Can any1 help me custom captcha authentication

[bannedjpg]

reply if u want to try i'll type out what i mean :P

[bannedjpg]

no i'm planning on generating 6-to-10-character alphanumeric strings on my server and creating captcha images from them

[bannedjpg]

i want to stop someone from breaking my captcha and flooding my website with bots posting things pretending to be humans

so i want to limit how many captcha's i send to a user account but i'm wondering how many a machine-learning program needs (i dont know anything about machine learning but i've seen some hackers mention them for captchas)

[bannedjpg]

a lot of the times it's best to find a way to otherwise divert them or act like it worked but dont actually work. Why? Because again if a bot/script kiddy or nerd wants to circumvent your script, they can and will. Acting like they succeeded makes them 'stop trying' in a sense. whilst making the denial obvious simply makes them keep trying until they get it.


A super super good network/source of info and methods all brogrammers need to know and know well is called OWASP


They cover many topics in security.

In your case,

https://owasp.org/www-project-automa...-applications/




My response unrelated to above page:

1. Depending on security and how much time or money you're willing to invest, you can uniquely browser fingerprint each session on form page and deny/fake error page people that dont generate a key (aka use javascript, most bots cant parse javascript), then store each unique browser fingerprint in database as well. tie fingerprint(s) to users. they can be on a new ip but fingerprint will still be same. limit from fingerprint or fallback ip.

thanks for the OWASP link i completely forget to check them out for this problem

that's interesting idea like shadow-ban them from within their own browser. so even if their IP-address changes, they're still banned. only issue like u said is tricking them into thinking they're not banned
... related to that i had the idea of my server "playing dead" where if i ban someone i'll send back 500 errors for stuff so they think they broke my server or corrupted my database or something

[bannedjpg]

i think if i can do that idea of burying an identifier somewhere in their browser that would be crazy good

i'm still trying to figure out if "fingerprint.js" is that tho brb

[iwant2beswole]

Just use recaptcha instead of reinventing the wheel