Stupid question: why do companies care so much about bots to the point of degrading the customer experience significantly? I can understand for things like public forums. But like why would an ecommerce website ever put a captcha between you and your order (or a news website)?
An example from another comment: bots checking stolen cc numbers, which then results in high numbers of chargebacks and the potential for getting blocked by Visa/Mastercard.
For example:
- bots sign up with email addresses that are owned by other people that don't appreciate your welcome/activation/etc. mails.
- all that automatically generated data can start to hurt performance. Especially on a smaller site, having millions of useless users in your database can slow things down significantly.
That's one thing, but like why would the FT put a captcha on the login page? I am not signing up. I just want to access a website I already paid for. This is just terrible UX.
I think it's again to mitigate against potential bad actors attempting to access legitimate users' accounts.
You could use other methods but there are always tradeoffs, e.g., let's say that instead of using a captcha you just temporarily block login attempts to some account after X failed login attempts. This has the advantage that it's faster for legitimate users as you don't need to complete the captcha; however, the main disadvantage is that you can then get an attacker brute-forcing logins (even if they don't really care about getting users' credentials) which can disrupt your website by preventing potentially thousands of users from signing in.
In my opinion the captcha is the least bad option from a security point of view, as long as it has an alternative accessible mechanism, for example for blind users.
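The tradeoff described in the last comment above, as an added example that is not part of the original thread: the same failed-login counter is run once with a hard lockout and once with a captcha challenge, and the outcome for the legitimate account owners is compared. `LoginGuard`, `simulate`, the threshold of 5 and the 15-minute window are hypothetical names and values chosen for the illustration, and the user data is constructed.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5       # the "X" from the comment; value is an assumption
WINDOW_SECONDS = 900   # how long a failure counts; assumption

class LoginGuard:
    def __init__(self, policy, passwords, clock=time.monotonic):
        self.policy = policy            # "lockout" or "captcha"
        self.passwords = passwords      # account -> password (plain text only for this demo)
        self.clock = clock
        self.failures = defaultdict(list)   # account -> failure timestamps

    def _recent_failures(self, account):
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return len(self.failures[account])

    def attempt(self, account, password, captcha_solved=False):
        """Return 'ok', 'denied', 'locked' or 'captcha_required'."""
        if self._recent_failures(account) >= MAX_FAILURES:
            if self.policy == "lockout":
                return "locked"              # nobody gets in, the owner included
            if not captcha_solved:
                return "captcha_required"    # password is not even checked yet
        expected = self.passwords.get(account)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account].append(self.clock())
        return "denied"

def simulate(policy, n_users=1000):
    """Constructed scenario: a bot fails X times on every account, then the owners log in."""
    passwords = {f"user{i}": f"pw-{i}" for i in range(n_users)}
    guard = LoginGuard(policy, passwords, clock=lambda: 0.0)
    for account in passwords:
        for _ in range(MAX_FAILURES):
            guard.attempt(account, "wrong-guess")
    outcomes = defaultdict(int)
    for account, password in passwords.items():
        result = guard.attempt(account, password)
        if result == "captcha_required":     # a human owner solves it and retries
            result = guard.attempt(account, password, captcha_solved=True)
        outcomes[result] += 1
    return dict(outcomes)

if __name__ == "__main__":
    print({policy: simulate(policy) for policy in ("lockout", "captcha")})
```

Under the lockout policy every owner ends up locked out of their own account, while under the captcha policy every owner signs in after one extra step and automated guesses stop being evaluated once the threshold is reached.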