ReCaptcha in login form

Need help with the Administration of your Joomla! 3.x site? This is the spot for you.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
komir
Joomla! Intern
Joomla! Intern
Posts: 86
Joined: Sat Jul 03, 2010 1:52 pm

ReCaptcha in login form

Post by komir » Tue Mar 01, 2016 1:02 pm

Hi, is there any way to enable ReCaptcha in fronted login form?
Thank you

 
User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Tue Mar 01, 2016 1:50 pm

Yes
captcha.JPG
You do not have the required permissions to view the files attached to this post.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

komir
Joomla! Intern
Joomla! Intern
Posts: 86
Joined: Sat Jul 03, 2010 1:52 pm

Re: ReCaptcha in login form

Post by komir » Tue Mar 01, 2016 3:10 pm

Hi, thank you.
Yes, I know that, but, it is not visible in login form, only in registration form.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Tue Mar 01, 2016 3:51 pm

According to the documentation if it is set in Global config then
Set in user options None = ignores global setting
Set in user options Captcha = in Registration form only
Set as default Default = in Registration form and contact form
https://docs.joomla.org/How_do_you_use_ ... _Joomla%3F

Probably need an extension for login form
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

magestyx
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Wed Jul 01, 2009 6:49 pm

Re: ReCaptcha in login form

Post by magestyx » Wed Jul 13, 2016 5:37 pm

I just realized this as well - setting up the reCaptcha still leaves the Login page wide open even though https://docs.joomla.org/J3.x:Google_ReCaptcha says it's supposed to apply to the login page. Can we get this fixed? Protecting the login page with the same ReCaptcha is every bit as important as protecting the other forms. Otherwise it'll welcome brute force attacks guaranteed.

Thanks,

Magestyx

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Wed Jul 13, 2016 9:38 pm

magestyx wrote:... setting up the reCaptcha still leaves the Login page wide open even though https://docs.joomla.org/J3.x:Google_ReCaptcha says it's supposed to apply to the login page. Can we get this fixed? Protecting the login page with the same ReCaptcha is every bit as important as protecting the other forms.
...
Nothing to fix ... you have to set it up correctly and use a Template that doesn't have a faulty override.
For Contact forms and the Registration form
Go to System → Global Configuration → Site
...
https://docs.joomla.org/J3.x:Google_ReC ... _ReCaptcha
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8567
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: ReCaptcha in login form

Post by sozzled » Wed Jul 13, 2016 9:46 pm

magestyx wrote:Setting up the reCaptcha still leaves the Login page wide open even though https://docs.joomla.org/J3.x:Google_ReCaptcha says it's supposed to apply to the login page. Can we get this fixed? Protecting the login page with the same ReCaptcha is every bit as important as protecting the other forms. Otherwise it'll welcome brute force attacks guaranteed.
Let's try to put this into some kind of perspective.

CAPTCHA is a relatively simple, first line defence against unwelcome instrusion. It is not, by itself, the only solution and it does not guarantee prevention from brute force attacks. The reCAPTCHA software used by Joomla relies on software (and its API) developed by Google. Whether or not this software should be incorporated into the Joomla core is a moot point because, to be quite candid, it does not guarantee anything. If Google's reCAPTURE was a guarantee then there would never be a successful brute force attack anywhere and it would put the whole hacking business out of business. 8)

Whether or not reCAPTCHA should apply to the Joomla login form is an interesting question (I think the majority of people would disagree that this is desirable or necessary because most websites do not use such a feature at the time of user login) but there may be alternative, third-party login products that incorporate the feature.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Wed Jul 13, 2016 10:16 pm

sozzled wrote:...
Whether or not reCAPTCHA should apply to the Joomla login form is an interesting question (I think the majority of people would disagree that this is desirable or necessary because most websites do not use such a feature at the time of user login) but there may be alternative, third-party login products that incorporate the feature.
Joomla has the option of using recaptcha in the login form and the ability to use it in a Template override of third party login forms.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8567
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: ReCaptcha in login form

Post by sozzled » Thu Jul 14, 2016 5:14 am

@webdongle. Good point. :)

I was thinking about the issue of brute force attacks. When a user has obtained an account, it's a bit like giving that person the keys to the house. Of course, if the owner of the house (or website in this particular case) is concerned that the locks are too easy to open, there's always the method of strenghtening the lock—Joomla has this with TFA.

Basically there are two main kinds of attack. One is the brute force method. This is where the attacker attempts to obtain the login credentials of an existing account (by trying various password combinations until they are successful); there are also countermeasures against this form of attack from degrading the performance or, ultimately, suspending the account that someone is trying to use. Brute force is primarily restricted to login attempts. Then there's the other kind of attack (blind injection, XSS or other exploitations of known software back-doors) and this other kind occurs irrespective of whether the attacker can login or not.

Getting back to the main issue here, CAPTCHA is mostly used at account registration time; in other words, to "verify" if the registration attempt is being made by a human being. Login requires authentication against the user account records. CAPTCHA, in my opinion, has little to do with preventing brute force attacks. Hopefully this puts things into a little better perspective. CAPTCHA may deter the attacks but it's not a guarantee of total security.

If you want CAPTCHA with login, no problem. If people appreciate it, that's a different story. It depends wholly on the value of the site assets and the degree of security that the site owner and the site's community require in order to access them. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19965
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: ReCaptcha in login form

Post by leolam » Thu Jul 14, 2016 5:53 am

Nice explanation!

Brute Attacks can be intercepted on server level by a good Firewall such as Configserver (for cPanel driven servers) in combination with cPHulk Brute Force Protection enabled. On Joomla level tools that help with prevention for sure are for instance Admin Tools or RSFirewall (personally I prefer the first). I placed the 'help' part as italic for reasons that they do not protect you complete but the are an extra level of protection. However the server should intercept/block already (and CFS does this with it's IP-tables protection) before the Joomla site is actually reached. Recapcha is just a form protector and does not protect your site as such

2 ct's

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
sohopros
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Fri Jul 22, 2011 1:51 pm
Contact:

Re: ReCaptcha in login form

Post by sohopros » Wed Aug 03, 2016 8:10 pm

Webdongle:
Joomla has the option of using recaptcha in the login form
- can you explain how to set this up? We have the plugin enabled and set as default in the Global Config and User Manager options, but there mus t be something else needed.
SOHO Prospecting
https://www.sohoprospecting.com - Joomla Website development
Camarillo, CA - USA
Phone 866.644.7646

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Wed Aug 03, 2016 9:42 pm

sohopros wrote:Webdongle:
Joomla has the option of using recaptcha in the login form
- can you explain how to set this up? We have the plugin enabled and set as default in the Global Config and User Manager options, but there mus t be something else needed.
If look you will see that I made a leter post correcting that statement !!!

However you could try a Template override ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sohopros
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Fri Jul 22, 2011 1:51 pm
Contact:

Re: ReCaptcha in login form

Post by sohopros » Wed Aug 03, 2016 10:14 pm

Webdongle wrote:
sohopros wrote:Webdongle:
Joomla has the option of using recaptcha in the login form
- can you explain how to set this up? We have the plugin enabled and set as default in the Global Config and User Manager options, but there mus t be something else needed.
If look you will see that I made a leter post correcting that statement !!!

However you could try a Template override ?
If a later correction was made, I don't see it. We will look into an over-ride, though.
SOHO Prospecting
https://www.sohoprospecting.com - Joomla Website development
Camarillo, CA - USA
Phone 866.644.7646

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8567
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: ReCaptcha in login form

Post by sozzled » Wed Aug 03, 2016 10:36 pm

sohopros wrote:Webdongle:
Joomla has the option of using recaptcha in the login form
I think what we're trying to say is this:

1) It's technically feasible to implement CAPTCHA with the Joomla login module. Joomla does not provide this functionality natively/out-of-the-box but if you require it then you can write your own module/override for the standard Joomla login module.
2) There may or may not be modified versions of the standard Joomla login module that employ CAPTCHA—I haven't seen any but, then again, it's not something that interests me. It makes reasonable sense to use CAPTCHA together with other security screening as part of the account registration procedure. It is my personal opinion that applying CAPTCHA each and every time a validated account attempts to login is an unnecessary and disincentivising process.
3) I have not been using the Internet for a very long time (probably only the last 30 years or so) and in that 30 years of using the Internet I have never encountered CAPTCHA as part of the login process on any website that I have used. Perhaps my knowledge and use of the Internet is not as extensive as others who believe that CAPTCHA as part of the login process is a desirable or necessary requirement? I don't know and I make no comment about the beliefs that others may have.
4) CAPTCHA, by and of itself, provides no guarantees; it may give some people a fuzzy, warm feeling just like having a cup of cocoa. Whether it is effective is a matter for wider debate.

Yes, it's possible.

I haven't personally attempted to do it.

Good luck and I wish you every success if searching for the answer to your problem. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
sohopros
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Fri Jul 22, 2011 1:51 pm
Contact:

Re: ReCaptcha in login form

Post by sohopros » Wed Aug 03, 2016 11:02 pm

First of all, I agree with you that putting CAPTCHA as an obstacle to a verified user is not desirable, however with the advent of single-click Recaptcha, it isn't much of an annoyance. The reason we are looking into this is that one of our Joomla sites' login form is currently under a robotic ddos attack from IP addresses that are too numerous to list here. The bots are apparently just guessing usernames and passwords and hitting the login script. In fact it has shut down our site multiple time over the past few days. In trying to mitigate it, our sys admin requested:
Is there anyway that something like a reCAPTCHA plugin can be implemented on this login form? Implementing something like this would force the user to fill in content and not leave any room for automated robots to try to exploit the login forms on these pages.
Maybe they are wrong, but they are more knowledgeable than I about these things. Any further insight you have would be appreciated.
SOHO Prospecting
https://www.sohoprospecting.com - Joomla Website development
Camarillo, CA - USA
Phone 866.644.7646

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Thu Aug 04, 2016 12:39 am

Given that captcha is to prevent spammers and trolls from posting on a site or using the site to spam emails then putting a captcha on a login form is useless. Anyone successfully logging in needs to have a valid user/pass and have already been verified (by registration) as not a spammer/troll. And if a spammer/troll has the login details of a registered user then you have bigger problems than a captcha can solve.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

gba
Joomla! Intern
Joomla! Intern
Posts: 68
Joined: Tue Jun 03, 2014 3:37 pm

Re: ReCaptcha in login form

Post by gba » Thu Jul 06, 2017 6:01 am

Hi!

Thank you for that interesting discussion.
https://docs.joomla.org/J3.x:Google_ReCaptcha says it's supposed to apply to the login page.
Excerpt: "The reCAPTCHA plugin, which protects your contact, login and registration forms against spam, has been updated in Joomla! 3.4.0"
In my opinion this explanation in Joomla! Documentation is clear: Joomla! is proclaimed to be able to protect also the login form with reCaptcha.
So Joomla! either really should protect also the login form, or the login form should not be mentioned in the documentation in this context.
What do you think about that?

Kind regards,
Gerald

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 38019
Joined: Sat Apr 05, 2008 9:58 pm

Re: ReCaptcha in login form

Post by Webdongle » Thu Jul 06, 2017 4:14 pm

It's a wiki ... and anyone can create/edit the pages. The problem with the wiki is that the pages are not regulated by users who understand the part of Joomla that the page relates to. Many of the volunteers (including myself) in this forum spend a lot of time having to repeat what we say because Joomla docs is inaccurate.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

 

Locked

Return to “Administration Joomla! 3.x”