Add captcha after failed login

lubbers · October 4, 2022, 7:41am

1. What is the issue? Please be detailed.
Impact:
By using Bruteforcing, one can guess the password of any user or admin and take over the account.

Fix:
Use CAPTCHA verification if many requests are sent.

2. What steps can we take to reproduce this issue?

3. What have you tried to fix the issue?

Restricting IP addresses, but that is not really a solution, as there are many in different countries that need to use the site.

4. Upload any test forms or screenshots below.

Please, introduce CAPTCHA in ODK Central to fix the problem. Now not only the security guys of WUR but also other guys urge us to resolve this security flaw.

LN · October 21, 2022, 8:43pm

Thanks for considering security!

We don't believe that this is a viable attack. I went into more detail in this post. Authentication takes some notable amount of time because we use bcrypt.

Even if you have an unencrypted database that an attacker gets access to, it would take them significant time and resources to get access to plain text passwords. Through the API, it would take much longer.

CAPTCHAs can help prevent basic bots but they're easy to bypass and are a bad user experience. They also wouldn't help with direct API requests.