CIPT Exam - Question 96


A privacy engineer has been asked to review an online account login page. He finds there is no limitation on the number of invalid login attempts a user can make when logging into their online account.

What would be the best recommendation to minimize the potential privacy risk from this weakness?

Correct Answer: A

To minimize the potential privacy risk associated with an unlimited number of invalid login attempts, implementing a CAPTCHA system is the best recommendation. This will help prevent automated attacks such as brute force or password guessing attacks by requiring users to validate that they are human. This measure effectively limits the number of invalid login attempts because solving a CAPTCHA is computationally expensive and time-consuming, making it much more difficult for automated scripts to continuously attempt to log in. This should be part of a layered security approach including other measures such as account lockout mechanisms, strong password requirements, and encrypting user data, but for this specific issue, a CAPTCHA system directly addresses the problem.

Discussion

6 comments
k4d4v4r
Nov 17, 2021

A is correct

187san
Dec 23, 2021

A is the answer

chariot
May 24, 2022

B is the answer. A CAPTCHA system helps prove you are not a robot but doesn't help with authentication.

z80r
Option: A
Jan 21, 2023

A is the right answer

Stants
Feb 29, 2024

The best recommendation to minimize the potential privacy risk from this weakness would be A. Implement a CAPTCHA system. A CAPTCHA system can help prevent automated attacks, such as brute force or password spraying attacks, by requiring users to prove they are human before they can proceed. This would effectively limit the number of invalid login attempts because an attacker would need to solve a CAPTCHA challenge for each attempt, which is computationally expensive and time-consuming. This makes automated attacks much less feasible. Please note that this should be used in conjunction with other security measures like account lockouts after a certain number of failed attempts, strong password policies, and encryption to provide a comprehensive security solution.

Ssourav
Option: A
Aug 10, 2024

A. Implement a CAPTCHA system. A CAPTCHA system helps to prevent automated attacks and limit the number of invalid login attempts, reducing the risk of unauthorized access and protecting user privacy.

837vq3
Oct 23, 2021

Why not "A"?