I was surprised that there is no captcha on the log in form or block. I'd like captcha protection here to stop automatic log in attacks - or am I being TOO paranoid?

Comments

dries’s picture

dries commented

If we were to implement this, I would probably not show the CAPTCHA in the login block itself because (i) that looks ugly and (ii) requires a CAPTCHA on almost every page view regardless of the fact that the visitor might log in (the majority of page views are not login actions). I would introduce an additional step and prompt the visitor to complete a CAPTCHA after he/she attempted to login using the login block. This solves problem (i) and (ii).

matt b’s picture

matt b
Primary language English
commented

That sounds reasonable to me! I've currently implemented the CAPTCHA module to provide some protection on the login form, but it does look ugly. Problem (II) - is this assuming that the login block is visible on most pages before a visitor logs in?

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

@MattB: Yes, by default Drupal has a login block visible on every page.

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Status: Active » Closed (duplicate)

If you really want to be able to do this it will be possible as a part of #245682: Enable use of Mollom for any form. As such, I'm marking this as a duplicate.