RE: RE: Adding a CAPTCHA to the sign in portlet
Good Day,
I know that CAPTCHAs can be enabled on user registration and password forgot pages, but how would I go about adding it to the login page?
The reason is the hard lockout mechanism. If a third party has a list of valid user usernames, then they can easily use bots to brute force the login page and hard lockout users, essentially a denial-of-service attack.
Feature Request Created: https://liferay.atlassian.net/browse/LPD-52321
Hi Sayfullah,
Currently our recommendation is using password policies to prevent brute force attacks and there is no plan to change this. This is a much more common method than CAPTCHA. It's insanely easy to break CAPTCHA.
Regards,
Zsigmond
Hi Zsigmond,
I wanted to clarify the issue we're facing regarding account security. The primary concern isn't just about enforcing strong password policies. The real challenge is that if an attacker has a list of usernames, they can launch a denial of service (DoS) attack. This happens because our hard lockout mechanism, which is essential to prevent brute force attacks, locks users out after a certain number of failed login attempts.
Even with strong passwords, this lockout mechanism is necessary to protect our server from brute force attacks. However, it also means that legitimate users can be locked out if an attacker repeatedly attempts to log in with their usernames.
To mitigate this, implementing a CAPTCHA adds an additional layer of security. It requires anyone attempting to log in to solve a CAPTCHA, which significantly increases the computational power needed for an attacker to carry out a brute force attack. This makes it much harder for them to succeed.
Could we consider adding this as a future feature? Similar to how we have a toggle for the register and password reset pages, we could add a toggle for the login page to enable CAPTCHA or not.
I hope this clarifies the situation.
Best regards,
Sayfullah
Hi Sayfullah,
I see. I believe it'll be achievable with https://liferay.atlassian.net/browse/LPD-6378, and with https://liferay.atlassian.net/browse/LPD-6353 it'll be even more customizable.
Regards,
Zsigmond