Double passwords instead of captchas

Discussion in 'Programming' started by relixx, Feb 16, 2006.

  1. #1
    I'm not sure where to put this, my apologies if it's in the wrong forum :)

    I was thinking about captchas (the auto-generated verification picture that you see on login/signup pages) on the way to work this morning, and about how easy they are to crack nowadays (esp. by simply hiring sweatshops to manually type them in) and I was thinking, if it's for a login page, instead of having a captcha field, why not just ask for a second password?

    Eg, you have a login page, and it has two password fields. So, if they type either in incorrectly, only a generic error message gets returned, meaning that it'd be far, far more difficult (and time-consuming) to hack in, as you wouldn't know if either password was correct.

    What do you guys think of this method? Do you know if something like this has been implemented? I suppose having to type in a digicode (a feature my bank's website offers) is something along the same idea...
     
    relixx, Feb 16, 2006
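
The two-field login with a single generic error described in post #1, as an added example that is not part of the original thread. The user store, account, function names and the choice of PBKDF2 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid login details."  # same text for every failure
ITERATIONS = 100_000  # constructed value for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(pw1: str, pw2: str) -> dict:
    """Store a salted hash per password; plaintext is never kept."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return {"s1": s1, "h1": _hash(pw1, s1), "s2": s2, "h2": _hash(pw2, s2)}


# Hypothetical in-memory user store with one constructed account.
USERS = {"alice": make_record("correct horse", "battery staple")}
# Dummy record so unknown usernames cost the same work as known ones.
_DUMMY = make_record("dummy-one", "dummy-two")


def login(username: str, pw1: str, pw2: str):
    """Return (success, message); every failure gets the same message."""
    rec = USERS.get(username, _DUMMY)
    # Evaluate both checks unconditionally (no early return), so neither the
    # response text nor the amount of work shows which field was wrong.
    ok1 = hmac.compare_digest(_hash(pw1, rec["s1"]), rec["h1"])
    ok2 = hmac.compare_digest(_hash(pw2, rec["s2"]), rec["h2"])
    if username in USERS and ok1 and ok2:
        return True, "Welcome."
    return False, GENERIC_ERROR
```
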
  2. mad4

    #2
    The way I see it captcha is designed to prevent automated sign ups so if you sign up and set the two passwords then a script could still do the same.

    If you sign up and an email is sent with the second password then this could work.

    Anything that needs email verification adds an extra step that hackers won't bother with.
     
    mad4, Feb 17, 2006
  3. relixx

    #3
    True, but I was thinking more along the lines of after they've registered and want to log in again. I've seen login pages with captchas before, but like I said they can be bypassed.
     
    relixx, Feb 17, 2006
  4. vectorgraphx

    #4
    I've found captchas to be EXTREMELY effective on some sites I run them on - before the captcha I was getting lots of message-spam sort of user sign-ups, which almost completely dried up as soon as I put the captcha on.
     
    vectorgraphx, Feb 17, 2006
  5. clancey

    #5
    IMHO, once someone has registered, adding captchas and double passwords to the login process creates unwarranted and unnecessary complexity.

    Who among us has a website which contains material of such sensitivity that we need that much security?

    If spam is the issue -- then we need to insert anti-spam routines at appropriate places in websites.

    If hackers are the problem, enforce a strong password policy. At a minimum, passwords would contain letters and numbers. Next best is not allowing all the numbers to be all together. Next best is to require non-numeric characters in the password and a minimum password length of eight characters. Next best is a strong password and strong user-name policy.
     
    clancey, Feb 17, 2006
  6. relixx

    #6
    I'm thinking of launching a site that my clients will be able to log into to manage their accounts, checking billing details, etc.

    I always find the "minimum of X characters" bit funny, because you're basically helping the hackers out by telling them how many characters to start with :p
     
    relixx, Feb 18, 2006