Solved

Image Verification Security

Posted on 2006-12-01
Last Modified: 2006-12-04
Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts' and how they associate attempts with users.

Through my own testing I have determined the following:

1) Attempts are not stored in cookies or sessions
2) Attempts are not linked to the remote address

So just how do they know how many attempts I have had without storing my remote address or session id (or any other form of cookie related information)?  I have examined the $_SERVER variables to try and determine if there's any kind of data that can be used to identify users, but I have failed to find any.

The only other theory that I can think of is that they combine a number of different data (creating a "fingerprint"), such as remote address mixed with the user's browser for instance, but that would be useless for a variety of corporations and educational centres that have networked computers sharing the same address and using the same browsers.

Please put me out of my misery :)

Thanks,

Karl.
Question by:KarlPurkhardt
5 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 18057315
On each login attempt you send your username and then your session fails and the validator updates the database.
0
 
LVL 11

Expert Comment

by:ch2
ID: 18057333
< Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts'

Usually in DB

< how they associate attempts with users.

Username you send and the one in the db.
0
 
LVL 4

Author Comment

by:KarlPurkhardt
ID: 18057781
Neither of those would work the same as www.gmail.com image verification.  For example, if I make several attempts (using different email addresses and passwords) I will still have to go through the image verification after x attempts. At this point, I can clear my cookies and I will still be prompted to validate via the image verification, even though each attempt was made on a different account (different email/password) and I have cleared my cookies.
0
 
LVL 11

Assisted Solution

by:ch2
ch2 earned 60 total points
ID: 18057859
www.gmail.com uses JavaScript, POST data and a certificate, so just remove all and you cannot connect.
0
 
LVL 8

Accepted Solution

by:jk2001
jk2001 earned 65 total points
ID: 18058562
They probably keep track of the IP address.  How can you be sure they don't track that?

They could, for example, have lists of IP addresses associated with any account you try to use.  If you try to get to foo@gmail.com from 1.2.3.4 and then from 2.3.4.5, maybe foo@gmail.com gets associated with both 1234 and 2345.

Then subsequent attempts from 1234 are linked to all the accounts you try, and same for 2345.  This creates a little pile of linked accounts, and that's your fingerprint.

I'm totally speculating here.  Seems like too much work, to me.
0
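
An added example, not part of the original thread and not a description of how Gmail works: one way to decide server-side when image verification is required, counting recent failures per client address and per submitted username so that clearing cookies or switching accounts does not reset the count. The table name, thresholds and function names are assumptions made for illustration.

```php
<?php
// Added example: failed-login tracking kept in a database, not in cookies or sessions.
// Table name, thresholds and function names are assumptions for illustration.
const MAX_FAILS_PER_IP   = 5;    // failures from one address before a CAPTCHA is shown
const MAX_FAILS_PER_USER = 3;    // failures against one account before a CAPTCHA is shown
const WINDOW_SECONDS     = 900;  // only failures from the last 15 minutes count

function initStore(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
        ip TEXT NOT NULL, username TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_fail_ip ON login_failures (ip, failed_at)');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_fail_user ON login_failures (username, failed_at)');
}

function recordFailure(PDO $db, string $ip, string $username, int $now): void {
    $stmt = $db->prepare('INSERT INTO login_failures (ip, username, failed_at) VALUES (?, ?, ?)');
    $stmt->execute([$ip, strtolower($username), $now]);
}

function countRecent(PDO $db, string $column, string $value, int $now): int {
    // The column name comes from a fixed allow-list, never from request data.
    if (!in_array($column, ['ip', 'username'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM login_failures WHERE $column = ? AND failed_at > ?");
    $stmt->execute([$value, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function captchaRequired(PDO $db, string $ip, string $username, int $now): bool {
    return countRecent($db, 'ip', $ip, $now) >= MAX_FAILS_PER_IP
        || countRecent($db, 'username', strtolower($username), $now) >= MAX_FAILS_PER_USER;
}

// Constructed demo data: five failures from one address, each against a different account.
// In a real login handler $ip would be $_SERVER['REMOTE_ADDR'].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initStore($db);
$now = time();
foreach (['a@example.com', 'b@example.com', 'c@example.com', 'd@example.com', 'e@example.com'] as $user) {
    recordFailure($db, '192.0.2.10', $user, $now);
}
// Same address, a sixth account, no cookie involved: the per-address count applies.
var_dump(captchaRequired($db, '192.0.2.10', 'f@example.com', $now));
// Different address, untouched account: neither count has reached its threshold.
var_dump(captchaRequired($db, '198.51.100.7', 'f@example.com', $now));
```

Because the per-address threshold only adds a CAPTCHA rather than blocking, users behind a shared address (the corporate and campus case raised in the question) are slowed down, not locked out.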
