The Old Joel on Software Forum: Part 3 (of 5) - Signing up for accounts

Signing up for accounts - how to prevent attacks?

Hi:

I would like to allow vsitors to my site to be able to sign up for accounts - I do not collect any user information nor do I want to.

All it does is to ask a user for their choice of 'user name' and 'password'.

How can I prevent scripts from creating multiple accounts?

Yahoo and hotmail have an image displayed that users must type into a text box - i.e. to validate it is a human.

Are there an open source application that I can use for this?

Thanks,

Hobbit
Saturday, December 13, 2003

Do you really expect it to be a problem? I maintain a quite large-ish and popular website and we've never had the problem of scripts creating multiple accounts. Why do you expect to be a target?

Almost Anonymous
Saturday, December 13, 2003

Most of the sites use the captcha method: http://www.captcha.net/

bhagwaan
Saturday, December 13, 2003

I am running the site to keep my technical skills as sharp as possible bbetween jobs.

I am trying for visualize for all eventualities :)

Thanks

Hobbit
Saturday, December 13, 2003

LOL! Re: Capcha:
"Online Polls. In November 1999, http://www.slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots". MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll requires that only humans can vote. "

Sounds to me like CMU and MIT rightly took the top two spots. In fact, I'd venture this is the *perfect* way to run this poll. If a school's IT dept doesn't care enough to find out about and successfully rig the poll, do you want to go there?

Philo

Philo
Saturday, December 13, 2003

Sure. Invalidate the poll itself, but by doing so, make a much larger news item & greater publicity for your school. Sounds about right to me.

www.MarkTAW.com
Saturday, December 13, 2003

Why have a sign-up? It's annoying and it hinders the casual user. Sign-up for my site boyz == Teh suck

Saturday, December 13, 2003

"If a school's IT dept doesn't care enough to find out about and successfully rig the poll, do you want to go there?"

Sure - maybe they're spendig their time on something useful. And _NOT_ cheating. :)

sgf
Saturday, December 13, 2003

"Sounds to me like CMU and MIT rightly took the top two spots. In fact, I'd venture this is the *perfect* way to run this poll."

Good insight -- I agree.

It's not about cheating, the results proved beyond a doubt which schools had the most technically capable students who are strong believers that their school is a great one. Those votes should rightly count for more. The students who spend less time voting just didn't care as much, which means their schools are not as good and the students not as passionate about what they do.

Dennis Atkins
Saturday, December 13, 2003

Bit of a tangent: in any case where user input is being saved to a database, make sure you guard against SQL injection attacks. Essentially that involves users putting (potentially harmful) SQL commands in the input fields, which would be a hazard to your application if you were to execute them. Google for "SQL injection" for more helpful information. Good summary:

http://www.aspnetpro.com/opinion/2002/08/asp200208pl_o/asp200208pl_o.asp

Back on topic: Aside from the Yahoo image method, I'm not sure how you'd deal with spoofed IP addresses, which is what it sounds like the CMU and MIT guys were using. That would be more of a networking thing than something you could tackle with server-side scripting, anyway.

You might want to consider some "sanity-checking" database code to contain the effects of such attacks- ie, allow no more than N signups from *all* IP addresses in X minutes. Of course you'd need to make sure your legit traffic wouldn't exceed your chosen values of N and X or you'll have pissed-off legit users. :P

John Rose
Sunday, December 14, 2003

Yep. The only way to gaurantee human entered information is to find something humans can do that machine's cant, or at least not without difficulty. Microsoft also has "If you can't read the words, then maybe you can hear a sound file." If you can't do either, you can't sign up.

I remember a few years ago there was a forum for women only that required a phone call. It was the only way to gaurantee that the person signing up actually was a woman.

Limiting the number of inputs over a given period of time won't stop a bot, they'll just fill up all the available slots and prevent legitimate inputs.

In the "7th Interview Running" thread, there's an example of someone who wrote a script to automatically submit his resume and cover letter to potential employers he scraped from a job site.

Human Readable AND Not Machine Readable. Anything that can be automated will be automated.

www.MarkTAW.com
Sunday, December 14, 2003

The technique that I've used at http://www.lazarusid.com/wishlist/ which doesn't completely eliminate such attacks, but it does make things harder, is pretty simple. E-mail them the confirmation information. It's entirely possible to automate an attack against it, but it requires a new e-mail address each time. The attacker needs to be pretty determined to bother with the setup they'll need. Chances are pretty good that unless you've got something terribly valuable, they won't be all that interested in going to that much trouble.

Clay Dowling
Sunday, December 14, 2003

It's generally agreed that the image-recognition thing that Yahoo does is generally the most secure method, but I wonder how many users are turned away by that?

I have to admit it was slightly confusing the first time *I* saw it, because it took me a minute to realize it was a security measure designed to thwart automated scripts.

I could see a lot of "average" users being completely confused.

John Rose
Monday, December 15, 2003

Here's a random idea off the top of my head, just for fun...

When someone signs up for an account, make sure that the signup page was loaded by the same session about a minute ago. Bots unaware of this rule will try to signup for an account by posting the data right away without loading the page first, and you can simply discard those signups. You could even stick in some javascript to the entry fields to make sure that the keydown events happen at realistic intervals.

Of course, once someone figures it out you're sunk... security by obscurity always sucks in the end.

But it does avoid inconveniencing the user.

Jesse Collins
Monday, December 15, 2003

> Sounds to me like CMU and MIT rightly took the top two spots.

Aw, come on Philo. What has stuffing an e-vote in common with providing a decent curicullum?
Maybe they should drop all the classwork and exams and for a degree just have the students run through a quick "hack this box" contest also?

Just me (Sir to you)
Monday, December 15, 2003

I really kind of wonder about people who dimiss school spirit as any indicator of quality of education. Becoming a productive member of society is about more than "who can learn the most algorithms?"

These students, with no encouragement from the institution:
1) Showed initiative
2) Showed pride in their peer group
3) APPLIED what they had learned

If *I* was hiring, I'd take the 3.6 and "hacked the US News Poll" guy over a 4.0 student any day.

Philo

Philo
Monday, December 15, 2003

What if their solution was to pay a bunch of third worlders to keep manually answering the poll? Whould you still hire them?

pdq
Tuesday, December 16, 2003