grnadpa — 2013-04-29T10:31:49-04:00 — #1
Here's an out-of-the-box thought. What if I require more than one password on my sign-in page? Would that confound the phishing bots? (If so, then I could even allow the client to enter relatively easily remembered passwords).
spikez — 2013-04-29T10:34:03-04:00 — #2
Isn't 2 passwords really just the same as username + password combination or do you mean that users have to remember 3 things?!
grnadpa — 2013-04-29T11:06:44-04:00 — #3
My point is that the malicious software phising bots expect just one password in addition to the username. Hence the bizarre requirements for developing passwords (e.g. 8 characters, uppercase, lower case, number, special characters) as protection.
Adding a second password (or as you put it "remember 3 things") I'm thinking would defeat these bots because, even it it guesses one of the passwords, it's not expecting a second one -- and therefore will fail to break into the site.
As such, the passwords need not be so complex.
logic_earth — 2013-04-29T22:23:26-04:00 — #4
Afraid it would just making things more complicated for your users. Your users alone are responsible for creating strong passwords and managing them. Its not yours. The only thing you have to do is store them in a secure matter. And those bots could easily adapt to the change anyways.
paul_wilkins — 2013-04-30T02:05:29-04:00 — #5
Sadly, exactly the opposite thing will happen. Your strange and odd security measures will attract the attention of all sorts, resulting in special attention being paid to your site from groups who attempt to automate their way around such things.
Your best bet to avoid notice is to apply the same best practice techniques that others use. Those are the most reliably known ways to reman secure without annoying your uses too much.
system — 2013-05-07T02:52:07-04:00 — #6
Nothing is impossible for a malicious software trying to detect a password. Even if you put something new, you would rather attract the attention of programmers as you are the founder of this innovation. They would go to far ends just to crack this challenge! In regards to the security, if you use md5 encryption, and if you instruct your users to create a difficult password with a combination of symbols, letters and numbers, with NO word from the english dictionary and no numbers in a proper sequence, there is no way a malware can decrypt it. This is because the encrypted code of every password keeps changing and only your server will be aware of the combination. Not even you!
webcosmo — 2013-05-07T14:33:38-04:00 — #7
Too complicated, some people wouldn`t bother remembering those passwords. Just use a good captcha along with the password, like skrill.com does and you should be fine. But no way 2 passwords.
grnadpa — 2013-05-23T10:59:16-04:00 — #8
Thanks to all for your responses. I'll defer to your judgement.
No argument if we are looking for who (whom?) to blame. But, as the linkedin hack demonstrated, users are not particularly diligent in devising strong, esoteric passwords (among the top 30 passwords: link  1234  work god job from mashable dot com slash 2012 slash 0608 slash linkedin-stolen-passwords-list)
Okay, why would it attract attention? Some feedback mechanism the 'bot sends back?
Finally, I find I am not alone in finding capchas (or would that be capchi?) particularly annoying. See www dot socialreflections dot com slash unreadable-captchas-can-destroy-your-business
Again, I will defer to your comments. And thank you for your feedback.
logic_earth — 2013-05-23T15:32:46-04:00 — #9
But it is still not your responsibility. You can try and educate the user on using secure passwords, however it is better that you do not enforce any strict rules. You are only responsible for making the backend secure, storing those passwords in a secure way.
paul_wilkins — 2013-05-23T16:13:56-04:00 — #10
Not quite. It's because anything strange and new attracts attention, as this thread well demonstrates too.
When users of your site start to use a login process that to them is strange, some of them are liable to talk to others about it. Word gets out.
felgall — 2013-05-23T17:20:56-04:00 — #11
You don't need to include a CAPTCHA with a password because the password process can be set up as an even better CAPTCHA all by itself.
Simply record the time when an invalid access attempt is made and lock the account completely for a period of time - any further attempts even with the right password during the lock time simply reset the lock start time so as to extend the lock period.
To make it more user friendly and more secure at the same time you can also record the number of unsuccessful attempts since the last successful one and use say a two second lock time for the first two wrong attempts and thirty seconds or even a minute if the wrong guresses continue after that.
No bot is going to wait more than a minute between guesses and even if it did it would then take way too long to get to the right password.
The best CAPTCHA to use on any site where you need your visitors to log into their account anyway is to require a password. That way your CAPTCHA is far less obtrusive than ones that require your visitor to read scrambled text in an image or perform some sort of calculation. Also the CAPTCHA not only identifies that it is a real person and not a bot - it also identifies which real person it is as only one real person knows the password.