Securing The Sign Up Form

Discussion in 'PHP' started by oo7ml, Mar 15, 2013.

  1. #1
Hi, I am trying to think of ways of securing, or at least "trying" to put some extra security measures in place on, my website's sign-up form.

    I understand that captchas can be broken very easily and, more importantly, they could actually stop a potential user from signing up to my site.

    Points To Note:
    - I have strong JS and PHP validation in place on the sign-up form
    - users' accounts stay in 'pending' status until they click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
    - a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours

    I cannot really think of any other security measures that I could put in place without really annoying the users, and I understand that spam / bots are just part of everyday life on the internet...

    However, I would like to try and detect when suspicious activity occurs on my sign-up form... so I was thinking of implementing the following:

    When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display a captcha.

    I understand that a whole college or building might be running off the same IP address, but the worst that can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign-up and not for any other function on the site.

    I am interested to hear whether anyone has any better idea (which I am sure loads will have) or what you think of my idea, thanks in advance for your help...
     
    oo7ml, Mar 15, 2013 IP
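A concrete version of the check described in this post, written here as an added example (not the poster's code). It assumes a `signups` table with `ip` and `created_at` columns and uses an in-memory SQLite database through PDO so it runs on its own:

```php
<?php
// Added example: decide whether a sign-up needs a captcha because the same IP
// already created an account within the last 7 seconds (the rule from the post).
// Assumptions: a `signups` table with columns ip and created_at (Unix time);
// an in-memory SQLite database via PDO is used so the script runs stand-alone.

const SIGNUP_WINDOW_SECONDS = 7;

function needsCaptcha(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM signups WHERE ip = :ip AND created_at > :since'
    );
    $stmt->execute([':ip' => $ip, ':since' => $now - SIGNUP_WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() > 0;
}

function recordSignup(PDO $db, string $ip, int $now): void
{
    $stmt = $db->prepare('INSERT INTO signups (ip, created_at) VALUES (:ip, :at)');
    $stmt->execute([':ip' => $ip, ':at' => $now]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signups (ip TEXT NOT NULL, created_at INTEGER NOT NULL)');
$db->exec('CREATE INDEX idx_signups_ip_time ON signups (ip, created_at)');

// Constructed scenario: one address signs up, then the form is submitted again
// 3 seconds later, again after 10 seconds, and once from a different address.
$now = time();
recordSignup($db, '203.0.113.5', $now);

foreach ([['203.0.113.5', 3], ['203.0.113.5', 10], ['198.51.100.9', 3]] as [$ip, $delay]) {
    $decision = needsCaptcha($db, $ip, $now + $delay) ? 'show captcha' : 'no captcha';
    echo "$ip after {$delay}s: $decision\n";
}
```

In the real handler the address comes from `$_SERVER['REMOTE_ADDR']` (or the header your trusted proxy sets), and `recordSignup` is called once the pending account is actually created.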
  2. traianturcu
    #2
I think your idea is 99% there. What I would add to that is to use Flash cookies - again, that's not 100% secure, but it would add some extra security.
    About Flash cookies: http://www.wired.com/business/2009/08/you-deleted-your-cookies-think-again/
     
    traianturcu, Mar 15, 2013 IP
  3. EricBruggema
    #3
If you want a really secure signup system, let the users validate themselves by activating their profile by clicking a link in an email. Most spambots don't validate.
     
    EricBruggema, Mar 16, 2013 IP
  4. deathshadow
    #4
"i have strong JS and PHP validation in place on the sign up form" -- what the *** does that even mean? Did you piss away accessibility by making it so people with JS unavailable (either through lesser UAs or intentionally blocked)?!? Remember, scripting should enhance, not supplant, functionality, and NOTHING you can do from JS (being a client-side tech) makes it any more or less secure (since it's completely and easily faked) than a flat, normal, old-fashioned form.

    I would save a random hash tied to the IP address and UA string when you send the form as a hidden input, verifying and invalidating that hash on submit so the form cannot be re-used endlessly without a new 'request'. (you'd be shocked how many bots that makes fall flat on their face)... probably with a captcha on that form too -- send the validation e-mail with it too using a unique and random hash, AGAIN tracking the IP and UA... and yes, if the same IP address tries to complete a join (ONLY when they complete, just in case they had a problem with the mail) I'd flag that as suspicious. In those cases I'd flag it for a manual review and tell them such.

    I WOULD use the captcha ALL the time on joins. Just be sure to use a good one that includes things like audio and non-scripted fallbacks.
     
    deathshadow, Mar 16, 2013 IP
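The single-use form hash tied to IP and UA string described in this post, as an added example (not deathshadow's code). The `$store` array stands in for `$_SESSION` or a database table, and the 15-minute lifetime is an assumption:

```php
<?php
// Added example: a single-use sign-up form token tied to the requesting IP and
// User-Agent. The $store array stands in for $_SESSION or a database table;
// the 15-minute lifetime is an assumption.
const TOKEN_TTL_SECONDS = 900;

function issueFormToken(array &$store, string $ip, string $ua, int $now): string
{
    $token = bin2hex(random_bytes(32));      // unpredictable, 64 hex characters
    $store[$token] = [
        'fingerprint' => hash('sha256', $ip . "\0" . $ua),
        'expires'     => $now + TOKEN_TTL_SECONDS,
    ];
    return $token;  // rendered as <input type="hidden" name="form_token" value="...">
}

function consumeFormToken(array &$store, string $token, string $ip, string $ua, int $now): bool
{
    if (!isset($store[$token])) {
        return false;                        // unknown, purged, or already used
    }
    $entry = $store[$token];
    unset($store[$token]);                   // single use: invalidate before any check
    if ($now > $entry['expires']) {
        return false;                        // form was requested too long ago
    }
    return hash_equals($entry['fingerprint'], hash('sha256', $ip . "\0" . $ua));
}

function verdict(bool $ok): string
{
    return $ok ? "accepted\n" : "rejected\n";
}

// Constructed walk-through: a normal submit, a replay of the same token, and a
// token issued to one address but submitted from another.
$store = [];
$now   = time();
$ip    = '203.0.113.5';
$ua    = 'Mozilla/5.0 (constructed UA string)';

$token = issueFormToken($store, $ip, $ua, $now);
echo 'first submit, same client: ', verdict(consumeFormToken($store, $token, $ip, $ua, $now + 30));
echo 'replay of the same token:  ', verdict(consumeFormToken($store, $token, $ip, $ua, $now + 31));
$token2 = issueFormToken($store, $ip, $ua, $now);
echo 'submitted from another IP: ', verdict(consumeFormToken($store, $token2, '198.51.100.9', $ua, $now + 30));
```

Because the token is deleted on first use, a submit that fails validation must be answered with a fresh form carrying a new token; the hash in the validation e-mail can be handled the same way, stored against the pending account.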
  5. EricBruggema
    #5
Great TIP deathshadow (the part about the session with IP check), but I would not recommend the use of captcha in any way... it's irritating and frustrating! :)
     
    EricBruggema, Mar 16, 2013 IP
  6. VideoWhisper.com
    #6
    There are 2 security aspects:

    1. Protect bulk spam accounts from registering

There are some spam bots that can validate emails and recognise 70-90% of captcha images, but most spammers just take advantage of unprotected sites.

    You should implement these to filter most spam but not something that can hassle users.
    Some captchas are hard to understand by real people.

    2. Protect existing accounts from being hacked

If you need advanced account password protection to avoid brute-force attacks, you could have some protection similar to cpHulk implemented (ban an IP that tries to log in multiple times with wrong credentials, and the whole account after many bad attempts). The user can confirm again by email to unlock.
     
    VideoWhisper.com, Mar 17, 2013 IP
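One way to implement the cpHulk-style lockout described in point 2, as an added example (not the poster's code or cpHulk's). The thresholds are illustrative, the arrays stand in for a database table, and PHP 7.4+ is assumed:

```php
<?php
// Added example: a cpHulk-style failed-login tracker as sketched above. Thresholds are
// illustrative, the arrays stand in for a database table, and PHP 7.4+ is assumed.
const IP_MAX_FAILURES      = 5;    // bad attempts from one IP within the window
const ACCOUNT_MAX_FAILURES = 10;   // bad attempts against one account, from any IP
const IP_BAN_SECONDS       = 900;  // sliding window for the IP ban
final class LoginGuard
{
    private array $ipFailures = [];      // ip => [timestamps of failures]
    private array $accountFailures = []; // username => failure count
    private array $lockedAccounts = [];  // username => true
    // Call before checking the password; returns 'ok', 'ip-banned' or 'account-locked'.
    public function checkAttempt(string $ip, string $user, int $now): string
    {
        if (isset($this->lockedAccounts[$user])) {
            return 'account-locked';     // only the e-mail confirmation clears this
        }
        $recent = array_values(array_filter(
            $this->ipFailures[$ip] ?? [],
            fn(int $t) => $t > $now - IP_BAN_SECONDS
        ));
        $this->ipFailures[$ip] = $recent;   // drop failures outside the window
        return count($recent) >= IP_MAX_FAILURES ? 'ip-banned' : 'ok';
    }
    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->ipFailures[$ip][] = $now;
        $this->accountFailures[$user] = ($this->accountFailures[$user] ?? 0) + 1;
        if ($this->accountFailures[$user] >= ACCOUNT_MAX_FAILURES) {
            $this->lockedAccounts[$user] = true;
        }
    }
    // Called from the e-mail confirmation link handler, and after a successful login.
    public function reset(string $user): void
    {
        unset($this->lockedAccounts[$user], $this->accountFailures[$user]);
    }
}
// Constructed scenario: five wrong passwords for alice from one address.
$guard = new LoginGuard();
$now = time();
for ($i = 0; $i < IP_MAX_FAILURES; $i++) {
    $guard->recordFailure('203.0.113.5', 'alice', $now + $i);
}
echo 'same IP, alice:  ', $guard->checkAttempt('203.0.113.5', 'alice', $now + 6), "\n";
echo 'same IP, bob:    ', $guard->checkAttempt('203.0.113.5', 'bob', $now + 6), "\n";
echo 'other IP, alice: ', $guard->checkAttempt('198.51.100.9', 'alice', $now + 6), "\n";
```

The IP ban stops further guesses from that source against any account, while the account lock only triggers after many failures from anywhere, so a single attacker cannot lock a victim out with a handful of attempts.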