My site uses a captcha of 6 digits; however, if the attacker tries all combinations, chances are he will successfully submit the form a fraction of the time (1/million in theory, much more in practice since the random number generator I use is not truly random).
Is there any way I can further prevent him from succeeding? One way is to prevent anyone from form submission for 5 minutes after a certain number of tries (e.g. 20). The problem is that if I store the number of tries in the session, and the attacker creates a session for every try (naturally, since he uses a program, not a browser), then it would not work. And I don't want to modify the existing db schema to accommodate this logic.
Another way is to increase the number of captcha characters used, which causes user inconvenience.
All advice is welcome.
views: 71
answers: 3
+2
A:
I would recommend adding letters. That will make brute force much harder than adding more digits.
EDIT: You can also slow down the answers after some incorrect attempts. Add, for example, a 5 min delay.
anthares
2010-02-16 18:42:27
Yes, that's one way; however, sometimes I found that o and 0 and one and L are hard to distinguish, which annoys users.
2010-02-16 18:43:50
@user121196: Don't emit these characters in that case.
KennyTM
2010-02-16 18:45:31
You can always exclude those letters which you think are harder.
anthares
2010-02-16 18:45:45
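The answer above (add letters, drop the glyphs that are easy to confuse) as a worked example. This is added code, not something posted in the thread: the ambiguous-character set, the alphabet, the function names and the use of Python's `secrets` module (a CSPRNG, which addresses the questioner's remark that his generator is not truly random) are all assumptions made here for illustration.

```python
import math
import secrets
import string

# Glyphs that users confuse at small sizes or in distorted fonts (assumed set):
# 0/O, 1/l/I, 5/S, 8/B, 2/Z. Only the digits and upper-case letters are kept,
# so the alphabet is the 36 alphanumerics minus the 10 ambiguous ones = 26.
AMBIGUOUS = set("0O1lI5S8B2Z")
CAPTCHA_ALPHABET = "".join(
    c for c in string.digits + string.ascii_uppercase if c not in AMBIGUOUS
)


def generate_captcha(length=6, alphabet=CAPTCHA_ALPHABET):
    """Draw a code from the OS CSPRNG rather than a seeded PRNG.

    secrets.choice() cannot be predicted from earlier outputs, which removes
    the 'much more in practice' part of the attacker's advantage."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length, alphabet_size):
    """Number of distinct codes an attacker has to search."""
    return alphabet_size ** length


def bits_of_entropy(length, alphabet_size):
    """Same quantity expressed in bits, for comparing alphabets."""
    return length * math.log2(alphabet_size)


def check_answer(expected, submitted):
    """Case-insensitive, constant-time comparison of the user's answer.

    Letters are shown in upper case, but typing them in lower case should
    still pass; the rejected ambiguous glyphs never appear in expected."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    return secrets.compare_digest(expected, submitted.strip().upper())


if __name__ == "__main__":
    code = generate_captcha()
    print("captcha:", code)
    print("6 digits only   :", keyspace(6, 10))
    print("6 chars, 26-wide:", keyspace(6, len(CAPTCHA_ALPHABET)))
    print("bits:", bits_of_entropy(6, 10), "->", bits_of_entropy(6, len(CAPTCHA_ALPHABET)))
```

With the ambiguous glyphs removed the alphabet is 26 symbols, so a 6-character code gives 26^6, about 309 million possibilities, versus one million for six digits: roughly 300 times more work for the attacker at the same code length, which is what the answer means by letters beating extra digits.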
+2
A:
Check the IP addresses of incoming connections. If the same IP address tries too many times, rate limit them harshly and if it continues for a long time, block them completely.
Of course it's not a perfect solution, but it will make it more difficult.
Mark Byers
2010-02-16 18:43:34
What about people who use the internet from one external IP address? Some internet providers have such issues.
anthares
2010-02-16 18:54:44
Is that honestly so hard? Adding a table to store attempts per IP address takes about five minutes.
ceejayoz
2010-02-16 19:31:13
@user121196: Not necessarily. You could do it in memory. You only need to persist it if you want the users who are rate limited or blocked to stay blocked after you reboot the server, but even if you don't do this, the chances are they will hit the same limit again rather quickly anyway.
Mark Byers
2010-02-16 19:32:56
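The per-IP scheme from this answer and its comments (rate limit harshly, then block outright if it continues, kept in memory rather than in a new table) as a worked example. This is added code, not code from the thread: the class and method names, the thresholds and the injectable clock are assumptions chosen for illustration, and the state is lost on restart exactly as the comment above accepts.

```python
import time
from collections import deque


class IpAttemptLimiter:
    """In-memory tracking of failed captcha attempts per source IP.

    Policy (all numbers are illustrative defaults):
      * more than max_failures failures inside `window` seconds -> the IP is
        throttled for one full window (the harsh rate limit);
      * if that happens block_after times, the IP is blocked for block_seconds.
    Only failures count, so legitimate users behind the same NAT who solve
    their captchas do not use up the budget, although a bot sharing their
    address still gets them throttled (the shared-IP concern raised above)."""

    def __init__(self, max_failures=20, window=300, block_after=5,
                 block_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.block_after = block_after
        self.block_seconds = block_seconds
        self.clock = clock            # injectable for testing
        self._failures = {}           # ip -> deque of failure timestamps
        self._throttle_count = {}     # ip -> how many windows were exhausted
        self._throttled_until = {}    # ip -> monotonic time
        self._blocked_until = {}      # ip -> monotonic time

    def is_allowed(self, ip):
        """Call before showing or verifying a captcha for this client."""
        now = self.clock()
        if self._blocked_until.get(ip, 0.0) > now:
            return False
        if self._throttled_until.get(ip, 0.0) > now:
            return False
        return True

    def record_failure(self, ip):
        """Call after a wrong captcha answer from this client."""
        now = self.clock()
        q = self._failures.setdefault(ip, deque())
        q.append(now)
        while q and q[0] < now - self.window:   # drop stale entries
            q.popleft()
        if len(q) < self.max_failures:
            return
        q.clear()
        n = self._throttle_count.get(ip, 0) + 1
        self._throttle_count[ip] = n
        if n >= self.block_after:
            self._blocked_until[ip] = now + self.block_seconds
        else:
            self._throttled_until[ip] = now + self.window

    def status(self, ip):
        """'ok', 'throttled' or 'blocked', for logging."""
        now = self.clock()
        if self._blocked_until.get(ip, 0.0) > now:
            return "blocked"
        if self._throttled_until.get(ip, 0.0) > now:
            return "throttled"
        return "ok"
```

In a real deployment the dictionaries would be swapped for a shared cache (so several web servers agree) and the client address taken from the connection, not from a forwarded header the client controls, unless the proxy in front is trusted to set it.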
+2
A:
regenerate a new number after each attempt, or after x attempts =D
Hassan Syed
2010-02-16 18:54:02
This is the simplest answer and is what all real captchas do: Do not allow more than one attempt on the same number. That way, the chance of breaking the captcha does not increase with number of attempts.
Tyler McHenry
2010-02-16 18:59:03
How can this be implemented? You would have to remember all previous numbers tried?
2010-02-16 19:11:13
@user121196: There's a trick. Use a random number generator. Save the current seed value in the database. Get the seed from the database, set the random number generator. Get a random number. Save the seed.
S.Lott
2010-02-16 19:18:12
@user121196 It's not nearly that complicated. You don't have to ensure unique numbers, just generate a (pseudo)random number for the captcha, and if the user/bot fails to enter it properly, generate a *new* (pseudo)random number to challenge them with, rather than letting them re-try the same number they just failed to get. This means that even if an attacker cycles through all numbers 000000 to 999999, their chance of being right would still be just one in a million for the whole sequence, since your number keeps changing, so their previous tries aren't helping them any.
Tyler McHenry
2010-02-16 20:07:33
You guys misunderstood my question; I do generate a new code for every attempt. As stated in the question, the attacker has a 1/million success rate, but if he tries tens of millions of times, he is likely to get tens or hundreds.
2010-02-17 22:19:59
No, you didn't **clarify** that in your question... and you ended with "all advices are welcome"...
Hassan Syed
2010-02-17 23:07:29
@user121196 So, why not just use a few more digits then? Even a 7 digit captcha would have a success rate of 1 in 10 million, which would be less than one expected success a day even if the attacker were trying 10 times every second all day long. 9 Digits would get you to around 1 expected success per year at a rate of 10 tries per second.
Tyler McHenry
2010-02-18 17:43:35
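The mechanism this answer and its comments describe (a challenge that is consumed by its first verification attempt, so the attacker never gets a second guess at the same number) together with the expected-successes arithmetic in the last comment, as a worked example. This is added code, not code from the thread: the store, its token scheme, the time-to-live and the function names are assumptions made here for illustration.

```python
import secrets
import time


class ChallengeStore:
    """Server-side record of outstanding captcha challenges.

    issue() creates a code and an opaque token; the code goes into the image,
    the token into a hidden form field or the session. verify() removes the
    entry before looking at the answer, so a wrong guess, a right guess and a
    replay of a used token all consume it: there is exactly one attempt per
    number, and repeated submissions never accumulate against one code."""

    def __init__(self, digits=6, ttl=300, clock=time.monotonic):
        self.digits = digits
        self.ttl = ttl                 # seconds a challenge stays valid
        self.clock = clock             # injectable for testing
        self._pending = {}             # token -> (answer, expiry)

    def issue(self):
        token = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[token] = (answer, self.clock() + self.ttl)
        return token, answer

    def verify(self, token, submitted):
        entry = self._pending.pop(token, None)   # consumed whatever happens next
        if entry is None:
            return False                         # unknown or already used
        answer, expiry = entry
        if self.clock() > expiry:
            return False                         # stale challenge
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        return secrets.compare_digest(answer, submitted.strip())

    def expire_stale(self):
        """Housekeeping so abandoned challenges do not grow without bound."""
        now = self.clock()
        stale = [t for t, (_, exp) in self._pending.items() if exp < now]
        for t in stale:
            del self._pending[t]
        return len(stale)


def expected_successes(digits, attempts_per_second, seconds):
    """Expected number of lucky guesses when every attempt faces a fresh,
    uniformly random code: attempts divided by the size of the keyspace."""
    return attempts_per_second * seconds / 10 ** digits


if __name__ == "__main__":
    day, year = 86400, 365 * 86400
    for d in (6, 7, 9):
        print(f"{d} digits, 10 tries/s: {expected_successes(d, 10, day):.4f} per day,"
              f" {expected_successes(d, 10, year):.2f} per year")
```

Run as a script this reproduces the comment's figures: at ten attempts per second a 7-digit code yields about 0.086 expected successes per day and a 9-digit code about 0.32 per year. The single-use store does not lower that rate; it only guarantees the attacker cannot do better than it by retrying a code he has already seen.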