FlyerTalk Forums - View Single Post - Consolidated "CAPTCHA for logging in?" thread
Old Oct 13, 2014, 3:09 pm
  #59  
sethb
Originally Posted by jtuttle
reCaptcha is a "BOT" defense to be used on user sign-up pages to keep "BOTS" from signing up to spam the site. The use of reCaptcha on a LOGIN page will only slightly slow the hacker down. Getting rid of all pins and using passwords will not put a major disturbance in the customer's experience on the HHonors site. As for me, the disruption caused by the reCaptcha on the login page of HHonors is a deal breaker. I and my 270 days a year account will have to find another chain, if reCaptcha is not gone from the login page in a week. If the Hilton IT team thinks that reCaptcha stops hackers then my credit card info is in the wrong hands.
Simple solution that provides more security: once getting too many attempts that fail (for an account, from an IP, whatever), then start requiring Captcha. (Yes, this won't stop a concerted distributed attack, unless they can discern other characteristics to compare. They can, many exist, but it's better not to mention them publicly.)
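The approach described in the reply above (require a CAPTCHA only after too many failed attempts for an account or from an IP), as an added example that is not part of the original post or any site's real code. The class name, thresholds and window length are assumptions, and as the post notes, per-account and per-IP counters alone do not stop a distributed attack.

```python
import time
from collections import deque


class CaptchaGate:
    """Ask for a CAPTCHA only after repeated failed logins (hypothetical helper)."""

    def __init__(self, account_limit=5, ip_limit=20, window=900, clock=time.monotonic):
        # Assumed thresholds: failures tolerated per key inside `window` seconds.
        self.limits = {"account": account_limit, "ip": ip_limit}
        self.window = window
        self._clock = clock
        self._failures = {}  # (kind, value) -> deque of failure timestamps

    def _recent(self, key):
        """Count failures for key inside the window, dropping expired ones."""
        q = self._failures.get(key)
        if not q:
            return 0
        cutoff = self._clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[key]  # keep memory bounded by active keys
        return len(q)

    def captcha_required(self, account, ip):
        """True once either the account or the source IP has hit its limit."""
        return (self._recent(("account", account.lower())) >= self.limits["account"]
                or self._recent(("ip", ip)) >= self.limits["ip"])

    def record_failure(self, account, ip):
        """Call after every failed login, whether or not a CAPTCHA was shown."""
        now = self._clock()
        for key in (("account", account.lower()), ("ip", ip)):
            self._failures.setdefault(key, deque()).append(now)
        # Counters are not reset on a successful login: they only age out, so
        # a valid login in between does not hand a guesser a fresh allowance.


if __name__ == "__main__":
    gate = CaptchaGate(account_limit=3, ip_limit=5)
    for _ in range(3):  # constructed sample: three bad guesses at one account
        gate.record_failure("alice", "203.0.113.7")
    print(gate.captcha_required("alice", "198.51.100.9"))  # account is flagged
    print(gate.captcha_required("bob", "198.51.100.9"))    # other users are not
```

The login handler would call `captcha_required` before checking the password and `record_failure` after each rejected attempt, so ordinary users never see a challenge.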