Is it immoral to put a captcha on a login form?

Published 2019-03-17 19:38

Question:

In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks.

The immediate reaction of other coworkers was a request to remove it, saying that it was inappropriate for that purpose, and that it was quite exotic to see a captcha in that place.

I've seen captcha images on signup, contact, password recovery forms, etc. So I personally don't see it as inappropriate to put a captcha also on a place like that. Well, it obviously burns down usability a little bit, but it's a matter of time and getting used to it.

With the lack of a captcha test, one would have to put some sort of blacklist / account locking mechanism, which also has some drawbacks.

Is it a good choice for you? Am I getting somewhat captcha-aholic and need some sort of group therapy?

Thanks in advance.

Answer 1:

Just add a CAPTCHA test for cases when there have been failed login attempts for a given user. This is what lots of websites currently do (all popular email services for instance) and is much less invasive.

Yet it completely thwarts brute force attacks, as long as the attacker cannot break your CAPTCHA.



Answer 2:

It's not immoral per se. It's bad usability.

Consider security implications: the users will consider logging in to be time consuming and will:

  • be less likely to use your system at all
  • never log out of your system and leave open sessions unattended.

Consider other forms of brute-force attack detection and prevention.



Answer 3:

Captcha isn't a very traditional choice in login forms. The traditional protection against brute force attacks seems to be account locking. As you said, it has its drawbacks, for example, if your application is vulnerable to account enumeration, then an attacker could easily perform a denial of service attack.



Answer 4:

I would tend to agree with your co-workers. A captcha can be necessary on forms where you do not have to be authorized to submit data, because otherwise spambots will bomb them, but I fail to see what kind of abuse you are preventing by adding the captcha to a login form?

A captcha does not provide any form of security, the way your other options, like the blacklist, would. It just verifies that the user is a human being, and hopefully the username/password fields would verify that.

If you want to prevent brute-force attacks, then almost any other form of protection would be more useful - throttling the requests if there are too many, or banning IPs if they enter wrong passwords too many times, for instance.

Also, I think you are underestimating the impact on usability. A lot of browsers provide a lot of utilities to deal with username/password forms and all of these utilities are rendered useless if you add a captcha.
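The two alternatives the answers propose (Answer 1's CAPTCHA demanded only after failed attempts for a given user, and Answer 4's throttling by source IP) can be combined in one login gate, and Answer 3's account-enumeration caveat can be handled at the same time by giving an unknown username exactly the same response, counting and timing as a wrong password. The following is an added example written for this page, not code from the question or any of the answers; the user store, the thresholds and the sliding window are constructed assumptions, and the in-memory dictionaries stand in for whatever shared store a real deployment would use.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Illustrative thresholds (assumptions, not values from the thread).
CAPTCHA_AFTER_FAILURES = 3   # per-account failures before a CAPTCHA is demanded
IP_MAX_FAILURES = 10         # per-source-IP failures allowed inside the window
WINDOW_SECONDS = 600         # sliding window for both counters
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: {username: (salt, pbkdf2 hash)}; a real system uses a database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
# Dummy credential so that a lookup miss costs the same time as a real check.
_DUMMY = (_SALT, hash_password("unused", _SALT))


class LoginGuard:
    """Demands a CAPTCHA after repeated failures for one account, throttles a
    source IP after too many failures, and never reveals whether a username exists."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for tests
        self.user_failures = defaultdict(list)   # username -> failure timestamps
        self.ip_failures = defaultdict(list)     # ip -> failure timestamps

    def _recent(self, events, now):
        # Drop timestamps outside the window and return how many remain.
        cutoff = now - WINDOW_SECONDS
        events[:] = [t for t in events if t > cutoff]
        return len(events)

    def captcha_required(self, username):
        return self._recent(self.user_failures[username], self.clock()) >= CAPTCHA_AFTER_FAILURES

    def ip_throttled(self, ip):
        return self._recent(self.ip_failures[ip], self.clock()) >= IP_MAX_FAILURES

    def attempt(self, username, password, ip, captcha_solved=False):
        """Returns one of: 'throttled', 'captcha_required', 'denied', 'ok'."""
        now = self.clock()
        if self.ip_throttled(ip):
            return "throttled"
        if self.captcha_required(username) and not captcha_solved:
            return "captcha_required"
        # Always run the hash, even for an unknown user, to keep timing uniform.
        salt, stored = USERS.get(username, _DUMMY)
        match = hmac.compare_digest(hash_password(password, salt), stored)
        if match and username in USERS:
            self.user_failures.pop(username, None)   # clear the counter on success
            return "ok"
        # Unknown user and wrong password are counted and answered identically,
        # so the gate itself cannot be used to enumerate accounts.
        self.user_failures[username].append(now)
        self.ip_failures[ip].append(now)
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(CAPTCHA_AFTER_FAILURES):
        print(guard.attempt("alice", "wrong", "203.0.113.5"))   # denied
    print(guard.attempt("alice", "correct horse", "203.0.113.5"))                       # captcha_required
    print(guard.attempt("alice", "correct horse", "203.0.113.5", captcha_solved=True))  # ok
```

The `captcha_solved` flag is whatever the CAPTCHA provider's verification returns; the gate only decides when to ask for it. Because the per-account counter is keyed by the submitted username rather than by a looked-up account, the CAPTCHA step never behaves differently for real and non-existent users, which is what keeps this from becoming the enumeration-driven lockout Answer 3 warns about; the per-IP throttle catches spraying across many usernames, which the per-account counter alone would miss.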



Answer 5:

I would like to address the question in the title—the question of morality.

I would consider a captcha immoral under the following circumstances:

  1. It excludes participation in the application to those with physical or mental challenges, when the main portion and purpose of the application would otherwise not make such an exclusion.

  2. The mechanism of the captcha exposes users to distressing language or images beyond what would normally be expected in the application.

  3. The captcha mechanism as presented to the user is deceptive or misleading in some way.

A captcha may also be considered immoral if its intent is to exclude genuinely sentient machine intelligences from participation for reasons of prejudice against non-humans. Of course, technology has not yet advanced to the level at which this is an issue, and, further, when it does become an issue, I expect human-excluding gates will be more feasible and common.



Answer 6:

Many popular (most used) mail servers don't have it?!