Questions tagged [captcha]

Completely Automated Public Turing test to tell Computers and Humans Apart, used in form validation to restrict access to humans only.

121 questions
84 votes, 5 answers

How does Google's "No Captcha reCaptcha" work?

Google has released a new form of captcha identification of bots, that asks the user to click a single checkbox. It uses image-based verification only if necessary. Could someone please explain to me as to how such a program differentiates a human…
ghosts_in_the_code
42 votes, 2 answers

What triggers Google's reCAPTCHA

I noticed that Google's "I am not a robot" reCAPTCHA forces me to check correct images on my computer. I installed a virtual machine and tried there. Same thing. Used proxy. Same thing too. Then I used another computer in the same network (same…
sanjihan
38 votes, 8 answers

Is brute force a probable threat even if you enable CAPTCHA and rate limit logins?

Let's assume CAPTCHA is enabled with account lock out control (after five continuous failed attempts, the account will be locked for 15 min) on a system. Is brute force still a probable threat?
Sayan
34 votes, 9 answers

Is it helpful to have a captcha on a login screen?

I introduced reCAPTCHA to the login screen of a system. My goal was all about security things like dictionary/bot attacks or other things of that type. The users now hate it. Some did not even understand it, and I had to remove it. When I look…
meda
29 votes, 3 answers

Is there anything insecure about Google ReCaptcha?

In this question on software recommendations, the OP asks for an alternative to Google reCAPTCHA because "for a security reasons also we don't want to depend on any out side services". As far as I know, you ask Google for a CAPTCHA, you display it,…
25 votes, 5 answers

Is there any reason to include the remote ip when using reCaptcha?

I am implementing Google's reCaptcha in my app. According to the documentation, my API request must include my secret key and the response, and optionally the user's remote ip. For what reasons would I include the remote ip?
Mooseman
24 votes, 3 answers

If we know CAPTCHA can be beat, why are we still using them?

If we know CAPTCHA can be beat, why are we still using them? A 35% to 90% success rate like Wikipedia is stating means software is better at solving CAPTCHAs than I am.
sup
24 votes, 7 answers

Is reCAPTCHA enough to prevent brute-force password guesses?

I was wondering if reCAPTCHA were strong enough to prevent brute force from bots or if I needed to add more security, such as sending a unique mail to the user every 5 tries that someone tries to log on to the account and blocking the account while the mail…
JohnnyBgud
19 votes, 12 answers

Is there a true alternative to using CAPTCHA images?

Security is about balancing costs and risks; nothing is impossible to beat, especially not typical CAPTCHA implementations, but they do add something no other system seems to offer. I've been reading around about these CAPTCHAs for a while and…
Daren
15 votes, 8 answers

How does CAPTCHA mitigate DDoS attacks?

This seems like an easy question, but I've failed to find an answer. One of the uses of CAPTCHA is to mitigate Denial of Service attacks. Suppose an adversary performs excessive login attempts, leaving other users unable to log in; the service…
overrider
14 votes, 3 answers

Best practice in web application security authentication to avoid bruteforce attack

I want to cover the possible cases of attacking. My application already has captcha and two-factor authentication, but how can I avoid a tiny attack without annoying my users? The possible cases that I'm thinking to cover are: Show captcha after…
Mohamed Farrag
14 votes, 4 answers

I receive spam despite a captcha, has my WordPress blog been hacked?

I have a WordPress blog under my own domain. It does not have special security. For the past 1 week, my blog got spammed by someone from Russia - I think the contents of my blog somehow angered him. He posts about 20 spam comments (only links to…
itsme
13 votes, 3 answers

AntiForgeryToken versus Captcha

I have some questions regarding captcha and AntiForgeryToken. Do I need to use captcha if I am using AntiForgeryToken in an MVC application? Does AntiForgeryToken prevent automated form submission? Can I use AntiForgeryToken as an alternative…
Twix
13 votes, 4 answers

Why do we need CAPTCHA? In what case should we use it?

In what case should we implement Captcha-based security? How accurate is it, and do any alternatives to Captcha-based security exist?
Joe.wang
12 votes, 2 answers

Should I use ReCAPTCHA v2 or v3?

I've seen lots of SO posts and other articles on the internet about the differences between Google's ReCAPTCHA v2 and v3, but I'm not sure which one I should use. I'm looking to protect my website's sign up page (React frontend + Node.js backend).…
APixel Visuals