<![CDATA[hCaptcha on Login Forms]]>Putting it out there the possibility of Google ReCaptcha or hCaptcha to prevent bots brute forcing login forms.

]]>https://forum.cloudron.io/topic/5136/hcaptcha-on-login-formsRSS for NodeFri, 17 Apr 2026 00:35:05 GMTThu, 27 May 2021 05:10:27 GMT60<![CDATA[Reply to hCaptcha on Login Forms on Fri, 28 May 2021 10:41:35 GMT]]>I think enabling 2fa on your Cloudron will prevent brute-forcing already and the validation REST call on the server is pretty light-weight, so I don't think adding a captcha will be of great benefit.

]]>https://forum.cloudron.io/post/32067https://forum.cloudron.io/post/32067Fri, 28 May 2021 10:41:35 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 22:49:12 GMT]]>Complete thread hijacking - but if you want to see if your users are password numpties, stick their email address into here: https://haveibeenpwned.com

Also interesting to see the sort of interests people have from the leaked websites they've sign up to!

]]>https://forum.cloudron.io/post/32042https://forum.cloudron.io/post/32042Thu, 27 May 2021 22:49:12 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 22:33:01 GMT]]>I hate captchas - although it is perhaps fair game to add one after a number of failed attempts.

As long as there's a minimum password length policy and 2FA enforceable, the rest doesn't keep me awake at night.

]]>https://forum.cloudron.io/post/32039https://forum.cloudron.io/post/32039Thu, 27 May 2021 22:33:01 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 22:32:20 GMT]]>@d19dotca All GREAT suggestions.

]]>https://forum.cloudron.io/post/32038https://forum.cloudron.io/post/32038Thu, 27 May 2021 22:32:20 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 22:31:48 GMT]]>@marcusquinn It covers it to a degree. Adding a hCaptcha to the login form kills 95% of bots from submitting the form, thus not sending a full authentication request.

]]>https://forum.cloudron.io/post/32037https://forum.cloudron.io/post/32037Thu, 27 May 2021 22:31:48 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 17:29:16 GMT]]>@dylightful I think it's a nice idea to add reCAPTCHA / hCaptcha as needed to the page. With that said, as @marcusquinn stated, fail2ban should more or less prevent any brute force attacks. Also the Cloudron has rate limits in place by default (https://docs.cloudron.io/security/#rate-limits) for Cloudron login page. Of course, that can be greatly improved as 10 requests per second per IP is far too high in my opinion, should be more like 10 requests per 5 or 10 minutes or something like that. But that was also requested already too to improve the rate limits to be more secure: https://forum.cloudron.io/post/28271 which @girish has already confirmed is going to be one of the focuses in 6.3.

]]>https://forum.cloudron.io/post/32011https://forum.cloudron.io/post/32011Thu, 27 May 2021 17:29:16 GMT<![CDATA[Reply to hCaptcha on Login Forms on Thu, 27 May 2021 10:08:01 GMT]]>@dylightful Fail2Ban should already cover this.

]]>https://forum.cloudron.io/post/32005https://forum.cloudron.io/post/32005Thu, 27 May 2021 10:08:01 GMT