Login Security

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
9/19/2010 1:35:40 AM
broscott
Gravatar
Total Posts 22
View Posts

Login Security

Hello Mojo...

I have enabled reCaptcha on forms and such, but have not located a method to apply to the sign in/log in.

In the past, I have experienced a login page being spammed in attempts to get in.

Current incorrect attempts I have limited to 3, but am uncomfortable not to have captcha on the login.

How can the captcha be applied to login, and why is this not standard....

Or did I miss a simple switch in the administration area?

9/20/2010 12:45:22 PM
broscott
Gravatar
Total Posts 22
View Posts

Re: Login Security

I see that the login page is searchable, of course I will add it to the robot.txt file.

How can reCaptcha be applied to the Login Page?

9/20/2010 12:58:42 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Login Security

It is not currently possible to enable a captcha on the login page, and to be honest that sounds like a bad idea to me. No sites I use require a captcha to login. That would be quite a nuisance and discourage use of your site.

I can see where you might like to have a captcha on the registration page and I have a to do list item to make that possible, but currently it is not possible. What we have now is a setting in site settings where you can require that the email address used for registration must be validated before the user can login. When this is enabled, when a user registers it sends them an email with a link they must click to activate the account. Only then can the user login.

Hope it helps,

Joe

9/20/2010 7:19:29 PM
broscott
Gravatar
Total Posts 22
View Posts

Re: Login Security

Thank you for the followup.

I am familiar with the enrollment process and email confirmation... love it.

I am also involved in another company with an enterprise level software.
Due to PCI compliance, Captcha is a staple for logins.
Some companies are leaving the old fashioned captcha, like banks, and going with a graphical image...

Display a bird, you answer with what it reminds you of.

None the less, captcha on login is absolutely important (although a nuisance) if you have membership site that holds a DOB, Social, or conducts Shopping.

In the case of Mojo, I don't believe DOB or Social are used at all, but believe security on the membership site would be best if the Webmaster has the option to turn on captcha.

I really don't want to face another instance of programmers from _____ running a script, attempting to login.

Just like on submitting data in the Contact Me Form, and with Registration, Login should have option of Captcha.

9/21/2010 6:52:34 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Login Security

I will add a wish list item in my project tracker for this, maybe I will implement it at the same time when I do it for the registration page.

Note that there are settings in Site Settings to control how many failed login attempts before an account is locked temporarily. So if you define that as say 5 attempts in a 5 minutes then what happens if there are 5 failed attempts within a 5 minute period then the account will be locked for 5 minutes.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.