> It's often worthwhile moving the captcha away from the initial login or signup form and only putting it on the second or third attempt to login
Though if your service is a lucrative target for {uname,pass} combolist spam, you'll see that each attempt comes from its own IP address and only makes that one request. It's pretty sobering.
Though if your service is a lucrative target for {uname,pass} combolist spam, you'll see that each attempt comes from its own IP address and only makes that one request. It's pretty sobering.