Not new. See this thread from Feb 2022. After three unsuccessful login attempts you’re presented with a captcha. “The lock out (actually showing CAPTCHA) is based on IP address as this is more effective to prevent brute force attacks.”
I also have an Olimex FB running 23.19 and just entered a bogus password three times in a row, got the page with the captcha, and was able to log in after solving the captcha (on my second try), so the functionality is still in place. I don’t know if a cool-off period was ever added.
Thanks, I think this is exactly what happened to me. For some reason keypassXC was typing login and password wrong. I only managed to solved the captcha at the 4th attempt and was getting a bit nervous.
It appears that this question in the original thread was never answered. It’s the first thing that came to mind when I read the current thread, and it alarmed me. Is the CAPTCHA an internal FreedomBox feature, or does its operation rely on some third party?
CAPTCHA implementation in FreedomBox interface does not rely on any third party service or even a FreedomBox foundation provided service. It uses a local library to generate the distorted image (via the python imaging library) and compares the user answer to the text. It is, hence, completely private.