[clug] looking for webmail with catcha

David Schoen neerolyte at gmail.com
Tue May 26 11:38:23 GMT 2009

2009/5/26 Francis Markham <fmarkham at gmail.com>

> Firstly, captchas are annoying and detrimental to accessibility.
> However, they do stop spambots (at least until they break your captcha
> or pay/trick some humans into solving them).
> Other possible solutions include:
> * "I think an arguably better plan is to have something like 3 strikes
> and you're out. Even if it just locks out for 15 minutes you're
> making it a lot harder to guess passwords.".
> The problem with this is that people can deny service to a particular
> user by simply attempting to log in with incorrect credentials.  This
> is particularly bad for a webmail system as user names are often
> public knowledge.
> * "You should be able to have something look through the logs and block any
> IP that locks out more than one account."
> Unfortunately, one IP does not equal one user.  If you assume they do
> you will get false positives in the form of people sharing IP
> addresses (i.e. at corporations or universities) blocking each other
> and false negatives, in the case of when a botnet is trying to spam you.

No, but often enough one IP does equal one user and if you find out you're
blocking an organisation you can always put a specific allow in.

Also given the lack of information in the original request it's possible
Jeff could actually be in a situation where one IP will equal one user.

> Thus, a captcha system starts to look attractive again.  Its problems
> can be worked around (until it is broken, that is) to an extent.  You
> can do what gmail does and only display a captcha after three failed
> log in attempts.  You can also try the audio captcha or simple logical
> question and answer approaches for accessibility.  And to improve the
> effectiveness of these measures you should implement rate-limiting.
> Instead of a "three strikes and you're out" system, you can have a
> timeout of 1 second before the second log in attempt, 2 seconds before
> the second, 4 seconds before the third, 8 seconds before the fourth
> with a ceiling you think is an appropriate trade off (1 minute?).

This isn't really that different from 3 strikes and you're out as long as the
"you're out" is temporary, which I already mentioned.

- Dave
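The following is an added illustration for this archive page, not code posted in the thread. It implements the per-account exponential backoff with a ceiling that the quoted message describes, and on top of it the two points from the reply: block a source IP once it has pushed more than one account into backoff, and exempt allowlisted addresses (the "specific allow" for an organisation behind one IP). The account names, IP addresses, in-memory store and injectable clock are all constructed for the demonstration; the `demo()` scenario also shows the lockout-as-denial-of-service problem raised in the quoted text.

```python
"""Login throttling as discussed in the thread: exponential backoff per
account with a ceiling, blocking of any source IP that locks out more than
one account, and an allowlist for shared egress addresses. Added example,
not from the mailing list; in-memory store, injectable clock for determinism."""
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # earliest time another attempt is admitted


class FakeClock:
    """Deterministic stand-in for time.monotonic (demo/test only)."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    def __init__(self, base_delay: float = 1.0, ceiling: float = 60.0,
                 ip_lockout_limit: int = 1, allowlisted_ips=(),
                 clock=time.monotonic) -> None:
        self.base_delay = base_delay
        self.ceiling = ceiling
        self.ip_lockout_limit = ip_lockout_limit  # accounts one IP may push into backoff
        self.allowlisted_ips = set(allowlisted_ips)
        self.clock = clock
        self._accounts: dict[str, AccountState] = {}
        self._locked_by_ip: dict[str, set[str]] = {}
        self._blocked_ips: set[str] = set()

    def delay_after(self, failures: int) -> float:
        """Wait after `failures` consecutive failures: 1, 2, 4, 8 ... s, capped."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.ceiling)

    def attempt(self, username: str, source_ip: str, credentials_ok) -> str:
        """Handle one login attempt. `credentials_ok` is a callable so the
        password is only checked once the attempt is admitted; a throttled
        attacker learns nothing about it."""
        now = self.clock()
        if source_ip in self._blocked_ips:
            return "ip_blocked"
        state = self._accounts.setdefault(username, AccountState())
        if now < state.next_allowed:
            return "throttled"
        if credentials_ok():
            self._accounts.pop(username, None)  # success resets the backoff
            return "ok"
        state.failures += 1
        state.next_allowed = now + self.delay_after(state.failures)
        if source_ip not in self.allowlisted_ips:
            locked = self._locked_by_ip.setdefault(source_ip, set())
            locked.add(username)
            if len(locked) > self.ip_lockout_limit:
                self._blocked_ips.add(source_ip)
        return "bad_password"


def demo() -> list[str]:
    """Constructed scenario (documentation and private address ranges)."""
    clock = FakeClock()
    throttle = LoginThrottle(allowlisted_ips={"10.0.0.5"}, clock=clock)
    wrong, right = (lambda: False), (lambda: True)
    results = []
    # Attacker guesses alice's password from a single address.
    results.append(throttle.attempt("alice", "203.0.113.7", wrong))  # bad_password, 1 s backoff
    results.append(throttle.attempt("alice", "203.0.113.7", wrong))  # throttled
    for wait in (1, 2, 4):                                           # retry as each window opens
        clock.advance(wait)
        results.append(throttle.attempt("alice", "203.0.113.7", wrong))  # bad_password
    # t = 7 s, backoff now 8 s: alice herself, with the right password, is locked out.
    results.append(throttle.attempt("alice", "198.51.100.2", right))  # throttled
    # Attacker moves to a second account; the IP now exceeds the lockout limit.
    results.append(throttle.attempt("bob", "203.0.113.7", wrong))    # bad_password
    results.append(throttle.attempt("bob", "203.0.113.7", wrong))    # ip_blocked
    clock.advance(8)  # alice's backoff window has expired
    results.append(throttle.attempt("alice", "198.51.100.2", right))  # ok
    # Allowlisted shared address (an organisation's NAT): never IP-blocked.
    for user in ("carol", "dan", "erin"):
        results.append(throttle.attempt(user, "10.0.0.5", wrong))    # bad_password
    return results
```

The backoff is keyed on the account, so it is the attacker's failures that set alice's `next_allowed`; the per-IP block limits how many accounts one address can do that to, and the allowlist is where a shared corporate or university address goes once you discover you are blocking it.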
