I would like to suggest that web client should have captcha to login.
For a curiosity, I have created a automated script, which will login to qc from web, and do some stuff.
It got success, and that script works very well.
its too much easy, where any person can create such script, and create a bot, which will do any activity here.
For a security, I am not sharing that code here, but if "developers want, we can discuss it on private channel.

Hello,
rules say:

Scripting and other means to modify client or game behavior in any form and for any purpose, are strictly forbidden.

Thus, as someone who is just a user, I would strongly advise you not to use that script again. The rules make it pretty clear you could very well receive a punishment for doing so. Even though they refer to modifying the client, I'm pretty sure this covers this type of automation as well.

For your initial suggestion, a CAPTCHA on each login would certainly be unbelievably annoying, and especially considering that the accessibility of CAPTCHAS can be a hit or miss, most importantly on mobile, which is one of the main purposes of the web client.

I mean, to be completely honest you don't even need to use any automation or things like that. You can just use various means to figure out the API of the playroom. So, a captcha on login would only work to enhance security if it is tied into other measures to ensure that all connections are official, which the playroom currently does not have.

@Nikola

Thus, as someone who is just a user, I would strongly advise you not to use that script again.

Yes. I am not using that script, As I mention above,

For a curiosity, I have created a automated script, which will login to qc from web, and do some stuff.

I also know, its illegal to automate any website without prior permission of the developer.
Reason I raised this topic, is to just show the security loop holes.

For your initial suggestion, a CAPTCHA on each login would certainly be unbelievably annoying, and especially considering that the accessibility of CAPTCHAS can be a hit or miss, most importantly on mobile, which is one of the main purposes of the web client.

I don't think so. there are lot's of ways to put the captcha, which will be user friendly for the mobile users.
Also, it will be annoying, only, if user do login multiple times.

Hello,

We are trying hard to avoid putting captcha.

They are most of the time inaccessible, hard to complete, and are a last an useless annoyance for all users.
Many users on the playroom aren't so comfortable with their computer or mobile phone. For those people, a captcha would just mean unable to connect and play. Registration and login must stay as simple as possible.

There are other means than captcha to stop spam and malicious users, which are completely transparent, really fully transparent to honest people.

people should be honest and friendly to each other, spamming around doesn't make anyone win something and as for this message @nicola if he would be a malicious people, he would use it and get punshment. If someone is villing to share founded bug, you should appreciate it.

@Thomas it's quite simple, I shared that just in case the person wasn't familiar with the rule. Nothing more to it. I don't advocate for anybody to be banned or something similar.

Anyway, a captcha wouldn't solve it in my view, it would just make it semi-automated, as you'd be the one who has to log in now, but other than that, nothing really changes.
On the other hand, yes, I would assume that most people who are active login multiple times a day. To be honest I also never used a website that's so aggressive and annoying to ask for it on each login.
Oh, scratch that, I did, I was locked out of Discord multiple times because HCaptcha is wonderfully accessible and always works…

well so, if there are ways to prevent this automation other than captcha, then that's good.
As i already said, I just raised this topic to show the security issue.
as @Aminiel says,

There are other means than captcha to stop spam and malicious users, which are completely transparent, really fully transparent to honest people.

Then I also agree, there is no need to create captcha.

one's talent should be appreciated always rather than making fear of punishes. who know how many security flaws exists in this playroom. at least he can able to find one now. if we encourage more, may be he can find further more.

As a security measure: a random arithmetic can be used for each login, or a random word to enter, etc.

You'd need to make those prompts varied if you did that. Otherwise, the question can just be tokenized and solved.