oo7ml — 2013-03-15T18:51:27-04:00 — #1
Hi, i am trying to think of ways of securing or at least "trying" to put some extra security measures in place on my websites sign up form.
I understand that captchas can be broken very easily and more importantly they could actually stop a potential user from signing up to my site.
Points To Note:
- i have strong JS and PHP validation in place on the sign up form
- user's accounts stay in 'pending' status until the click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
- a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours
I cannot really think of any other security measures that i could put in place, without really annoying the users, and i understand that spam / bots are just part of everyday life on the internet...
However, i would like to try and detect when suspicious activity occurs on my sign up form... so i was thinking of implementing the following:
When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display the a captcha
I understand that a whole college or building might be running off the same IP address, but the worst than can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign up and not for any other function on the site
I am interested to hear whether anyone has any better idea (which i am sure loads will have) or what you think of my idea, thanks in advance for your help...
ralphm — 2013-03-16T00:23:14-04:00 — #2
Sounds like you have your form security wrapped up pretty nicely. But every little extra things helps.
One thing that has been discussed around here a lot lately is setting a 'timer' on the form. That is, the PHP checks how long the page has been open before the form is submitted. Bots will tend to submit the form very quickly, unlike real humans, so if you set the form to abort if the page wasn't open for more than, say, 7 seconds, you may trip up the bots quite a bit. This method also is very human friendly, of course, as real humans never even know it's there. It won't stop individual humans spamming you, but this is a much smaller problem than getting hit by bots.
oo7ml — 2013-03-17T15:25:45-04:00 — #3
Cool, thanks for your reply... can you provide some information on how i could implement the timer function on the form / page, thanks again for your help
ralphm — 2013-03-17T18:40:26-04:00 — #4
Because I couldn't find any info on this a while back, I tried it myself and wrote it up here:
It can probably be improved a lot, but that's my attempt at it, anyhow.
oo7ml — 2013-03-18T11:28:57-04:00 — #5
Excellent, thanks i will have a read of this...