On registration screen there are 3 fields: Email, Password and Captcha.
User has entered valid email and password but has entered wrong Captcha.
Here an error message specific to the wrong Captcha field is displayed and the Captcha is reset.
Should the value in the Password field be reset to blank too?
Answer
If you clear the password field when you have a faulty password, then it should clear the password field on a faulty CAPTCHA too and it should not specifically state that it was the CAPTCHA that was wrong while the rest were valid.
Why?
In case of using CAPTCHA — i.e. you are expecting bots to come knocking on your door and you wish to turn them away — you should not let the bot glean any information from failed login attempts. This is especially important for the case of bots trying out passwords in order to hack into accounts. You do not wish to reveal that the password was actually correct.
In these days where people re-use passwords blatantly, and servers gets hacked, those that gain access to lists of usernames and passwords then feed those lists to bots and have the bots try them out on different sites all over the net.
So even if the bot fails to log in due to the CAPTCHA, it can still tell its hacker "Hey, sites A, B and C seem to work with these username/password combos". The hacker can then manually log in and enter the right CAPTCHA.
No comments:
Post a Comment