My site uses a 6-digit captcha; however, if an attacker tries all the combinations, then most likely he will successfully submit the form a fraction of the time (1 million in theory, much more in practice, since the random number generator that I use is not truly random).
In any case, can I stop him from succeeding even more? One way is to prevent someone from submitting the form for 5 minutes after a certain number of attempts (for example, 20). The problem is that if I store the number of attempts in a session and the attacker creates a new session for each attempt (naturally, since he uses a program, not a browser), then this will not work. And I don't want to modify the existing db schema to accommodate this logic.
Another way is to increase the number of captcha characters used, which causes user inconvenience.
All tips are welcome.
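The lockout the question sketches can be keyed on something the client does not control instead of the session, which is what defeats the "new session per attempt" trick. Below is an added example (not code from the poster's site) of such a limiter in Python: it keeps failed-attempt timestamps per client key in memory, locks the key out once 20 failures land inside a 5-minute window, and needs no change to the database schema. The client IP as the key, the in-memory store, the `submit_form` handler and the `203.0.113.7` / `999999` sample values are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Added example, not from the original post. Per-client lockout that does not
# depend on the session, so opening a fresh session per attempt gains nothing.
# The key (client IP here) and the in-memory store are assumptions; with several
# app servers a shared store such as Redis would hold the same data.

MAX_ATTEMPTS = 20        # failed attempts allowed inside the window
WINDOW_SECONDS = 300     # 5-minute window, as proposed in the question
LOCKOUT_SECONDS = 300    # how long a client stays blocked after exceeding it


class CaptchaAttemptLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock                     # injectable for deterministic tests
        self._attempts = defaultdict(deque)    # key -> timestamps of failed attempts
        self._blocked_until = {}               # key -> time the lockout expires

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key):
        now = self.clock()
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._blocked_until[key]       # lockout expired
        return False

    def record_failure(self, key):
        """Record a wrong captcha answer; return True if the key is now locked out."""
        now = self.clock()
        self._prune(key, now)
        self._attempts[key].append(now)
        if len(self._attempts[key]) >= self.max_attempts:
            self._blocked_until[key] = now + self.lockout
            self._attempts[key].clear()
            return True
        return False

    def record_success(self, key):
        # A correct answer resets the counter for that client.
        self._attempts.pop(key, None)


def submit_form(limiter, client_ip, submitted_code, expected_code):
    """Hypothetical form handler: check the lockout before the captcha answer."""
    if limiter.is_blocked(client_ip):
        return "blocked"
    if submitted_code != expected_code:
        locked = limiter.record_failure(client_ip)
        return "blocked" if locked else "wrong_captcha"
    limiter.record_success(client_ip)
    return "accepted"


def simulate_guessing(attempts=25):
    """Constructed scenario: one client submits sequential codes, one per second,
    as if each came from a brand-new session. Returns the handler's verdicts."""
    fake_now = [0.0]
    limiter = CaptchaAttemptLimiter(clock=lambda: fake_now[0])
    results = []
    for i in range(attempts):
        fake_now[0] += 1.0
        results.append(submit_form(limiter, "203.0.113.7", f"{i:06d}", "999999"))
    return results


if __name__ == "__main__":
    print(simulate_guessing(25))
```

The check runs before the captcha is compared, so a locked-out client learns nothing about whether its guess was right. Keying on the client address has a known cost: users behind one NAT share a bucket, so the threshold and lockout should be tuned for that, and a distributed sender spreading requests across many addresses still has to be met with other measures (for example a properly seeded random generator for the captcha value itself).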