Why is the Captcha only for Public mode?
Our users need more comfort.
So I don't want to use Fail2Ban or 2FA.
At first a Captcha would be fine to fight against brute force attacks.
(Please let us not discuss what is more secure).
Basic question: Why is the Captcha only for Public mode?
Captcha is used in two places:
If someone is signing up for a new account, in Public mode, Captcha is recommended to try to stop 'bots firing up malicious accounts. You don't need it in private mode - your admins have to add people, and we generally have to assume that your admins know who they're adding and have already decided that they are humans.
If someone gets their password wrong too many times, they will be asked for a Captcha after a handful of wrongs. The mode does not matter.
Unfortunately, when you enable captcha for incorrect password attempts via the "Maximum Authentication Attempts Allowed" setting, it opens Jira up to user enumeration, as the captcha ONLY displays when invalid passwords occur for VALID users.
If you try to log in with an invalid user, the captcha never shows up.
Atlassian doesn't appear to care about this little bug.
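To make the side channel described in the comment above concrete, here is an added example (not Jira's code, and not from any participant in this thread) that models a login service with a failed-attempt counter and a CAPTCHA threshold. The `uniform` flag is a constructed switch: when off, only valid accounts accumulate failures (the leaky behaviour described above); when on, any submitted username does, so the CAPTCHA prompt no longer reveals whether an account exists. `MAX_ATTEMPTS`, the account table and the usernames are all constructed for the demo.

```python
from collections import defaultdict

# Stands in for the "Maximum Authentication Attempts Allowed" threshold.
MAX_ATTEMPTS = 3

# Constructed account store; plaintext passwords are for the demo only.
ACCOUNTS = {"alice": "correct-horse", "bob": "battery-staple"}


class LoginService:
    """Minimal login flow with a per-username failure counter."""

    def __init__(self, uniform: bool):
        # uniform=False reproduces the leaky policy: failures are only
        # counted for usernames that really exist.
        self.uniform = uniform
        self.failures = defaultdict(int)

    def captcha_required(self, username: str) -> bool:
        return self.failures[username] >= MAX_ATTEMPTS

    def login(self, username: str, password: str) -> str:
        """Return 'captcha', 'ok' or 'invalid' for one login attempt."""
        if self.captcha_required(username):
            return "captcha"
        if ACCOUNTS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        # Leaky policy: a nonexistent account never reaches the threshold,
        # so it never triggers the CAPTCHA. Uniform policy: count anyway.
        if self.uniform or username in ACCOUNTS:
            self.failures[username] += 1
        return "invalid"


def leaks_account_existence(service: LoginService) -> bool:
    """Self-check for the policy: after MAX_ATTEMPTS+1 wrong passwords,
    does a real account get a different response than a made-up one?
    True means the CAPTCHA prompt leaks which usernames exist."""
    real = nonexistent = "invalid"
    for _ in range(MAX_ATTEMPTS + 1):
        real = service.login("alice", "wrong-password")
        nonexistent = service.login("no-such-user", "wrong-password")
    return real != nonexistent


if __name__ == "__main__":
    print("leaky policy leaks:", leaks_account_existence(LoginService(False)))
    print("uniform policy leaks:", leaks_account_existence(LoginService(True)))
```

Counting failures per submitted username alone lets anyone force the CAPTCHA onto an arbitrary name, so a real deployment would additionally key the counter on the source address; the point here is only that the response must not depend on whether the account exists.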