View Full Version : Discussion/Suggestions: Enhanced Security on Login (merged threads)
I'm just curious to see what other people think about this. Here is my opinion:
I don't see why it is necessary to do something like this for a login page. Yes, yes, to prevent scripted attacks and whatnot. However, I have NEVER seen a CAPTCHA system on a login page, not even on accounts which are much more sensitive than a web hosting account (i.e. bank, credit card, investment sites). If people have strong passwords like they should, then there shouldn't be a problem. If they don't, it isn't PW's fault that their accounts are getting hijacked, it is their own fault for being stupid.
If PW has a problem with scripts attacking the login page trying to gain access to accounts, is this really going to stop that? I'm not sure about this, but won't the scripts just keep on trying, but now also be trying to break the CAPTCHA system? It won't stop the battery of attacks, it will just lead to more unsuccessful attempts (just as people implementing strong passwords would lead to more unsuccessful attempts).
Conclusion: I hate interpreting what these systems produce, and I think the extra step is completely annoying and unnecessary.
Anyone else have any input?
In order for me to login to my bank, there is a picture and a phrase that have to match before I can complete the login.
And technically, there is no discussion. They are implementing it and were merely notifying people in advance.
Yes, I also have that same feature with my bank. Assuming we're talking about the same one, it is not CAPTCHA, nor is it anything like CAPTCHA. The point of CAPTCHA is to stop scripts. The point of the system the bank uses is to prevent customers being redirected to third party sites. The bank system does not make you read skewed numbers out of an image, it simply asks you to look at the image before you enter your password so you can verify it is the image which you chose, and therefore, verify the identity of the website.
The point of this thread is not to convince PowWeb that this is a bad idea. As I said, I am curious as to what other people think, that's all.
troycawley
4-9-08, 02:18 PM
In order for me to login to my bank, there is a picture and a phrase that have to match before I can complete the login.
I was just thinking that this would be a much better way to implement a higher level of security, as I agree with patr547. I strongly dislike CAPTCHA validation.
rtoohill's announcement (http://forums.powweb.com/showthread.php?t=79278) admits that PowWeb realizes "that CAPTCHAs aren't the most widely lauded tools" and that "we're trying out a CAPTCHA."
So for those of you who also dislike the new CAPTCHA validation, I have submitted a suggestion (http://members.powweb.com/webControl/vote/) to either remove it, or at least:
1) The CAPTCHA should be no longer than 6 characters.
2) The letter O and the number 0 should not be required (which causes confusion), as well as some others (1, l and I, 9 and g, 4 and A, etc.)
3) CAPTCHA surrounds (pixels added around the numbers or letters to prevent computers from interpreting the characters) should not resemble letters or part-letters.
Go there and vote for this suggestion if you dislike the CAPTCHA validation on login to the PowWeb control panel.
Conclusion: I hate interpreting what these systems produce, and I think the extra step is completely annoying and unnecessary.
I totally agree. Actually, I'm pretty upset about this. Not only am I visually impaired, my website is just fan stuff about animation and rats; no one would take the time to break the password of such a silly website. This is totally unnecessary.
In order to break a login page with an automatic script by brute force, you would need an extremely long time just to break one password. Isn't it better just to add a timer between failures after the third login error?
no one would take the time to break the password of such silly website
They don't break into your website to mess with your site, they bust in to use the space. Many phishing sites that are set up are nested in a subdirectory of a real website. Someone is hosting it and doesn't know until they are shut down or get complaints. They could also set up spam mailing scripts or even create e-mail accounts to spam from.
I don't log into OPs that often, so I guess I don't worry about it that much.
I have noticed more and more sites moving to the CAPTCHA, including one of the banks I have an account with. They have gone overboard if you ask me. They ask a security question, have a CAPTCHA, and have a custom image that I have created displayed on every page. ALL of that is on top of my normal password!
Powweb is clearly managed by DA's. Did they even test this before implementing it?
I am now on my tenth attempt to log in. I can't read the images. Which characters are o's or 0's? Which characters are l's, 1's or i's?
I will admit that I have only seen one CAPTCHA that was worse than that one. VERY difficult to read and, as spamjim says, there is no way to tell similar characters apart.
After a half hour of being on chat hold (phone support hung up on me after 25 minutes on hold), I am now in a chat window with support. They asked to see how bad the images were. I copied a few to my site and shared links. We played a game where I would quickly copy the CAPTCHA image to my server and share with the Powweb technician. The powweb technician would guess what it read. I typed what the Powweb tech gave me. And the Powweb OPS response would be 'Input did not match the text. Please try again.' How are customers supposed to use this if Powweb staff cannot?
To give fair credit, the tech is telling me that my issue is being escalated.
The shame in this is that CAPTCHA is being implemented to prevent brute force attacks by automated programs. The best way to defeat an automated attacker is to limit the number of login attempts. Powweb allowed me 20 successive attempts to login (as I guessed the CAPTCHA phrase incorrectly 20 times until successful) so it appears Powweb does not limit login attempts. This makes their current CAPTCHA system even more pointless.
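As an added example (not PowWeb's code and not from any post in this thread), here is the attempt limiting that spamjim says is missing, in Python: failed logins are counted per account and per source address over a sliding window, and once either counter reaches its limit further attempts are refused before the password is even checked, so a guesser gets no signal from a locked account. The limits, the window, the `alice` account and the `203.0.113.5` address are all made up for the demo.

```python
import time
from collections import defaultdict, deque

# Added example (not PowWeb's code): a login front-end that counts failed
# attempts per account and per source address over a sliding window and
# refuses further attempts once either counter reaches its limit.
# All limits below are assumptions for the demo, not values the host uses.
MAX_PER_ACCOUNT = 5          # failures per account before that account locks
MAX_PER_SOURCE = 20          # failures per source IP, regardless of account
WINDOW_SECONDS = 15 * 60     # sliding window; old failures age out

# Constructed credential store for the demo. A real system stores and
# compares password hashes, never plaintext.
_USERS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now                          # injectable clock for testing
        self._by_account = defaultdict(deque)    # username -> failure timestamps
        self._by_source = defaultdict(deque)     # source IP -> failure timestamps

    @staticmethod
    def _prune(dq, now):
        # Drop failures that fell out of the sliding window.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def _blocked(self, dq, limit, now):
        self._prune(dq, now)
        return len(dq) >= limit

    def attempt(self, username, password, source_ip):
        """Process one login attempt; return 'ok', 'bad_credentials' or 'locked'."""
        now = self._now()
        acct = self._by_account[username]
        src = self._by_source[source_ip]
        if self._blocked(acct, MAX_PER_ACCOUNT, now) or self._blocked(src, MAX_PER_SOURCE, now):
            # Refuse before checking the password, so a locked account gives
            # the guesser no signal about whether this guess was right.
            return "locked"
        if _USERS.get(username) == password:
            acct.clear()                         # a successful login resets the account counter
            return "ok"
        acct.append(now)
        src.append(now)
        return "bad_credentials"


def simulate_guessing(throttle, guesses, username="alice", source_ip="203.0.113.5"):
    """Feed a list of password guesses from one source and return the outcome of each."""
    return [throttle.attempt(username, g, source_ip) for g in guesses]


if __name__ == "__main__":
    t = LoginThrottle()
    print(simulate_guessing(t, ["a", "b", "c", "d", "e", "f", "correct horse battery staple"]))
```

Two things worth noticing in the run: the seventh guess is the right password and is still refused, because the lock applies to the account, so the owner is locked out along with the attacker for the length of the window (which is why the window is short rather than permanent). And a botnet that spreads guesses over many source addresses never trips the per-source counter, so the per-account limit is the one doing the real work.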
I just went out and checked the login page and have to agree with you guys. I've NEVER seen ones that were that hard to read. Putting the damn thing in color would make it a lot easier to read. The grays all blend together.
I give it a big thumbs down for now.
2 comments:
I have logged in and out of OPS twice today with no problem. I do believe that no numeric characters are being used -- at least I didn't see any. So that eliminates some confusion.
Don't like the CAPTCHA?
http://members.powweb.com/logout.bml
;)
While you might be right about zero, I saw plenty of other numbers.
Then I stand corrected.
EDIT: I just went to the login page again and do see a "5". So you are definitely correct -- at least some numbers are being used.
alornmage
4-9-08, 05:07 PM
This is freakin ridiculous! It's aggravating as hell. Thank you so ****ing much for making me deal with a captcha on 11 domains. I really appreciate the extra headache, powweb.
Secure your servers in other ways that don't aggravate the **** out of us.
PS: Your captchas are too damned hard to read... AND now I can't login at all... the captcha is right and the password is right... reset password three times and still no luck getting in. Thanks a lot.
progravix
4-9-08, 05:09 PM
Don't like the CAPTCHA?
http://members.powweb.com/logout.bml
;)
No go. You are still asked for the CAPTCHA. It's just on a secondary page.
While I like the added security, it is cumbersome. I login to OPS 10-15 times a day for various accounts. I agree that this additional level of security is probably not needed, perhaps a simpler method (such as the "bank image") would be a better alternative.
I doubt we are going to see any change with this, however. I bet that a large amount of PowWeb customers don't login to OPS all that much.
May I recommend RECAPTCHA (http://recaptcha.net). Offers much easier to read text, and provides an audio version for the visually impaired. I also like how you can refresh the text without reloading the page.
Dangit, that'll teach me to post without testing it first.
My bad.
This thread will be left open until everyone gets the ranting out of their systems then it's nighty night for it. :)
Appreciate the added security. It only took me 3 tries to login.
How about adding HTTPS for OPS next?
I appreciate the added security as well... Would it be less effective if it were not so hard to read? What is the extent of the problem this fixes? Seems like using a sledgehammer for a finishing nail.
That would have to be the hardest captcha I have seen, three attempts, even with my glasses on. <sigh>
YvetteKuhns
4-10-08, 10:48 AM
One of my clients said he had to try several times to log into OPS. I tried several times and failed. I am STILL unable to read those image verification messages. There isn't enough contrast, so the images look like a blurry black smudge.
I manage to guess them on the first to fifth try on MySpace and other form submissions, but I can't get the one on PowWeb. I tried NUMEROUS times! Help! And to think that I have to do this for EVERY account I manage on PowWeb. No wonder I was forced to get bifocals. My eye surgeon would be disappointed. I almost didn't need glasses and then I went back into the computer field. Now I am going blind.
coan.net
4-10-08, 10:54 AM
I only skimmed the other responses, but here are my thoughts:
1. Only on OPS is OK with me, but PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE DO NOT put it on webmail logins. All my webmail users will freak out.
OK, that was my only thought. Just PLEASE don't expand it to webmail. It took me 2 tries to log into OPS today - but that is not too much of a big deal to me. Would be nice if users could have the option to use it or not to use it, but that would probably be too tricky to set up. (Just please do not expand the use to webmail.)
joshuamc
4-10-08, 11:07 AM
While I can understand the need for improved security (and I appreciate it), it is still apparent that PowWeb's focus is not on improving the customer experience. Every block or extra step you (or any company) place in front of the customer just to "get" to the product makes the whole experience more complicated and difficult to use.
PowWeb has made great strides in improving security, but I will say that a vast majority of the improvements involve placing the burden back on to the customer. What we customers would like to see is more of the burden on you to improve security. Make anything behind login encrypted (and make it load fast), change our account URLs so that they don't reveal our usernames, and hide any account information you can from e-mail headers.
PowWeb requires more from the customer in terms of security to login than TurboTax, the company responsible for doing the taxes for over 60% of Americans!
And if you do change something, don't do the ol switcharoo by saying, "ok - we'll fix part of it, but you now have to jump through hoops to use it."
Give us a pure unadulterated feature or improvement that requires no action on our part! We'll love you for it and come back for more.
That is all.
YvetteKuhns
4-10-08, 11:50 AM
One of my clients said he had to try a few times to login before he was successful, so I tried to login to my account and tried and tried... and failed and failed. I called support and he was able to log into my account with my username and password, so I was using the correct login but not typing the correct image verification.
I finally managed to login after NUMEROUS attempts. I have read image verification on other websites and forms and could guess them after one to five tries, but this one took an hour! I thought they would log my IP address and ban me! While I appreciate the idea of added security, the account is useless if I cannot log into my own account.
The black, blurry smudges are too difficult to read. This is unfair to the visually impaired. We cannot highlight and read images. We cannot click a "read verification" link to hear the characters to type. We just keep guessing and hope we guess it correctly. What a waste of my time and strain on my eyes.
PLEASE DO NOT put it on webmail logins. All my webmail users will freak out.
I agree! In fact, that would DRIVE customers away from here. That would probably include me. I can't believe I wasted half the morning trying to log into my control panel when I was using the CORRECT login. Now I will have to wait until my son comes home before logging into the control panel for any of my PowWeb clients. He has better eye sight and doesn't even wear glasses (yet). I guess I should eat more carrots or someone should try another image verification method.
Maybe a mass of tickets from customers would get them either a) change the system or b) make the damn things easier to read.
I have a 19" monitor at work and a 24" widescreen monitor at home and BOTH of them are hard to read. (And being almost a half century old doesn't help the eyesight either!!)
YvetteKuhns
4-10-08, 12:16 PM
I just got bifocals less than a year ago after two months of form submissions using image verification caused severe eyestrain. My husband remembers this. My work is becoming hazardous to my health!
I made it clear to support that many of us are not satisfied with the current image verification. I also said that we are supposed to submit trouble tickets through OPS, but we can't do that if we can't log into OPS. My trouble ticket was that I could not log into OPS!
Another web host for a client in Canada had a problem where we could not log into her control panel. We used the same login for a while and they actually blocked my IP address! If we had the choice of typing our IP address or the image verification for added security, I would use my IP address (http://whatismyip.com/). They log it when we log into the control panel anyway, don't they?
progravix
4-10-08, 04:03 PM
Maybe a mass of tickets from customers would get them either a) change the system or b) make the damn things easier to read.
I've submitted my ticket... (via OPS, and after seven login attempts no less).
There's no plan to put it on webmail. If you're a multi-account holder, and you have the client manager tool, you don't need to reauthenticate with a CAPTCHA.
Quite frankly, we didn't have time to do a SiteKey. I wanted to do a "kitten CAPTCHA", if we were going to do one at all, but we would have had complaints about it being unprofessional. Cute, but unprofessional.
We'll continue to tweak the CAPTCHA. Work on making it easier for humans, but harder for machines.
But for those of you who think that this is not a deterrent, you're gravely mistaken. In our work over the past few months, we have seen some ingenious schemes to get into people's accounts. Granted, our security is pretty great. One compromised account cannot get into another.
But we get countless calls/chats/IMs each day of accounts that have been compromised and customers who blame us for a lack of security. In many cases, it's their own compromised PHP scripts, or a weak password. But in some cases, it's that some folks who live in Eastern Europe or Russia have a list of passwords and will use botnets to authenticate and upload malware.
It's not science fiction, it's legit. They'll compromise the account through traditional means (an old phpBB board), then use the compromised account, through scripted logins, to continually put back malware, trojans, etc. Which is bad in a bunch of ways, obviously.
We do our best to combat this. One thing was the new "change your password at next login" when we find you've been compromised. Another was the "we only send you a temp password over email, you have to change it when you use it." (Which, by the way, was a PowWeb request from long ago). Another was the CAPTCHA.
We'll work to improve the CAPTCHA, make it better, maybe replace it with something like a SiteKey down the road. Maybe we'll ditch it altogether.
For now, we're giving it a shot because we figure it is easier to deal with the small volume of complaints about a CAPTCHA than the large volume of people who blame us for them getting their site hacked. (Small volume isn't meant to be derogatory. It's meant to actually reflect the number of support contacts we've gotten on the issue, which has been sub-30 in 2 days. It'll go up, I know, as more people come to the site to login, but we're looking at 30 contacts per a few thousand unique logins, which is much less than I expected.)
Believe me, I hate CAPTCHAs. But we're not unique here. They've been proven to be effective.
Now back to what I've spent the last few 80 hour weeks doing, which is cleaning up people's phpBB boards that they've left to die and fill with spam and cause a ridiculous load on our MySQL servers, slowing your sites down. Seriously. That's pretty much it. Killing off 10 or 20 spam boards per box can bring the load down by an order of magnitude.
Quick addendum:
IP addresses are, unfortunately, not nearly unique enough to be used as a verification mechanism. Lots of big ISPs send lots of users from the same IP address. And it's inherently scriptable.
The end goal is something really cool like a SiteKey. For now, we'll continue to tweak the CAPTCHA.
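The staff reply above describes two account-side controls alongside the CAPTCHA: a temporary password that is sent out of band and must be replaced when it is used, and a "change your password at next login" flag set on an account found compromised. As an added example (not PowWeb's code), here is one way to model both on an account record in Python. The one-hour lifetime of the temporary password, the rule that only the temporary password works while one is outstanding, and the `alice` account are assumptions for the demo; the password hashing uses PBKDF2 from the standard library.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example (not PowWeb's code): an account record with a one-time
# temporary password and a 'must change password' flag. The lifetime below
# is an assumption for the demo.
TEMP_PASSWORD_TTL = 60 * 60   # seconds a temporary password stays valid


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, password, now=time.time):
        self._now = now                      # injectable clock for testing
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.must_change = False             # set when the account is found compromised
        self.temp = None                     # (hash, expires_at) while a temp password is outstanding

    def flag_compromised(self):
        """Staff action: the next successful login may only change the password."""
        self.must_change = True

    def issue_temp_password(self):
        """Generate a single-use temporary password; the caller delivers it out of band
        (the thread mentions e-mail). While it is outstanding and unexpired, only it works."""
        temp = secrets.token_urlsafe(12)
        self.temp = (_hash(temp, self.salt), self._now() + TEMP_PASSWORD_TTL)
        self.must_change = True              # whatever logs in next has to set a new password
        return temp

    def login(self, password):
        """Return 'denied', 'ok' or 'change_required'. A 'change_required' session
        should be allowed to do nothing but call change_password()."""
        now = self._now()
        h = _hash(password, self.salt)
        if self.temp is not None:
            temp_hash, expires = self.temp
            if now > expires:
                self.temp = None             # expired: regular password works again, change still required
            elif hmac.compare_digest(h, temp_hash):
                self.temp = None             # single use
                return "change_required"
            else:
                return "denied"              # an outstanding temp password suspends the regular one
        if not hmac.compare_digest(h, self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, new_password):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.must_change = False
        self.temp = None


if __name__ == "__main__":
    a = Account("alice", "old-password")
    a.flag_compromised()
    print(a.login("old-password"))           # change_required
    tmp = a.issue_temp_password()
    print(a.login("old-password"), a.login(tmp), a.login(tmp))   # denied change_required denied
```

The design choice to note is that issuing a temporary password suspends the regular one: if the reset was requested because the account was taken over, whoever holds the old password is locked out until the temporary one is used or expires. The flag, on the other hand, does not lock anyone out; it only narrows what the next session may do, so it is only as good as the server's enforcement that a `change_required` session can reach nothing but the password-change form.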
The image verification that they started for the OPS control panel is ridiculous! How are we supposed to read that? I have to go through 6 images before I get one that works. It is very aggravating. Anyone else having trouble with this? :eek:
Croc Hunter
4-11-08, 04:53 AM
The CAPTCHA is pretty silly, honestly. Why do you make all the good people suffer for a handful of idiots? Many people with a disability simply cannot use CAPTCHA logins. Ban, delete, block the idiots; make it hard for them, not the good people. If some fools let their phpBB demise, nuke it too. It's funny you mention out-of-date phpBBs; had a look in Install Central lately? Nearly every single application version number is out of date.
Photo of PowWeb's CAPTCHA system (attached)
YvetteKuhns
4-11-08, 03:08 PM
IP addresses are, unfortunately, not nearly unique enough to be used as a verification mechanism.
No, but at least I can read it and enter it. It is probably easier to guess my password than my IP address. It was just a suggestion since I can't read those stinkin' images.
If some fools let their phpBB demise, nuke it too. It's funny you mention out-of-date phpBBs; had a look in Install Central lately? Nearly every single application version number is out of date.
Staff must be sick of us bringing up this topic. Disable OLD scripts and notify owners to update before re-enabling them. I would love to see Install Central gone, especially if it can't be updated soon enough. People who use IC don't know or remember when to update scripts. They rely on PowWeb for that.
I will admit that I have only seen one CAPTCHA that was worse than that one. VERY difficult to read and, as spamjim says, there is no way to tell similar characters apart.
Agreed.
I'm not visually impaired, but this CAPTCHA looks like smudged writing on a sixth-generation photocopy. It would be helpful to use a white background and high-contrast images.
There should also be a button or other option to use audio for the visually impaired and those of us who find that 7-8 attempts are needed when using the visual representation.
OK, I think we've all gotten the idea that people don't like the new CAPTCHA, so this thread is pretty much reaching the end of its shelf life.
But for those of you who think that this is not a deterrent, you're gravely mistaken. In our work over the past few months, we have seen some ingenious schemes to get into people's accounts.
Absolutely correct.
Last year I had a problem with another ISP. One of my sites was compromised by someone who uploaded scripts and pages for spamvertising prescription drugs. I'd only accessed the control panel and FTP via computers that were scanned every day - so I had no reason to believe my passwords were stolen by spyware. No one else had physical access to those computers and the password information isn't stored on any of the hard drives.
The web site had no scripts that had security vulnerabilities, and the site wasn't running any web applications that had reported security vulnerabilities.
It eventually became apparent the ISP's Windows Server Administrator wasn't top of the line talent. Undoubtedly the Windows Server had been hacked to get the account information.
So PowWeb is astute in protecting customers' interactions with 3-factor authentication, in addition to measures to secure its servers. However, the CAPTCHA needs a bit of work.
I left <<name removed>> because of their horrible interface and if I have to go through three attempts to log on to my account - I may begin to look for a new host...
Quick addendum:
IP addresses are, unfortunately, not nearly unique enough to be used as a verification mechanism. Lots of big ISPs send lots of users from the same IP address. And it's inherently scriptable.
The end goal is something really cool like a SiteKey. For now, we'll continue to tweak the CAPTCHA.
Please tweak it hard. It takes me at least half a dozen tries before I can finally read the captcha. If it were more legible, it wouldn't be such a problem. What would be the big deal in making it perfectly legible? Why does it have to look like bad scrambled eggs? It's an image and there is no reason that I see why it has to be so difficult to read.
I just click a few times and change it to one that I can read easily. It takes a few extra secs but saves me frustration. :)
I also had trouble logging in. I couldn't read the letters and then they wouldn't appear.
This definitely needs to be improved.
Neat Pete
4-13-08, 09:44 PM
It took me three attempts to log in. Hardest to read CAPTCHA I've ever seen.
YvetteKuhns
4-13-08, 10:13 PM
I just click a few times and change it to one that I can read easily.
I had to do that after ten minutes of wrong guesses. I could be reading only one character incorrectly and not even know which one is wrong. I had to contact support as I feared they would think someone ELSE was trying to log into my account. I checked to see if I accidentally bumped the Caps Lock key. I was unsure if my password was still correct. I couldn't believe how many times I guessed the image verification incorrectly!
I decided to click to change in hopes that one image would be easier to guess than the previous one. I felt like I was taking an eye exam and failing. My eyeglasses are not even a year old. I can read the fine print on a contract better than these images. If this isn't improved soon, I will have to take a vacation from PowWeb hosted logins. The eye strain is causing headaches and blurred vision.
It is surprising that there is no audio version for the vision impaired. It doesn't seem fair for a global business that sells to such a general public to NOT offer services to the visually impaired. Even if the image verification is improved for easier visual reading, how about those who cannot read visually? We cannot highlight images to be read as text. I hope that this will be taken into consideration.
HalfaBee
4-13-08, 10:48 PM
They could do the image in braille, that would make it easier to login.
alornmage
4-14-08, 12:58 PM
At least when I came back here today, I'm not the only one with problems. I spent 5 tries today to get in... and my vision is perfect... this officially sucks!
I run sites for clients on here as well. I REALLY enjoy having to hear them all call me up because they too think this sucks.
I called Friday for tech support because I couldn't get in at all. The tech I spoke to Friday was so clueless I had to hang up and beat my head against the captcha until I got one I could read. He honestly didn't know what a captcha was. When I demanded to speak to a supervisor who knew what the hell I was talking about, I got put on hold for 20 minutes and eventually hung up.
We long term customers who have been using powweb for 5 years now really appreciate your continued screwing us with the inability to access our accounts simply because you admins can't protect your servers adequately against intrusion.
If your php scripts are vulnerable to exploit, REMOVE THOSE DAMNED SCRIPTS and stop screwing with our time. I'm sick and tired of multiple attempts to get into each and every domain I host here. This is pathetic and needs to stop.
And Doc C, it'll reach the end of its life when they get rid of the captcha.
YvetteKuhns
4-14-08, 01:53 PM
We long term customers who have been using powweb for 5 years now really appreciate your continued screwing us with the inability to access our accounts simply because you admins can't protect your servers adequately against intrusion.
If your php scripts are vulnerable to exploit, REMOVE THOSE DAMNED SCRIPTS and stop screwing with our time. I'm sick and tired of multiple attempts to get into each and every domain I host here. This is pathetic and needs to stop.
And Doc C, it'll reach the end of its life when they get rid of the captcha.
Yeah!
No, it will reach the end of its life when it contributes no more to the forum. Them's the rules.
YvetteKuhns
4-14-08, 02:54 PM
Has anyone seen any good alternatives to the current image verification method? Using common questions can still be guessed, because the answer will be a word from a dictionary and customers speak different languages, but the question and answer will probably be in English. It would be helpful if we give the staff ideas what could replace what is currently in use.
entrecon
4-14-08, 03:06 PM
I have no problem with a CAPTCHA if it is a good one. I think the biggest problem with this one is how poor the images are.
I personally have no problem with it other than what entrecon says regarding the crappy images. If they are made legible, 90% of the complaints about it disappear.
progravix
4-14-08, 03:42 PM
I agree with entrecon and Doc.
tpoynton
4-14-08, 03:42 PM
I agree; legible images would be good, and I also believe most complaints center around that issue. I read somewhere that there are scripts that read captcha now, so I understand the need to not just have real easy letters...but the current system is a little too extreme.
mjandreau
4-14-08, 03:47 PM
Not that my decision has anything to do with whether or not it stays or goes.
But, stop and think for a second; if you make the images easier to read, you render the security measure useless. Making them easier for people to read, makes them easier for bots to read, too.
Not to dissuade anything, or to throw anything in anyone's face. I, for one, don't necessarily agree with (or like) the captcha, either.
progravix
4-14-08, 03:52 PM
But, stop and think for a second; if you make the images easier to read, you render the security measure useless. Making them easier for people to read, makes them easier for bots to read, too.
By that logic, making the images so difficult to read renders OPS useless.
YvetteKuhns
4-14-08, 04:02 PM
I read somewhere that there are scripts that read captcha now, so I understand the need to not just have real easy letters...but the current system is a little too extreme.
I agree.
By that logic, making the images so difficult to read renders OPS useless.
That was my original complaint to support. I cannot log into OPS without wasting ten minutes guessing that stupid image code. Now only spammers can log into OPS and real people cannot. I do NOT have this problem elsewhere and may have to move ALL accounts elsewhere to be able to manage them.
Security is important, but if customers cannot access their own accounts, they will have to go elsewhere. If the image cannot be changed, can there be audio? We know that alt tags are not a good idea, but can an audio link be used? I have seen that elsewhere and used it.
tpoynton
4-14-08, 04:03 PM
I think the usability benefits from it being a little less secure would make the customers happy...although fewer customers would make things more secure :)
What about requiring stronger passwords, in combination with a more legible captcha? for example, a password must be at least 8 characters, with a minimum of two numbers and two uppercase letters.
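As an added example (not PowWeb's code and not from the post above), here is the suggested composition rule in Python, with two checks that matter more than it does: the password is also normalised (case folded, leading and trailing digits and punctuation stripped, common letter substitutions undone) and looked up in a denylist, and it must not contain the username. The denylist and the mangling rules are assumptions for the demo; a real deployment would load a large breached-password list. The point the run makes is that "PAssword12" satisfies the 8/2/2 rule and is still a dictionary word with two digits tacked on.

```python
import re

# Added example (not PowWeb's code). The composition rule is the one the
# post suggests; the denylist and the mangling rules are assumptions for the demo.
MIN_LENGTH = 8
MIN_DIGITS = 2
MIN_UPPER = 2

# Constructed denylist. A real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

MSG_SHORT = f"shorter than {MIN_LENGTH} characters"
MSG_DIGITS = f"fewer than {MIN_DIGITS} digits"
MSG_UPPER = f"fewer than {MIN_UPPER} uppercase letters"
MSG_COMMON = "a common password with predictable mangling"
MSG_USERNAME = "contains the username"

# Map the usual digit/symbol substitutions back to the letters they stand for.
_LEET = str.maketrans("0134@$", "oleaas")


def normalize(pw):
    """Undo the mangling people apply to a dictionary word so it can be matched
    against the denylist: lowercase, strip leading and trailing digits and
    punctuation, then map common letter substitutions back."""
    s = pw.lower()
    s = re.sub(r"^[\d\W_]+", "", s)
    s = re.sub(r"[\d\W_]+$", "", s)
    return s.translate(_LEET)


def check_password(pw, username=""):
    """Return the list of policy violations (empty when the password is acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(MSG_SHORT)
    if sum(c.isdigit() for c in pw) < MIN_DIGITS:
        problems.append(MSG_DIGITS)
    if sum(c.isupper() for c in pw) < MIN_UPPER:
        problems.append(MSG_UPPER)
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append(MSG_COMMON)
    if username and username.lower() in pw.lower():
        problems.append(MSG_USERNAME)
    return problems


if __name__ == "__main__":
    for candidate in ["PAssword12", "PAssw0rd!!", "Tr0ub4dor&3Xk", "ALice2024xyz"]:
        print(candidate, check_password(candidate, "alice") or "accepted")
```

The normalisation is deliberately the same trick a cracking tool's rule set applies in reverse, which is why a denylist check on the normalised form catches far more than a plain string match would.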
entrecon
4-14-08, 04:17 PM
Making them easier for people to read, makes them easier for bots to read, too.
I actually read where hackers were tricking people into reading the CAPTCHA for them. They would display a CAPTCHA from a site they wanted to hack onto a phony site they had created. Someone would think they were entering it for the site they were visiting and wouldn't even realize they had just helped a hacker.
YvetteKuhns
4-14-08, 07:49 PM
In all my years of web design, none of my clients have had a problem with their control panel being hacked on any web host (yet). I hope it never happens, but they often use the same passwords for EVERYTHING and their MySpace, Hotmail or other accounts are sometimes hacked. We haven't used old open source scripts such as phpBB that are common targets for hacking. It appears that most accounts that have been hijacked had a security issue stemming from another insecure account.
How many accounts have actually had OPS hijacked? Of those, how many were using old or abandoned scripts, free email accounts or weak passwords? Some people allow too many people to have privileges on their accounts. Customers need to improve security in other areas. Use strong passwords, use different passwords for different accounts, update scripts and remember to login to accounts to make sure your information is correct and up to date.
A few years ago, I attempted to order something from a company that had my account on file. I discovered that someone changed the shipping name and address to a place in California! I contacted the company and they discovered that there was a breach in their security. They have since corrected the problem. While credit cards want the billing and shipping address to match, PayPal didn't care at the time (don't know if they do now).
I haven't had a security problem with PowWeb's control panel until now. On a good note, after taking a product sent to me by a client, my health and vision has improved. And I managed to log into OPS after only 2 tries today! I still don't think it is fair to those who have no method of reading that image.
Don't know about anyone else but this thread is starting to remind me of a kick-punt dog.
YvetteKuhns
4-15-08, 10:51 AM
I submitted a suggestion to the wishlist about replacing the current image verification with something else. I got an email reply:
email contents removed
They don't seem to understand that CAPTCHA is simply deterring customers and not anyone who wants to take over someone else's website. Meanwhile, they totally ignore people with impairments. This is unfair. CAPTCHA has already been proven to be readable. There must be a method that doesn't hinder the true account owners.
I'm finding CAPTCHA a big inconvenience, to say the least. I have assigned strong passwords and now I need to enter the password and attempt to satisfy CAPTCHA, which I haven't been able to do on the first or second try in most cases. It seems to have turned off the password save option as I need to enter the password on each attempt. This is incredibly frustrating and time consuming ... My point is, Network Solutions, GoDaddy and a number of website hosts that I'm aware of don't use this type of "security." It seems like less than a "professional" approach to me.
I have contacted PowWeb to request that CAPTCHA be an option to turn off and on ... but so far, deaf ears. I posted to a forum of peers and this is what they had to say on CAPTCHA:
The only justification I can see any web site having for a captcha is a highly popular site susceptible to automated sign-ups... something like DIGG where automating multiple accounts could be useful.
Beyond that, it seems like a 'we're too lazy to look deeper into a better way to secure this application so let's just toss a CAPTCHA on the front'.
Having to type in a CAPTCHA to get to my control panel would be akin to my bank requiring me to walk through a hedge maze before walking in the door each time. ;o)
----------------------------------------------------------------
"It seems like less than a "professional" approach to me. Or am I off base?"
FWIW, I agree, I also find CAPTCHAs a real PITA 9 times out of 10. And even if they do work it is not a solution I would be happy to offer a client.
-----------------------------------------------------------
Captcha to get into your control panel? I've never heard of that....
Perhaps you can ask them to switch it off on your sites, on the basis that otherwise, you'll consider moving to another host?
FWIW, I hate captcha. Most of the time (with only a few honourable exceptions), you need images switched ON in your browser for it to work - which is useless for blind people and those who generally surf with images switched off (me!).
OK, I think we've all gotten the idea that people don't like the new CAPTCHA, so this thread is pretty much reaching the end of its shelf life.
But still we have no resolution. We should be able to turn-off the annoying and less than "professional" security approach on sites we are actively working on. I have upwards of 70 clients that I have hosted with PowWeb ... CAPTCHA is a nightmare.
Tom Jones
4-15-08, 11:32 AM
How does a web hosting company, which is in the business of offering site enhancing features, release such a half-baked function?
Let's leave the inability to read the CAPTCHA issues to the other thread (especially the issue of having to re-enter everything each time CAPTCHA fails), let's talk about the most basic principles:
1) If you are going to add a new security measure, change EVERY SINGLE LOGIN PAGE. CAPTCHA was failing every time, but I found a page where you could still login using only username/password. How secure is that?
If pow's reply to the above is "we left a page where you didn't have to use CAPTCHA, in case users had issues with the new feature," I'd have to really and truly wonder how much testing was done before this feature was released. Leading me to:
2) we are paying customers, not guinea pigs. Don't release a feature on us (especially one we aren't asking for) until it's bullet proof and fully tested for usability. We are not an Open Source community, we are not paying money to test your new features.
3) Give us the full limitations on new passwords. One letter, one number, at least 8 characters...ok, I got that. But what is the upper limit? I've added two passwords now that don't work. I change the old password to a 35 character new one, it changes fine, and then it fails every login attempt. Change it to an 11 character login, and I can login. Instead of us guessing at the limit, how about telling us the upper limit.
Summing my issues into one solid point: this new feature does nothing to improve the hosting experience. Finding the reason(s) the database server I'm on slows to a crawl daily at certain times for the last year & 1/2 is a much worthier cause!
If you're a multi-account holder, and you have the client manager tool, you don't need to reauthenticate with a CAPTCHA.
How does one go about getting the client manager tool? I have multi-multi client accounts but I put them in the client's name.
Please share with me the location when I can login without CAPTCHA
Tom Jones
4-15-08, 11:47 AM
http://www.powweb.com/errors/powweb/404.html
I'm not a big fan of the current CAPTCHA, but I agree that making it a little simpler for actual humans would make it a non-issue.
Of course, then I see articles like this one (http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html) and wonder anew what problem is actually being solved.
The CAPTCHA already didn't include a few misleading characters. We've taken out a few more.
We've also closed a few of the loopholes that people have been kind enough to point out.
For the folks who think this is all about exploitable scripts, you're entirely missing the point. Our servers are pretty darned locked down. To the point it's a royal PITA for me to get around to do stuff.
Your site is as secure as you can make it. You want to leave exploitable phpBB scripts available, go for it. You want your password to be easily guessable, awesome. We do our best to prevent that, but we can't do it entirely.
The problem comes when the less knowledgeable among us -- i.e. not you folks -- get hacked because their password is p@ssword. Their homepage is replaced with some hacked thing, and they believe our security to be the culprit. So they call us, call the BBB, call everyone, refusing to believe that the problem was, in fact, their own lack of a strong password.
When we started requiring a strong password, we got 100s of calls in the first few days, and ~1000 over the first month or so of people who didn't like that they could use 'joe' as their password. We've gotten significantly fewer calls about the CAPTCHA, which is either a testament to how people have gotten used to them and can't be too bothered to complain, or that they just don't find them overly offensive.
They are useful for what we're trying to do -- prevent scripted logins of accounts. We're dealing with other problems (phpBB, InstallCentral, etc.) in other ways. If you think disabling 10s of thousands of user-installed applications would be less invasive and less tumultuous than a CAPTCHA at login, you just don't have a good view of how customers (in general) are.
We drive more support volume when one MySQL server slows down for a few hours than we have driven with the CAPTCHA over a week. I agree, it doesn't make the CAPTCHA any more fun, but I hope it puts in perspective exactly how big this issue is.
Good catch. The 404 page now directs through the CAPTCHA.
tpoynton
4-15-08, 12:35 PM
Thanks for the 'straight' info, rtoohil. This doesn't seem like something many people consider filing tickets about, because it's not 'broken' and easy to surmise what the problem is. I'll see about filing a ticket to cast a vote...although I would not ordinarily.
You say some problematic characters have been removed. SO, if I can read the captcha the first time, I won't file a ticket...
EDIT - indeed, it is more legible...out of 8 image refreshes, 6 were human readable, while two were questionable. it's an improvement! I can live with it at present.
Has anyone seen any good alternatives to the current image verification method? Using common questions can still be guessed, because the answer will be a word from a dictionary and customers speak different languages, but the question and answer will probably be in English. It would be helpful if we give the staff ideas what could replace what is currently in use.
https://login.yahoo.com/config/login?.src=fpctx&.v=0&.u=54rcarh409k0c&.last=&promo=&.intl=us&.bypass=&.help=3&.partner=&pkg=&stepid=&.pd=fpctx_ver%3d0%2526c=&.done=http%3A//www.yahoo.com
YvetteKuhns
4-15-08, 01:17 PM
I haven't logged into Yahoo in a LONG time, because I barely use it. While it is great that the customers are trying to find better alternatives, it would be nice to see the web host admit that the images were terrible. They have now attempted to change some characters, so we should have a better chance of guessing. But the customers should not have so much trouble logging into their own accounts.
How does one go about getting the client manager tool? I have multi-multi client accounts but I put them in the client's name.
I would love to be able to login with my own login to manage all accounts here. Because my clients have their own accounts, I have been logging into each account with their usernames and passwords. I had to create profiles with my name in their accounts to contact support on their behalf. If I could use one login as I do in Google Webmaster Tools to check stats for all domains I manage, that would be so much easier. I have headaches from those stupid codes.
EDIT - indeed, it is more legible...out of 8 image refreshes, 6 were human readable, while two were questionable. it's an improvement! I can live with it at present.
I hope you are right. If I can guess in 3 guesses instead of ten or more, I will be happier. I won't be satisfied until there is a better alternative that serves the visually impaired. I have no desire to eat 50 carrots a day to improve my vision just to read these stinkin' images!
Well, we all know what the solution is if you don't want to have to use the CAPTCHA.... :)
Well, we all know what the solution is if you don't want to have to use the CAPTCHA.... :)
What might that be ... take my load of clients and move elsewhere? Some response from a person representing PowWeb.
Put CAPTCHA in the trash where it belongs
Tom Jones
4-15-08, 01:52 PM
In the interest of keeping this an active thread (and since my thread was merged into this one), I'll ask what I asked in my post above again..
List the total number of characters you are allowed in a password!!!!
If you corrected the 404 link so fast (which I did not list to be fixed, but to help other frustrated users), how about saving all of us (who can remember a large string password) from trying to guess at how many characters we can use. Just add one extra line to your password requirements:
be at least 6 characters
contain at least one letter
contain at least one number or punctuation character
not be the same as your username
not be the same as your recent passwords
character limit: XX
And change it EVERYWHERE. And bug test it. Twice.
All of my saved passwords are gone too (PowWeb login only ... I didn't clear my passwords)! Is this just a problem I'm experiencing or across the board? I have to look up the client's password and deal with the images as well, if I get the images wrong, I have to put the password in again as well!
In the interest of keeping this an active thread (and since my thread was merged into this one), I'll ask what I asked in my post above again..
List the total number of characters you are allowed in a password!!!!
If you corrected the 404 link so fast (which I did not list to be fixed, but to help other frustrated users), how about saving all of us (who can remember a large string password) from trying to guess at how many characters we can use. Just add one extra line to your password requirements:
be at least 6 characters
contain at least one letter
contain at least one number or punctuation character
not be the same as your username
not be the same as your recent passwords
character limit: XX
And change it EVERYWHERE. And bug test it. Twice.
Thanks so much for pointing that out Tom ... I should have asked off list.
I can't believe that this hasn't been fixed or abandoned yet. The text is unreadable by HUMANS at least 70% of the time. GET RID OF IT OR I AM GONE WITH MY THREE ACCOUNTS!
&*%&&$%&^$ IDIOTS!
coan.net
4-15-08, 04:45 PM
Solution: Why not let each user decide if they want to use the CAPTCHA
Username: MyUsername
Password: MyPassword
CAPTCHA: (leave blank)
hit enter - the system sees that "MyUsername" does not want to use the CAPTCHA and lets them in with nothing in it. For those that want to leave it on, they will have to enter it.
And those "spammers" and bad people trying to get into our OPS - well they will be sitting there trying all day to guess the password & entering the CAPTCHA - but will keep getting rejected for those who don't use the CAPTCHA system!
Is this possible? (at first I did not think it would be, but since I've seen that as a way to fix the 404 login problem, they just sent you to a second screen to enter the CAPTCHA - so at that point the OPS system has your user name & password - enough to know if you are wanting to use the CAPTCHA system or not - so I would think it would be possible)
(Would be a lot easier to just get easier to read images, but what do I know.)
YvetteKuhns
4-15-08, 04:48 PM
Put CAPTCHA in the trash where it belongs
They won't give this up without having something else to use instead. That is why I asked what alternatives customers think would be acceptable. It is obvious that we are NOT happy with the crappy images that we CANNOT read. While they do not seem to care about the visually impaired, they should care about customer satisfaction. We simply can't login to OPS using the images without a hassle.
Strong passwords should be used. Old scripts should be detected and disabled. Email notification to customers of disabled scripts should be sent. It still appears that most of the security problems come from old scripts that were exploited. The rest of us must be inconvenienced, because of those who have these old scripts.
We need an acceptable alternative to CRAPCHA.
All of my saved passwords are gone too (PowWeb login only ... I didn't clear my passwords)! Is this just a problem I'm experiencing or across the board? I have to look up the client's password and deal with the images as well, if I get the images wrong, I have to put the password in again as well!
I thought I lost passwords when I cleared my private data on my computer, but the other logins work on other websites. PowWeb is the ONLY website that is a BIG hassle for logins right now.
Let's just stop the rants now, OK? It's not going to get anyone anywhere and is plain annoying. You all know this is a customer to customer forum so you're preaching to the choir.
Put in tickets if it's so bad.
entrecon
4-15-08, 05:13 PM
Put in tickets if it's so bad.
You have to get past the CAPTCHA first! :eek:
( I know you can e-mail or use the online chat....but I couldn't resist)
coan.net
4-15-08, 05:16 PM
Let's just stop the rants now, OK? It's not going to get anyone anywhere and is plain annoying. You all know this is a customer to customer forum so you're preaching to the choir.
Put in tickets if it's so bad.
I edited my post where I wrote CRAPTOLA (which is what I had always called it - and was too lazy to go and search what it was really called)
But now that I've seen that some might just see the word CRAPTOLA and think it is a rant - when I really gave a good SOLUTION to the problem - I went back and made sure to spell it all correct.
(So if you didn't read it before because you thought it was a rant, feel free to go read it now - I think it is a perfect solution for both those who want more security... and those who do not.)
I re-read your post and agree with you, it is a perfect solution. Reps to ya. :)
YvetteKuhns
4-15-08, 08:58 PM
I repeated when Linda called it CRAP, because we are sick of it. I have to guess many times to login to report the problem through OPS and I called to complain. Security is supposed to stop OTHER people from logging into customer accounts. It is NOT supposed to stop customers from logging into their own accounts.
I did not want to rant about the problem. I wanted to discuss why the current solution is NOT acceptable and what alternatives we could suggest to the web host, so they would consider replacing what is there with what would be acceptable.
Please show some compassion for the customers who have tolerated more than our fair share of obstacles here. Instead of asking us to live with it or leave, perhaps you can help us find a reasonable solution to this problem. I would be happy just to hear staff admit that the images are not a good solution and that they plan to replace it with something better.
I would like to think that SOMEONE still cares about the customers and that we are not just ranting here. The announcement asked for our opinions and we are giving them. Sorry if you don't agree or like what some of us have to say about it, but with this login problem and the web stats issue, I am really disappointed. The only way that the web host will know that is if we tell them. And if we cannot log into OPS and they disconnect our phone calls, the forum has been our means of communicating for many customers.
Maybe they can send each customer special 3D decoder glasses to decode image verification codes. I need all the help I can get!
I will try NOT to discuss this topic any further in the forum. Feel free to edit or delete my posts. I really don't care. I contacted support and I am glad to know that I am not the only one having trouble. That means I don't have to replace my eyeglasses, monitor or other things. The problem is the image verification.
HalfaBee
4-15-08, 09:53 PM
Maybe they could just double the size of the image, that shouldn't be too hard.
Or just get rid of the cork background.
heh, I used a magnifying glass and still got it wrong.
Croc Hunter
4-15-08, 10:29 PM
I go to login, type user/pass and wrong verification 5 times, refresh image, have to retype user/pass and on third try I'm in phew! Go back to my FTP, it's timed out. I reconnect and relocate the directory I was at. Repeat that a few hundred times and tell me you're not sick of this lame CAPTCHA that is supposed to make you feel all safe, warm and fuzzy. Powweb is supposed to help us not hinder.
What good is CAPTCHA on OPS when you don't even have sFTP? You guys do realise there are programs that can sniff FTP user/passes when connecting to a server right? A member even proved it here on the forum once, instead of fixing the problem they closed his account and banned him. I realise sFTP would be hard to configure on the current platform but until you do it's a wide open hole. CAPTCHA on OPS pfff please, stop the nonsense.
notset4life
4-16-08, 12:06 PM
I don't mind using Captchas to log into Ops, but do they have to be so hard to read?
Directly from ZDNet ... posted April 14, 2008
http://blogs.zdnet.com/security/?p=1023
We sympathize ... it is very hard to read and we all hope PowWeb will rethink CAPTCHA.
Try this, I find it helps ... if you use IE on the very bottom right you can increase the size of the page ... I increase it to 200 percent and now I only have to try to login 3 times or so ;)
entrecon
4-16-08, 02:29 PM
There is a related link on that story that says "This stripper is paid in CAPTCHAS" and talks about a program that shows someone a CAPTCHA and in return the stripper removes a piece of clothing. The CAPTCHA is actually one from another website and the person watching the virtual stripper has just helped the hacker.
My suggestion is that PowWeb implement this for their CAPTCHA and let users choose either a male or female stripper. Additionally, clothing should get removed even if you get the CAPTCHA wrong. This should reduce the number of complaints and may even lead to people getting the CAPTCHA wrong on purpose!
YvetteKuhns
4-17-08, 10:31 AM
Try this, I find it helps ... if you use IE on the very bottom right you can increase the size of the page ... I increase it to 200 percent and now I only have to try to login 3 times or so
I use Firefox, but if I need to log into OPS, I guess I will have to try IE. Thanks!
My suggestion is that PowWeb implement this for their CAPTCHA and let users choose either a male or female stripper. Additionally, clothing should get removed even if you get the CAPTCHA wrong. This should reduce the number of complaints and may even lead to people getting the CAPTCHA wrong on purpose!
Most of my clients would love this option, but some would be offended. Still, thanks for the laugh. Again, I do not want to rant anymore, so I won't. I am still reading this thread for helpful suggestions. Most of my clients use IE, so they probably have better luck or just haven't tried to login yet. Sooner or later, they will and I will have to hear about it. I was hoping it would have been GONE before they see it!
There's no plan to put it on webmail. If you're a multi-account holder, and you have the client manager tool, you don't need to reauthenticate with a CAPTCHA.
Quite frankly, we didn't have time to do a SiteKey. I wanted to do a "kitten CAPTCHA", if we were going to do one at all, but we would have had complaints about it being unprofessional. Cute, but unprofessional.
We'll continue to tweak the CAPTCHA. Work on making it easier for humans, but harder for machines.
But for those of you who think that this is not a deterrent, you're gravely mistaken. In our work over the past few months, we have seen some ingenious schemes to get into people's accounts. Granted, our security is pretty great. One compromised account cannot get into another.
But we get countless calls/chats/IMs each day of accounts that have been compromised and customers who blame us for a lack of security. In many cases, it's their own compromised PHP scripts, or a weak password. But in some cases, it's that some folks who live in Eastern Europe or Russia have a list of passwords and will use botnets to authenticate and upload malware.
It's not science-fiction, it's legit. They'll compromise the account through traditional means (an old phpBB board), then use the compromised account, through scripted logins, to continually put back malware, trojans, etc. Which is bad in a bunch of ways, obviously.
We do our best to combat this. One thing was the new "change your password at next login" when we find you've been compromised. Another was the "we only send you a temp password over email, you have to change it when you use it." (Which, by the way, was a PowWeb request from long ago). Another was the CAPTCHA.
We'll work to improve the CAPTCHA, make it better, maybe replace it with something like a SiteKey down the road. Maybe we'll ditch it altogether.
For now, we're giving it a shot because we figure it is easier to deal with the small volume of complaints about a CAPTCHA than the large volume of people who blame us for them getting their site hacked. (Small volume isn't meant to be derogatory. It's meant to actually reflect the number of support contacts we've gotten on the issue, which has been sub-30 in 2 days. It'll go up, I know, as more people come to the site to login, but we're looking at 30 contacts per a few thousand unique logins, which is much less than I expected.)
Believe me, I hate CAPTCHAs. But we're not unique here. They've been proven to be effective.
Now back to what I've spent the last few 80 hour weeks doing, which is cleaning up people's phpBB boards that they've left to die and fill with spam and cause a ridiculous load on our MySQL servers, slowing your sites down. Seriously. That's pretty much it. Killing off 10 or 20 spam boards per box can bring the load down by an order of magnitude.
I can give you a good idea: Use the same style of CAPTCHA that MySpace is using. I never have a problem with those. I frequently have issues with the ones here
YvetteKuhns
4-17-08, 01:13 PM
I can give you a good idea: Use the same style of CAPTCHA that MySpace is using. I never have a problem with those. I frequently have issues with the ones here
MySpace CAPTCHA is easier to read, but I have to guess on them a few times sometimes. They have copyright watermark across them, but they are still easy to read using OCR. They do have it optional. It would be an improvement to what we have now, but what about people who are blind? Is there an option for them? This is a global audience. See vocal captcha (http://labnol.blogspot.com/2006/04/google-introduces-vocal-captcha-for.html) for the disabled.
Uh, not to be a wise guy here but how would a blind person even log into OPS?
Someone who is legally blind (in the UK) can still use computers that screen read and type in the username, password (but not now distinguish the CAPTCHA).
Being blind, legally, doesn't mean (in the UK) a total absence of sight and can include tunnel vision and other visual difficulties.
YvetteKuhns
4-17-08, 03:36 PM
There is software that reads text and links. Some people are partially blind and simply have difficulty reading or distinguishing colors. Others are completely blind.
Try Opera browser and the add-on Voice where you can highlight text and it will be read to you. I let my son use that to read words he does not recognize. I have tried other software in the past since some diabetics also have varying degrees of blindness. There are other browsers with speech capabilities.
There is software that does not require screen at all! See SpeakOn (http://www.a-technic.net/speakon.htm) freeware for an example. See Blinux (http://www.leb.net/blinux/) which is Linux for the Blind.
I know I am a PITA over this, but it is important that EVERYONE can enjoy the Internet. Read this article about the blind winning a lawsuit against Target (http://www.theiplawblog.com/archives/-cyberspace-law-blind-internet-users-victorious-in-discrimination-action-against-website.html). Also, I am worried that I may go blind reading these image things on so many sites!
Worry not Yvette, you'll have won or left before you go blind!
Unfortunately, the reference appears to be saying that in US law there needs to be a specific tie-in between a physical place and a web-site. That isn't the case with Powweb. We all have agreed to be bound by the laws of the state of Mass. and the US. The interpretation of the law in California will have a bearing, but until the case is resolved and Mass. implements similar laws Powweb seems to be not breaking any laws.
A question comes to mind that was asked elsewhere: How do 'blind' people create web-sites? (Ignore the issue of logging into OPS for the answer to this one).
As was pointed out to me, the use of screen readers or browsers is great, but how do the people who are registered blind (in whatever state/country) actually create a web-site?
Technically, the lawsuit was not won. It was granted class action status and the suit itself is still pending.
CA also has the Unruh Act which grants disabled persons even more rights to sue for reasons that would not be granted in other states.
mjandreau
4-17-08, 04:16 PM
A question comes to mind that was asked elsewhere: How do 'blind' people create web-sites? (Ignore the issue of logging into OPS for the answer to this one).
As was pointed out to me, the use of screen readers or browsers is great, but how do the people who are registered blind (in whatever state/country) actually create a web-site?
I'm curious about that too! Wait, it was me that pointed that out!
Yvette, if your vision's bad, how do you actually design sites? I don't mean to call you out about this, it's just that you're definitely the most vocal about the anti-captcha movement.
I'm completely colorblind, and can see the captcha just fine. The front and background colors are easily distinguished for me. Maybe my overall vision's just better than yours?
I don't often login to Ops for any reason, but the few times I've tried, I haven't had any issues, at all.
I'll gladly be the voice of reason here, to get them to remove Captcha, when someone can bring me a blind person that actually built, and maintains their own website through PowWeb. I honestly don't believe such a person exists.
Doc, that's why I said it wasn't resolved!
You did at that, Ian. I was busy researching the case prior to my posting so I'd have my facts straight. You beat me to the punch. Isn't it about time for you to go on another holiday? :)
Change your sig, dude!!!
Ian, you're gone, presumably on holiday. Now go out and play already :D
symo
Playing in hail & sleet ain't much fun!
I'm travelling back home on 18th April - so I'll go watch some TV (it's 9:45pm ish here)
YvetteKuhns
4-17-08, 05:50 PM
Yvette, if your vision's bad, how do you actually design sites? I don't mean to call you out about this, it's just that you're definitely the most vocal about the anti-captcha movement.
I had eye surgery when I was my son's age to correct double vision. A few years ago, I almost didn't need eyeglasses. Then I went back to computer programming and web design. Last summer, I had to get bifocals and need to rest my eyes from staring at the screen all day. I wear tinted lenses, because the surgery made my eyes sensitive to light. Also, I have a problem when there is not enough contrast in colors to read things. For example, light green text on green background is difficult to read.
My eyes are really fast for finding mistakes in people's code. I can read text, especially when I can highlight it or enlarge it. But anything that is warped, scrambled and hidden causes eye strain. I can't tell the lower case i from lower case j in the PowWeb CAPTCHA, for example. The number 8 and the letter B look similar.
My first client was color blind. And I used to work in a pharmacy, so I have known many people who are visually impaired in various ways and degrees. Legally blind is as Ian described while I was still typing. I have seen people use voice software to communicate online. In case you didn't realize it, many people hire other people to create websites for them. A website owner can manage a web host account and not design or edit the web pages. That person may be visually impaired. Just stickin' up for them.
when someone can bring me a blind person that actually built, and maintains their own website through PowWeb. I honestly don't believe such a person exists.
I know there are blind Internet users. I don't know how many of them own websites. It is possible for someone to create web pages with just text. Just static HTML pages as seen when the Internet was born to share information.
Ensuring web sites are easy for disabled people to use is no longer an option - it is a legal obligation. (http://news.bbc.co.uk/1/hi/england/norfolk/3117050.stm) - article in UK
Should Websites Have to Be Accessible to the Blind? (http://www.theinternetpatrol.com/should-websites-have-to-be-accessible-to-the-blind-lawsuit-against-target-says-yes) - see comments. Pete is blind and works in IT field.
I could probably contact associations for the blind or the government to get information. But you may think the number isn't big enough to care. There are customers who are not visually impaired who had problems with the CAPTCHA. We mentioned it here. There have been some improvements, because I can login after a handful of tries now. As more people use the Internet, especially those with disabilities, being user-friendly is something to consider.
Just in case this hasn't been mentioned, how about a five minute time-out after three wrong password entries? Along with a "strong" password requirement and password aging, this should solve the brute-force issue.
If Powweb was serious about security, for a start, SFTP would be implemented and OPS would use HTTPS by default.
If Powweb was serious about security, for a start, SFTP would be implemented and OPS would use HTTPS by default.
Would either of these prevent a brute force scripted attack to crack access to OPS?
YvetteKuhns
4-18-08, 08:59 AM
Just in case this hasn't been mentioned, how about a five minute time-out after three wrong password entries? Along with a "strong" password requirement and password aging, this should solve the brute-force issue.
When I first started programming, I used the "three strikes" method and then an email would be sent to the owner. If the owner was the person who was trying to login, he/she would know it and could request a new password. If the owner did not receive the email (wasn't a problem back then), he/she could send an email from the SAME email account that is on file.
Using this method and strong passwords (that didn't spell anything) worked for us. We really didn't have any problems, but there wasn't much traffic and we were not running popularly used and exploited scripts. This method protected website admin logins. And this even worked on Windows servers!
I would much prefer this method, but I suppose they don't feel this is secure enough.
If Powweb was serious about security, for a start, SFTP would be implemented and OPS would use HTTPS by default.
Customers would think that this would have been a logical step. Think about websites where you enter and leave a secure area. There may be a break somewhere (with all those links to change) and that weak link can be the hole in security. All that work would be for nothing. You can use scripts to find http and replace with https for anything that is a PowWeb URL, but this can be messy.
I am still unsure how secure this really is. If anyone else uses the computer you use, he/she could possibly get into your account. But most "illegal" logins are from another computer. I agree that FTP could be more secure. One way is to discourage people from making changes through the browser! I personally prefer NOT to edit websites through the browser with CMS or to allow visitors to FTP using scripts. Most of the sites I manage do not allow visitors to upload or edit website contents, though some may login for a shopping cart order. Most spammers and hackers need to find weak scripts to change websites. If the scripts are not there, many exploiters will move on to other websites to exploit.
Since many people still want to use CMS and allow visitors to login and do things, these website owners need to keep scripts up to date and set limits for users. Have limits for login time, uploads, downloads, sending mail and other bandwidth usage. Even legitimate users can abuse websites. The spammers will abuse even more. Use a different password for OPS, email, databases and other logins and change them on occasion. Website owners who make/use less secure websites should use additional security measures.
The increase in OPS login security makes me wonder how many people decided to attack OPS directly. I think the attacks were made on accounts using the same passwords as their CMS scripts. Therefore, I don't see any benefits to the recent increase. The increase in security should have been applied to Install Central scripts, FTP and things related to the websites themselves.
There were occasional attacks to websites with static HTML, however. And I remember the JavaScript redirect that appeared in the access logs. There are other methods to "interfere" with OPS or websites. Web hosts need to know how to identify and prevent problems. Of the few problems I have seen, I must repeat that the problem was website owners using the SAME easy-to-guess password for EVERYTHING! That includes free email accounts which are easy to hack. One client used the word "password" for his password! Too bad people have to learn the hard way.
Woould either of these prevent a brute force scripted attack to crack access to OPS?
No, a strong password and a time out after three failed attempts would slow/thwart a brute force attempt. Password aging further ensures security.
SFTP and HTTPS are additional security measures. Like Yvette said, your security is only good as your weakest link.
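Added example (an editor's illustration, not PowWeb's code and not posted by anyone in this thread): a password-policy check of the kind the posts above ask for, rejecting short passwords, passwords with too few character classes, and well-known weak choices such as "password", including the "leet" spellings (p@ssw0rd) that cracking wordlists already cover. The deny-list, the user name "webmaster" and the candidate passwords are constructed for the demo.

```python
"""Password-policy check.

Added example, not PowWeb/OPS code.  It applies the rules proposed in this
thread: a minimum length, a mix of character classes, and rejection of
well-known weak passwords (including "leet" spellings that add no real
strength).  WEAK_PASSWORDS is a small constructed sample; a real deployment
would load a breach-derived list with many thousands of entries.
"""
import re

MIN_LENGTH = 12
MIN_CLASSES = 3

# Constructed sample of passwords that appear in every cracking wordlist.
WEAK_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "sexygirl69",
}

# Substitutions like p@ssw0rd -> password that crackers try automatically.
_LEET = str.maketrans("@$!013", "asiole")

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _normalize(password):
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def failures(password, username=None):
    """Return the list of policy rules the password breaks (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(bool(re.search(p, password)) for p in _CLASSES) < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    if password.lower() in WEAK_PASSWORDS or _normalize(password) in WEAK_PASSWORDS:
        problems.append("matches a known weak password")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    return problems


def is_acceptable(password, username=None):
    return not failures(password, username)


if __name__ == "__main__":
    # Constructed candidates, including the "password" case from the thread.
    for candidate in ("password", "P@ssw0rd123!", "Webmaster2008!",
                      "Blue-Kettle-Whistles-42"):
        verdict = failures(candidate, username="webmaster")
        print("%-26s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```

The leet normalisation only undoes the handful of substitutions listed in `_LEET`; the real protection against "password" and its relatives comes from checking candidates against a large breach-derived list rather than a nine-entry sample.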
mjandreau
4-18-08, 02:30 PM
Not going to address the HTTP or SFTP stuff here, that's a different topic all together.
However, to address the "lock your account" piece;
People are unhappy when they have to wait on hold, when calling support, for two minutes. Imagine if we locked every account automatically after 3 attempts, when bots hit the servers thousands of times a minute?
Almost everyone would call at least once a day, resulting in longer hold times, more support people required, more expensive support, higher monthly hosting fees, etc., etc., etc.
That's my unofficial guesstimation as to why we don't do this. Our support lines would explode.
It would be where I work after a four-day weekend and people come back not remembering the password that they had changed just before they left for the weekend.
Geeez, you'd think no one had ever heard of Post-it notes. :D
Bob Winterstein
4-19-08, 02:02 PM
CAPTCHA is counter productive. Wastes my time trying to log on. VERY hard to view. Sometimes 4-5 tries to get a readable picture.
My 2 cents
snowmaker
4-20-08, 08:34 AM
Geeez, you'd think no one had ever heard of Post-it notes. :D
Writing passwords down on a piece of paper is a horrible, insecure method to bypass remembering them. If this is done, however, it is much safer and secure to hide the note under your keyboard so it can't be found just laying around in plain sight.. :D
Or a text file on your desktop called passwords.txt. :eek:
I personally enjoy it when I go to some place like a hospital to pick someone up (I work for an ambulance service), and while I'm waiting I just sit around, and it (almost) never fails: the username/password for the computer and any applications needed to get into the hospital's systems are attached to the front of the monitor with that sticky label-maker paper stuff.
YvetteKuhns
4-21-08, 01:18 PM
I know a LOT of people who display their passwords or save them on their computers. I have to search for passwords in folders in a locked cabinet for my clients. I discourage them from sending them via email, yet they are not careful with their passwords! It drives me crazy, but I have no control over what they do. That is why the web host is forcing another method of security.
I would prefer that they count letters and numbers for a stronger password and reject weak passwords such as "password" or "sexygirl69". I could probably use even stronger passwords for some accounts, but I try not to hide things from my husband. I do try to hide things from my son, though. For example, he does NOT know my password for eBay or PayPal. I do NOT save THOSE passwords, so I have to login every time. Better that than to pay for a thousand video games.
Not going to address the HTTP or SFTP stuff here, that's a different topic all together.
I thought it was all about security. Why put a deadbolt (CAPTCHA) on a screen door (server without SFTP)? Everything is related.
...Imagine if we locked every account automatically after 3 attempts, when bots hit the servers thousands of times a minute?
Most system administrators block the attacking IP address from accessing the server; they don't lock the account from its legitimate user. If someone is hammering a server, it is not likely one of the server's allowed users. This is not rocket science. Or is it?
I would have thought blocking an IP address for a period of time and if the 'attack' is repeated, a much longer period of time, would be a technique that is used.
Unfortunately, we're unlikely to be told all the methods used in the arsenal of the host to reduce the consequences to their customers. We're just seeing the more public manifestation of one method.
(I've now returned and sometimes get into OPS in one go, sometimes it's taken 5 or 6 tries before I can read all of the letters/numbers with confidence. I've a password which has upper & lower case and numbers and is fairly long and I don't enjoy typing it in each time I fail :(
I was caught by CAPTCHA today. It was my first attempt to login to OPS since this implementation. It took at least 6 attempts. And at least 6 more times I asked for a new image to try to get one I could read.
I have seen this kind of security before. I will not speculate on whether it makes sense or is necessary. However, I have never seen images that were so unreadable as the ones POWWEB is using. I sure hope they will at the very least get a new image generator that creates readable images!
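Added example (an editor's illustration, not PowWeb's code and not posted by anyone in this thread) of the per-IP approach described a few posts above: count failed logins per source address, block that address for a while once it crosses a threshold, and double the block each time the same address trips the limit again, while a legitimate owner logging in from another address is untouched and no account is ever locked. The IP addresses, the credential store, the PBKDF2 parameters and the `FakeClock` are assumptions made so the demo runs without waiting.

```python
"""Per-source-IP login throttling with exponential back-off.

Added example, not PowWeb/OPS code.  After a burst of failed logins from one
IP the address is blocked for base_block seconds; each further time the same
IP trips the limit the block doubles, up to max_block.  Accounts themselves
are never locked.  Addresses, credentials and the clock are constructed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 50_000          # assumption for the demo; tune for real use


def make_record(password, salt=None):
    """Salted PBKDF2 record for the demo credential store."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)       # constant-time compare


class IpThrottle:
    """`threshold` failures within `window` seconds blocks the IP for
    base_block * 2**(strike-1) seconds, capped at max_block."""

    def __init__(self, threshold=5, window=300, base_block=300,
                 max_block=86400, clock=time.monotonic):
        self.threshold, self.window = threshold, window
        self.base_block, self.max_block = base_block, max_block
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # ip -> recent failure times
        self._blocked_until = {}                # ip -> block expiry time
        self._strikes = defaultdict(int)        # ip -> blocks issued so far

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        return until is not None and self.clock() < until

    def record_failure(self, ip):
        """Note a failed login; return the block length applied (0 if none)."""
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # forget failures outside the window
        if len(recent) < self.threshold:
            return 0
        self._strikes[ip] += 1
        block = min(self.base_block * 2 ** (self._strikes[ip] - 1), self.max_block)
        self._blocked_until[ip] = now + block
        recent.clear()
        return block

    def record_success(self, ip):
        # A real login clears the failure window but not the strike history,
        # so an IP that keeps tripping the limit keeps getting longer blocks.
        self._failures.pop(ip, None)


def attempt_login(throttle, ip, username, password, credentials):
    """Return 'blocked', 'ok' or 'bad credentials'."""
    if throttle.is_blocked(ip):
        return "blocked"                        # refuse before touching credentials
    record = credentials.get(username)
    if record is not None and verify(record, password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)                 # unknown user names count too
    return "bad credentials"


class FakeClock:
    """Manual clock so the back-off can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = IpThrottle(threshold=3, window=300, base_block=300, clock=clock)
    creds = {"webmaster": make_record("Blue-Kettle-Whistles-42")}   # constructed
    attacker, owner = "198.51.100.7", "192.0.2.10"                  # constructed
    for pw in ("password", "123456", "letmein", "qwerty"):
        print(attacker, pw, attempt_login(throttle, attacker, "webmaster", pw, creds))
    # The legitimate owner on another address is unaffected by the block.
    print(owner, attempt_login(throttle, owner, "webmaster", "Blue-Kettle-Whistles-42", creds))
    clock.advance(301)
    print(attacker, "after 5 min:", attempt_login(throttle, attacker, "webmaster", "abc123", creds))
```

Two caveats a practitioner would add: a per-IP block does nothing against an attacker spread over many addresses, so it belongs alongside a per-account slow-down (an increasing delay, not a hard lockout, which is the support-call generator mjandreau describes); and if the login server sits behind a load balancer or proxy, the throttle must key on the real client address, not on a spoofable forwarded header, or one NAT'd office can get everyone behind it blocked.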
smarttech
4-22-08, 01:04 PM
I wish Powweb would ask in maybe a poll how we would prefer that they up their login security. I HATE the stupid pictures. I have actually stopped using some services that require it and perhaps I will do the same with Powweb. There are plenty of other hosts out there with great offerings. If you insist on using the dumb pictures, at least make it take MUCH longer for my session to time out and require me to re-login. I'd follow Yahoo's example and give me the option of letting my session remain open for two whole weeks. OR, get rid of the pictures and have an account be frozen for 20 minutes after 5 unsuccessful login attempts.
Since IE and FF remember my login, I used to be able to simply start typing my username and have it auto input my username and password (not on a shared PC). Now, not only do I have to type in the image 20 times, but I also now have to re-type my password every time too.
PLEASE, PLEASE, PLEASE get rid of it.
Please, enough ranting. It isn't going away (at least any time soon) so rants and threats to leave aren't going to work.
Anyone else think this thread has served its purpose and has become the proverbial deceased equine?
entrecon
4-22-08, 02:08 PM
Anyone else think this thread has served its purpose
I thought that it was dead after staff told it that it was what it was.
You're pretty much right on that account.
I thought that it was dead after staff told it that it was what it was.Or mods..... :D
But I'm convinced that the CAPTCHA system needs to go or be modified - my experiences and that of others here convince me it's not good.
Pointing out that only a few have complained doesn't wash as far as I'm concerned. OK, the complaints and complainants are from a few active members who do often find faults with Powweb changes or inefficiencies but, and it's a big BUT, those that can't login into Powweb OPS aren't going to be able to file tickets in the preferred manner.
People with genuine difficulties will be in the minority and a small minority at that but that doesn't make it right to ignore them. You don't say "Hey, we've only had one wheelchair user try to get in and turn away so we don't need to put in a ramp for 3 steps that will cost $3000 and gain us one customer who will pay $0.15 that candy!" Or at least you don't in a caring society!
Your example here would be a violation of the ADA and result in fines and/or imprisonment.
We were merely pointing out the fact that this thread has gone from a discussion (as the subject states) to a rant session. It's known that although rants do make one feel better, they do not get things done.
Also what can we as customers do other than turn in tickets?
Your example here would be a violation of the ADA and result in fines and/or imprisonment.
We were merely pointing out the fact that this thread has gone from a discussion (as the subject states) to a rant session. It's known that although rants do make one feel better, they do not get things done.
Also what can we as customers do other than turn in tickets?
What can we do? We can encourage as many people as possible to complain in the OFFICIAL channel and to encourage them to get their associates to do the same, and THEIR associates to do the same!
Many people don't log into OPS regularly (I don't) so won't know of the difficulties (hopefully they know of the system from contact by Powweb). If they don't try to log-in then they won't complain!
tpoynton
4-22-08, 02:42 PM
Many people don't log into OPS regularly (I don't) so won't know of the difficulties (hopefully they know of the system from contact by Powweb). If they don't try to log-in then they won't complain!
right...I wonder if they can keep track of how many failed login attempts there are with the correct password, and how many times people click on the 'change image' button. that information would provide objective information about the extent of the problem. No need to rant about it.
and I think I am discussing, not ranting :)
YvetteKuhns
4-22-08, 04:24 PM
I wonder if they can keep track of how many failed login attempts there are with the correct password, and how many times people click on the 'change image' button. that information would provide objective information about the extent of the problem.
I asked support about this when I was afraid they DID keep track and would block my ip address for too many failed attempts! They claim that they are not keeping track.
Since most people do not login to OPS often, they may not be aware of the new security. Wait until people can't login to pay or change something important. I don't think any of my clients have tried to login yet. It is usually my problem.
My ticket request yesterday to fix this image problem got me a reply including, "If you are still feel any inconvenience regarding this feature, then please let us know so that we can make the necessary arrangements so that you will not experience issues while login to vDeck." Today I notified them that I do indeed still feel inconvenienced. Now I await what "necessary arrangements" will be made. (Today's login only took two attempts and about 5 requests for a new image.)
I think you got a person from support who didn't understand you're not using 'vDeck' but their own system!
Re-open the ticket and see what happens :D
I sent in a ticket as well and they're passing my 'suggestion' onwards.
entrecon
4-23-08, 10:17 AM
I was wondering what the "vDeck" had to do with it. I thought maybe it was a user id or something.
I thought it was one level below the Holodeck. :)
HalfaBee
4-23-08, 06:33 PM
Sounds more like a few levels below engineering. ;)
But not in the domain of Scotty!
mjandreau
4-23-08, 08:26 PM
Technically, you are using vDeck.
vDeck is a different name for the control panel, for other brands that the parent company of PowWeb owns. The agent was simply just confused as to the fact you're using OPS, not vDeck. That's all.
Essentially, vDeck and OPS are the same, aside from what they're called, and what brands they're used on.
I've looked at the vDeck site (http://vdeck.com/) and see that features currently not available on OPS are 'coming soon'. Can we look forward to getting some of those features? (We do have many of the so called 'new' features of vDeck 3.0 :) )
mjandreau
4-24-08, 01:09 PM
Honestly, I don't know.
If there's features that you see there, that you want, PM them to me, and I'll see what I can do.
Generally, it should be almost identical to OPS now.
Unicornlady
4-24-08, 03:24 PM
While I don't login all that often, it is a pain in the backside to try to get the numbers and letters right. Being dyslexic doesn't help this either. Since this was implemented, I have been actually staying away from logging in because it is so blasted aggravating. I refreshed the image at least four times this time, and had a failed entry on about five tries between refreshes. :wreck:
There's gotta be a better way to do things than punishing your customers for the crimes of others. At least leave the name and password in when you don't get it right the first time!!! I have to practically stick my nose through the monitor to separate the figures from the background. I'm up for renewal here in about a month and a half. If it's not fixed within the month to something easier for ME to use, I'll be looking elsewhere for my web-hosting!
Most sincerely ticked off!!! :sad3: Yes, this IS a rant - I don't like submitting "formal" tickets, as that is a whole other issue for me!
Whereas formal tickets can be addressed by PowWeb, rants do little.
If you have a problem at the local DIY store, do you sit in the parking lot and gripe to everyone going in or coming out about your problem? No, you go inside and talk to a manager.
Not only is your problem going to be addressed by someone who can help, you won't annoy those who can do nothing for you.
YvetteKuhns
4-24-08, 05:08 PM
My husband is also dyslexic. I normally type and read for him. If my clients had to login regularly, there would have been more complaints. Most of them are over 50 years old and would find the images difficult to read.
What is the magic number of complaints for action? It has to be a lot from DIFFERENT people and not numerous complaints from a few of us. Maybe I should alert my customers to encourage them all to complain if they don't like it. But it is a hassle for THEM, too.
Since the complaint to support got me a useless email response, I don't know if it is worth my time to log into every account to complain. But I want this problem to be solved before we need to login in a hurry to do something important. Still disappointed to be inconvenienced.
It certainly discourages me from logging into OPS for anything. I don't want to check web stats, yet I need them and they don't want to save them anymore. Of course, they may not be working yet, but I can't log into OPS to find out. I really need to login to check Mick's messed up stats, but those images are too difficult to read. (sigh)
Unicornlady
4-24-08, 05:29 PM
Whereas formal tickets can be addressed by PowWeb, rants do little.
If you have a problem at the local DIY store, do you sit in the parking lot and gripe to everyone going in or coming out about your problem? No, you go inside and talk to a manager.
Not only is your problem going to be addressed by someone who can help, you won't annoy those who can do nothing for you.
So what you're saying is, that each time I have a problem with this issue, I should open a support ticket? Also, it was my understanding in reading the "announcement" post about this way up there at the top that we were "welcomed" to voice our concerns here. But this is not the first time I've been put off here (in this forum) by someone telling me to "go away" - any wonder that I don't come to visit the forum very often anymore. Makes one wonder why anyone would want to be a "Mod" if my (or others) complaining about a legitimate issue that we've been encouraged to "let us know if there's a problem", annoys them. :confused:
Anyways, I'd personally like to hear about the "advanced" solution to this because I don't have time in MY busy day (as business person, and webmaster) to be futzing around with trying to decipher gibberish just to log into someplace I legitimately should be able to without so much aggravation! Anyone up for that?
Anyways, I'd personally like to hear about the "advanced" solution to this because I don't have time in MY busy day (as business person, and webmaster) to be futzing around with trying to decipher gibberish just to log into someplace I legitimately should be able to without so much aggravation! Anyone up for that?
I can't see Doc mentioning an "advanced" solution..... and as this thread is too long to re-read I will assume the strain from reading the CAPTCHA images has made you mis-read what he actually said - unless you actually 'quote' the phrase correctly attributed.
YvetteKuhns
4-24-08, 05:38 PM
I think 'advanced' should have been 'enhanced' as the thread title says. With the evil eye test images and allergy season, I have had increased eye strain and headaches. I am looking forward to some time away from the computer next week for my anniversary.
This thread was opened by another forum member not a mod and/or PowWeb staffer.
This is a customer helping customer forum and as such, we can't do anything to remove the CAPTCHA that's been added to OPS. Any more than the person standing next to you in the cereal aisle can give you a discount on a box of Cap'n Crunch.
As far as this being a legitimate issue, this thread is over 140 posts long with the majority of them along the lines of CAPTCHA sucks. I, personally, got the idea about 120 posts ago.
Maybe someone needs to put down the stick because to paraphrase Butch from Pulp Fiction, "Mr. Ed's dead, baby. Mr. Ed's dead."
progravix
4-24-08, 06:52 PM
This is a customer helping customer forum and as such, we can't do anything to remove the CAPTCHA that's been added to OPS. Any more than the person standing next to you in the cereal aisle can give you a discount on a box of Cap'n Crunch.
They could offer you a coupon. My wife would take it. Heck, even I would for Cap'n Crunch.
Maybe someone needs to put down the stick because to paraphrase Butch from Pulp Fiction, "Mr. Ed's dead, baby. Mr. Ed's dead."
LOL i think you are getting Bruce Willis and a horse mixed up.
i think you mean "Zed's Dead, Baby, Zed's Dead..."
Which is why I used the word "paraphrase" rather than "quote". But nice try. :D
Unicornlady
4-24-08, 09:22 PM
In response to Post #140, IanS today:
From rtoohil of PowWeb Staff, quoting what they said on April 9, 2008 at 11:14 AM in the "Enhanced Security on Login" thread: "We also understand that this may prove a barrier for our members who are sight-impaired, and we do have a solution at hand to help them" so I guess I at least was able to read that correctly, and apologize for being so unclear that no one was able to track it down from my reference.
Having shown this, then, why doesn't PowWeb please provide those of us with whatever kind of sight-impairment, a specific place where we can go to get this "fix", rather than to be relegated to waiting on fix-it tickets, and struggling along? At least provide us with a specific location where we can get to once we do manage to get logged in, so we can then set it so that we are in that area of solution, and can implement it for our services from that point forward. I tend to use spell-check a lot to avoid the problems of being dyslexic, and being treated like a third-class citizen because I have problems with it. Unfortunately, spell check doesn't work with this monster.
This is the last I will post here about this or anything else, unless someone can see their way to solving this so that it is equitable for ALL PowWeb users. I no longer consider this place friendly! :(
YvetteKuhns
4-24-08, 09:59 PM
This is the last I will post here about this or anything else, unless someone can see their way to solving this so that it is equitable for ALL PowWeb users. I no longer consider this place friendly!
I understand. If you reread the posts in this thread, you will see that I have explained our problem and tried to offer alternative solutions. Since they have not received enough complaints (yet), I don't think they are planning to offer a better solution (yet). When more customers finally try to login and fail, more complaints will follow and they should have an alternative solution ready.
Perhaps those of us with disabilities can contact health associations that may already have alternative solutions to offer. I was waiting for the Association for the Blind to return my call, but they have not (yet). I posted the link for the solution Google uses.
Before anyone diminishes our disabilities, please remember that all people have different degrees of disabilities. Even people who think they have good vision will have trouble with the current image codes. As more people try to login, they will be annoyed as we are. Disabled in this case means anyone who is UNABLE to login successfully, because they can't read those images.
I did not want to rant here. I am now saying that more people need to report the problem to show staff that this is a BIG obstacle. There MUST be an alternative, because paying customers have the right to login to their own accounts. Usability and accessibility are more important than security. If I can't login, I can't use the account for which I pay.
Must I call support when I need to update my payment info? I am not joking. What if I have another day where it takes hours to login like the first day? I have days like that. And I know I am not the only one. Too bad one of my clients isn't a lawyer. That person could contact PowWeb for us.
This is a serious matter, but talking on this forum isn't enough. It only shows us customers that we are not alone. We must all continue to contact support (by phone since we can't login) until they fix the problem or go elsewhere. There really isn't much choice unless divine intervention gives me a third eye or something to guess those codes.
Sorry if this became a rant again. EVERYONE WHO HATES CAPTCHA MUST CONTACT POWWEB AND TELL THEM! Contact your clients and tell them to complain, too.
Doc said this years ago... (albeit paraphrased) the owner of PowWeb is going to own it as they see fit. You don't like Captcha, stop using a host that uses Captcha.
Look, we are all adults here (for the most part). If the Albertson's store doesn't have the product you like, you go elsewhere (try to buy green chili in California other than mild)
Whether an esoteric discussion regarding captcha will, or will not move management, I'd vote for no way in hell will it move any of the PW management, is not the issue. Is this host providing you with the services you want/need, or not? There's no crying in web-hosting (to also paraphrase Tom Hanks in "A League of Our Own").
There's no need for more rants, or more blasts, no more up-setted-ness... Life is too short.
Just don't jump from the frying pan into the fire :D
symo
(sorry, I feel much better now... the orange pill is starting to kick in :eek:)
They're not going to change. Symo is right.
Even people who think they have good vision will have trouble with the current image codes.
I didn't think I had bad vision. I saw the image quite clearly, after seeing one that I couldn't read. I entered it in thinking I was lucky to have such a clear one. It didn't work. I know another time it didn't work when I couldn't see what was wrong. It's almost like it forces two attempts, or maybe it's something to do with requesting a new image?
Personally, I don't see how it helps. But, then I wouldn't know how to write an evil spam program, anyway. This is saying that the password (with all its requirements) does not provide enough security. How about entering two passwords?
Is this host providing you with the services you want/need, or not.
Well, I guess this is another mark I'll add with the rest. Including the one about the security question issue which I thought had been solved in the past, but just got the run around after I had logged in to ask a question in chat. <<name removed>> asked me for the answer to the security question, so I pointed out I had logged in and could just look at the answer. He said it was to "protect" my account which I said I couldn't see how. Whatever. I went to the security question, since I couldn't remember it nor the answer, repeated it to him, which I guess made him feel like he was "protecting" my account and then he asked, "what was my question?" I copied and pasted it from the chat session. The question was to confirm whether my payment got applied since my previous received payment was not and the site was offline for a day. There's three marks, right fresh in my mind - or is it four?
So, are services being provided I value? Hmmm.....
Please don't turn this into a bash Support thread and do remain on the topic of CAPTCHA.
Thank you.
YvetteKuhns
4-28-08, 03:24 PM
I spoke with Marc Grossman, Accessibility Specialist - AFB Consulting American Foundation for the Blind. He uses JAWS, because he is blind. He suggested contacting Darrell Shandrow, editor of Blind Access Journal. He also sent a link to Microsoft research for accessibility (http://www.microsoft.com/enable/research/).
They did not have accurate or specific information about the number of blind website owners, but they did have a large number of known blind Internet users. I still believe that if the blind can use the Internet, they can have a website and purchase and maintain a web host account (if it is accessible).
We discussed how other websites use audio if you cannot read the image. Since he is blind, I tried to describe the image as being confusing, mixed up or noisy. I compared it to trying to listen to someone talk while the TV and radio are on, the kids are talking and the dogs are barking.
As I researched this and spoke directly with blind Internet users, I see how important the Internet is to them. And Marc asked me to stay on this issue and/or pass the word to those who can and will do something about it. We know that there must be enough complaints (from different people) to motivate action from the web host. Expect more to follow.
Sorry Doc, I guess it does seem to be turning into a bash support. I guess I was frustrated. Probably the main thing is I do not understand how or if someone could abuse it, and if they could, how the CAPTCHA is needed at that level to prevent it. I've seen others more clear. I think there is an issue here, that alternatives need to be seriously considered. The users of the system shouldn't have to get upset.
A) If a chat agent doesn't ask you for your security question .. he/she may find him/herself with some free extra time and a smaller paycheck ... if he/she does it repeatedly (neglects to verify the Security Question on every contact), they probably won't be allowed to make the mistake for any extended period of time .... So, Expect to be asked the Security Question on every Telephone/Chat contact!
B) If you have an actual visual impairment, provide documentation via a ticket (attach a doctor's note/optometrist's diagnosis/etc.) -- I would imagine that the Business Dept will be able to have Legal make some accommodation. However, since the current use of Captcha was mandated for legal reasons at the highest level (way above us plebs, support, sups, staff, managers, etc.), you would need to demonstrate your need concretely, rather than simply state a desire not to be encumbered by the Captcha ---
(Personally speaking, I haven't seen any of these applications, but, I would think, possibly, a disclaimer and additional liability release might also be required to have an exemption from the current Security Policy requirement)
YvetteKuhns
5-1-08, 07:59 PM
Please provide a liability form for security. I can contact my optometrist for a medical statement. I have a valid medical reason. I don't mind typing another code if I could read it. Unfortunately, I cannot read the entire code correctly.
The lowercase i and lowercase j look the same in the image, for example. I take a guess and guess incorrectly for one character and I have to try the entire login again. Since I have many accounts to manage, this is more than a nuisance. It causes eye strain and headaches.
Please leave detailed instructions. Any necessary forms, the email or fax number to where they should be sent. Make a sticky post (or whatever they are called) for other customers who have visual impairments. My visually impaired colleagues told me to switch hosts, but I can't tell my clients to switch hosts because I have an impairment. It would be good PR for PowWeb to improve usability and accessibility for customers. I certainly would appreciate it.
Trapazoid
5-2-08, 09:51 AM
They're doing a hell of a job! The security is so good, I can't get into my accounts any more!
YvetteKuhns
5-2-08, 10:08 AM
I know how you feel, Trapazoid. I wore eyeglasses since I was 5 years old. By the time I was 9 or 10, I had gone to the eye doctor every 6 months, wore a patch over one eye and wore prisms (vertical lines) on my lenses to train my eyes to work together. I finally had surgery on my right eye and the double vision was gone after a few weeks of recovery and temporary blindness. (Yeah, those were the days BEFORE laser surgery.) My eyes finally improved and I almost didn't need eyeglasses.
Last summer, I had to go to the eye doctor to replace my eyeglasses that were damaged in the auto accident (I was a passenger). I had an exam while there and since I had headaches often, they insisted that I needed bifocals. I still need tinted lenses since my eyes are sensitive to light. This may add to my contrasting color issues. I was spending two months submitting websites to search engines and directories more often than usual. The image verification was hurting my eyes and I was making mistakes. But none were as bad as the images seen here on PowWeb.
For my vision, my health and my sanity, I would prefer a better authentication and security method. I would rather change my password every 90 days or do something else than read those image codes. I guess one character incorrectly and have to start again. I feel like I am playing the board game Sorry where I get so far and I am sent back to Start! I don't get paid to guess codes all day. It is maddening!
I remember getting a medical excuse for gym after knee surgery. I didn't think I would need a medical excuse for a web host to explain why I can't login to my own account anymore. I was able to login before the image verification was added. (sigh) Am I just getting old? I am not 40 yet! :eek:
If they don't change the image code, can they send special decoder glasses to members of the secret club? And a special decoder ring? Yeah, that would be cool. :cool:
Maybe they could make a deal with a cereal company and put them in cereal boxes.:D
YvetteKuhns
5-2-08, 01:43 PM
The cereal companies sell to everyone not just PowWeb customers. There goes the security issue. My son would get that decoder and log into my accounts. If they put one on eBay, that would stink. I don't save passwords for fear that my son will buy too many video games and spend my money!
Maybe we all need a thumb print reader to access accounts. Now I am thinking of that movie with Arnold taking that woman's thumb to access secure areas of that cloning facility. I do not recall the name of the movie since I never see entire movies. Anyway, I could be blind and still place my thumb on a reader. That would be cool! :cool:
There were some secured areas in the building where I worked that were protected by biometric scanners. I had a hell of a time with them when I was going through chemo as I got dehydrated.
How about a retina scan? Like the one used in NCIS?
YvetteKuhns
5-2-08, 10:17 PM
I don't like retina scans. I wear eyeglasses which may magnify the scan and burn my eyes! You know, like holding a magnifying glass to burn the ants on the sidewalk. I guess a retina scan could be used if customers do not have fingers. Fingerprints can be used for customers who don't have eyes (that can be scanned). This conversation is beginning to get strange.
.......
B) If you have an actual visual impairment, provide documentation via a ticket (attach a doctor's note/optometrist's diagnosis/etc.) -- I would imagine that the Business Dept will be able to have Legal make some accommodation. ........
This is a patently ridiculous requirement, bordering on a violation of medical confidentiality.
Often school kids need medical certification to justify excessive absences. I don't think it proper that a webhost have such a policy. Very disappointing, and I thank God that no other webhost has anything like this in place.
YvetteKuhns
5-2-08, 10:46 PM
I don't think people with visual impairments should have to get a medical excuse to have access to their accounts. I am surprised that the law does not protect the visually impaired by forcing businesses to make the accounts more accessible. This business reaches a global audience and is based in the United States. Our country currently obsesses about security and now the disabled have been neglected.
After speaking to the Association for the Blind, I learned how much of a problem this really is. And now even those who did not consider themselves impaired are feeling that way. I thought my surgery improved my vision and allowed me to use computers, read books and live a "normal" life. The past year has been filled with image verification codes to deteriorate my vision and remind me of those who have limited or no vision.
They should be able to enjoy the Internet, because many of them rely on the Internet to read, shop and communicate. Some cannot drive to the store, so they order online. They cannot get a book from the local library and read it. They use software that reads text to them. The software does NOT read images. Logins should be possible for paying customers, and customers should not be required to pass an eye exam to manage an account.
I would prefer that image code to be replaced or removed, but if that doesn't happen, I again ask for instructions. Please send the necessary medical excuse form and the recipient of that form. Would you like a note from my mother? By the way, my sister has an account here and she does not drive. She has a medical excuse and takes the Lanta Metro bus to and from work. She manages her own account and makes her own website. She wore bifocals before I did and we are the same age (we are twins).
As more people try to log into OPS, there WILL be more complaints. That image is too difficult to read. We don't mind extra security or another password or security question to answer. We just can't read that image. Please don't use the excuse that we are too lazy to type the code. That is not true. I spent ten minutes guessing that first day and got a headache. Now I try to avoid logging into OPS and haven't checked web stats!
About 2 or 3 years ago, almost all visual Captchas were solved at an average success rate of 90% by bots, if not more.
I doubt nowadays a visual Captcha will stop any determined attack, and if, because of this Captcha, Powweb didn't implement a timeout after x failed tries, then actually, the security level is _lowered_ !! (I won't check if there's a timeout myself, as it already takes ages just to login once :sweatdrop )
And from dmacminn's post, I guess it's to please Powweb's insurance company... Crazy stuff... :confused2
A visual Captcha is worth something only if it's a very custom one (ie: a unique kind, only found on a non-important small site), and no hacker will earn anything by breaking it.
PS: I don't like to have to solve a Captcha to login... ;)
I can't imagine any OCR software would recognise the OP's CAPTCHA image.
If a CAPTCHA image problem can make a thread 160+ posts long, it cannot be easy to decode.
It is not only a matter of decoding the CAPTCHA to access OP's, you also need to have the password.
CAPTCHA makes breaking passwords almost impossible.
With Powweb's 100,000+ customers, I wonder how many passwords have been hacked to make CAPTCHA a "needed" security measure.
HalfaBee, a bit of reading : http://libcaca.zoy.org/wiki/PWNtcha
That's what a guy did 4 years ago... It didn't work with the then-latest Yahoo & Microsoft captchas, and some others, but was quite successful with a good bunch of captchas.
And so, in the 4 years since, I'd guess some other people have done better than this program... :cool:
Thanks for that interesting article.
That link won't work for me.
It seems its server is currently down; you can have a look at it via Google cache here: http://72.14.235.104/search?sourceid=navclient-ff&ie=UTF-8&q=cache%3Ahttp%3A%2F%2Flibcaca.zoy.org%2Fwiki%2FPWNtcha .
But it's not interesting without the sample images.
So you should try again in a few hours...
Seems to be working now. A very interesting list of styles of CAPTCHA and a critique of many of them.
YvetteKuhns
5-5-08, 10:31 AM
I am surprised to see CAPTCHA still in use anywhere. If you have a dictionary, people will learn it. The bad guys always find a way to exploit security like this while normal users are inconvenienced or worse. It is not merely an inconvenience to some of us. We are actually unable to access OPS unless we manage to guess the code correctly.
We don't hack our accounts like real hackers/crackers do. If they log IP addresses for multiple failed attempts, they would log mine for several accounts. If they decide to ban my IP address, I would not be able to manage any of the sites hosted here!
As I mention the current login security for PowWeb to customers, they are complaining. They did NOT try to login until I mentioned it and now I am hearing the rants of people who have visual impairments. If they would contact PowWeb instead of me, PowWeb would see how many more people are having difficulty logging into OPS. My sister is annoyed and plans to CALL support to complain. Judy is over 60 years old and her site is for business.
It is important for customers to have access to their accounts, especially to manage payment and contact information. There must be an acceptable alternative to what is in use now. Added security is fine if we do not lose accessibility. I still think my computer's IP address would make a better security code in place of CAPTCHA.
Security could be improved in other areas such as FTP. I noticed that the sites that allow visitors to upload and download through the browser have more problems than those who do not. There are scripts that are commonly exploited. More effort should be put into watching those things instead. Of course, that is easy for us to say since we don't see what is REALLY happening on the server side.
With Powweb's 100,000+ customers, I wonder how many passwords have been hacked to make CAPTCHA a "needed" security measure.
This worries me. But I still think that many customers used the same password in open source CMS and their OPS login. The bad guys find the password in the script, then try it for OPS and if it works, they gain access. There are other methods I won't discuss here, but the most common method is probably an exploited script.
smarttech
5-8-08, 01:03 PM
I highly doubt that the legal dept would be stupid enough to mandate the use of CAPTCHAs as a MUST for Powweb to implement. I imagine the legal dept wanting tighter security and asking that SOMETHING be implemented. Then someone in development decides that CAPTCHAs is the way to go and implements it. Well, let's go back to legal and let them know that CAPTCHAs really suck for your customers and that you need to come up with something else to keep your customers happy.
My suggestion for POWWEB (I hope you are listening) is to get rid of CAPTCHAs entirely and to implement a "3 strikes you're out" (or 5 strikes) rule instead. Let a user attempt to login to their account 3 to 5 times. If they fail to provide the correct password after the 3rd or 5th attempt, lock that user's account for a period of 20 minutes unless they call into support and provide their security question and have the freeze out reset.
Or, my brokerage account asked me for several security questions. They say that if they detect suspicious activity when I try to log in, they will randomly ask me one of my security questions. If I can supply an answer, they let me in. If not, they don't.
I just don't understand why my HOST feels they have to go above the security tactics that even banks use for their online banking. Maybe part of the problem is that Powweb does not encrypt their login page and therefore, the login is sent in plain text and is being intercepted or something. So, just encrypt the login page and then revert back after login is successful.
But, PLEASE get rid of CAPTCHAs. They are really only used on sites where they have people signing up for new accounts to prevent robots from creating 1,000 new accounts for the purpose of spam or such. Not for actual user logins to their own already established accounts. Maybe you could implement them for when a user first creates a new account. But, even then, they are usually only implemented on free services. With Powweb, you have to pay for hosting so it's not like a million bots are trying to setup new Powweb accounts.
Take it back to legal and tell them CAPTCHAs SUCK and should be replaced by something else. They only are successful in pissing off your current customers.
Once again, the reminder: This is a customer to customer forum and not an official comm channel to PowWeb.
That is all. We now return you to your regularly scheduled programming.
smarttech
5-8-08, 02:51 PM
Once again, the reminder: This is a customer to customer forum and not an official comm channel to PowWeb.
That is all. We now return you to your regularly scheduled programming.
Ya, but obviously some Powweb people read it from time to time as we occasionally get a person from Powweb posting a comment. Just wanted to have my ideas for better security measures written down for reference as a phone call gets me nothing.
smarttech
5-8-08, 02:54 PM
By the way, whatever happened to that opinion voting page where Powweb posts feature suggestions and lets the powweb users vote. I want an item asking that the CAPTCHAs be removed so I and others can vote to let Powweb know we don't like it one bit. If you know what I'm talking about, post a link to it. Thanks.
They're doing a hell of a job! The security is so good, I can't get into my accounts any more!
I received a nice message from support yesterday:
<<removed>>
I believe PowWeb really knows how unhappy their customers are and now that they've placed webstats behind the same scribbles, my clients are unhappy as well ... I'm going to continue to give PowWeb the 'benefit of the doubt' but most sincerely, if this isn't resolved soon, I'm going to jump ship, me and a boat load of clients. I found a competitively priced host with similar services, as well as a comparable (dollar wise) affiliate program. I hate to go for all the work getting things setup but I can't continue on with the frustration of not being able to easily login to various accounts throughout the day. Not only when I get the scribble wrong, my password(s) are no longer retained ... double trouble.
I do appreciate this forum to share thoughts and troubles with the PowWeb community.
LinK
smarttech
5-8-08, 03:06 PM
Ok, I just called Powweb support to let them know that I am very unhappy with the new CAPTCHAs and the tech I got said "there's not really anything I can do" and "what do you want me to do". I told him that I wanted him to let whomever know that there are a lot of customers that are unhappy with it and that we would like it removed. So, I am pretty sure he hung up and took his next call without doing anything. THAT is why I needed to post my suggestions, recommendations, ideas in here so that Powweb CAN read them should they choose to. A phone call obviously will do NOTHING.
mjandreau
5-8-08, 03:07 PM
Calling the fire department to tell them your house is on fire, when the fire department's already there putting out the fire, is about as helpful as calling to tell us you're unhappy about Captcha.
We already know. We're working on making it better.
YvetteKuhns
5-8-08, 03:21 PM
The wishlist where customers log into OPS and vote still has a link. I already submitted the replacement or removal of CAPTCHA, but that list has not been updated in a while.
This post is a reply to smarttech's question. The staff post was not there when I typed this. Glad to know that PowWeb is working on making it better.
Correct me if I'm wrong but it's CAPTCHA not COPTCHA, right?
Also speculation on what a support rep did after terminating a call is just that.
You can post your suggestion, recommendation, and ideas in here all you want. Just remember what this place is and don't hold your breath waiting for a reply here.
smarttech
5-8-08, 05:54 PM
Calling the fire department to tell them your house is on fire, when the fire department's already there putting out the fire, is about as helpful as calling to tell us you're unhappy about Captcha.
We already know. We're working on making it better.
From what I have been reading in the forums here, I didn't get the impression that Powweb had decided to remove the CAPTCHAs. So, either the fire dept hasn't arrived yet, or they went to the wrong house because I still have to log in a half a dozen times before I can get into my account.
I appreciate Powweb keeping security in mind, I really do. I just think there are sooooo many other ways of improving security without making it the user's burden. Just because there is a new fancy shmancy security tool doesn't mean that it is any good or that it would be beneficial to implement. The picture recognition has its purpose but I don't think that logging into a web host is it.
Anyway, I am glad to know that Powweb is going to fix this and I am very hopeful that it will be sooner than later as it is beyond annoying to deal with.
Anyway, I am glad to know that Powweb is going to fix this and I am very hopeful that it will be sooner than later as it is beyond annoying to deal with.
Fixing the problem (CAPTCHA) isn't the same as removing it.
We've been told it's not going to be removed and nothing in the posts recently has given me that impression.
Mike said "We're working on making it better." not we're going to remove it. I take that to mean that they are improving the implementation and images used.
smarttech
5-8-08, 06:14 PM
Fixing the problem (CAPTCHA) isn't the same as removing it.
We've been told it's not going to be removed and nothing in the posts recently has given me that impression.
Mike said "We're working on making it better." not we're going to remove it. I take that to mean that they are improving the implementation and images used.
I still say remove it. It was a stupid idea to begin with. A web host is NOT a good place to implement such a tool. I find it to be a useful tool in forum sign-ups, free account sign-ups and stuff like that. NOT for me to get into my paid account. I mean, I am paying good money for my hosting as well as all the hosting of my clients. I'm the customer and I would think that you would rather take care of your customers as you and your customers will be much happier in the long run. And, you'll make more money in the long run too.
The cost of this implementation is far greater than the benefits derived from it. Get rid of it please.
Either they are getting easier to read or I'm just getting used to them. I very rarely input the characters incorrectly.
There are other hosts who do not use CAPTCHA.
I'm waiting for people to say they are going to hold their breath until they turn blue if it isn't removed. :D
YvetteKuhns
5-8-08, 06:32 PM
Either they are getting easier to read or I'm just getting used to them.
I have been guessing them correctly in 5 tries or less now, so they must be getting easier. I still make mistakes, though, but I do on ANY CAPTCHAs. They are truly a nuisance.
A web host is NOT a good place to implement such a tool. I find it to be a useful tool in forum sign-ups, free account sign-ups and stuff like that. NOT for me to get into my paid account.
I agree. But as long as the accounts are still accessible, some form of "enhanced security" is acceptable. CAPTCHA is just a poor choice. Still getting complaints from clients about it. My sister and other "medically documented" visually impaired Internet users are UPSET over this. My sister would also like to know where to send her medical excuse.
I better buy more carrots to improve my vision. I am blurry-eyed now just to stare at the screen all day! Actually, one of my clients (hosted elsewhere) sent a dietary supplement to improve my vision. My clients are feeling sorry for me! Perhaps that helped.
I'm waiting for people to say they are going to hold their breath until they turn blue if it isn't removed. :D
I don't care if they remove it or not... I just get a kick out of holding my breath until I turn blue... :eek: We sometimes even have competitions here at the hospital. Stanley over in B Wing is the facility champion right now, but I keep practicing.
symo
Hey Doc ... why the heck did you edit my message, I didn't say anything unfavorable. Gosh this censorship goes too far ... why have a forum?
Forum policy is that communications from support are not to be posted. If you want to put it in your own words, that is fine.
I don't make the rules. I just enforce them.
Forum policy is that communications from support are not to be posted. If you want to put it in your own words, that is fine.
I don't make the rules. I just enforce them.
Okay ... thanks ... next time I'll paraphrase.
lk
I found the windows magnifier set on x3 works wonders on the CAPTCHA image, even without my glasses.
YvetteKuhns
5-9-08, 03:38 PM
I was going crazy trying to log into Judy's account. I typed her OLD password on top of typing the image code incorrectly. I emailed her and she told me her current login info. I kept trying and finally logged into OPS to optimize her database and make a backup.
It took less time to back up the database and server files than it did to login to OPS! My clients are also having difficulty. My husband even tried to guess the codes with me and he left the room to avoid my loud exclamations of frustration. I am now blurry-eyed again.
Facebook has two image words and audio for the visually impaired. If we MUST have the image verification, there must be an audio verification for those who cannot read the images. Let's hope changes are made soon.
smarttech
5-9-08, 03:47 PM
Remove it. Come up with something else.
I asked if there could be a login for developers who log in multiple times a day and was told it wasn't possible. However it is! I remember someone posting one location that was overlooked and one could still login without CAPTCHA ... in one hot minute it was removed ... so those in charge do read this forum. I'm waiting for an answer to my still open 'ticket' to hear about the meeting of the 'highest.' What's with this CAPTCHA, is it something PowWeb snagged off Dynamic Drive!
One of the staff, I think it was mjandreau, mentioned that this was a mandate that came from legal. In my experience with legal departments they don't usually go poking around looking for things to implement. The driving force for them comes from one of two places. Either a complaint has been filed against the company OR against someone else in their industry. Legal's role then is to immediately mandate implementing a process that will reduce or eliminate liability in that area.
If this is truly a legal mandate, the CAPTCHA will not be removed. Chances are the techs were forced to put something in place with little warning and used the existing CAPTCHA because it quickly met whatever criteria they needed. We can only hope that they are now researching/analyzing other tools that will meet the need mandated by legal, work with the PowWeb infrastructure, and accommodate the account holders.
I remember someone posting one location that was overlooked and one could still login without CAPTCHA
It wasn't removed, the person who had found it just had not tried to log into that screen. There are several places on the PowWeb site where there is a Login that does not display the CAPTCHA, however once you click on the Login button you are taken to a screen that has just the CAPTCHA on it.
As far as a developers login, there is some tool/process you can go through to link accounts. Someone who has done that or is aware of the tool would have to speak to it, I just remember someone mentioning it.
YvetteKuhns
5-9-08, 04:15 PM
Chances are the techs were forced to put something in place with little warning and used the existing CAPTCHA because it quickly met whatever criteria they needed. We can only hope that they are now researching/analyzing other tools that will meet the need mandated by legal, work with the PowWeb infrastructure, and accommodate the account holders.
We hope they find something that meets the needs of PowWeb AND customers. I can understand a legal need for enhanced security, but it is also illegal (or immoral) to accept money for services and then deny them by making accounts inaccessible (and unusable). It is one thing to refuse a new customer, but taking away accessibility from an existing (paying) customer is wrong.
We understand that it was NOT their intention to deny us access, but that is what happened. Just as we expect the database server, CGI and other issues to be resolved, we hope that access to OPS can be made possible again. We should not require a seeing eye child or special software to log into our accounts. I don't know what to do until this problem is resolved. My son still has a few weeks of school, then I will ask him to read the codes for me. I can't sit here and guess all day. It hurts my eyes.
Does anyone else have alternative security ideas that PowWeb may consider? Anything that would improve or replace the current image verification would be helpful. We know they can't simply remove it, but maybe we can help them find something we like. Again I will mention the one on Facebook, MySpace or Google submissions as possibilities that reach a general audience. Someone else suggested Yahoo earlier. Any other suggestions? Not sure if a poll would be necessary, but it wouldn't hurt.
smarttech
5-9-08, 04:22 PM
Even if legal desired more security logging in, I doubt they would have said "We must use CAPTCHAs". They probably said that security needs to be tightened during user login. Then the developers hurried and threw on the CAPTCHAs. Now they need to go back and remove CAPTCHAs and implement something else since CAPTCHAs SUCK. Are they not open to ideas from us? And how is it again that I let them know my hatred of the CAPTCHAs if they don't read these forums and calling support gets very little recognition that there even IS an issue? I should be able to voice my opinion SOMEWHERE so they will know for sure.
This reminds me of all the crap that was going on when they implemented the OUTGOING e-mail filters to try to catch spam being sent from Powweb accounts. That caused all kinds of problems. I wish they would fully test and do some market research BEFORE implementing new things rather than throwing something together and telling us they are working on FIXING what they've implemented afterward.
Just get rid of it, do your research and major testing, and come up with a BETTER solution than CAPTCHAs. In this situation, CAPTCHAs are not the answer.
YvetteKuhns
5-9-08, 04:45 PM
Just get rid of it, do your research and major testing, and come up with a BETTER solution than CAPTCHAs. In this situation, CAPTCHAs are not the answer.
I agree with you, but they WON'T remove it until/unless they have a BETTER solution. That is why I suggested that we make a list for them to expedite their possible action. If you lost the key to the lock on your front door, you couldn't just remove it until you got a new lock. You would get a new lock and/or key first. Too bad we don't have a back door or window to get into OPS. ;)
I haven't contributed to this thread since about 130 posts ago. ;) One caveat up front: I don't have to log in to OPS daily, or multiple times a day as some of you do. I will say that I have had little trouble with the CAPTCHA even though I am not particularly fond of it. Once in a while it seems a little capricious and an "x" will look like a "k" or something and I'll have to try again. One hint I can give to those complaining about having to re-enter your username/password: Use Opera. "Store" the username/password for your OPS account and then all you have to do is enter the CAPTCHA, hit Ctrl+Enter and go. If you mess up the CAPTCHA, just repeat.
All that being said, OPS is the only online account that I have to deal with a CAPTCHA to access. My bank, insurance company, credit card, phone, etc. do not use it. In addition to username/password, my insurance company uses a PIN. My bank uses a series of "secret questions". Initially, I chose 3 questions from a group of 10 or more that I could supply answers to. Each time I access my account I am asked one of those 3 questions at random and must supply the exact answer I gave initially. It is case-sensitive. (notice the possible alternative hint being cast at Powweb ;))
Folks, the hackers are getting more and more sophisticated. Unfortunately for us "regular people" the fallout from that is, and will be, increasing difficulty in accessing any of our online accounts -- OPS being just one. Get used to it because it's gonna be a fact of life. What was a one-step log-in to my bank account is now a 3-step, 4-page process. Is that account any more or less secure than previously? Who knows -- but it satisfied the bank's lawyers. ;)
Kevin
YvetteKuhns
5-9-08, 05:12 PM
One hint I can give to those complaining about having to re-enter your username/password: Use Opera. "Store" the username/password for your OPS account and then all you have to do is enter the CAPTCHA, hit Ctrl+Enter and go. If you mess up the CAPTCHA, just repeat.
I was using Firefox and tried to store logins for my clients. It kept putting MY login in its place when I failed the CAPTCHA. We want to check web stats, optimize and backup databases, report problems (create tickets) and other things through OPS. We need to do this for each client and this is annoying.
It would be great if we could manage accounts with our own (admin) login. We already have profiles created in case we need to contact support. If I could login to my account and click the domain name of any of my client accounts and answer my security question, that would be great. I wouldn't have to guess CAPTCHAs all day!
smarttech
5-9-08, 06:23 PM
I agree with you, but they WON'T remove it until/unless they have a BETTER solution. That is why I suggested that we make a list for them to expedite their possible action. If you lost the key to the lock on your front door, you couldn't just remove it until you got a new lock. You would get a new lock and/or key first. Too bad we don't have a back door or window to get into OPS. ;)
They can totally remove CAPTCHAs. It's not like they had NO security before CAPTCHAs. You still have to enter a username AND password. Take off the CAPTCHAs while you work on a new solution. Do your homework though and very very thorough testing before implementation of a new solution.
Bottom line, folks, is that it's staying 'till they find something else. I'd suggest you save your rants and other non-constructive posting for something it will help with. Say, global warming, the grassy knoll conspiracy or things like that.
smarttech
5-9-08, 08:16 PM
If we shut-up they'll think we're ok with the CRAPTCHAs. The squeaky wheel gets the oil.
YvetteKuhns
5-9-08, 10:52 PM
Bottom line, folks, is that it's staying 'till they find something else.
That is why we should help them find something else. We don't want the current image verification method to stay, so any alternative suggestions could be useful.
The squeaky wheel gets the oil.
You have to hear the squeak in order to be compelled to get the oil. ;)
T
You have to hear the squeak in order to be compelled to get the oil. ;)
.... and the price of oil is at an all-time high.
I'd always heard it was the squeaky wheel that gets the grease not oil. :)
YvetteKuhns
5-10-08, 09:38 AM
Grease and oil are similar. We use 3-in-1 oil to oil or grease the sewing machine or other machines.
I hope a staff member posts here again to say that PowWeb understands our concerns and will soon replace CAPTCHA with an acceptable alternative security solution. Many members have posted better alternatives. Security questions and the 3 strikes rule have been popularly implemented for years. Other suggestions are welcome and encouraged. Rants are no longer necessary. This thread is long enough to prove how much we hate CAPTCHA.
dmacminn
5-10-08, 10:32 AM
1) Powweb understands your concerns (obviously the intent is not to make things more difficult, that would be completely nonsensical) ....
2) Powweb has a responsibility to protect account holder login security; and, where the risk of accounts being compromised is demonstrably increased, we also have an obligation to respond as quickly as possible to thwart such behaviors.
3) Captcha was the easiest tool to implement quickly, in response to a threat --- it has been used within the system on other than Powweb accounts for some time -- no one thought it would be a picnic and most of the Powweb staff don't like it -- but it was the best tool at hand to address the issue without significant development delay.
4) Rather than rant, which has no positive effect --- people could concentrate on solutions/examples they have seen/etc. Some of the suggestions made have already or are being considered --- they will take redesign of the SSO authentication systems to implement, so the Captcha will remain in place (although it is likely to be improved/modified) as the project to develop additional security moves forward...
5) Any additional changes (other than tuning/improving the Captcha system now in place), will take additional time --- the login attempt idea, which seems "trivial" when one first looks at it, actually requires some significant implementation development.
6) If the idiots who write distributed software to attack account credentials within moments of their creation, and search across accounts for simple passwords, tire of their anti-social campaign, perhaps things will be able to progress more quickly...
HalfaBee
5-10-08, 12:12 PM
Here's a few suggestions.
1. Maybe a "Make me bigger" button, without refreshing
2. Make the image refresh without reloading the whole page
3. Put a sound track with the image, it might be good for blind people.
smarttech
5-10-08, 12:36 PM
Recap my ideas:
1. 3 strikes, you're out (for 20 minutes)
2. Encrypt the login page so usernames and passwords cannot be intercepted.
3. Only ask for additional verification if and when there are suspicions about a certain login attempt (multiple incorrect passwords attempted with the same username), but this one is kind of taken care of in number 1 anyway.
We rant to be heard so you know we are dissatisfied. Now that I know you are working to remove CRAPTCHAs I am much more comfortable. I hope the new implementation is soon although I would rather wait a little longer for it to be done right and not hodge podged together. I appreciate getting an intelligent response from someone at Powweb as this is obviously a MAJOR issue to everyone using Powweb hosting.
Oh in addition to number 1, if an account is consistently "out" for 20 minutes, say 10 times in a 24 hour period, then it would seem logical that someone is trying to force their way into an account. So, after maybe 10 "out" periods within a certain timeframe (maybe 24 hours) you send an e-mail to the account owner and let them know that they need to call in to get the account unlocked otherwise it will remain locked (also make sure the error message when they attempt to login clearly tells them that their account has been locked and that they need to call support to unlock it). This would let the account owner know that someone is attempting to break into their account so they can keep a lookout (perhaps a fellow worker or competitor). It may give them a heads up to use more difficult passwords or to at least change them every so often.
Instead of only 3 failed attempts, authorize 5.
For a bot trying millions of combinations, it won't change a thing, but for a user with a lot of different passwords, mistyping fingers, and a blurry memory, it could be a huge time saver... :o
For the same reason, set the timeout to 10 min.
Enforcing a change of password and a long password could add to the headaches of people with multiple passwords and accounts.
Timing out frequent failed attempts from the same IP when that same IP is used again and again for different account and has frequent failures on multiple accounts.
Just my 2 penneth worth. :D
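The lockout policy sketched in the two posts above (three or five strikes per account, a 20- or 10-minute timeout, an e-mail and a support-only unlock once an account has been locked out ten times in 24 hours, and a brake on one IP address that keeps failing across many accounts) can be written down as a small state machine. The following is an added illustration, not PowWeb's code and not anything posted in the thread; the class name, the default thresholds and the sample account names and IP addresses are all assumptions, and the "attempts" it records are constructed test data.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical failed-login policy: N strikes per account, a temporary
    lockout, escalation to a support-only unlock after repeated lockouts,
    and an IP-wide brake for failures spread across many accounts.
    Time is passed in as a Unix timestamp so the policy is easy to test."""

    def __init__(self, max_failures=3, lockout_seconds=20 * 60,
                 max_lockouts=10, escalation_window=24 * 3600,
                 ip_max_failures=20, ip_window=10 * 60):
        self.max_failures = max_failures          # strikes before a lockout
        self.lockout_seconds = lockout_seconds    # length of a temporary lockout
        self.max_lockouts = max_lockouts          # lockouts before a hard lock
        self.escalation_window = escalation_window
        self.ip_max_failures = ip_max_failures    # failures per IP per ip_window
        self.ip_window = ip_window
        self.failures = defaultdict(int)          # account -> consecutive failures
        self.locked_until = {}                    # account -> lockout expiry
        self.lockout_times = defaultdict(deque)   # account -> recent lockout times
        self.hard_locked = set()                  # accounts needing a support call
        self.ip_failures = defaultdict(deque)     # ip -> recent failure times
        self.notifications = []                   # (account, message) to e-mail

    def _prune(self, q, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def status(self, account, ip, now):
        """State of an account/IP pair before an attempt is processed."""
        if account in self.hard_locked:
            return "locked_contact_support"
        if self.locked_until.get(account, 0) > now:
            return "locked_temporarily"
        self._prune(self.ip_failures[ip], now, self.ip_window)
        if len(self.ip_failures[ip]) >= self.ip_max_failures:
            return "ip_throttled"
        return "allowed"

    def record_attempt(self, account, ip, success, now):
        """Apply one login attempt and return the resulting state."""
        state = self.status(account, ip, now)
        if state != "allowed":
            return state                          # blocked attempts are not counted
        if success:
            self.failures[account] = 0            # a good login clears the strikes
            return "allowed"
        self.failures[account] += 1
        self.ip_failures[ip].append(now)
        if self.failures[account] < self.max_failures:
            return "allowed"
        # Strike limit reached: start a temporary lockout and remember it.
        self.failures[account] = 0
        self.locked_until[account] = now + self.lockout_seconds
        hist = self.lockout_times[account]
        hist.append(now)
        self._prune(hist, now, self.escalation_window)
        if len(hist) >= self.max_lockouts:
            # Too many lockouts in the window: hard lock and notify the owner.
            self.hard_locked.add(account)
            self.notifications.append(
                (account, "Repeated lockouts detected; the account is locked "
                          "until you call support to unlock it."))
            return "locked_contact_support"
        return "locked_temporarily"


def simulate_guessing(throttle, account, ip, attempts, start=0):
    """Constructed scenario: wrong passwords one second apart; returns last state."""
    state = None
    for i in range(attempts):
        state = throttle.record_attempt(account, ip, False, start + i)
    return state


def simulate_persistent_guessing(throttle, account, ip, rounds):
    """Constructed scenario: each round waits out the lockout and tries again."""
    now, state = 0, None
    for _ in range(rounds):
        state = simulate_guessing(throttle, account, ip, throttle.max_failures, now)
        now += throttle.max_failures + throttle.lockout_seconds + 1
    return state


if __name__ == "__main__":
    t = LoginThrottle()
    print(simulate_guessing(t, "alice", "203.0.113.5", 3))  # locked_temporarily
```

The per-account counter is what stops a script from walking a password list against one login, and it is reset by a successful login so a forgetful user who eventually gets it right starts clean. The per-IP window is the piece the last post asks for: a single address that spreads its failures across many different accounts never trips a per-account counter, so it needs its own limit. Attempts made while locked are rejected without being counted, which keeps an attacker from extending a lockout indefinitely against the real owner.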
YvetteKuhns
5-10-08, 10:36 PM
Instead of only 3 failed attempts, authorize 5.
For a bot trying millions of combinations, it won't change a thing, but for a user with a lot of different passwords, mistyping fingers, and a blurry memory, it could be a huge time saver...
For the same reason, set the timeout to 10 min.
I agree with you! I have to type many passwords for my own accounts as well as other people's accounts. I don't always use the same password for OPS, FTP and email. In fact, I discourage it (though people still do it).
dmacminn, thanks for reassuring the customers and members that our opinions matter and our suggestions are being considered. I have seen many improvements and many of our suggestions implemented. Spam filters have improved, the username.powwebmysql.com renaming of the database server and even improvements to web stats. We appreciate your efforts.
The main reason for the rants on this topic are that we urgently need to update payment information or manage accounts. And we can't wait long for changes to be made. Customers get impatient and also got responses from support and staff that were not satisfactory. Your reply was very thoughtful, thorough and helpful. Thank you!
There'd be less ranting if people would take HalfaBee's advice in post 190 of this thread.
snowmaker
5-10-08, 11:08 PM
I'd also like to add a suggestion to some; see if the captcha image is readable and get a new one displayed if not BEFORE entering a user/pass combo. The input fields on any form don't need to be filled in in the order they are displayed on the page.
HalfaBee
5-11-08, 03:22 AM
Powweb could also add a hover to the image that is 3x as big.
smarttech
5-11-08, 03:30 AM
I wouldn't bother spending too much time improving the CRAPTCHAs. Spend your time on the NEW solution so we can get rid of the darn images completely. We can limp along with these crappy images knowing that you are hoping to implement something better in the near future. Making the images TOO easy to read defeats the whole purpose of doing the images in the first place.
Correct me if I'm wrong but it's CAPTCHA not COPTCHA, right?
Also speculation on what a support rep did after terminating a call is just that.
You can post your suggestion, recommendation, and ideas in here all you want. Just remember what this place is and don't hold your breath waiting for a reply here.
How about "Crap-tcha" as it is worthless. Try 8 rounds of "Input did not match the text. Please try again."
I'm not blind, I do graphic design for a living, I can tell you the difference between grey and gray but for Christ's sake this sucks, sucks, and sucks some more. When it is contorted so much you can't tell if it's an S, 5 or R, or O, 0, Q, C or D, is that an M or N...
How about using dictionary words so if I can't understand the whole thing I have half a chance of getting the X@#!@# right!
Dictionary words would be no good, bots could simply use a dictionary as part of the guessing game they play.
YvetteKuhns
5-12-08, 10:12 AM
I'm not blind, I do graphic design for a living, I can tell you the difference between grey and gray but for Christ's sake this sucks, sucks, and sucks some more. When it is contorted so much you can't tell if it's an S, 5 or R, or O, 0, Q, C or D, is that an M or N...
See how even designers can't read these images? I can't tell S from 5, R from P, K from X, O from 0 or other characters, either.
I wouldn't bother spending too much time improving the CRAPTCHAs. Spend your time on the NEW solution so we can get rid of the darn images completely.
I agree. Whatever the new solution will be, it should NOT include images.
This is turning more and more from a discussion thread to a rant thread, IMO.
smarttech
5-12-08, 11:34 AM
This is turning more and more from a discussion thread to a rant thread, IMO.
How is suggesting ideas a rant thread?
YvetteKuhns
5-12-08, 12:02 PM
Let’s stop inaccessible CAPTCHAs (http://www.trenholm.co.uk/?p=113) is an interesting article with comments and alternatives. One person mentions a college that caters to deaf students and mentions that some students have vision AND hearing impairments, which means image verification and audio would not be a good solution. Accessibility is priority one, then security.
An additional security question and answer would be better than the image, but what question(s) and answer(s)? Another web host uses a customer ID as one of the logins. PowWeb could assign a customer ID that is unique and not an "easy-to-guess" word. But any combination of letters and numbers could still be guessed by bots and not humans.
My ISP increased security a while ago and asks for my (husband's) mother's maiden name, contact info and other security questions. It is similar to us contacting PowWeb support by phone. But we probably wouldn't type so many answers at login. How many questions? How many failed login attempts? How long to (temporary) ban logins? Will you ban ip addresses that appear to fail too many login attempts?
I still think that most of us (customers) can guess our passwords after 5 tries or contact support. If spammers cannot guess the login after 5 attempts, they should be blocked and will hopefully give up on the account.
entrecon
5-12-08, 12:08 PM
How is suggesting ideas a rant thread?
Most suggestions contain constructive elements to them. While I have seen some valid points here, they get lost in all of the complaining. I think most everyone agrees that the CAPTCHA (calling it CRAPTCHA doesn't help either) is an added pain. It is also quite clear that it can't be read by some users. Repeating this fact or saying "me too" is not a suggestion.
I vote this thread be closed and one be opened specific to suggestions for replacing/improving the CAPTCHA that is currently in place.
I think so too!
I've created this thread here (http://forum.powweb.com/showthread.php?p=455890#post455890) for the purpose. Rants about CAPTCHA or complaints about the implementation will be removed/edited as per existing forum policy on posts not being on topic. Long posts may be edited to maintain a readable list of alternatives.
I thought so also but got called away to address a problem here at work. Stupid job always interfering with life.