I wonder is it a good idea using captcha when using token on
I wonder, is it a good idea to use a captcha when using a token on the login page? I think it's impossible for robots to mess with the login page because the token changes on every request.
Thanks.
Solution
Yes, it's necessary. A token can still be requested by a bruteforcer. Yes, it would cost the bruteforcer one extra request per try, but a captcha blocks attempts completely instead.
If you don't want to bother your users with a captcha, you could set it up so that when an incorrect password is used, the account in question will require a captcha. This both thwarts bruteforcers and alerts the original account holder that someone might be trying to access his account. To avoid a bot figuring out which accounts exist, store this flag also for non-existing accounts.
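The per-account captcha flag described in the answer, as an added example that is not part of the original post. It assumes an in-memory store with one constructed user, and that the captcha widget's verification result is passed in as a boolean by the calling web handler.

```python
import hashlib
import hmac

# Constructed demo credentials; a real deployment uses a per-user random salt.
SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash("correct horse", SALT)}

# "Require captcha" flags keyed by the *submitted* username. The flag is set
# for unknown names too, so an observer cannot tell existing accounts from
# non-existing ones by watching when the captcha appears.
captcha_required = {}


def login(username: str, password: str, captcha_ok=None) -> str:
    """Return 'ok', 'captcha_required' or 'bad_credentials'.

    captcha_ok is None when no captcha was submitted, otherwise the
    True/False result of verifying the submitted captcha answer.
    """
    if captcha_required.get(username) and not captcha_ok:
        # Account (or unknown name) is flagged: refuse without a solved captcha.
        return "captcha_required"

    stored = USERS.get(username)
    # Always hash the candidate so unknown users cost the same time as known ones.
    candidate = _hash(password, SALT)
    if stored is not None and hmac.compare_digest(stored, candidate):
        captcha_required.pop(username, None)  # successful login clears the flag
        return "ok"

    # Wrong password or unknown account: flag the name either way.
    captcha_required[username] = True
    return "bad_credentials"
```

The responses for a wrong password on "alice" and on a non-existent name follow the same sequence, which is what keeps the flag from leaking account existence.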
