phpBB

Development Discussion Board

phpBB's testing ground of bleeding edge code
[RFC] Q&A plugin by default

Publish your own request for comments or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.1/Ascraeus and 3.2/Arsia.

Re: [RFC] Q&A plugin by default

Postby imkingdavid » Tue May 01, 2012 6:36 pm

stevemaury wrote: A default set of questions is no good, as no matter how many you have, they can be broken by anyone with access to the phpBB installation files, which is everyone.

Admittedly making an installation requirement of configuring Q&A would make the process longer and perhaps more difficult. Perhaps an override?

By default, phpBB must be configured to require a question at registration to combat spam. The method offered, if properly used, is very effective. However, if this is a local installation, or an intranet or one with closed registration, or for any other reason you wish to override that, you can do so by checking the box below that says "I love spam" (just kidding - "I do not want to enable spambot countermeasures at this time").

Or maybe just make filling it out optional, and if they don't give a question, there won't be anti-spam enabled.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.
imkingdavid
Development Team
Posts: 900
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Q&A plugin by default

Postby Oleg » Wed May 02, 2012 5:18 am

I think a nag in acp index would be sufficient.
Oleg
3.1 Release Manager
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Q&A plugin by default

Postby MichaelC » Wed May 02, 2012 7:07 am

I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.
Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"

No unsolicited PMs please except for quotes.
MichaelC
Website Team
Posts: 797
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Q&A plugin by default

Postby callumacrae » Wed May 02, 2012 7:11 am

Unknown Bliss wrote: I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.

+1
"In JavaScript, there is a beautiful, elegant, highly expressive language that is buried under a steaming pile of good intentions and blunders"
—Douglas Crockford

View my MOD, phpBB Mobile
callumacrae
Website Team
Posts: 882
Joined: Tue Apr 27, 2010 9:37 am
Location: England

Re: [RFC] Q&A plugin by default

Postby brunoais » Wed May 02, 2012 7:25 am

Why not just place multiple input@type=checkbox or input@type=radio for the user to choose?
Just make a warning (in red and bold) if the user chooses not to use any captcha.
If the user chooses Q&A, ask for Q's and A's to add.
If the user chooses ReCaptcha, state that there's a need for an application key and also show the instructions about how that application key can be obtained.
If the user chooses one of the other 3 (default) captcha, show the lack of security it means.
If the user chooses none, warn that it's a ludicrous option unless it's a test forum.
brunoais
Registered User
 
Posts: 626
Joined: Fri Dec 18, 2009 3:55 pm

Re: [RFC] Q&A plugin by default

Postby imkingdavid » Wed May 02, 2012 3:31 pm

EDIT: Ticket

I believe the best way to go about this is:
- New page following server settings with a "Skip" button at the top and a "Next" button at the bottom. Skip never takes any input on that page into account, it just moves to the next page.
- If no question/answer is entered, use current default captcha (or no captcha)
- If only question or only answer is entered, error to ask for the empty one
- Otherwise, continue.

And a Skip button should be similarly added to the Server Settings page, since that page generally needs no changes to it anyway.

Would it be possible to find/write code for a spam bot and have it test the question that is entered, both during install and later on? If it can crack the question, we could warn the admin that the question is too easy. Of course I have no idea how spam bots work, what language they are programmed in, etc., but I figured I'd toss this out there.
imkingdavid
Development Team
Posts: 900
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Q&A plugin by default

Postby stevemaury » Wed May 02, 2012 5:01 pm

I think the way to handle question difficulty is to give a couple of examples, making it clear that the examples should not actually be used.

Like this:
BAD

What is 2 + 2

What color is the sky?

Who is President of the USA?

_________________________________

GOOD

Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x

Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board

Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?

Q: Click this link and type the name of the animal in the picture.
stevemaury
Support Team
Posts: 40
Joined: Sat Aug 30, 2008 12:44 am

Re: [RFC] Q&A plugin by default

Postby Marshalrusty » Wed May 02, 2012 5:41 pm

Oleg wrote: I think a nag in acp index would be sufficient.

In the short term, I tend to agree with Oleg.

The best solution would be a refactor of the installer to add optional pages (with a "Skip" option) to the end. This would also make it possible to change some of the currently required fields to optional. Without significantly refactoring the installer, however, the simple solution is to display a nag on the ACP index telling administrators that their forum is currently susceptible to spam. Something this simple could even be done in the 3.0 line, I think.

I also recently created an anchor to information on spam (which may eventually turn into a dedicated page): http://www.phpbb.com/support/spam/
Marshalrusty
Project Manager
Posts: 246
Joined: Thu Oct 27, 2005 1:45 am

Re: [RFC] Q&A plugin by default

Postby Marshalrusty » Wed May 02, 2012 5:53 pm

stevemaury wrote: GOOD

Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x

Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board

Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?

It should be noted that:
"Type the last three characters of the following segment: fy7g3yd"
is equivalently difficult for a bot to do as:
"Type '3yd' into the box"

Unless a large portion of phpBB administrators use the exact syntax, bots will be unable to figure out what is being asked. On the other hand, if we make this a default recommendation, someone will write a bot to target these kinds of questions, looking specifically for keywords like "one, two, three, four" and "first, last, middle", which, even with a 25% success rate, will result in a breach.

If these kinds of sample questions are offered, they should be generic enough that people don't use them as-is or with minor variations, else we'll end up with the problem above.
Marshalrusty
Project Manager
Posts: 246
Joined: Thu Oct 27, 2005 1:45 am
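
Added example (not part of the thread and not phpBB code): a PHP sketch of the installer-step rules imkingdavid lists above, combined with an admin-side warning for the question patterns Marshalrusty describes. The function names, the return shape and the warning texts are assumptions made for illustration; it needs PHP 7 or later.

```php
<?php
// Added illustration, not phpBB code; function names and messages are hypothetical.

/** Warnings for a Q&A CAPTCHA question that a script could plausibly answer. */
function qa_weakness_warnings(string $question, string $answer): array
{
    $q = strtolower(trim($question));
    $a = strtolower(trim($answer));
    $warnings = [];
    // "Type the last three characters of ...: fy7g3yd" still prints the answer.
    if ($a !== '' && strpos($q, $a) !== false) {
        $warnings[] = 'The answer appears verbatim in the question text.';
    }
    // Keyword template: first/last/middle, then a count, then "characters".
    if (preg_match('/\b(first|last|middle)\b.*\b(\d+|one|two|three|four|five)\b.*\bcharacters?\b/', $q)) {
        $warnings[] = 'Follows the "first/last/middle N characters" template.';
    }
    // Arithmetic such as "What is 2 + 2".
    if (preg_match('/\d+\s*[-+*\/x]\s*\d+/', $q)) {
        $warnings[] = 'Simple arithmetic can be evaluated by a script.';
    }
    // General-knowledge questions listed as BAD in the thread.
    $bad = ['what color is the sky', 'who is president of the usa'];
    if (in_array(rtrim($q, ' ?'), $bad, true)) {
        $warnings[] = 'Well-known question with a guessable answer.';
    }
    return $warnings;
}

/** Installer step: Skip, both fields empty, one field empty, or both filled in. */
function qa_install_step(string $question, string $answer, bool $skip): array
{
    if ($skip) {                   // Skip ignores anything typed on the page
        return ['action' => 'skip', 'messages' => []];
    }
    $q_empty = trim($question) === '';
    $a_empty = trim($answer) === '';
    if ($q_empty && $a_empty) {    // nothing entered: keep the default CAPTCHA
        return ['action' => 'default_captcha', 'messages' => []];
    }
    if ($q_empty || $a_empty) {    // only one field entered: ask for the other
        return ['action' => 'error', 'messages' => [$q_empty ? 'Enter a question.' : 'Enter an answer.']];
    }
    return ['action' => 'enable_qa', 'messages' => qa_weakness_warnings($question, $answer)];
}

// Constructed inputs, reusing the sample questions quoted in the thread.
print_r(qa_install_step('Type the last three characters of the following segment: fy7g3yd', '3yd', false));
print_r(qa_install_step('What is 2 + 2', '4', false));
print_r(qa_install_step('What is 2 + 2', '', false));
```

The same warning function could back a notice on the ACP index for boards that already have a question configured.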

Re: [RFC] Q&A plugin by default

Postby Vinny » Wed May 02, 2012 6:17 pm

Maybe this is a crazy idea, but Q&A should parse BBcode (only [ b], [ i], [ u] and [color]) to create more complex questions. Examples:
The sky is blue, but this text is ...?
------------------------
In the sentence: "Choose what is right, not what is easy." What words are bold?
Vinny
Styles Team
Posts: 91
Joined: Thu May 20, 2010 4:01 am
Location: Brazil
