On Wed, Dec 3, 2014 at 8:47 PM, Daniel Friesen daniel@nadir-seen-fire.com wrote:
> On 2014-12-03 8:35 PM, Robert Rohde wrote:
>> However, captchas might be useful if used in conjunction with simple behavioral analysis, such as rate limiters. For example, if an IP is creating a lot of accounts or editing at a high rate of speed, those are bad signs.
> Don't we already do rate limiting by IP for account creation? In fact I seem to recall we have a page where people have to ask for temporary whitelisting of IPs like those used at a hackathon's Wi-Fi point where large numbers of users legitimately sign up.
> I'm pretty sure the users making large amounts of malicious accounts use a bunch of proxies so they don't have to worry about rate limits.
Yes, we do have some rate limiting, though I couldn't tell you what the settings are presently. In general, we could have both a soft limit that triggers captchas and a hard limit that results in a full stop. Depending on the settings, a two-tiered system could even be more friendly for hackathons and teaching groups.
The broader point is that I would encourage people to consider ways to improve and expand the uses of similar basic behavioral analysis, rather than simply throwing a captcha at everyone.
-Robert Rohde
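
The two-tier scheme discussed in this thread, sketched as an added example (not code from the thread or from any existing rate limiter): a per-IP sliding window where crossing the soft limit returns a captcha decision and reaching the hard limit returns a full stop, with temporarily raised limits for a known event network. The class and function names, thresholds, window length and documentation-range addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

ALLOW, CAPTCHA, BLOCK = "allow", "captcha", "block"

class TwoTierLimiter:
    """Per-IP sliding-window counter with a soft (captcha) and hard (stop) tier."""

    def __init__(self, soft_limit, hard_limit, window):
        if not 0 < soft_limit < hard_limit:
            raise ValueError("need 0 < soft_limit < hard_limit")
        self.soft, self.hard, self.window = soft_limit, hard_limit, window
        self.events = defaultdict(deque)  # ip -> timestamps of counted attempts
        self.raised = []                  # (network, expires_at, soft, hard)

    def raise_limits(self, cidr, expires_at, soft_limit, hard_limit):
        """Temporarily raise both tiers for a known network, e.g. a hackathon."""
        net = ipaddress.ip_network(cidr)
        self.raised.append((net, expires_at, soft_limit, hard_limit))

    def _limits_for(self, ip, now):
        addr = ipaddress.ip_address(ip)
        for net, expires_at, soft, hard in self.raised:
            if now < expires_at and addr in net:
                return soft, hard
        return self.soft, self.hard

    def check(self, ip, now):
        """Decide one account-creation attempt from `ip` at time `now` (seconds)."""
        soft, hard = self._limits_for(ip, now)
        q = self.events[ip]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= hard:
            return BLOCK                        # hard limit: full stop, not counted
        q.append(now)                           # assumption: captcha'd attempts count
        return CAPTCHA if len(q) > soft else ALLOW

def demo():
    # Constructed scenario: documentation-range addresses, one attempt per second.
    lim = TwoTierLimiter(soft_limit=2, hard_limit=4, window=60.0)
    lim.raise_limits("198.51.100.0/24", expires_at=1000.0, soft_limit=50, hard_limit=100)
    single = [lim.check("203.0.113.7", float(t)) for t in range(6)]
    event = [lim.check("198.51.100.20", float(t)) for t in range(6)]
    return single, event

if __name__ == "__main__":
    print(demo())
```

Because the raised limits carry an expiry time, the event network falls back to the default tiers on its own once the event is over.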