Why does the web login need a verification code?

Many friends don't understand the authentication code that must be encountered when logging in , Increase the redundancy of user operation , Direct login is very convenient , Why? web A verification code should be added to the terminal login ？ Until last week , A company doing business security gives us now Web Website security report , I realized ： The essential attribute of verification code is security , In addition to preventing malicious password cracking 、 Brush ticket 、 The wool party 、 Forum water 、 Other than reptile behavior , Or users and website information security strong guarantee .

Here's what our technicians gave. From a safety point of view , Why? Web Verification code is required for login ？

Because of you. WEB Sometimes the station will encounter malicious attacks from clients . One of the most common attacks is identity fraud , It writes some code in the client script , Then use its client on the website 、 Forum login repeatedly , Or an attacker creates a HTML forms , If its form contains the same fields as your registration form or posting form , And then use it "http-post" Transfer data to the server , The server will perform the corresponding account creation , Submit garbage data and other operations . If the server itself cannot effectively verify and reject this illegal operation , It will seriously consume its system resources , Reduce website performance and even crash the program .

## The following reference 2 A common HTML Examples of attacks ：

1、HTML Account security problems exposed by syntax

The standard HTML In the syntax , Support in form Use tags in the form to create a HTTP Submitted properties , modern WEB Logon , The following forms are common ：

<form action = "http://localhost:8080/Application/login" method = "POST"> user name ：<input id="username" name="username" type="text" /> password ：<input id="password" name="password" type="password" /> <button type="submit"> land </button></form>

form The form will when the request is submitted , Will get form in input The label exists name Properties of , As HTTP Requested body The parameters in are passed to the background , Perform login verification .

For example, the account number is user1, The password is 123456, Then it will be sent to the background when submitting for login HTTP The request is as follows （Chrome perhaps FireFox Developer tools capture , To be opened Preserve log）：

It can be found that even if password The field is a black dot , But this machine still intercepts the request in clear text .

2、HTTP The protocol transmission directly exposes the user password field

In the process of network transmission , Being sniffed will directly endanger the user's information security , With Fiddler or Wireshark For example , Find captured HTTP The message contains sensitive information ：

And now the popular judgment visit WEB Whether the program is a legitimate user or a malicious operation , Is to adopt a method called “ Character check ” Technology ,WEB The website is like the current Mobile Forum , His approach is to provide customers with a picture containing a random string , The user must read these strings , Then submit it together with user created forms such as login form or post form .

So what to do ? What protective measures are there ？ At this time, our security researchers invented the verification code . For a detailed introduction to the historical records of specific inventions, see the introduction in my previous articles . Because people's words , You can easily read the numbers in the picture , But if it's a piece of client attack code , It is difficult to identify the verification code through general means, so as to ensure that the current access comes from a person rather than a machine and AI robot .

Verification Code ： It's a random string of numbers or symbols , Create a picture , Add some interfering pixels to the picture （ prevent OCR）, The user can visually identify the verification code information , Enter form to submit site validation , You can use a function only after the verification is successful .

Typical application scenarios ：

Website security ： Junk registration 、 Malicious login 、 A malicious attack
Data security ： Data crawling 、 Data destruction 、 Account embezzlement
Operational safety ： Malicious brush list 、 False second kill 、 False comments 、 Occupied seat 、 Brush ticket
Transaction security ： False transaction 、 A malicious cash out 、 Pay with stolen card

significance ： Now, in order to prevent users from automatically registering with robots 、 Sign in 、 irrigation 、 Brush ticket 、 Collect wool, etc , They all use captcha technology .

The present , With the development of science and technology , The verification code has also been greatly improved in the form of interaction , More and more emphasis on user experience , For example, the intelligent senseless verification of the top image , An authentication system that can identify users without authentication is introduced , The principle is also very simple . Before the user attempts to log in or do other traditional operations that need to be verified , Will scan the operating environment , And some key parameters are analyzed , Including common IP、 Location 、 Usage habits 、 Malicious features 、 Device fingerprints, etc . Analysis based on a large number of models and data , The risk control engine can make a pre judgment on the user's identity . If the risk control engine thinks the user is “ A good man ”, Then directly release ; If it is determined that “ machine ”, Will not be released ; If in doubt , Then the verification code is given. Slide .

The verification code can effectively prevent the continuous login attempts of a specific registered user by using a specific program brute force cracking method , In fact, the use of verification code is now a common way for many websites （ such as 12306、 Online personal banking login page of major banks ,BBS Forum, etc ）, It's a little bit of a hassle, though , But for the website, this function is still very necessary , It's also important. .