Denied If recaptcha is needed for registered users, can you please only use it once

I've just had a very frustrating experience with trying to log in. Not sure what happened with my password, but then had to reset my password. I can understand your need for security, but why should it be necessary to have repetitive captcha prompts when one has been verified already? Like while I was trying to log in I had to redo that captcha at every consecutive login attempt. it's really very frustrating and i'm not sure what the mileage is for having the same user re-verified consecutive times.

26-02-2018, 11:50 AM

deanhills Wrote: I've just had a very frustrating experience with trying to log in. Not sure what happened with my password, but then had to reset my password. I can understand your need for security, but why should it be necessary to have repetitive captcha prompts when one has been verified already? Like while I was trying to log in I had to redo that captcha at every consecutive login attempt. it's really very frustrating and i'm not sure what the mileage is for having the same user re-verified consecutive times.

See it like this:

How should we make it unique that you already solved a captcha? By IP?
In that case you could just go ahead, solve a captcha and run a bot trying to brute-force into user accounts

Understood. However the way you are forcing all members regardless of how many posts they have made to use the captcha repeatedly discourages them from logging in.

If I may ask, do you have to pass the captcha test when you log in - or is it only for members in my category?

My example for a good captcha practice would be Namecheap. Namecheap has a way where they can recognize a person who is logging in with the wrong password and only applies the requirement for captcha when (a) the member is using a wrong password or (b) the password is older than six months. That makes good sense for me. Applying the captcha regardless is equating all members, regardless of their good standing with nulledbb in the same class of distrust. I can't see how that would be good for the forum.

There's still the "keep me logged in" function. I'm not a big fan of the "show captcha after failed login" because, in most cases, this is bound to the php session and thus can be bypassed by just ignoring the php session id.

Also we're using nocaptcha recaptcha, thus, in most of the cases, you'll just have to click it.

Making people complete a captcha when signing in to keep everyones accounts secure is a fair trade off.
It'll stay as it is. Keep yourself signed in, use a password manager or write it on a piece of paper at home. Not that difficult.