PLZ change the type of CAPTCHA on the site..

Discussion in 'General Discussion' started by Odyssey2001, Aug 17, 2016.

Thread Status:
Not open for further replies.
  1. Krohon

    WTF is the captcha? It should be active only on accounts that have several login errors (like when someone is trying to guess the password). And then, we should be informed that our accounts were under attack.
     
  2. Dantuin

    I love the Steam security -- if trying to enter my account from a different IP it sends me a code via the registered email / then you enter it within a certain amount of time and good to go -- works perfect -- I also know if someone is trying to log into my account right away... I really like that ... captcha for those of us that have older eyes is sometimes difficult to say the least but I do agree it is better than nothing.
     
    Last edited: Aug 18, 2016
  3. smack

    Yeah, the captcha probably shouldn't be on by default. It should only get enabled after a threshold is passed on failed login attempts. Notifications to the account owner would be nice, or at least the option to be notified when there have been failed login attempts against their account.

    Also, Captcha and reCaptcha are not 2FA. These mechanisms are designed to throttle automated login attempts from bots / hackers, nothing more.
     
  4. Black Tortoise

    I agree on a different captcha being used, like the image matching one. The current captcha is old school and painful (and flawed - though better than nothing).

    The reality is, most people choose really unsafe passwords - even long ones. Modern hardware allows attackers to brute force guess passwords much easier than half a decade ago, so even "YourLongDictionaryPhrase123" is not exactly safe. In this day and age, the average person is still using things like "pa$$w0rd", "jesus316", "avatar", "sota", "ultima", "the-same-exact-password-I-use-on-every-site" etc, which makes the criminal industry very happy. I live in Brooklyn, NYC, and there are many burglaries in my neighborhood that are the result of some naive transplant thinking the odds were low that a thief would attempt to enter their unlocked window or door. Keep in mind people make a prolific profession out of this, so you need a strong key for your lock. Captcha is mostly needed cuz most people have super weak passwords, that's just the reality of it.

    Worse yet - there are still online vendors with a huge market share in their respective domain that don't encrypt your passwords, and store them in plaintext. You can't ever fully trust any online entity to keep your pw safe, so don't ever use the same passphrase twice.

    yah, basically this ^

    With modern security (and sota.com really does look like a Wordpress site - which would have modern authentication plugins) this is extremely unlikely. Essentially, your session's status of "logged in" is tied to your computer alone. There are exceptions to this of course, but there is no real increased security risk of having your cookie expire never/in a long time.

    In fact, if you browse the internet naively, especially if you use Windows, it's highly likely you have malicious software logging your password entries. Hopefully, in this case, you're buried in enough white noise to go unnoticed ;).

    Not trying to talk smack or anything, but I am not surprised at all that you've been on "secure" federal government forums that had little security, and haven't ever seen a CAPTCHA. The gub'ment is notorious for being miles behind the criminal sector. Thus the gub'ment is likely just now figuring out the backdoor has been open the whole time. Security contractors are notoriously poor performers when it comes to the US Govt, though they reap huge profits. I've worked in endpoint security and anything federal is usually a joke compared to the private sector. Basically, the US Govt is the entity least likely to keep technology information secure.
     
  5. 2112Starman

    Don't know where you came from but them the old days. The place I was at was so completely over secured that you couldn't even get basic tasks done. I spent 24 years in private industry (including 15 years at one of the largest corporations in the world) and 1 in federal and there is no comparison. I think you are grossly over generalizing.
     
  6. Black Tortoise

    Could be. I've never worked in a government capacity. I have a lot of contractor acquaintances, and plenty of white hat friends, and I've likely just absorbed their biases and stereotypes.

    Then again, I have programmer friends in the Army and National Guard that are always mocking how far behind the tech is and how easy it could be to exploit.
     
  7. Jatvardur

    We don't have 2FA yet. CAPTCHA is not really a second form of authentication but just an anti-automation protection mechanism.

    I realise smack has just pointed this out too.

    As noted by others it would be a nicer user experience if the CAPTCHA showed after, say, three failed login attempts.
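
The behaviour several posters ask for above (CAPTCHA only after a threshold of failed logins, plus a notification to the account owner), sketched as an added example that is not part of the thread or the site's code. The class name `LoginGate`, the 15-minute window and the `notify` callback are assumptions; the threshold of three follows the last post.

```python
import time
from collections import defaultdict, deque


class LoginGate:
    """Per-account failed-login tracking: CAPTCHA only after a threshold."""

    def __init__(self, threshold=3, window=900, notify=None):
        self.threshold = threshold            # failures before CAPTCHA is demanded
        self.window = window                  # seconds a failure stays counted (assumed)
        self.notify = notify or (lambda account, count: None)
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._alerted = set()                 # accounts already notified this burst

    def _prune(self, account, now):
        # Drop failures older than the window; re-arm the alert once below threshold.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            self._alerted.discard(account)
        return q

    def captcha_required(self, account, now=None):
        now = time.time() if now is None else now
        return len(self._prune(account, now)) >= self.threshold

    def attempt(self, account, password_ok, captcha_ok=False, now=None):
        now = time.time() if now is None else now
        q = self._prune(account, now)
        if len(q) >= self.threshold and not captcha_ok:
            return "captcha_required"         # password is not evaluated at all
        if password_ok:
            q.clear()                         # successful login resets the counter
            self._alerted.discard(account)
            return "ok"
        q.append(now)
        if len(q) >= self.threshold and account not in self._alerted:
            self._alerted.add(account)
            self.notify(account, len(q))      # tell the owner once per burst
        return "denied"


if __name__ == "__main__":
    # Constructed attempt sequence: (seconds, password_ok, captcha_ok)
    gate = LoginGate(notify=lambda a, n: print(f"alert {a}: {n} failed logins"))
    for t, pw, cap in [(0, False, False), (5, False, False), (9, False, False),
                       (12, True, False), (20, True, True)]:
        print(t, gate.attempt("alice", pw, cap, now=t))
```

Users who log in correctly never see the CAPTCHA, and the counter is keyed on the account rather than the source IP, so guesses spread across many addresses still trip it.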
     