Adding a CAPTCHA to the sign in portletAdding a CAPTCHA to the sign in portlethttps://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785294&threadId=1233253662026-04-09T12:12:37Z2026-04-09T12:12:37ZRE: RE: Adding a CAPTCHA to the sign in portletZsigmond Rabhttps://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=1233450532025-04-10T07:44:11Z2025-04-10T07:44:10Z<p>Hi Sayfullah,</p>
<p>I see. I believe, it’ll be achiavable with the <a
href="https://liferay.atlassian.net/browse/LPD-6378">https://liferay.atlassian.net/browse/LPD-6378</a>
and with <a
href="https://liferay.atlassian.net/browse/LPD-6353">https://liferay.atlassian.net/browse/LPD-6353</a>
it’ll be even more customizable.</p>
<p>Regards,<br> Zsigmond</p>Zsigmond Rab2025-04-10T07:44:10ZRE: RE: Adding a CAPTCHA to the sign in portletSayfullah Jumoortyhttps://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=1233421182025-04-09T17:41:42Z2025-04-08T13:34:44Z<p>Hi Zsigmond,</p>
<p>I wanted to clarify the issue we're facing regarding account
security. The primary concern isn't just about enforcing strong
password policies. The real challenge is that if an attacker has a
list of usernames, they can launch a denial of service (DoS) attack.
This happens because our hard lockout mechanism, which is essential to
prevent brute force attacks, locks users out after a certain number of
failed login attempts.</p>
<p>Even with strong passwords, this lockout mechanism is necessary to
protect our server from brute force attacks. However, it also means
that legitimate users can be locked out if an attacker repeatedly
attempts to log in with their usernames.</p>
<p>To mitigate this, implementing a CAPTCHA adds an additional layer of
security. It requires anyone attempting to log in to solve a CAPTCHA,
which significantly increases the computational power needed for an
attacker to carry out a brute force attack. This makes it much harder
for them to succeed.</p>
<p>Could we consider adding this as a future feature? Similar to how we
have a toggle for the register and password reset pages, we could add
a toggle for the login page to enable CAPTCHA or not.</p>
<p>I hope this clarifies the situation.</p>
<p>Best regards,<br>
<font>Sayfullah</font>
</p>Sayfullah Jumoorty2025-04-08T13:34:44ZRE: RE: Adding a CAPTCHA to the sign in portletZsigmond Rabhttps://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=1233255972025-03-28T15:59:17Z2025-03-28T15:59:17Z<p>Hi Sayfullah,</p>
<p>Curently our recommendation is using password policies to prevent
brute force attacks and there is no plan to change this. This is a
much more common method than CAPTCHA. It's <a
href="https://geekflare.com/captcha-solving-services-api/"
title="https://geekflare.com/captcha-solving-services-api/">insanely
easy</a> to break CAPTCHA.</p>
<p>Regards,<br> Zsigmond</p>Zsigmond Rab2025-03-28T15:59:17ZRE: Adding a CAPTCHA to the sign in portletJamie Sammonshttps://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=1233260972025-03-28T15:55:41Z2025-03-28T15:55:41Z<p>Feature Request Created: https://liferay.atlassian.net/browse/LPD-52321</p>Jamie Sammons2025-03-28T15:55:41ZAdding a CAPTCHA to the sign in portletSayfullah Jumoortyhttps://liferay.dev/en/c/message_boards/find_message?p_l_id=119785294&messageId=1233253652025-03-28T15:43:08Z2025-03-28T08:37:24Z<p>Good Day,</p>
<p>I know that CAPTCHA's can be enabled on user registration and
password forgot pages, but how would I go about adding it to the login page?<br>
<br> Reason being is due to the hard lockout mechanism. If a third
party has a list of valid user usernames, then they can easily use
bots to brute force the login page and hard lockout users, essentially
a denial-of-service attack.</p>Sayfullah Jumoorty2025-03-28T08:37:24Z