Correct Captcha behaviour on error


I have an HTML submission form with a captcha at the bottom. Concerning security, I was wondering:

  1. If the captcha is entered wrong should I change the captcha image?
  2. If the captcha is entered correctly, but there is another error server side (like not valid form data) should I change the captcha image?

From what I know, I think 1. should be true, and 2. should be false. My logic is that if an AI tries to read the image it will get a list of possibilities. If the captcha is not reloaded, the malicious software will try from the most probable result to the least probable one, until it gets a hit. If the captcha is reloaded, on the other hand, the malicious software will only get one chance to guess. Also, I think big companies have the same approach. But I am not sure if my arguments are valid or not.

After some thought, I realized that if the captcha is entered wrong, the captcha image should be changed. Not only because of some AI attack, but also because of the margin for human error. Since captchas have become increasingly harder even for humans, they could read it wrong and get frustrated about why the site tells them to enter it again.
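One way to implement the two rules the question settles on server-side, as an added Python example that is not part of the original post (the in-memory store, the TTL value and the function names are assumptions): a challenge is consumed on its first attempt so a wrong answer always yields a fresh image, while a correct answer sets a short-lived "passed" flag on the session so a later form-validation error does not demand a new captcha.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge or a "passed" flag stays valid; assumed value

class CaptchaGate:
    """Server-side challenge store; in-memory here (constructed example)."""
    def __init__(self, now=time.time):
        self._now = now
        self._challenges = {}  # challenge_id -> (expected answer, expiry)
        self._passed = {}      # session_id -> expiry of the "captcha passed" flag

    def new_challenge(self, answer):
        cid = secrets.token_urlsafe(16)  # carried by the form; the answer stays server-side
        self._challenges[cid] = (answer, self._now() + CHALLENGE_TTL)
        return cid

    def verify(self, session_id, challenge_id, user_answer):
        # Point 1: pop the challenge on the first attempt, right or wrong, so each
        # image allows exactly one guess and a wrong guess forces a new image.
        entry = self._challenges.pop(challenge_id, None)
        if entry is None or self._now() > entry[1]:
            return False
        expected = entry[0].strip().lower().encode()
        if not hmac.compare_digest(expected, user_answer.strip().lower().encode()):
            return False
        # Point 2: remember the pass so a later form-validation error does not
        # make the user solve another captcha.
        self._passed[session_id] = self._now() + CHALLENGE_TTL
        return True

    def has_passed(self, session_id):
        expiry = self._passed.get(session_id)
        return expiry is not None and self._now() <= expiry

    def consume(self, session_id):
        self._passed.pop(session_id, None)

def handle_submission(gate, session_id, challenge_id, user_answer, form_valid):
    """Returns (accepted, new_captcha_needed) for one POST of the form."""
    if not gate.has_passed(session_id):
        if not gate.verify(session_id, challenge_id, user_answer):
            return False, True   # wrong captcha: reject and render a fresh image
    if not form_valid:
        return False, False      # captcha passed, other error: keep the flag
    gate.consume(session_id)     # one solved captcha covers one accepted submission
    return True, False
```

The flag is removed once a submission is accepted, so a single solved captcha never covers more than one stored record.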


1 answer

stothek3

Always remember to balance security with not making your users crazy. It seems to be the practice to change the image, but I wouldn't necessarily say that your server is immensely more secure by having that feature. Since it's a form, it's assumed that you're concerned about the integrity of your data; therefore you need to evaluate what amount of garbage data you are willing to tolerate for your needs. If it's critical that everything is correct, use the highest security settings, whereas if it's not as important if a little bit of garbage gets into your DB, I would try to make your website more usable, and therefore not be as strict with the captchas. Remember, entering 5 different captchas will make people hate your site.