Hi, I am trying to think of ways of securing, or at least "trying" to put some extra security measures in place on, my website's sign up form.
I understand that captchas can be broken very easily and more importantly they could actually stop a potential user from signing up to my site.
Points To Note:
- I have strong JS and PHP validation in place on the sign up form
- users' accounts stay in 'pending' status until they click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
- a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours
I cannot really think of any other security measures that I could put in place without really annoying the users, and I understand that spam / bots are just part of everyday life on the internet...
However, I would like to try and detect when suspicious activity occurs on my sign up form... so I was thinking of implementing the following:
When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display a captcha
I understand that a whole college or building might be running off the same IP address, but the worst that can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign up and not for any other function on the site
I am interested to hear whether anyone has any better idea (which I am sure loads will have) or what you think of my idea, thanks in advance for your help...
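The per-IP check described in the question, written out as an added example (not the poster's own code): a sign-up attempt log keyed on the connecting address, a query that asks whether another attempt from the same address landed inside the window, and a prune step for the hourly cron. The table name, the `threshold` parameter (1 reproduces the question's rule; a larger value generalises it to "N attempts in W seconds"), and the use of an in-memory SQLite database via PDO are assumptions made so the code runs offline; the timestamps and addresses are constructed.

```php
<?php
// Added example: per-IP sign-up throttle that escalates to a captcha only when
// another sign-up from the same address arrived within the window.
// Assumes PDO + SQLite (in-memory here); swap the DSN for the site's real database.

const SIGNUP_WINDOW_SECONDS = 7;   // the 7-second window from the question

function openSignupLog(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed table: one row per sign-up attempt, indexed for the (ip, time) lookup.
    $db->exec('CREATE TABLE signup_attempts (ip TEXT NOT NULL, created_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_signup_ip_time ON signup_attempts (ip, created_at)');
    return $db;
}

function clientIp(array $server): string {
    // Use the socket peer address only. X-Forwarded-For is attacker-controlled
    // unless your own reverse proxy overwrites it, so do not key the check on it.
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// True when $threshold or more attempts from $ip fall inside the window ending at $now.
function captchaRequired(PDO $db, string $ip, int $now, int $threshold = 1): bool {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM signup_attempts WHERE ip = :ip AND created_at > :since'
    );
    $stmt->execute([':ip' => $ip, ':since' => $now - SIGNUP_WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= $threshold;
}

// Record every attempt, whether or not it ended in a captcha, so bursts are visible.
function recordSignupAttempt(PDO $db, string $ip, int $now): void {
    $stmt = $db->prepare('INSERT INTO signup_attempts (ip, created_at) VALUES (:ip, :t)');
    $stmt->execute([':ip' => $ip, ':t' => $now]);
}

// For the hourly cron: rows older than the window are never consulted again.
function pruneSignupLog(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM signup_attempts WHERE created_at <= :cutoff');
    $stmt->execute([':cutoff' => $now - SIGNUP_WINDOW_SECONDS]);
    return $stmt->rowCount();
}

// Walk-through with constructed timestamps and documentation-range addresses
// instead of a live request.
$db = openSignupLog();
$ip = '203.0.113.5';
$t0 = 1700000000;

var_dump(captchaRequired($db, $ip, $t0));                 // bool(false): first sign-up
recordSignupAttempt($db, $ip, $t0);
var_dump(captchaRequired($db, $ip, $t0 + 3));             // bool(true): second within 7 s
var_dump(captchaRequired($db, $ip, $t0 + 8));             // bool(false): outside the window
var_dump(captchaRequired($db, '198.51.100.9', $t0 + 1));  // bool(false): different address
var_dump(pruneSignupLog($db, $t0 + 60));                  // int(1): the old row is removed
```

In the real form handler the sequence is: compute `$ip = clientIp($_SERVER)`, call `captchaRequired()` before creating the pending account, render the captcha if it returns true, and call `recordSignupAttempt()` once the request has been processed. Because the check counts only the connecting address, a shared NAT (the college case in the question) produces at worst an extra captcha for the second person, never a refused sign-up.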
In my opinion I would just create my own Captcha, such as randomly asking for a technical or unique word that is on your website. As long as you have strong encryption and encapsulate any variables that a user can change, then you should be OK. If you are really paranoid, log the user's IP to the database and have it where you can ban that IP or username (I personally would ban the username, for an innocent person using the IP address might be banned).
What I don't understand is that you will delete pending accounts after hanging around for 72 hours, but you want to check "suspicious" activity within 7 seconds. Highly unlikely unless someone is trying to do a brute force attack and even then it would be way longer than 7 seconds. That to me doesn't make sense, but it could just be me. I think I would rather have a person be locked out after 3 to 5 login attempts than do something like that, but that is just my opinion.