reCAPTCHA v3

kemp596 · 28 Jan 2020 at 19:36

After a few credential stuffing attacks on our websites, we’re now looking at implementing reCAPTCHA v3.
I was wondering if anyone had any experience of implementing it ? Mainly has it reduced attacks, has it had any negative impacts on server performance and once the captcha allows connection through does it need to stay active to keep the connection open ?
Thanks

Deleted member 77746 · 28 Jan 2020 at 20:09

reCAPTCHA just means you need to click the right combination to pass the gate. Once you have authenticated then that's it. There is no server performance hit at all.

touch · 29 Jan 2020 at 10:32

All a reCAPTCHA does is stop automated attempts to fill in the form. It will validate for any human user. It doesn't care what credentials are entered, if a human entered them then it's a valid entry to the reCAPTCHA.
So it'll stop automated password guessing attacks but wont stop credential sniffing (assuming this is what you meant, I've never heard of "credential stuffing" but maybe it's just something I dont know about).

Pho · 29 Jan 2020 at 10:51

mrbell1984 said:
reCAPTCHA just means you need to click the right combination to pass the gate. Once you have authenticated then that's it. There is no server performance hit at all.

Recaptcha v3 doesn't require any human input (unless it really doesn't trust you I think) which is quite smart, it just passively does its thing

.