All joking aside, is there any hope that the extremely user-hostile CAPTCHA will go away any time soon? Half the time I see it I wonder if it's really necessary. The other half I wonder if the service provider could be a bit more clever or industrious.
> I wonder if the service provider could be a bit more clever or industrious
That takes time and effort, something which is often in short supply. Easier to just slap any old captcha on there, even a mostly ineffective one will stop the drive-by scripts.
I had to implement a non-CAPTCHA method of stopping spammer signups to our forums, and after a day of work I had something that still let through 2-3 spammers a day. A CAPTCHA would have taken under an hour (plugins available) and probably have stopped more.
These recaptcha CAPTCHAs are becoming ever worse. I've seen many people struggle with them and even ask my help to decode them (because, hey, a computer person probably knows how to decode the code). That can't be the purpose? If you're using such a captcha, you're losing legit users, not spammers. Spammers are the more persistent, likely.
I don't know if that is true...I haven't noticed any particularly bad captchas recently myself, but I was constantly getting really incomprehensible ones about 6-12 months ago. I think perhaps the developers have realised that it was getting too silly and they've toned them down a little bit.
If spammers and service abusers went away, CAPTCHAs would go away. Service providers don't use CAPTCHAs for the giggles. And the bad guys are getting better with OCR (or using sweat shops) so CAPTCHAs need to get harder to read to keep enough of them out.
If you can come up with something else that can distinguish legitimate users and bad guys, you'd be a very popular guy.
Some service providers seem to do it, because everyone else does it. Tiny blogs, obscure niche sites. They are afraid of spammers and never had a real look at it how necessary CAPTCHAs really are.
Oftentimes, a simple JavaScript-based spam protection is enough.
Automatically fill a hidden form with constant text. Unless you are a big site, smammers are really just bots who hit your site along with thousands of others. No one will notice if your site doesn't accept the spam, and if they did, no one would care enough to implement a work around.
Unfourtuantly, you cannot bundle this feature into a popular library, because then enough people would use it, that bot makers would implement a work around.
So true! Its beyond ridiculous when you are forced to enter captchas on tiny sites which hardly get 10 visitors in a day. Have seen this in numerous such sites.
Do you think that tiny sites get less automated spammers? In such sites the spambot registration attempts far outnumber the real users.
If you have a decent site, you can afford to review/delete/block spam afterwards, but if you have a small site and don't babysit it every dey, then a tough captcha is an absolute requirement.
For a small site, doing anything out of the ordinary is enough to stop the vast majority of spam.
For years, I had a non-captcha on my blog that simply read:
Enter the word "elbow": ________
That was it. The word was hardcoded, and the server simply checked to see if that input field did, indeed, contain the word "elbow". Spam completely halted for a long time. Eventually, it started showing up again, and once I got tired of deleting a couple of spams per week, I changed it to:
Enter the word "humour", but with American spelling: ________
Once again, spam stopped for a long time. As a bonus, I had a couple of commenters complaining that not everybody was a native English speaker and this question was too hard. I say "bonus", because I like keeping away commenters who can't be bothered to spend five seconds on Google.
This started to break down eventually as well. My latest effort, done more for fun than effectiveness, is to implement a hashcash proof-of-work system in Javascript. In short, the server sends a random salt to the client, and the client must then come up with a string which, when concatenated with the salt, has an SHA-1 hash with a certain number of leading zero bits. This is easy to verify (the server just takes the client's result, performs a hash, counts the leading zero bits) but hard to produce (the client has to brute-force it).
The relative slowness of JavaScript crypto makes this not actually very useful in a theoretical sense. I've calibrated the difficulty to take about 20 seconds of work in the browser, but a decent native code implementation can do the same amount of work in maybe a tenth of a second. So, against a determined attacker, it won't be much of an obstacle.
But as a relatively small site with a completely custom anti-spam solution, I don't get determined attackers. I get the occasional spam message with this in place, but from the server logs it's obvious that it's actual real human beings firing up the comment form and waiting the ~20 seconds for the hashcash to complete before posting their comment. Terribly inefficient for them, and it keeps stuff down to a manageable level.
In summary, if you have a small site, you can throw up nearly any custom anti-spam measure, no matter how silly or easy, and have it be effective. A standard captcha may be easier to add than a non-standard anything, but it's definitely not an "absolute requirement". Big sites are completely different, since they'll attract enough spammer attention for site-specific attacks.
I don't care if you prevent me from posting for 20 seconds, but if you make my laptop fan spin up, or cause my old computer to get unresponsive, especially if I have no clue why, I'm gonna be upset. I'm used to video sites slowing down the computer slightly, but if a simple blog does it, I'm gonna be confused, and possibly pissed.
The trick is to start the compilation when you start showing the comment box -- and only show the "reply" button once it's done. This way, for nearly all comments, it will be done calculating before you are done commenting (this has already taken me more than 20 seconds!), and it retains its hard-to-spam properties.
My comment box is always visible, but I don't start the computation until the user actually focuses one of the fields. The submit button is disabled until the hashcash computation completes, but that's about it. If you're not racing the hashcash computation, you'll likely not notice anything unusual.
Can you back that claim with actual data or are you exactly the guy I was talking about in my post?
I run a phpBB forum and 2 blogs. They got the standard spam like everyone else. Once I installed Spam Destroyer for Wordpress and made a 3-line JS-based modification for phpBB, I reduced spam by approximately 99,99%.
My main Web App gets something like 40,000 visits per week and is online since 2006. I never bothered with a CAPTCHA and there are hardly any spam signups. Same JS-based spam protection mechanism.
Yeah, if you are a small site using any off-the-shelf forum software, you will need defense from the spambots. They don't care that your forum has only 10 real users. It's spray-and-pray spamming.
Yes, I think it is inevitable that they will go away. I am litterally at a point where it is easier to copy the image to my computer, and run a captcha breaking program, then it is to actually solve the captcha myself.
Sure, the computer does not get it 100% of the time, but it gets it more often then me, and fails faster.
The worse for me is when I correctly fill in the captcha, but incorrectly filled in another field, and I have to solve that damned captcha again. I can't think of a good reason why you would not remember that the user did correctly solve the captcha and not present it again.
moot, founder of 4chan has made it very clear in the past "No, we will never implement a captcha."
It wasn't until the social virus was released on 4chan that uploaded itself, along with any random file it happens to find in Documents or other sensitive areas publicly, that the captchas were put in place.
This evolved to the point where they started selling 4chan as a service without a captcha (I'm actually all for that).
Sometimes there is just no way around the problem.
Okay, not every CAPTCHA, but a scarily large amount of them are just plaintext with fancy formatting. Occassionally I see one with an actual image, but with the plain text as part of the image URL.
You can solve this, of course, by using the inspector in Chrome to select the '<div class="code">', and then entering copy($0.innerText) in the console.
So this is actually easier to solve than the audio mode of reCAPTCHA.
Evil Idea: Put up a really good, well paid, job ad with an application that has this crapcha at the very end. Log IPs and see how long the average person tries to submit their application.
Compile and release the statistics to your evil deed on HN.
Ryaniar (a budget travel airline in Europe) have started using this type of thing to their advantage. Each Captcha is about flight insurance, low cost, on time etc. Annoying and good advertising at the same time.
My favorite part was the (i) link went to a new tab with the site.
Captcha remind me of inkblot tests [1]. I wonder if there are any that actually use those cards.
My favorite captcha experience: it only checked the first 3 characters matched (as in only enter the first 3 of a two word captcha). I supposed maybe I misunderstand how they work but I would have thought they checked against at least one full word.
I just spent way too much time on this. Some of the icons (the ones you can't view source and copy) come from http://fortawesome.github.io/Font-Awesome/. Allow hex input and you're golden.
I could solve some of them quite well with only using a standard US keyboard and US layout (the trick is to use the compose key)… As long as they don't start including icons into the crapcha as well.
In 50 years, the machine will be able to outperform the bottom 50% of the human population in any conceivable endeavor or task behind a keyboard/monitor. So CAPTCHAS will eventually be useless.
So it's an intelligence race. The more intelligent system (a computer, human, or hybrid) will be able to deceive the lesser intelligent system (computer, human or hybrid).
So the problem changes from: "Is the entity I am dealing with a computer or a human" to: "Does the entity I am dealing with have intentions to gain an unfair advantage over this transaction."
Humans have a part of our brain where we look for how others might be taking advantage of us, the algorithms and data structures there are remarkable. Computers will need to acquire those abilities if they are to manage the exchange of money, goods and services.
Captchas are really just an efficiency measure. You could simply have a human screen every single comment (or signup or whatever) and cull the spam. But human time is too limited, so we come up with lesser measures.
When machine intelligence advances that far, we'll be able to easily automate human-level examination of every single comment or submission or whatever. So I think the problem will get better, not worse, with that level of power.
