Login Captcha

[metiftikci]

How about login captcha?

Force to solve captcha if user tried to login 3 times with wrong password.

[savavirtosu]

Here is a potential development plan for solving the current issue:

Add to User model a new column LoginAttempts.
Every time a user provides a wrong password on the sign in, the LoginAttempts is incremented.
Every time a user provides a valid password on the sign in, the LoginAttempts is set to 0.

If the LoginAttempts become bigger than X, in the sign in form a new captcha field will appear.

I think we could use the existing configuration flag in order to know if we should force captcha checking after X failed attempts.
Also, I think that the number of failed login attempts X could be hardcoded to 5 directly in code.

[lunny]

@savionok I think a new column in user table is unnecessary. But the LoginAttempts could be saved in session.

[guillep2k]

@lunny if we are trying to stop a hack attempt by putting a captcha and reducing the odds that it's a robot attempt, we should not trust the session cookies, I believe. 🤔

[lunny]

@guillep2k Currently we allow one user login serval times, maybe one for your personal computer, one for working computer and one for your mobile. So store it on database one column will result in other things. If we want to do that, we needs a device management table. Of course we can do that for a long consideration.

We have depended on session cookies on login I think. Once you have a different cookie value when you logined, you will be logout.

[guillep2k]

@lunny Captchas are normally meant to tell humans from robots that can be doing a dictionary attack. If that's not our intention, why use a captcha at all? Robots will certainly not honor session cookies. 👾

Any cookies kept in the real user's computers should not be affected in any way. If they were valid, they should remain valid. No problems there.

As I understand it, the LoginAttempts column is actually meant to count login failures, not attempts (it should be named LoginFailures instead). It shouldn't affect the normal workflow of the real user, even if they use fifteen computers. If the real user logs in from another computer when LoginAttempts is maxed out, the login failure count will simply be reset to zero, even if the "robot" is failing repeatedly, but that would only give the robot three more tries. It may require the user to pass the captcha, but that's very good: knowing that someone else is trying to hack our account! 😱

Tools like RSS readers or even git's HTTP protocol will not be affected by this because they don't use the login form.

[lafriks]

I agree @guillep2k this can be global per user and reset to zero on successful authorization

[lafriks]

We should probably also keep last failed authorization timestamp so that we can discard failure count after x minutes has passed

[GAS85]

What about this nice feature? Seems really useful. I would add, that admin should be able to configure login attempts to 0 that should drive to show captcha on each login attempt.

How about not existing users attempts?
That should be kind of option to track Session, IP and show Captcha to those user.

[hiqsociety]

i prefer a captcha just for login.
i mean to login, solve captcha.
when can this be implemented?

[lunny]

Closed as #21906 opened.