Your questions, answered by Cybernews: Why do we still need CAPTCHAs?

Published: 28 September 2025
Last updated: 28 September 2025
Questions answered by Cybernews
Image by Cybernews

Clicking Google CAPTCHA images can sometimes feel pointless. But are there other ways to secure your accounts from brute force attacks? Each week, our team selects one pressing and common reader issue and deconstructs it to help you stay safe online.

“Select all images with stairs,” asks Google’s CAPTCHA every time you try to log in to your account. And then you go through nine blurry images, wondering if that pixelated gray corner counts as a step or if it is just bad compression.

This is all just to prove that you are a human and not a bot trying to brute-force the website with endless password guesses.

ADVERTISEMENT

But what if there were a simpler fix? One Cybernews reader asked: “Wouldn’t it be easier if websites just let you fail five times and then locked you out for 24 hours? Wouldn’t that kill brute-force attacks instantly? If it is a yes, why isn’t it the default?”

This week, the Cybernews editorial team decided to investigate why we still need CAPTCHAs and why locking out failed password attempts might not always help to stop large-scale attacks.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

Why locking out attackers for 24 hours may not work

The bottom line is that most platforms already employ similar protection measures.

“However, they usually make the number of possible attempts higher, to ensure a smaller number of accidental lockouts, lowering the burden on customer support and improving the customer experience,” said the Cybernews research team.

Frequent lockouts mean more password resets and support calls. That’s expensive and harms user trust. There might be legitimate situations, like user travels, new or shared devices, or password managers failing to synchronise, that might look like an attack on the system.

Also, even with five tries per 24 hours, it’s still possible to brute force login attempts.

ADVERTISEMENT

“Instead of trying to guess 100 passwords for one account in a row, they can guess one password for one account, and move on to the next account, returning to the first account after a few hours,”

our researchers explained.

While it makes targeted brute force attacks against a single account less feasible, it makes little difference in larger-scale brute-forcing campaigns.

Also, attackers often use botnets or many IP addresses. Because lockouts are per account and often only triggered after several rapid failures, this distributed pattern evades detection and slows defenders, who rely only on per-account counts.

This tactic does not save user accounts from the brute-forcing technique known as “password spraying.” Instead of trying 1,000 guesses on one account, hackers could take a few of the most common passwords, such as “123456” or “password,” and apply them to as many different accounts as they can.

If just 0.1% of users pick “123456,” that's still 100 successful compromises.

This shows that you still need to have a password that is as strong as possible. It needs to be at least 16 characters long, including numbers, special characters, and uppercase and lowercase letters. You can use password generators to create strong passwords.

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT