Showing CAPTCHA

Question

I'd like to show a CAPTCHA to prevent brute forcing attempts, but I was thinking of showing it whenever a user fails for an invalid username/password combination after X attempts, regardless of whether that user exists in the database or not.

The thought was that if a user did exist, then all an attacker would have to do is record which username combinations (after X attempts) displayed CAPTCHA vs did not (and thus based upon that, I can get all of the e-mails out of the database).

So therefore I'd show the captcha after x attempts regardless.

now, to keep track of that, I guess I'd need a database table that literally saves whatever input the user typed in, but does that seem somewhat excessive?

that someone could try [email protected] in one country, and in another, etc, and then one person ruins it for everyone to see captcha.

I could also try it by [email protected] + IP address (so only if you tried X times with a bad username/password combo from your current IP that it would show the CAPTCHA).

Do you think I should store IP ADDRESS and use that as the basis of showing a CAPTCHA for an invalid username/password combo? Or should I simply stick to the text used universally for some period of time.

Thanks!

Answer 1

A couple of things to consider:

• Do you really want to hide your users' IDs/emails? It's worth considering whether users are likely to forget said username/email. When they forget it, a login form that says "id or password incorrect" is terribly frustrating. Think about how often your users login, and whether you send them any paper bills or letters they're expected to store (in which case you can print a user ID on them).
• Blocking a specific ID/email for a while after e.g. 10 failed attempts is necessary to prevent online brute-forcing, indeed. If you already let actual users reset their passwords via email, remember to warn them of a bruteforce via email (including a link to re-enable their account) so if they need to login they can.
• Not serving a CAPTCHA systematically is critically important. Legitimate users get up to 40% failure rates on CAPTCHAs (citing internal sources in my research group, but I have no URL to back this up, sorry!). Serving CAPTCHAs to an attacker targeting a specific ID is probably not useful because you can just lock up the account and warn the user.
• Serving CAPTCHAs per IP can be useful to block people trying common passwords for many email addresses. Consider whether you have a large user base located in a university or large corporation that share an IP address, though. If you need to display a CAPTCHA then tell the users that this is because of large traffic from their IP address.

Answer 2

Using CAPTCHA will not necessarily stop someone from brute-forcing user accounts. It just adds another hurdle to get over. Once the attacker develops an automatic way to answer the CAPTCHA correctly, then they will continue brute-forcing.

There are several ways to prevent brute-forcing attempts against user accounts, but I believe the most effective approach is user lockout. Providing a user five attempts to login, and then offering them the opportunity to have their password reminder or reset password link emailed to them is acceptable. Once the attacker realizes his attacks are failing after only five attempts, he will most likely move on to an easier target.

Alternatively, if you're not really trying to stop brute-force attacks, but are trying to figure out who is attacking you, then yes, you would want to track and store the information related to the attacks.