CAPTCHA issues and ideas

Started by OldGuy, July 27, 2019, 12:39:23 pm

Holding Pattern

In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

https://www.section508.gov/content/guide-accessible-web-design-development#captcha

Phil Hirons, Jr.


Fubar

Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: Section508.gov, About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.

Holding Pattern

Quote from: Fubar on September 04, 2019, 04:14:34 am
Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: Section508.gov, About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.


According to the CAP Pamphlet on IT, it does apply.

jeders

Quote from: Holding Pattern on September 04, 2019, 05:08:47 pm
Quote from: Fubar on September 04, 2019, 04:14:34 am
Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: Section508.gov, About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.


According to the CAP Pamphlet on IT, it does apply.


If you are talking about the IT specialty track pamphlet, then the only reference to section 508 that I see is as an additional reading. That hardly counts as it applying to us.
If you are confident in your abilities and experience, whether someone else is impressed is irrelevant. - Eclipse

JohhnyD

https://www.okwgcap.org/accessibility

Oklahoma Wing - Civil Air Patrol is committed to providing a website that is accessible to all users regardless of ability. We recognize the importance and are continually working to increase the accessibility and usability of our website.

Our website should be in compliance with Section 504, Section 508 and Title II of the Rehabilitation Act. Section 504 requires equal access and communication of electronic information and data so that it is accessible to everyone. The district is utilizing the Web Content Accessibility Guidelines 2.0 - 2.1 A, AA to meet the requirements of Section 504.

Eclipse




ZigZag911

It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.

NIN

Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.

Darin Ninness, Col, CAP
Wing Dude
I like to have Difficult Adult Conversations™
Nothing posted on CAPTalk should be considered policy unless otherwise stated
The contents of this post are Copyright © 2007-2020 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Spaceman3750

Quote from: NIN on November 17, 2019, 07:40:49 pm
Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.


This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.
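The two abuse patterns named in the post above, walking a predictable ID space to find valid usernames and then hammering the accounts that exist, both leave a signature in ordinary authentication logs. The following is an added example, not code from this thread or from eServices: it runs simple sliding-window detection over constructed log lines. The log format, the sequential six-digit usernames, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
"""Detect username enumeration and per-account brute force in auth logs.
Added example; the log format, sample data and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <username> <result>".
# 203.0.113.7 walks consecutive IDs, 198.51.100.4 hammers one account,
# 192.0.2.10 is a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
2019-11-17T19:00:01 203.0.113.7 100001 FAIL
2019-11-17T19:00:02 203.0.113.7 100002 FAIL
2019-11-17T19:00:03 203.0.113.7 100003 FAIL
2019-11-17T19:00:04 203.0.113.7 100004 FAIL
2019-11-17T19:00:05 203.0.113.7 100005 FAIL
2019-11-17T19:00:06 203.0.113.7 100006 FAIL
2019-11-17T19:01:00 198.51.100.4 100042 FAIL
2019-11-17T19:01:10 198.51.100.4 100042 FAIL
2019-11-17T19:01:20 198.51.100.4 100042 FAIL
2019-11-17T19:01:30 198.51.100.4 100042 FAIL
2019-11-17T19:01:40 198.51.100.4 100042 FAIL
2019-11-17T19:01:50 198.51.100.4 100042 FAIL
2019-11-17T19:03:00 192.0.2.10 100077 FAIL
2019-11-17T19:03:10 192.0.2.10 100077 OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def max_in_window(events, window, distinct_by=None):
    """Slide a time window over events (tuples whose first element is a
    timestamp) and return the largest count found in any window; with
    distinct_by, count distinct values of that field instead of events."""
    events = sorted(events, key=lambda e: e[0])
    best, j = 0, 0
    for i in range(len(events)):
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        chunk = events[i:j]
        size = len({distinct_by(e) for e in chunk}) if distinct_by else len(chunk)
        best = max(best, size)
    return best


def looks_sequential(usernames, max_gap=1):
    """True when the numeric usernames form a run of consecutive IDs,
    the mark of someone walking a predictable login ID pattern."""
    ids = sorted(int(u) for u in usernames if u.isdigit())
    if len(ids) < 2:
        return False
    return all(b - a <= max_gap for a, b in zip(ids, ids[1:]))


def detect(log_text, window=timedelta(minutes=5),
           spray_threshold=5, brute_threshold=5):
    """Return IPs that failed against many distinct usernames inside one
    window (mapped to whether the usernames were sequential) and usernames
    that accumulated many failures inside one window."""
    by_ip = defaultdict(list)    # ip   -> [(ts, username)] for failures
    by_user = defaultdict(list)  # user -> [(ts, ip)] for failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))

    spraying = {
        ip: looks_sequential([u for _, u in ev])
        for ip, ev in by_ip.items()
        if max_in_window(ev, window, distinct_by=lambda e: e[1]) >= spray_threshold
    }
    brute = sorted(
        user for user, ev in by_user.items()
        if max_in_window(ev, window) >= brute_threshold
    )
    return {"spraying_ips": spraying, "brute_forced_users": brute}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Either finding is a reasonable trigger for a CAPTCHA or a temporary rate limit that applies only to the offending source or account, which is how a site avoids challenging every legitimate login while still protecting performance for everyone else.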

Eclipse

Quote from: Spaceman3750 on November 17, 2019, 08:06:33 pm
This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.


It doesn't need to ask every time. Plenty of sites establish you're a person, or using a CAPTCHA script, and then don't ask every time.

It was also indicated that it was implemented to try and thwart people scraping the screen for local apps, which would not be necessary if there were either actually useful squadron and activity management modules or an API.

Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)



NIN

Quote from: Eclipse on November 18, 2019, 01:37:01 am
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)


CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.

Eclipse

Quote from: NIN on November 18, 2019, 02:54:59 am
Quote from: Eclipse on November 18, 2019, 01:37:01 am
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)


CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.


I've seen things you people wouldn't believe...



NIN

Quote from: Eclipse on November 18, 2019, 03:16:59 am
I've seen things you people wouldn't believe...


The bonus is, you can use the Voight-Kampff test instead of a membership board.


Gunsotsu

I believe this is the appropriate time to use the latest...

Ok, Boomer.

NIN

Oh, come on. Surely you can be more dismissive than that?


Holding Pattern

Quote from: NIN on November 17, 2019, 07:40:49 pm
Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.


MFA is more user-friendly and more secure.

NIN

Quote from: Holding Pattern on November 18, 2019, 05:30:22 pm
MFA is more user-friendly and more secure.


MFA also has its foibles.

For example, a text-based MFA is spoofable.


xyzzy

I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:


  • Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage

  • Code sent to email account. Airman may not have the password to the email account with her.


Holding Pattern

Quote from: NIN on November 18, 2019, 10:50:23 pm
Quote from: Holding Pattern on November 18, 2019, 05:30:22 pm
MFA is more user-friendly and more secure.


MFA also has its foibles.

For example, a text-based MFA is spoofable.


A hardware token costs $6. An expensive hardware token on sale on black friday costs $25. A TOTP implementation on an existing smartphone costs $0.

There are solutions for everyone on this; SMS/email is mostly deprecated.