CAPTCHA after X attempts

Is it possible to add the option of requiring reCAPTCHA to the Web Vault after X failed attempts (and if possible to the Desktop app and Browser Extension as well)?

This feature would prevent brute-forcing attacks, since users are terrible at choosing their Master Password.
A “strong” master password is usually only 40 bits entrophy (according to, even though the NIST recommends 80 bits.

According to Bruce Schneier, a 40 bits key could be cracked in only 2 seconds in a dedicated attack.

Personally, I would think that requiring the reCAPTCHA after 15-20 wrong attempts would be reasonable, considering that some might want to brute-force their own forgotten master password. However, any suggestions are welcome!

Hope to see this feature implemented soon!


Hey @vachan,
Thanks for the reply!
If you want, you can start another feature request for the lockdown feature. In my opinion, it’s irrelevant to this topic. (No offense tho)
How does recaptcha invade a user’s privacy? Google Analytics is completely different from recaptcha… It’s used to track users, while reCaptcha is used to stop computers from hacking accounts.

It’s also worth noting that both Gmail and Outlook (and presumably many other companies) require reCaptcha (or something similar) after several failed attempts.

Ok, I will delete the post.

I read an article and it stated:

reCAPTCHA also works by collecting data from your computer, which gives Google a view into user traffic. Over the years, the view has grown larger and larger as more websites have adopted reCAPTCHA to stop spammers.


Cloudflare ditched recaptcha and chose hcaptcha instead due to privacy concerns from users.

Thank you very much for the info! @vachan

I think cloudflare does some sort of compute problem now. I’ve never read what they do, but crunchyroll tends to have a cloudflare anti-DDOS protection load page popup from time to time that says it’s “validating” me or something, and uses a bunch of CPU for a bit before proceeding.

I assume they have some sort of compute problem that is difficult to compute, but easy to validate. This effectively rate limits(slows down) the attacker similar to key-stretching.

@Ben86 @vachan
Thank you all for your reply and contribution!

I’m sure that the Bitwarden Team would choose hCaptcha or other similar software instead of reCaptcha if user privacy is at risk!
I would certainly agree to using other Captcha software if it’s more effective and more private than reCaptcha! :grinning:

Hope to see it implemented soon!

@tgreer This feature request can be closed, since hCaptcha has already been implemented. Thanks!