Is it immoral to put a captcha on a login form?

Question

In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks.

The immediate reaction of other coworkers was a request to remov

Answer 1

It's not immoral per se. It's bad usability.

Consider security implications: the users will consider logging in to be time consuming and will:

• be less likely to use your system at all
• never log out of your system and leave open sessions unattended.

Consider other forms of brute-force attack detection and prevention.

Answer 2

I would like to address the question in the title—the question of morality.

I would consider a captcha immoral under the following circumstances:

1. It excludes participation in the application to those with physical or mental challenges, when the main portion and purpose of the application would otherwise not make such an exclusion.

2. The mechanism of the captcha exposes users to distressing language or images beyond what would normally be expected in the application.

3. The captcha mechanism as presented to the user is deceptive or misleading in some way.

A captcha may also be considered immoral if its intent is to exclude genuinely sentient machine intelligences from participation for reasons of prejudice against non-humans. Of course, technology has not yet advanced to the level at which this is an issue, and, further, when it does become an issue, I expect human-excluding gates will be more feasible and common.

Answer 3

Many popular (most used) mail server doesn't have it?!

Answer 4

Just add a CAPTCHA test for cases when there have been failed login attempts for a given user. This is what lots of websites currently do (all popular email services for instance) and is much less invasive.

Yet it completely thwarts brute force attacks, as long as the attacker cannot break your CAPTCHA.

Answer 5

I would tend to agree with your co-workers. A captcha can be necessary on forms where you do not have to be authorized to submit data, because otherwise spambots will bomb them, but I fail to see what kind of abuse you are preventing by adding the captcha to a login form?

A captcha does not provide any form of securtiy, the way your other options, like the blacklist, would. It just verifies that the user is a human being, and hopefully the username/password fields would verify that.

If you want to prevent bruteforce attacks, then almost any other form of protection would be more usefull - throtteling the requests if there is too many, or banning IPs if the enter wrong passwords too many times, for instance.

Also, I think you are underestimating the impact on usability. A lot of browsers provide a lot of utilities to deal with username/password forms and all of these utilities are rendered useless if you add a captcha.

Answer 6

Captcha isn't a very traditional choice in login forms. The traditional protection against brute force attacks seems to be account locking. As you said, it has it's drawbacks, for example, if your application is vulnerable to account enumeration, then an attacker could easily perform a denial of service attack.