Why the captchas to login?

Discuss technical problems and features here
mrwarper
Orange Belt
Posts: 106
Joined: Sat Jul 18, 2015 4:06 pm
Languages: A bunch, in various stages
Language Log: http://how-to-learn-any-language.com/fo ... ?TID=39905
x 149

Why the captchas to login?

Postby mrwarper » Mon May 02, 2022 3:05 pm

First of all, my congratulations go to rdearman or emk or both for setting up a captcha system that is not overly intrusive, requires stupid JS bells and whistles, or otherwise manages to keep me out, and that we can also get a chuckle out of : )

I read in some other technical thread why some system proxy thinks that I (read: everyone) exceed some number of login attempts, and so the captcha request is triggered, that's not the question. It is, does the signup subsystem (where captchas totally make sense) let in enough bots and the like that you still need to protect the forum from otherwise legitimate registered users, or am I missing something else?

IOW, why do we need to demonstrate that we are human *every time* after registration? Have real users' login data ever been leaked and used by robots?
0 x
MrWarper while HTLAL is offline.

Lianne
Green Belt
Posts: 457
Joined: Mon Jul 20, 2015 3:29 pm
Location: Canada
Languages: Speaks: English (N)
Actively studying: French (low int)
Dabbling in: Italian (beginner), ASL (beginner), Ojibwe (beginner), Swahili (beginner)
Wish list: Swedish, Esperanto, Klingon, Brazilian Portuguese
Has also dabbled in: German, Spanish, toki pona
Language Log: https://forum.language-learners.org/vie ... hp?t=12275
x 1298

Re: Why the captchas to login?

Postby Lianne » Mon May 02, 2022 3:29 pm

Have you ever forgotten your password and exceeded the number of guesses before? Because I have, and ever since I get the captcha every time. It sucks, particularly since it doesn't give it to me until I've already tried to log in so I actually have to log in twice every time. But I don't remember ever having that happen before, so I just assumed it was because of my past too many login attempts. Either that or this is a relatively recent change.
0 x
: 3 / 100 French SC (Books)
: 7 / 100 French SC (Films)
: 0 / 50 Italian Half SC (Books)
: 0 / 50 Italian Half SC (Films)

Pronouns: they/them

Iversen
Black Belt - 4th Dan
Posts: 4768
Joined: Sun Jul 19, 2015 7:36 pm
Location: Denmark
Languages: Monolingual travels in Danish, English, German, Dutch, Swedish, French, Portuguese, Spanish, Catalan, Italian, Romanian and (part time) Esperanto
Ahem, not yet: Norwegian, Afrikaans, Platt, Scots, Russian, Serbian, Bulgarian, Albanian, Greek, Latin, Irish, Indonesian and a few more...
Language Log: viewtopic.php?f=15&t=1027
x 14962

Re: Why the captchas to login?

Postby Iversen » Mon May 02, 2022 4:26 pm

I simply enter x and x on the first screen, and then I give the real information the second time (including captcha and remember-me)
4 x

Le Baron
Black Belt - 3rd Dan
Posts: 3510
Joined: Mon Jan 18, 2021 5:14 pm
Location: Koude kikkerland
Languages: English (N), fr, nl, de, eo, Sranantongo,
Maintaining: es, swahili.
Language Log: https://forum.language-learners.org/vie ... 15&t=18796
x 9384

Re: Why the captchas to login?

Postby Le Baron » Mon May 02, 2022 5:15 pm

mrwarper wrote: IOW, why do we need to demonstrate that we are human *every time* after registration? Have real users' login data ever been leaked and used by robots?

See this thread. Also the total nonexistence of spam around the forum indicates that the policy is beneficial and probably worth having.
5 x

Re: Why the captchas to login?

Postby mrwarper » Mon May 02, 2022 9:13 pm

Lianne wrote: Have you ever forgotten your password and exceeded the number of guesses before?

I may have, I had to recover my login data from some backup from 2018 IIRC, I wasn't really paying attention and it's not data I use anywhere else so I don't remember whether I made a few unsuccessful attempts to login prior to that.

Le Baron wrote:
mrwarper wrote: IOW, why do we need to demonstrate that we are human *every time* after registration? Have real users' login data ever been leaked and used by robots?

See this thread. Also the total nonexistence of spam around the forum indicates that the policy is beneficial and probably worth having.

That's where I read about the reverse proxy. I went very quickly through it again, and I could not locate any specific reason for the captchas -- if I missed it, a direct link will be welcome.

Just in case, I'll state clearly that I am not annoyed in the slightest by the captchas as currently implemented, I am just curious. I have formulated a couple of reasonable hypotheses why they could be necessary (login data of real users leaked, and/or robots still signing up successfully) -- it would be nice to know whether I am right or, if I am wrong, what the real reason is. If for whatever reason it must be kept secret I am OK with that too.

As for the 50x errors, it is just too easy to hog a forum server* without even being registered (i.e. with or without login captchas) -- it would be misguided to put them in place to stop that.

*As somebody else mentioned in the thread above, it is part of the standard set of problems you can expect when setting up a forum nowadays: overly aggressive search spiders, random DDOS attacks, and real attacks of many kinds from people who hold a grudge against the forum. Interestingly enough, in my experience the latter should be statistically the least of your concerns, and the easiest to deal with.
0 x
MrWarper while HTLAL is offline.

Re: Why the captchas to login?

Postby Le Baron » Mon May 02, 2022 9:18 pm

It practically eliminates bot sign-ups and spam. I've seen spam once on here and it vanished rapidly.
1 x

Re: Why the captchas to login?

Postby mrwarper » Tue May 03, 2022 9:28 am

The operative word being up. You don't want robots to register as forum members, because the only ones that need to do so would be those intended to post spam. So captchas are OK to prevent automated sign up -- if working correctly, they should let in humans only.

Once humans have signed up, they need to sign in every time they want to post (or their session expires, etc.) but being humans no captcha won't stop them ; ) The only reason I can think of why you may want captchas to keep preventing humans from signing in automatically is that you're still unsure whether they're spammers. But isn't that exactly the function of the "remember me" checkbox -- to let registered users sign in without a captcha?

So, either presenting the captchas to registered users every time doesn't make sense, or I am still missing something else.
0 x
MrWarper while HTLAL is offline.

Re: Why the captchas to login?

Postby Iversen » Tue May 03, 2022 9:48 am

I have to solve a captcha every time I log in. The 'remember me' option is not like the one from certain other programs where your ID and password are stored on the machine and then you don't have to write it next time. This 'remember me' just saves you from being logged out all the time during the session - and the only price seems to be that I see my title lines in black instead of blue. I don't even know if that problem has been solved because now I always do the 'remember me' thing.

PS: I have set my browser up to remove cookies and history when I log out so maybe things would work differently if my password actually was stored somewhere on the machine, but I don't like that thought.
1 x

Re: Why the captchas to login?

Postby mrwarper » Tue May 03, 2022 1:04 pm

Iversen wrote: I have set my browser up to remove cookies and history when I log out so maybe things would work differently if my password actually was stored somewhere on the machine, but I don't like that thought.

I would normally say "with good reason", but except for login (when you need to actually send your password), nowadays all subsequent session renewal and such, where some information needs to be sent back and forth between the server and you for validation --normally in the form of cookies-- should be done with a one-way transformation ("hash") of your password instead of it.

This means that if you don't store your password somewhere to automatically fill the login form, your password shouldn't be recoverable from cookies, etc. so you shouldn't need to be especially paranoid about that.

Naturally, I still am, so I had to assume what the "remember me" checkbox here actually does (and be wrong about it ; )
0 x
MrWarper while HTLAL is offline.

garyb
Black Belt - 1st Dan
Posts: 1572
Joined: Mon Jul 20, 2015 12:35 pm
Location: Scotland
Languages: Native: English
Advanced: Italian, French
Intermediate: Spanish
Beginner: German, Japanese
Language Log: viewtopic.php?f=15&t=1855
x 5992

Re: Why the captchas to login?

Postby garyb » Tue May 03, 2022 1:12 pm

The captcha requirement is reasonable and understandable. The awful usability around it here (first login attempt being ignored entirely and captcha only being shown afterwards, "Remember me" not being preserved, and the confusing message about maximum login attempts exceeded), not so much.

Edit: I know there are workarounds like entering x for the fields on the first attempt, but a bad user experience with workarounds is still a bad user experience.
Last edited by garyb on Fri May 06, 2022 10:03 am, edited 1 time in total.
4 x
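
The behaviour described in this thread (a proxy making the forum think that everyone has exceeded the login-attempt limit) can be reproduced with a small model. This is an added example, not the forum software's code: it assumes failed logins are counted per source IP, and the threshold, addresses and all names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MAX_ATTEMPTS = 3                 # assumed threshold before a captcha is demanded
TRUSTED_PROXIES = {"10.0.0.5"}   # constructed address of the reverse proxy

def client_ip(peer_ip, headers, trust_proxy):
    """Return the address a failed login should be charged against."""
    if trust_proxy and peer_ip in TRUSTED_PROXIES:
        # Use the right-most X-Forwarded-For entry: the one our own proxy
        # appended. Entries further left come from the client and can be forged.
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
        hops = [h for h in hops if h]
        if hops:
            try:
                return str(ipaddress.ip_address(hops[-1]))
            except ValueError:
                pass             # malformed header: fall back to the socket peer
    return peer_ip

class LoginGate:
    """Per-address failed-login counter that decides when to show a captcha."""
    def __init__(self, trust_proxy):
        self.trust_proxy = trust_proxy
        self.failures = defaultdict(int)

    def record_failure(self, peer_ip, headers):
        self.failures[client_ip(peer_ip, headers, self.trust_proxy)] += 1

    def needs_captcha(self, peer_ip, headers):
        key = client_ip(peer_ip, headers, self.trust_proxy)
        return self.failures[key] >= MAX_ATTEMPTS

def simulate(trust_proxy):
    """One client fails MAX_ATTEMPTS logins; then a different user arrives.
    Returns (captcha for the failing client, captcha for the other user)."""
    gate = LoginGate(trust_proxy)
    proxy = "10.0.0.5"           # every request reaches the forum from the proxy
    noisy = {"X-Forwarded-For": "203.0.113.7"}    # constructed client address
    other = {"X-Forwarded-For": "198.51.100.20"}  # constructed client address
    for _ in range(MAX_ATTEMPTS):
        gate.record_failure(proxy, noisy)
    return gate.needs_captcha(proxy, noisy), gate.needs_captcha(proxy, other)

if __name__ == "__main__":
    print("counting by socket peer:", simulate(trust_proxy=False))
    print("counting by forwarded IP:", simulate(trust_proxy=True))
```

With `trust_proxy=False` every visitor shares the proxy's counter, so one person's failed guesses put the captcha in front of all users; honouring the forwarded address only when the request comes from the known proxy restores per-client counting without letting direct clients forge the header.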

