As designed Option "Enable CAPTCHA for guests" does not enable it for login page.

Affected version
2.3.6
Hello,

template "register_form" contains:
XML:
<xf:captcharow label="{{ phrase('verification') }}" hint="{{ phrase('required') }}" context="xf_register" />

template "login" contains:
XML:
<xf:if is="$captcha">
    <xf:captcharow label="{{ phrase('verification') }}" force="true" force-visible="true" context="xf_login" />
</xf:if>

Captcha is enabled:
Code:
Setup -> Options -> User registration
"Enable CAPTCHA for guests" is set up to Use hCaptcha


Issue Description:
When "Enable CAPTCHA for guests" is set up, CAPTCHA is displayed and validated correctly on the sign-up (registration) page. However, on the sign-in (login) page, no CAPTCHA is displayed.
If the conditional <xf:if is="$captcha"> is removed from the "login" template, the CAPTCHA widget becomes visible. However, the CAPTCHA response is not validated on form submission, allowing login to proceed without requiring a correct CAPTCHA solution.

Expected Behavior:
CAPTCHA should appear on the login form when enabled in options ("Enable CAPTCHA for guests"), and the CAPTCHA response should be validated properly to prevent login if the CAPTCHA is incorrect.
 
The captcha is not designed to be displayed for every login attempt.

It is displayed conditionally if a number of failed login attempts are detected, depending on the failed login settings.

This is currently working as designed.

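To make the "working as designed" behaviour concrete, here is an added example (my own illustration, not XenForo's code) of a failure-triggered CAPTCHA gate: failed attempts are counted per username and client IP inside a sliding window, the CAPTCHA is armed once a threshold is reached, and the server verifies the CAPTCHA response before it even looks at the password. The threshold of 4 failures, the 15-minute window, the (username, IP) keying and the in-memory counters are assumptions chosen for the example, not XenForo's failed-login settings.

```python
"""Failure-triggered login CAPTCHA gate (added illustration, not XenForo code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]  # (username, client IP) - assumed keying for this example


@dataclass
class LoginGate:
    """Tracks failed logins and arms the CAPTCHA once a threshold is crossed.

    max_failures and window_seconds are assumed values, not the forum's real
    settings. Counters live in process memory here; a real deployment would
    keep them in a database or cache shared by all web workers.
    """
    max_failures: int = 4
    window_seconds: int = 900
    failures: Dict[Key, Deque[float]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _recent(self, key: Key, now: float) -> Deque[float]:
        # Drop failure timestamps that have fallen out of the sliding window.
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def captcha_required(self, username: str, ip: str, now: float) -> bool:
        return len(self._recent((username, ip), now)) >= self.max_failures

    def record_failure(self, username: str, ip: str, now: float) -> None:
        q = self._recent((username, ip), now)
        q.append(now)
        self.audit.append(f"t={now:.0f} login_failed user={username} ip={ip} recent={len(q)}")
        if len(q) == self.max_failures:
            # Distinct event on the transition so monitoring can alert on it.
            self.audit.append(f"t={now:.0f} captcha_armed user={username} ip={ip}")

    def record_success(self, username: str, ip: str, now: float) -> None:
        self.failures.pop((username, ip), None)
        self.audit.append(f"t={now:.0f} login_ok user={username} ip={ip}")


def attempt_login(gate: LoginGate, username: str, ip: str,
                  password_ok: bool, captcha_ok: bool, now: float) -> str:
    """Server-side decision for one login request.

    Returns 'ok', 'bad_password' or 'captcha_required'. Once the gate is
    armed, the CAPTCHA response is verified before the password is considered,
    so merely rendering the widget (what happens when the template condition
    is removed by hand) never lets a request through.
    """
    if gate.captcha_required(username, ip, now) and not captcha_ok:
        gate.audit.append(f"t={now:.0f} captcha_rejected user={username} ip={ip}")
        return "captcha_required"
    if not password_ok:
        gate.record_failure(username, ip, now)
        return "bad_password"
    gate.record_success(username, ip, now)
    return "ok"


if __name__ == "__main__":
    gate = LoginGate()
    ip = "203.0.113.5"  # constructed address from the documentation range
    for t in range(4):
        print(attempt_login(gate, "alice", ip, password_ok=False, captcha_ok=False, now=1000 + t))
    print(attempt_login(gate, "alice", ip, password_ok=True, captcha_ok=False, now=1004))
    print(attempt_login(gate, "alice", ip, password_ok=True, captcha_ok=True, now=1005))
    print("\n".join(gate.audit))
```

Keying on (username, IP) is the weak spot the thread itself raises: a client that changes IP on every request never reaches the threshold, so this gate needs to be combined with per-account counters or the other signals discussed below rather than relied on alone.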
 
You'll need an Add-on to have a CAPTCHA for every login.


But why would you want to have this anyway?

When a login is performed there are basically 5 possible scenarios:
  1. The account was created by a human and this human tries to log in
  2. The account was created by a human but got compromised and another unauthorized human tries to log in
  3. The account was created by a human but got compromised and a bot tries to log in
  4. The account was created by a bot and a human tries to log in with the recorded credentials
  5. The account was created by a bot and another bot tries to use the recorded credentials
Only scenarios 3) and 5) could probably benefit from a login CAPTCHA; do you really think that's worth the annoyance of CAPTCHAs?
 
Kirby is right. This is exactly why CAPTCHA on login isn’t available on all logins.

Deliberately putting barriers that will mostly affect legitimate users is a bad UX and should be avoided.
 
The account was created by a human but got compromised and a bot tries to log in
We should also name the technique credential stuffing, which has gotten very popular in the past years and seems to have already affected many XF installations (especially those with a larger user base).

If it's an advanced hacker (e.g. every request a new IP-address) IMHO only a CAPTCHA or similar technique can avoid that type of attack.
 
Yes, this is a problem - but IMHO not as big to justify annoying everyone with a CAPTCHA on login.

There are quite a few things that could be done and that would be way less intrusive:
  • Encourage users to use 2FA
  • Probably strengthen password complexity checks, e.g. reject very easy / common passwords like Password, Test, etc.
  • Check for leaked credentials
  • Check for unusual behaviour
    For example if a user account hasn't logged in for years and now tries to login from a Datacenter / Proxy / VPN IP
A CAPTCHA would not stop such attacks, in fact it could help to mask them as unsuccessful attempts will not trigger any action / alert / log or cause the bot to not even attempt login.
 
You'll need an Add-on to have a CAPTCHA for every login.

annoyance of CAPTCHAs
Thanks for your opinion. Although I am a paranoid user, CAPTCHA doesn't bother me at all. However, I didn't realize that most users don't like it.
Check for leaked credentials
How do you legally check these leaks without leaking your user DB?

only a CAPTCHA
2FA mandatory requirement will defeat this attack IMHO.
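Kirby's list above suggests rejecting common passwords and checking for leaked credentials, and the question here is how to do the latter without handing over the user database. The following added example (my own code, not XenForo's or any add-on's) shows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1, receives every breached suffix under that prefix, and does the match locally, so neither the password nor the user table leaves the forum. The breach corpus and its counts are constructed, the network call is replaced by an in-memory lookup so the block runs offline, and `password_rejection_reason` with its 12-character minimum is an assumed policy hook.

```python
"""Leaked-credential check with a k-anonymity range query (added example)."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus; the real service holds hundreds
# of millions of hashes and these counts are made up for the example.
_CONSTRUCTED_BREACH_COUNTS: Dict[str, int] = {
    "password": 12,
    "123456": 40,
    "letmein": 3,
}

HEX = set("0123456789ABCDEF")


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group breached hashes by their 5-character prefix, as the service does."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex_upper(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_BREACH_COUNTS)
SERVER_SAW: List[str] = []  # everything the simulated remote side receives


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns CRLF-separated 'SUFFIX:COUNT' lines for every hash sharing the
    prefix. Only the 5-character prefix ever reaches this side.
    """
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("range query must be exactly 5 hex characters")
    SERVER_SAW.append(prefix)
    return "\r\n".join(_RANGE_INDEX.get(prefix, []))


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the corpus; 0 if unseen.

    The full hash and the password never leave the caller: the remote side
    sees a prefix shared by many unrelated hashes, and the suffix comparison
    happens locally.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_rejection_reason(password: str, min_length: int = 12) -> str:
    """Assumed policy hook for registration or password change; '' = accept."""
    if len(password) < min_length:
        return "too_short"
    count = pwned_count(password)
    if count > 0:
        return f"seen_in_breach:{count}"
    return ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw), repr(password_rejection_reason(pw)))
    print("remote side only saw prefixes:", SERVER_SAW)
```

Because the forum stores only password hashes, this check can run only at the moment a user supplies the plaintext (registration, password change, or a successful login), which is also why nothing from the stored user table is ever part of the query.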
 
2FA mandatory requirement will defeat this attack IMHO.
Not as good as a CAPTCHA. It also depends on the contents of the attacked website and the purpose of the attack:

With 2FA enabled a login is still possible. The attacker will see that there is an account with username A, email address B and password C.

Now, the forum may contain sensitive content (e.g. a forum about mental health, sexual issues, ..). So, the owner of the hacked account may be blackmailed by the attacker.

Also, with 2FA via email, the 2FA may be ineffective if the attacker has access to the mail account (e.g. the account owner used the same password for all purposes; in this case forum and email account).

So, if the attacker only tries to access valid accounts and automatically post some ad spam, that's only annoying. But a more advanced attack can be dangerous for the users.
 