Um, no, I know first hand that those methods will not prevent bots. There is no such thing as a silver bullet to prevent site abuse. You have to decide what is reasonable, and secure down everything that is not reasonable in addition to maybe adding in things that are difficult for bots to do, but in the end, if your site is popular enough, all an ocr image will do is force 1000% the bandwidth as bots repeatedly download images, not to mention all the real user problems it creates.
 

Bruce Dunwiddie
Ticket Technology
P: 866.543.3331
F: 913.451.7832
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Glenn Crocker
Sent: Friday, December 05, 2003 4:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion]

Securing against bots requires "type in this number" systems, where the number is difficult to OCR, but easy for humans to read.
 
-glenn
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Bruce Dunwiddie
Sent: Friday, December 05, 2003 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [KCFusion]

If you ever send out any form of a password, temp or not, it's insecure. If you're asking them personal questions anyways, through an ssl connection, there's no reason to even involve their email, just immediately let them in and make them reset their password. Also, the passwords should be stored in the database as hashes of the actual password, so there's no way for your "designer's" idea to work at all since you would never even know their password. The only reason any companies send out passwords via email is to verify that the email address is valid so they can legally spam you to death. It also makes it harder for bots to script setting up accounts at your site if you have a unique restriction on email addresses, so that for every account the bot creates, it needs an email address.
 

Bruce Dunwiddie
Ticket Technology
P: 866.543.3331
F: 913.451.7832
[EMAIL PROTECTED]
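An added illustration of the point Bruce makes about hashed passwords (this is example code written for this page, not anything posted in the thread): because only a salted hash is stored, the site has nothing it could email back, and a reset has to issue a fresh secret instead. The in-memory dictionaries, the PBKDF2 parameters and the 15-minute single-use token flow are all assumptions chosen for the example, not something the thread specifies.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for database tables (assumption for the example).
USERS = {}          # email -> {"password": "<salted pbkdf2 hash string>"}
RESET_TOKENS = {}   # sha256(token) -> {"email": ..., "expires": unix time}
TOKEN_TTL = 15 * 60  # reset tokens live 15 minutes (assumed policy)


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_user(email, password):
    USERS[email] = {"password": hash_password(password)}


def request_reset(email, now=None):
    """Return a random token to send to the user; there is no password to send.

    A token is returned whether or not the account exists, so the response
    does not reveal which addresses are registered; it is only recorded
    (as a hash, so a leaked table cannot be replayed) for real accounts.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in USERS:
        key = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[key] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def complete_reset(token, new_password, now=None):
    """Consume the token once; reject unknown or expired tokens."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(key, None)  # pop: a token can be used only once
    if record is None or record["expires"] < now:
        return False
    USERS[record["email"]]["password"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    create_user("user@example.invalid", "old-secret")   # constructed sample account
    tok = request_reset("user@example.invalid")
    print("reset ok:", complete_reset(tok, "new-secret"))
    print("new password verifies:", verify_password("new-secret", USERS["user@example.invalid"]["password"]))
```

The reset token is stored only as a hash and removed on first use, so even a copied `RESET_TOKENS` table or a reused emailed link does not let anyone set a password; the expiry check keeps an old, unread email from staying valid indefinitely.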

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Adaryl Wakefield
Sent: Friday, December 05, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: [KCFusion]

The designer and I are having a discussion about security.
I say that if people want their passwords they have to submit emails and
answers to personal questions then I send them a temp password in email that
they have to change themselves.
He wants to do something more simple like type in your email address and we
just send you your password. I think that's horribly insecure but that is the
way Macromedia works. Opinions?

Adaryl Wakefield
Aviator by passion
Programmer by sheer force of will
