For example:
- bots sign up with email addresses that are owned by other people that don't appreciate your welcome/activation/etc. mails.
- all that automatically generated data can start to hurt performance. Especially on a smaller site, having millions of useless users in your database can slow things down significantly.
That's one thing, but like why would the FT put a captcha on the login page. I am not signing up. I just want to access a website I already paid for. This is just terrible UX.
I think it's again to mitigate against potential bad actors attempting to access legitimate users' accounts.
You could use other methods but there's always tradeoffs, e.g., let's say that instead of using a captcha you just temporarily block login attempts to some account after X failed login attempts. This has the advantage that it's faster for legitimate users as you don't need to complete the captcha; however, the main disadvantage is that you can then get an attacker brute-forcing logins (even if they don't really care about getting users' credentials) which can disrupt your website by preventing potentially thousands of users from signing in.
In my opinion the captcha is the least bad option from a security point of view, as long as it has an alternative accessible mechanism for example for blind users.
