It would be great if Joomla 4.0 had an option to activate ReCaptcha on the Administrator login screen! This would make the login more secure and prevent bots from accessing (or make it harder for them to access) the admin page!
Feature Request:
+2
@Simon-Davies no it won't as captcha can be defeated
I was thinking that may be the case although I thought the new Recaptcha couldn't?
yet
@Simon-Davies no you are semi right. Recaptcha has massively reduced attacks. It's a benefit to include it regardless.
The best way to protect your admin is with htaccess. As this doesn't use php but is at the server level it is far more efficient on server resources etc
Of course it is @brianteeman there is no question on that.
This is a further improvement against random bots that's all.
instead of recaptcha you prefer to use 2FA on admin login
I'm planning to implement Google's recent invisible recaptcha on the login button, you will still be able to turn it off or set failed login count for it to start checking. What do you think? I believe it's a good alternative to 2FA. (NOT A REPLACEMENT)
I personally think implementing Google's invisible recaptcha is a great idea especially if it can be toggled on and off for those who do not want to use it.
Yeah, the new invisible recaptcha would be great for that :)
Category | ⇒ | Feature Request |
Category | Feature Request | ⇒ | Authentication External Library Feature Request |
Status | New | ⇒ | Discussion |
Priority | Medium | ⇒ | Very low |
Hello, I am going to implement this feature on the Administrator login screen. Found out that Google Invisible reCAPTCHA with internal on/off functionality would be a great solution. Does anyone have any better ideas?
Please add this feature so that after 3 or 5 or 10 failed attempts ReCaptcha is shown!
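The "failed login count" gate proposed in the comments above, as an added example (not Joomla core code and not written by any commenter). The class name, option names, the 900-second window and the in-memory store are assumptions; a real plugin would keep the counters in persistent server-side storage.

```php
<?php
// Added illustration, not Joomla core code; class and option names are hypothetical.
final class LoginCaptchaGate
{
    /** @var array<string, int[]> failure timestamps keyed by "username|ip" */
    private array $failures = [];
    public function __construct(
        private bool $enabled = true,       // the on/off toggle asked for in the thread
        private int $threshold = 3,         // failed logins before the captcha is shown
        private int $windowSeconds = 900    // how long a failure counts (assumed value)
    ) {}

    private function key(string $username, string $ip): string
    {
        return strtolower(trim($username)) . '|' . $ip;
    }

    /** Failure timestamps for this key that are still inside the window. */
    private function recent(string $key, int $now): array
    {
        $cutoff = $now - $this->windowSeconds;
        return array_values(array_filter(
            $this->failures[$key] ?? [],
            static fn (int $t): bool => $t > $cutoff
        ));
    }

    public function recordFailure(string $username, string $ip, int $now): void
    {
        $key = $this->key($username, $ip);
        $this->failures[$key] = [...$this->recent($key, $now), $now];
    }

    public function recordSuccess(string $username, string $ip): void
    {
        unset($this->failures[$this->key($username, $ip)]);
    }

    public function captchaRequired(string $username, string $ip, int $now): bool
    {
        return $this->enabled
            && count($this->recent($this->key($username, $ip), $now)) >= $this->threshold;
    }
}
// Constructed sample run (documentation IP address): three failures inside the window.
$gate = new LoginCaptchaGate(threshold: 3);
foreach ([1000, 1010, 1020] as $t) { $gate->recordFailure('admin', '203.0.113.7', $t); }
var_dump($gate->captchaRequired('admin', '203.0.113.7', 1030));  // checked right after the third failure
var_dump($gate->captchaRequired('admin', '203.0.113.7', 1921));  // checked after the window has passed
```

The counter has to live on the server: one stored in the visitor's session or a cookie resets whenever a bot discards it. Keying on username plus IP is also an assumption, and a per-username counter would be needed to catch guessing spread across many addresses.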
+1
I still would prefer captcha instead of 2fa. And I think a huge amount of websites don't use 2fa. If you don't believe me check your telemetry.
Of course you can say: "These people are all idiots and it's their fault." But this won't help anyone. Or you do something! You won't change people's behaviour by repeating the same thing. Mine neither.
I want this feature even if it's an optional one.
If you plan to enable this by default you could add an additional Captcha-Plugin that works without google. (This would be a nice thing anyway) Or you can continue contributing an insecure software and blame the user for it.
Labels | Added: J4 Issue |
Invisible ReCAPTCHA should definitely be an option in Joomla 4. There is a free plugin that activates it for WordPress.
I use 2FA but still believe that Invisible ReCAPTCHA should be used by default to prevent bruteforce attacks with tools such as Burp Suite Pro as many people don't enable 2FA.
I'm speaking as a Web Application Penetration Tester for one of the big three and a Security Researcher.
@RichardEb please stop with these posts - they are not helpful
I use 2FA where it needs to be secure.
On 4 Jun 2018, 12:37 +0100, Brian Teeman notifications@github.com, wrote:
@RichardEb please stop with these posts - they are not helpful
I said that I dislike 2fa and don't find it an improvement and I don't want to use it. But for you 2fa seems to solve every problem of the world.
Both 2FA and Invisible reCAPTCHA should be implemented. They could both be optional. Let the user decide.
If you want to stay away from 3rd party services - I did the same thing (invisible captcha) years ago - it's in the JED as HashCash
I think it would be super cool if it was included in the core.
Before I get accused of advertising - that's one of my free extensions, and I'm offering it to the project.
I am sure, Joomla would not provide users with captcha in contact and registration forms, if there was no sense to do that. The only problem is, that Joomla still is leaving out its login form.
So, please, add captcha to the login form, too!
Thank you very much in advance!
I still think this is a must have. I really don't know why avoid this feature at all costs. An optional feature wouldn't harm anyone. On the other hand you already added a lot of functions to joomla that I wish you hadn't.
There are a lot of plug-ins to achieve a better login protection and they have a lot of users. So why not add an (optional) feature to Joomla?
On the other hand you already added a lot of functions to joomla that I wish you hadn't.
Exactly, that’s the point. You have to decide per case if a feature is useful enough for the majority of users to be added to core - what’s a must have for you is pointless to a lot of other people.
There are a lot of plug ins to add protection to the login. If you say no one wants them why there are a lot of them?
Search for Brute Force protection
https://extensions.joomla.org/instant-search/?searchall=Bruteforce&filter%5Btags%5D%5B%5D=&filter%5Bcore_catid%5D=&filter%5Bincludes%5D=&filter%5Bversions%5D=&filter%5Btype%5D=&filter%5Bhasdemo%5D=&order=&filter%5Bnewupdated%5D=&filter%5Bscore%5D=&filter%5Bfavourites%5D=&q=Bruteforce
The Brute Force Stop plug in has 40 five star ratings. The ECC+ Plug-in has 168 five star ratings. Rsfirewall 110.
Obviously there are people who want to secure their login. Or are these all idiots who can't use Joomla properly?
@RichardEb can you please stay on issue and respect other Volunteers comments?
If you say no one wants them
I didn’t say that "no one" wants them. I tried to point out that the existence of plugins and/or a commenter's individual use case does not necessarily mean that a majority of users need a feature.
I followed your discussion for a long time and decided to make a small simple plugin to add a captcha to all login forms. Please feel free to use it. It's free and open source (GPLv3)
https://github.com/BkrBkr/JoomlaAuthCaptcha
It's an alpha version at the moment
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-02-17 15:26:20 |
Closed_By | ⇒ | brianteeman |
I am closing this. It has sat here for a year and it's not going to move forward.
+1 for this