Username and Password are not enough



  • Obviously just entering a username and password isn't secure enough.

    Without a captcha somebody could run a bot that automatically logs in and reads the latest system status.




  • @El_Heffe said:

    a bot that automatically logs in and reads the latest system status.

    Why would that even require a person to log in? Is the system status that secret?


  • Discourse touched me in a no-no place

    We have that bollocks on our 3rd-party service that provides our (now paperless) payslips. See how quickly you can see any other WTFs...:




  • Ringcentral has that WTF, too. Where did they learn that antipattern?



  • A financial institution with a shitty online interface? Color me surprised!



  • "Uh oh! People are bruteforcing our site by having their bots log in with the same username and dozens of different passwords! We need to stop them!" "Oh I know, we can screen out all the bots by putting a CAPTCHA on the login page!" instead of, y'know, rate-limiting by IP or username.
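An added example, not code from this thread, of what the "rate-limiting by IP or username" alternative looks like server-side: a sliding window over failed login attempts keyed by both the client IP and the target account. Class name, thresholds and sample addresses are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter on failed logins, keyed by IP and by username.
    (Hypothetical design; thresholds are illustrative.)"""

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _keys(self, ip, username):
        return (f"ip:{ip}", f"user:{username.lower()}")

    def _prune(self, key, now):
        # Drop failures older than the window; return the live queue.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, ip, username, now=None):
        now = time.monotonic() if now is None else now
        # Block if EITHER the IP or the account has exhausted its budget:
        # one IP spraying many accounts and many IPs hitting one account
        # are both caught.
        return any(len(self._prune(k, now)) >= self.max_attempts
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username, now=None):
        now = time.monotonic() if now is None else now
        for k in self._keys(ip, username):
            self._prune(k, now).append(now)

    def record_success(self, ip, username):
        # A correct login clears the account counter; the per-IP history
        # is kept so a noisy source stays throttled.
        self._failures.pop(f"user:{username.lower()}", None)


def simulate():
    """Constructed scenario: one IP fails 5 times against 'alice'."""
    rl = LoginRateLimiter(max_attempts=5, window_seconds=300)
    t = 1000.0
    for i in range(5):
        rl.record_failure("203.0.113.10", "alice", now=t + i)
    return (rl.is_blocked("203.0.113.10", "alice", now=t + 6),   # same IP+user
            rl.is_blocked("198.51.100.7", "alice", now=t + 6),   # new IP, same user
            rl.is_blocked("203.0.113.10", "bob", now=t + 6),     # same IP, new user
            rl.is_blocked("203.0.113.10", "alice", now=t + 400)) # window expired
```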



  • @Ben L. said:

    @El_Heffe said:
    a bot that automatically logs in and reads the latest system status.
    Why would that even require a person to log in? Is the system status that secret?
    If you log in you can also change your password and cancel your account. Neither of which are made any more secure with a captcha.



  • @El_Heffe said:

    @Ben L. said:

    @El_Heffe said:
    a bot that automatically logs in and reads the latest system status.

    Why would that even require a person to log in? Is the system status that secret?
    If you log in you can also change your password and cancel your account. Neither of which are made any more secure with a captcha.

    Surely if no account was required to see the system status, they wouldn't have this problem.



  • There are sites that want to prevent the automated login, even by authorized users. Time based implementations do not address this, only something that is difficult for a machine to do, but reasonable for a human to do meets the criteria.



  • @TheCPUWizard said:

    There are sites that want to prevent the automated login, even by authorized users.

    TRWTF



  • @Ben L. said:

    @TheCPUWizard said:
    There are sites that want to prevent the automated login, even by authorized users.
    TRWTF

    Why? Say I have a web site that asks a human to sign in and provide some information, I will pay them $$$ for each time they sign in and provide the information. I want to ensure that the information comes from a human (or at least maximize the chance) and not from some "enterprising" (pun intended) person who has automated the system so they can get paid for providing "canned" information....



  • @TheCPUWizard said:

    @Ben L. said:

    @TheCPUWizard said:
    There are sites that want to prevent the automated login, even by authorized users.

    TRWTF

    Why? Say I have a web site that asks a human to sign in and provide some information, I will pay them $$$ for each time they sign in and provide the information. I want to ensure that the information comes from a human (or at least maximize the chance) and not from some "enterprising" (pun intended) person who has automated the system so they can get paid for providing "canned" information....


    So your website pays people to log in? What?



  • @Ben L. said:

    So your website pays people to log in? What?

    I have implemented a few sites (since they were for clients, they are technically not "mine") where people do receive payment for their actions on the site. Determining they are "people" and not "bots" at point of login is the simplest solution (compared to doing it on the various areas that actually trigger a credit/payment to their account).

    Does this really surprise you?



  • @TheCPUWizard said:

    @Ben L. said:

    So your website pays people to log in? What?

    I have implemented a few sites (since they were for clients, they are technically not "mine") where people do receive payment for their actions on the site. Determining they are "people" and not "bots" at point of login is the simplest solution (compared to doing it on the various areas that actually trigger a credit/payment to their account).

    Does this really surprise you?

    1. Pay someone minimum wage to solve captchas
    2. Make a bot that triggers thousands of payments per second
    3. Run a few hundred instances of the bot
    4. steal underpants
    5. ?
    6. profit


  • @Ben L. said:

    1. Pay someone minimum wage to solve captchas

    2. Make a bot that triggers thousands of payments per second
    3. Run a few hundred instances of the bot
    4. steal underpants
    5. ?
    6. profit

    1) Actually this can be a problem.
    2) Only one payment for login.
    3) N/A (see #2)
    4) TMI
    5) YUP!
    6) I do!



  • @TheCPUWizard said:

    TMI

    Cartman would disagree



  • @Ben L. said:

    1. Pay someone minimum wage to solve captchas
    2. Make a bot that triggers thousands of payments per second
    3. Run a few hundred instances of the bot
    4. steal underpants
    5. ?
    6. profit

    This is why we can't have nice things.

    Including underpants.

