
Ask HN: Are some signup CAPTCHAs becoming a bit ridiculous (yes you HN)? - bitmilitia
My friend showed me this after trying to sign up for HN. There's now a CAPTCHA when you sign up which is more than difficult to answer... mostly because the text is so difficult to read it doesn't look like English.
Not sure if the intent is trying to stop bots or trying to stop anyone who doesn’t want to spend 10 guessing characters.
Oh, and think the text CAPTCHA is hard… listen to the audio puzzle (get your pen and paper ready).
======
krapp
It seems to me that any captcha worth breaking is already "broken", given the
existence of captcha farms - and I put broken in quotes because _technically_,
with captcha farms, the captcha is working as designed, you're just paying
human beings to break them. The assumption, of course, that there is
necessarily a difference between a "spambot" and a "human being" is not as
true as it used to be.

Even so, the constant war of escalation between captchas and anti-captcha
measures should eventually lead to the necessity to create a captcha which is
impossible for most humans to decipher, once the capability of software to
decipher them passes baseline human ability. At that point, just being able to
solve the captcha would more or less prove you're probably not a human being.
So the basic model of "text a human can read but a computer can't" is probably
obsolete, and only still works due to the inertia of programmer laziness, and
the fact that breaking captchas probably doesn't have a ROI worth the trouble
for most sites.

Constructing more subtle captchas presents its own problems, in that they can
make cultural assumptions about the user. If you're also using the captcha as
a community filter, this may be a feature though (for instance - having a site
about anime set up a quiz about anime as a captcha, or having users solve
complex programming puzzles.) Even so, any process which a human can perform
through rote UI can be automated, so even those tests will fail. Most captchas
are poorly designed and leak their solutions one way or another anyway. I've
even seen a few posted here which seem to add their solutions in plaintext to
the form as a hidden field or something.

I haven't got a clue what Recaptcha can be replaced with once it's thoroughly
useless, but I've come to believe that captchas are one of those things it's
impossible to do correctly, just adequately most of the time.

~~~
shubhamjain
This is like saying we should stop locking our doors because every door can be
broken by a locksmith anyway. The purpose of captcha is not to break any
attempts of automation but only to make it harder. Considering that
automating a script to break captcha with human intelligence / automation is
not trivial by any means, I think they serve their purpose.

~~~
Xenmen
The issue is that, given a little more time, we'll see a "one-size-fits-all"
captcha breaker, one that needs little to no modification to break the captcha
on new sites.

------
dang
The captcha on HN is temporary. We put it up to mitigate an attack while
implementing a longer-term solution. Sorry for the inconvenience.

If we ask nicely, perhaps kogir will show up to say more.

~~~
jcr
There's a much better solution than a CAPTCHA, but when SN/HN was started, it
wasn't as simple or easy to do. The answer is to simply require a tiny
donation like one to five dollars to a charity (like Watsi) or non-profit
organization (like the EFF).

YC now has (at least) two payment processors who could handle the
transactions, either in real currency (Stripe.com) or virtual currency
(Coinbase.com):

[http://stripe.com](http://stripe.com)

[http://coinbase.com](http://coinbase.com)

The payment processors will always have upstream fees that need to be paid,
but if they're feeling generous, they could waive their profits on the
donations.

If for some reason a person objects to donating to the EFF, then just give
them a choice of charities, including the YC funded Watsi.org:

[http://ycombinator.com/watsi.html](http://ycombinator.com/watsi.html)

[https://watsi.org/](https://watsi.org/)

The altruism would also be good promotion for YC, Stripe, CoinBase, Watsi, and
whoever else is involved.

If you want to give a break to the starving university students, then let them
bypass the donation requirement with an *.edu email address.

To keep everything fair between new and old users, the tiny donation could be
an annual requirement. I sincerely doubt the kinds of hackers who want to
contribute to technical discussions will have any problem with making a small
contribution to one of many known-good charities.

~~~
tptacek
I like this idea a lot, but it won't work in practice without killing off
serendipitous contributions from people associated with stories here that
happen to find out about HN and join just to answer questions. That happens a
lot, and it'd be a shame if we killed it off.

~~~
jcr
That's a huge and important point. We all love to see the contributions from
the people associated with the stories (well, I should only speak for myself,
but it's seriously one of the best parts of HN).

Using an eventual required donation in conjunction with an initially usable
account (e.g. allowing "X" days/comments/submissions before requiring a
donation) might be able to compensate, but it would not solve the underlying
CAPTCHA, drive-by trolling, or spam problems.

It seems safe to assume the increased friction of requiring a tiny $1-5
donation (micro-payment) to a good cause will reduce the desired and
beneficial contributions from people associated with a submission.

The tough question is, "By how much?"

It would be difficult to measure when associated people show up to add their
contributions to relevant submissions. It would take just about all of the
data on HN, and some very elegant code. The results would still be imperfect,
but the results might still be useful. Even if actual measuring proves to be
too difficult, a rough guess (opinion) of better/worse for before/after could
still be useful. (Heck, removing per-comment karma scores "worked" to reduce
hostility/competition even though we don't have any solid measurement data to
prove it)

And the tougher question is, "Are we sure?"

Contentious comments (dumb/mean) have always been a problem in open discussion
systems, and similar is true for abusive manipulation (spam, ring-vote,
ring-flag, etc.). Having a gate of an act of altruism _could_ also both assure
intent/interest and improve quality enough to actively encourage associated
people to consider commenting to be even more worthwhile than it currently is.

In other words, there's also a second less obvious safe assumption; we're far
more inclined to join a good discussion on a topic of interest than a bad
discussion on the same topic.

Without testing, we just won't know if the added friction of a required
donation would be overall harmful, or overall helpful, or roughly even. Prior
to Stripe/CoinBase/Watsi/... the idea of requiring a tiny donation just wasn't
feasible, but now, it might be an experiment worth running.

But the toughest question is, "How much will it hurt to try?"

If it really did kill off contributions from associated people, then it would
certainly need to stop, but other than the possible temporary reduction of
associated contributions (which could be reversed), I'm unable to see any
other real or lasting harm. Even if requiring a tiny donation turned out to be
a totally failed experiment in forum design, it would still do some good in
the world.

You might be totally right and it might fail in practice, but until we run the
minor risks of actually testing it, we'll never really know.

------
Vanit
Okay, you win HN, I created an account because the anti-captcha crowd is
missing the point.

There's a current bug in Recaptcha.

IPs that successfully solve too many captchas get given progressively more
difficult challenges, which is fine, but currently Recaptcha is using the IP
of the web servers, not the client. This means that the difficulty ramps up
for all users quite quickly. It seems the iframe Recaptcha is permanently
affected; if you use AJAX it's fine after the first reload (I wrote a simple JS
hack that makes it reload the first time, see www.mPoll.me).

Only noticed it because I was previously proxying Recaptcha through the server
and it ran its successful solutions up too high, so when the new bug came in
it was immediately obvious what had happened when the first challenge is
"wthdyjikhgfyijv" and on reload it's "fluffy bunny 18".

On my website I'm currently overwriting the Recaptcha callbacks to allow
multiple captchas, just put in a simple check to reload it the first time:

    
    
        // Tracks whether the first challenge has already been discarded,
        // so the reload happens exactly once per page load.
        var reloaded = false;

        function reloadCaptcha(challenge) {
            // Clear the answer box and point the image and hidden field at
            // the new challenge id.
            $(':input[name=recaptcha_response_field]').val('');
            $('img.recaptcha').attr('src', '//www.google.com/recaptcha/api/image?c=' + challenge);
            $(':input.recaptcha').val(challenge);

            // Throw away the first (hardest) challenge and ask for a fresh one.
            if (!reloaded) {
                reloaded = true;
                Recaptcha.reload();
            }
        }

        // Override the library callbacks so both the initial challenge and
        // every reload go through reloadCaptcha().
        Recaptcha.finish_reload = function(challenge, b, c) {
            reloadCaptcha(challenge);
        };

        Recaptcha.challenge_callback = function() {
            reloadCaptcha(RecaptchaState.challenge);
        };

        // recaptchaKey is the site's public key, defined elsewhere on the page.
        Recaptcha.create(recaptchaKey);

------
codemonkeyism
For a throwaway account recently it took me >20 tries to register an HN
account.

~~~
asdfasdf23sdd
Did it on my second try -- I, personally, don't think it's so bad. I thought
it was a bit crazy when I first looked at it but if you look hard enough, you
can make the letters out. I am not sure what the idea is behind the "challenge
text" though.

------
KhalPanda
Most CAPTCHAs nowadays I find unnecessarily complex. Use tricks like timing
form completion (<50ms? Bot), hidden fields, etc., before ruining the UX with
CAPTCHA.

Then again... does HN really care about UX? Token expiration after x time when
browsing through the listings, ancient unresponsive design, etc.

There comes a point where it'll be more cost effective for spammers to just
farm out the solving of CAPTCHAs to people in third-world countries. It just
depends if there is enough value in spamming HN for them to bother (probably
not, given the user-curated-and-rated content model).

~~~
jaredmcateer
Timing form completion also rejects legitimate users that have form filling
extensions (e.g., LastPass, 1Password, Roboform, etc.). In my experience hidden
form fields were only marginally effective; a lot of bots run headless
browsers capable of detecting if a field has been hidden by JS/CSS.

~~~
timr
Between a simple captcha and a CSRF token, I've found that nearly all spambots
are defeated. Hidden form fields don't do much, since bots are almost never
paying attention to anything other than the DOM.

What can work well -- if you're willing to give up on fallback for non-JS
users -- is inserting a required form element into the page with JS on submit.

------
cottonseed
The Facebook account delete CAPTCHA was literally impossible. I had to give up
and use the audio option. Every step of the process made me happier I was
doing it.

~~~
DanBC
Here is the best (most readable) Facebook captcha I had.

[http://imgur.com/P7nln3d](http://imgur.com/P7nln3d)

------
carsongross
I don't know what the research says about their effectiveness (hard to find
through all the stuff on google) but I've liked the slider-based captchas I've
seen:

[http://www.3dcaptcha.net/](http://www.3dcaptcha.net/)

Seems promising given that human visual processing and pattern recognition are
lightning fast, and the slider is intuitive and kinda fun.

Anyone know how effective they are at stopping bots?

~~~
simcop2387
If you can end up getting a polygon list from it I'd think it wouldn't be very
effective at all. It looks like it decomposes the triangles onto multiple
planes so that they only line up when rotated one way, but you can calculate
that rotation based on the rotation of the planes that the polygons are on.
Even if they correct that, you'd still likely be able to find whatever image
has the lowest amount of white pixels (or whatever the background is) and
probably do a reasonable job at least with the example on the page.

------
jbb555
There have been several websites recently where I've given up because after 10
attempts or so I still can't get the CAPTCHA right.

~~~
qguv
Perhaps you're not human after all…?

~~~
danielweber
HN gave me this image just now:

[https://www.google.com/recaptcha/api/image?c=03AHJ_Vutw8XwYq...](https://www.google.com/recaptcha/api/image?c=03AHJ_Vutw8XwYqiyhWsv8G5nYgad0R0mGi9ZTyQmbJpoSzJv0tJwspYPGVVYjzwMlOKL37wzUw3SSlUKrhIO0hvmYNmY7iIaaWQyCEXprzNGYFDvpbJiu3JW6-L0p4xXRO6wUUG-LiyxuJ1YwqFSTZadbTasR8zpVkkTLmNNZR9-EUdARTyHwk84biJh6RQSWNG5cAAiMiT75SuHh45bc3v7zsQWkFWa9kQ)

------
larrys
I sometimes think that people don't really give much thought to some of the
things that they do where they simply copy what others do.

My own personal pet peeve is people, on HN, who obscure their gmail address so
that it can't be slurped by bots.

I mean why not just use a dedicated gmail account, just for HN, rather than
"use my hn handle at that email service that everyone else uses generally".
The dedicated account has spam protection and you can forward mail to your
primary account as a filter if you want.

I have a couple of web forms with no spam protection at all. The amount of
bots that I get isn't so great that I need to trouble people to figure out a
captcha. Much less a really difficult one.

~~~
bradleysmith
>why not just use a dedicated gmail account, just for HN, rather than "use my
hn handle at that email service that everyone else uses generally". The
dedicated account has spam protection and you can forward mail to your primary
account as a filter if you want.

Because starting, configuring, and checking ANOTHER gmail address takes more
time and effort than obscuring my current dev-related email address to be
human parse-able only. Seems like a strange thing to have a pet-peeve about,
as it could only barely affect your ability to get in touch with these people.
Unless, you've been trying to slurp email addresses from HN profiles... I
could see it being bothersome in that case.

~~~
larrys
"and checking ANOTHER gmail address"

If you forward it, it's not another account to check though. Sure, you have to
set it up.

Also, obscuring it doesn't prevent someone who has written to you having a
situation where your email ends up in the wrong hands (for sure you've
received, if you don't have spam protection, those emails where someone who
has emailed you has had some virus which gets all their email contacts,
right?)

If you set up a dedicated gmail you can periodically change that as well
("refresh"); using your own email you can't do that.

To be sure though the pet peeve is really more just thinking that people are
being overly hygienic about protecting their email address I guess. You are
right that it's not a huge burden on someone who is sending you an email.

When I used to post my gmail account to my HN profile gmail caught all the
spam it wasn't a problem (maybe this was for a year or year and a half that it
was in the profile..)

~~~
bradleysmith
I'll concede, I'm a little under-protected when it comes to spam in my email,
and sectioning my usage out to different emails would probably be a very big
improvement upon that.

Still, this ought to be more a pet-peeve for myself. I can't see how obscuring my
email would bother you, except perhaps in the line of thought that you think
it does NOTHING to avoid spam, and I am just wasting a tiny amount of
everyone's time by having them parse it while not benefiting personally. I
figured if there was ever a profile a geek would write a scraper for, HN would
probably be it. It was a single line of defense I saw others use, and adopted.

Appreciate the conversation. The mostly undiscussed behavior of email format
preference in HN profiles is something that has always strangely held my
attention; I consider myself a geek for micro-behaviors in this and most any
community though.

------
andyhmltn
Just today I found this:

[https://www.sublimetext.com/forum](https://www.sublimetext.com/forum)

Incredibly frustrating. A CAPTCHA that requires you to email for the code.

------
kogir
We're just using the standard reCAPTCHA
([https://www.google.com/recaptcha/intro/index.html](https://www.google.com/recaptcha/intro/index.html)).
Maybe they're harder because I don't trust third party javascript and use the
iframe version instead?

It sucks, and will shortly go away for most users. When previously our code
would refuse or tell you to try again in a few hours, the captcha will be
required instead.

------
jasonlotito
> Not sure if the intent is trying to stop bots

CAPTCHA does not stop bots. Captcha solving can, at the very least, be
automated away. CAPTCHAs do not work.

~~~
ryanburk
Google security did a nice blog post supporting the statement that CAPTCHAs
aren't as effective as they used to be:

[http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-j...](http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-just-got-easier-but-only-if.html)

------
thewarrior
Some random ideas which I know are not perfect, just putting them out here:

Taking an image and turning it into a jigsaw puzzle.

Using a proof of work scheme similar to bitcoin.

Do a google image search for, say, fish. Take 5 of those images and put them on
one side; put two on the other alongside images of 10 other random objects. Ask
the user to pick the two on the right similar to the ones on the left.

------
Matheo05
Try the audio version, it's even worse!

------
fredsted
May I suggest an alternative: paying a small fee to avoid/replace captchas
(say $1-10, or higher than the captcha farms pay...)

Also it seems like HN is using the older recaptcha (without numeric signs), I
didn't know you could choose your recaptcha "version" though.

~~~
Glyptodon
You may if you feel like paying every person on earth $500 a month to cover
their captcha fees. Unless your goal happens to be excluding most of the world
from Internet services and random web forums.

~~~
fredsted
I don't know where you got that number from, that's extreme. This is a
one-time fee we're talking about here. Also, why should I pay anybody? Strange
reply.

~~~
maxbrown
I think it was a strange way of saying that $1-10 may not be cost-prohibitive
to financially-comfortable residents of 1st world countries, but could
certainly be cost-prohibitive to users with less financial resources or from
3rd world countries. Such a fee could be a serious deterrent on a free and
open internet with diverse participants.

------
ing33k
HN uses reCAPTCHA; it can be a bit frustrating sometimes, but it's a one-time
thing to get in.

~~~
karangoeluw
I tried to solve the HN captcha. It's almost impossible and you have to get
_really_ lucky that you get an easy image. The audio alternative is pretty
messed up too.

~~~
codesuela
Are you using TOR or any other IP masking solution? The more reCaptchas get
solved or requested by a particular IP the harder they become, so if you are
behind an IP that has been used for solving/requesting a lot of reCaptchas it
is close to impossible to get a readable one (took me about 80 tries till I
got one right when I used TOR). I don't know what exactly determines this
difficulty but it is definitely there and Google talks about it here:
[http://googleonlinesecurity.blogspot.de/2013/10/recaptcha-ju...](http://googleonlinesecurity.blogspot.de/2013/10/recaptcha-just-got-easier-but-only-if.html)

------
xacaxulu
If you like the image, just wait until you try the audio! Even more fun.

------
unwind
Is the actual link missing? Not sure where I'm supposed to look, anyway.

~~~
ozh
[https://news.ycombinator.com/logout](https://news.ycombinator.com/logout)
then
[https://news.ycombinator.com/newslogin](https://news.ycombinator.com/newslogin)
I guess

------
jcfrei
IMHO visual/audio recognition based CAPTCHAs are a dead end.

