[hombre_fatal]

Captcha still means you get to do the cred stuffing attack, just potentially more slowly which still doesn’t protect the user.

I think for sensitive data where you want to protect the user, it makes even more sense to just generate passwords for them. It’s even simpler than 2FA. Some online casinos do this.

[mullingitover]

If your attacker is stuck manually passing the captcha time after time, they're probably not going to bother.

The thing that worries me more is the possibility that newer AI tools are allowing attackers to beat reCAPTCHA with automation. If that's the case, a lot of folks are going to be caught with their pants down.

Edit: looks like it's more than a possibility[1].

[1] https://twitter.com/sw33tlie/status/1710409035030122731

[minitech]

The linked post isn’t reCAPTCHA, it’s just some random bad CAPTCHA that’s been easy to defeat with OCR for ages. The real fundamental flaw is that human time is cheap enough: see Amazon Mechanical Turk. Many bulk, human-powered CAPTCHA-solving services have existed for years.