

Death to Captchas - DanielRibeiro
http://timkadlec.com/2011/01/death-to-captchas/

======
gchucky
I'm sorry, I have a hard time with articles that complain but offer no
solutions (and the one line at the end about Akismet doesn't really cut it for
me.)

I've seen some captchas that have you do simple math problems or other basic
questions, which seemed to be a better alternative. I also remember seeing
prototypes of a captcha that showed nine pictures and told users to select the
three that were cats. Not sure why that never caught on, though.

~~~
mike-cardwell
The trouble is, those sorts of captchas are trivial to bypass. They're good
against an automated fly-by attack, but completely pointless against a
targeted attacker. Not even a good targeted attacker, just somebody who
knows how to write a script which submits a form.

I could probably get away with using the cat captcha on my blog, but Facebook
or Google wouldn't be able to use it. But the thing is, for a site like my
blog, I don't even _need_ to use a cat captcha. I just need to make sure dumb
bots can't submit anything, e.g. using hidden fields:

[https://secure.grepular.com/Blocking_Comment_Spam_Using_ModS...](https://secure.grepular.com/Blocking_Comment_Spam_Using_ModSecurity_and_Hidden_Fields)

So where do these image captchas have a place? Not on big sites, and not on
small sites...

~~~
Vivtek
The problem with only screening for dumb bots is that it won't screen for the
25-cent-an-hour Ukrainian or African hired to submit spam with a human-driven
browser.

~~~
mike-cardwell
That is a problem with _all_ captchas.

------
noahc
He gets it slightly wrong on how it works. One is not verified by a computer
and one verified by a user. Here's a quote from
<http://www.google.com/recaptcha/learnmore>

"""But if a computer can't read such a CAPTCHA, how does the system know the
correct answer to the puzzle? Here's how: Each new word that cannot be read
correctly by OCR is given to a user in conjunction with another word for which
the answer is already known. The user is then asked to read both words. If
they solve the one for which the answer is known, the system assumes their
answer is correct for the new one. The system then gives the new image to a
number of other people to determine, with higher confidence, whether the
original answer was correct."""
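The control-word scheme in that quote, as an added illustration (not Google's code; the agreement threshold and the lenient normalisation are assumptions): a response only counts toward the unknown word when the control word is solved, and the unknown word becomes "known" once enough independent answers agree.

```javascript
// Added illustration of the quoted reCAPTCHA description, not Google's code.
// Each challenge pairs a control word (answer known) with an unknown word.
// The answer for the unknown word is recorded only if the control word was
// solved, and the unknown word is promoted to "known" once AGREE_THRESHOLD
// responses agree. The threshold and normalisation are assumptions.
const AGREE_THRESHOLD = 3;

function createPool() {
  return {
    known: new Map(), // word id -> accepted answer
    votes: new Map(), // unknown word id -> Map(answer -> count)
  };
}

// Lenient matching, as an OCR checker might: trimmed and case-insensitive.
function norm(s) {
  return String(s).trim().toLowerCase();
}

// Build a challenge from one known (control) word and one unknown word.
function makeChallenge(pool, controlId, unknownId) {
  if (!pool.known.has(controlId)) throw new Error('control word must be known');
  return { controlId, unknownId };
}

// Grade a response. `passed` says whether the user solved the control word
// (and so gets through the CAPTCHA). `promoted` is the accepted answer for the
// unknown word if this response pushed it over the threshold, else null.
// Note the security-relevant consequence: a passing user can still submit
// a wrong answer for the unknown word, which is why votes are accumulated.
function gradeResponse(pool, challenge, controlAnswer, unknownAnswer) {
  const passed = norm(controlAnswer) === norm(pool.known.get(challenge.controlId));
  if (!passed) return { passed: false, promoted: null };
  const { unknownId } = challenge;
  if (pool.known.has(unknownId)) return { passed: true, promoted: null };
  const tally = pool.votes.get(unknownId) || new Map();
  const ans = norm(unknownAnswer);
  tally.set(ans, (tally.get(ans) || 0) + 1);
  pool.votes.set(unknownId, tally);
  if (tally.get(ans) >= AGREE_THRESHOLD) {
    pool.known.set(unknownId, ans);
    pool.votes.delete(unknownId);
    return { passed: true, promoted: ans };
  }
  return { passed: true, promoted: null };
}
```

A real deployment would also rotate which of the two words is the control, since a solver that can tell them apart need only answer one.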

------
eli
I recently tried turning off our CAPTCHA for a few weeks and instead just
blocking all comments with links. I was still getting hammered by 10% of junk
comments that don't have a link. Many of them were gibberish; my guess is it's
a bot cataloging which sites accept comments in the first place.

Solving a CAPTCHA sucks for the person submitting the comment, but having a
page full of Viagra spam burying any legit comments sucks for _everyone_.

What scares me is the noticeable rise in spam comments being submitted by
_actual humans_ apparently in India and China. I set up a ModSecurity rule to
block inbound hits coming from a Google search that includes the phrase "post
a new comment" but that's only going to work for so long.

------
nopal
>A far more elegant solution is to use some sort of filtering system (like
Akismet). Such a system can run behind the scenes and work without
complicating the user experience.

I disagree.

An automated system that calculates the probability that user data is invalid
will inevitably report false positives, leading to blocked or deleted
content. Try explaining that to a user.

------
njharman
It's a 2-of-3 problem; we want three things: 1) access to stuff, 2) that
access to be secure, and 3) no effort/time/delay for access. But in reality
you only get two of those.

In general things of _"value"_ can't be both secure and fast/easy. If it's
fast/easy it can (and will) be brute forced and/or Amazon Turked.

------
jamesshamenski
<http://www.nucaptcha.com/> Offers a solution in video captchas. Moving
letters are way easier to read and if fraudulent activity is detected the
videos slow down to a rate which becomes uneconomical to solve.

------
Vivtek
Weird for somebody to complain about visual accessibility _and_ have a site
design that's so poorly readable. I mean, OK, I only got 2.5 hours of sleep
last night and so I'm more sensitive than normal, but my eyes are still
jangling from reading that.

------
drdaeman
Does anyone have any experience with Hashcash or the like?
<http://en.wikipedia.org/wiki/Hashcash>

The obvious problem is that in the case of directed attacks, spammers (or
other malicious persons) would use native code or even GPUs to perform the
computations, while ordinary users would be limited by slower JavaScript
implementations. It would help (but not solve the problem completely), though,
if someone showed us some non-trivial code that performs the computation in
the background (without any noticeable impact on page interactivity) and
finishes in roughly the minimum time required to write a meaningful comment or
fill out a form.

------
bengtan
If you can afford to require registration for comments, then using the
blacklist at www.stopforumspam.com works quite well. I've cut down my number
of spambot-induced accounts by about 90% for a couple of forums I manage.

------
maeon3
The next captchas will likely be "choose the animal" from a 2D picture: given
the small images across the screen, choose the dogs.

The people working to get through security measures will always be there, we
might as well put them to good use. Get them to build innovative AI software
to bypass security. The code to identify the animal in the picture will
eventually find its way into the public and be put to good use.

