I was wondering if reCAPTCHA were strong enough to prevent BruteForce from bots or if I needed to add more security, such as sending a unique mail to the user every 5 tries that someone try to log on the account and block the account while the mail isn't checked.
The aim is to prevent automated password guessing on a website.
ReCaptcha is great from a client side point of view, but it's not perfect.
The mail technique that you mention is called account lockdown, and is a very effective deterrent against brute force attacks. I would implement it because it's an added layer independent of the client side completely.
Another measure you can implement is throttling. It's unrealistic for a human to send 2 requests within 1 second (or any value you consider appropriate), so you limit the frequency of accepted connections. In iptables you would do something like this:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
(Example taken from debian-administration.org.) This will limit requests to port 22 to 3/minute, any other request will be dropped. This can be useful for other operations besides log-in routines.
A CAPTCHA is normally intended to ensure that 'user' input is from a real person.
While it could help to prevent automated attacks against a website login mechanism it is likely to negatively impact on the user experience (username, password and CAPTCHA) unless the system can be configured to only enable the CAPTCHA after one or two failed logins.
The alternative mechanism for controlling attacks without compromising on user experience is an access control policy on the website which includes a limit on the number of unsuccessful login attempts during a given period of time, followed by a lockout duration. This will help to defeat both automated and targeted (i.e. user-based password guessing attacks as well as automated attacks) so in effect you get 2 for 1.
Whether to impose a timed lockout (i.e. an automatic reset after say 10 minutes) or whether to lock the account and wait for the valid user to respond in some way is a judgment call based on the particular scenario i.e. things like data sensitivity, size of user population, number of help desk staff available etc.
Notifying the user of multiple failed logins could help to make the user aware of potential attempts of unauthorised access, but could also result in lots of unwelcome support calls, so set the bar at a level which works for you.
reCAPTCHA certainly makes password guessing harder, but not impossible. Hackers set up sites with goodies (games, downloads, etc.), which are captcha-protected, and will redirect your captcha there. Users trying to get their download will solve your captchas, enabling the hackers to use it to guess another password. Account lockdown is more effective, since only the owner of the e-mail can unlock the account. It's also more disruptive for users.
Keep in mind that both captcha and account lockdown are terrible user experiences, and your site should be pretty good / unique to be able to afford such techniques. Give your users at least a couple of attempts before you ask to solve a captcha for the first time, otherwise users may simply move to the next site offering the same services as yours.
Another means of additional security is 2-factor authentication. This is where users register their cell (mobile) phone number and whenever they logon the server sends a code via SMS message which must be entered by the user before gaining access. As with all things security, this adds a layer of annoyance for the user but is extremely effective.
A much simpler means of security is to restrict short/easy passwords. If your user is allowed to make "1234" their password then a bot is much more likely to guess that than "ihatelongpasswordssomuch"
reCaptcha is quite good but is not perfect.
A tool like fail2ban is another effective way. Configure the web site to log failures and then configure fail2ban to monitor the log and when it detects x number of failures from an IP address in a set amount of time, it adds a firewall rule so the server goes offline to that ip address for a pre-determined amount of time.
Advantages:
Disadvantages:
I have seen sites that use a CAPTCHA after a "low" number of incorrect password attempts (such as 3) and then lock the account for a period of time (such as an hour) after a "high" number of incorrect password attempts (such as 10). Effectively this means that brute force attacks are limited to a maximum of 10 guesses per hour, performed by a human operator - not very enticing from an attacker's point of view.
Many answers seem to imply reCAPTCHA verifies that the input is human... it does not. There's plenty open-source OCR utilities (both client- and server-sided) that allow any automated script to parse text off an image. So anything text based, even calculations, can easily be spoofed.
OCR does add a lot of time for each guess, and also requires much more resources (computation power), but in the end it only delays the attacker. It should therefore never be used as the only defensive mechanism, only of course one is better than none. If possible, use the new image-based verifications (select all images that show a flower). Input-based mechanisms (as Google is currently testing) are also easily spoofed by analysing your hardware correctly.
I would also advise to keep a history of IPs, user-agents, anything identifiable when an incorrect password has been entered for any user. If I were to brute-force a user I would alternate between many users, using many different proxies and using a user-agent spoofer to make it seem random, but with enough information everything can be detected and blocked.
