

Possibly the worst CAPTCHA ever. - chrissnell
http://www.epcounty.com/publicrecords/officialpublicrecords/OfficialPublicRecordSearch.aspx

======
gilast
Not nearly the worst.

The worst I've seen was one where the captcha was injected into the HTML, then
scrambled with CSS and some scripting so that it would be difficult for a
human to type it.

I think it was for a bank.

~~~
bichiliad
I believe Sony did that as well. I remember it surfacing after that major
personal info breach a while ago.

------
egmracer01
Nope. Here are the worst captchas:
[http://www.johnmwillis.com/other/top-10-worst-captchas/](http://www.johnmwillis.com/other/top-10-worst-captchas/)

------
etrautmann
This is actually one of the more useable captchas I've seen recently...

~~~
nwh
Trivial to solve with OCR though, which sort of defeats the purpose entirely.
I'm fairly certain the letters would just be in plaintext in the SWF anyway,
so it's probably breakable for a malicious person at no cost. Hard for the
user, easy for criminals, smells like DRM to me.

------
Eleopteryx
CAPTCHA is bad. It serves a purpose, but it serves it so completely and
resolutely that it does a disservice to user-friendliness. I feel like this
example is the logical evolution of the concept. That is to say, it is
abhorrent, but almost un-remarkably so. I'm also on the website for a local
government, so that probably adds to why this doesn't faze me.

And to be honest, it was still easier to process than some of the recaptcha
I've come across.

(I'll just conveniently ignore the fact that it's made in Flash.)

------
Abraln
Worst I have seen is for U-play "forgot my password". For months it has said
to do 2 side by side captchas, but only one image appears, but with two entry
boxes. Their official response is to do it through their forums, which only
requires 1.

------
nextweek2
Why are we still doing this?

OpenID is the answer to this problem. Let the likes of
Google/Facebook/Yahoo/Symantec worry about this problem.

~~~
airjrdn
Many people don't want the Google and Facebook overlords holding the keys to
our kingdoms. If logging in via FB/Google is my only option, I simply find
another site/app. It's that simple.

~~~
nextweek2
Don't do that, you are spreading FUD about OpenID. OpenID isn't a Google or
Facebook choice. It's many more and under your control, your choice. It's
statements like that that make people think an open identity platform isn't
worth implementing.

We need to stop giving emails and passwords out to 200+ sites and wondering
why we get spam and regular password resets.

~~~
voidr
> Don't do that, you are spreading FUD about OpenID. OpenID isn't a Google or
> Facebook choice. It's many more and under your control, your choice. It's
> statements like that that make people think an open identity platform isn't
> worth implementing.

In September 2013, Janrain announced that MyOpenID.com would be shut down on
February 1, 2014; a pie chart showed Facebook and Google dominate the social
login space as of Q2 2013.[67] Facebook has since left OpenID; it is no longer
a sponsor, represented on the board, or permitting OpenID logins.[15][68]

source:
[http://en.wikipedia.org/wiki/OpenID](http://en.wikipedia.org/wiki/OpenID)

Generally everyone moved away from OpenID in favour of OAuth and even when
they were implementing it most big companies were just OpenID providers,
thereby totally defeating the openness part.

Based on the above, I could safely say, it's not worth implementing OpenID.

I would suggest doing research on the topic before making bold statements like
this.

> We need to stop giving emails and passwords out to 200+ sites and wondering
> why we get spam and regular password resets.

Sure, let's just use Facebook and Google logins everywhere, I'm sure nothing
bad could come of it aside from the NSA getting full access to EVERYTHING that
we use then.

If you are bothered by spam and the likes, just register yourself a throwaway
email account.

------
jtokoph
Is it Flash? Because I can't see anything on mobile.

~~~
Kronopath
Yes it is. It's a Flash animation with a whole bunch of letters falling
downwards, 3-5 of them green and one of them purple or blue, with some flashy
stars in the background, and it asks you to type only the green letters.

And if you hit the button to get a new CAPTCHA, the old letters vanish with a
sparkly effect before the new ones fall down.

------
mjcohen
I don't think that that is so bad. At least they don't show "GREEN" in blue.

------
ethana
The worst would be those that make you watch an ad video then type in the ad
words.

~~~
alex_duf
Does this really exist?

~~~
zbowling
Yes. During the campaign, a few sites had those video ads and I had to watch
the Meg Whitman video and then type in "GoMegWhitman2010". I did not.

------
atoponce
Hashcash.

/me keeps up the good fight.

~~~
ixwt
Hashcash just hurts people with older computers. If spammers wanted to get
around Hashcash, a decent sized rig will blow through them. Hell, it would be
easier than OCR.

~~~
atoponce
This doesn't hold up for a number of reasons.

First, the client should be actively and asynchronously working on the puzzle
when the page loads, so when the submit button is pressed, the puzzle is
solved, and ready to be submitted to the server. Asynchronous JavaScript has
already been solved. Even for a Raspberry Pi, a 16-byte Hashcash puzzle can
likely be solved before the user has finished typing in the form.

Second, the point of Hashcash is to stop spammers from mass POST attempts.
Form spammers rely on bots, without JavaScript, to mass POST to forms,
millions of times per day. As soon as JavaScript is required, this immediately
stops 90% of the bots in use, right now. Of course, they'll adapt, with
JavaScript VM bots if Hashcash is the norm, which then ties up the client
solving the puzzle. The longer the client is tied up, the less it can spam in
a given amount of time. It _drastically_ slows down the amount of comments a
spammer or zombie network can perform. As computing gets more powerful, the
Hashcash minting size can be increased, to continue tying up the bots.
"Blowing through them" couldn't be a bigger exaggeration and further from the
truth.

Third, properly implemented Hashcash is designed to prevent double spending.
So, once the token is spent, it cannot be spent again. Even better
implementations will not allow tokens that have not been minted within a
certain timeframe, such as 24 hours. The Hashcash specification has the
timestamp as part of the token. This discourages mining the tokens early, for
spending later.

Lastly, captchas have been shown to be entirely ineffective against bots. Do a
search for beating captchas, and you'll see the sad state of affairs. Captchas
are getting harder for humans to interpret, because bots are getting better at
OCR, and defeating them, with increasing reliability. In every instance I've
deployed Hashcash into a web form, I have yet to see spam come through. In one
site, as of the time of this writing, Hashcash is solely responsible for
blocking 670,624 spam POST attempts in a 10 year run.

The big drawback is forcing JavaScript to be enabled in order to POST to a
form. From what I've seen on the virtual web hosts I administer, it seems to
be about 10% of the web traffic has JavaScript disabled, on average. This
might be acceptable, and it might not.
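
An added example, not part of the thread and not any commenter's code: the server-side checks described in the comment above (proof of work, a 24-hour freshness window, and double-spend rejection), in Python. The stamp layout is a simplified stand-in for the real Hashcash format, and the function names, the 16-bit difficulty and the resource string are assumptions.

```python
import hashlib
import secrets

BITS = 16            # assumed difficulty: required leading zero bits
MAX_AGE = 24 * 3600  # freshness window mentioned in the comment (24 hours)
SKEW = 300           # assumed tolerance for client clocks running ahead


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, now: int, bits: int = BITS) -> str:
    """Client side: try counters until the stamp's SHA-1 has enough zero bits."""
    salt = secrets.token_hex(8)  # keeps two clients from minting the same stamp
    counter = 0
    while True:
        # Simplified layout: version:bits:epoch:resource:salt:counter
        stamp = f"1:{bits}:{now}:{resource}:{salt}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class Verifier:
    """Server side: checks target, freshness, work and single use."""

    def __init__(self, resource: str, bits: int = BITS):
        self.resource = resource  # must not contain ':' in this layout
        self.bits = bits
        self.spent = {}  # stamp -> mint time, kept until the stamp expires

    def check(self, stamp: str, now: int) -> str:
        parts = stamp.split(":")
        if len(parts) != 6 or parts[0] != "1" or not parts[2].isdecimal():
            return "malformed"
        if parts[1] != str(self.bits) or parts[3] != self.resource:
            return "wrong-target"
        minted = int(parts[2])
        if not (now - MAX_AGE <= minted <= now + SKEW):
            return "stale"  # discourages minting early to spend later
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < self.bits:
            return "no-work"
        if stamp in self.spent:
            return "double-spend"
        # Expired stamps already fail the freshness check, so drop them here.
        self.spent = {s: t for s, t in self.spent.items() if t >= now - MAX_AGE}
        self.spent[stamp] = minted
        return "ok"
```

Because stale stamps are rejected before the spent-set lookup, the server only has to remember stamps for one freshness window rather than forever.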

