When.com Web Search

Search results

  1. Results From The WOW.Com Content Network
  2. Is it helpful to have a captcha on a login screen?

    security.stackexchange.com/.../is-it-helpful-to-have-a-captcha-on-a-login-screen

    A captcha on a login screen makes no sense. I'm not surprised your users hated it. The purpose of captcha fields on forms is to prevent them being submitted by bots. A bot should not be able to log in through your login screen, as it should not have valid credentials. If a bot can guess valid credentials, then you need to increase password strength.

  3. Why Do we Need CAPTCHA? In what case we should use it?

    security.stackexchange.com/questions/26094

    Captchas are based upon the Turing test and as such the main purpose is to differentiate human from machine. Pattern recognition, vocal, visual (dynamic/static) have been broken several times. Much of the time it becomes a pain for the end-user, because they are a pain to decipher.

  4. web application - How does CAPTCHA mitigate DDoS attacks? -...

    security.stackexchange.com/questions/22906/how-does-captcha-mitigate-ddos-attacks

    A captcha prevents an attacker from performing more database-intensive operations that may cause a DoS via CPU or memory exhaustion. However, this is only the case when the CPU and memory consumption caused by generating the captcha image must be less than that of the normal page request.

  5. Are reCAPTCHA enough to prevent brute-force password guesses?

    security.stackexchange.com/questions/108116

    A CAPTCHA is normally intended to ensure that 'user' input is from a real person. While it could help to prevent automated attacks against a website login mechanism it is likely to negatively impact on the user experience (username, password and CAPTCHA) unless the system can be configured to only enable the CAPTCHA after one or two failed logins.

  6. Is brute force a probable threat even if you enable CAPTCHA and...

    security.stackexchange.com/questions/195252

    First login failure, you have 15 second lockout, next failure you have 30, etc etc. This is much less hassle to legitimate users, and much more trouble to attackers. In order to make DoS harder, you would need a kind of recipe involving the IP address as well as the account name, capping the maximum delay per account-IP pair to a tolerable value.

  7. burp suite - CAPTCHA with Burpsuite or AppScan - Information...

    security.stackexchange.com/questions/230738/captcha-with-burpsuite-or-appscan

    Here is what you may try: you can simply log in to the web app with captcha + credentials through Burp proxy, and when you have the session cookie set, you may proceed to do the vulnerability assessment scans with Burp. If your situation is where the application logs you out after a while or with one wrong payload, hopefully macros can help you OR try ...

  8. Is showing CAPTCHA after n failed attempts less secure?

    security.stackexchange.com/questions/159884

    My boss asked me how I would improve the login strategy they have implemented at the moment: introduce user, password and resolve a .NET captcha from the first attempt. An auditor security team said that our web applications may be vulnerable to brute force attacks, so I propose that they carry out the following strategy:

  9. How can I test my CAPTCHA's (or CAPTCHA-alternative's)...

    security.stackexchange.com/questions/76904/how-can-i-test-my-captchas-or...

    Here is a very simple CAPTCHA-effectiveness test you can do yourself: Step 1. Browse to your site. Step 2. Check if there is a CAPTCHA on the site. Step 3. If you do have a CAPTCHA, then you know it is not effective. -- It is really that simple: any CAPTCHA you might have is NOT effective, anyway. Don't bother checking anything else.

  10. My local mobile carrier (Play, Poland) and its paid SMS gate is the first example that I recall in my entire Internet history that forces users to fill out dull CAPTCHAs even on pages which are secured by HTTPS protocol and user login. Is there any reason for doing so in this situation? Is there any increased security or anti-spam effects?

  11. How does Google's "No Captcha reCaptcha" work?

    security.stackexchange.com/questions/78807

    If the user is not logged in to the Google Account (in the browser) then s/he gets a visible captcha. If the user is logged in, then depending on your previous (probably across Google) activity history (either on that page or before you navigated there), there are two possible scenarios: You will not get any captcha.