-1

I've read through some articles on ways to develop a PHP login form that provides security against brute force attacks and a lot recommend the use of CAPTCHA. But why?

If the script is written to lock a user after x number of failed attempts over a period of let's say 15 minutes, what benefit does CAPTCHA provide?

If the account is locked, isn't that enough?

user1052448
  • CAPTCHA is used to prevent DDOS attacks from robots and services that are accessing your web; using CAPTCHA as a checkpoint to know whether it's a human or a machine trying to access is a perfect solution. – Akam Oct 23 '15 at 15:47
  • Possible duplicate of [Preventing Brute Force Logins on Websites](http://stackoverflow.com/questions/424210/preventing-brute-force-logins-on-websites) – jpaljasma Oct 23 '15 at 15:49
  • If you're concerned about users having to enter characters or interact with a CAPTCHA you could use a NO-CAPTCHA, or hidden CAPTCHA, to detect whether a bot is using the form. This normally involves having a honey pot (hidden input field) and tracking the time taken to complete the form. With the honey pot, if anything is entered in the field, reject the form. If the form is completed too quickly, reject the form. – Styphon Oct 23 '15 at 15:49
  • I can see that being a good point to validate who is trying to access. This application will be on a private network so there's less likelihood of breaches, but I still want the application to be secure. – user1052448 Oct 23 '15 at 15:50
  • @Styphon, honey pots are essentially useless against a targeted script as everything you mentioned is easily scriptable. Honey pots offer hardly any protection when compared to CAPTCHA and are not an acceptable substitute. – Christian Oct 23 '15 at 15:52
  • 1
    Captchas are a flawed protection, but they do greatly increase cost (cpu time for OCR, actual cash for a paid human service) for a bot to successfully submit a form. A naive "block account after x attempts" on a public service could be a disaster - a single bot could block all your user accounts in seconds. On a private network, I doubt you need to do any of this – Steve Oct 23 '15 at 15:57
  • @Christian The company I work for uses honey pots in combination with timing the length of time to complete the form on all our forms with over 90% success rate in cutting out spam. I'm not saying it would be suitable for large websites such as Google, but for your average website it's more than enough in my experience, your mileage may vary. – Styphon Oct 23 '15 at 15:57
  • 1
    @Styphon that may very well be the case but all that tells me is that you have never received a targeted attack. I can view the source of your website to find the honey pots and tell my script to leave them alone. I can also force my script to slow down to meet your speed trap. Honey pots are only effective at blocking generic (and quite bad) scripts and some web-crawlers, whereas a script reading an image is beyond just about everyone. – Christian Oct 23 '15 at 16:00

3 Answers

2

CAPTCHA is less about cracking login details and more about spam and botting. Open forums are especially vulnerable as a simple script can load the page, fill the form in with garbage (or intelligent content) and submit, over and over and over ... but it becomes infinitely harder to also get that script to work out the CAPTCHA and so the spamming almost stops completely as people are forced to do it by hand.

Christian
1

In most cases, it is more effective to use CAPTCHA at the registration phase, to avoid bots from registering and logging in.

Uri Goren
1

If you lock out accounts after a number of failed login attempts, then that would be enough - yes.

That "if" is the key part here - CAPTCHAs and rate-limited account locking are alternatives to one another, you don't use both of them at the same time.

If you use a CAPTCHA challenge, it will be annoying for some of your users, because it requires an extra effort from them.
If you use rate-limiting, a legitimate user may be locked out during the time when their account is being attacked.

You just have to choose which one you (or your users) prefer.

Narf
  • So having the CAPTCHA appear after the 2nd failed login might be better for the user experience as it won't be required the first two times. I can see how having an account locked out would be a bad experience. One of the DBAs would manually have to log in to the mysql server and clear the flag if all admin accounts were blocked. – user1052448 Oct 23 '15 at 15:53
  • Indeed, in a closed (I guess intranet) environment, your admins will probably get such requests frequently, mostly from users with forgotten passwords though. :) – Narf Oct 23 '15 at 15:56
  • I guess I can complicate things further by removing the lock after 5 minutes. If it gets locked again, after the 3rd lock period within a period of time it becomes permanent to where the admin has to unlock. That'll reduce the admin effort :) – user1052448 Oct 23 '15 at 16:00
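An added example, not code from the question or from any answer, of the escalation user1052448 sketches in these comments (CAPTCHA after the 2nd failure, a lock that lifts after 5 minutes, a permanent lock after the 3rd lock), written in PHP since that is what the question targets; every threshold and the in-memory store are assumed placeholders.

```php
<?php
// Added example, not from the question or any answer: one way to combine the
// measures discussed above into a single per-account login policy. Assumed
// values (placeholders): failures count in a sliding 15-minute window; after 2
// failures the form must also pass a CAPTCHA; after 5 failures the account is
// locked for 5 minutes; a 3rd lock within one hour is permanent until an admin
// clears it. State lives in an array here; a real app would keep it in the DB.

const FAIL_WINDOW = 15 * 60, LOCK_SECONDS = 5 * 60, LOCK_WINDOW = 60 * 60;
const CAPTCHA_AFTER = 2, LOCK_AFTER = 5, PERMANENT_AFTER = 3;

// Load the account's state and drop events that have aged out of their windows.
function loginState(array &$store, string $user, int $now): array {
    $s = $store[$user] ?? ['failures' => [], 'locks' => [], 'locked_until' => 0, 'permanent' => false];
    $s['failures'] = array_values(array_filter($s['failures'], fn($t) => $t > $now - FAIL_WINDOW));
    $s['locks']    = array_values(array_filter($s['locks'],    fn($t) => $t > $now - LOCK_WINDOW));
    return $store[$user] = $s;
}

// What the form must require right now, checked before the password is verified.
function loginRequirement(array &$store, string $user, int $now): string {
    $s = loginState($store, $user, $now);
    if ($s['permanent'])                        return 'locked_permanent'; // admin must unlock
    if ($s['locked_until'] > $now)              return 'locked_temporary'; // wait out 5 minutes
    if (count($s['failures']) >= CAPTCHA_AFTER) return 'captcha';          // extra cost for bots
    return 'password';
}

// Record a failed password or CAPTCHA attempt and apply the lock escalation.
function recordFailure(array &$store, string $user, int $now): string {
    $s = loginState($store, $user, $now);
    $s['failures'][] = $now;
    if (count($s['failures']) >= LOCK_AFTER) {
        $s['locks'][]      = $now;
        $s['failures']     = [];                 // counter restarts after each lock
        $s['locked_until'] = $now + LOCK_SECONDS;
        $s['permanent']    = count($s['locks']) >= PERMANENT_AFTER;
    }
    $store[$user] = $s;
    return loginRequirement($store, $user, $now);
}

// A successful login clears the failure counter; lock history stays on record.
function recordSuccess(array &$store, string $user, int $now): void {
    loginState($store, $user, $now);
    $store[$user]['failures'] = [];
}
```

The intended flow is to call loginRequirement() before checking the password, recordFailure() on a bad password or failed CAPTCHA, and recordSuccess() on a good login. Because everything is keyed on the username, Steve's point above still applies: anyone who knows an account name can push it into the temporary lock, which is why the CAPTCHA step comes before the lock rather than replacing it.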