What's up with the "type these words" login?
November 8, 2007 3:01 PM

The new login procedure is annoying.

I can understand the implementation on Blogger comments, but MetaFilter? Are spambots a big problem on a site where users pay to join?
posted by Reggie Digest to Feature Requests at 3:01 PM (94 comments total)

The old login procedure was annoying and the current one is a new compromise.

Here's the thing about the login page:

- we have to have some way to disallow people a million tries at logging in, because people can write bots that dictionary-attack any known username here. They've done it (successfully) in the past. It can't happen again.

- I was allowing only five login attempts, then you'd be locked out for 24 hours like a bank might block you. But MeFi isn't a bank and people don't read so they were often getting locked out from trying too many times before emailing their password to themselves. Several times a week I had to clear out a user's login history because they got blocked. It often happens in the middle of the night as well, so they're pissed they got locked out and further pissed that it isn't reset within a reasonable time.

- Instead of the painful login lockout and logging thing, I decided to go with a captcha we've been using on the contact form for the past few months (which has gone well and we don't have spammers crapflooding anymore). It's Recaptcha which is a beneficial project -- you are helping OCR scanned in textbooks for the Gutenberg project. I agree the widget is kind of large, and sometimes the text can be hard to read, but if you hit the little refresh button it will give you a new piece of text and it offers an audio option as well.

So it's a compromise and I have to limit login activity in some way, and this helps out a cool project while fulfilling the bot-attack prevention thing.
posted by mathowie (staff) at 3:09 PM on November 8, 2007


Fair enough.

Still, let me explain why I thought it was a MeTa-worthy pain in the ass: I was dumb enough to click 'OK' when Firefox asked me if I wanted it to save the new password. Now it thinks my password is a long string of seemingly random characters, and since there's no way of logging in without the widget, I can't reset it, so I'm stuck filling out every field, every time, by hand.
posted by Reggie Digest at 3:18 PM on November 8, 2007


Login? That would require logging out. Absurd, sir.
posted by puke & cry at 3:19 PM on November 8, 2007 [9 favorites]


Reggie, in testing on my macs running firefox, my saved passwords didn't change. It sounds like maybe the captcha itself is being saved along with your login?
posted by mathowie (staff) at 3:22 PM on November 8, 2007


I clicked through to read about that Recaptcha project -- so cool.
posted by veggieboy at 3:23 PM on November 8, 2007 [1 favorite]


Exactly.
posted by Reggie Digest at 3:23 PM on November 8, 2007


Firefox > Tools > Security > Show Passwords > select Metafilter password > Remove.

Is that what you need?
posted by eyeballkid at 3:23 PM on November 8, 2007


No, I already removed it. That's why I have to retype everything every time.
posted by Reggie Digest at 3:24 PM on November 8, 2007


Ok, I see that yeah, it oddly asks to mangle my browser's saved password.

I'll see if I can get it to stop doing that, but you can still login successfully and it's probably a bad idea in the first place to save our logins in login forms forever. I mean, it's nice and all but it's bad security practice.
posted by mathowie (staff) at 3:25 PM on November 8, 2007


Heh, I remember the days when I used to log out. I had what they call "friends" then...
posted by SassHat at 3:29 PM on November 8, 2007 [3 favorites]


I only log out when I buy a new computer
posted by lee at 3:33 PM on November 8, 2007


I only save passwords because I change them regularly and my memory sucks and I get sick of retyping the same thing a million times a day.

(Surely doing that would be bad security practice if there were a keylogger on my computer?)
posted by Reggie Digest at 3:34 PM on November 8, 2007


There's no such thing as good security practice that allows "there's a keylogger on my computer" as a given. :)
posted by cortex (staff) at 3:37 PM on November 8, 2007


I just use my cat's name for all my passwords. That way I don't have to save any.
posted by puke & cry at 3:38 PM on November 8, 2007


puke & cry: I just use my cat's name for all my passwords. That way I don't have to save any.

Cats, or passwords?
posted by fandango_matt at 3:40 PM on November 8, 2007 [2 favorites]


Serves ya right for logging out.
posted by jonmc at 3:40 PM on November 8, 2007


The recaptcha audio is the creepiest thing I've heard in a while. Log out just to hear it, yikes.
posted by neustile at 3:41 PM on November 8, 2007


That would require logging out. Absurd, sir.

So, yeah, I've not been here as long as some of you, but in 5+ years I've never logged out. I've logged in a few times - deleted cookies, new computers, what have you - but never out. MetaFilter's the only site in the history of my internet browsing - going on thirteen years, now - that I've pledged such an allegiance to. Goddamit, I love this place.
posted by soundofsuburbia at 3:42 PM on November 8, 2007


Cats, or passwords?

Either one, really.
posted by puke & cry at 3:42 PM on November 8, 2007


cortex: Well, obviously, but it's always best to assume the worst, right?
posted by Reggie Digest at 3:42 PM on November 8, 2007


It's Recaptcha which is a beneficial project -- you are helping OCR scanned in textbooks for the Gutenberg project.

*ponders how to hack "FARTS LOL" into every Gutenberg text*
posted by brain_drain at 3:43 PM on November 8, 2007 [3 favorites]


If that were the case, I'd have to close your account and scramble your password for hacking Reggie's account.
posted by cortex (staff) at 3:45 PM on November 8, 2007


I just keep my password in my profile. So I don't forget it.
posted by eyeballkid at 3:46 PM on November 8, 2007 [2 favorites]


ARGH!! So much for posting thru lynx I guess. =( (well, after my current cookie expires, or lynx crashes and loses them all)
posted by nomisxid at 3:49 PM on November 8, 2007


My password is a miniature poetic masterpiece so utterly perfect that should I ever forget it, life would no longer be worth living anyway. It'd be time for the BIG logout.
posted by flapjax at midnite at 4:06 PM on November 8, 2007


Just for the meta-ness of it all, I'm gonna name my next cat Captcha.
posted by quin at 4:13 PM on November 8, 2007


I've been having an issue here, whereby when I use the login form I get an error page saying that the form.username was not submitted (or words to that effect).

I ignored it and gave up eventually, but now I've noticed that it still logged me in. This might be because I'm using a university machine and I think it had some script blocking extensions in the browser. Unfortunately I can't produce the error page again since I'm now properly logged in.
posted by chrisbucks at 4:20 PM on November 8, 2007


My popsuckits are screwed.
posted by bardic at 4:35 PM on November 8, 2007


I got the same thing as chrisbucks - looks like it actually did log me in, but then threw up an error page.

As a compromise on the compromise, could we maybe get the first login screen not to display a captcha, and then you could throw it up after the first unsuccessful attempt from a given IP or something?
posted by whir at 4:36 PM on November 8, 2007


hey whir, could you post (or use the contact form to email) the full error message you get? That'd help us track down the problem.
posted by pb (staff) at 4:50 PM on November 8, 2007


A question. Why would you want to logout if you are sure no one is going to use your saved up passwords to log in?
posted by Memo at 4:55 PM on November 8, 2007


Ok, so we're going to do the thing that Gmail does which is a hybrid of both: you'll get 4 attempts then you'll be shown a captcha and any subsequent attempt will require a captcha.
posted by mathowie (staff) at 5:01 PM on November 8, 2007
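
Added example, not part of the thread and not MetaFilter's code: a minimal sketch of the "four attempts, then captcha on every further attempt" gate described above, in place of the old 24-hour lockout. The class and function names, the 24-hour counting window, the per-username and per-IP keying, and the demo account and captcha check are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict

CAPTCHA_AFTER = 4            # free guesses before a captcha is demanded (figure from the thread)
WINDOW_SECONDS = 24 * 3600   # assumption: failures older than this are forgotten


class LoginGate:
    """Counts failed logins per username and per client IP; never locks anyone out."""

    def __init__(self, check_password, check_captcha, now=time.time):
        self._check_password = check_password
        self._check_captcha = check_captcha
        self._now = now
        self._failures = defaultdict(list)   # key -> timestamps of failed attempts

    def _recent(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def captcha_required(self, username, ip):
        # Keyed on both: per-username covers guesses against one account coming
        # from many addresses, per-IP covers one client trying many usernames.
        return max(self._recent(("user", username.lower())),
                   self._recent(("ip", ip))) >= CAPTCHA_AFTER

    def attempt(self, username, password, ip, captcha_response=None):
        if self.captcha_required(username, ip):
            # The password is not looked at until the captcha passes, so an
            # automated client learns nothing once the threshold is reached.
            if captcha_response is None or not self._check_captcha(captcha_response):
                return "captcha_required"
        if self._check_password(username, password):
            # Clear only the username counter. The IP counter ages out on its own;
            # clearing it here would let any account holder reset it at will.
            self._failures.pop(("user", username.lower()), None)
            return "ok"
        stamp = self._now()
        self._failures[("user", username.lower())].append(stamp)
        self._failures[("ip", ip)].append(stamp)
        return "denied"


# --- constructed demo data: a real store would hold password hashes ---
USERS = {"alice": "correct horse"}

def demo_check_password(username, password):
    stored = USERS.get(username.lower())
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def demo_check_captcha(response):
    return response == "solved"      # stand-in for the captcha provider's verification

def demo():
    gate = LoginGate(demo_check_password, demo_check_captcha, now=lambda: 1000.0)
    ip = "192.0.2.10"                # documentation address (RFC 5737)
    results = [gate.attempt("alice", f"guess{i}", ip) for i in range(4)]
    results.append(gate.attempt("alice", "correct horse", ip))            # no captcha
    results.append(gate.attempt("alice", "correct horse", ip, "solved"))  # with captcha
    return results

if __name__ == "__main__":
    print(demo())
```

Because the account is never locked, someone hammering a username can at worst make its owner solve a captcha, which is the trade-off the thread settles on.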


Um, master password?
posted by Reggie Digest at 5:02 PM on November 8, 2007


Ahem.

Memo: Um, master password?
posted by Reggie Digest at 5:04 PM on November 8, 2007


So, yeah. Thanks!
posted by Reggie Digest at 5:05 PM on November 8, 2007


could you post the full error message you get?

Sorry, I just tried it again and I didn't see the error this time. However, I did notice that the URL was something like /logincheck.cfm. Also, sometime during that process my cookies seemed to get wiped out, since I went back to the default blue theme. If I can get it to recur I'll submit the message via the contact form, though. If you want to go digging in your logs, it would have happened probably not more than a few minutes before my post above.
posted by whir at 5:16 PM on November 8, 2007


Ahem.

Memo: Um, master password?

Yeah, I thought about that possibility two seconds after posting that comment.
posted by Memo at 5:21 PM on November 8, 2007


I can't remember the last time I logged in.
posted by The Deej at 5:34 PM on November 8, 2007


This was just a device to catch people with sockpuppets. The only people who ever log out, after all, are people with nasty sockpuppets.
posted by psmealey at 5:50 PM on November 8, 2007 [1 favorite]


thanx for the latest changes matt =)
posted by nomisxid at 5:51 PM on November 8, 2007


When I browse at home, I rarely log in. The only reason I logged in tonight was because I think reCAPTCHA is a cool idea. So cheers, Matt.
posted by solotoro at 6:29 PM on November 8, 2007


PSMeasley, I have nasty sock puppets, but I use them at YouTube, not here at MeFi. ...I mean actual sock puppets...

Matthowie. You rock. As usual. Thanks for going the extra mile to secure the site for everybody, and bringing attention to that kewl Gutenberg thingy.

...come to think of it I have puppets but they're not made out of socks... That's just splitting hairs, isn't it?
posted by ZachsMind at 6:33 PM on November 8, 2007


I just use login in for my password. It brings back the memories.
posted by drezdn at 6:34 PM on November 8, 2007


I mean, it's nice and all but it's bad security practice.

I don't know about that.. Much better to manage one password properly than a thousand passwords improperly. Given that most modern computer users have tens to hundreds of accounts, and manually managing that many passwords properly is a practical impossibility, surely a secure password manager is actually good security practice.
posted by Chuckles at 6:51 PM on November 8, 2007


It's Recaptcha which is a beneficial project -- you are helping OCR scanned in textbooks for the Gutenberg project.

Holy shit, that's fucking wild.

'wild' is my new favorite term for anything cool and original
posted by delmoi at 7:53 PM on November 8, 2007


And yeah, I never log out, so I have trouble remembering my password on new computers. So a Captcha would be a welcome addition for me.
posted by delmoi at 7:56 PM on November 8, 2007


Captcha gotcha -- especially if you're drubk.
posted by ericb at 8:52 PM on November 8, 2007


tl;dr
posted by exlotuseater at 9:04 PM on November 8, 2007


That's why I have to retype everything every time.

Also known as "logging in"
posted by dhammond at 9:09 PM on November 8, 2007


Also, I just got "Amos Represent" as my Recaptcha. So I am in total favor of this.
posted by dhammond at 10:50 PM on November 8, 2007


eyeballkid wins.
posted by roll truck roll at 10:53 PM on November 8, 2007


delmoi : 'wild' is my new favorite term for anything cool and original

"Clutch" is the new fan favorite.

Or at least it is in my smallish group of acquaintances.

Join our meme...

Join us...
posted by quin at 11:04 PM on November 8, 2007


quin, stop trying to make "clutch" happen! It's not going to happen!
posted by team lowkey at 12:00 AM on November 9, 2007 [2 favorites]


"Clutch" implies timely. Clutch is wild + timeliness.
posted by rokusan at 1:06 AM on November 9, 2007


Fetch, dude. Fetch.
posted by psmealey at 2:36 AM on November 9, 2007


I also failed to log in once with the captcha. I'm fairly certain it was typed exactly correct, as well.

Does the space count? On the second try, I continued to type in both words including a space between. I got the error about form username, but I was logged in anyway.

How exactly does this project help OCR accuracy? Doesn't the system have to already know what the words I'm supposed to type in are?
posted by odinsdream at 5:55 AM on November 9, 2007


Wild? Clutch?! Sweet cheebus, what century are you fogeys from? Pukka is teh new hotness.
posted by carsonb at 6:18 AM on November 9, 2007


groovy
posted by psmealey at 6:23 AM on November 9, 2007


"Clutch" is from Mean Girls, carsonb. (As is team lowkey's quote.)
posted by inigo2 at 6:28 AM on November 9, 2007


odinsdream, from the recaptcha page:
"But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct."
posted by inigo2 at 6:30 AM on November 9, 2007
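
Added example, not part of the thread and not reCAPTCHA's own code: a sketch of the two-word scheme quoted above, where the known word decides pass or fail and the reading of the unknown word is only accepted once several people agree. The class name, the quorum of three, the whitespace and case normalization, and the sample words and image id are assumptions made for illustration.

```python
from collections import Counter

QUORUM = 3   # assumption: matching readings needed before an unknown word is accepted


def normalize(typed):
    # Case-fold and split on any whitespace, so a pasted leading tab or a
    # doubled space between the two words does not fail an otherwise right answer.
    return typed.lower().split()


class WordPairChallenge:
    def __init__(self):
        self.votes = {}      # unknown image id -> Counter of readings
        self.resolved = {}   # unknown image id -> accepted transcription

    def submit(self, control_word, control_first, unknown_id, typed):
        """Return True if the user passes. Only the control word decides that."""
        words = normalize(typed)
        if len(words) != 2:
            return False
        control, unknown = words if control_first else words[::-1]
        if control != control_word.lower():
            # Failed the word whose answer is known: the reading of the other
            # word is discarded, so failed attempts never feed the transcription.
            return False
        tally = self.votes.setdefault(unknown_id, Counter())
        tally[unknown] += 1
        reading, count = tally.most_common(1)[0]
        if count >= QUORUM:
            # One person's reading is never enough; agreement is required.
            self.resolved[unknown_id] = reading
        return True


def demo():
    # Constructed submissions for one unknown image; "upon" is the control word.
    challenge = WordPairChallenge()
    typed_answers = [
        "upon morning",
        "\t  Upon  MORNING",   # stray whitespace and capitals still pass
        "upon mourning",       # passes, but this lone reading never reaches quorum
        "up0n morning",        # control word wrong: rejected and not counted
        "upon morning",        # third matching reading: word is resolved
    ]
    results = [challenge.submit("upon", True, "img-17", t) for t in typed_answers]
    return results, challenge.resolved

if __name__ == "__main__":
    print(demo())
```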


Quoting Mean Girls?! Golly, what century are you fogeys from?
posted by carsonb at 6:31 AM on November 9, 2007


I associate "clutch" with David Eckstein and I do not enjoy David Eckstein.
posted by drezdn at 6:43 AM on November 9, 2007


Plus everyone knows unleaded == cool.
posted by drezdn at 6:44 AM on November 9, 2007


I also had chrisbucks' problem above, in identical circumstances.
posted by roofus at 7:05 AM on November 9, 2007


Ok, so we're going to do the thing that Gmail does which is a hybrid of both: you'll get 4 attempts then you'll be shown a captcha and any subsequent attempt will require a captcha.

That's not working here - if I log out I have to do the whole captcha thing again on the next login.

It also sucks with Firefox on Linux - when you paste the generated code into the text box, a tab and some spaces get inserted in front of the code. This is scrolled off the top of the text box where you don't see it, leaving you fuming as to why the damn thing keeps insisting that you didn't login right.
posted by bitmage at 7:21 AM on November 9, 2007


mathowie writes "I'll see if I can get it to stop doing that, but you can still login successfully and it's probably a bad idea in the first place to save our logins in login forms forever. I mean, it's nice and all but it's bad security practice."

Yeah, but like you said this isn't a bank. I only store passwords for sites like this. If someone were to get this password, there's not much they could do but ruin my reputation here, and that would be a drag, but it's not like ruining my credit.
posted by krinklyfig at 7:27 AM on November 9, 2007


Quoting Mean Girls?! Golly, what century are you fogeys from?

I'm from the twentieth. What centuries are you guys from?
posted by timeistight at 7:57 AM on November 9, 2007


That's not working here - if I log out I have to do the whole captcha thing again on the next login.

If you re-read what I wrote about the four tries then captcha, I said "Ok, so we're going to..." meaning it should be live today.

when you paste the generated code into the text box, a tab and some spaces get inserted in front of the code.

I don't understand what you mean here. You shouldn't be pasting anything, but typing keystroke by keystroke into the captcha field. What you type should display normally as it's a normal form element, so I'm not understanding how it is scrolling for you or hard to use but then I'm not on linux.
posted by mathowie (staff) at 8:59 AM on November 9, 2007


inigo2: ""Clutch" is from Mean Girls, carsonb."

It's actually "fetch" in Mean Girls, but, yeah I'm a twentieth century fogey quoting a Lindsay Lohan movie. I should be ashamed. But I'm not.
posted by team lowkey at 9:48 AM on November 9, 2007


i can't figure out how my weenie works. i have spambots, in my pants.
posted by quonsar at 9:52 AM on November 9, 2007


...paste the generated code into the text box...

This is part of the reCaptcha process if you have JavaScript disabled. If you're not using JavaScript, then yeah, this login process is much more of a pain. bitmage, any chance you could enable JavaScript for just this site, maybe just the login page?

Anyway, I'm working on the four-strikes-and-you're-captcha'd page as mathowie described. So that should take care of things for ya when it's live.
posted by pb (staff) at 10:28 AM on November 9, 2007


When I first saw the captcha, I was like

:(

Then I read "you are helping OCR scanned in textbooks for the Gutenberg project," and I was like

:D
posted by Dr-Baa at 10:42 AM on November 9, 2007


I've had mediocre luck with captchas. There appear to be script-kiddie toolkits out there (for the past year and a half or so) to crack captchas. Hopefully this one will be a little better.
posted by lodurr at 11:23 AM on November 9, 2007


This is part of the reCaptcha process if you have JavaScript disabled. If you're not using JavaScript, then yeah, this login process is much more of a pain. bitmage, any chance you could enable JavaScript for just this site, maybe just the login page?

I have Javascript enabled for MeFi, but I guess I'll need to enable it for the captcha site...

Ah! That does make the process much less annoying than the enter username, enter password, enter captcha, click on Human button, cut 5 lines of generated text, paste into dialog, edit to remove tab and spaces that came from nowhere, submit, pant, pant, pant sequence.
posted by bitmage at 12:00 PM on November 9, 2007


Mean Girls is one of the best movies of all time. It is so fetch.
posted by blacklite at 12:04 PM on November 9, 2007


It's actually "fetch" in Mean Girls...

Son of a..... I knew that didn't sound right, and yet I insisted to myself that it was...oh well.
posted by inigo2 at 12:16 PM on November 9, 2007


The new, new login page is live. You'll only see the captcha if you've unsuccessfully tried to login five times.
posted by pb (staff) at 12:32 PM on November 9, 2007


PB:
Now when I login, I'm asked for username and password. When I enter those, I end up on a blank page with the URL: http://www.metafilter.com/login/checklogin.cfm#cgi.HTTP_REFERER#

If I refresh that blank page, I get the following page:
--------------------------------------------------------
Login Error!

The form wasn't submitted properly, there's no username defined. Go back and try again, or if you get this message frequently please contact the admins and describe your problem.
--------------------------------------------------------

But then I'm logged in ok. Javascript is active, I'm behind a squid-proxy firewall here at work.
posted by bitmage at 12:38 PM on November 9, 2007


I'm a twentieth century fogey quoting a Lindsay Lohan movie

I thought it was a Rachel McAdams movie... rowr.
posted by psmealey at 12:40 PM on November 9, 2007


hey bitmage, do you get that same sequence of events each time you try to log in? Or was it a one-time thing? You also might try Shift + Refreshing the login page.
posted by pb (staff) at 12:52 PM on November 9, 2007


Same sequence, i.e.
Logout, close browser, open browser, go login, blank page, refresh, weird message and I'm logged in. My cache and cookies are cleared whenever I exit Firefox.

It's not a big issue, but I thought you might want to know.
Thanks for making the captcha bit less intrusive!
posted by bitmage at 12:57 PM on November 9, 2007


huh. sounds like the redirect at the end of the login process isn't working for you. You might see a blank page for a split second, but you're supposed to go on to your final destination.
posted by pb (staff) at 1:05 PM on November 9, 2007


but you're supposed to go on to your final destination.

Where I'll be baked, and then there will be cake...

Not a problem, this is much better than the captcha sequence before! Thanks!
posted by bitmage at 1:14 PM on November 9, 2007


http://www.metafilter.com/login/checklogin.cfm#cgi.HTTP_REFERER#

pb, looks like some CF code isn't running if a user is seeing the variables like this.
posted by mathowie (staff) at 1:38 PM on November 9, 2007


yeah, can't for the life of me reproduce it though.
posted by pb (staff) at 1:58 PM on November 9, 2007


And it's fixed. (Found it after all.) You should be all set bitmage.
posted by pb (staff) at 2:10 PM on November 9, 2007


Now my car won't start.
posted by cortex (staff) at 2:11 PM on November 9, 2007


I just fixed it, cortex. Try again.
posted by pb (staff) at 2:13 PM on November 9, 2007 [1 favorite]


Login works fine now. Thanks for the quick fix!
Cortex, type the captcha on your dash - should look something like PRNDL...
posted by bitmage at 2:14 PM on November 9, 2007


It's kind of doing this "rrrRUNNNGrrrRUNNNNGGkakkity" thing and then smoke comes out of the cup holders.

I'm parked at the Opera, if that helps.
posted by cortex (staff) at 2:55 PM on November 9, 2007


When I try to change the captcha or have it read to me, it tells me "Internet Explorer cannot display the webpage." Is it just me? I was looking forward to hearing how creepy the audio option sounded.
posted by Iamtherealme at 8:54 PM on November 9, 2007


oh it's horror show alright, just like a numbers station. (The worst is the murmuring voices in the background.)

If you have "Open links in new windows?" checked in your preferences, you might try unchecking that, saving, and trying the captcha again. I've noticed that reload and audio don't work with links set to open in a new window.
posted by pb (staff) at 9:21 PM on November 9, 2007


Whoa. Any reason the site went white?
posted by Reggie Digest at 9:31 PM on November 9, 2007


Ha.. D'oh. Fuckin Firefox.
posted by Reggie Digest at 10:48 PM on November 9, 2007

