Self-registration needs captcha
Category: Accounts / authentication
I've had a public issue tracker running Mantis that was flooded with spammer attempts to create accounts. The spammers registered, but never completed the "click the link in email" step. So they didn't get accounts, but I had a constant stream of bogus half-registered accounts to clean up. I was only able to prevent this abuse by enabling captcha on the self-registration page.
I am now converting to Redmine, and I've noticed that there is no option for captcha on the self-registration page. I'm concerned that I'll soon be back in the same boat once Redmine goes live. Please consider adding captcha to all self-registration pages.
#7 Updated by Jean-Baptiste Barth over 8 years ago
The idea of an interactive question is just a bit better than CAPTCHA, but it's still annoying for the user imho.
Please, don't introduce such a thing into Redmine...
#8 Updated by Brad Schick over 8 years ago
Jean-Baptiste, if those techniques worked as well as CAPTCHA more people would use them. The main problem is that most of them fail if a human looks at the site once, and then updates their registration bot to "behave correctly".
I'd also mention that CAPTCHA can easily be made an optional feature. But not having it at all will likely be a show-stopper for some.
#9 Updated by Jean-Baptiste Barth over 8 years ago
It could be completed, made more complicated so that it has no impact on user experience and it's still efficient. I understand your point, but I disagree with the "not widely used => not working". This is the reason why Rails doesn't enter many enterprises, and J2EE survives.
Anyway, I was thinking of a default feature. If it's optional and turned off by default, why not... Maybe it could also be implemented as a plugin, see #1131 for that, which will be integrated in the next 1.0 release.
#11 Updated by W Snyder over 8 years ago
+1 for a plugin. I also was having spam problems on my site, it reached several per day, so I hacked into the sources an "Enter 'foo' here" text field. I realize a human could easily hardcode around this, but the reality is most of the spam doesn't have a human involved at any point in the process. I've had only one get through since.
#13 Updated by Enrique Garcia about 8 years ago
Jean-Baptiste Barth wrote:
CAPTCHA is one of the darkest sides of the WWW.
To me, Captchas on websites are like the Police, the Firefighters or Hospitals in the real world. It would be very nice if they were not needed. But the reality is that they are needed.