Comment by graemep

1 day ago

Yes, but it's not just startups and people do not seem to actually resolve it.

Lots of big businesses use reCAPTCHA. Quite often unnecessarily. If I need to log in with 2FA to use a service, does it really need reCAPTCHA?

Similarly, Cloudflare sends you emails telling you how many bots and attacks it has stopped - but you do not know how many false positives there were.

Yes, you still need reCAPTCHA simply to avoid password stuffing attacks.

  • Certainly not in the mentioned 2FA scenario.

    I would guess that simple rate limiting would do the trick for the rest.

    • Rate limiting does not solve this problem because botnets often don't make repeated requests from the same IP address. 2FA does solve it.