So, wait, is the only captcha on this site the SSG one? 'Cause that's the only one I've ever seen. Is there a limit to the number of login attempts that can be made even with captchas, or are there cooldowns?
Actually let me go check.
EDIT: So I just went and tried to log in with a bad password like thirty times, and the only captcha I saw is the SSG one. There was no attempt cooldown or anything; I logged in just fine on the 31st attempt with the correct password and my correctly solving the SSG captcha.
If I'm interpreting this correctly and there isn't a cooldown sometime after the 30th attempt that I just didn't see, this means that while the captcha will stop random spam bots from trying to hawk Cialis and tell us how they made $300 a day from home, there is basically no site protection against brute forcing a password, and it's up to the user to have a password of the maximum password length in order to delay any brute force attempts, and the only real surefire way to defend against any dedicated script kiddie is to change your max-length password on a regular schedule. What is the max password length btw? The regular changing of passwords might not be needed if the length means something like a year of continuous attempts to crack.
Now, I know very little about net security, and my qualifications are basically that I have logged into a lot of websites, but wouldn't it make sense to at least introduce a cooldown after x failed attempts, if a captcha would be infeasible?
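A cooldown after x failed attempts, as asked about in the post above, sketched as an added example that is not part of the original post or the site's code. `LoginThrottle`, `attempt_login`, the thresholds and the `check_password` callback are hypothetical names and values chosen for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account cooldown that doubles with each failure past the limit."""

    def __init__(self, max_failures=5, base_cooldown=30.0,
                 max_cooldown=3600.0, clock=time.monotonic):
        self.max_failures = max_failures    # the "x" failed attempts
        self.base_cooldown = base_cooldown  # seconds for the first lock
        self.max_cooldown = max_cooldown    # cap on the doubling
        self.clock = clock                  # injectable for testing
        self._state = {}

    def retry_after(self, account):
        """Seconds still to wait; 0.0 means an attempt is allowed."""
        st = self._state.get(account)
        return max(0.0, st.locked_until - self.clock()) if st else 0.0

    def record(self, account, success):
        """Record an attempt's outcome; return the cooldown it triggered."""
        if success:
            self._state.pop(account, None)  # reset the counter on success
            return 0.0
        st = self._state.setdefault(account, _State())
        st.failures += 1
        over = st.failures - self.max_failures
        if over < 0:
            return 0.0
        cooldown = min(self.base_cooldown * 2 ** over, self.max_cooldown)
        st.locked_until = self.clock() + cooldown
        return cooldown


def attempt_login(throttle, account, password, check_password):
    """Return (ok, wait_seconds). The cooldown is checked before the
    password, so guesses made during a lock are never evaluated at all."""
    wait = throttle.retry_after(account)
    if wait > 0:
        return False, wait
    ok = check_password(account, password)
    return ok, throttle.record(account, ok)
```

Keying the counter on the account name alone means anyone can trigger a temporary lock for another user, so a deployment may also want to count failures per source address.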