CAPTCHA ???

Wolfghost
Posts: 253
Joined: Fri Jul 02, 2010 6:14 am
Location: Norway

Re: CAPTCHA ???

#16 Post by Wolfghost »

I got this every time now :evil: :evil: :evil:

webfork
Posts: 10827
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: CAPTCHA ???

#17 Post by webfork »

Wolfghost wrote:I got this every time now
Andrew has been a good admin and there have been few issues that he hasn't handled very quickly, so that this is still a problem likely means more information is necessary.

- To assure a clean test, clear the browser cache/cookies and restart. Ideally test on more than one system browser so we can narrow down the possible problems.
- Describe the steps you're using to log in including URLs you're using.

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: CAPTCHA ???

#18 Post by guinness »

Touch wood! I haven't had any problems for the last 5 days, so it's best to check webfork's advice. Hope you tried out Opera? :D

Hydaral
Posts: 194
Joined: Tue Mar 09, 2010 7:36 pm

Re: CAPTCHA ???

#19 Post by Hydaral »

It's amazing how much difference adding one more character to the length of your password can make. I currently use 10 character lower, caps and special, cracking with the Distributed.net network at 76 billion per second takes ~40 days. Changing it to 11 characters extends that time to ~8 years.

Maybe everyone's New Year's resolution should be to extend their passwords.

Wolfghost
Posts: 253
Joined: Fri Jul 02, 2010 6:14 am
Location: Norway

Re: CAPTCHA ???

#20 Post by Wolfghost »

webfork wrote:
Wolfghost wrote:I got this every time now
Andrew has been a good admin and there have been few issues that he hasn't handled very quickly, so that this is still a problem likely means more information is necessary.

- To assure a clean test, clear the browser cache/cookies and restart. Ideally test on more than one system browser so we can narrow down the possible problems.
- Describe the steps you're using to log in including URLs you're using.
Yea, I know Andrew is doing a huge amount of good work in here, I'm not blaming him :wink:
So I tried to change my password to 12 characters lower/upper/caps/special/custom,
and it works now, but for how long :lol:

BTW @guinness I have not tried out Opera yet :wink:

Andrew Lee
Posts: 3084
Joined: Sat Feb 04, 2006 9:19 am

Re: CAPTCHA ???

#21 Post by Andrew Lee »

I encountered the CAPTCHA message today too. Did a little more digging. Here's what I found.

It turns out the CAPTCHA is triggered only after 3 unsuccessful attempts. This value is configured under "Spambot countermeasures" in the ACP:

Maximum number of login attempts:
After this number of failed logins the user needs to additionally solve the anti-spambot task.


This helps mitigate against brute-force password attacks, and the default small value of 3 makes a lot of sense.

Anyway, I did an SQL select and found many users with >= 3 failed login attempts, myself included. Just to give you an idea, there were 54 users returned, including Andrew Lee, risk, JohnW, Lupo73, Firewrath etc. Yes, even "admin".

After entering the CAPTCHA and logging in, "user_login_attempts" was reset to 0 as expected. Logging out and in did not trigger the CAPTCHA. Manually setting it to 3 again triggers it.

So this is obviously not a client-side issue. Clearing cache/cookies on your browser will not help you. Just think about it. I can trigger this for anyone just by trying to log into his account 3 times. Easy.

So I suspect some bot is running around doing this. In a couple of days' time, my "user_login_attempts" will get pushed up to 3 again, and I will get the CAPTCHA message again. And so on until the bot stops running.

I checked the "IP Search" field in my profile and noticed all kinds of IP addresses that do not belong to my ISP. So obviously this is coming from all over the place...

Not sure what I can do about this. It is an inconvenience, but it is there to protect us, and it is doing its job.
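
A small model of the behaviour described in post #21, as an added example that is not part of the thread and not phpBB's code: the failed-login counter lives with the account on the server, so failures from any IP count against it and the owner's browser state is irrelevant. `LoginGate`, `flagged_accounts` and the sample accounts and IPs are constructed for illustration; only the threshold of 3 and the reset to 0 after a successful login come from the post.

```python
from collections import defaultdict

MAX_LOGIN_ATTEMPTS = 3  # ACP "Maximum number of login attempts" from the post


class LoginGate:
    """Hypothetical model of a per-account counter like user_login_attempts."""

    def __init__(self, passwords, threshold=MAX_LOGIN_ATTEMPTS):
        self.passwords = passwords
        self.threshold = threshold
        self.attempts = defaultdict(int)   # username -> failures since last success
        self.sources = defaultdict(set)    # username -> IPs that failed

    def captcha_required(self, user):
        return self.attempts[user] >= self.threshold

    def login(self, user, password, ip, captcha_solved=False):
        if self.captcha_required(user) and not captcha_solved:
            return "captcha"               # model: challenge comes first
        if self.passwords.get(user) == password:
            self.attempts[user] = 0        # success resets the counter
            return "ok"
        self.attempts[user] += 1           # keyed by account, not by client
        self.sources[user].add(ip)
        return "failed"


def flagged_accounts(gate, min_sources=2):
    """Accounts at the threshold whose failures came from several IPs."""
    return {u: sorted(gate.sources[u]) for u in list(gate.attempts)
            if gate.captcha_required(u) and len(gate.sources[u]) >= min_sources}


def demo():
    gate = LoginGate({"alice": "correct horse", "bob": "battery staple"})
    # Constructed events: three wrong guesses from unrelated addresses.
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
        gate.login("alice", "wrong-guess", ip)
    owner_ip = "192.0.2.200"               # owner, fresh browser, right password
    first = gate.login("alice", "correct horse", owner_ip)
    flagged = flagged_accounts(gate)
    second = gate.login("alice", "correct horse", owner_ip, captcha_solved=True)
    third = gate.login("alice", "correct horse", owner_ip)
    return first, flagged, second, third


if __name__ == "__main__":
    print(demo())
```

The owner's first attempt returns `"captcha"` despite a correct password and a clean client, and the flagged report lists the three unrelated source addresses, which is the pattern an admin would look for alongside the counter.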

I am Baas
Posts: 4150
Joined: Thu Aug 07, 2008 4:51 am

Re: CAPTCHA ???

#22 Post by I am Baas »

Thanks for clarifying that, Andrew.

usdcs
Posts: 175
Joined: Sat Jun 10, 2006 11:54 am

Re: CAPTCHA ???

#23 Post by usdcs »

All right, Andrew. If it isn't client-side related, can you shed some light on this?

Just now, I came to the site using QtWeb, after closing it the last time with Privacy -> Quit With Full Reset... I picked Login, and was greeted with the Captcha login message.

I then started my Firefox Portable, where I had previously selected "Log me on automatically each visit". I was logged in without incident, and am typing this in my Firefox session.

[ EDIT ]

I then left the site (in Firefox) and looked at my cookies. I had four:

__qca
phpbb3sul4g_sid
phpbb3sul4g_K
phpbb3sul4g_u


I deleted the first one, __qca, and came back to the site, and was still logged in.
I cleared my Recent History (for the day), and came back to the site, and was still logged in.
I deleted phpbb3sul4g_sid, cleared my Recent History (for the last hour), and came back to the site, and I was NOT logged in.
When I tried to log in, I received the Captcha message.
Obviously, after responding to the Captcha challenge, I am back in, and my phpbb3sul4g_sid cookie is back...

[ EDIT 2 ]

And now, I just switched back to QtWeb (with a Full Reset) and logged in without incident.

It's getting curiouser and curiouser...

webfork
Posts: 10827
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: CAPTCHA ???

#24 Post by webfork »

Hydaral wrote:I currently use 10 character lower, caps and special, cracking with the Distributed.net network at 76 billion per second takes ~40 days. Changing it to 11 characters extends that time to ~8 years.
Yes and, by my math, a 12 character password run using 100 computers just like yours would take 6 1/2 years.

Users can test the difference between just 4, 5, and 6 characters using a zip cracking program here on the site. Each character you add is a tremendous jump in the number of possibilities a cracking program must guess.
Last edited by webfork on Sat Jan 08, 2011 1:46 pm, edited 1 time in total.
Reason: (fixed bad math)

Andrew Lee
Posts: 3084
Joined: Sat Feb 04, 2006 9:19 am

Re: CAPTCHA ???

#25 Post by Andrew Lee »

usdcs wrote: All right, Andrew. If it isn't client-side related, can you shed some light on this?
I can't. :D But seriously, I am not expert enough with the low-level details of phpBB3 to answer that question with any confidence. But to do a fair cross-browser comparison, I would suggest logging out of your current session first before proceeding.

Also, under QtWeb, try logging in 3 times unsuccessfully and see if you get the CAPTCHA message.

SYSTEM
Posts: 2044
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: CAPTCHA ???

#26 Post by SYSTEM »

I got captcha a while ago. The first and currently only time.

ChemZ
Posts: 125
Joined: Sat Aug 21, 2010 9:13 am
Location: Earth

Re: CAPTCHA ???

#27 Post by ChemZ »

Yoohoo! Got my first captcha today. :D

Noticed that if you got PeerBlock running with certain lists, the captcha doesn't show up at all.

Took me a while to figure that one out.... :lol:

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: CAPTCHA ???

#28 Post by guinness »

HowSecureIsMyPassword's interface has changed since the last time I used it.
