter when I'd meant to change the former. Thankfully, there was no harm done, as I was able to un-do the mistake.
$t_symbols are displayed to the end user. You could limit this to numbers only or letters only, or some other special chars only. $secretTuringPass is the length and difficulty of the pass phrase. It could be long and difficult.

Jaime:
And Paul seems to be like here in the forum over
Hopefully I'm still in the building, and the forum is not over :)

Author marsbar
Associated Member
#120 | Posted: 15 Jun 2014 12:51 
Jaime:
With the variable $secretTuringPass, of course, you put your personal password and NOT take on the cited example of Paul.
Yes, thank you for the reminder, Jaime: I shall treat Paul's example as just that--an example. :)

Paul:
$t_symbols are displayed to the end user. You could limit this to number-only or letters-only. Or some other special chars only.
Thank you, Paul, for taking the time to respond.

So, if I understand correctly, to have purely numerical Captcha output, $t_symbols needs to be set to "2345678" (omitting 0, 1 and 9 to avoid confusion with the letters o, O, l, and g), correct? And $symbAmount sets the length of the output.

Paul:
$secretTuringPass is length and difficulty of the pass phrase. It could be long and difficult.
Sorry, I still do not quite follow this bit. :-(
I had imagined the Captcha codes end users see are permutations of $secretTuringPass that have undergone some kind of hashing process...! This is why the $secretTuringPass value needs to be as complicated and lengthy as possible - to achieve a higher number of permutations.
As I have clearly misunderstood the purpose of $secretTuringPass and the logic behind miniBB captcha add-on, I would be most grateful if Paul would put me on the right track and out of my misery.

With thanks -
marsbar
