Show After 3 Failed Attempts
November 20th, 2012, 03:07 AM
Contributing User
Show After 3 Failed Attempts
Hi, I have noticed that Twitter and Facebook both have a good system in place on some of their forms.
For example, if a user fails to enter their correct details into the Sign In Form 3-4 times, a reCaptcha shows.
I also noticed that the reCaptcha shows on the Sign Up Form after it detects suspicious activity...
Can anyone think how they might have implemented this system, as I really don't want to display a reCaptcha form by default... I would rather only display it if there was suspicious activity.
(Please do not respond saying that captchas are a waste of time etc... I am simply only interested in finding out how Twitter and Facebook are implementing captchas when they detect something suspicious :-)
Thanks in advance for your help...

November 20th, 2012, 07:22 AM
pollyanna
Hi,
a counter for failed login attempts is obviously easy to implement. But "suspicious activity" is a bit vague. You'll have to decide yourself what exactly you want to check. I don't think anybody here has access to the Twitter or Facebook source code.

November 20th, 2012, 08:38 AM
Contributing User
Hi yes, this would be easy, but what about the sign-up form... I was thinking of doing the following:
When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less)… if it has, fail the validation and display a captcha

November 20th, 2012, 06:01 PM
Contributing User
Quote (originally posted by oo7ml):
> Hi yes, this would be easy, but what about the sign-up form... I was thinking of doing the following:
> When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less)… if it has, fail the validation and display a captcha
One thought, before you try to account for all sorts of "suspicious activity" you might just implement something simple like a captcha after the user has failed to authenticate after 3 attempts. Start simple. Log the failed attempt data. If you start to see suspicious activity, THEN attempt to stop it specifically. I think you may find yourself wasting time prematurely trying to optimize the security of your form.

November 20th, 2012, 08:32 PM
Lost in code
Quote:
> prematurely trying to optimize the security

I don't think the concept of premature optimization applies to security.
Most of these sites, I think, simply always show a captcha on the registration form.

November 20th, 2012, 09:09 PM
Contributing User
Quote (originally posted by E-Oreo):
> I don't think the concept of premature optimization applies to security.
> Most of these sites, I think, simply always show a captcha on the registration form.

"if an account has been created from the same IP address within the last minute (or less)"
Maybe those were a poor choice of words. I guess when I read this I thought to myself, "why get so complicated?" And "This could potentially block legitimate users who are behind a single router, say schools or companies". So I thought perhaps s/he is attempting to get too complicated before actually having any problems. Anyway ...

November 21st, 2012, 04:46 AM
Contributing User
Basically I want to be able to try to cut down on bots signing up... however I don't want to have to have a captcha visible on the form by default... so I would like some way to detect the suspicious activity... then show the captcha
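
The two checks discussed in this thread, as an added PHP example that is not from any poster and not how Twitter or Facebook do it: a failed-login counter that asks for a captcha after 3 failures, and a same-IP signup check that asks for a captcha rather than rejecting the request. The counters live server-side, keyed by account and IP, because a counter kept in the session disappears when a bot discards its cookie. The `events` table, the function names, the 15-minute login window and the in-memory SQLite store (needs `pdo_sqlite`) are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical schema: one row per failed login or completed signup.
const LOGIN_FAIL_LIMIT = 3;      // captcha from the 4th try, as in the thread
const LOGIN_WINDOW     = 900;    // assumed: count failures from the last 15 min
const SIGNUP_WINDOW    = 60;     // "within the last minute", per the thread

function makeStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE events (kind TEXT, subject TEXT, ip TEXT, ts INTEGER)');
    return $db;
}

function record(PDO $db, string $kind, string $subject, string $ip, int $now): void {
    $db->prepare('INSERT INTO events VALUES (?, ?, ?, ?)')
       ->execute([$kind, strtolower($subject), $ip, $now]);
}

function countSince(PDO $db, string $kind, string $col, string $val, int $since): int {
    // $col is only ever a literal from this file, never user input.
    $st = $db->prepare("SELECT COUNT(*) FROM events WHERE kind = ? AND $col = ? AND ts >= ?");
    $st->execute([$kind, $val, $since]);
    return (int) $st->fetchColumn();
}

// Login: require a captcha once the account OR the IP has 3 recent failures.
function loginNeedsCaptcha(PDO $db, string $user, string $ip, int $now): bool {
    $since = $now - LOGIN_WINDOW;
    return countSince($db, 'login_fail', 'subject', strtolower($user), $since) >= LOGIN_FAIL_LIMIT
        || countSince($db, 'login_fail', 'ip', $ip, $since) >= LOGIN_FAIL_LIMIT;
}

// Signup: a same-IP account within the window asks for a captcha instead of blocking.
function signupNeedsCaptcha(PDO $db, string $ip, int $now): bool {
    return countSince($db, 'signup', 'ip', $ip, $now - SIGNUP_WINDOW) >= 1;
}

// Constructed sample run (203.0.113.7 and 198.51.100.9 are documentation addresses).
$db = makeStore();
$t  = 1353380820;
for ($i = 0; $i < 3; $i++) {
    record($db, 'login_fail', 'alice', '203.0.113.7', $t + $i);
}
var_dump(loginNeedsCaptcha($db, 'alice', '203.0.113.7', $t + 10));   // 3 failures on record
var_dump(loginNeedsCaptcha($db, 'bob', '198.51.100.9', $t + 10));    // no failures on record
record($db, 'signup', 'carol', '203.0.113.7', $t + 20);
var_dump(signupNeedsCaptcha($db, '203.0.113.7', $t + 50));           // 30 s after the signup
var_dump(signupNeedsCaptcha($db, '203.0.113.7', $t + 120));          // 100 s after the signup
```

When either function returns true, the form handler should verify the captcha response on the server before it evaluates the password or creates the account.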