views:

372

answers:

8

In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks.

The immediate reaction of other coworkers was a request to remove it, saying that it was inapropiate for that purpose, and that it was quite exotic to see a captcha in that place.

I've seen captcha images on signup, contact, password recovery forms, etc. So I personally don't see inapropiate to put a captcha also on a place like that. Well, it obviously burns down usability a little bit, but it's a matter of time and getting used to it.

With the lack of a captcha test, one would have to put some sort of blacklist / account locking mechanism, which also has some drawbacks.

Is it a good choice for you? Am I getting somewhat captcha-aholic and need some sort of group therapy?

Thanks in advance.

+4  A: 

Captcha isn't a very traditional choice in login forms. The traditional protection against brute force attacks seems to be account locking. As you said, it has it's drawbacks, for example, if your application is vulnerable to account enumeration, then an attacker could easily perform a denial of service attack.

Kim L
You can of course lock temporary instead of permanently
Henri
Or you can let the brute force attacker log in into a fake empty account.
Tadeusz A. Kadłubowski
+21  A: 

Just add a CAPTCHA test for cases when there have been failed login attempts for a given user. This is what lots of websites currently do (all popular email services for instance) and is much less invasive.

Yet it completely thwarts brute force attacks, as long as the attacker cannot break your CAPTCHA.

intgr
Yes, good point. Add the CAPTCHA on failed attempts only, or - as e.g. Facebook does - if the user logs in from an unusual location.
0xA3
+4  A: 

It's not immoral per se. It's bad usability.

Consider security implications: the users will consider logging in to be time consuming and will:

  • be less likely to use your system at all
  • never log out of your system and leave open sessions unattended.

Consider other forms of brute-force attack detection and prevention.

Tadeusz A. Kadłubowski
+2  A: 

I would tend to agree with your co-workers. A captcha can be necessary on forms where you do not have to be authorized to submit data, because otherwise spambots will bomb them, but I fail to see what kind of abuse you are preventing by adding the captcha to a login form?

A captcha does not provide any form of securtiy, the way your other options, like the blacklist, would. It just verifies that the user is a human being, and hopefully the username/password fields would verify that.

If you want to prevent bruteforce attacks, then almost any other form of protection would be more usefull - throtteling the requests if there is too many, or banning IPs if the enter wrong passwords too many times, for instance.

Also, I think you are underestimating the impact on usability. A lot of browsers provide a lot of utilities to deal with username/password forms and all of these utilities are rendered useless if you add a captcha.

AHM
A: 

Many popular (most used) mail server doesn't have it?!

AKN
A: 

The unfortunate reality is that there can be a legitimate need for CAPTCHA even in the login process. As Tony alluded to, most people simply do not use strong passwords, so brute force attacks are a possibility (if your site is attractive enough to be a target for a hacker). There was a NY Times article in January that said 20 percent of the population share the top 5,000 most common passwords.

As others have pointed out here, CAPTCHA can be used as a backup security challenge in the event that the user fails the login a certain number of times, or if they are logging in from an unrecognized or suspicious IP address. The key is really to strike a balance between security and usability so it’s not a burden for the user – you shouldn’t have to choose between making the login process more secure or making it usable.

Without trying to be too self-promoting here, I’d like to put out this CAPTCHA alternative for your consideration: http://www.confidenttechnologies.com/products/confident_CAPTCHA.php. I’d be interested in getting feedback from anybody and hearing your thoughts on it. Would you be more likely to use an alternative like this on your site than a traditional CAPTCHA that so many people hate?

Confident Technologies
+1  A: 

I would like to address the question in the title—the question of morality.

I would consider a captcha immoral under the following circumstances:

  1. It excludes participation in the application to those with physical or mental challenges, when the main portion and purpose of the application would otherwise not make such an exclusion.

  2. The mechanism of the captcha exposes users to distressing language or images beyond what would normally be expected in the application.

  3. The captcha mechanism as presented to the user is deceptive or misleading in some way.

A captcha may also be considered immoral if its intent is to exclude genuinely sentient machine intelligences from participation for reasons of prejudice against non-humans. Of course, technology has not yet advanced to the level at which this is an issue, and, further, when it does become an issue, I expect human-excluding gates will be more feasible and common.

Jeffrey L Whitledge
A: 

There are many far better alternatives to using a CAPTCHA to stop automated attacks/use. Security should be as transparent and unobtrusive as possible for your users, otherwise they will go elsewhere :) Alot of CAPTCHA systems have been broken, so you only end up annoying your users and not stopping the criminals