How a Hacker operates
A spammer or a hacker does one simple thing when brute-forcing a login to your site: they send an HTTP POST crafted with the proper form field names and values, without necessarily having viewed the actual login page and form, each time with a new password.
On the other hand, what the average Joe does is first view your login page, then type in his username and password... letter by letter.
When the server receives a form submission from the client, the following can be detected:
- Keys were pressed.
- Time differences between keystrokes.
Really fast typists can type at speeds of 20-30 characters a second, which is around 30-40 ms between keystrokes.
Arguably a hacker or spammer can simulate all this, but at the expense of higher bandwidth and processing power, which will divert them to spamming or hacking someone else who is less protected.
The argument for sending each mouse movement in Using AJAX for Image Passwords is now clear. The same keystroke / time delay detection can be applied to image passwords as well.
Try it!
Below is a simple login screen. To log in as a human, type in the password apple and press Human Login.
If you press Computer Login, a small script will simulate sending off the keystrokes in a very short period of time. The script on the server side will detect whether it was you or your browser that was trying to log in.
Time Twists
To boost things up further, it is possible to record the time between keystrokes when the user first enters their password. The next time they log in, both the password on file and the stored time-delay pattern have to match for the login to succeed.
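As an added example (not code from the original article or its demo), here is how the server-side check described above and the "time twists" pattern check could be written in JavaScript. Everything about the submission shape is assumed: the form is taken to post the password together with one millisecond timestamp per character typed, the 30 ms floor is taken from the typing speeds quoted above, and the 150 ms tolerance and the sample timings are constructed for the demo.

```javascript
// Added example: server-side keystroke-timing checks for a login form.
// Assumed submission shape: { password: "apple", keyTimes: [t0, t1, ...] }
// where keyTimes holds one millisecond timestamp per character typed.

const MIN_HUMAN_INTERVAL_MS = 30;  // from the article: fast typists are ~30-40 ms apart
const PATTERN_TOLERANCE_MS = 150;  // assumed: allowed drift from the enrolled delay pattern

// Inter-keystroke delays, e.g. [0, 180, 340] -> [180, 160].
function intervals(keyTimes) {
  const gaps = [];
  for (let i = 1; i < keyTimes.length; i++) gaps.push(keyTimes[i] - keyTimes[i - 1]);
  return gaps;
}

// The check from the article: were keys pressed, and were the gaps between
// them plausible for a person? A scripted POST with no timings, a pasted
// password (one event for many characters) or machine-speed gaps all fail.
function looksHuman(password, keyTimes) {
  if (!Array.isArray(keyTimes) || keyTimes.length !== password.length) return false;
  if (keyTimes.length < 2) return false;                // nothing to measure
  const gaps = intervals(keyTimes);
  if (gaps.some(g => g < 0)) return false;              // timestamps must not run backwards
  return gaps.every(g => g >= MIN_HUMAN_INTERVAL_MS);
}

// "Time twists": on first entry, file the password together with the
// delay pattern. (A real system would store a password hash, not the
// password itself; kept plain here to keep the example short.)
function enrol(store, user, password, keyTimes) {
  store.set(user, { password, pattern: intervals(keyTimes) });
}

// Later logins must present the right password, human-like timing, and a
// delay pattern within tolerance of the one on file.
function login(store, user, password, keyTimes) {
  const rec = store.get(user);
  if (!rec || rec.password !== password) return "denied";
  if (!looksHuman(password, keyTimes)) return "computer";
  const gaps = intervals(keyTimes);
  const match = gaps.every((g, i) => Math.abs(g - rec.pattern[i]) <= PATTERN_TOLERANCE_MS);
  return match ? "human" : "pattern-mismatch";
}

// Constructed sample session: one enrolment, then four kinds of login attempt.
function demo() {
  const store = new Map();
  enrol(store, "joe", "apple", [0, 180, 340, 520, 690]);
  return {
    human:    login(store, "joe", "apple", [0, 200, 350, 540, 700]),   // same rhythm
    bot:      login(store, "joe", "apple", [0, 1, 2, 3, 4]),           // scripted keystrokes
    pasted:   login(store, "joe", "apple", [0]),                       // one event for 5 chars
    slowed:   login(store, "joe", "apple", [0, 600, 1200, 1800, 2400]),// right password, wrong rhythm
    badPass:  login(store, "joe", "grape", [0, 200, 350, 540, 700]),
  };
}

console.log(demo());
```

The thresholds are the tuning knobs: the first commenter below was classified as a computer because of a fast regular rhythm, which is exactly what lowering MIN_HUMAN_INTERVAL_MS or widening PATTERN_TOLERANCE_MS would change.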
Source Code
Available here
Part 3, boosting security yet
Part 3 will discuss how it is possible to avoid having bots trying to log in. Part 3 can be found here
Very nice series of articles, thanks for the ideas. I have to admit, I consider myself a slow typist, but with my regular typing pattern the server considered me a computer (or rather superman, kind of flattering). But I guess the sensitivity can be adjusted.
How about users that choose to copy and paste their username and password?
If you first try the computer option, then copy-and-paste the password over the generated one, then click OK, then it thinks you are human...