03. Problems - Brute Force Attacks

Simple Problems with Passwords

Brute Force Attacks

ND004 C03 L03 A08.0 Serialization V2

An Alternative to Rate-Limiting: CAPTCHAs

Sometimes, rate-limiting or rejecting multiple requests is not the solution. One unintended consequence, for example, would be locking a legitimate user's account because it is under attack. An alternative is something known as a CAPTCHA, or "Completely Automated Public Turing test to tell Computers and Humans Apart". A CAPTCHA is designed to be easy for a human but difficult for a machine. In this instance, a connection is flat out rejected if a "bot" or script is attempting to gain access through multiple attempts.

Until recently this was most commonly performed by asking a user to type some form of difficult-to-read text into an input. But this problem is adversarial, and with advances in computer vision these were defeated by scripts. One modern implementation of this system that can be added to your site is Google reCAPTCHA. This API produces a score from 0 to 1 of how likely the visitor is a bot, based on interactions with your site.
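As an added illustration (not code from the course or from Google's library), here is the server side of a reCAPTCHA v3 check in Python: the token the browser obtained is posted to Google's siteverify endpoint, and the JSON verdict is turned into an allow / challenge / reject decision before the login attempt is processed. The threshold, the expected action name and the sample responses are constructed for this example.

```python
# Added example: server-side handling of a Google reCAPTCHA v3 verification.
# Field names (success, score, action, hostname, error-codes) are the ones in
# Google's documented siteverify response; thresholds and samples are constructed.
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_verification(secret: str, token: str, remote_ip: str = "") -> dict:
    """POST the client token to Google's siteverify endpoint (needs network).

    The secret key must stay on the server; only the site key goes to the browser.
    """
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def assess(verification: dict, expected_action: str, expected_host: str,
           allow_at: float = 0.5, challenge_at: float = 0.3) -> str:
    """Map a siteverify result to 'allow', 'challenge' or 'reject'.

    In reCAPTCHA v3 a score near 1.0 means a very likely human interaction and a
    score near 0.0 a very likely bot. Besides the score, the action and hostname
    are checked so a token minted for another form or site cannot be replayed here.
    """
    if not verification.get("success"):          # bad, expired or reused token
        return "reject"
    if verification.get("action") != expected_action:
        return "reject"
    if verification.get("hostname") != expected_host:
        return "reject"
    score = float(verification.get("score", 0.0))
    if score >= allow_at:
        return "allow"
    if score >= challenge_at:   # constructed grey zone: ask for a second factor
        return "challenge"
    return "reject"


# Constructed sample responses, not real API output.
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "login",
                "challenge_ts": "2021-01-01T00:00:00Z", "hostname": "example.com"}
SAMPLE_BOT = {"success": True, "score": 0.1, "action": "login", "hostname": "example.com"}
SAMPLE_BAD_TOKEN = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, sample in [("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT), ("bad", SAMPLE_BAD_TOKEN)]:
        print(name, "->", assess(sample, "login", "example.com"))
```

A low score here is a reason to add friction to one request, not to lock the account, which is the failure mode of naive rate-limiting the text describes.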