[lucb1e]

Hello all,

I'd like to make a request for the login captcha. It isn't a really hard one, which imo is very good (hate the hard captchas). But actually what is the use of showing it to the same user again and again?

Most websites only use it after one or a couple of failed logins, and I guess you could just show it to every IP which had a failed login in the past 12 hours. That'll make the password cracking at 1pwd/12h fairly hard I think, as the chance you have the captcha correct by guess is 1 out 24^5 (or 1 out of 7962624)

Or the other way: if there was a succesfull captha in the past 48hours + successfull login in the past 48hours + no failed login in the past 12hours, don't show the captcha. You should look at the IP and some things like browser and resolution to make more sure it's the same user or at least the same machine. A potential cracker would need access to the machine for trying once. A second try would automaticly get a captcha on as there was a failed login in the last 12hours. Seems like 100% secure to me, and a lot more user comfort as they only have to enter it once every two days (unless they accidently make a typo in the login).

What do you think about it?

Regards,
Luc.