Captcha
CAPTCHA is inefficient - form tries to login first, then checks CAPTCHA value (14 posts)

  1. crysman
    Member
    Posted 11 months ago #

    That means if I fill-in the correct username, wrong password and wrong CAPTCHA, the login page returns:

    ERROR: The password you entered for the username <my_famous_username> is incorrect. Lost your password?

    Which means it first tries to login, then verifies CAPTCHA. This is incorrect and makes CAPTCHA (as protection against automated login attempts) inefficient, because this way the attacker gets to know the correct and real username!

    http://wordpress.org/plugins/captcha/

  2. bestwebsoft
    Member
    Plugin Author

    Posted 11 months ago #

    Hello crysman,

    The captcha doesn't affect the password. But we will check the possibility of this error.
    Please provide your plugin version and WordPress version, and a list of installed plugins and themes.

    Kind regards,
    Support Team

  3. crysman
    Member
    Posted 10 months ago #

    I am using the latest plugin version available today.
    I am using my own custom theme.
    It is actually also being discussed in another thread: http://wordpress.org/support/topic/this-doesnt-work-against-the-current-brute-force-attempts-on-the-login-page?replies=5

    So it seems we have duplicate thread now. That only shows I am not the only one considering this an important issue...

    Thanks!

  4. bestwebsoft
    Member
    Plugin Author

    Posted 10 months ago #

    Hi crysman,

    Please write here http://support.bestwebsoft.com/ and provide access to your admin area so that we could analyze the problem.

    Sincerely,
    Support Team

  5. crysman
    Member
    Posted 8 months ago #

    Why are you deleting my posts? I've just posted something like this right here in this thread:

    Hi,

    I cannot give you the access to the admin interface due to security issues. Just check your own WP installation, I believe you'll get the same result and issues as we do... or you don't?

    I am wondering why this is "resolved", when it is NOT... The same here in the duplicate bug report: http://wordpress.org/support/topic/this-doesnt-work-against-the-current-brute-force-attempts-on-the-login-page?replies=6

    #crysman

    And now I can see it's not here! So I am posting it here again now. I hope it will remain here until it actually gets truly resolved...

  6. Cross posting topics is never a good idea. Really it just muddies up the support model even more as your installation is different than others.

    If you have something new to add to this topic i.e. "I also tried X, Y, and Z and that didn't work" then that adds value. If you are just bumping the topic then please don't do that. Those get deleted when found.

    http://codex.wordpress.org/Forum_Welcome#No_Bumping

  7. bestwebsoft
    Member
    Plugin Author

    Posted 8 months ago #

    Dear crysman,

    we mark the topic as "Resolved" since there isn't another opportunity of marking it as "Duplicating". We suggested that you should write either in our open forum or create a private ticket at http://support.bestwebsoft.com/ "and provide an access to your admin area so that we could analyze the problem." We are still waiting for your information.

    Sincerely,
    Support Team

  8. crysman
    Member
    Posted 7 months ago #

    You still don't get it. There is no need to give you any access to any admin area, because it is just not working anywhere, not even on a fresh WP install. Just try it yourselves - where is the problem?

    I will repeat the problem, maybe you do not understand:
    The problem is that your current captcha implementation checks the captcha input form field last - after user and password. That is incorrect. It should check the captcha input field first and if it's incorrect not even try to log in.
    Why?
    Because this way (as it is now) anyone is able to get existing username and password! It just stops him/her from logging-in. OK, so what - if I am the attacker, I know all the credentials now (got them via brute force attack e.g.), so I just enter the correct captcha value myself now...

    I hope it is clear now... (?)

  9. crysman
    Member
    Posted 7 months ago #

    I've made a video for you, it should be perfectly clear now:
    http://youtu.be/X5vd8tB-3To

  10. bestwebsoft
    Member
    Plugin Author

    Posted 7 months ago #

    Dear crysman,

    Unfortunately, WordPress DOES NOT have an opportunity to check captcha input BEFORE entering the rest of the fields. Do you suggest that WordPress Core should be CHANGED so that our captcha could function "correctly"? We are FOR it, please contact WordPress developers.

    Sincerely,
    BestWebSoft Support Team

  11. Celeste1212
    Member
    Posted 7 months ago #

    Crysman, you posted, "It should check the captcha input field first and if it's incorrect not even try to log-in."

    Your argument is not persuasive unless and until you can demonstrate another CAPTCHA plugin that follows the rules you think should be implemented in WordPress. If you cannot find such a plugin, then you can create a plugin which does what you want it to do, which is likely not a simple task. Or, as BWS suggests, contact the WordPress Core development team.

  12. crysman
    Member
    Posted 6 months ago #

    @bestwebsoft: that is a pity :( I didn't know that. I've created a thread on WP core developers forum here:
    http://core.trac.wordpress.org/ticket/26760#ticket
    So you may comment and participate there, too.

    @Celeste1212: my argument is true and legit independently of any existing plugin, because what I say and request is not related to the number of properly-functioning-captcha plugins available. It is a concept. If it's a problem of every and any CAPTCHA, OK, we must change the concept, because otherwise all CAPTCHAs at WP login pages are inefficient.

  13. crysman
    Member
    Posted 6 months ago #

    OK guys, as explained here
    https://core.trac.wordpress.org/ticket/26760#comment:2

    it is not a WP core related bug. Moreover, you are able to fix it yourselves by following what Sergey suggests:

    ...The plugin should just hook into the same filter with an earlier priority...

    So that's good news, isn't it?! Just let us know if you are going to fix it or not - so we might eventually migrate to the correctly behaving plugin Sergey mentions. Personally, I would prefer you fix it, because except for this bug I like your plugin.
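    As an added illustration of the fix Sergey describes (post 8 states the problem, post 13 the remedy), here is an example plugin snippet that is not the Captcha plugin's own code: it hooks the same `authenticate` filter at an earlier priority than core's password check, and on a wrong CAPTCHA answer it detaches core's username/password handlers so that a uniform error is returned whether or not the username exists. The field names `example_captcha` and `example_captcha_token`, and the transient-based answer store, are assumptions made for this example.

```php
<?php
/*
 * Added example, not the Captcha plugin's code. Runs the CAPTCHA check
 * before WordPress verifies the username and password, so a wrong answer
 * yields the same error regardless of whether the username exists.
 * Field names and the transient answer store are assumptions.
 */

// Same 'authenticate' filter that core uses, but at priority 5: ahead of
// wp_authenticate_username_password, which core registers at priority 20.
add_filter( 'authenticate', 'example_captcha_authenticate', 5, 3 );

function example_captcha_authenticate( $user, $username, $password ) {
    // Only gate interactive login form posts; leave cookie/XML-RPC auth alone.
    if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD']
         || ! isset( $_POST['log'] ) ) {
        return $user;
    }

    if ( example_captcha_is_valid() ) {
        return $user; // CAPTCHA passed: let core check the credentials as usual.
    }

    // Wrong CAPTCHA: stop core from testing the password at all. Core's
    // username/password handler overwrites an earlier WP_Error when both
    // fields are filled in, so returning the error alone is not enough.
    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
    remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

    // Identical message whether or not the username exists: nothing leaks.
    return new WP_Error( 'captcha_error', __( 'ERROR: Incorrect CAPTCHA answer.' ) );
}

// Compares the submitted answer with the hashed answer stored when the
// challenge was generated, keyed by a per-challenge token from a hidden field.
function example_captcha_is_valid() {
    $token  = isset( $_POST['example_captcha_token'] ) ? sanitize_key( $_POST['example_captcha_token'] ) : '';
    $answer = isset( $_POST['example_captcha'] ) ? trim( (string) $_POST['example_captcha'] ) : '';
    if ( '' === $token || '' === $answer ) {
        return false;
    }
    $expected_hash = get_transient( 'example_captcha_' . $token );
    delete_transient( 'example_captcha_' . $token ); // single use, even on failure
    return is_string( $expected_hash )
        && hash_equals( $expected_hash, hash( 'sha256', strtolower( $answer ) ) );
}
```

    The form-rendering side (not shown) is assumed to store `hash('sha256', strtolower($answer))` under the transient `example_captcha_<token>` when it generates the challenge.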

  14. bestwebsoft
    Member
    Plugin Author

    Posted 6 months ago #

    Dear Crysman,

    Thank you for the information, we are going to study this issue and make the necessary changes.

    Sincerely,
    BestWebSoft Support Team
