
  2.

    The README at https://github.com/pwdless/cierge seems like a better introduction, including details on how to deploy with Docker; it runs on ASP.NET Core.

    No mention of whether this is used in production anywhere, unfortunately.

    1.

      Cierge utilises reCAPTCHA to ensure magic codes (which expire quickly) are not brute-forceable.

      Is there server-side, account-based throttling or locking? Relying exclusively on reCAPTCHA means that anyone bypassing it will be able to easily brute-force the small magic code.

      1.

        Bypassing reCAPTCHA doesn’t sound easy. Your first link mentions, at the end of the post, that it doesn’t work anymore. And the second link is based on humans solving reCAPTCHA with an average response time of 10s, which is way too long to brute-force. Am I missing something? Anyway, with or without reCAPTCHA, throttling is a must-have.

        1.

          My point with the first 2 links is to show that every once in a while someone finds some way to bypass reCAPTCHA. reCAPTCHA is not provably secure, it’s just security through a bunch of heuristics. The last link shows how, with a few bucks, you can solve many thousands of reCAPTCHAs. 10s might look slow, but you can do them concurrently, and if there’s no throttling the attacker has as many tries as he wants, so he’s bound to win sooner or later.
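The server-side throttling the thread above asks for, as an added example that is not Cierge's code (nor from its README). It assumes a 6-digit numeric code, a 5-minute code lifetime, a budget of 5 verification attempts per issued code and a 15-minute account lockout once that budget is spent; all four numbers are illustrative choices, not values taken from the project. The point it makes concrete is the one in the last comment: without an attempt limit the attacker's success probability grows linearly with the number of CAPTCHAs he can buy, whereas with the limit it is capped at `MAX_ATTEMPTS / 10**CODE_DIGITS` per issued code regardless of how reCAPTCHA is bypassed.

```python
"""Magic-code verification with server-side, per-account throttling.

Added example, not code from the Cierge project. All limits below are
assumptions chosen for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CODE_DIGITS = 6              # assumption: 6-digit code, i.e. a space of 10**6
CODE_TTL_SECONDS = 5 * 60    # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5             # assumption: 5 guesses per issued code
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lockout after that


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class MagicCodeStore:
    """In-memory stand-in for the server-side store; one pending code per account."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh random code for `email`, replacing any earlier one."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[email] = PendingCode(code=code, issued_at=now)
        return code  # delivered to the user out of band, never echoed to the client

    def verify(self, email: str, submitted: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a submitted code; every failure, right or wrong, costs one attempt."""
        now = time.time() if now is None else now
        # A locked account refuses all guesses, even correct ones, until the lock expires.
        if self.locked_until.get(email, 0.0) > now:
            return False, "locked"
        entry = self.pending.get(email)
        if entry is None:
            return False, "no_pending_code"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[email]
            return False, "expired"
        entry.attempts += 1
        # Constant-time compare so the check does not leak matching digits via timing.
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[email]          # single use
            return True, "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[email]          # burn the code and lock the account
            self.locked_until[email] = now + LOCKOUT_SECONDS
            return False, "locked"
        return False, "wrong_code"


def brute_force_success_probability(attempts: int, digits: int = CODE_DIGITS) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random `digits`-digit code."""
    space = 10 ** digits
    return min(attempts, space) / space


if __name__ == "__main__":
    # Without a limit, 100k solved CAPTCHAs give the attacker a 10% chance per code.
    print(f"unthrottled, 100000 guesses: {brute_force_success_probability(100_000):.3%}")
    # With the limit, the best he can do per issued code is MAX_ATTEMPTS guesses.
    print(f"throttled, {MAX_ATTEMPTS} guesses: {brute_force_success_probability(MAX_ATTEMPTS):.6%}")
```

The lockout is keyed on the account, not on the code, so requesting a new code for the victim does not reset it: after every failed budget the attacker waits out the lockout before he gets another five guesses, and each new code is freshly random, so the guesses do not accumulate against a single target. Issuance itself should be rate-limited as well (to stop a flood of e-mails to the victim), which this example leaves out.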