
Captchas are Becoming Ridiculous - JoshTheGeek
https://www.andrewmunsell.com/blog/captchas-are-becoming-ridiculous
======
sp332
The squished-up word is the control word, and the straight one is the unknown
one. You only need to get the wavy word right and just guess at all the cut-
off examples.

~~~
Alupis
I've solved a lot of captcha's in my time, and really have never experienced
the trouble the author is detailing. Not only am I relieved when I see a
reCaptcha since they are some of the easiest and most forgiving challenges,
but I don't recall ever having repeated bad/unsolvable challenges presented on
the same page.

Sure, maybe sometimes you get a weird one and fail it. But typically the next
challenge is easy to pass. Seems the author cherry-picked some of the worst
reCaptcha examples for the article, but wrote it in a way that made it seem
they were presented back-to-back.

Besides this -- the article makes no attempt to offer a better solution.

Captcha's are really the best way we have right now to "prove" someone is not
a bot. Hidden Form fields, etc, don't work and are easily spoofed. Sure
Captcha's can be beaten by bots sometimes -- but I trust Google's scale/volume
with ReCaptcha to handle that for me (for the most part).

Captcha's are not going anywhere anytime soon.

~~~
vitd
>Besides this -- the article makes no attempt to offer a better solution.

That's completely irrelevant. Criticism is not about solving the problem. It's
about pointing out that the current solution is inadequate.

Most movie critics never wrote, directed, or acted in movies. It doesn't
invalidate their criticism.

In fact, your criticism of the other poster's criticism doesn't offer a better
solution than criticism either. You simply criticize that post. (And that's
OK, if ironic.)

~~~
prof_hobart
Absolutely.

I hate with a passion the attitude of "Don't bring me problems. Bring me
solutions". Sure, if you've got a solution as well, that's great. But I'd much
rather know there's a problem that you don't have a solution to than be
completely ignorant of it.

~~~
skj
I go even a bit further: don't bring me solutions, just tell me what makes
your life difficult.

As a tools developer, I observe that user-provided solutions almost never
address anything outside their specific problem, which is potentially only one
of many things the feature with the issue is designed to address.

Some of my colleagues tend to point to user feedback as gospel, including the
ways suggested to "fix" the issue. But those fixes are often myopic and laden
with technical debt.

But I will never disbelieve a claim that something is confusing, or hard to
use (almost never, anyway; some people are idiots). Just don't be offended if
I don't fix it in the way you came up with.

------
smackfu
Here's something interesting. If I go to the ReCaptcha demo page in Chrome
that is logged in to Google, I get all house numbers, a lot of which seem like
easy OCR. If go to the same demo page in Incognito mode, I get the two word
version instead, like this blog is complaining about.

[http://www.google.com/recaptcha/demo/](http://www.google.com/recaptcha/demo/)

~~~
nandhp
Yes: reCAPTCHA now keeps a profile of you and gives humanoid users easier
reCAPTCHAs.

[http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-j...](http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-
just-got-easier-but-only-if.html)

~~~
metacorrector
in other words, it's not giving you reCaptchas, it's giving you unCaptcha's
yet so you can do work for them for google streetview.

------
nsxwolf
The audio captchas are psychotic. They are scarier sounding than anything I've
heard in a horror movie lately, and I have never been able to solve one.

~~~
lfam
Psychotic and almost impossible to solve. I tried an audio captcha recently on
a whim and I was bewildered.

I think any site that uses reCAPTCHA must not have any regular vision impaired
users.

[https://www.youtube.com/watch?v=HhFLC8ZZQeM](https://www.youtube.com/watch?v=HhFLC8ZZQeM)
[https://www.youtube.com/watch?v=KNVcIogEXOo](https://www.youtube.com/watch?v=KNVcIogEXOo)

~~~
krapp
Analysis of audio captchas has led to a number of exploits for several captcha
systems including recaptcha - which is what all that horrible obfuscation is
trying to prevent.

~~~
nsxwolf
It seems to be really good at preventing visually impaired users from using
your site. Unless it is true that they really do develop better hearing.

~~~
krapp
I don't know how you would solve that problem, other than not having one at
all, which of course wouldn't be fair. Having the audio clearly describe the
solution would make the captcha useless.

------
gildas
Here's the one I got on linkedin recently

[https://twitter.com/check_ca/status/480784849260019712](https://twitter.com/check_ca/status/480784849260019712)

~~~
kroger
I got one in Hebrew once:

[http://twitpic.com/8u8un4](http://twitpic.com/8u8un4)

~~~
arseniclifeform
Looks like something you might get with CRAPCHA:

[http://crapcha.com](http://crapcha.com)

~~~
jobigoud
Brilliant. I think I'm going to use this on my site and ask humans to not
enter anything. Anyone entering something will be considered a bot.

------
incision
I was just thinking this yesterday when I had to recover a Flickr account I
hadn't used in ages. I had to solve captchas from Yahoo and Microsoft.

The Yahoo captcha used rotating, bouncing letters on a scrolling background of
more letters - ridiculous. Microsoft's was just a typical smeared mess, but no
easier to actually solve.

I think I failed each at least 3 times.

It's not just difficult captchas, but use of them everywhere. The site my
university recommends for ordering textbooks starts inserting captchas if one
searches more often than perhaps twice within a minute. Another I can't recall
the details of requires a captcha solve to make any sort of profile change
despite being previously authenticated.

~~~
Alupis
The article's largest complaint is not being able to read one (1) of the two
(2) words in the captcha challenge.

ReCaptcha only requires one (1) out of two (2) words to be correct in the
challenge.

It presents one known-by-the-system-word, and one not-known word. If you get
the known word correct (the easier of the two to read) then it passes the
challenge.

ReCaptcha then pools the answers for the second not-known word and after
pooling thousands (or more) responses, then that word becomes "known" based on
the average answers (and then that word is "digitized" and used by google
maps, or ebooks, etc).

~~~~

And for those wondering, I find it easiest to read captcha's by just looking
at the letters by shape.

Going down the list in the article:

onightsl secretary.

. phaRega

o ndaaar

proximity rsgrrem

and khseeke

. azedcg

elearsal 5

ination amesye

se ebtyR

Reomi now

ivestshm nwre

Again, it's important to note, you only have to get _one_ of the two words
correct to pass the challenge. So.. probably 99% of the above list would pass.

~~~
jdbernard
No, the problem the author mentions is _explicitly_ with ReCaptcha. He
addresses your edit in the article, which you would know if you actually read
it and didn't just skim. The problem, as evidenced by the author's many
examples, is that the control word is often distorted beyond reasonable
recognition, and the new word is not valid data. So _neither_ of the two words
is solvable.

 _Edit in response to your edits_

You've deleted your previous edit. Still, even with your current edit it is
clear you are not actually reading the article. You say:

 _Again, it 's important to note, you only have to get one of the two words
correct to pass the challenge. So.. probably 99% of the above list would
pass._

However, the author of the article explicitly states that he did this:

 _I decided to just guess the first word and hope “secretary” was the control.
It wasn’t._

So the author correctly identified one of the two words (and makes the same
identification as you did), but was still rejected because it was not the
control word.

You obviously don't have an accurate understanding of ReCaptcha
implementation, and you apparently are not reading the article with
comprehension, despite claiming several times that you have.

~~~
Alupis
> You obviously don't have an accurate understanding of ReCaptcha
> implementation

I do (I've implemented them many times), but no point in arguing.

I must be the only person who finds the level of security a captcha provides
worth the 1 to 2 seconds it takes to type in a Captcha. And if done properly,
you should only have to type a captcha once per site.

Which is easier? Allow form spam on your site, or have a user type a captcha
once the first time they visit and decide to post a comment or something?
Captcha's have provided a tradeoff between inconvenience and protecting your
site.

~~~
jdbernard
Pardon my confusion, but wasn't your original comment arguing _against_
homebrew Captchas?

Also, you say that you have an accurate understanding of _ReCaptcha_
implementation based on the qualification that you have "implemented them many
times". ReCaptcha was created by Google, so unless you work for Google on the
team that implemented ReCaptcha, it doesn't seem possible for you to have
"implemented them [ReCaptcha] many times".

~~~
neurobro
Minor point, but reCAPTCHA was purchased by Google, not created by them.

------
joshfraser
I'll repost this once again. Why you should never use a CAPTCHA:
[http://www.onlineaspect.com/2010/07/02/why-you-should-
never-...](http://www.onlineaspect.com/2010/07/02/why-you-should-never-use-a-
captcha/)

~~~
k__
The proposed alternatives are crap. Why shouldn't an attacker read the CSS...

~~~
joshfraser
Many (maybe even most) people who use CAPTCHAs are never going to be targeted
with a personalized attack. Instead they're using CAPTCHAs to prevent generic,
spray and pray spam. The bots know how to post a comment on a Wordpress blog,
but making even a small tweak to your comment form can get rid of 99% of them.

------
izzydata
Lately I've noticed 90% of my captcha's being a single number. That is it. A
number like "1057" with nothing else. what do they honestly expect me to do
with this?

Basically I have to fill in the number and then guess whether it was the first
or second set of characters and fill out bogus before or after the number and
hope I got it right. The numbers weren't even hard for a computer to read. The
only thing it does is waste everyones' time.

~~~
jobigoud
This happens when they already know there is a fair chance that you are human.
So they give you an easy one and get their OCR for free. You are probably
already logged in your Google account when it happens. Go incognito, browse
with Tor, etc. and you will get the impossible ones.

------
companyhen
What is everyone thoughts on this type of CAPTCHA?

[http://areyouahuman.com/site-owners/playthru/](http://areyouahuman.com/site-
owners/playthru/)

~~~
gdilla
it's interesting but two things come to mind. Viewing it on this site makes it
seem like it's great, but what about in context? If i came across that, I'm
forced to think more than a capthca, just since it's so different and
unexpected (maybe that goes away if it's very widespread). Also, it looks like
an annoying banner ad game from orbitz or something of years back - that might
make me avoid it, ignore or just not trust it.

~~~
tjpaxton
in context we get about 40%-60% higher conversion rate depending on the use
case and have over a 95% success rate. we have a lightbox mode that makes it
really apparent what you are doing and only has you attempt a captcha after
you submit and the form is validated.

------
pbreit
I can't believe we have not figured out something better than captchas by
2014. I would imagine Google could figure at least how to bake something into
Chrome which many would eventually follow. It's asinine that all legit
customers have to go through such a silly, completely unrelated hoop.

~~~
tempestn
Google _has_ figured out something "better". Basically they use all the data
they collect on you to determine whether you're likely to be a bot or not. If
not, you most likely won't even see a captcha. (And if so, you'll get a
difficult one.)

~~~
kstenerud
It must think I'm a bot, then. I get captchas all the time, and they've been
definitely getting harder and harder to solve over time. I suspect their
algorithm pushes me further and further into the bot camp the more captchas I
fail (I have about a 10-20% success rate now, and it's dropping). At this
point, I only stick around for the 5-6 tries it takes if I REALLY want to use
whatever service it's guarding. Often, I'll just leave the moment a captcha
appears because I don't want to be bothered. If it's a contact form, I'll use
google to find a direct email address or phone number instead (Yes, I've had
to resort to that approach many times).

~~~
tempestn
Hmm ya, I could certainly see a positive feedback loop developing. Out of
curiosity, do you regularly log into a google account and/or use services like
gmail? I'm guessing not, since presumably that would give it plenty of data.
(Unless you actually are a spammer... ;) ) Also, are you connecting from a
location that Google might see as more likely to produce spam? (I would guess
any non-"western" country to some extent, with Nigeria likely being at the far
end of the scale.)

~~~
kstenerud
I have gmail open most of the time, but it rarely asks me to log in. It's only
when I try to use other services that use recaptcha, or the rare occasions
where I have to relog into google and mistype my password more than once. Last
time that happened it locked me out of my account for 24 hours because I
couldn't solve the captcha (although I could still access gmail on my phone).

------
joelgrus
I always worry that they're getting harder because I'm getting old, so it's
comforting that an arms race against bots is the real cause! :)

~~~
drglitch
I literally had the same thought after I unsuccessfully tried to get through a
captcha for 10 minutes.

It was for a contact form on a vendor's website. Ended up going with another
vendor who had identical product

~~~
hippich
would you wait instead of entering captcha with hashcash.io widget? Widget
like that - [https://hashcash.io/auth](https://hashcash.io/auth) (notice
unlock switch)

~~~
drglitch
absolutely not -- at least not on every login into a service.

the on/off metaphor is not clear either - at least make the "login" button be
not enabled until the switch is moved

Its sitting on the login form for at least a minute now, filling up the switch
background btw

------
vinc
We need a browser extension to help us solve captchas with OCR. This is indeed
ridiculous.

~~~
slig
I thought about this as well. I went and registered instacaptcha.com but I
never managed to do it and the domain expired.

Seems to be doable. The user pays 1 usd/month and gets 100 credits. The
extension author can outsource the solving to
[http://antigate.com/](http://antigate.com/) and get the answer in 15 seconds.

------
nikanj
I think it's time to move to the ultimate captcha: "Is this post spam?"

Then we just hope that the spammers create a perfect solver again :)

------
aluhut
I realised an intersting thing there. I also get those complex captaches using
firefox. But I also have an Opera12.17 running. With this one my captchas for
the same page are ridiculousy easy. Sometimes it's just an house number. One
item. I never had one even close to what I get on FF.

~~~
wmf
I think it depends on a cookie. Once you correctly solve a dozen or so hard
captchas they'll give you easy ones from then on.

~~~
aluhut
That would be the logical thing to do. Unfortunately I rarely use Opera. I
can't remember solving more then 5 captchas with it. I use FF most of the time
with hunderts of solved captchas there. (FF Private Mode did not help either)

------
andmarios
I have this fear that skynet originally started as a captcha solver algorithm.
:p

------
Houshalter
A paper came out awhile ago showing that neural networks are extremely
vulnerable to adversarial examples [1]. They showed even slight perturbations
of an image generated with their method could cause NNs to misclassify it, but
appear no different at all to a human. I am interested if methods like this
could be used to extend the life of CAPTCHA a bit longer, even as computers
are starting to beat even humans at object recognition tasks.

[http://cs.nyu.edu/~zaremba/docs/understanding.pdf](http://cs.nyu.edu/~zaremba/docs/understanding.pdf)

~~~
sjtrny
I think you have made a good point and possible solution here. But I am keen
to see if researchers can quickly address this issue with NNs. Someone might
find an easy fix to this problem.

------
yaroslavvb
We found that neural networks can solve CAPTCHAS much better than humans,
99.8% on the "hard" ReCAPTCHA instances:
[http://arxiv.org/pdf/1312.6082.pdf](http://arxiv.org/pdf/1312.6082.pdf)

This is why visual recognition is just one of the signals you need to use to
tell humans and computers apart
[http://googleonlinesecurity.blogspot.com/2014/04/street-
view...](http://googleonlinesecurity.blogspot.com/2014/04/street-view-and-
recaptcha-technology.html)

------
Fice
Dear website owners, please, do not use reCaptcha. As was noted in other
comments, Google discriminates against the users who try to protect their
privacy by showing them nearly unsolvable variant. For instance, I see the
hard version all the time since I started to use Privacy Badger for Firefox.
It is also not impossible that they discriminate by user-agent.

And generally it is a very bad idea to choose the most popular service among
the alternatives, as by doing so you are contributing to the centralization
and monopolization of the Internet.

~~~
skj
It's almost like, if they already know you're not a bot, they don't have to
try very hard to re-prove it, or something.

Think of it in a Bayesian sense.

If 10% of anonymous users end up being bots (the prior), and the "hard"
recaptcha has a 1% false-negative (incorrectly identifying someone as a human)
rate, then of the anonymous users who succeed in getting past the recaptcha,
.1% will be bots (the posterior).

But if 1% of sign-in users are bots (probably less than that), you only need a
recaptcha with a 10% false-negative rate to achieve the same bot throughput
limit. And, those users are less frustrated.

~~~
jobigoud
While Google is worried by the false negative, we as users measure frustration
with the false positive (failures to identify an actual human) rate. Ideally
they would find a system where both rates are independent or where false
positive are rare.

~~~
skj
Ideally, yes.

------
paulmd
[https://www.youtube.com/watch?v=kNdDROtrPcQ&feature=kp](https://www.youtube.com/watch?v=kNdDROtrPcQ&feature=kp)

Pretty neatly conveys the feelings on this topic.

------
asaegyn
It took me about 30 min and >15 captcha's before I could register for this
site. The audio didn't help either...

They __are __getting ridiculous.

------
ademsha
[shameless blog post promo ahead]

One simple way for minimizing junk going through automated submits. Idea
without using recaptcha at all: [http://ademsha.com/notes/simple-proposal-to-
stop-spam-going-...](http://ademsha.com/notes/simple-proposal-to-stop-spam-
going-through-web-forms/)

It works only with JS enabled and uses randomization in order to stop bots
learning how to avoid it.

------
Tarang
I have to type this awful thing every time I log into Envato and I can never
get it right. It's so frustrating. Envato refuse to acknowledge its an issue.

I don't even get the point of it since you can get passed them by just hiring
people off like at [http://antigate.com/](http://antigate.com/) for as little
as 70c per 1000 captchas

------
Aardwolf
If computers get so good at solving captchas, are we also getting better OCR?

Time to switch to next, harder, AI problems as captchas :)

~~~
valarauca1
I hate to be so simple but XKCD said this first

[https://xkcd.com/810/](https://xkcd.com/810/)

------
pbhjpbhj
Recent discussion,
[https://news.ycombinator.com/item?id=7419667](https://news.ycombinator.com/item?id=7419667)
(there are others)

Also a couple of examples [http://alicious.com/hard-recaptcha-
huh/](http://alicious.com/hard-recaptcha-huh/).

------
wmf
Since 2012 there have been some changes that make it easier under "normal"
conditions:
[http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-j...](http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-
just-got-easier-but-only-if.html)

------
tempestn
Is it not obvious in the first case that "secretary" is the unknown word?
Clearly ocr wasn't able to read it due to the fading. Likewise, the cut off
words spanning two lines in the later versions are obviously the unknown
words. The author states right at the beginning that he understands there is a
control and an unknown word; he then proceeds to "hope" that the obvious
unknown word is the control in the first case, then skip numerous captchas
where the control word is straightforward and the illegible word is obviously
the unknown. This certainly sounds like willful ignorance for the sake of a
blog post.

Also, '“Onightsl”? “Onighisl”? Are those even words?' No, my understanding is
that dictionary words are never used as the control, so as not to be
vulnerable to dictionary attacks.

Edit: I'm not suggesting that these captchas are in any way good; they do
clearly have issues. I'm just saying that storyline in the blog post seems
contrived. To me it would be more convincing if presented in a more genuine
manner. However, perhaps he was simply very unlucky.

~~~
arrrg
What a concise description of why captchas as they exist today are just awful
and we have to come up with a better solution!

There you are, talking on and on and on about some tiny unimportant but
extremely specific implementation detail no one should ever have to care
about. People shouldn’t have to read a manual about the inner workings of this
captcha implementation (and have some experience with what types of text
computer vision is good and bad at recognising!) to have any chance solving
it.

In this case the author clearly had no idea how that control/unknown system
works in detail (it seems like they, just like me, only know that you do not
have to recognise both, but they didn’t really understand the reason for that
– nor should they have to) but that doesn’t really matter for their argument
even a tiny bit.

~~~
tempestn
Fair enough. I didn't mean to suggest that these captchas are in any way
_good_. Only that the author does appear to have technical knowledge of how
they work - otherwise they wouldn't use terms like "control word", so it seems
that the difficulty experienced was likely contrived for the purpose of
writing the blog post.

For me at least, the point would have come across better if that (seemingly)
false ignorance were dropped. (Either that, or frame it in terms of, "Here's
what an average user sees when they try to log in," or something along those
lines.)

------
mathattack
I believe that this will eventually become a losing game. Normally there's an
arms race between those creating security and those thwarting it. In this
case, once the recognition schemes are as good as humans, the game is over for
good.

------
Tycho
If only we could invent the verbal equivalent of a trapdoor function. A word
puzzle that would be extremely easy for computers to generate and humans to
solve (since we understand language), but extremely hard for computers to
solve.

~~~
peterwwillis
It's a nice idea, but you have to consider the complexity of the word puzzles
compared to the average human's brain power. Most people are quite dumb. If
there aren't a sufficient number of problems/answers, or they're simple enough
for computers to solve, or they're too complex for a minority of humans to
solve, you're boned.

The whole thing is a technology arm's race. The best solution would be one
where you simply verify fixed private information. We use captchas for
verifying a human being is not a bot, right? And we do that because we assume
the user is anonymous for a short time.

Instead we could simply provide a secured authentication gateway where one
could provide private information that is linked to a human identity. That way
it can't be abused unless they have an unlimited supply of stolen identities.
Even better would be if everyone signed up for a TOTP service provider and
used their token generator and service-account to prove their human-ness
without needing to put in sensitive information. But that's probably too much
work.

~~~
biggerfisch
> Most people are quite dumb.

I know what you're trying to say here, but consider today's xkcd[0] as a
counter-point. I think "most people" are quite capable of solving a lot of
puzzles. This issue is that any puzzle that we can solve in a reasonable
timeframe is often a good target for a computer-generated solution as well.

[0] [http://xkcd.com/1386/](http://xkcd.com/1386/)

~~~
wellactually
The xkcd is only necessarily true when it is the median average that is
considered. However, most people are not necessarily of mean average
intelligence.

------
wingerlang
Off topic slightly, but does people with dyslexia have a hard time with
captchas?

~~~
x0054
I have dyslexia, no problems with captchas though. In fact I found the
examples from OP article to be not all that difficult. Maybe it's because when
I am solving the capture, I just look at one letter at a time, instead of
trying to read and comprehend the word. I found it that in many cases the
control word isn't actually a word at all, just string of characters. I
usually have 80-90% success rate nowadays, used to be 100%, but they are
really getting more and more difficult.

------
me1010
Easy... A stereogram "captcha" ... What's the hidden 3D image? More fun too...
[http://www.brainbashers.com/stereo.asp](http://www.brainbashers.com/stereo.asp)

~~~
aestra
NO!!!!!!!!!!!!!! Please NO! I'm stereoblind but also not a bot.

[http://en.wikipedia.org/wiki/Stereoblindness](http://en.wikipedia.org/wiki/Stereoblindness)

------
Jekyll
[http://www.newscientist.com/article/dn24476-software-
beats-c...](http://www.newscientist.com/article/dn24476-software-beats-
captcha-the-webs-are-you-human-test.html)

------
sebmarion
This is where Facebook comes in handy! Please add your captchas there:
[https://www.facebook.com/IHateCaptchas?fref=ts](https://www.facebook.com/IHateCaptchas?fref=ts)

------
hippich
It is funny how link [1] from my app solving this problem got more upvotes :)

[1]
[https://news.ycombinator.com/item?id=7944540](https://news.ycombinator.com/item?id=7944540)

------
mcv
There are plenty of tricks around Visual Captchas. What you need is a semantic
captcha that's only recognizable as such by a human. Hide a simple question
somewhere in a piece of text.

~~~
lauradhamilton
Who writes the question and answer?

Although...maybe you could outsource the question and answering to Mechanical
Turk. Turn the whole thing on its head. Have a real person write a question to
try to trick the bot into revealing its botness, have the real human grade the
answer.

------
Pinckney
The problem isn't captchas, but users not understanding how to interact with
them. So what if a few are bad? Hammer out best guesses, fast as you can,
until you're successful. It's not as if you're graded on accuracy. There is no
reason to ever resort to the refresh button,

Out of curiosity, I went and opened the demo page
([https://www.google.com/recaptcha/demo/ajax](https://www.google.com/recaptcha/demo/ajax))
in a new incognito window and timed myself. I can do about 8/minute at maybe
90% accuracy.

Captchas are only a problem if you compulsively refresh in hopes of getting
something clear.

~~~
mrjatx
After I've filled out 20 different forms the last thing I want to do is deal
with a completely illegible captcha which might go far as to refresh the
entire page or wipe out what I've entered in certain fields (password, ssn,
etc) each time I get it wrong. That's one way to push me away from signing up
for your service.

~~~
Pinckney
That's not really a problem with recaptcha so much as the integration with the
rest of the site.

~~~
hueving
Well then you obviously understand some websites have problems with this, so
why would a user risk losing all of their filled out data?

------
adestefan
I've recently seen a bunch of them with just one number. Just a single 7 or 4
on a white background and nothing else. Kind of scratch my head at those ones.

~~~
scandinavian
Do you mean the house numbers/street signs? Like these:
[http://i.imgur.com/yD1FrlH.jpg](http://i.imgur.com/yD1FrlH.jpg)

If it's those, I guess google uses recaptcha to get data for streetview.

~~~
adestefan
I've seen that, but I've also seen plain black numbers on white that look like
they're right out of MS Word. Got me.

------
bryan_rasmussen
hmm, I have to say I haven't had a recaptcha that bad yet, but I have had some
bad ones.... But uh... on the first bad recaptcha when trying to guess their
password they thought - this recaptcha is ridiculous I will try to solve it of
course but just right now I am also going to screenshot it because this is
naturally the first thing I think to do!

------
opendais
I agree that those captchas are obscenely bad. :)

I think we really, really need a replacement solution for them that works as
reliably vs. bots.

~~~
ChuckMcM
So at what point do we 'switch over' which is to say that the Captcha code
realizes that if you _solve_ it your a robot/script because humans can't ?

~~~
opendais
The API stuff that solves these captchas is really akin to Amazon's Mechanical
Turk and outsourced to places like India.

[http://antigate.com/](http://antigate.com/)

Scroll to the bottom.

------
mmagin
I experienced animated GIF captchas with Yahoo's login process. Not sure if
that was better or worse than reCaptcha.

~~~
pornel
I don't get why they're doing this. Animation _adds information_ and makes
CAPTCHA easier to break!

Attacker can choose the frame that's easiest to attack and they can segment
better with help of motion vectors and differences between frames.

------
hammock
It's difficult, but I was able to read all of those captchas (the wavy ones).
Maybe it's a special skill?

------
kkhire
If i am relaxing back and have to enter a difficult captcha to watch a movie,
I am not watching that movie.

------
talles
This made me remember: I once saw a website with a moving captcha.

Can't remember where I saw. Anyone knows?

~~~
callahad
Comcast does that on their password reset pages. E.g., go to
[https://login.comcast.net/myaccount/reset](https://login.comcast.net/myaccount/reset),
type in "foo", and click "Next."

Edit: From checking the source, it looks like they're using NuCaptcha
([http://www.nucaptcha.com/](http://www.nucaptcha.com/)). Looks like O2,
Groupon, and StumbleUpon are also NuCaptcha customers. You can see examples on
this page: [http://nucaptcha.com/features/security-
features](http://nucaptcha.com/features/security-features)

~~~
ashmud
There is a blog post about defeating NuCaptcha here:
[http://www.elie.im/blog/security/how-we-broke-the-
nucaptcha-...](http://www.elie.im/blog/security/how-we-broke-the-nucaptcha-
video-scheme-and-what-we-propose-to-fix-it/)

------
vegancap
I had one read 'drink issue' once... Wasn't sure if normal capture or advice.

------
pertinhower
Shoulda stopped at number 5: "and khseeke" seemed pretty clear to me.

But point taken.

------
atoponce
I've said it before, I'll say it again: hashcash.

------
progx
Alternatives exists, but the usage is low.

A simple solution is google Authenticator (or similar systems).

The only problem is a system for all kind of users and equipment.

