Insecure Security – Authentication and CAPTCHAs

CAPTCHA is the authentication step at a website that asks you to write a bunch of letters and numbers that appear on the screen. It is designed to tell the web that you are a human and not an automated bot. A CAPTCHA makes great sense at a registration web page where the website is trying to figure out that you are human and not a bot trying to create new users perhaps for spamming purposes.

CAPTCHA’s make no sense after the website knows you are a human. For example after you login to a site with a user name, password, and if you are a site with sensitive data (i.e.,, financial or health data) also use a multiple-factor (something you have, something you know, something you are like a fingerprint), the site knows you are not a bot. If bots are able to login to a site, the site has got big security problems. So once you are authenticated, you should be a human.

Today I visit a state of Virginia website and login. I see that my password has not been changed in a few months (this is the topic for another blog) so I go to the change my password page. Why is there a CAPTCHA on the page? If I am bad guy I’m not going to change the password via a bot. The bad guy already has the password. Why change it to tip off the legitimate user? It makes no sense to have a CAPTCHA on a password change webpage or any webpage that appears AFTER the user is authenticated. This adds no security and just gets users upset (upset enough to write a blog!).

Use CAPTCHA’s in the right place on a website and understand what you are protecting.

Advertisements

About infoguardianangel
The consumer and corporate information guardian angel. Cybersecurity and privacy advice for my clients (and anyone else who cares about protecting their data or their companies).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: