ZDoom

[scroton]

So, wait, is the only captcha on this site the ssg one? Cause that's the only one I've ever seen. Is there a limit to the number of login attempts that can be made even with captchas or are there cooldowns?

Actually let me go check.

EDIT: So I just went and tried to login with a bad password like thirty times, and the only captcha I saw is the SSG one. There was no attempt cooldown or anything, I logged in just fine on the 31st attempt with the correct password and my correctly solving the SSG captcha.


If I'm interpreting this correctly and there isn't a cooldown sometime after the 30th attempt that I just didn't see, this means that while the captcha will stop random spam bots from trying to hawk Cialis and tell us how they made $300 a day from home, there is basically no site protection against brute forcing a password, and it's up to the user to have a password the maximum password length in order to delay any brute force attempts, and the only real surefire way to defend against any dedicated script kiddie is to change your max length password on a regular schedule. What is the max password length btw? The regular changing of passwords might not be needed if the length means something like a year of continuous attempts to crack.

Now, I know very little about net security, and my qualifications are basically that I have logged into a lot of websites, but wouldn't it make sense to at least introduce a cooldown after x failed attempts, if a captcha would be infeasible?

[Caligari87]

Something like that does help a lot against brute-forcing accounts. I think Apple does a progressively-increasing cooldown, so every time you miss it multiplies the amount you have to wait to try again. A more dynamic recaptcha would be better too, since this one is static and could probably be script-bypassed.

[Graf Zahl]

No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

[faslrn]

No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

[scroton]

No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.

I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.

[Graf Zahl]

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

[Accensus]

Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

A) There is no cooldown on failed login. No need for this feature.
B) You're right, there's gonna be a major abuse of it.

By the way, has anyone seen any trolls around lately? My ISP caught fire thanks to a thunderstorm; I was with no net for a day. (Oh the horror...)

[faslrn]

No wonder that the idiot was able to crack this many accounts.

I find it amazing that the forum software doesn't come equipped with some automatic lockdown after x failed attempts or some other means to block these people.
No wonder that there's so much hacking going on if security is merely an afterthought.

Yes. I was honestly shocked there wasn't one, and had actually assumed there was one in place the whole time I've been using the forums. I'm surprised this hasn't happened sooner.

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

Oh Jesus Christ. Once someone actually goes to the trouble of writing a bot for your site, I'd assume there's no real difference between having one or a hundred static questions.

I suppose you could force users to have longer passwords with different characters (if that's even possible through the site) but that may not be much help if people replace "password" with "Password12345!" The captcha and timers have the advantage of protecting the passwords of dumb users, too.

I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease-of simply having the bot find the Captcha box, enter in text, submit.

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

I wish there was a way to do either/or I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, no ones guess.

[scroton]

b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

I hadn't even considered that, but that would basically be the first thing they'd do.

I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease-of simply having the bot find the Captcha box, enter in text, submit.

I wish there was a way to do either/or I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, no ones guess.

If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.

I was going to bring up the idea of using email as a way around lockdowns (but it sounds it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:

Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.

So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.

[faslrn]

b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

I hadn't even considered that, but that would basically be the first thing they'd do.

I believe that is possible from what I've read. I had a thought though, I know there are plugins/mods for having a drag/drop mouse styled Captcha. If something like that could be implemented, it might deter some brute force attacks as it would limit the ease-of simply having the bot find the Captcha box, enter in text, submit.

I wish there was a way to do either/or I don't even see someone suggesting any of that on the phpbb forums. We could log a feature request for something like a lockout after so many attempts but when that would be authorized and implemented, or even considered at all, no ones guess.

If Google's captcha could be implemented, that would probably be the best that could get done and seems the most likely to be supported.

I was going to bring up the idea of using email as a way around lockdowns (but it sounds it's a matter of what items are available already, rather than what can be implemented) when I remembered I hadn't updated my email in a while. When I did so I was greeted by this:

Your account has been updated. However, this board requires account reactivation on e-mail changes. An activation key has been sent to the new e-mail address you provided. Please check your e-mail for further information.

So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.

Looks like there is reCaptcha 2.0 for phpbb:

https://github.com/vinny/recaptcha-2-phpbbmod

[Graf Zahl]

So basically, it doesn't ask the old email for verification, but the new one. Once an account is compromised, the attacker can change the email to whatever they want and the user cannot recover it without moderator help. Doesn't matter how secure the email is, if it has two-factor identification, etc. It adds no security to the account.

AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.

Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.

[scroton]

AFAIK the notification is sent to both mail addresses.
Nevertheless, I think the only really safe method would be to use a different login name than the outward facing nick.

Thinking about other sites where they allow the mail address as user name gives me the creeps, though. It makes it far too easy for an attacker to check if a certain person has an account on that site. And of course most mail services do not allow generation of aliases so that most users are forced to use their main mail address for everything. Sometimes I wonder why nobody has tried yet to hack into any of my accounts.

I just checked, and it does not notify the old email. If my account had been compromised I wouldn't have any indication until I checked the forums, and I couldn't recover the account via my email either.

The separating login names from account names would be best; is that possible for phpbb? And if so can you have it take effect for existing accounts?

While having emails as login information isn't great, at least with some there's the possibility for two-factor authentication. EDIT: Wait a minute, that wouldn't matter in this context. My am dumb.

Looks like there is reCaptcha 2.0 for phpbb:

https://github.com/vinny/recaptcha-2-phpbbmod

Hooray! Randi plz add asap.

[osjclatchford]

They've been trying mine Again... so sick of this...

[enderkevin13]

I think they're trying to raid my account now, got the captcha thing. >_>
If you do happen to see posts that seem off on my account, let me know.

I don't wanna be a victim of a false ban because of these assholes.

[4thcharacter]

I got ruled out as a spambot thanks to my dynamic IP assigning me to a notorious address. For a second there I thought my account was done for and I've gotten a problem that I really need to fix too.


Also, the hackers are probably targeting active accounts now considering the old inactive accounts are now unusable to them. It's seems futile and if this keeps up for months that's just desperation.