reCAPTCHA... why?

Immortalized

i have some other griefs with captcha system

if you try to log in with an invalid password it gives you another login form

no matter WHAT this form ALWAYS fails for me

i enter the correct credentials and it just refreshes, but now shows me a captcha

i enter the exact same credentials and do the captcha and it lets me log in

the captcha should have appeared on the 2nd attempt. i always have to log in 3 times if i fail a login.

also playing from a country where google captcha is blocked (china), there is no indication that a captcha even exists if it fails to load, leaving you very confused since the form otherwise looks like it always does. and it's really mindblowing that jagex requires you to sign in with a captcha in a country where google cannot even load.

i've reported these issues and got no response to date... i don't understand
bring back the lumbridge pig pit

07-Dec-2018 08:36:34

Immortalized

I don't use password managers and it is not me typing it incorrectly the 2nd time. A captcha is meant to appear and does not on the 2nd attempt. I've verified this behavior on multiple devices including the iPhone I'm posting on, my desktop at home in Texas, my Android device from home and in China, and another laptop. I'm not sure how you tested to get different behavior since I have experienced this in multiple locations within my home state and even a different continent.

With all due respect the suggestion that I contact the Chinese government is ridiculous. If you cannot find an alternative solution to Google captcha, which has unfortunately become a monopoly on human verification (a different concern in itself), you could at the very least stop automatically locking my account every time I go to China. It has happened multiple times even though I have Google Authenticator and verify it is indeed me playing. The act of logging in causes my account to be locked a few days later (negating any kind of benefit of locking it since I've already been "hijacked"), and since it's locked I fail to log into the website, which triggers the captcha which has no visual indicator whatsoever on the form if it fails to appear. There are plenty of alternatives to captcha like letting me sign in using my authenticator code.

The kind of response you have given me is surprising since my other thread all I got was the feedback was being passed along and being looked at, but you have very flatly rejected any notion that it was being looked at in any way whatsoever. The least you could do is make a visual indicator that captcha is required when it appears, since in countries where it does not load the same form appears and looks identical to the one where it is not required. And logging in with an authenticator code should trivially solve the issue of unauthorized attempts on someone's account. Very shocked by the response confirming my suspicion nothing was being looked at at all.
bring back the lumbridge pig pit

07-Dec-2018 12:42:33

Immortalized

I'd also want to say there is no requirement to enter a captcha to log into the game client, which you can then click on a news item to log into the website. So the idea that captcha is just REQUIRED to be here strikes me as one that does not actually provide any additional security at all when you can easily circumvent it, even in mass with new technology.

In general during my trips to China I've found the experience extremely poor both on the game and the website, to the point that I start to wonder if it is a deliberate attempt to make it harder for individuals in this region to even reasonably do anything. While a separate issue the fact that this site is still HTTP while the rest of the site is HTTPS for years is yet another thing that ruins the experience when your connections are indeed being watched by others. And you can point the blame elsewhere but if your site is all HTTPS except one area of it I am not sure what the priorities are here on security.
bring back the lumbridge pig pit

07-Dec-2018 12:46:24 - Last edited on 07-Dec-2018 12:54:28 by Immortalized

Immortalized

Iceberg said:
Applejuiceaj said:
I've had it every once in awhile, though usually it's only if I've typed my password wrong. If I type it right the second time, the page refreshes making me log in once more and answer the captcha, and then the next few times after that on a fresh login I've had to go through it as well.

Me too - though only when logging in on my phone. It's annoying having to type your password 3 times even though it was right the second time :(

Agreed, this is exactly the issue I mentioned previous page. I am glad it's not just me.
bring back the lumbridge pig pit

07-Dec-2018 14:14:48

Immortalized

2_Tron said:
I'd rather stick with
'Choice A'
keeping it secure and safe as it is and maybe the future has a helping hand in the distant future.
Of course, easy logging in is always top-priority but security of everything exceeds all and must be maintained to make sure Jagex & The RuneScape Community stay safe allowing us to have maximum joy.

You can already circumvent captcha by simply logging into the client and clicking a news article. What security do you think captcha is bringing to this website?
bring back the lumbridge pig pit

08-Dec-2018 16:40:24 - Last edited on 08-Dec-2018 16:41:29 by Immortalized

Immortalized

I agree, which is why I think it should go away. The site already bars you from logging in for a period of time after x failed login attempts, so I don't know what additional benefit this provides if any. Someone trying to get into your account can use the other means available that do not include a captcha.
bring back the lumbridge pig pit

08-Dec-2018 18:02:44

Immortalized

Original message details are unavailable.
News articles are not behind a captcha check, as you mentioned users who log into the game should have Authenticator enabled, which provides more secure logins for users entering the website from the game. For your inevitable followup, I want to add the Authenticator to the website too - it's finding the time to do it.

So I never said they were, just that you can log into the website without a captcha by clicking one from the game client. And unless I am mistaken there are many (in fact, probably most) users who do not have authenticator enabled, so their accounts can in fact be logged into the website without captcha or authenticator, by bruteforcing their login on the game client and clicking a news article.

I hope you are planning on adding it as a substitution to captcha and not an addition, since it eliminates the bruteforcing concern when only the account owner knows the code.

Original message details are unavailable.
Google's website on Captcha lists one of the benefits as "Advanced Security". Either way, our opinions on what captcha is clearly differ but captcha allows us a front-end immediate check on whether a user is legitimate and if we should allow the traffic through. Captcha is one of many systems and features we have in place - the rest of which I will not discuss.

Isn't that kind of irrelevant? I mean, specifically, what security does it bring here?

As far as I can tell, it's only being used to stop bots from bruteforcing logins. You can still do this in the game client and companion app. So how does captcha actually increase security in this respect if it's not on all means of logging into RuneScape?

The login service blocks your IP after numerous failed attempts for a period of time. I would argue that this makes the game client and companion app just as secure as using captcha. The benefits it is providing still are not clear to me.



Also the second login screen missing a captcha is still an issue regardless. See Applejuiceaj's post.
bring back the lumbridge pig pit

10-Dec-2018 12:18:42 - Last edited on 10-Dec-2018 12:50:23 by Immortalized

Immortalized

client
- does not require captcha
- optionally require authenticator after login succeeded
- can log into the website

companion
- does not require captcha
- require authenticator after login succeeded

website
- optionally requires captcha after login failed
- does not require authenticator

Original message details are unavailable.
captcha allows us a front-end immediate check on whether a user is legitimate and if we should allow the traffic through

Here's the concern I have. You already allow potentially illegitimate traffic through since there is no captcha on the client or companion app.

In fact, more people log into the client than the website!

I mean at best all this does is slow down an attacker and inconveniences up to 1.3 billion people from accessing the website. I myself was able to post on the website from China by logging into the game client and then clicking a news article.

How is it OK to justify captcha as checking legitimate users, when this check is not performed anywhere else? Especially the more used systems.
bring back the lumbridge pig pit

10-Dec-2018 13:02:16 - Last edited on 10-Dec-2018 13:07:35 by Immortalized
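
The coverage argument in the last post can be checked mechanically. The sketch below is an added example, not part of the thread and not Jagex code: it models the three login paths as the post lists them and reports which controls sit on every route to a website session. The control names and policy labels are this example's own, and the IP lockout is placed on all three entry points only because the poster says the login service applies it.

```python
# Added example: models the login paths as the thread describes them (constructed
# data; the control names and policy labels are this example's own).
ALWAYS, ON_FAILED_LOGIN, OPT_IN, NEVER = "always", "on_failed_login", "opt_in", "never"

ENTRY_POINTS = {
    "client":    {"captcha": NEVER, "authenticator": OPT_IN, "ip_lockout": ON_FAILED_LOGIN},
    "companion": {"captcha": NEVER, "authenticator": ALWAYS, "ip_lockout": ON_FAILED_LOGIN},
    "website":   {"captcha": ON_FAILED_LOGIN, "authenticator": NEVER, "ip_lockout": ON_FAILED_LOGIN},
}
# A session on the key can be carried over to the value without logging in again
# (the thread: logging into the client, then clicking a news item).
HANDOFF = {"client": ["website"]}


def paths_to(target):
    """Every chain of entry points that ends with a session on `target`."""
    paths = [[target]]
    for source, dests in HANDOFF.items():
        if target in dests:
            paths += [p + [target] for p in paths_to(source)]
    return paths


def controls_on(path, account_uses_authenticator):
    """Controls a password-guessing client meets; credentials are only presented at path[0]."""
    met = set()
    for control, policy in ENTRY_POINTS[path[0]].items():
        if policy in (ALWAYS, ON_FAILED_LOGIN) or (
                policy == OPT_IN and account_uses_authenticator):
            met.add(control)
    return met


def coverage(target, account_uses_authenticator):
    """Per-path controls, plus the controls present on every path to `target`."""
    per_path = {" -> ".join(p): controls_on(p, account_uses_authenticator)
                for p in paths_to(target)}
    return per_path, set.intersection(*per_path.values())


if __name__ == "__main__":
    for uses_auth in (False, True):
        per_path, common = coverage("website", uses_auth)
        print(f"authenticator enabled: {uses_auth}")
        for path, controls in per_path.items():
            print(f"  {path}: {sorted(controls)}")
        print(f"  on every path: {sorted(common)}")
```

In this model only the control enforced at the shared login service appears on every path; the captcha covers the website form alone.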
