I think that is higher than what I get when I do it myself.
Which is kind of horrible, since it means that you might not be given an obvious opportunity to change your score if you fail.
That's got to be a joke, since I have to pass the challenge like 99% of the time, not exaggerating. Of course, I have my browser configured in a privacy conscious way, so...
But stop making me click the friggin’ stop lights every time I log in to my own account.
> stop bots from submitting fake data to sign up forms
I don't think there's an universal solution here. it depends on the application itself and why you consider fake signups an issue in the first place.
add an email-reset for the limit so users can't be locked out of their accounts by a DoS.
To stop fake signups, require confirming the email address and only allow some number of signups per IP per day. It's not perfect but neither are CAPTCHAs and either way you can probably stop most spam, if it's even a problem for you.
I imagine using a standard text field and then hiding it using css probably works much better than setting a type=“hidden” field. I also usually use something like name=“phone” and then just naming the actual phone field something else, if needed.
Generating simple math question/answer can work well enough to keep out non-targeted traffic (someone not targeting a bot tailored to your site).
If you want to hinder determined (but inept) adversary, impose reverse time limit: make your captcha a bit complex and deny answers, that arrive too fast. Legit users will spend a bit of time to solve captcha. Machine-learning-driven bots will blaze it. In addition to measuring speed of filling captchas you can measure amount of user time spent on other actions on your site — in process making your bot detector increasingly similar to Google's reCAPTCHA.
In general look for behaviors, distinguishing legitimate users from malicious. Hint: having Google account might or might not indicate a legitimate user, but it is probably more efficient to ask users for it directly than in roundabout way by using reCAPTCHA.
Also on Firefox mobile, not only do i get the challenge, but I get multiple challenges.
It also learns about typical usage on that page, it trains about usage patterns, mouse movements etc.
We find it very effective in eliminating bot spam.
 https://imgur.com/9wT9yZ2 [ignore font/layout issues in that image - my usercss and fontconfig/freetype font rendering settings are very unusual, complex, and often very disruptive]
 https://support.google.com/recaptcha/?hl=en#6223828 "We support the two most recent major versions of the following: [Desktop: Chrome, Firefox, Safari, Edge]"
And if I pass your captcha, can you not cookie me with a signed token indicating that I already proved I was human for 30 days? It's like these lazy people can't handle bot login spam, so they just throw recaptcha on their login form and call it a day.
If your login form requires paying customers to fill in recaptcha each time, you're doing it wrong. Please stop. Or go out of business faster.
I've even gotten caught in a reCAPTCHA loop where I successfully complete the capctha only to have to redo it again as soon as the page reloads.
There are large sets of stolen credit card numbers. Most of them are disabled. Crime group automated purchase process to determine if the number is live.
So online stores really want to eliminate the automation.